SecurityBrief New Zealand
New Zealand's leading source of cybersecurity and cyber-attack news

Budget boost promises better cybersecurity for our health system

By Matthew Lark
Mon 28 Mar 2022

Late December 2021 found New Zealand enduring a novel, multi-coloured response to Covid-19 called the Traffic Light system. Newsreaders dithered over how to pronounce the name of yet another ancient Greek letter (omicron), while GPs and hospital health workers took a short, rasping breath before a new wave of viral misery inundated our shores.

Five days before Christmas, though, some hope glimmered at the chatty end of the Ministry of Health. A short, unremarkable press release turned up on its website, announcing a new bucket of money to improve cybersecurity throughout our entire health system. $75.7 million over three years was pledged, specifically to upgrade cybersecurity tools and improve training, awareness and incident management capability in the Ministry itself, within the 20 District Health Boards and at the primary health and community care levels. Only a handful of media took this story up, and all too briefly, when it deserved, and still warrants, a closer examination.

Background to the boost

Several historic cyberattacks on health institutions have inspired the Ministry’s budget bids to improve its systems. The WannaCry attack on Britain’s National Health Service in May 2017 saw critical services at 80 hospital trusts and 603 primary healthcare organisations severely disrupted, and it is estimated to have cost the NHS 92 million pounds.

In partial reaction to this attack, our Ministry of Health contemplated the purchase of a single enterprise security protection software tool, which it planned to license out to all 20 DHBs. Discussions between it and several companies and technology experts occurred in late 2019 but were abandoned when the Ministry admitted it did not have funds to make such a purchase.

2019 was the year in which Tū Ora Compass Health, the primary healthcare organisation serving Wellington, Kapiti and Wairarapa, was the victim of New Zealand’s first major health data breach. It is thought that international hacker Vanda the God may have had access to the personal and medical records of over one million Kiwis when it attacked Tū Ora in August that year.

A ransomware attack on the Health Service Executive (HSE), Ireland’s national health provider, in May 2021 saw 80% of critical IT infrastructure heavily compromised, with massive losses of patients’ personal and diagnostic data. The group responsible for this attack, known as the Conti Ransomware Gang and based in Russia, may have been the same group which attacked the Waikato DHB in the same month, causing a complete outage of its information service. Waikato DHB has consistently denied the attack on it was caused by Conti.

This budget allocation came shortly after a $257 million investment pledge for digital health systems, including $87 million targeting legacy technologies and capability deficits. 

Some comment on the changing landscape

Shane Hunter is the Ministry’s deputy director-general, data and digital, and he acknowledges our health cybersecurity needs urgent attention.

“Some of the more recent incidents that have happened both in and outside of health have prompted us to push the boat out in terms of getting more investment. But it’s not a kneejerk reaction to recent events; it’s been something we’ve been working on for some time,” Hunter remarks. “We need to continue to invest in what is a game of cat and mouse with these characters that want to find ways in and disrupt our business and to access personal information.”

Shane believes his Ministry and his sector are more at risk, simply because of what they do and what they represent. 

“Health is a bigger target; health credentials and health information have a value on the dark web; we’re a target and we know it,” he says.

Steve Honiss is director of cyber strategy and risk at ZX Security, a firm which has several district health boards as clients. He believes the balance between delivery of adequate cybersecurity measures and operational service delivery is a special challenge for sectors like health, where old equipment using old operating systems is crucial to daily services.

“In a lot of cases, upgrading systems to the latest secure versions would require replacement of the equipment. When that equipment can cost several hundred thousand dollars to replace, it is not an easy problem to solve. Add in the complexity of busy and high-pressure clinical environments when access to timely patient data and providing ready access to multiple clinicians is essential, and you find striking a balance that meets both security and clinical care requirements is difficult,” Honiss says.

From 1 July 2022, the 20 DHBs will be disestablished and their functions will be delivered by one national umbrella organisation called Health New Zealand. Shane Hunter believes this may benefit the security improvement programme announced in December.

“I think it will strengthen what we’ve been trying to achieve,” Hunter asserts. “The 20 DHBs are essentially sovereign with their own boards, their own budgets and they will tend to do their own things. We think that moving to a single system gives us more of an opportunity to think about how we can better operate as one, reduce duplication of effort and free up money and capacity in the system to invest more into security. It’s going to be never ending in terms of demand for money but we think the move to a single health system will work for us more than against us in terms of cybersecurity,” he comments.

Conversely, Hunter believes a homogenous system is not the consuming goal and that local solutions within the whole will still have currency.

“I would make the point that as part of the new model we will need to be mindful about what systems we do consolidate into a national system. That is, whether or not we leave local systems or local parts of the system to have local choices. Because in moving to a single big model to run the health system we would probably make ourselves a bigger target,” he says.

Programme priorities

The Ministry has produced a high-level national strategy document which sets out seven priority areas where this new money will be directed over years one to three. Shane Hunter enumerates some of them as follows.

“We’ve got systems that need to be upgraded, so that means investing in more modern tools to support better security practice. We want to further establish guidelines and standards for good security practice, we want to strengthen how we do assurance, how we do testing and how we can move to being more continuously up-to-date, rather than relying on patching in a manual way,” he states.

Hunter says moving to cloud-based services is a major priority and that the advent of Covid-19 showed the Ministry how valuable the cloud may be in the near future. 

“We also want to see regions having more of a focus on security. We want to move to having regional chief information security officers across the regional hospital system, supporting our partners in health like primary health and community health providers,” he says.

Matthew Lord is the Ministry’s IT security manager. He says that cybersecurity awareness amongst all national and regional staff will be a major focus of the education work done in year 1 in particular.

“We know that there’s a lot of benefit in educating the whole health system on how to respond to a security incident, what a phishing scam looks like or what bad practice is. We know such education will result in preventable incidents. It won’t stop in year 1 and we will create a programme of work to support this for further years,” Lord says.

Cynics might point out that spending on education and awareness isn’t materially improving defences against phishing attacks or the depositing of malware into hospital computers. But Steve Honiss observes any set of priorities for this new spending has to encompass the entire security landscape.

“Security relies on a combination of people, process and technology. Complementing new security technology with the people to operate it, and with process improvements where needed, is essential. The cost of security can be high, but the cost of being insecure can be higher,” Honiss says.

Tools for the future

The Ministry’s national strategy document provides a list of tools which will be utilised in national and regional settings. They include products such as PhishMe and Microsoft’s anti-phishing simulator for awareness training, while Tenable and Rapid7 are to be used in development of new identity and access management processes. The Ministry expects firewalls such as Check Point’s SandBlast or Palo Alto’s WildFire to be in place across the system as well.

Meeting the requirements of end-point security will involve the Microsoft E5 suite. Matthew Lord says this tool will make life a lot easier and will ensure cyber threat detection becomes a lot more efficient.

“E5 gives us access to a suite of security tools that you can implement and use to protect, respond and recover in one hit. It saves us having to buy a bunch of other tools and stitch them all together,” Lord says.

The combination of tools in E5 makes it possible for human errors or human-induced anomalies to be notified and responded to rapidly. Matthew offers working examples of how it can assist with monitoring and then managing a potential internal or external threat.

“If my identity is sold on the dark web, what Microsoft, through E5, are able to do is to tell me if that event has occurred. If I've used a weak password for instance, it does a bunch of automation under the hood and when you start to marry that into a connected bunch of security operations centres looking at data and processing it, someone can have a conversation with me and say ‘something’s happened to your identity; we recommend you change your password’.”

By analogy, E5 will be able to assist in finding cyberthreats throughout the system, where it has first detected a breach at one hospital.

Turning needs into tasks

The variety of needs identified has to be made operational, somehow, and the Ministry have chosen to call their execution instrument a “roadmap”. Far from being a nebulous guiding concept in a few senior heads, this is a formalised strategic programme with three workstreams established to deliver the priorities for the next three years.

“The E5 tools make up one workstream,” Shane Hunter says. “There’s a security operations centre and security incident and event management or SOC SIEM stream, looking at how we do incident management across the system from local, to regional and national levels. The other major piece of work is our health information services framework or HISF stream, which is about reviewing and updating our system to align it to our revised framework around standards and policies.”

A vulnerability management component will be included in the SOC SIEM workstream to improve the training of staff to manage patching and other protection techniques within their current systems. A “capability uplift” element will sit within the HISF stream, and this will see more training given to key staff within hospitals and the Ministry, so they can better manage cyber incidents and survive them as they occur.

The implementation of the E5 tools has been the focus of year 1 to date, but work on the other two will begin later this year.

Guiding and carrying out the workstreams falls to two separate entities established by the Ministry.

The Cyber Security Governance Board is made up of the senior responsible officer, the Programme Director, representatives from the Ministry of Health, the District Health Boards, pending their consolidation into Health NZ, a representative from the four regional Chief Information Security Officers, Primary Care, and Māori and staff of Pasifika Health providers. This board also utilises expertise from the Department of Internal Affairs, the National Cyber Security Centre, and the Government Chief Digital Officer.

Reporting to this Board is the Cyber Security Programme Steering Committee, which includes some members of the governance board, together with project managers and business sponsors. This committee will be augmented over time by members representing the Māori Health Authority and non-government organisations.

The Committee meets monthly to review programme progress, challenge and build planning thinking and to approve final products. It will exist only so long as the Programme does. This committee is obtaining assistance from international advisers in the British National Health Service and from the Health Sector Cybersecurity Coordination Centre in the United States, both of which have undertaken improvement programmes similar to this one.

The steering committee reports its progress to the governance board, and the chair of both is James Allison, the chief digital officer for Canterbury and West Coast District Health Boards.

“There is a large cultural challenge involved in this programme,” he says. “It’s not simply about policies and technologies, but a change in people’s attitude toward security generally and information security specifically.”

James has his eyes on the big picture and offers a colourful vision of outcomes over outputs as the key results of his committee’s work.

“Our approach is holistic; it’s about assets and clinical equipment; it’s at the digital borders and in the building corridors; it’s moving in synchronicity; it’s about making sure we have trained people well to understand the why behind all of this, the concepts and products, and how to protect our health data – measuring our success as the back of the rear wheel, not the front of the leading rider,” he remarks.

Shane Hunter believes the amount allocated is enough for now, but he emphasises that he will go to government for more if it is needed. He distinguishes the Ministry’s possible need to ask for more money from bids made by projects like the New Zealand Police’s INCIS programme, which failed dismally in 1999.

“We would be going back for more money because of the evolution of cybersecurity,” Hunter observes. “This is a pretty good investment the government’s making in bolstering our security posture but that’s not to say we wouldn’t be back for more money at some point in the future. But it would be because it is the right thing to do, as opposed to a situation like INCIS, where we’ve effectively blown our budget through a failed project.”

Public Interest Journalism funded through NZ On Air.