Budget boost promises better cybersecurity for our health system
Late December 2021, found New Zealand enduring a novel, multi-coloured response to Covid-19 called the Traffic Light system. News-readers dithered over how to pronounce the name of yet another ancient Greek letter, (omicron), while GPs and hospital health workers took a short, rasping breath, before a new wave of viral misery inundated our shores.
Five days before Christmas though, some hope glimmered at the chatty end of the Ministry of Health. A short, unremarkable press release turned up on its website, which announced a new bucket of money to improve cybersecurity throughout our entire health system. $75.7 million, over three years was pledged, specifically to upgrade cybersecurity tools and improve training, awareness and incident management capability in the Ministry itself, within the 20 District Health Boards and at the primary health and community care levels. Only a handful of media took this story up, and all too briefly, where it actually deserved and still warrants a closer examination.
Background to the boost
Several historic cyberattacks on health institutions have inspired the Ministry’s budget bids to improve its systems. The Wannacry attack on Britain’s National Health Service of May 2017, saw critical services at 80 hospital trusts and 603 primary healthcare organisations severely disrupted and it is estimated it cost the NHS 92 million pounds.
In partial reaction to this attack, our Ministry of Health contemplated the purchase of a single enterprise security protection software tool, which it planned to license out to all 20 DHBs. Discussions between it and several companies and technology experts, occurred in late 2019 but were abandoned when the Ministry admitted it did not have funds to make such a purchase.
2019 was the year in which Tuora Compass Health, the primary healthcare organisation serving Wellington, Kapiti and Wairarapa was the victim of New Zealand’s first major health data breach. It is thought that international hacker Vanda the God may have had access to the personal and medical records of over one million Kiwis when it attacked Tuora in August that year.
A ransomware attack on the Health Service Executive (HSE), Ireland’s national health provider in May 2021, saw 80% of critical IT infrastructure heavily compromised, with massive losses of patients’ personal and diagnostic data. The group responsible for this attack, known as the Conti Ransomware Gang, based in Russia may have been the same group which attacked the Waikato DHB in the same month, causing a complete outage of its information service. Waikato DHB has consistently denied the attack on it was caused by Conti.
This budget allocation came shortly after a $257 million investment pledge for digital health systems, including $87 million targeting legacy technologies and capability deficits.
Some comment on the changing landscape
Shane Hunter is the Ministry’s deputy director-general, data and digital and he acknowledges our health cybersecurity needs urgent attention.
“Some of the more recent incidents that have happended both in and outside of health have prompted us to push the boat out in terms of getting more investment. But it’s not a kneejerk reaction to recent events; it’s been something we’ve been working on for some time,” Hunter remarks. “We need to continue to invest in what is a game of cat and mouse with these characters that want to find ways in and disrupt our business and to access personal information.”
Shane believes his Ministry and his sector are more at risk, simply because of what they do and what they represent.
“Health is a bigger target; health credentials and health information have a value on the dark web; - we’re a target and we know it,” he says.
Steve Honiss is director of cyber strategy and risk at Zx Security, a firm which has several district health boards as clients. He believes the balance between delivery of adequate cybersecurity measures and operational service delivery is a special challenge for sectors like health, where old equipment using old operating systems is crucial to daily services.
“In a lot of cases, upgrading systems to the latest secure versions would require replacement of the equipment. When that equipment can cost several hundred thousand dollars to replace, it is not an easy problem to solve. Add in the complexity of busy and high-pressure clinical environments when access to timely patient data and providing ready access to multiple clinicians is essential, and you find striking a balance that meets both security and clinical care requirements is difficult,” Honiss says.
From 1 July 2022, the 20 DHBs will be disestablished and their functions will be delivered by one national umbrella organisation called Health New Zealand. Shane Hunter believes this may confer benefit to the security improvement programme announced inDecember.
“I think it will strengthen what we’ve been trying to achieve,” Hunter asserts. “The 20 dhb’s are essentially sovereign with their own boards, their own budgets and they will tend to do their own things. WE think that moving to a single system gives us more of an opportunity to think about how we can beter operate as one, reduce duplication of effort and free up money and capacity in the system to invest more into security. It’s going to be never ending in terms of demand for money but we think the move to a single health system will work for us more than against us in terms of cybersecurity,” he comments.
Conversely, Hunter believes a homogenous system is not the consuming goal and that local solutions within the whole, will still have currency.
“I would make the point that as part of the new model we will need to be mindful about what systems we do consolidate into a national system. That is, Whether or not we leave local systems or local parts of the system to have local choices. Because in moving to a single big model to run the health system we would probably make ourselves a bigger target,” he says.
The ministry has produced a high level national strategy document which sets out seven priority areas where this new money will be directed over years one to three. Shane Hunter enumerates some of them as follows.
“we’ve got systems that need to be upgraded, so that means nvesting in more modern tools to support beter security practice. WE want to further establish guidelines and standards for good security practice, we want to strengthen how we do assurance, how we do testing and how we can move to being more continuously up-to-date, rather than relying on patching in a manual way,” he states.
Hunter says moving to cloud-based services is a major priority and that the advent of Covid-19 showed the Ministry how valuable the cloud may be in the near future.
“We also want to see regions having more of a focus on security. We want to move to having regional chief information security officers across the regional hospital system, supporting our partners in health like primary health and community health providers,” he says.
Matthew Lord is the Ministry’s IT security manager. He says that cybersecurity awareness amongst all national and regional staff will be a major focus of the education work done in year 1 in particular.
“We know that theres a lot of benefit in educating the whole health system on how to respond to a security incident, what a phishing scam looks like or what bad practice is. We know such education will result in preventable incidents. It won’t stop in year 1 and we wil create a programme of work to support this for further years,” Lord says.
Cynics might point out that spending on education and awareness isn’t materially improving defences against phishing attacks or the depositing of malware into hospital computers. But Steve Honiss observes any set of priorities for this new spending has to encompass the entire security landscape.
“Security relies on a combination of people, process and technology. Complementing new security technology with the people to operate it, and with process improvements where needed are essential. The cost of security can be high, but the cost of being insecure can be higher,” Honiss says.
Tools for the future
The Ministry’s national strategy document provides a list of tools which will be utilised in national and regional settings. They include products such as Phish Me and Microsoft’s anti-phishing simulator, for awareness training, while Tenable and Rapid7 are to be used in development of new identity and access management processes. The Ministry expects firewalls such as Checkpoint’s Sandblast or Palo Alto’s Wildfire, to be in place across the system as well.
Meeting the requirements of end-point security will involve the Microsoft E5 suite. Matthew Lord says this tool will make life a lot easier and will ensure cyber threat detection becomes a lot more efficient.
“E5 gives us access to a suite of security tools that you can implement and use to protect, respond and recover in one hit. It saves us having to buy a bunch of other tools and stitch them all together,” Lord says.
The combination of tools in E5, makes it possible for human errors or human-induced anomalies to be notified and responded to rapidly. Matthew offers working examples of how it can assist with monitoring and then managing a potential internal or external threat.
“If my identity is sold on the dark web, what Microsoft, through E5, are able to do is to tell me if that event has occurred. If I've used a weak password for instance, it does a bunch of automation under the hood and when you start to marry that into a connected bunch of security operations centres looking at data and processing it, someone can have a conversation with me and say ‘something’s happened to your identity; we recommend you change your password’.”
By analogy, E5 will be able to assist in finding cyberthreats throughout the system, where it has first detected a breach at one hospital.
Turning needs into tasks
The variety of needs identified has to be made operational, somehow, and the Ministry have chosen to call their execution instrument a “roadmap”. Far from being a nebulous guiding concept in a few senior heads, this is a formalised strategic programme with three workstreams established to deliver the priorities for the next three years.
“The e5 tools makes up one workstream,” Shane Hunter says. “There’s a security operations centre and security incident and event management or soc siem stream, looking at how we do incident management across the system from local, to regional and national levels. The other major piece of work is our health information services framework or HISF stream, which is about reviewing and updating our system to align it to our revised framework around standards and policies.”
A vulnerability management component will be included in the SOC SIEM workstream to improve the training of staff to manage patching and other protection techniques within their current systems. A “capability uplift” element will sit within the HISF stream, and this will see more training given to key staff within hospitals and the Ministry, so they can better manage cyber incidents and survive them as they occur.
The implementation of the E5 tools, has been the focus of year 1 to date but work on the other two will begin later this year.
Guiding and doing the work streams, falls to two separate entities established by the Ministry.
The Cyber Security Governance Board is made up of the senior responsible officer, the Programme Director, representatives from the Ministry of Health, the District Health Boards, pending their consolidation into Health NZ, a representative from the four regional Chief Information Security Officers, Primary Care, and Māori & staff of Pasifika Health providers. This board also utilises expertise from the Department of Internal Affairs, the National Cyber security Centre, and the Government Chief Digital Officer.
Reporting to this Board is the Cyber Security Programme Steering Committee which includes some members of the governance board, together with project managers and business sponsors. This committee will be augmented over time, by members representing the Maori Health Authority and non-government organisations.
The Committee meets monthly to review programme progress, challenge and build planning thinking and to approve final products. It will exist only so long as the Programme does. This committee is obtaining assistance from international advisers in the British National Health Service and from the Health Sector Cybersecurity Coordination Centre in the United states, both of which have undertaken improvement programmes similar to this one.
The steering committee reports its progress to the governance board and chair of both of these is James Allison, the chief digital officer for Canterbury and West Coast District Health Boards.
“There is a large cultural challenge involved in this programme,” he says. “it’s not simply about policies and technologies, but a change in people’s attitude toward security generally and information security specifically.”
James has his eyes on a big-picture and offers a colourful vision of outcomes over outputs as the key results of his committee’s work.
“Our approach is holistic; it’s about assets and clinical equipment; it’s at the digital borders and in the building corridors; it’s moving in synchronicity; it’s about making sure we have trained people well to understand the why behind all of this, the concepts and products, and how to protect our health data – measuring our success as the back of the rear wheel, not the front of the leading rider,” he remarks.
Shane Hunter believes the amount allocated is enough for now but he emphasises that he will go to government for more if it is needed. He distinguishes the Ministry’s possible need to ask for more money, from bids made by projects like the New Zealand police’s INCIS programme, which failed dismally in 1999.
“We would be going back for more money because of the evolution of cybersecurity,” Hunter observes. “This is a pretty good investment the government’s making in bolstering our security posture but that’s not to say we wouldn’t be back for more money at some point in the future. But it would be because it is the right thing to do, as opposed to a situation like INCIS, where we’ve effectively blown our budget through a failed project.”