DHBs not included in SIS cyber security programme
The SIS is not seeking to have district health boards included in a programme where it sets out what agencies must do to cope with information security threats.
The quality of DHB cyber defences has been questioned after a ransomware attack on Waikato hospitals in May.
Several dozen government agencies are required by Cabinet to follow a programme in which the spy agency sets out all sorts of security requirements - but not DHBs.
The SIS said it is up to Cabinet what agencies are mandated to follow the Protective Security Requirements (PSR).
It gives DHBs advice anyway, and what they do is consistent with that.
"The NZSIS has not, however, sought to have DHBs included in the PSR mandate," the SIS told RNZ.
"The current changes to the broader health system will provide an opportunity to consider how to best ensure cyber security resilience is best factored into the technology platforms and tools used in the health sector."
RNZ asked the Health Ministry what it has done to ensure the country's public health units, that are at the forefront of pandemic contact tracing, are not exposed to the type of attack that crippled the Waikato DHB.
The ministry said it followed advice to ensure national security systems that supported public health units and contact tracing were up-to-date.
It also advised the 20 DHBs on how to increase their cyber resilience, and asked them for assurances they have followed it.
"This includes checking their systems to ensure they have the right level of protection in place to avoid such a breach," the ministry said.
"All 20 DHBs have now completed that work."