Minister Andrew Little has announced a full inquiry into the ransomware attack at Waikato District Health Board (DHB) in the early hours of May 18.
Last week Parliament held an urgent debate about the release of sensitive materials related to the attack.
Health Minister Andrew Little announced that once the DHB has mitigated the security issues, there will be a full independent inquiry into the state of the DHB's IT systems before the ransomware attack, as well as the quality of the DHB's response.
The attack attracted much speculation, however concrete details about the nature of the attack have been scarce, leaving many to jump to conclusions too soon.
RNZ alleges that DHBs are 'refusing' to provide information about their cybersecurity strategies, but the DHBs have explained that it is because they don't want to risk providing potential adversaries with more information.
The investigation and remediation processes behind large-scale security breaches can actually take months or sometimes even years to remediate. According to IBM's 2020 Cost of a Data Breach report, it can take organisations up to 280 days to identify and contain a data breach.
For some, including the media, Members of Parliament, and patients who don't know if their information has been compromised, New Zealand simply cannot wait.
During the Parliamentary debate, ACT deputy leader Brooke van Helden spoke about the information that has been leaked on the dark web including patient files, correspondence, and financial information. van Velden said it should be a major concern for not only those living in the Waikato region, but also all New Zealanders and the privacy of their personal information.
van Helden commends the actions that the government has taken to investigate the attack, but it could have done more. She points to a 2020 inquiry into all DHBs, which noted that they had outdated IT networks and infrastructure, and a lack of cybersecurity services.
“The government has also failed on its cybersecurity strategy. We were supposed to have annual reports on our cybersecurity in New Zealand so we could protect ourselves from cybersecurity breaches. But once again, these didn't happen because of budget constraints.
Health Minister Andrew Little said, “We are not immune to cyber attacks.” He notes that there are 120 IT platforms operating across the 20 DHBs.
He says the Waikato DHB is still working on remediating the issue and has a system in place to notify people whose information has been compromised as part of the breach. He notes that people can also approach the Office of the Privacy Commissioner if they are concerned.
Little said that the inquiry will begin once the DHB returns to business as usual.
“Only after the inquiry will the government have an understanding about the extent to which the system was vulnerable, the extent to which any steps that might have been taken to prevent further protection could have been taken, or whether the DHB had done everything expected of it, and met the appropriate standards expected of it.
Waikato DHB is currently advertising a number of job vacancies within its information services and IT teams. These roles include cloud/technology architect, senior analyst, solution architect and business/data analyst, as well as project coordinator and project manager.