SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Waikato District Health Board cyberattack: Cancer hub out of action in chaotic aftermath
Thu, 2nd Dec 2021
FYI, this story is more than a year old

A cyber security breach that brought Waikato District Health Board to its knees took out one of the country's four regional cancer hubs, prompting the Cancer Control Agency to declare a national emergency to get patients with life-threatening cancer conditions moved to other hospitals.

Radiation treatment at Waikato Hospital where a regional cancer hub operates, was one of dozens of services rendered unavailable after the ransomware attack on 18 May.

Cancer Control Agency, Te Aho o Te Kahu chief executive Diana Sarfati stopped short of calling the situation a crisis but said it was "incredibly anxiety provoking" for patients.

"There was a crisis in that a cyberattack took out a major hospital. We were certainly treating it as an urgent situation that needed to be addressed."

According to a contingency planning document put together in the aftermath of the attack and released by the DHB under the Official Information Act, at least 30 cancer patients were transferred including to private hospitals in Wellington and Tauranga, and Auckland's public hospital.

"Patients that went to Auckland needed to be seen within hours," Sarfati said. "These were patients who were very acutely unwell. [For example]… if a patient had pressure on the spinal chord which can result in paralysis."

Other cancer patients whose treatment was not life-threatening faced minor delays, Sarfati said, but a crisis in providing cancer treatment was avoided because Te Aho o Te Kahu was able to coordinate with other hospitals to provide capacity.

"The patients were relocated very quickly and they were very grateful. But the delays were not great and of course it's incredibly stressful for people in the middle of cancer treatment or due to start."

No patients were sent overseas and Sarfati said at no point did Te Aho o Te Kahu consider it because both Melbourne and Sydney were in the middle of a Delta surge.

Sarfati said all cancer treatment had now resumed at Waikato DHB.

"Radiation got up and running quite quickly at the beginning. The biggest difficulty was the information systems and that has taken longer but they have really done an incredible job to provide continuous care."

She said the Ministry of Health was now "looking at how to secure systems". "There's a lot of work going on to ensure as great a security as possible."

A Ministry of Health spokesperson said a cyber security assurance review of the Ministry and all DHBs was underway and was expected to be completed later this month.

The review was initiated by DHB chief executives and deputy director general of data and digital Shayne Hunter in response to the Waikato breach, and would provide assurance of continued improvement to cyber security systems to ensure they were resilient to any future cyberattack.

The contingency planning document shows Waikato Hospital was in chaos after the attack, as staff grappled with paralysed information technology systems, and the disorder was widespread.

In children's health, lab services such as for blood tests were reduced to critical samples only and large reports for clinically complex children could not be completed.

Many online capabilities had to be moved to paper-based systems such as referrals, admissions, transfer, clinic appointments, location of patients and patient alerts.

There was no eligibility status for patients, patient NHI [National Health Index] numbers were unavailable meaning doctors could not keep track of them, daily news updates were not getting through to staff without phones, staff rosters were down and in women's health the delivery suite theatre bookings were in question.

The child protection team was unable to upload alerts to a national system, there was no access to local alerts for the vulnerable unborn, staff had no visibility of Ōranga Tamariki cases entered prior to the breach, and they were unable to see who was booked into violence intervention training.

Some regional DHBs blocked Waikato emails and faxes making updates to them on babies from those regions in Waikato Hospital's Newborn Intensive Care Unit [NICU] difficult.

In women's health, gynaecology patients were told not to come in for their appointments which were rescheduled, women who turned up for antenatal clinics had to identify themselves while scans of their babies could not be saved, and staff had to manually go through every elective caesarean section booking.

The 42-page document shows patient safety was compromised in the intensive care unit [ICU] because of limited access to each patient's history, specialist clinics were cancelled, incoming emergency patients with less severe injuries or illness were redirected to Auckland, and surgeries were limited to patients that did not require radiology or laboratory services.

In other departments, clinicians were disconnected from the network, turning to bedside monitoring of critical patients in ICU and the high dependency unit; errors were reported in handwritten NHI numbers; there was no ability to send electronic COVID-19 reports from the lab; patients trying to call could not get through; CCTV and parking pay stations were down, and even dietary requirements could not be accessed for patients being fed in hospital.

The DHB has now recovered from the attack and continues to investigate the cause.