Waikato DHB cyber attack: Privacy Commissioner warns all DHBs to fix its IT vulnerabilities

The Privacy Commissioner is warning all District Health Boards to urgently fix their IT vulnerabilities amid the country’s biggest ever cyber attack.

It comes as the Waikato DHB ransomware has been escalated to a national crisis with top-level Government officials holding an urgent meeting to discuss a plan of action.

Confidential DHB patient notes also appeared to have been sent to media outlets by the alleged hackers and had been referred to police.

Privacy Commissioner John Edwards said if any DHB was found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.

“We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year,”

Edwards said his expectation was that DHBs should have taken steps to act on any deficiencies in security.

“If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions,” he said.

The Commissioner also said he was aware of the leaked information sent to media outlets, saying it expected the DHB to notify and offer support to the individuals identified in that information without delay.

“We would also expect that the DHB would be actively monitoring for potential host sites on the Dark Web or elsewhere.”

His office was not investigating to determine any liability “at this stage”, Edwards said.

Earlier this afternoon, Health Minister Andrew Little said a meeting, involving the Officials’ Committee for Domestic and External Security Co-ordination (ODESC), was being held in Wellington today.

“The crisis response to the ransomware attack on the Waikato DHB has been stepped up. The Ministry of Health is increasing its resourcing of the dedicated response team,” Little said.

ODESC is the primary committee of the country’s national security system, and is assembled to respond to crises which pose a threat to New Zealand’s security, sovereignty, or economy.

Prime Minister Jacinda Ardern said cyber vulnerability was a growing problem worldwide and New Zealand was not immune.

“We have to make sure we shore up some of our basic practice when it comes to cyber security.”

Ardern said a separate cross-Government emergency response group meeting was also called today and support continued to be provided to the DHB as required.

“That support was not just in terms of cyber support … the cancer control agency, for instance is working with the DHB to see if any support is required to ensure ongoing cancer care in the area,” she said.

Media outlets confirmed the information would not be made public and had been referred to police, the DHB said in a statement released this afternoon.

“Waikato DHB apologises to our patients for the inconvenience caused by this disruption and appreciate their co-operation and understanding. We acknowledge the additional distress and concern for patients and their whānau at this time,” the statement said.

The DHB also revealed today, in a statement, that about 70 seriously ill cancer patients are being transferred to other North lsland hospitals, and some may also be flown to Australia as a last resort.

Doctors are warning there will be a massive backlog due to the large number of appointments and surgeries being deferred, and handwritten notes.

“There were already really long waiting lists and overbooked clinics before this happened so the catch-up now is going to be massive … So that’s a pretty big mountain for them to climb,” Association of Salaried Medical Specialists (ASMS) executive director Sarah Dalton said.

One of the doctors told us “it’s a war zone, but we are soldiers”, she said.

The boss of the union representing thousands of senior doctors across the country said there were large amounts of paperwork caused by notes having to be taken by hand that would have to be re-entered once the IT system was back online.

“All the doctors we’ve spoken to have said it is difficult for everyone, but acute services are most affected and that’s simply because of the pressure of time and the urgency of the care required for those people.”

It comes as Waikato DHB enters its ninth day of running its five hospitals without a vital IT system while technology experts work around the clock urgently trying to restore the entire network.

The DHB’s IT system crashed last Tuesday after a sophisticated cyber attack left staff at Waikato, Thames, Taumarunui, Tokoroa and Te Kuiti hospitals reverting back to manual processes to run its services.

On Monday night people claiming to be the hackers contacted media outlets saying they had given the Waikato DHB one more day to respond.

The group claiming responsibility for the attack claimed it had accessed confidential patient notes, staff details and financial information.

They said the DHB had until Tuesday to comply with its demands or warned the information would be made public. That deadline has now expired.

A senior doctor at Waikato Hospital told the Herald yesterday that the technology outage meant they were unable to provide key services such as radiotherapy and as a result very sick patients were being left untreated.

The doctor said their frustration was shared by clinicians working in a range of services.

Waikato DHB chief executive Kevin Snee claims the majority of outpatients clinics and surgeries are still taking place – albeit slightly differently to normal.

“Obviously all of our services are not working as normal … These services are trying really hard to deliver the best possible care for patients in really trying circumstances.”

Last night Health Minister Andrew Little reiterated earlier comments from Snee that the Government would not pay a ransom to the attackers.

“Ransomware attacks are a crime. The New Zealand Government will not pay ransoms to criminals because this will encourage further offending,” Little said.

He said patient wellbeing and supporting staff remained the Government’s first priority.

“I have been in touch with the Waikato DHB Commissioner Dame Karen Poutasi this evening and will continue to be in contact with her about any assistance the DHB requires to support people whose information may have been held in the DHB’s systems.”

When approached by the Herald for an interview, Poutasi – who was appointed commissioner of the Waikato DHB in 2019 – referred any media requests to Kevin Snee via the DHB’s communications team.

Waikato DHB is holding daily press conferences.

Source: Read Full Article