All phones and computers across Waikato DHB have been taken down by a cyber security incident, leaving clinical services
scrambling.
The DHB has called in external help, and says it refuses to pay any ransom demanded.
The SMC asked experts to comment on the attack and the aging IT infrastructure that may have enabled it. Feel free to
use these comments in your reporting or follow up with the contact details provided.Professor Robin Gauld, Director, Centre for Health Systems and Technology, University of Otago, comments:
"For three decades we've known in New Zealand that our health information and clinical systems have been vulnerable to
attack. So while this attack comes as no surprise, it is alarming and has had an impact on healthcare functions.
"Having disparate IT systems across the country's 20 DHBs is not helpful, which has been highlighted in many reports and
stocktakes over the years, and more recently brought into stark relief by the Covid-19 pandemic. We need to have
national IT systems and national security systems to deal with this kind of cyber threat."
No conflict of interest declared.
Professor Dave Parry, Department of Computer Science, AUT, comments:
"The recent cyber attack on Waikato DHB demonstrates the degree to which the health system depends on IT systems working
efficiently. DHBs have some of the most complex collections of systems in the country – there is not just one system but
a large collection of different systems, sometimes hundreds – that are used to support different departments and
clinical areas. DHBs are much better prepared than they were a few years ago for cyber attacks, there are regular audits
and GCSB and CERT are called in very rapidly. DHB systems represent critical infrastructure and of course hold very
sensitive personal data.
"It is not yet clear exactly what sort of attack this was, but a few days ago there was an attack on the Irish health
system in the form of “ransomware”. In this sort of attack, the attacker manages to get some of their software onto the
victim’s network and this encrypts files, making them unreadable. The attacker then offers to give the victim the key to
unlock the encryption in return for money - usually in the form of bitcoin or other cryptocurrency.
"If the victim doesn’t pay, then they will normally shut down access to systems, check for the attacker’s software and
delete it. After that the victim will then restore the encrypted files from backups and start up the services again.
Normally very little data if any is lost. Generally, once the attack software is identified, the DHB can set up its
firewall and other security software to identify it and not allow it to run on the network. The complexity of DHB
systems and the relatively small IT teams can make the shutdown/clean/startup process very demanding - they will be
getting help from the rest of the health system and government. It would be reasonable to expect critical systems to be
up and running again in a day or so at most.
"Getting the “malware” onto networks may have involved “phishing” or emails that included links that downloaded the
software. The firewall updates should prevent the same software being downloaded again.
"Unfortunately, last week the Colonial oil pipeline in the US was attacked and apparently they paid $5 million to the
attackers – this will probably have encouraged attacks by the same gang or similar ones. Government agencies very rarely
pay ransoms, but health systems are always tempting targets because they are so high-profile."
No conflict of interest.