A cyberattack lesson from Waikato DHB

Waikato District Health Board still has a “long road ahead” in the restoration of services a month on from the cyberattack that brought down all IT systems and phone lines, according to chief executive Kevin Snee.

In an update on the DHB’s website, the chief executive outlined crucial services that had been resumed for patients including radiation therapy but acknowledged that a great deal of work still needed to be done.

New Zealand organisations need to take this attack (and the aftermath) as a lesson and, regardless of their size, put measures in place that will protect them or, at the very least, provide them with a crisis management plan for dealing with cyberattacks.

What happened at Waikato on May 18 was a major ransomware attack. This is when a computer virus that blocks access to data and systems is used to attack an organisation. The virus encrypts files and documents and causes chaos. Victims are then asked to pay a ransom to restore access.

The Health Service Executive of Ireland suffered a similar ransomware attack on May 14. Initially, it was considered that both cyberattacks were related though some believe it is Zeppelin, which is available as the Ransomware-as-a-Service (Raas) model, which means anyone can buy and launch it.

New Zealand is not unique in facing cyberattacks. The FBI reported in May that, during the last year, US healthcare infrastructure had been targeted in Conti ransomware attacks made on 400 organisations worldwide. However, the FBI issued alerts naming Mega Ltd, an Auckland-based company providing cloud storage and file-sharing services, and warned that potential ransomware attackers uploaded stolen data to the Mega server. Although it is difficult to identify people with a history of stealing data, Mega closed 565,000 accounts for sharing stolen data and illegal content.

Clearly, in the absence of adequate cybersecurity policies and practices, cyberattacks can raise not only financial issues but also, as in the case of the attack against Waikato DHB, healthcare issues. For example, hundreds of scheduled appointments and surgeries were cancelled. The hospitals had to use pen and paper and manual processing to treat some regional patients, while those requiring urgent care were referred to other DHBs.

As part of the recovery plan, once the system is up and running, it will have to take into account any handwritten notes and manual processing which will cause further significant delay and financial loss.

The process to recover from this cyberattack appears to be relatively slow. In my opinion, any critical infrastructure provider should be well-versed in responding to and recovering from cyberattacks, but this is unfortunately only a dream when we consider New Zealand’s organisations.

Small and medium-sized enterprises (SMEs) represent 97 percent of New Zealand businesses and this large group is the most vulnerable to cyberattack given they usually have limited budgets. Large enterprises do have the budget and should be using it to protect their infrastructure. And at the very least, the smaller enterprises, the SMEs, must find the budget to develop a crisis management plan to deal with any cyberattack and its potential consequences.

To ensure organisations take cybersecurity seriously and report incidents properly, New Zealand has introduced the Privacy Act 2020, where Section 114 requires that organisations notify the Privacy Commissioner of notifiable privacy breaches within 72 hours. Failing to do so means the organisation commits an offence and is liable on conviction a fine up to $10,000 as per Section 118(1).

To better deal with cybersecurity and privacy issues, here are some suggestions for New Zealand organisations:

• Have a crisis management plan for dealing with cyberattacks
• Develop a cybersecurity strategy for your organisation
• Follow a proactive approach to privacy and cybersecurity instead of reactive
• Inform the Privacy Commissioner as soon as a privacy breach is notified
• Conduct regular cybersecurity audits
• Fix critical issues identified in vulnerability analysis.