Microsoft, which holds the data of millions of New Zealanders given to it by the government, has been castigated in the United States for slack cybersecurity which it says let in Chinese hackers.
Health New Zealand Te Whatu Ora said it was seeking "assurances" from the tech giant and, with other public agencies, was "monitoring these developments".
The US Department of Homeland Security in a new investigation said Microsoft had a lax overall security culture, leading to "a cascade of avoidable errors" in last year's hack of US and United Kingdom government emails.
Microsoft's attitude to security was "at odds with the company's centrality in the technology ecosystem and the level of trust customers place in" it, the DHS's Cyber Safety Review board said.
"Microsoft still doesn't know how the hackers got in", though it had pretended for months that it did, it said.
This comes on top of alarm at an ongoing successful hack of Microsoft corporate email by the Russia-backed Midnight Blizzard group linked to successful attacks which targeted the US presidential elections in 2016.
The US government is exposed because it has more contracts with Microsoft than any other tech firm. New Zealand's exposure, too, has increased as successive governments have encouraged a mass migration of public data on to cloud systems primarily run by Microsoft and its rival Amazon, from police, health, passports, and scores of other agencies, and possibly soon the courts.
Te Whatu Ora said it would be working on an "all-of-government approach" with the government's Chief Digital Officer (GCDO).
Microsoft had not reported any security incidents or cyberattacks "compromising our systems or data", the health agency said.
"Nor are we aware of any such intrusion exploiting Microsoft vulnerabilities."
The GCDO said nothing directly relevant to the US findings.
The National Cyber Security Centre at the GCSB said the US findings were still being considered, "along with other inputs".
These "will be reflected in the standards and guidance we publish online ... and in the direction provided to government through the office of the Government Chief Information Security Officer".
New Zealand was the first country to put its citizens' authentication records offshore, into Microsoft's Azure cloud computing servers in Australia in 2021.
Officials and cyber experts argue security is better with the Big Tech US firms, and will be still more secure once the firms shift the data from Australia to new big data centres they are building here.
The US investigators urged Microsoft to publish a clear plan for making "fundamental" security improvements.
The company said it accepted the findings and promised to do better.
It issued a boilerplate statement to RNZ, saying it appreciated the federal investigation into "the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence".
"Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks."
It had "mobilised" its engineers to "harden all our systems against attack" - to find old systems, improve processes and enforce security benchmarks, Microsoft said, citing its Secure Future Initiative launched late last year.
Te Whatu Ora said it was aware of the investigation and, "like other public sector organisations in New Zealand using Microsoft products, is monitoring these developments, and will be working with the Government's Chief Digital Officer to help inform an all-of-government approach and any subsequent review".
It has just expanded how much patient information can be held on its new My Health Record web app, which patients get to through an authentication checker called My Health Account hosted primarily on Microsoft Azure servers in Sydney. It aims to expand what people can check on to include their "current and past medications and lab results".
The agency last year told RNZ it chose Microsoft and Amazon for its cloud moves because they had better "scale, security and robustness" than local cloud companies.
Initially, it said this followed "a competitive tender" but later admitted to RNZ this "was incorrect - we sincerely apologise for this error"; it in fact chose them off a list of pre-approved cloud vendors.
The government doubled-down on its 'cloud-first' policy last year, basically forbidding agencies from building their own systems, though recent briefings lament that the push has not gone far or fast enough.
The courts and Justice Ministry are among the latest to embark on this, and have not ruled out sensitive data being held in Australia.
Security would be key to the design of Te Au Reka (Caseflow Management) system in coming months, the ministry said.
"At present, no final decision has been made by the judiciary regarding the hosting of court data on cloud services based outside of New Zealand.
"The preference of the judiciary remains that all judicial and court information contained in Te Au Reka (Caseflow Management) should remain in New Zealand."
It has signed a deal with US firm DXC Technology around the scope and phase one covering Family Court data.
Dilemma of going with Big Tech
The shift to the cloud poses a dilemma; Big Tech has high security, but is a magnet for hackers.
"A coalescence of security services into the hands of a few cloud-based suppliers has provided security gains and, equally, incentive and opportunities for cyber threat actors," the National Cyber Security Centre said last year.
"Malicious cyber actors likely prefer these services for extracting large volumes of data quickly and undetected.
"Cloud storage often features scalable storage and fast, free inbound bandwidth.
"Connections between Aotearoa New Zealand organisations and large cloud computing or storage providers are not uncommon and may not initially raise alarms."
In addition, the centre warned: "Remember, complexity is the enemy of security."
Te Whatu Ora has complex systems, such as the new national disease management system (NDMS) it is building to take over from Covid contact tracing.
It uses Amazon cloud, not Microsoft, but "with any network connected and complex system such as the NDMS, there will be risks of accidental or intentional information disclosure, such as an accidental misconfiguration of the system exposing data, or a determined and sophisticated attacker who is able to bypass security measures to access information they shouldn't have", a privacy impact assessment said in February.
Once again, however, it endorsed Big Tech, arguing for "the use of established and experienced large global cloud providers who are responsible for maintaining the security of their environments. These cloud providers have extensive interests in maintaining the security of their platforms, and often go through regular extensive certification processes".
At police, an internal report about going to the cloud charted six "new and increased risks", but also said old technology had different risks and there was a "wealth of potential benefits" with the cloud.
Another risk is cost. Vendors offered discounts but "navigating discounts and ongoing management of costs has become one of the more complex and labour-intensive aspects of using cloud services, while many organisations have resorted to large, long-term upfront commitments that rather reduce than increase their future flexibility", the police report said.