Waikato DHB cyber attack: Doctors 'walking through fog'

Top security officials are confident all necessary arrangements are in place to get the Waikato District Health Board's (DHB) IT systems operational again.

The Officials Committee for Domestic and External Security Co-ordination met in Wellington yesterday to discuss the response.

Health Minister Andrew Little told Morning Report the committee was satisfied with the actions taken so far.

He said the private patient data that had been stolen in the attack was unrecoverable.

"Once it's gone, it's gone, and you lose control of it."

"It's a ransomware attack on a critical part of our health system. It is one of our tertiary hospitals, its operations have been affected now for over a week and given the information on Tuesday night that patient data has been exfiltrated from the system and has been put who knows where because it is being circulated to at least a media - that does lift the risk profile of it which was necessary to lift the response profile as well."

He said he was advised by the Health Ministry that, as of yesterday afternoon, all 19 other DHBs had examined systems for resilience against ransomware attacks against cyber attacks.

"The critical part of the response that this point has been patient safety, staff safety, getting the operations going. Now we're in the recovery phase. Then there'll be a review phase and it won't be until a review is conducted we'll know what state system was in before the attack happened."

A stocktake carried out in 2020 pointed out a lack of technical support for data security and raised a number of concerns.

IT expert Daniel Ayers yesterday called on Little, also the GCSB Minister, to resign.

Little said he would not, adding: "I could not imagine a more foolish statement. I don't run the country's IT systems, we have literally tens of thousands of them."

He said his job as minister was to focus on the recovery effort.

"It's most likely that the source of this attack was offshore. Once that data is exfiltrated and put offshore we lose control of it and that is the reality of cyber offence activity in this day and age."

He said it was important that the public were alert to calls and emails from people they are not familiar with.

"The priority right now is for those who need treatment and can't get it at Waikato, is to try and find places in the rest of the New Zealand system to provide that help. There is a possibility that some may need to go to Australia. That is very much a last resort and we would want to avoid that if at all.

"If people have to go to Australia that won't be going there on their own, they'll be properly supported to do so."

Robertson says no negotiation

Finance Minister Grant Robertson told Morning Report the Ministry of Health was working with the DHB to ensure is was up to speed to IT security efforts and working with patients to ensure they received treatment.

He reiterated the government was not prepared to negotiate with criminal hackers to resolve the situation.

"They are attempting to extort things from us," he said. "We don't negotiate on these matters, as it only encourages further attacks.

"So, we're working with the DHB and the Ministry of Health is alongside them, making sure they are talking to patients, and talking to people whose records they do hold and we've just got to continue to do that. Unfortunately, given the nature of the people involved, you can't be sure what their next move will be."

Robertson said that he was aware of major New Zealand companies strengthening their IT security the wake of the attacks and urged everyone to do the same.

The cost of the attack couldn't be calculated yet, but Robertson said there would be multiple costs associated with the disruption.

"Clearly there is some significant work that's had to go on the computer system, but also on the reorganising of a number of different services and treatments. There'll be costs to the wider systems as well because some patients, particularly in the cancer area, they're being treated in other centres in Auckland, Tauranga and Wellington. So obviously there are associated costs with helping people get to the appointments they need."

Cancer Society medical director Chris Jackson said no one wanted to travel to Australia for treatment, and centres in New Zealand with radiation machines were stepping up.

He told Morning Report Waikato cancer patients so far had managed to secure treatment in Auckland, Tauranga and Wellington.

"When people move from their home base for treatment that's extraordinarily disruptive even if they have to move within New Zealand to a major centre, but going overseas would be an even bigger burden for them at what's a very vulnerable time."

He said it was easier to provide wrap-around support for patients onshore.

"Chemotherapy is still proceeding as normal and as is blood cancer care."

The hospital has been unable to retrieve the details of about 20 cancer patients who were waiting to begin treatment.

"It's hard to understate how disruptive the loss of an IT system is on a hospital. Things like access to medical records ... to previous scans, so if you are trying to look at someone's old x-rays, you just can't access that."

Colleagues had described it as "walking through fog", he said.

Radiotherapy was highly dependant on technology intervention.

"It is IT dependant, and if your IT system is down, you just can't do it," Jackson said.

Privacy concerns raised

Privacy Commissioner John Edwards said health authorities must speed up and tell people whether their hacked data had been leaked.

"I was concerned yesterday to hear the news media outlets had been sent copies of identifiable patient information that also included information about clinicians and other services.

"I asked, I think it might have been Radio New Zealand to see those. So we had those, we had them before the DHB did. We sent them to the DHB to say 'look this may be just a sample but you've still got to do these people know'.

Edwards told Morning Report the scale was yet unknown and there were a few isolated such incidents, which meant there was not much the public could do to prepare, without knowing more details.

"I'm hoping that the DHB is monitoring potential dump sites on the dark web or elsewhere for that material and it is prepared to offer assistance and support to people who may be caught up in it."

He said if people did receive such information, they should contact the DHB and police. "They should not publish it further or distribute it.

"If people are being blackmailed they should notify the police."

Edwards said he would be seeking assurances from DHBs that there were no outstanding recommendations for improvements on cyber security that had not been acted on.

'Lack of urgency'

National Party deputy leader and a former lecturer in cyber security, Dr Shane Reti, said there had been a lack of urgency across parts of the government over cyber security.

It has been nine days since the ransomware attack on the Waikato DHB.

But speaking to Morning Report, Reti said generally by day three organisations would know if information had been compromised.

"What I wasn't seeing across the sector was regular cyber security training. We know that there were some issues at Waikato DHB that ... they were having a slow migration to Windows10.

"They had lowered their peripheral firewall to Outlook 365 so you can access external email servers like Hotmail and Gmail."

Reti said there had been a "lack of urgency across the whole sector" in preparing for cyber attacks, and in dealing with this attack.

"The policy part is actually the most important ... is there real leadership from the top of the health system? Is there reporting at a board level, is there appropriate funding? That's actually the key to this.