Makes it clear that it was just the module where patients upload their own document contributions to their record which was exposed, and not data held by EHRs:
A further update, which outlines much more clearly what exactly was breached:
Fabulous assessment of the practical cyber security aspects:
Hindsight is always a wonderful thing, but this report on NZ Patient Portals, produced by Patients First for the MoH back in 2014, contains a prescient section on safe and secure access.
Yeah, but that is pretty vague and general advice! Basically, identify and manage cybersecurity risks. And it dates back to when ‘cloud’ was only just leaving its ‘dirty word’ status.
Certainly lots to read about this at the mo:
Personally, I’m encouraged by some of the minister’s rhetoric - particularly that openness, transparency, and the sharing of lessons learned (quickly) is vital for us to minimise our future exposure to the risk of cybersecurity breaches like this.
As discussed above, the design of a digitally enabled healthcare ecosystem requires IT services to be put on balanced footing with clinical services. As shown through the impact to delivery on health care services throughout the restoration following the cyber incident, the system cannot function effectively without the core IT services operating. Looking ahead to the changes and integration that Te Whatu Ora will want, our recommendations all sit around four themes:
Architected for security: designing in data segmentation, identification of high risk/value data assets, the use of encryption for data, access controls, a monitoring and logging framework, and others. The design phase can limit damage in the event of an intrusion and make the system more resilient. At the same time, systems need to be usable at a clinical level, reflecting pressures and urgencies at the point of delivery. Highly secure systems will not be used if they are awkward, time-consuming or non-intuitive in practice;
Kept up to date: patching is the classic recommendation here. But for the healthcare system in NZ, it also means systematically investing to eliminate unsafe legacy systems, to make full use of well-managed cloud systems, and to accommodate the increasing use of internet-connected medical devices in a safe manner. It also means investing in people, both through IT skills and by providing clear frameworks for others: for example, a ‘code of connection’ that sets minimum cybersecurity requirements for all parties, developing an assurance mechanism to ensure adherence, and providing training and genuine support.
Active defence: Logging, monitoring, responding, planning. As noted above, this is a task for the whole system, including healthcare delivery colleagues at the clinical end. It cannot be left to IT teams. It requires the – otherwise excellent – CIMS framework to be updated. And it needs to be accompanied by the sort of behavioural discipline described above, otherwise it will fail; and
Practice. Every single person we have spoken to has enthusiastically endorsed the idea that cyber responses need to be rehearsed. “Train hard; fight easy” is more than a truism. Finding the time and space to do this is always hard, especially in busy hospitals with real people to treat. But the costs of not doing so are very high and very unpredictable. The solution may be a ‘simulator’ – a national virtual IT resource to allow clinicians and managers as well as IT teams to practice for disruption in a virtual environment. It would also allow NCSC to simulate various types of attack, and better understand how to advise on the responses, without having to wait for the real thing. Results could be assessed from an equity perspective, as well as through clinical and technical lenses.
This structure of recommendations can be complemented by another, for the IT system design and operation teams themselves:
To avoid and acknowledge the risks (getting design and operational protocols right);
To detect and stop threats (logging, monitoring and responding - automatically where possible);
To respond (limiting immediate impact when something gets through, as it will); and
Restore.
None of this will be cheap: it will cost money and it will cost time, as managers and clinicians will need to be more involved. There is a real opportunity cost to that, which we acknowledge. But we see little alternative. The WDHB incident shows the level of disruption, the actual cost and impact on confidence that can accompany even a medium-sized intrusion. If we are to benefit from a national healthcare system, we need to be prepared to invest the time and money to make it safe in an unsafe world.
How well do you think we have implemented those recommendations in Health NZ | Te Whatu Ora?
I think you know the answer to your question. The current government has been systematically gutting the health information back office in the name of cost-cutting, which does not bode well. We also have a frail, complex and failing infrastructure made up of many diverse components that are, frankly, a security nightmare.
It is possible that their new initiatives will ultimately bear fruit, but at present we remain hugely vulnerable on many fronts. And let’s face it. The number of people out there with true expertise at *secure system design* is minuscule; most are in private; and even if they offer good advice about how to build secure health systems, they likely won’t be listened to owing to (a) cost; (b) deadlines; and (c) perceptions that other ‘priorities’ are important—right until the next security breach.
Sorry to be so morose, but show me a better scenario and I’ll embrace it.
This dates back to the pre-HNZ days and when Patients First still had a role in primary care IT governance before being subsumed (i.e. knee-capped) by the Ministry of Health (in Jan 2022). Patients First regularly held a Security Forum with PHO CIOs, and a Ministry representative usually attended. Some PHOs implemented the Security Checking artefacts produced by Patients First and its partner Medical IT Advisors. Penetration Testing was recommended for all PHO apps that contained patient data. Patient portals were often cited as security risks, but were considered to be out of scope as, by that stage, what remained of Patients First’s funding was contingent on not doing anything likely to influence/hinder/compete with (choose your preferred term) the private sector market. Unfortunately, this latest breach has been the foreseeable consequence of turning a blind eye to the security of patient data held outside the public system - even in applications that have received a significant amount of public funding.
Yes. That’s only been introduced to MMH since I logged in last Friday. MyIndici has also been promising to introduce MFA in the near future.
As a PHO board member + Health consumer concerned about this data breach, and someone who has advocated about being aware of the difficulties associated with rebuilding trust after such an event (especially with older patient and health consumer cohorts who are suspicious of digital interventions), I’m surprised that to date I’ve not heard a reference to the role of PHOs in this scenario.
Sadly, I have to agree.
Being ahead of the dark web skills will need exceptional skills and security, the cost of which far outweighs the consequences of not having them.
Confidence in confidentiality will take a significant knock.
Hopefully, the need for increased cybersecurity funding will be the positive outcome, but it’s disappointing that it’s taken a security breach to instigate it.
Interesting. The first thing I did when I heard about the breach was to check if two-factor authentication was in place - it was when I checked, but I remember last year thinking that it should be there but wasn’t.
So how do we advise people (consumers/patients/clients) who feel vulnerable and want to withdraw from using MMH? Very little is coming from anyone with authority.
I’m not sure about that. Certainly, there are (or, at least, were) exclusions for those with shared email addresses or no email address (rare these days) - but I’m not sure if the records of those patients are/were copied to the MMH Server regardless.
Update - FWIW, this is what Claude returned when I asked it if NZ Patient Portals are opt-in or opt-out:
“New Zealand patient portals are opt-in.
Patients must voluntarily sign up for a patient portal, and they can opt out at any time if they choose to HealthifyRnzcgp. The Royal New Zealand College of General Practitioners’ guidance specifically states that portals are voluntary and opt-in Rnzcgp, and practices are required to inform patients of this.
To use a patient portal in New Zealand, you need to actively register by providing your email address to your general practice, after which you’ll receive an invitation to set up your secure username and password. You’re not automatically enrolled.”
CoPilot adds:
“Why NZ uses an opt‑in model
Health information is governed by the Health Information Privacy Code 2020, which requires explicit patient consent for new forms of access.
Identity verification is required before enabling online access, which naturally fits an opt‑in workflow.
I am both a GP practice owner and a Manage My Health user, so this incident is of considerable concern, and with a frustrating level of transparency. My own Manage My Health app is set up with 2FA, but I think, like many apps, this is an option for the user rather than a requirement.
As a practice owner it remains unclear how the breach occurred and what data was hacked. My understanding is it related to Health Documents, which are transfer of care documents and outpatient letters. It would help the practices if we could have a coherent explanation for our patients about what happened and who might be at risk.
I did the exercise myself and it is not clear. I advised my GP clinic to opt me out and they did not know if you opt out from their side deletes your information and data from MMH. In the app itself it does not give you the option to opt out or close the account. If you log into your account on the website version there is an option to delete your account and then it takes them 72 hours to delete all your information from MMH. What is unclear is whether the clinic ticking opt out on their side automatically deletes your current data already held by MMH?
I had to request to join MMH when it was available at my GP Practice. They are now using Well, but don’t know if my data would still be available on MMH?
Found this particularly detailed analysis done by someone who managed to contact the threat actor:
MMH is opt in, requiring a registration and activation process. Only when activation occurs (i.e. consent form completed) do clinical details actually come through into their platform. Registration does provide PII information to send off the invitation email though, but no other details besides what’s required to complete an invitation (i.e. name, email by inviting organisation).
The wider problem of the data breach is that once it’s activated, AND the GP practice has turned on the “My Health Documents” for that patient, even if the practice changes to another portal, practice changes PMS, or the patient moves to another GP, it’s still live and running until the patient explicitly requests to deactivate. This means the breach would impact many patients at Indici practices and those who moved to Centriks as well. This was designed so patients could carry their records regardless of changes in PMS databases and practice (if the whole ecosystem used MMH, then it would flow seamlessly through) - good intention, if all of the security controls were consistent.
I hope they will be contacting users who have changed practices or practices who changed portals or PMSs as part of this because they will be orphaned in the PHO comms plan given they aren’t enrolled anymore.
My comments are observations from what I know of their system, many years ago, which may have changed, and the latest Reddit/infosec news that uncovered additional details beyond their media briefings.
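The post above describes a lifecycle in which a portal link, once activated with “My Health Documents” switched on, stays live after the patient moves practice or the practice changes portal/PMS, so those patients fall outside a practice-based notification plan. The following is an added example, not code from the thread or from Manage My Health, of how a defender could reconcile portal links against enrolment records to find such orphaned accounts and to separate them from invitation-only records that never received clinical documents. The data model (PortalLink, Enrolment, the practices_using_portal set) and the sample records are constructed for illustration and are not the vendor’s actual schema or data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical model of the lifecycle described in the thread:
# registration (name, email, inviting practice) -> activation/consent
# -> practice switches on "My Health Documents" -> clinical documents flow
# -> only an explicit patient deactivation stops the flow.

@dataclass
class PortalLink:
    patient_id: str
    invited_by: str                        # practice that sent the invitation
    activated_on: Optional[date]           # None until consent/activation is completed
    health_documents_on: bool              # practice-side toggle for clinical documents
    deactivated_on: Optional[date] = None  # set only when the patient explicitly deactivates

@dataclass
class Enrolment:
    patient_id: str
    practice: str
    ended_on: Optional[date] = None        # None while the enrolment is current


def clinical_data_flows(link: PortalLink) -> bool:
    """True when clinical documents are live for this link; before activation
    the portal holds only the invitation details."""
    return (link.activated_on is not None
            and link.deactivated_on is None
            and link.health_documents_on)


def is_current(enrolments: List[Enrolment], patient_id: str, practice: str) -> bool:
    """Whether the patient is still enrolled at the given practice."""
    return any(e.patient_id == patient_id and e.practice == practice and e.ended_on is None
               for e in enrolments)


def classify_links(links: List[PortalLink], enrolments: List[Enrolment],
                   practices_using_portal: Set[str]) -> Dict[str, str]:
    """Sort every link into one of three notification buckets:
    - no_live_clinical_documents: never activated, documents off, or deactivated
    - reachable_via_practice: live, and the inviting practice still uses the portal
      and still has the patient enrolled (practice comms will reach them)
    - orphaned: live, but the practice relationship is gone (patient moved, or the
      practice changed portal/PMS), so the vendor must contact them directly."""
    result: Dict[str, str] = {}
    for link in links:
        if not clinical_data_flows(link):
            result[link.patient_id] = "no_live_clinical_documents"
        elif (link.invited_by in practices_using_portal
              and is_current(enrolments, link.patient_id, link.invited_by)):
            result[link.patient_id] = "reachable_via_practice"
        else:
            result[link.patient_id] = "orphaned"
    return result


def orphaned_patients(links: List[PortalLink], enrolments: List[Enrolment],
                      practices_using_portal: Set[str]) -> List[str]:
    """Patient ids that need direct contact because no practice will notify them."""
    buckets = classify_links(links, enrolments, practices_using_portal)
    return sorted(pid for pid, bucket in buckets.items() if bucket == "orphaned")


# Constructed sample data (not real patients or practices).
SAMPLE_LINKS = [
    PortalLink("p1", "PracticeA", date(2022, 5, 1), True),                      # still at A
    PortalLink("p2", "PracticeA", date(2021, 2, 1), True),                      # moved A -> B
    PortalLink("p3", "PracticeC", date(2020, 9, 1), True),                      # C left the portal
    PortalLink("p4", "PracticeA", None, True),                                  # invited, never activated
    PortalLink("p5", "PracticeA", date(2022, 1, 1), True, date(2024, 6, 1)),    # patient deactivated
    PortalLink("p6", "PracticeA", date(2023, 3, 1), False),                     # documents never switched on
]
SAMPLE_ENROLMENTS = [
    Enrolment("p1", "PracticeA"),
    Enrolment("p2", "PracticeA", ended_on=date(2024, 3, 1)),
    Enrolment("p2", "PracticeB"),
    Enrolment("p3", "PracticeC"),
    Enrolment("p4", "PracticeA"),
    Enrolment("p5", "PracticeA"),
    Enrolment("p6", "PracticeA"),
]
PRACTICES_USING_PORTAL = {"PracticeA", "PracticeB"}   # PracticeC has switched to another portal

if __name__ == "__main__":
    for pid, bucket in classify_links(SAMPLE_LINKS, SAMPLE_ENROLMENTS, PRACTICES_USING_PORTAL).items():
        print(pid, bucket)
    print("direct contact needed:", orphaned_patients(SAMPLE_LINKS, SAMPLE_ENROLMENTS, PRACTICES_USING_PORTAL))
```

The point of the three buckets is that a breach notification plan keyed only on current PHO/practice enrolment misses exactly the "orphaned" group, while the invitation-only group had a much smaller exposure (name and email) and can be told so.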
I changed practice from an affluent GP practice where I was able to link to MMH. Then, I moved to a rural area with a high Māori population where my GP practice was not available to link to. I raised this with my new GP, “why not?” Reply was, “the folks around here aren’t very health literate.” That GP couldn’t speak Māori (neither can I) :-/ I digress. Maybe that’s a good thing, people. Just saying. Tech can seem fragile and unreliable. BTW, enjoying reading the chat.