Manage My Health cybersecurity breach 30 Dec 2025

This dates back to the pre-HNZ days and when Patients First still had a role in primary care IT governance before being subsumed (i.e. knee-capped) by the Ministry of Health (in Jan 2022). Patients First regularly held a Security Forum with PHO CIOs and a Ministry representative usually attended. Some PHOs implemented the Security Checking artefacts produced by Patients First and its partner Medical IT Advisors. Penetration Testing was recommended for all PHO apps that contained patient data. Patient portals were often cited as security risks, but were considered to be out of scope as, by that stage, what remained of Patients First’s funding was contingent on not doing anything likely to influence/hinder/compete with (choose your preferred term) the private sector market. Unfortunately, this latest breach has been the foreseeable consequence of turning a blind eye to the security of patient data held outside the public system - even in applications that have received a significant amount of public funding.

Yes. That’s only been introduced to MMH since I logged in last Friday. MyIndici has also been promising to introduce MFA in the near future.
