Hi Peter. I assume that in primary care there is a similar model around risk assessment and liability to what exists internally in HNZ.
Do you know whether it will be individual practice owners that are responsible for sign off of vendor security commitments, or would this be being done at the PHO level?
Hi Alastair, I can’t provide the answers to your questions as the GP/PHO security landscape has possibly changed in the 4 years since Patients First was wound up. However, I will say that performing risk assessments and pen testing of applications is expensive, time-consuming, and expecting 1,000 plus general practices and 30 odd PHOs to do it is completely unrealistic. Therefore, IMO, now that HNZ has assumed the governance role in Primary Care IT, this is something that they should be responsible for performing for the PMS and Patient Portal products.
Hmmm, typically the vendor is responsible for arranging and paying for pen-tests from trusted 3rd party providers. I agree the risk assessment piece is definitely not something an individual practice owner should ever be expected to manage, but I guess the current state is that these tools have been commissioned by PHOs/practices (which may make for some interesting conversations over the next few months).
OK, but there still has to be an overarching governance process to ensure that software suppliers fulfill their data privacy and security obligations. This is clearly missing at the moment, hence the current incident and those that will inevitably follow.
Again, I can only speak from experience both inside and working with HNZ, but there is an existing clearly-defined series of security risk assessments, privacy assessments and vendor obligations that are prerequisites for engagement. This concludes with a senior customer representative signing off acceptance that appropriate checks are in place, mitigations have been undertaken and standards are being adhered to.
In light of the rapid uptake of new cloud-based digital tools across primary and secondary care in NZ, a clearer understanding of responsibilities and accountability between both vendor and customer may be one silver lining that comes out of the MMH breach.
Does ‘engagement’ extend further than the systems that HNZ actually procures to those that access its digital services and beyond? During my time in the Digital Medicines Team at HNZ, there were no security assessments, etc., performed on any of the many systems that participate in NZePS and access the MDR API. In theory, this should cover any system that accesses the NHI, which would bring all NZ digital health applications that hold patient data into scope.
When all is said and done, the fundamental issue here is legal compliance. Every organisation that holds personal information in NZ must comply with the requirements of the Privacy Act, and these are about to be strengthened on 1 May 2026 by the Privacy Amendment Act 2025. Patient data in this country is scattered to the 4 winds (e.g., details of an individual prescription item can be held in at least a dozen places) - it is virtually impossible to implement security effectively and comply with privacy legislation in this highly distributed environment. We need to discuss alternative solutions that allow the (engaged) consumer to be custodians of their own healthcare and wellness data.
Although corporate/PHO ownership is growing, well over 50% of NZ general practices are still owned by GPs. It is simply not realistic to expect >500 practices - not to mention thousands of privately-owned allied healthcare facilities - to apply anything other than cursory attention to due diligence, particularly in respect of hosted and cloud solutions. Maybe this signals the end of the independent practice owner model - although there is obviously massive resistance to that in some quarters. However, IMO, we need to start looking at data security and privacy from a consumer perspective. Hopefully, the loss of trust that will result from this latest issue will trigger some appreciation of the risks inherent in the current way health data is stored and accessed in this country.
Hi Peter, I get it, and I’m definitely not trying to be provocative. The point I’m making is that by choosing to use a service the practice does inevitably take on a degree of liability in the event of an issue. The extent of the liability would presumably come down to a combination of the due diligence the practice did and the information they were provided by a vendor.
As an analogue metaphor, if a business has sensitive paper records stored off site, and it turns out they’re just piled up in an unlocked office somewhere, and the business didn’t take the time to check exactly where the records were being stored, then obviously that is problematic.
From other comments it sounds like a patient portal isn’t a mandatory requirement in primary practice so presumably there is an active decision being made to use these solutions.
Again, in no way am I suggesting any fault on the part of practices in what has happened; it was more highlighting that the run-on consequences may mean significant changes in how things are governed will be required. (So I think we are violently in agreement.)
Here’s the information flow from a single-issue GP consult. Probably missing stuff. No ACC in that one, the place that still emails requests for patient info via email, and has had breaches.
Is a GP going to arrange ‘due diligence’ on the entire system? We are sending information to them all. Just not possible. We rely on trust.
We couldn’t run our practice without a portal, and patients show by their use that they appreciate it. Open Notes, for example, is one of the strongest patient empowerment tools out there.
So, we are all very disappointed by the breach. The usual ‘trust is hard to gain, easily lost’ applies.
Hi Richard, does your PHO (or practice) ask for evidence of security/privacy audits of any of the systems on that diagram? Or alternatively do any of those systems proactively provide that info to you?
Hi Peter, I totally agree that alternative consumer-centred solutions are needed. The most promising technical approach to this that I have seen is SOLID (SOcial LInked Data), which is a new set of web standards under the leadership of Sir Tim Berners-Lee. These standards allow for data to be stored in a user-controlled ‘pod’ or ‘wallet’, with granular access controls also able to be managed by users. A range of user-facing apps are being built on top of the standards, including for consumer health data. A company (Inrupt) has been set up to drive the build-out of commercially successful SOLID-based enterprise software.
Hi Chris. Thanks for the information on SOLID. I did take a look at that a few years ago, but it had slipped off my radar subsequently. This would be extremely attractive for health & wellness data if accessible via an HL7 FHIR API.