The Waikato District Board of Health was warned that its IT security was inadequate and severely compromised just months before a massive ransomware attack that brought Waikato Hospital to its knees.
The internal cybersecurity document dated December 2020 also warned that lack of training meant that staff posed an unintended threat to their systems.
However, Waikato DHB said the strategy was just a draft that was part of a broader digital strategy about to be heard by DHB commissioners when hackers struck on May 18.
The draft of the strategy, seen by Local democracy reports, says DHB’s IT security was compromised by outdated systems, infrastructure, and personnel resources, making it an easy target for a major cybersecurity attack.
In the wake of the cyberattack, some cancer patients were transferred and elective surgeries postponed due to hackers taking down hundreds of servers and spilling patient and staff information onto the dark web.
The strategy said there was no cybersecurity incident response plan at the time and noted that the urgent incident response option available to Waikato Hospital staff was to “disconnect network equipment.”
It appears to be a damning indictment of the state of IT security at the DHB five months prior to the cybersecurity breach.
The 32-page report read Waikato DHB:
- I was still using Windows XP on some systems, software released in 2001 that has not been supported for five years;
- It relied on “perimeter security” such as firewalls, blocking, and protection against malware that was becoming obsolete as DHB moved to cloud-based services;
- I struggled with multiple IT applications with inconsistent functionality, most of them very old and with little support, if any;
- Delayed patching, installing critical software updates for security reasons;
- I didn’t have enough IT staff to manage and coordinate IT security without a cybersecurity specialist, and cybersecurity investments were not prioritized;
- It didn’t have cloud services continuously monitored for suspicious behavior;
- And it didn’t have the proper policies and training for staff on IT security.
The strategy, written by two DHB employees, estimated that DHB had at least 800 software applications, many of which are known to duplicate significant functionality.
“Some of the legacy systems do not have security configurations that can be modernized to protect against today’s security threats, and most are based on technology that is so old that it can no longer be patched or upgraded to protect against security threats. emerging “.
There was no procurement policy designed to monitor and regulate the purchase of medical devices used in patient care.
This meant that they were often purchased based on vendor demos without regard for compatibility.
“As a result, the DHB has many systems and devices that were purchased to perform a clinical function but that have many security holes that are difficult to plug.”
The strategy gave an example of internet-connectable clinical devices running Windows XP.
“These old control systems cannot be patched, and when the machines are connected to the network, they pose a significant risk to the network of DHB and other devices.”
The devices had poorly configured IT security controls that could be compromised by malware, resulting in incorrect reads, corrupted data, or even hacking for patient data.
“This creates a clinical risk for patients and for DHB.”
There was also no “trace” print pattern on the DHB, meaning that unauthorized parties could see the information printed on the printer.
The document said that a skills deficit in the IT unit meant that DHB’s IT operations focus was to reduce cyber risk by locking down systems and limiting access.
“DHB clinical staff have responded to this by turning to ‘shadow IT’ – informal software applications and personal hardware devices – which in turn increase IT risk even further, creating a never-ending risk cycle that worsens with every turn. “
With a limited budget, Waikato DHB faced a difficult decision when allocating resources, according to the report, and cybersecurity had not been a priority when DHB was struggling to meet the minimum requirements for the provision of IT to support the provision of medical care.
“This compensation is common at DHB, although the consequences of a targeted cyberattack would be catastrophic for patient safety.”
Sources said Local democracy reports The draft strategy was abandoned due to cost, but Waikato DHB Executive Director Dr. Kevin Snee said, “This was a working paper that was an input to the broader Digital Health Strategy that subsequently came to the executive on May 13. “
“It proposed a substantial investment in digital technology, was supported by the executive and was due to go to the commissioners on May 26, but was interrupted by the cyberattack.”
A DHB spokesperson said that work had been initiated by DHB’s new digital leadership to address any areas that require attention and support migration to new solutions, such as cloud-based applications, which would also introduce new cybersecurity considerations tailored. to move the systems abroad. the configuration of “perimeter security” of the firewalls, the protections against intrusions and malware.
“The document had not yet reached the final draft, had not been reviewed or qualified, and had not been presented to management or the government.”
The broader Digital Health Strategy, which would have involved a substantial investment, was presented to the executive and endorsed on May 13 and was due to go to the Audit and Financial Risk committee on May 26, the spokesperson said.
“The security strategy work would have informed the Digital Health Strategy as one aspect of that broader program.”
The cost had not been calculated and any associated work program had not been confirmed.
“This work was interrupted by the cyberattack, but has now been restarted.”
When asked if the strategy could have prevented the attack if it had been implemented, the spokesperson said that elements outlined in the strategy were in place and in some cases accelerated, such as migration to the cloud and adoption of Windows 10 in the entire organization.
“… There is no current evidence to indicate whether full implementation of the draft long-term strategy would have impacted the May 18. event.”
The spokesperson said that Windows 10 was deployed on all supported machines at the time of the cyber event.
“It is noted that it is not possible in all cases to run Windows 10 due to specific peripheral hardware or medical compliance needs. Mitigations were taken to protect those machines.”
The DHB has now recovered from the attack and is continuing to investigate what triggered it.
To date, it has not said what cost the incident incurred, but more than 4,200 people were affected and at least 22 people have notified DHB of a privacy violation.
Complaints have also been made to the Privacy Commissioner, but a spokesperson did not say how many.
Local Democracy Reporting is a public interest news service supported by RNZ, the Association of News Publishers, and NZ On Air.