Ministry of Health responds to unauthorised digital intrusion at Tū Ora Compass Health

Thanks very much for coming to the Ministry of Health We’ve got Shayne Hunter, our Deputy Director General of Data and Digital and Ashley Bloomfield, our Director General of Health, Dr Ashley Bloomfield. I’ll hand over to Ashley … Thanks Peter. Mōrena koutou, welcome to the Ministry of
Health, Manatū Hauora and thank you very much for attending the briefing here
this morning so as Peter said, I’m Dr. Ashley Bloomfield. I’m the Director General of Health. With me today is Shayne Hunter, he’s our Deputy Director General for Data and Digital. The program for the briefing is I will speak, then Shayne and I will be available to answer any questions you may have. Then I’ll be available for any one-on-one interviews you might want to do after the briefing wraps up. As you’ve been made aware, at the briefing earlier this morning, Tū Ora, Compass Health PHO, notified the Ministry of Health in early August, that it had been subjected to an illegal cyber intrusion. This became evident following the
defacement of its public-facing website. At the same time, the national cybersecurity center, or NCSC, which is within the Government Communications Security Bureau, was notified. and the NCSC has been working closely with ourselves and Tū Ora, to ensure that – order Tū Ora systems are secure, to investigate
the incident, and to support the appropriate response. The Ministry of Health and the wider health sector take the need to ensure security and privacy of health information very seriously. Secure information exchange between health agencies is critical for the provision of modern quality and
evidence-based health care. There has been a significant focus on this, since the mid-1990s, with obligations outlined in the 1994 health information privacy code and contracts with PHOs require them to comply with the provisions of that code and with the Privacy Act 1993. While Tū Ora Compass is a non-government organization, obviously the ministry is very concerned
about this cyber incident and its potential impact on individuals whose data may have been accessed. We have initiated several actions to assure ourselves and the wider public that all reasonable steps are being taken to ensure their health information is safe and secure. The first action undertaken was further investigation of the August intrusion on the Tū Ora website, which confirmed previous illegal unauthorized access to its systems dating back, as you know, to 2016. As Tū Ora has advised, this means data may have been accessed for up to an estimated 1 million people and it could include data going back to 2002. While we do not know for certain whether data has or hasn’t been accessed we are working on the basis that it is likely that at least some data has been accessed since 2016. The unauthorized access has now been identified as affecting, to a greater or lesser degree, five lower North Island based primary health organizations that have a relationship with Tū Ora. As you are also aware, this illegal access is a crime and it has been referred by Tū Ora to the police. Once we understood the nature and extent
of the cyber incident from the investigation, the second action we undertook on the 19th of September was that the Ministry of Health and the NCSC initiated a scan of the websites of all district health boards and PHOs across the country and to assess whether they had vulnerabilities similar to the ones exploited on the Tū Ora website and then to see if there is any evidence of illegal intrusion as a result of any vulnerabilities identified. That work is ongoing and is expected to be completed next week. At the same time, the Ministry asked DHBs and PHOs to assure themselves,
and confirm to us, that their externally-facing systems have appropriate security and privacy controls in place. Responses to this request are due by the 9th October and by yesterday we had received responses from 19 of 20 DHBs and 15 of 30 PHOs. I reiterated that request and the importance and seriousness of it during a teleconference yesterday with District Health Board and PHO chief executives The third action we have initiated is to commission independent external reviews of the externally-facing systems for all DHBs and PHOs. Now in some cases, these organizations have commissioned external audits or reviews themselves and we will arrange for these to be independently assessed to ensure they satisfy our expectations regarding appropriate security and privacy of information. That work is just getting underway and will take some months. We will take immediate action to address any problems identified and we will provide public updates as it progresses. I want to reiterate the seriousness, the seriousness with which the Ministry of Health is taking this event and the efforts underway to address the problem and to support people affected. The Ministry established an incident management team at the beginning of last week to oversee our response and we will continue to work closely with Tū Ora to support people affected through the dedicated helpline which you know about and if required, through through further referral to other services. I can also assure the public that we are working as quickly as possible to ensure that similar events do not occur at other PHOs or DHBs and we are initiating a program of work to strengthen cybersecurity across the health system so people can be confident that their health information is secure. Finally I would like to ask the media to take care in balancing the need to inform the public, with the need not to cause people undue concern or inadvertently increase the risk of further cyber intrusions, scams or fraud. Thank you very much. I’m open to questions now. In terms of the Ministry, what do you know about hacks? Do you know where this has come from? Anything in particular? What we know is, as you heard earlier, there have been four intrusions by different actors. Two of those would be described as ‘hackavists’ and two of them by more sophisticated actors and that’s extent of the information we have. Do you have reason to believe that it’s local or international? I simply can’t say – I don’t have that information. In your searching of the DHBs and PHOs, has anything come out of that so far? Yes, so far we have had three the DHBs identify a potential vulnerability in websites. Those websites have been taken down I understand or secured. Subsequently there’s no
evidence that any of those vulnerabilities had resulted in a breach. Is this good enough? Well what is good, is that we have found those and that they have been addressed. And in terms of the wider issue with this serious breach, is that good enough? It’s people’s sensitive data. Well what I can also say, is that none of those websites had any patient data on them, so those were websites, one for example was a website with health education information. The vulnerabilities were found and they’ve been addressed. Was that the same vulnerability that affected Tū Ora or a different one? Shayne can you comment on that? One of them is that is the vulnerability which was the webhack that hit Tū Ora, the other two I can’t comment on in terms of the vulnerabilities, I don’t know. What I do know is that they’ve been secured or that the service has been taken offline. Could you walk us through what the vulnerability is so that we can understand the issue? I don’t think it’s appropriate to get into the detail. One of the issues I think you would have heard Martin say, and we believe this is absolutely the right thing to do, is to not talk specifics, because it just opens up the opportunities for the cybercriminals to go after specific opportunities. So I’d rather not go into the detail. In terms of the scans – they’re generally routine checks about the security of all of us, or is it just not monitored before now and if not, will there be consistent checks, making sure that everything’s all good? Yes I’ll make a couple of comments
and Shayne may want to come in as well. First of all, we do require and rely on organizations including our DHBs and PHOs to have appropriate systems and appropriate measures in place to ensure patient information in particular is secure and private, and we require them to provide us with an assurance of that. As part of that they should be assuring themselves and periodically
getting independent audits of that. What we are doing at the moment, with the scan, is checking their websites to see if they have similar vulnerabilities to the one that was exploited on the Tū Ora Compass website. That process is underway and we are also going to do this deeper review of each PHO and DHB website. And as part of that review, what future regular monitoring or auditing we might either undertake or expect those organizations to do. Shayne did you have any further comments? What I would say is that since I’ve been in health, which goes back to the mid-nineties, security and privacy of information has been one of the top topics and I don’t think there’s a an IT manager, or a CIO, or chief digital officer in the
country that doesn’t worry about cyber, They do they do invest time and money and
ensuring that things are protected but it is a game of cat and mouse keeping up with these people, so there are regular audits that are done across the sector by different organizations that are either driven by external or internal audits so it’s certainly not passive. There is activity in order to protect, but it’s a challenge keeping up with these people from time-to-time, things will happen. I think one other comment, is that it’s a very reminder of the importance of doing the basics – in particular timely patching or updating of software, because that was the vulnerability that was exploited with Tū Ora and whilst they had
the intention of updating they were caught in that window so it’s a really timely reminder to all organizations to undertake any updating
of software or patching of software as quickly as possible as soon as any vulnerabilities are identified. I think they open themselves up to the
intrusion that happened and they have apologized for that and taken accountability for it. You mentioned something about five practices in the lower North Island. What were you talking about there? FIve different primary health organizations in the lower North Island which have data held by Compass because of the nature of the
different services provided but for most of those PHOs other than the Tū Ora Compass one, it includes just a small amount of patient information. What were those five organisations? So the the five primary health organisations are: Tū Ora Compass obviously, Think Health, Te Awa Kairangi Health Network in the Hutt Valley, Ora Toa PHO and Cosine PHO. In terms of worst case scenario, because Tū Ora can’t confirm that this data has been completely breached, if someone, in the long run, who has been impacted by this, does find that their identity or their medical records or whatever, is used in a way that is innapropriate, what steps, what happens next? Is there something that you can do? Well, we haven’t given that too much thought as yet. What we are interested at this point in time is ensuring there’s support for people
who either want to know information, or if people are particularly concerned or anxious, that they can talk to someone about that. At this stage we have no evidence, by the way, of whether the information or data has been actually taken or any evidence that if it has been taken, that it’s been used. Obviously, if there is evidence emerging of that, then we will absolutely look at that and be working with other agencies across government to see what actions we might need to take. This is another data breach – it’s been a year of data breaches hasn’t it? Have you got anything to say about what else could be coming? Well, no I can’t. What I can say is that
obviously, we’ve got a really key role to play as the stewardship role for the health system and we’ve undertaken a number of actions already off the back of this data breach, which is a very significant and important one because it involves people’s health information and so that’s why we’ve stepped up a very significant response and we’ll keep the public informed about that activity. You were made aware of this in early August. Why did it take two months to let the public know? That’s a good question . There are several reasons for that. First of all, we wanted to undertake the investigation with the National Cyber Security Center to look into the breach, and as you know now, that uncovered further additional illegal intrusions. We needed a good understanding of what that was. Secondly we wanted to then be able to ensure that the vulnerabilities identified weren’t present elsewhere in the system to the extent we could, so that we could head-off any further trouble and the third thing is we really wanted to get in place appropriate support and stand-up dedicated our 0800 number with people trained to talk to anyone who was concerned so we were wanting to do, what we know is a responsible disclosure and we were well down the path to planning and delivering that. As I said earlier, the scan that we’re doing to look at all other PHO and DHB websites is due for completion next week. We were planning to wait for that to be completed, then to go public, however we were ready and once the information was out there, we are now front-footing this. The 0800 number is live? Yes, that went live at three o’clock yesterday afternoon. If there are no more questions, let’s wrap things up. I am available if you want to do any one-on-one interviews. Thank you again. you

Leave a Reply

Your email address will not be published. Required fields are marked *