The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Showing posts with label New Zealand Healthcare. Show all posts
Showing posts with label New Zealand Healthcare. Show all posts

New Zealand Healthcare - Just Keeping its Head Above Water!

New Zealand Healthcare - Just keeping its head above water.
New Zealand Healthcare - Just keeping its head above water.  Photo: Hamish Clark.

Securing the delivery of healthcare services in New Zealand faces many of the same challenges as in other mixed public / private health systems. Chronic under-funding of the public health system by government austerity measures is putting pressure on a system already overloaded. Net immigration to New Zealand is combining with a rapidly aging population that is living longer, and contributing to increased patient numbers and demand for services. Hospital administrators have been forced to make tough decisions to prioritize what little resources are available to only the most critical of patients. The result is that many elective surgeries especially for the elderly are in decline and little funding remains to secure and defend hospitals from cyber attack.

As a result of the crisis in the public health system and waitlists approaching a year for patients requiring surgery, those who can afford it, are switching to private healthcare delivery and health insurance. The overall percentage of healthcare services delivered via the New Zealand public system has consequently dropped to roughly 75%. A growth in private care is picking up the rest.

Could New Zealand's Health System come crashing down?
Could New Zealand's Health System come crashing down?  Photo: Lindsey Costa.

New Zealand spends roughly a third of the per-capita expenditure on health compared with the United States. Despite this, healthcare in the country is comprehensive yet quite inefficient, and heavily reliant upon legacy models of care, including more expensive hospital treatment. A fragmented and decentralized system of twenty District Health Boards results in repetition and duplication with wasted spending on "unique solutions to common problems", disparate "stovepipe systems", and "widely different care paths for common conditions" according to a report by Deloitte.

A lack of national uniform IT and security strategy combines with moribund health IT computer systems across DHBs, and manual labour-intensive work practices by doctors and nurses to compound inefficiencies.

The reality is that much of the national health budget appears to be squandered on administrative overhead. In fact, according to the Deloitte study, "some OECD researchers have estimated that well over 2% of New Zealand’s GDP is wasted on administrative inefficiencies."

With budget deficits and almost no money to spend on security, an increasing number of people are concerned that the whole system could come crashing down. Cyber attacks on hospitals and primary care facilities in other countries have massively damaged already fragile health systems. Attacks have caused further delays to patients awaiting treatment and life sustaining operations. If nothing changes, then the same fate may befall New Zealand one day soon.

"Its not a matter of IF but WHEN a major cyber-attack will cause massive disruption to the country’s health sector" claims Scott Arrol, Chief Executive of NZ HealthIT (NZHIT).

But the security problem is not just one of sufficient funding, its also a one of prioritization and implementation of recommendations. The British National Health Service has many similarities to the New Zealand health model and is also chronically starved of resources. Out of date and out of support computer systems, combine with fragmented NHS Trusts to result in security vulnerabilities left unremediated, leaving much of the system open to attack when WannaCry struck in May last year.

According to the UK National Audit Office (NAO) more than a third of trusts in England were disrupted by the WannaCry ransomware, and at least 6,900 NHS appointments were cancelled as a result of the attack, 139 of which were considered urgent. NHS England data shows that at least 80 out of 236 trusts were affected – with 34 infected and locked out of devices. A further 603 primary care and other NHS organisations were infected by WannaCry, including 8 per cent of GP practices (595 out of 7,454).  No information has been published on the larger impact of the NHS outage including reduced patient outcomes or increased mortality, but one can only surmise that despite the best efforts of care givers, some patients were significantly impacted by the NHS's lack of security preparations.

The attack breached NHS Digital via open SMB holes in NHS firewalls and then spread quickly through thousands of unpatched Windows machines. Most infected systems ran Windows 7, but some 18% of systems were still running the no-longer supported Windows XP operating system, which went End of Life in April 2014, some 3 years earlier!

Securing healthcare delivery is not something that can be left on the side lines till next year, to a new budget, or a new administration. The potential impact on the population of a major cyber attack is too great. With the British NHS debacle as a recent example of what can happen if security is ignored, the New Zealand Ministry of Health needs to act now - before its too late!

New Zealand Healthcare steams forward with minimal security.
New Zealand Healthcare steams forward with minimal security.  Photo: Stephen Crowley.

Light at the end of the tunnel for New Zealand Healthcare


Despite continuing austerity measures across the country, there is light beginning to appear at the end of the tunnel for New Zealand Healthcare. This includes a number of measures underway to expand capacity to reduce waiting times. It also includes some long-needed improvements to cybersecurity and privacy. This was the message I received during meetings this week with the New Zealand Ministry of Health in Wellington.

The Ministry of Health oversees some 20 District Health Boards each of which is responsible for administering the delivery of health services in their designated area. While some of the DHBs have pooled their resources for shared IT and security services, there are little to no common IT or security solutions across the entire country. Each board is free to do it's own thing we were informed. The result is disparate clinical and health information technologies across a sparsley populated country of just over 4.6m people.

Some areas of New Zealand appear to be better served by IT and IS capabilities than others, though common areas of concern appear to exist across all DHBs. These include the need for improved identity and access management, threat intelligence and security operations center expertise to identity and respond quickly to cyber attacks.

The greatest challenges however appear to be political in nature, in getting the DHBs to agree to common systems and processes or shared cybersecurity expertise for threat intelligence, security operations and incident response. While at the Ministry level this need seems to be recognised, the DHBs appear to be fiercely protecting their turf - at least for now!