During the cyber incident that affected the former Waikato District Health Board systems in May 2021 (prior to the establishment of Te Whatu Ora), the Minister of Health instructed the Ministry of Health to commission an independent report into what happened. That report, by InPhySec Security, has been released today. 

The following is a statement from Sonny Taite, our National Chief Information Security Officer.

As we have seen from recent events, cyber incidents are an increasing threat globally and it is essential that we all take steps to educate and protect ourselves to the best of our ability.

The report reflects on the cyber incident that impacted our Waikato systems and provides us with lessons and actions that are helping us minimise future risk and strengthen the resilience of New Zealand’s health system to prevent or respond to subsequent attacks. The report includes a number of general and future-focused recommendations for the health system as a whole. 

We accept the recommendations in principle and Te Whatu Ora has already made significant progress towards further securing its IT systems. The National Cyber Security Uplift Programme was launched due to increasing cyber threats and digital innovation. With just over $75 million in funding from Cabinet, the programme began in late 2021. 

My role as National Chief Information Security Officer has recently been established and a team of regional Chief Information Security Officers has been established with local resources to support incident response activities.

The programme is already addressing some of the recommendations that the InPhySec report has provided to support development of a unified health system. We are doing this by:

  • Building a national security operations team as we become a national system. The National Security Operations Centre (or SOC as it is known) is in its formative stages and will be a single point of call when it comes to threat detection, response, and recovery.
  • Planning a series of incident response simulation exercises, including phishing simulations to support our staff across the motu to spot suspicious cyber activity.
  • Updating the Health Information Security Framework (HISF) to better suit the new health operating environment in Aotearoa and make the framework easier to understand and adopt.
  • Hiring additional security colleagues to join the uplift programme mentioned above.
  • Implementing new security technologies to help shield legacy systems. 

Planning is also underway for a Cyber Academy, which includes exploring a work-based pathway into cyber security for rangatahi. 

Cyber security is an ongoing process of risk management, and we will continue to develop and adapt our work programme in an ever-changing digital landscape.

We acknowledge our Waikato kaimahi whose outstanding work, expertise and commitment played a significant role in ensuring critical health services could still be delivered immediately following the incident, and also the contribution of the many agencies and partners who provided assistance across patient care and the investigation and restoration processes. 

Members of the public are encouraged to report any online internet safety concerns and harmful digital communications issues to Netsafe and to report cyber security issues to CERT NZ

Pātiki and Waharua Kōpito patterns

Read the InPhySec Report

InPhySec's Waikato District Health Board (WDHB) Incident Analysis Report is available to read below.