Waikato DHB warned of ‘catastrophic patient safety’ cyberattack
The Waikato District Health Board was warned that its IT security was inadequate and severely compromised just months before a massive ransomware attack that brought Waikato hospital to its knees.
An internal cybersecurity document dated December of last year also warned that a lack of training meant staff posed an unintended threat to their systems.
However, Waikato DHB said the strategy was just a project that was part of a larger digital strategy about to be heard by DHB commissioners when the hackers struck on May 18.
The draft strategy, seen by Local Democracy Reporting, says the DHB’s IT security has been compromised by outdated systems, infrastructure and staff resources, making it a sitting duck for a major cybersecurity attack.
As a result of the cyberattack, some cancer patients were transferred and elective surgeries were postponed as hackers shut down hundreds of servers and patient and staff information was dumped on the dark web.
The strategy stated at the time that there was no cybersecurity incident response plan and noted that the urgent incident response option available to staff at Waikato Hospital was to “unplug the network equipment”.
This is a damning indictment of the state of IT security at the DHB five months before the cybersecurity breach.
MARK TAYLOR / STUFF
Waikato DHB CEO Kevin Snee talks about the dark web data dump following the cyberattack (video first posted July 1, 2021).
The 32-page report says Waikato DHB:
* Was still using Windows XP on some systems, software released in 2001 that has not been supported for five years;
* Relied on “perimeter security” such as firewalls, blocking and malware protection which became obsolete as the DHB moved to cloud-based services;
* Struggled with several computer applications with inconsistent functionality, most of them very old and with poor support where applicable;
* Had fallen behind on patching, the installation of critical software updates for security purposes;
* Did not have enough IT staff to manage and coordinate IT security without a cybersecurity specialist, and investments in cybersecurity were not a priority;
* Did not have cloud services continuously monitored for suspicious behavior;
* And did not have appropriate IT security policies or training for staff.
The strategy, written by two DHB employees, estimated that the DHB had at least 800 software applications, many of which were known to duplicate important functionality.
“Some of the legacy systems don’t have security configurations that can be modernized to protect against today’s security threats, and the majority are based on technology so old that it can no longer be patched or updated to guard against emerging security threats.”
There was no procurement policy designed to monitor and regulate the procurement of medical devices used in patient care.
This meant that they were often purchased on the basis of vendor demos without consideration for compatibility.
“As a result, DHB has many systems and devices that were acquired to play a clinical role, but which have many security flaws that are difficult to close.”
The strategy gave an example of internet-connectable clinical devices that were running Windows XP.
“These old control systems cannot be patched, and when the machines are connected to the network, they pose a significant risk to the DHB network and other devices.”
The devices had misconfigured computer security controls that could be compromised by malware, leading to bad reads, corrupted data, or even hacking of patient data.
“This creates a clinical risk for patients and for DHB.”
There was also no “follow yourself” print template at the DHB, meaning unauthorized people could potentially view the printed information at the printer.
The document states that a skills gap in the IT unit meant that the DHB’s IT operations approach was to reduce cyber risks by locking down systems and limiting access.
“DHB clinical staff have responded by turning to ‘shadow IT’ – informal software applications and personal hardware devices – which, in turn, further increases IT risk, creating an endless cycle of risk that gets worse with each turn.”
With a limited budget, Waikato DHB faced a tough choice when allocating resources, according to the report, and cybersecurity was not a priority when the DHB struggled to meet minimum IT supply requirements to support health care delivery.
“This compromise is common at DHB, even though the consequences of a targeted cyber attack would be catastrophic for patient safety.”
Sources told Local Democracy Reporting that the draft strategy was scrapped due to cost, but Waikato DHB chief executive Dr Kevin Snee said: “This was a discussion paper that was contributed to the broader digital health strategy which then reached the executive on May 13.”
“It proposed a substantial investment in digital, was supported by the executive and was to be presented to the commissioners on May 26 but was interrupted by the cyberattack.”
A DHB spokesperson said work has been initiated by the DHB’s new digital leadership to address any areas requiring special attention and support migration to new solutions such as cloud-based applications, which would also introduce new cybersecurity considerations when moving systems outside the “perimeter security” of firewalls, intrusion and malware protection.
“The document had not yet reached final draft, had not been reviewed or qualified, and had not been presented to management or governance.”
The broader digital health strategy, which would have involved substantial investments, was presented to the executive and supported on May 13 and was due to be submitted to the financial risk and audit committee on May 26, the spokesperson said.
“The security strategy work would have informed the digital health strategy as an aspect of this larger agenda.”
It had not been costed and no associated work program had been confirmed.
“This work was interrupted by the cyber attack but has now been restarted.”
When asked if the strategy could have prevented the attack if implemented, the spokesperson said that the elements outlined in the strategy are ongoing and in some cases accelerated, such as the migration to the cloud and organization-wide adoption of Windows 10.
“… There is currently no evidence as to whether the full implementation of the draft long-term strategy would have had an impact on the event of May 18.”
The spokesperson said Windows 10 was deployed to all compatible machines at the time of the cyber event.
“It should be noted that it is not possible in all cases to run Windows 10 due to specific devices or medical compliance needs. Mitigation measures have been taken to protect these machines.”
The DHB has now recovered from the attack and continues to investigate what led to it.
To date, it has not specified the cost of the incident, but more than 4,200 people have been affected and at least 22 people have reported a privacy breach to the DHB.
Complaints have also been filed with the Privacy Commissioner, but a spokesperson did not say how many.