Is New Zealanders’ health information safe from attackers?
Thursday, 13 July 2017
Photo: Hector Rodriguez, the worldwide cyber security officer for Microsoft, and a colleague at the Vanderbilt Medical Centre in Tennessee
Recent cyber-attacks have shown that Kiwis’ health information is vulnerable and at risk, and a global expert says it is a matter of when, not if, the next attack will occur.
Microsoft’s worldwide health chief information security officer, Hector Rodriguez, says healthcare organisations are extremely vulnerable as cybersecurity is not their main specialty.
Rodriguez, from Washington state, will be a key speaker at the New Zealand cyber security health symposium in Auckland on August 1. The event is being organised by NZ Health IT and Health Informatics New Zealand. The safety of Kiwis’ health records will be pivotal to discussions at the event.
He says Kiwis cannot pass the buck to their IT department, management or board, as it is up to every individual involved in the health system to take responsibility for the safety and security of the health information that they are entrusted with.
This starts in the health worker’s home and goes right through to their workplace. Finger-pointing after an attack is too late and unacceptable, as there is now plenty of information and support in place to make sure that Kiwis and all health organisations are operating up-to-date cybersecurity programmes, he says.
New Zealand health organisations should not be complacent in preparing response plans for cyber-attacks, Rodriguez says. People need to be far more aware of the risks of attack and what they have to be doing to prevent them.
“Hackers are smart but also lazy and they go after easy targets. Health groups should not make themselves easy targets. They should begin to adopt a more comprehensive cybersecurity posture that starts from within, leverage the work by their trusted IT vendors and employ layered security to make it more difficult to be attacked,” he says.
Rodriguez says that when a care organisation is cyber-attacked, the reality is that the provider and patient experience declines, care outcomes are compromised, additional costs are incurred, and unfortunately patients’ lives are put at risk.
“Healthcare organisations should have an up-to-date incident response plan that they practice during the year as part of their business recovery or disaster recovery training. Everyone should be involved in the plan.
“They should also adopt and implement a timely risk assessment approach and not rely on an audit to tell them they’ve been breached. Good risk management and cybersecurity hygiene enables an organisation to constantly understand threats, reduce their attack surface, and when attacked avoid paying ransom by isolating the attack, recovering quickly and continuing to take care of their patients.
“The biggest global issue is two-fold. Firstly, hackers don’t care about the potential damage to human lives and secondly organisations still believe that not using cloud technology means it won’t happen to them.
“Cyberattacks can happen to any organisation and while data has value, the attackers aren’t just after the data. They are looking to collect quickly and move on.”
A recent global cyberattack using hacking tools crippled the United Kingdom’s National Health Service (NHS). Rodriguez took a close look at the WannaCry virus, and Microsoft took the unprecedented but critical step of issuing an immediate update to software that was out of support, unpatched, and end-of-life. But the lessons learned were more in-depth.
“We saw that hackers went after the easy, vulnerable targets like the UK NHS. This was a commodity attack, meaning that it wasn’t about just healthcare or the data, the attackers were after a quick pay-day.
“We also learned that adopting modern cybersecurity practices is a key to thwarting attacks and healthcare organisations are still running software that is 20 plus years old to solve modern healthcare and cybersecurity challenges. That does not add up,” he says.
- Make Lemonade