Results from cyber testing of 600 health websites

Media release

25 October 2019

The Ministry of Health has released the outcome of website security scans conducted following the illegal, unauthorised access to Tū Ora Compass Health.

600 websites operated by District Health Boards (DHBs) and Primary Health Organisations (PHOs) were scanned by the Government Communications Security Bureau’s National Cyber Security Centre (NCSC) to assess whether they had the same vulnerabilities as those which enabled the Tū Ora Compass breach.

The NCSC scanning identified five websites operated by three DHBs as having potential vulnerabilities. One was a “false positive”: subsequent analysis showed the vulnerability had previously been patched and the site was secure.

In the other four instances the vulnerabilities were confirmed, and the affected DHBs took immediate action to mitigate the risk.

The Ministry has been advised that none of these websites contained, or provided immediate access to, confidential health information relating to patients.

As there is no patient information on the sites, as the risks have been mitigated, and to minimise the risk of inadvertently abetting further illegal activity, the Ministry is not currently naming the DHBs or the websites.

Three steps are already underway to address the current sector cyber security concerns. 

The first is the NCSC scan of the websites of all DHBs, DHB shared service organisations and PHOs across the country, and the results outlined above. 

Secondly, the Ministry has asked DHBs, DHB shared service organisations and PHOs to assure themselves, and to confirm to it, that their externally-facing systems have appropriate security and privacy controls in place. 

As a result, all 20 DHBs and all 31 PHOs have provided information to the Ministry – either directly, or in the case of some PHOs, through their IT providers. 

These responses will assist the Ministry in prioritising further planned work. The process of seeking further information (confirming details of external reviews where those have already been carried out) is expected to continue for some time.

The third action is to commission independent external reviews of the externally-facing systems at all DHBs and PHOs where external assurance cannot be provided. The Ministry will be working with companies with expertise in this area. The work will focus on testing and remedying vulnerabilities in externally-facing information technology systems in key health sector agencies.

Where organisations have separately commissioned external audits or reviews themselves, these are to be independently assessed to ensure they satisfy the Ministry’s expectations regarding appropriate security and privacy of information.

This third stage is expected to take some months.