Servers not culprit in cyber-attack - Waikato DHB
A set of Waikato District Health Board servers were at end-of-life and unpatched when hackers struck in the early hours of May 18, a source claims.
Decisions that led to the poor security and ailing system were financially motivated, claims the source close to Waikato DHB.
However, the DHB says the particular servers were not a contributing factor in the cyber-attack.
The information comes as those responsible for the ransomware attack dumped large tranches of the DHB’s private patient and employee details on the dark web on Tuesday, six weeks after the hack crippled services across five hospitals including Waikato.
The massive privacy breach shows swathes of files that contain personal and highly sensitive information about patients and employees.
The source claims servers containing Human Resources Information System data based in Caro Street, Hamilton, had not been patched for years.
In IT security, server patching refers to installing critical software updates on a server when they are released.
“The Waikato DHB was relatively up-to-date with patching with the exception of Caro Street,” says the insider.
Compounding the problem was that the Caro Street servers were at end-of-life, which meant they were unsupported, the source claims.
“The underlying infrastructure hosting these servers became ‘end-of-life’, out of support, and subsequently no security or patches were applied to this equipment.”
It's understood the DHB had been migrating its information systems to a cloud host based in Auckland.
Migrating the HRIS servers from Caro Street to the cloud was initiated in January this year; however, due to risk, the DHB brought on consultants to manage the project, the source says.
It’s understood different departments within the DHB have separate IT budgets, and the source claims the estimated cost of this project blew out to more than $1 million for the Human Resources department.
The migration did not continue due to budget and the servers remained unpatched, says the source.
“The hackers would have obviously exposed a vulnerability within the system and exploited that. I suspect Caro Street was that point of vulnerability.”
In 2018 the DHB initiated a tender process for renewal of HRIS, which at that stage was 17 years old, documents show.
The tender asked for a solution that would make the HRIS fully compliant with the New Zealand Information Security Manual and specifically in relation to the management of role-based security, including providing improved adherence to security.
Almost $460,000 was spent on the renewal preparations across the 2018/2019 financial year, an OIA response from last year shows.
National's health spokesperson Dr Shane Reti says by June last year the renewal project had been listed as "red status due to technical and resourcing issues", impacting the time, cost and scope.
He says the DHB's risk and impact register from the past 12 months showed HRIS software as a "highly probable risk with severe impact".
A DHB spokesperson says it has been confirmed HRIS servers were not a contributing factor to the breach of security.
He says the migration of the applications at the Caro Street site was largely completed prior to May 18 and they had now all been moved.
Exactly where the vulnerable point was and how the hackers found it is still unclear.
Hackers use a number of techniques to get into a system, including macros (bits of code) in emails, Word documents and PDFs, as well as port scanners to detect possible access points for infiltration and to identify what kinds of devices are running on the network, such as firewalls, proxy servers or VPN servers.
In a statement on Tuesday night the DHB confirmed stolen information had made its way onto the dark web.
“While we had hoped this would not occur, the DHB was aware of the risk and had been preparing and working closely with cyber security experts to identify and manage any potential disclosures.
“Unfortunately, predicting the actions of cyber criminals can be challenging, however, we are monitoring the situation as closely as possible to protect our community.”
Minister of Health Andrew Little told Local Democracy Reporting the Ministry of Health had information standards that DHBs were expected to comply with.
“This includes keeping up with basic maintenance. There will be an independent inquiry into the Waikato DHB cyberattack which I expect will commence once services are fully restored.”
Many services including critical patient treatments such as radiation therapy have been restored but Local Democracy Reporting understands some Waikato Hospital departments face a backlog in patient care because of the delays caused by the attack.
IT security expert Daniel Ayers says if the DHB had servers that were no longer supported it meant the software would have been very old.
The forensic IT investigator says he couldn’t understand why an investigation into the cause of the hack had not already begun.
He says the threat of cyber security incidents within health was widely publicised from 2019 and that the attack at Waikato DHB was preventable.
Under Rule 5 of the Health Information Privacy Code, an agency must ensure health information it holds is protected by reasonable security safeguards against loss, access, use, modification, disclosure or other misuse.
Privacy Commissioner John Edwards says Waikato DHB must notify all individuals whose details were included in the data published on the dark web, and take steps to prevent further distribution of the information.
“If somebody has suffered loss or considerable distress as a result of having their information included in the hack, and it can be shown that the DHB failed in its duty to take reasonable care, then the Waikato DHB could be liable.”
Edwards says there is a risk the data dump could result in serious harm through identity theft and people fraudulently obtaining credit.