Results from cyber testing of 600 health websites

The Ministry of Health has released the outcome of website security scans conducted following the illegal unauthorised access of Tū Ora Compass Health.

600 websites operated by District Health Boards (DHBs) and Primary Health Organisations (PHOs) were scanned by the Government Communications Security Bureau’s National Cyber Security Centre (NCSC) to assess if they had the same vulnerabilities as those which enabled the Tū Ora Compass breach.

The NCSC scanning identified five websites operated by three DHBs as having potential vulnerabilities. One was a “false positive” where subsequent analysis showed the vulnerability had been previously patched and to be secure.

In the other four instances the vulnerabilities were confirmed and immediate actions were taken by the affected DHBs to mitigate the risk.

The Ministry has been advised that none of these websites contained, or provided immediate access to, confidential health information relating to patients.

As there is no patient information on the sites, because the risks have been mitigated, and to minimise the risk of inadvertently abetting further illegal activity, the Ministry is not currently naming the DHBs or the websites.

Three steps are already underway to address the current sector cyber security concerns.

The first is the NCSC scan of the websites of all DHBs, DHB shared service organisations and PHOs across the country, and the results outlined above.

Secondly, the Ministry has asked DHBs, DHB shared service organisations and PHOs to assure themselves, and to confirm to it, that their externally-facing systems have appropriate security and privacy controls in place.

As a result, all 20 DHBs and all 31 PHOs have provided information to the Ministry – either directly, or in the case of some PHOs, through their IT providers.

/Public Release. View in full here.