Another cyber breach for the health sector in the Waikato region

New Zealand has just had another Cyber Incident aimed at one of our Medical Providers, Pinnacle Midlands Health Network. The attack targeted patients NHI number, addresses and names, which have the potential to allow the hacker to access their medical records. This breach could lead to the patients enduring more stress and ultimately a lack of trust in the medical profession. This follows on from last year’s Waikato DHB’s cyber-attacks, which caused major disruptions and delays for vital health services including surgeries. This attack is again aimed at a Waikato-based provider and should serve as a wake-up call for any organisation operating within New Zealand. It is not just organisations in our largest cities being targeted, but those in our rural heartland. As patients are vulnerable and have a lot of trust in the medical system, more must be done to protect their data. Medical providers supposedly have more stringent regulations governing the use and storage of personal information under the Health Information Standards Organisation (HISO) but is this really the case? As we can see from these breaches that these standards have not been met.

With Covid-19 having forced most originations to alter their business model, adopting to a “work from home” model. Whether this is just a temporary model, or long term, this model exposes your organisation to a much larger attack surface. (The attack surface of a software environment is the sum of the different points (for "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.) A much larger attack surface combined with the security debt is starting to look like a recipe for disaster. For too long leaders of organisations within New Zealand have bought into the erroneous mindset that due to our population size and geographical location, that hackers and other cyber criminals would simply ignore us and rather attack some bloated, wealthy overseas organisation.

Research paper after research paper highlights the fact that global organisations are not only being targeted by sophisticated cyber-criminal gangs and by state-sponsored cyber gangs, (The most obvious states involved in these are Russia, China and North Korea.) they have also been targeted by individuals who purchase so-called “hacking kits” on the dark web. Some recent media reports suggest that these kits go for around the $300 range, allowing any individual with an axe-to-grind access. These individual hackers will obviously target the easiest and most accessible targets, hello New Zealand businesses.

A recent SANS (SysAdmin, Audit, Network and Security) Institute survey of more than 300 ethical hackers has revealed some eye-opening statistics:

• 57% of the hackers stated they could successfully discover an exploitable exposure in ten hours or less.
• 58% of hackers need less than five hours to collect and steal sensitive data.
• 38% indicated they can break into an environment "more often than not" by repeated attacks.

So, what can you do to start becoming more cyber resilient? National Cyber Security Centre (NCSC) have amazing resources to help your organisation begin this journey, but for some businesses this may all seem a bit overwhelming. Not all organisations can afford to have their own CISO (Chief Information Security Officer), whilst those who can find it difficult to attract one as they are in high demand around the world. Cybercraft offers our customers a CISO service that allows them the ability to be prepared to deal with cyber incidents such as the Pinnacle Midlands Health Network Breach. If you believe your clients data is important and should be protected, the starting point is to understand your cyber risks and have the right type of help to get you on the cyber resilience journey. The important question is if your customers knew how you looked after their data would they do business with you?