3 Questions about Waikato DHB hack


Waikato DHB cyber attack ‘hackers’ make contact with health bosses

Hackers claiming to be behind a cyber attack that led to surgeries being postponed at Waikato public hospitals this week have made contact with health officials.

Tuesday’s attack brought the Waikato District Health Board’s entire IT network down, with officials now hoping to get the system back up and running by the weekend.

Police were investigating the attack that had affected Waikato testing laboratories, cancer treatments and email, phone and other services.

The crippling attack was also just one among a slew of daily cyber assaults hitting New Zealand’s health and hospital network, the Ministry of Health warned.


My 3 questions would be:

1 – Is it true Waikato DHB were cutting back on cyber security?

2 – What did Waikato DHB do when they heard the same attack had occurred in Ireland?

3 – This took weeks to set up, are any other Public Services in danger of being compromised?


15 COMMENTS

  1. Of all the institutions in the world to target, they target a hospital? They hold a hospital to ransom rather than hacking the military, big finance or the elites? This is as putrid as bombing a hospital for political gain.

    • This doesn’t get military intelligence involved, at this point.. Which targeting military/police/banking/admin would do in a heartbeat.. This is a campaign for change, one must assume, so getting locked up or shot within a month of the outset is counterproductive..
      Question; How many people died as a result of the hack? Wouldn’t we want to keep it that way?

      • It’s ridiculous to have a hospital run military grade counter measures against cyber attacks with no military involvement. Just.., oh my fucken God. The fuck.

  2. Sadly in NZ, employers refuse to hire experienced and competent people and even if they do, managers often don’t listen to them, or senior executives don’t listen to what needs to be done and budget for it, so you actually have no ability to stop these types of attacks in NZ due to the culture of the organisations and companies.

    Stopping attacks comes down to having competent employees, IT oversight at board level and competent IT policies. Most of this is rare in modern NZ organisations. Therefore it becomes a surprise when entire organisations are stopped in their tracks for days (or permanently) by something that the management have not even been aware of.

    NZ Sharemarket suffered the same types of DDOS attacks. These attacks will continue in NZ. It is not just security but often entire flaws in design and architecture and policy of the IT that is a big part of the problem.

    NZ Sharemarket hired big names to do their IT, but this fails as the big names in NZ have followed a profit driven policy of getting the cheapest people they can find, and fail to pay or retain experienced, qualified people who will in the long term be much cheaper for their clients. (Likewise construction and most other industries in NZ which have had their experienced, best people cut, to make way for more and cheaper people who do what they are told).

    NZ’s policy of paying peanuts is getting monkeys.

    Likewise throwing a lot of people at a problem doesn’t help either when they are not at the level required but does generate a lot of consulting fees!

    Years of cost cutting and spending copious amounts on failed IT projects and not bothering to hire and retain the best people they can, is coming home to roost.

  3. There was an IT expert on National radio this morning saying he warned the Health Ministry a year ago that this was going to happen. It seems it is happening in many other countries. The hackers have a 2 pronged attack. The first is the patient disruption the second is they release personal details of patients.
    I am retired now but the company I worked for had 2 hacks which cost thousands to sort out and huge disruption which hurt customer service. Both were caused by email attachments which should never have been opened.

  4. In 2019 I notified Waikato DHB (incident #345436), the Ministry of Health and the NZ Police (Assistant Commissioner Andrews and Sgt Bell, Case#190708/7781) when I found out that my emails were being intercepted by a Waikato DHB employee. I even contacted the NZ Cyber Security Unit, Serious Fraud Unit, Health and Disability Commissioner (C20HDC00122; C20HDC01111), Privacy Commissioner (31126;31125), Ombudsman (519505), Independent Police Conduct Authority (19-0998; 20-4639), and Department of Internal Affairs.

    I wrote to the board, including former professor of law, Margaret Wilson, as interception of communications without the consent of the intended recipient or the sender is unlawful under section 216B of the Crimes Act 1961, the Search and Surveillance Act 2012 (stating only law enforcement have the right given a warrant from a judge), section 21 of the NZ Bill of Rights 1990, Article 17 of the International Covenant on Civil and Political Rights which was ratified by NZ and affirmed under the purpose of the Privacy Act 2020 (section 3), Information Privacy Principle 4 of the Privacy Act 2020, Ministry of Health standards HISO 10064 and HISO 10029, clause 8.2, and thus Right 4(2) of the Health and Disability Commissioner (Code of Health and Disability Services Consumers’ Rights) Regulations 1996.

    The former CE of Waikato DHB and the Waikato DHB employee who was intercepting the communications admitted to the interception in sworn affidavits, which were submitted to the District Court. The Waikato DHB IT department admitted to the interception in two recorded phone conversations. Clinical Records Team members, physicians, nurses and scheduling staff have stated, in writing and on recorded phone conversations, that they were unaware of the interception and they had not received my correspondence.

    To date, not one of the NZ Government Agencies or Members of Parliament have taken steps to address the issue. Not one has found this to be an issue. The police have gone as far as to say to me in writing and recorded phone conversations, that computers are not interception devices, offences under the Crimes Act are not matters for the police to investigate but is a matter for the Employment Tribunal, and that they will take the word of the offender over the evidence because they are a government employee.

    Check out FYI.org.nz: https://fyi.org.nz/request/14588-attn-mike-foley-interception-of-private-communications-by-waikato-dhb-staff

    This is the reality of the NZ Government and the bodies that Parliament has legislated to protect NZ citizens. I have yet to see any evidence that the NZ Government is interested in protecting anyone other than government employees.

  5. So here’s what I don’t get.

    Even if you click on an attachment in an email to run it, it can still only run with the permissions of the account that opened it.

    So to create the mess that it did, it either had to have been originally opened by somebody with some pretty elevated privileges, or the email passed from person to person being continually opened, until it found an account with sufficiently elevated privileges to cause havoc.

    Either that, or the Waikato DHB IT infrastructure has no recognition of granular permissions, so any account on the network has rights to access the backend of the system to generate havoc.

    Or, even worse, they are using an off the shelf system that hasn’t been secured correctly.

    It smells funny, this idea that it all comes down to one junior staffer, who accidentally clicked on a link in an email. There’s a catalog of errors that have contributed to this cluster. And either their CTO, or the Board – who dictate the rules the CTO can run under – have some explaining to do.

    But unfortunately, in this country, it looks again like higher management never need to explain anything like this if a junior staffer can be found to throw under the bus.

    Disappointed.
