3 Questions about Waikato DHB hack

15
1211

Waikato DHB cyber attack ‘hackers’ make contact with health bosses

Hackers claiming to be behind a cyber attack that led to surgeries being postponed at Waikato public hospitals this week have made contact with health officials.

Tuesday’s attack brought the Waikato District Health Board’s entire IT network down, with officials now hoping to get the system back up and running by the weekend.

Police were investigating the attack that had affected Waikato testing laboratories, cancer treatments and email, phone and other services.

The crippling attack was also just one among a slew of daily cyber assaults hitting New Zealand’s health and hospital network, the Ministry of Health warned.

My 3 questions would be:

1 – Is it true Waikato DHB were cutting back on cyber security?

2 – What did Waikato DHB do when they heard the same attack had occurred in Ireland?

TDB Recommends NewzEngine.com

3 – This took weeks to set up,  are any other Public Services in danger of being compromisd?

Increasingly having independent opinion in a mainstream media environment which mostly echo one another has become more important than ever, so if you value having an independent voice – please donate here.

If you can’t contribute but want to help, please always feel free to share our blogs on social media

15 COMMENTS

  1. Of all the institutions in the world to target, they target a hospital? They hold a hospital to ransom rather than hacking the military, big finance or the elites? This is as putrid as bombing a hospital for political gain.

    • This doesn’t get military intelligence involved, at this point.. Which targeting military/police/banking/admin would do in a heartbeat.. This is a campaign for change, one must assume, so getting locked up or shot within a month of the outset is counterproductive..
      Question; How many people died as a result of the hack? Wouldn’t we want to keep it that way?

      • It’s ridiculous to have a hospital run military grade counter measures against cyber attacks with no military involvement. Just.., oh my fucken God. The fuck.

  2. Sadly in NZ, employers refuse to hire experienced and competent people and even if they do, managers often don’t listen to them, or senior executives don’t listen to what needs to be done and budget for it, so you actually have no ability to stop these types of attacks in NZ due to the culture of the organisations and companies.

    Stoping attacks comes down to having competent employees, IT oversight at board level and competent IT policies. Most of this is rare in modern NZ organisations. Therefore it becomes a surprise when entire organisations are stopped in their tracks for days (or permanently) by something that the management have not even been aware of.

    NZ Sharemarket suffered the same types of DDOS attacks. These attacks will continue in NZ. It is not just security but often entire flaws in design and architecture and policy of the IT that is a big part of the problem.

    NZ Sharemarket hired big names to do their IT, but this fails as the big names in NZ have followed a profit driven policy of getting the cheapest people they can find, and fail to pay or retain experienced, qualified people who will in the long term be much cheaper for their clients. (Likewise construction and most other industries in NZ which have had their experienced, best people cut, to make way for more and cheaper people who do what they are told).

    NZ’s policy of paying peanuts is getting monkeys.

    Likewise throwing a lot of people at a problem doesn’t help either when they are not at the level required but does generate a lot of consulting fees!

    Years of cost cutting and spending copious amounts on failed IT projects and not bothering to hire and retain the best people they can, is coming home to roost.

  3. Don’t worry about it. It’s just an online course been run in NZ for the kids to learn about how to write code.

    It looks like they all passed!

  4. This is not that hard to prevent. There’s even a good company with a good product here in NZ that could be used – RedShield: https://www.redshield.co

    The NZ Sharemarket was a great example SaveNZ. They actually had DDoS protection but didn’t want to pay to have it on all their online resources and actually instructed the company providing protection to do the wrong thing, against all their advice. Morons.

    The sad reality is that most NZ companies and public organisations:
    1. have nobody on their boards that understands or has experience in technology
    2. are a bunch of cheap asses who think of tech as a cost to be avoided, not an enabler for change
    3. reflexively won’t pay the rates needed to get really good people to advise and solve these sorts of issues
    4. once the shit hits the fan, they run to idiots like Big 4 accounting firms who routinely fuck up tech by hiring the cheapest people they can find and running them into the ground. e.g. Deloitte’s blowing more than $100m in wasted projects at Auckland Council.

    • It’s not just technical expertise that suffers. Almost all expertise is treated with badly concealed scorn by the NZ managerial classes. Those with MBAs and Marketing degrees are the worst. I think its because they understand their own disciplines and degrees are largely built on bullshit and so they project onto science engineering and the humanities.

      • For those that don’t have access to venture capital markets the Crypto currency market offers a lot of opportunities. Unfortunately from a regulatory standpoint New Zealand is seeding rapid industrialisation in general to overseas markets. We are basically going into a Crypto war and seeding our intelligence and advanced Miliatry Generals overseas. Not a good move.

      • +1 Richard Christie

        Sadly they put the marketing degree people in as the IT Tech managers and workers. Yep, you would be surprised how many personanal in marketing jumped into the IT space and now run IT projects with zero qualifications. Derek Handley was the governments choice for the CTO government role but left after having no IT qualifications, apparently government re-created the CTO role to share his salary over a group of people – so the $500k salary is now shared between a bunch of advisors who probably also have no high end IT qualifications. And that is the government’s approach to IT, get more, cheaper! No wonder the DHB’s now are not operable with a simple attack.

        • The MBA people are often even worse. Many have no qualifications and then get the quickie 1 year MBA to gain credibility … mixed with the professional neoliberals MBA holders who are the intellectual yet idiots types somehow leading IT (into ruins and the dark ages) to save costs that somehow are blown out instead and nothing works.

  5. There was a IT expert on National radio this morning saying he warned the Health Ministry a year ago that this was going to happen. It seems it is happening in many other countries. The hackers have a 2 pronged attack .The first is the patient disruption the second is they release personnal details of patients.
    I am retired now but the company I worked for had 2 hacks which cost thousands to sort out and huge disruption which hurt customer service . Both were caused by email attachments which should never have been opened.

  6. In 2019 I notified Waikato DHB (incident #345436), the Ministry of Health and the NZ Police (Assistant Commissioner Andrews and Sgt Bell, Case#190708/7781) when I found out that my emails were being intercepted by a Waikato DHB employee. I even contacted the NZ Cyber Security Unit, Serious Fraud Unit, Health and Disability Commissioner (C20HDC00122; C20HDC01111), Privacy Commissioner (31126;31125), Ombudsman (519505), Independent Police Conduct Authority (19-0998; 20-4639), and Department of Internal Affairs.

    I wrote to the board, including former professor of law, Margaret Wilson, as interception of communications without the consent of the intended recipient or the sender is unlawful under section 216B of the Crimes Act 1961, the Search and Surveillance Act 2012 (stating only law enforcement have the right given a warrant from a judge), section 21 of the NZ Bill of Rights 1990, Article 17 of the International Covenant on Civil and Political Rights which was ratified by NZ and affirmed under the purpose of the Privacy Act 2020 (section 3), Information Privacy Principle 4 of the Privacy Act 2020, Ministry of Health standards HISO 10064 and HISO 10029, clause 8.2, and thus Right 4(2) of the Health and Disability Commissioner (Code of Health and Disability Services Consumers’ Rights) Regulations 1996.

    The former CE of Waikato DHB and the Waikato DHB employee who was intercepting the communications admitted to the interception in sworn affidavits, which were submitted to the District Court. The Waikato DHB IT department admitted to the interception in two recorded phone conversations. Clinical Records Team members, physicians, nurses and scheduling staff have sated, in writing and on recorded phone conversations, that they were unaware of the interception and they had not received my correspondence.

    To date, not one of the NZ Government Agencies or Members of Parliament have taken steps to address the issue. Not one has found this to be an issue. The police have gone as far as to say to me in writing and recorded phone conversations, that computers are not interception devices, offences under the Crimes Act are not matters for the police to investigate but is a matter for the Employment Tribunal, and that they will take the word of the offender over the evidence because they are a government employee.

    Check out FYI.org.nz: https://fyi.org.nz/request/14588-attn-mike-foley-interception-of-private-communications-by-waikato-dhb-staff

    This is the reality of the NZ Government and the bodies that Parliament has legislated to protect NZ citizens. I have yet to see any evidence that the NZ Government is interested in protecting anyone other than government employees.

    • Well there’s your problem, right there. Mike Foley.

      He is one of those ‘faux experts’ in tech who cratered Watercare and Auckland Council’s IT capability and is now doing the same at Waikato DHB in his role as ‘Executive Director – Digital Enablement’. He is well known in the industry for not knowing what he’s doing and being an arrogant tool who won’t listen. Just another in the army of educated idiots that pass for the managerial class in NZ.

      • I was unfortunate enough to work with one of these types. Lauded by the senior executive and board level types who seem to go from job to job by acting as referees for one another. We went from having well structured and managed projects to a complete mish mash in nine months. All the capable staff had left within six months. Having spoken to people working at other organisations where this person was employed as a general manger in IT, the pattern was identical. Absolutely no technical expertise, constant hiring of contractors and consultants when expertise was in house and already well engaged in the project, bullying and intimidation of the in house expertise as they could see though the BS. Constant interference at a technical level this person was not capable of working at. I have attended many job interviews where a senior manager exhibited an entry level understanding of a technology, this no doubt widespread. Watch out for Agile evangilists. A great concept but often a smokescreen for incompetence.

  7. So here’s what I don’t get.

    Even if you click on an attachment in an email to run in, it can still only run with the permissions of the account that opened it.

    So to create the mess that it did, it either had to have been originally opened by somebody with some pretty elevated privileges, or the email passed from person to person being continually opened, until it found an account with sufficiently elevated privileges to cause havoc.

    Either that, or the Waikato DHB IT infrastructure has no recognition of granular permissions, so any account on the network has rights to access the backend of the system to generate havoc.

    Or, even worse, they are using an off the shelf system that hasn’t been secured correctly.

    It smells funny, this idea that it all comes down to one junior staffer, who accidentally clicked on a link in an email. There’s a catalog of errors have contributed to this cluster. And either their CTO, or the Board – who dictate the rules the CTO can run under – have some explaining to do.

    But unfortunately, in this country, it looks again like higher management never need to explain anything like this if a junior staffer can be found to throw under the bus.

    Disappointed.

Comments are closed.