Does New Zealand’s healthcare system have a mature cybersecurity posture?
The number and sophistication of cyberattacks are increasing around the world, and healthcare is traditionally one of the most targeted sectors. In the 2020/21 year, the NCSC (National Cyber Security Centre) recorded 404 incidents with a possible national impact. Healthcare was a primary target; the financial cost to the sector is staggering, but the human cost is incalculable.
In the future of health, data will be more widely shared, collected, and analysed. Healthcare organisations will be positioned to create new value from this previously unavailable information, using it to drive operational efficiencies and help enhance consumer engagement. As this transformation advances, organisations will need to pay closer attention to data privacy and take steps to modernise data protection standards. They will also face added pressure to establish better cyber threat awareness, detection, and response capabilities. Ironically, the more digital healthcare becomes, the more exposed it is to threat actors.
In New Zealand, a 2020 update to the Privacy Act made it mandatory to report any serious data breach to the Privacy Commissioner, or risk a $10,000 fine. The same legislation allows a firm to be fined up to $10,000 for failing to apply reasonable security safeguards to protect the personal information it holds. In comparison, across the ditch in Australia, privacy legislation allows for a fine of up to A$2.2m, and even possible jail time for the executives involved, for a health data breach. Further tightening of Australia's cybersecurity regulations is widely expected following the mass data breaches suffered by telco Optus last month and health insurer Medibank this month. In the EU, a firm can be fined a maximum of €20 million (about $34m) or 4% of annual global turnover, whichever is greater, for data breach infringements under the GDPR privacy regulations, and up to €10m or 2% of revenue under an updated cybersecurity directive introduced this year.
While it is not possible to eliminate cyber risks altogether, it is essential that we improve the resilience of our health and disability system so we can minimise the risk of disruptions to healthcare services in the event of a cyberattack and better protect sensitive health information.
A 'cybersecurity roadmap' has been drawn up by the ministry identifying areas of risk and priorities for improvement. In addition, the National Cyber Security Uplift Programme is looking to significantly raise the security level of New Zealand's health system. Three core areas of improvement have been identified: improving sector capability; sector protect; and sector detect, respond and recover.