18 May 2021

Inside Waikato DHB’s cyber attack

And what can business learn from it?

By Dallas Gurney

While certainly the highest profile victim, the Waikato DHB weren’t the only organisation facing cyber security issues today.

The DHB, which is the main public health care provider from the Coromandel in the north to Taumarunui in the south, fell afoul of hackers this morning (Tuesday 18th May, 2021), causing major disruptions to health services throughout the entire region.

Phones went unanswered, patients turned up for appointments the DHB didn’t know they had, and staff were reduced to using pen and paper with even the most basic software like Microsoft Word inoperable due to the cyber intrusion.

It’s a stark reminder of the extent to which a cyber attack can bring an organisation to its knees.

In 2014 Sony Pictures suffered a similar catastrophic event when they were attacked, likely by the North Korean state, as revenge for the release of Seth Rogen’s movie The Dictator.  The movie told the fictional story of the assassination of North Korea’s supreme leader, Kim Jong-un.

The North Koreans were not impressed.

The Sony hack led to the release of very delicate information such as staff salaries and personnel files, but even more embarrassingly revealed internal emails describing what the studio really thought of some particularly precious actors.  The hack affected every part of Sony Pictures, shutting down security systems, photocopiers, phones and even the EFTPOS machines at the cafes surrounding their Hollywood HQ.

This is much more than just not being able to access files for a day or two.  A hack like this quickly becomes the only thing an organisation is focused on.

The private nature of health care information will also be a major concern for the DHB.  If patient files get into the public domain, this could represent one of the most significant privacy breaches in New Zealand history.  At Serious, we’ve simulated a catastrophic data breach for health care clients before – when you start thinking about what could happen should patient records get into the wrong hands, downed phones and embarrassing emails are the least of your worries.

They probably won’t know the extent of this attack for some time.  The average hacker has been inside a system for months, slowly finding their way around your drives and discovering your most intimate secrets in their own sweet time.  Then one day, bam.  For the Waikato DHB, that day was today.

DHB leadership have made a good start, at least.  The CEO has been front-and-centre.  They’ve come out and said they’ve been breached, which is always preferable to saying nothing and letting the public work it out by themselves.  Sadly, so many organisations fall into this trap – they’re embarrassed, so they try to hide it.  This approach very rarely works and more often leads to public mistrust and a sense the organisation is out of its depth.

An option most in this position flirt with is paying off the hackers.  I’ve spoken before about how tempting, albeit morally corrupt, this option can be.  Thankfully, this is clearly not a consideration for Waikato DHB; the government – let alone the public – would not stand for public money being funnelled to a gang of cyber criminals.

I trust the Waikato DHB is getting the best advice they can pay for from a trusted cyber security partner as well as government agencies like CERT NZ and the NCSC.

And I hope they will continue to be as open as possible about how they are resolving this issue.  The DHB shouldn’t be embarrassed: according to CERT NZ statistics, at least 30 other organisations suffered a cyber breach today.  They might be a lot less public, but they have just as much to lose.