New Zealand’s Northern Region simulates major cyberattack on its health system
New Zealand’s Northern Region simulated a major cyberattack on its health system, saying it is a case of “when, not if” an attack will eventually occur.
healthAlliance systems operations manager Simon Long presented at the HiNZ Conference 2018 in Wellington on 23 November on the mock incident, called ‘hot chilli’, which was run by the shared services agency. healthAlliance is one of the most significant shared services organisations for the health sector in New Zealand and jointly owned by the four Northern Region district health boards (DHBs) : Northland, Waitemata, Auckland and Counties Manukau Health.
Long said low-scale cyberattacks on the health system happen on a daily basis and the mock incident escalated the scenario into a major attack that affected a number of systems.
“The objective was to create, test and improve a regional view of business continuity and the recovery capability,” he told attendees.
The exercise involved the four northern DHBs – Waitemata, Auckland, Northland and Counties Manukau – and was designed to be as close to real life as possible, so staff were not forewarned. Around 27,000 people work across the DHBs and healthAlliance.
The mock attack involved the email systems being unavailable due to hacking, no wi-fi access on the sites and the data integrity of the clinical systems being untrustworthy, meaning National Health Index numbers were not validated.
The simulation started at 9am and finished around 4pm followed by a debrief and “it was a really interesting day for everybody involved,” said Long.
Key learnings were that one can never over-communicate in a crisis situation and the huge value of practice to get better and become more efficient.
Long said other organisations had since asked healthAlliance for help in this area and the agency is happy to share its learnings.
Ministry of Health chief security adviser Nick Baty presented with Long on his involvement with ‘hot chilli’ and how the experience has fed into the development of a health sector cybersecurity event response plan.
In the article “Ethical hacking: What to look for in a pen tester”, author Jessica Davis notes that simulated attacks on a healthcare organisation can help infosec leaders assess their security posture, but not all pen testers are created equal and not every provider is ready to be tested.
Pen testing is the practice of simulated cyberattacks on an organisation’s network or a specific function, such as IoT devices or web apps. The goal is to identify any system flaws or weaknesses and just how likely it is that a hacker can exploit these vulnerabilities. Lee Kim, director of privacy and security for HIMSS North America, said that a pen tester should have “real world experience and experience in business environments like [healthcare].”