Source: Radio New Zealand
RNZ / Finn Blackwell
- Cyber-security expert says Manage My Health ignored warning about lax security two years ago
- Experts criticise “high trust” system of self-regulation
- Lack of government regulation is result of industry lobbying against “red tape” – political pundit
- Digital Health Association says “stronger penalties alone” won’t stop breaches and what matters most is having a clear, consistent regulatory framework
- Health NZ considering independent testing of third-party services such as patient portals
IT experts allege Manage My Health ignored warnings about vulnerabilities in its cyber-security for years – but the regulatory vacuum meant the company was not required to take action.
About 127,000 New Zealanders have had their information stolen in the ransomware attack after hackers were apparently able to obtain a password giving them access to part of its database containing more than 430,000 documents.
Auckland University cyber-security expert Dr Abhinav Chopra said he discovered the holes in Manage My Health’s system two years ago when he was trying to find out why it was still holding onto his health records after his GP moved to a new provider.
In an email to his GP, Manage My Health and eventually the Privacy Commission, he listed all the problems, including the lack of multi-factor authentication and the fact that multiple administrators had access to unencrypted files.
“This is the same pattern. They should have invested. They’ve had two years and these are the exact same areas that have caused them the issue.”
The company did not respond to him, he said.
Manage My Health has said it is required to hold onto patients’ data – even if their GP switches provider – unless patients de-register themselves.
However, Chopra believes Manage My Health could have another reason for holding onto patient records.
Its own website proudly notes its database of “1.8 million Kiwis” and its ability to get its customers’ message to them “when they’re thinking about their health”.
“If this company did not have any commercial gains to make out of this data, then they would not be paying the extra storage costs for this data,” Chopra said.
Terms and conditions gave company an ‘out’
A Wellington IT worker caught up in the Manage My Health data breach – whom RNZ has agreed not to name – also questioned the lack of regulatory checks and balances.
“Health services that have this information and these functions should be subject to the same scrutiny and compliance requirements and auditing as financial institutions.
“If your banking app is down, it’s a huge deal and it gets lots of scrutiny.”
However, Manage My Health’s users could not say they were not warned, she said.
“The irony is that I actually read their terms and conditions, and they haven’t breached them because their entire terms of usage is they can’t guarantee their system is any good or that they’ll fix it, even if it’s foreseeable and they know about it.
“It’s essentially, ‘We can’t guarantee our product doesn’t suck, but here, give it a go’.”
Digital specialist Callum McMenamin (who also alerted Manage My Health to its security vulnerabilities six months ago) said the 300-page Health Information Security Framework contained many good things – but entirely relied on “hand-wavy” self-regulation.
“It’s all just a high trust system where the government sets the standards but then closes its eyes and doesn’t check if the standards are actually being met.”
Industry has opposed regulation – commentator
According to political analyst Bryce Edwards from The Democracy Project, the lack of regulatory oversight was “not an accident”.
The Digital Health Association – the industry body for health software vendors – had lobbied against what it called “overly burdensome privacy laws and regulation”, he said.
“They have time and time again asked government to keep the rules on privacy quite weak and relaxed so the companies that deal with data are not subject to too much of what they call ‘red tape’ or essentially costs on them.”
Successive governments had ignored warnings from three Privacy Commissioners over the last 15 years of the need for stronger penalties, like in Australia, where errant companies faced multi-million dollar fines, Edwards said.
The Digital Health Association pushed for the repeal of the Therapeutic Product Act, which would’ve regulated software as a medical device with surveillance and penalties for non-compliance, he continued.
“If you don’t have these rules, if you don’t have penalties for companies not looking after data, it means they can often be quite lax. They don’t have good systems because they don’t have those incentives.”
Industry group advocates for “better” legislation
Digital Health Association chief executive Stella Ward said the organisation did not oppose the Therapeutic Products Act (TPA).
“Across all our submissions and briefings, we repeatedly advocated for better regulation – not less.
“Our concern was that the Bill, as drafted, lacked clarity and risked creating broad, impractical definitions that would not achieve best‑practice oversight.”
The association supported “the intent” of the Bill: ensuring modern, fit-for-purpose regulation that keeps New Zealanders safe, she said.
Current privacy penalties were low by international standards – but international experience showed that “stronger penalties alone do not prevent incidents” and continuous investment was required.
“What matters most is having a clear, consistent regulatory framework that supports safe, efficient delivery of digital health services while protecting patients’ rights.”
Health NZ mulls independent cyber-security auditing in future
Health NZ said it was Manage My Health’s responsibility to ensure the data they were contracted to manage was “safe”.
The Health Information Security Framework (HISF) – published by Health NZ – was intended to “guide” the health sector in the secure use and management of health and information technology.
“Health NZ expects health sector providers to have safeguards in place to protect health information, including assessing the security of their IT service providers, aligned to the recommendations of the HISF.”
However, a spokesperson indicated oversight could be introduced in future.
“As Health NZ progresses implementation of measures to increase the accessibility and security of health information, we are considering what further assurance of third-party providers against regulations and standards is required.
“This may include independent testing of third-party services such as patient portals.”
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
