Your leading voice in digital health news
Twitter X Logo

Cyber security at Health NZ faces “funding cliff” as vulnerabilities grow

10 December 2024
By Reesh Lyon
Image: iStock


A major cyber security project at Health New Zealand – Te Whatu Ora faced a $3.5 million funding shortfall this year, as well as a “funding cliff” in 2026, according to documents seen by Pulse+IT.

Obtained under the Official Information Act, an aide-mémoire regarding Health NZ’s Cyber Security Uplift (CSU) programme was provided to Health Minister Shane Reti by Health NZ’s then chief of data and digital Leigh Donoghue in September this year, about a month before Mr Donoghue’s role was disestablished.

In a section titled “key action required – internal management” a warning in bright red lettering stated that an extra $3.5 million was “urgently needed this year”, although additional information accompanying that warning was redacted in the version provided to Pulse+IT.

However, the document does indicate that while the three-year CSU programme was concluded in June 2024, Health NZ was now in the first of two maintenance years as part of an overall five-year investment.

Of $24.2m allocated to the CSU in the current year, $17m was spent on vendors and another $7.2m spent on contractors, the documents still list a shortfall of $3.5m in FY25.

Also included was a warning about a “funding cliff” in June 2026, because “no baseline funding is forecast for National Cyber Security beyond 2026”.

Pulse+IT has approached Health NZ for comment on the funding shortfall and funding cliff, as well as other details set out in the document.

The document also raises concerns about deferred technical debt remediation at Health NZ. ‘Technical debt’ refers to the cost of additional rework caused by choosing expedient systems over better approaches.

“This cost and complexity introduces rigidities – necessary updates, fixes, or improvements are delayed as a consequence.,” the document states. “Such outdated systems can be targeted by cyber attackers, particularly those that can no longer be updated or patched.”

Large parts of the document are redacted, including several lines after the words “Given the removal of B22 Contingency Funding…” referring to the return of contingency funding to treasury in the government’s 2024 budget.

Budget documents state this funding was “established in Budget 2022 to provide further funding to improve health system performance and achieve the aims of health system reform”.

The advice to Dr Reti in September includes a table titled “Impact of Deferred Remediation (insufficient improvement actions taken)” which lists “Specific Incident/Type of Incident” and “Impacts/Potential Impacts”. However, the contents of the table are also entirely redacted.

Meanwhile, another section titled “Future funding – Cyber Security Improvements,” states that “Health NZ’s current financial situation necessarily means significant reductions in Data and Digital spending and projects”, foreshadowing the major cuts announced this year.

“This means less investment to reduce tech debt (including new debt, as existing systems fall further behind). This means vulnerabilities will continue to grow.

“Addressing this, and further uplift of cybersecurity capabilities across the health sector, will be a key focus of the 10 Year Infrastructure Investment Plan (covering both physical and digital infrastructure in a more holistic way).”

A paragraph stating that “Work is underway on the plan. By way of an early indication of work direction (being current intentions and work-in-progress thinking, so subject to change)…” is followed by two paragraphs that are entirely redacted.

“Some improvement activity cannot wait, and any urgent funding requests will be internally considered, to ensure that risks are understood and investment options, even if requiring reprioritisation, are actively considered.”

Background

Following the Waikato DHB ransomware attack in 2021, the government approved a five-year funding package, including three years of the CSU programme and an additional two years of funding to maintain improvements.

The programme focused on 10 building blocks to improve cyber security across 20 former district health boards and continued under Te Whatu Ora following the organisation’s restructure from July 2022.

The documents state that the CSU programme aimed to improve security leadership, response times, resilience, recovery, risk reduction and population awareness in New Zealand’s health system.

The advice to Dr Reti said the CSU programme had faced challenges “due to evolving organisational structures and responsibilities, the distraction of cyber incidents, and the ‘journey of discovery’ as some of the challenges of the inherited environment became more evident, leading to iterative prioritisation and a focus on high-priority issues in the second year”.

Dr Reti was told the CSU programme concluded in June 2024, “meeting its maturity uplift targets, on time and on budget”.

“The CSU Programme was implemented from January 2022 to June 2024 with a budget of $75 million for 3 years and $48.4 million of operational funding for 2 ‘out years’ to maintain improvements.”

Dr Reti was told that one of the intended benefits of the CSU programme was a “better understanding of the threat landscape and our vulnerabilities”.

“The Programme was never intended to address all gaps, but knowing that these gaps exist means we can now make informed decisions about how we respond.”

Pulse+IT has questioned Health NZ about any ongoing cyber security “gaps” or vulnerabilities.

Another request regarding an update on the New Dunedin Hospital’s budget challenges was also refused “on the basis that the information requested will soon be publicly available”.

Not all gloom for CSU

Dr Reti was told that “despite challenges”, the CSU programme had achieved its primary objectives on time and within budget, “significantly enhancing Health NZ’s cybersecurity posture,” including the establishment of:

  • The cyber academy prototype, providing a new pathway for recruits to enter the digital health workforce, focusing on equity and diversity.
  • Dedicated security leadership and the National Cyber Security function within Data and Digital
  • 24×7 security monitoring through the National Security Operations Centre (NSOC) to prevent disruptions from ransomware attacks, and enhanced endpoint protection to safeguard critical systems against malware
  • Technical response (CSIRT) and security incident management services ensuring swift response and recovery from incidents
  • Services focused on identifying and mitigating vulnerabilities through a vulnerability management service
  • Security assurance, consulting, and design services, ensuring robust protections are in place, particularly for high-risk and critical systems, by embedding security by design best practices into the planning and design phases of projects, reducing the risk of breaches and system compromises
  • National security awareness and education capability, including proactive measures such as continuous employee training to reduce phishing and credential harvesting risks
  • A “refreshed” health information security framework (HISF) to address emerging threats, providing relevant guidance and tools for health sector organisations.

Leave a Reply

Your leading voice in digital health news

Twitter X

Copyright © 2024 Pulse IT Communications Pty Ltd. No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher. If your organisation is featured in a Pulse+IT article you can purchase the permission to reproduce the article here.
Website Design by Get Leads AU.

Your leading voice in digital health news 

Keep your finger on the pulse with full access to all articles published on 
pulseit.news
Subscribe from only $39
magnifiercrossmenuchevron-down