New Zealand’s Minister of Health Shane Reti was warned about potential cyber security risks and project shut downs stemming from massive funding cuts to Data and Digital at Health NZ just two days before this year’s budget announcement in May.
The warnings included that the national terminology service (NZHTS) could be shut down from next March, consumer digital health identity work restricted and work on the NZ Patient Summary ceased.
Dr Reti was also warned that there was “an operational risk of failure” of shared electronic health record services in three regions, and that the extension of IT systems beyond end of life was risking “ongoing security vulnerabilities and associated breaches”.
A document released under the Official Information Act – which was originally delayed then declined before finally being provided to Pulse+IT with substantial redactions – details a letter sent from Health NZ’s director of strategy & investment – data and digital Darren Douglass to the Minister’s private secretary on May 28.
The letter acknowledges the (then) pending cuts “related to the D&D B21 and B22 tagged contingencies,” which were funds allocated to data and digital in the 2021 and 2022 budgets that were cut in this year’s budget on May 30.
“As requested, I’ve summarised below the impact of the Budget24 savings related to the D&D B21 and B22 tagged contingencies,” Mr Douglass wrote to the Minister’s office, noting that the cuts were coming after a withdrawal of $106.3 million – $56.3m in operation expenditure over two years from FY25/26, and $50m capital expenditure over three years from FY23/24 – of Budget 22 Crown tagged contingency in August 2023.
Mr Douglass said the B21 Crown funding was intended to provide operational support, maintenance and improvements of the services established by previous investments in the health information sharing project Hira, as well as to fund technical debt efforts and enhanced cybersecurity services.
The B22 Crown funding was intended to fund “digital capability uplift investment in priority areas (modernisation flagships)” and in the immediate term, included such areas as enabling radiology transformation and strengthening data quality, reporting and insights.
“This is against the backdrop of a challenging legacy landscape with a large number of systems that are end-of-life/out-of-support/no longer fit-for-purpose (commonly referred to as technical debt), a significantly oversubscribed demand pipeline.”
Mr Douglass said the demand pipeline was a result of “long-term under-investment in digital”; a largely “unfunded” merger and acquisition effort that included “bringing together 28 entities and associated ICT ecosystems into a single integrated environment”; and the broader “emerging priorities” of health and digital modernisation.
Mr Douglass warned of the “continuation of legacy technology” and ways of working that included “paper heavy processes”.
He was also concerned about the extension of “end-of-life/beyond-end-of-life” systems which “also carries serious risks for the organisation.”
“These include ongoing security vulnerabilities and associated breaches, more frequent service outages, along with delayed response and recovery times.
“In addition, tech debt will continue to act as a drag on workforce productivity while impeding management’s ability to run services effectively.”
The letter then sets out a series of specific impacts, all of which were redacted in the OIA response provided to Pulse+IT, with the explanation that “as the information is under current active consideration and its release would harm the orderly and effective conduct of executive government decision making processes”.
“We have also considered the public interest in releasing the information. However, we do not consider that this public interest outweighs the need to withhold at this time,” Pulse+IT was told in relation to the redacted section of the document.
Meanwhile, a latter part of the letter explains that contingency funding of $20.1m annually was intended to operate and maintain services created by the foundational Hira Tranche 1 programme.
“Return of funding will necessitate pause/shutdown (or significantly reduced access) of a number of services,” Mr Douglass warned, foreshadowing Dr Reti’s confirmation of a pause on Hira in July.
Mr Douglass said a number of sector-facing services would be impacted from 1 July 2024, as a direct result of the budget cuts. These included:
- My Health Record app (with 70,000 registered users) would be restricted to only pandemic and disease response scope
- The National Terminology Service (which has 40 IT vendors connected) would be shut down at the expiry of the current service contract in March 2025 and further expansion deferred in the meantime.
- Consumer digital health identity (2.7m user accounts) used to access a wide range of services including the Aotearoa Immunisation Register, HPV screening and regulatory platforms such as assisted dying, would go into containment and utilised solely for pandemic and disease uses.
- Services to enable the NZ Patient Summary record to be integrated into vendor and sector products would be shut down.
- Hira’s underlying Connector (integration) platform infrastructure to advance sector interoperability will be shut down.
- Further budget demands that have recently come to light, such as ESR technology funding to cover retention of disease intelligence and laboratory data flows, would need to be funded from alternative budgets.
“Additionally, there is an operational risk of the failure of existing shared electronic health record services in three regions, which cannot be effectively mitigated without the services outlined above and this funding,” Mr Douglass said, adding that a “key primary care sector vendor” had signalled its intent to prevent the flow of data into the systems from the end of June 2024.
Mr Douglass said the immediate operational impacts of the budget cuts would be reduced access for consumers and clinicians to summary health data, continued lack of data standards adoption and systems interoperability, and reduced involvement in the trans-Tasman Sparked accelerator.
“Such collaboration has been the catalyst for a significant increase in NZ vendor and developer engagement in standards development. This activity will be paused,” Mr Douglass said.
The email cc’d Health NZ’s then chief data and digital Leigh Donoghue, whose role has recently been disestablished, with Mr Douglas filling the position on an interim basis.
Dr Reti has repeatedly told Pulse+IT that funding for data and digital is contingent on Health NZ’s expected 10-year infrastructure investment plan, which is due in December.
“Once Health New Zealand delivers a new 10-year plan that sets out the size and scale of investment needed for digital infrastructure, this will mean the Government can make informed decisions about putting resources where it will have the greatest impact.” Dr Reti has previously told Pulse+IT.
Health NZ has been approached for comment.