Your leading voice in digital health news
Twitter X Logo

 
close
News
/

Urgent funding approved for cyber security at Health NZ

11 December 2024
By Reesh Lyon
Image: iStockphoto

A second urgent request in as many months for cyber security funding at Health New Zealand – Te Whatu Ora has seen implementation of an “improvement programme” that will run until mid next year.

Yesterday, Pulse+IT reported on an apparent $3.5 million funding shortfall for Health NZ’s Cyber Security Uplift (CSU) programme, as well the threat of a “funding cliff” for the programme in 2026.

Obtained under the Official Information Act, an aide-mémoire regarding the CSU programme was provided to Health Minister Shane Reti by Health NZ’s then chief of data and digital Leigh Donoghue in September and included a warning that an extra $3.5 million was “urgently needed this year.”

The CSU Programme ran for 3 years to June 2024, with additional operational funding for 2 ‘out years’ to maintain improvements, and was set up following the 2021 Waikato DHB ransomware attack, in order to improve cyber security across the 20 former district health boards and then Health NZ.

Asked by Pulse+IT if any further urgent funding requests had since been made, Health NZ’s chief information security officer Sonny Taite confirmed there had been.

“Yes, an urgent funding request to address the most critical cyber security improvements was approved at the end of October 2024. As a result of this urgent funding request, an improvement programme is running between November 2024 and June 2025.”

He added that the $3.5m shortfall identified by Pulse+IT had been resolved as part of baseline operational budget allocation, although more money had still been needed for the minimum critical cyber security improvement programme.

In response to the risk of a looming “funding cliff” for the CSU next year, due to no baseline funding being forecast for National Cyber Security beyond 2026, Mr Taite said the issue would be presented to the Finance Risk and Audit Committee this week. 

“Cyber Security funding is part of the 10-year Infrastructure Investment Plan and will be assessed as part of the wider digital services strategy. We are working to finalise the 10-year Infrastructure Investment Plan. A date for release is to be finalised.”

In response to questions about any ongoing gaps or vulnerabilities in Health NZ’s cyber security, Mr Taite said the CSU had achieved “significant uplift in cyber security maturity.”

“Subsequent gaps and vulnerabilities have been identified through security incident response activities and these vulnerabilities have been targeted within a minimum critical cyber security improvement programme” which would run until June next year, Mr Taite said.

The document seen by Pulse+IT also raised concerns about deferred technical debt remediation at Health NZ – referring to the cost of additional rework caused by choosing expedient systems over better approaches. It said that these costs and complexities had led to “rigidities.” 

“Necessary updates, fixes, or improvements are delayed as a consequence. Such outdated systems can be targeted by cyber attackers, particularly those that can no longer be updated or patched,” the document stated.

 Mr Taite confirmed that concerns about technical debt were still active.

“Yes, we have concerns about technical debt as outlined in the aide-memoire, however cyber security services delivered by the CSU and maintained throughout the remaining 18-month cabinet funding are designed to detect incidents and respond/contain them quickly.”

The document also referred to the return of previously allocated contingency funding in this year’s Government budget, although the accompanying sentences were redacted in the version seen by Pulse+IT.

The returned funding was originally allocated in Budget 2022 to “provide further funding to improve health system performance and achieve the aims of health system reform,” according to budget documents at the time,

Mr Taite confirmed to Pulse+IT that the return of B22 contingency funding had caused “delays” at Health NZ.

“While the removal of B22 contingency funding has caused delays across several programmes of work and their expected outcomes, we anticipate further investment into digital capability uplift following the release of the 10-year Infrastructure Investment Plan, which will work towards mitigating existing operational impacts.”

Leave a Reply

Sign Up to your leading voice in digital health news 

Join 20,000+ professionals reading the latest in digital health news.

Log in to Pulse+IT

Not a member yet?
Subscribe here
Forgot your password?

Explore by category

Aged, community and disability care Allied Health Asia Pacific Health IT Australian Digital Health Digital Health Opinion EU Movers and Shakers Irish Digital Health Movers and shakers New Zealand Digital Health Opinion Pulse+IT Blog Uncategorised 

Your leading voice in digital health news

Twitter X

Copyright © 2024 Pulse IT Communications Pty Ltd. No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher. If your organisation is featured in a Pulse+IT article you can purchase the permission to reproduce the article here.
Website Design by Get Leads AU.

Privacy Policy

Your leading voice in digital health news 

Keep your finger on the pulse with full access to all articles published on 
pulseit.news
Subscribe from only $39
magnifiercrossmenuchevron-down