A monthslong outage at a district health board in New Zealand revealed that a number of missteps can happen during a cyberattack, in spite of having a response plan in place. Pictured: The New Zealand flag flies at half-mast at Parliament to mark the death of Queen Elizabeth II on Sept. 9, 2022. (Photo by Lynn Grieveson/Getty Images)

An assessment of the monthslong outage at New Zealand Waikato District Health Board last year revealed that despite being prepared and clear awareness of cybersecurity priorities, the response was dogged by a lack of practiced preparedness and a number of other missteps.

Although the health system “had extensive policies and procedures in place that covered topics of cyber and information security, awareness, and response” that were closely followed ahead of the May 2021 attack, the report confirmed that WDHB failed to test its plan for functionality in a practice environment before the incident.

The incident response plan even included the recommended addition of clear assignments of roles and responsibilities, and the workforce members “clearly understood that cybersecurity needed to be taken seriously.” WDHB also underwent independent security assessments and monitoring of security controls on a regular basis.

But the plans were generalized and didn’t take into account any specific threats or risks. And by failing to practice these measures, WDHB faced “issues in the plan's practicality in some areas,” such as prioritization for recovery and restoration.  

As Margie Zuk, senior principal cybersecurity engineer for Mitre and the cyber engagement lead for healthcare in the Mitre Cyber Solutions Technical Center, previously told SC Media: it’s crucial for organizations to both identify the systems needed to maintain patient care in tandem with well-practiced response plans. “Those are the critical pieces,” said Zuk.

WDHB was assessed by InPhySec in the wake of the cyberattack, but also amid an ongoing transformation of healthcare system management processes brought on by a merger into Te Whatu Ora in early 2022. The merger is just one factor of the report’s conclusion.

Notably, the report also compares its cyberattack and incident response to the Ireland Health Service Executive’s data exfiltration, ransomware attack, and network outage that occurred during the same time period in 2021.

While the report is concentrated on a global healthcare provider, U.S. covered entities should be keen to review the post-mortem report and adhere to the security team’s recommendations where applicable to prevent similar results.

WDHB ransomware attack, in brief

As previously covered by SC Media, WDHB was struck by a ransomware attack in May 2021. Electronic Health Record downtime procedures were launched, prompting the use of pen and paper processes, canceled appointments and surgeries, and prolonged care delays.

The report omitted the name of the ransomware actor, but specified that WDHB was hit by a ransomware-as-a-service group. “Therefore it can be hard to pin what group executed an attack.”

The health system hired hundreds of outside IT workforce members to support its recovery efforts, which allowed the team to restore 20% of its workstations and half of its servers within a month. However, outages persisted with its phone lines, clinical systems, and IT services. In fact, the only service untouched by the cyberattack was the email system.

At the time, on-site clinicians and staff members reported to local media outlets that there was “chaos” at the impacted hospitals, with no way to send lab images between departments, access patient notes or health records. The public was also urged to not visit emergency departments unless it was a life-saving incident.

In total, WDHB was down from May 2021 through November 2021. The report shows that, even then, some systems were still not fully functional after the five months of downtime. It remains one of the longest-standing network outages against a hospital.

Positive measures prevented worst-case scenario

The report is careful not to assign full blame to WDHB, given the sophistication and spate of ransomware attacks facing the sector as a whole. In particular, four other health systems were hit and brought into EHR downtime during the same time period of WHDB’s attack.

At the time of the initial hack, WDHB was undergoing a “significant reorganization,” including a “demanding agenda” of staffing and organizational changes. The report noted that “the board itself had been set aside, and its work placed in commission” by the government.

Those changes meant that workforce members were relatively new to their positions at the time of the incident, and “the whole organization was coping with a significant, demanding operational programme,” all while the COVID-19 pandemic continued to rage across the globe. 

“These challenges were demanding and at times preoccupying for all involved. In these circumstances, it is noteworthy that the impact of the ransomware attack on patient delivery was significantly less than might have been the case,” according to the report.

While all of these elements could have amounted to a worst-case scenario of significant care disruptions and a massive data breach, the report authors explained that WDHB avoided it completely as it kept its backups off site with a third party and weren’t accessible to WDHB.

As such, “restoration via backup was always feasible, and so these potentially dire outcomes were avoided,” the report stressed. That’s not to say the impacts were not severe. Rather, the situation could have been much worse if the hospital had not been operating under a reduced capacity.

WDHB was also spared by the rapid changes it made to support the pandemic response with an uptick in support measures for its remote workforce and adaptations made to its IT systems.

Further, the report authors lauded Te Whatu Ora for “putting a lot of effort into cybersecurity planning… Effective planning and security considerations from the start could greatly reduce the risk posed by legacy systems in the future. This needs to be well-targeted to allow for planning and resourcing decisions that reflect an accurate risk assessment.”

Te Whatu Ora should take it a step farther and perform “risk modeling based on actual health IT systems, including legacy tech to determine precise vulnerabilities and risk of compromise or degradation.

What goes wrong when response plans aren’t practiced

However, it was those same tech expansions during the pandemic that further complicated response and recovery of the IT network. As many U.S. entities were warned, the rapid expansion of remote services and tech equally expanded the threat landscape.

WDHB was not spared from those impacts, as its “health systems were more networked and more dependent on data exchanges than had been consciously realized.” Specifically, the evolution of its health data ecosystem over many years was largely driven by clinical needs, and “in many cases without the knowledge of IT teams.”

“This has implications for how risk and security was approached and managed, and how it should be considered in the future,” according to the report. It will remain a foundational challenge amid the Te Whatu Ora merger and will require the identification and further security for its digital assets, particularly as it’s in a constant state of change.

The report also reiterated the incident planning needs, including realistic exercises that will empower the response team to “experience and respond to significant adverse events.” A virtual IT environment was recommended, which would allow health IT and data systems to be “tested quite literally to destruction in a safe environment so that best responses may be evaluated.”

“Looking ahead, making future systems resilient… will be increasingly important as attacks and yet to be identified possible attacks continue,” the report authors wrote. To do this, WDHB, and frankly all provider entities, must understand and limit vulnerabilities within the enterprise environment.

The report suggested the use of SOC/SIEM services for continuous monitoring, network segmentation, access controls. By combining these steps, providers can reduce the probability of a successful attack and “greatly diminish the potential impact any successful attack may have.”