Source: Radio New Zealand
MediMap is used by some health providers in aged care, disability, hospice and the community to accurately record medication doses. RNZ/Calvin Samuel
A hack at a second healthcare portal is being labelled a concern and a worry by a cyber security consultant who also used to work at the National Cyber Security Centre.
MediMap has shut down access to its platform while it looks into how it was breached on Sunday.
Health New Zealand is supporting it but said as a privately owned company, it is MediMap that is solely responsible for its security and it needs to do everything it can.
“I think any incident involving health information is concerning,” Jan Thornborough from Outfox told RNZ.
“Because we expect our most sensitive information to be well protected.”
That’s what Health NZ says too.
Its digital services acting chief information technology officer Darren Douglass said New Zealanders expected companies involved in healthcare to secure systems and platforms so private information was safeguarded.
MediMap is widely used in the likes of aged residential care, disability services, hospices and community health for prescribing and giving medication, and administration.
Facilities using it are now back to manual pen and paper.
Palliative Care Nurses New Zealand said it was very worried by the breach.
“Palliative care nurses are deeply concerned about the impact this may have on the safety, privacy, and delivery of care for our patients,” the group said.
“Any disruption places vulnerable patients at risk.”
In a message provided by the Nurses Organisation, one of its members at George Manning Lifecare and Village in Christchurch said staff were worried for their residents.
“Since MediMap stopped working we have had to double the number of registered nurses on each shift just to give medication, this requires a paper form from the pharmacy, everything from paracetamol through to controlled drugs requires a second checker to observe and sign along with the registered nurse administering,” they said.
“This process makes each medication round longer and means the risk of residents not receiving their medicine on time is high.”
Jan Thornborough from Outfox said it was the right move by MediMap to close its platform down to put a halt to further damage.
“So usually in the first 24 to 48 hours, it’s really important for them to assess what’s happened so that they can contain the risk and preserve any evidence so that when they get the right experts in, they can investigate it properly and actually find out exactly how the hacker got in,” she said.
“And once they’ve contained the problem and they understand the scope of it, then they can determine what the impact is both on the service itself, but also for their customers and implement an appropriate recovery plan for them.”
MediMap said the breach, which it called unauthorised activity, resulted in patient records being modified.
It said this involved information like resident names, dates of birth, assigned prescriber, location of care and resident status.
Thornborough said users of software or platforms had their own responsibilities as well as the companies providing it.
“Really this is a wake-up call for all New Zealand organisations, if they haven’t worked it out yet that cybercrime is not going away,” she said.
“We’re all operating in a digitally connected environment these days and they need to take ownership of where they put their information and who they trust holding on to it because at the end of the day, it’s a shared responsibility between the business and the vendor of a particular piece of software or a portal.
She said software or platform users had to do their own due diligence.
“And until the general consumer says ‘okay, I expect this level of security’, they’re not going to get it, basically.”
The latest health portal breach comes after a top-level review into the earlier Manage My Health hack was already underway.
Health Minister Simeon Brown, who called that breach unacceptable, commissioned the review and said there were lessons that needed to be learned.
The review started on 30 January and was expected to provide a final report on 30 April.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
