Five per cent of Waikato District Health Board's workstations were running out-of-date software susceptible to viruses and malware shortly before a cyber attack paralysed services at its five hospitals in May.
Waikato Hospital. Photo: RNZ / Simon Rogers
Cancer patients had to be transferred and elective surgeries postponed amid the chaos of the attack by hackers, which brought down the DHB's 600-plus servers and resulted in the private information of employees and patients being leaked onto the Dark Web.
In March, just two months earlier, the DHB was using Windows 7 on some of its workstations, a 12-year-old software that Microsoft ended support for in January 2020.
On its website Microsoft said while Windows 7 could continue being used, without software and security updates it would be a greater risk for viruses and malware.
"Going forward, the best way for you to stay secure is on Windows 10. And the best way to experience Windows 10 is on a new PC. While it is possible to install Windows 10 on your older device, it is not recommended."
The DHB said it was using Windows 7 because of "application version compatibility between the Windows 7 operating system and certain applications in use".
According to the DHB's 2019/20 annual report, 33 per cent of computer devices used by staff were more than five years old and 41 per cent of staff computers were too old to run Windows 10.
The DHB refused to answer a number of wide-ranging questions lodged in June and July by Local Democracy Reporting about the cyber attack, including why such old computers were being used by some of its 8000 staff.
The questions were treated under the Official Information Act (OIA) and a response was only provided on 28 October, prompting criticism from the Chief Ombudsman who said the DHB failed its obligations under the OIA to respond within 20 working days.
In the response, the DHB's executive director of digital engagement, Mike Foley, declined to say how the hackers got in, what the cyber attack cost the DHB, or when the DHB's last information systems disaster recovery test was performed prior to the attack.
However Foley said server patching, which is the installation of critical software updates for IT security purposes, was up-to-date prior to the attack and that the DHB followed best practice guidelines when it came to server patching.
The DHB's annual reports show server patching targets were introduced in the 2020/21 financial year, with no targets for the five years prior.
The target for devices was 85 per cent while for servers it was 100 per cent, and Foley pointed to these being up-to-date when asked if the targets were being met.
Foley said the DHB introduced targets to ensure the objectives were met and track progress "in the interests of accountability".
Investigation into the cyber security incident was ongoing but Foley said, with the exception of eight production servers and eight test servers, the DHB's 611 servers had been restored to their original state.
Fourteen agencies helped Waikato DHB at various times during the ransomware attack recovery, including the Privacy Commissioner, police, the Ministry of Health, the NZ Transport Agency, ACC, IRD, the Department of Internal Affairs, the Government Communications Security Bureau and the National Cyber Security Centre.
When asked if it was correct 20 staff had resigned from the IT department following the attack, Foley - who joined the DHB in August last year - said the requested information did not exist.
Shortly after the attack the DHB was advertising for a chief information security officer, a role Foley said was initially advertised in the third quarter of 2020 following an organisational review.
A cloud/technology architect position also being advertised then was to fill a vacancy in the team, he said.
Between 1 July and 30 September the DHB had nine fixed-term and 35 permanent position vacancies in its 157-strong IT team. At the time of responding to Local Democracy Reporting, there were 18 open roles.
A spokesman said vacancy levels for Waikato DHB's Information Systems service were aligned with the industry average.
On 10 September the DHB said it planned to notify "another group of around 4200 people whose personal information was disclosed".
When asked how many people had contacted the DHB regarding potential privacy breaches, Foley said as of 28 October there had been 45 queries, about half of whom were "identified as having personal information contained in the impacted dataset" and requiring notification under the Privacy Act.
Foley said the DHB was not aware of any claims for damages or anticipated or threatened legal proceedings relating to privacy breaches.
When asked if the DHB could guarantee patient and employee data was now secure, Foley said: "We are fully committed to the privacy and security of data held by Waikato DHB".
"The protection of our digital systems remains an important focus. Waikato DHB continues to strengthen and improve our technical and operational security measures to deliver safe healthcare services to the community."
The DHB, in a separate OIA response, declined to release its IT risk register.
Local Democracy Reporting is a public interest news service supported by RNZ, the News Publishers' Association and NZ On Air.
