Waikato District Health Board was warned its IT security was inadequate and severely compromised just months before a massive ransomware attack that brought Waikato Hospital to its knees.
An internal cyber security document dated December 2020 also warned that a lack of training meant staff posed an unintentional threat to its systems.
However, Waikato DHB said the strategy was only a draft that was part of a wider digital strategy about to be heard by the DHB's commissioners when hackers struck on May 18.
The draft strategy, seen by Local Democracy Reporting, says the DHB's IT security was compromised by outdated systems, infrastructure and staff resourcing, making it a sitting duck for a major cyber security attack.
In the aftermath of the cyberattack, some cancer patients were transferred and elective surgeries postponed as hackers brought down hundreds of servers and patient and staff information was dumped on the dark web.
The strategy said at the time there was no cyber security incident response plan and noted the urgent incident response option available to staff at Waikato Hospital was to "unplug network equipment".
It appears to be a damning indictment of the state of IT security at the DHB five months before the cyber security breach.
The 32-page report said Waikato DHB:
- Was still using Windows XP on some systems, a software released in 2001 that has been unsupported for five years;
- Relied on "perimeter security" such as firewalls, blocking, and malware protection that was becoming outdated as the DHB moved to cloud-based services;
- Struggled with multiple IT applications with inconsistent functionality, most very old and with poor support if any;
- Was behind on patching, the installation of critical software updates for security purposes;
- Did not have enough IT staff to manage and co-ordinate IT security with no cyber security specialist, and investments in cyber security were not prioritised;
- Did not have continuously monitored cloud services to detect suspicious behaviour;
- And did not have appropriate policies or training for staff around IT security.
The strategy, authored by two DHB employees, estimated the DHB had at least 800 software applications, many of them known to be duplicating significant functionality.
"Some of the legacy systems do not have security setups that can be modernised to protect against current security threats, and the majority are based on technology that is so old that it can no longer be patched or updated to guard against emerging security threats."
There was no procurement policy designed to monitor and regulate the purchase of medical devices used in patient care.
This meant they were often bought based on vendor demonstrations without consideration of compatibility.
"As a result, the DHB has many systems and devices that were acquired to perform a clinical role but which have many security holes that are difficult to plug."
The strategy gave an example of clinical devices connectable to the internet that were running Windows XP.
"These old control systems cannot be patched, and when the machines are plugged into the network they pose significant risk to the DHB's network and other devices."
The devices had poorly-configured IT security controls that could be compromised by malware, resulting in bad readings, corrupted data, or even being hacked for patient data.
"This creates clinical risk for patients and for the DHB."
There was also no "follow-you" printing model at the DHB, meaning unauthorised parties could potentially view printed information at the printer.
The document said a skills deficit in the IT unit meant the DHB's IT operations approach was to reduce cyber risk by locking systems down and limiting access.
"DHB clinical staff have responded to this by turning to 'shadow IT' - informal software applications and personal hardware devices - which in turn increases IT risk even more, creating a never-ending risk cycle that gets worse with every turn."
With a limited budget, Waikato DHB was faced with a difficult choice when allocating resources, the report said, and cyber security had not been a priority when the DHB was struggling to meet minimum requirements for IT provision to support the delivery of healthcare.
"This trade-off is a common one at the DHB, even though the consequences of a targeted cyberattack would be catastrophic for patient safety."
Sources told Local Democracy Reporting the draft strategy was abandoned because of cost but Waikato DHB chief executive Dr Kevin Snee said: "This was a working document that was an input into the broader Digital Health Strategy that subsequently came to the executive on May 13."
"It proposed substantial investment into digital technology, was supported by the executive, and was due to go to the commissioners on 26 May but was interrupted by the cyberattack."
A DHB spokesperson said the work had been initiated by the DHB's new digital leadership to address any areas that required attention, and support the migration to new solutions such as cloud-based applications, which would also introduce new cyber security considerations as it moved systems outside the "perimeter security" setting of firewalls, intrusion and malware protections.
"The document had not yet reached final draft, had not been reviewed or qualified and had not been presented to management or governance."
The broader Digital Health Strategy, which would have involved substantial investment, was presented to the executive and supported on May 13 and was due to go to the Finance Risk and Audit committee on May 26, the spokesperson said.
"The security strategy work would have informed the Digital Health Strategy as one aspect of that wider programme."
It had not been costed and any associated work programmes not confirmed.
"This work was interrupted by the cyberattack but has now been restarted."
When asked whether the strategy could have prevented the attack if implemented, the spokesman said elements described in the strategy were under way and in some cases accelerated, such as the migration to the Cloud and organisation-wide adoption of Windows 10.
"...There is no current evidence to indicate whether full implementation of the draft long-term strategy would have impacted the May 18 event."
The spokesman said Windows 10 was deployed on all compatible machines at the time of the cyber-event.
"It is noted that it is not possible in all instances to run Windows 10 due to specific peripheral hardware or medical compliance needs. Mitigations were taken to protect those machines."
The DHB has now recovered from the attack and is continuing to investigate what led to it.
To date, it has not said what cost has been incurred by the incident but more than 4200 people were affected and at least 22 people have notified the DHB of a privacy breach.
Complaints have also been lodged with the Privacy Commissioner but a spokesperson would not say how many.
Local Democracy Reporting is a public interest news service supported by RNZ, the News Publishers' Association and NZ On Air.