Modern Australian

Public health providers have to obey strict cyber security rules – so should private contractors

  • Written by Gehan Gunasekara, Professor of Commercial Law, University of Auckland, Waipapa Taumata Rau

Following a series of significant health data breaches, the government released a cyber security strategy and action plan to establish a national framework for responding to escalating cyber threats.

The strategy covers New Zealand’s critical infrastructure, from the electricity grid to transport, financial payment systems and the health sector. The government held consultations with each sector this week.

We argue better regulatory oversight is particularly urgent for the health sector.

Late last year, more than 120,000 New Zealanders had their medical records compromised when the patient data portal Manage My Health was hacked.

Then in February, the prescription app MediMap was taken offline after patient information was found to have been altered in a cyber attack.

These security breaches have damaged trust in New Zealand’s entire health system. They are being investigated as part of a government review and an inquiry by the privacy commissioner.

To stop this from happening again, the government must require all parties holding, transferring or sharing health data to be subject to regulatory oversight and mandatory audits, regardless of whether they are in the private or public sector.

Lack of a single cyber security law

From a public standpoint, the distinction between public healthcare providers and their private IT service providers is immaterial.

This is reinforced by section 11 of the Privacy Act, which says healthcare providers remain responsible for information handled on their behalf, even when using IT service providers.

However, a clause in the Health Information Privacy Code also lists IT providers as “health agencies”, which may result in confusion as to which agency is ultimately responsible.

Currently, New Zealand has no single piece of legislation that mandates enforceable minimum cyber security requirements. There are no explicit, binding due-diligence requirements in primary legislation for choosing IT services, beyond general privacy and security obligations.

We argue this needs to change.

Current issues with health data

When patients change doctors, their old records don’t disappear. They can remain on whichever system their previous practice used for many years.

One patient reported their medical files were still uploading to Manage My Health two years after their doctor’s practice stopped using the platform.

While providers are legally required to protect and manage this information, there is limited proactive auditing. Patients may not be notified unless or until a serious incident occurs.

Section 11 of the Privacy Act should be strengthened to require clear, auditable contractual commitments between providers and those acting on their behalf to store or process information.

Government agencies face strict rules because New Zealand’s protective security requirements mandate how government departments must handle sensitive information. If data needs protection when held by the government, it needs equal protection when held by contractors.

In the UK, any public or private organisation accessing patient data held by the public health system must complete a mandatory data security and protection toolkit annually. In the US, federal audits of healthcare providers are conducted under the Health Insurance Portability and Accountability Act.

Another example is Finland, which responded swiftly to a 2020 data breach at the private psychotherapy centre Vastaamo, mandating security audits for all healthcare providers, with no exceptions.

Vastaamo’s system, holding records of 33,000 psychotherapy patients, had stored sensitive data without encryption. Investigations found Vastaamo’s patient database was exposed through very weak administrator access controls and inadequate network restrictions, and that the system had not been subject to effective external security audits.

Since Finland strengthened and broadened mandatory external security audits for those handling patient information, no breach on the same scale has been reported. New Zealand should follow a similar approach.

As we await the findings from the inquiry and review on how the breaches occurred, the government should consider the following points:

Data storage and sovereignty

If data is stored on foreign-owned servers, foreign laws may apply regardless of the physical location. This is particularly relevant when we consider the implications for Māori data.

Due diligence and mandatory oversight

Government agencies must follow clear and auditable processes before trusting private vendors with patient data.

All private companies handling sensitive health data are already categorised as health agencies and must comply with the conditions of the Health Information Privacy Code 2020. Clear guidance should be given to doctors and health providers to help them determine whether they should entrust patient data to private companies.

Historic data

At present, rules regarding the retention and deletion of health data are found across multiple legislative codes. The ability to delete data is limited. We need better transparency and supervision across the system.

We argue New Zealand needs mandatory security audits for all healthcare data systems. We hope the government will enforce this.

Authors: Gehan Gunasekara, Professor of Commercial Law, University of Auckland, Waipapa Taumata Rau

Read more https://theconversation.com/public-health-providers-have-to-obey-strict-cyber-security-rules-so-should-private-contractors-279300
