Dr. Strangelove or: How I learned to stop worrying and love the Pentest – Health NZ collabor-action story

At the end of 2021 Tū Ora Compass Health, Medical IT Advisors and PenTest.NZ identified a major gap in the New Zealand primary healthcare ecosystem: most practices and service providers are unlikely to have ever tested their information security posture, whether from an external or an internal attacker perspective.

The reasons for cybersecurity gaps in health are easy to understand: conflicting priorities, a lack of risk understanding, perceived costs, a “we’ll be fine” culture, workloads, lack of skills, and so on.

Either way, the trusting and heavily interconnected nature of health networks, combined with increasing cyber-attacks, account and system compromises, data breaches, and malware and ransomware activity, presents a severe risk to the entire New Zealand health environment.

During 2022 the collabor-action project between Tū Ora, Medical IT Advisors and PenTest.NZ resulted in a penetration testing programme dedicated to primary health, funded at no cost to practices and co-designed and implemented by the three partners. The programme aims both to identify and report cybersecurity vulnerabilities, and to provide rapid cyber incident response for any historical incidents detected and/or existing breaches.

Outcomes and lessons learned

The pilot programme has been very successful, identifying many vulnerabilities that could be (or have been) exploited by malicious actors, as well as detecting and responding to account and system compromises and historical or active data breaches.

Some of the results were presented at the cybersecurity session of the Digital Health Week NZ conference, Rotorua, 5-8 December 2022, showcasing the project status, lessons learned, recommendations and next steps.

Testimonials and feedback

Feedback from the testing has been extremely positive. Here is what Dr. Richard Medlicott at Island Bay Medical Centre has to say:

“We supported Tū Ora and Medical IT Advisors to run penetration testing on our systems here at Island Bay Medical Centre recently. Cyber security is such a critical element of your business, I strongly endorse having this testing done.

The test was thorough and professional and led on to good discussions with our IT providers about ways to make our system more secure.”

And Darryl Elwin, the IT Manager for Masterton Medical Centre, has the following to say about how valuable the testing was for them:

“Being busy with the day-to-day running of the practice, it can sometimes be difficult to spot the cracks in the security of our networks especially if things seem to be running smoothly. It’s like the saying goes, you can’t see the forest for the trees.

When approached by Tū Ora with the offer of a pen test at no cost, my only thought was why would we not accept this offer? It was an opportunity to have a third-party specialist have an unbiased look at our on-premises and cloud-based systems and practices. The pen test itself was unobtrusive and we were unaware the tests were being run.

The resulting report gave us a clear direction on what work was needed and what work had priority. This gave us a clear action plan. We have completed the action plan and have a more robust environment as a result.

I would recommend any practice that is offered the opportunity of this pen test, seize it!”

TOP 5-ish vulnerabilities

  1. Default passwords and weak password policies
  2. Unprotected admin interfaces
  3. Unpatched software and legacy unsupported services
  4. Software misconfigurations
  5. Inadequate network isolation and segregation
  6. Lack of MFA, email protection, advanced controls
  7. Inadequate logging and auditing

Top recommendations

  • Yearly independent security assessment
  • Quarterly security assurance report from IT/third parties
  • Review findings, understand root cause, maintain a risk registry
  • Consider the potential historical abuse of the vulnerabilities
  • Create a roadmap for mitigations and budget improvements
  • Test your incident response policy and plan at least yearly
  • Train and test staff cyber awareness monthly
  • If nothing else, close ports, change the defaults, and enforce MFA!

Call to action

The programme is ongoing and open to any other health organisation, primary or not, in NZ and beyond.

Just give us a shout, don’t wait for a severe incident to test your cyber security resilience!

Penetration testing was provided by PentestNZ (pentest.nz) and by Medical IT Advisors (meditadvisors.com), a Managed Security Service Provider for healthcare organisations.