Unusual activity: How to deal with cyber crime
06/03/24
Healthcare executive Justin Butcher likens hearing news of a cyber-security breach to being on a rollercoaster – “but not the fun kind”.
The CEO of Pinnacle Health will be speaking at the APHA 41st National Congress in April about the experience of dealing with an online attack on the group’s practices in five regions of New Zealand’s North Island.
“As Murphy’s Law would have it, I was driving home after about an eight-hour day when we first got word that there was some unusual activity in our systems,” Mr Butcher said.
“Initially we didn’t know the extent of that, and I was thinking ‘what does that mean?’ Those words, ‘unusual activity’ – it does open up a pit in the bottom of your stomach.”
In September 2022, it was determined that ‘malicious actors’ had accessed a third-party IT server used by Pinnacle Midlands Health Network.
The attacker took health information dating from about 2016 to 2022 and some of Pinnacle’s corporate information.
At the time, Pinnacle announced about 93 gigabytes of data were taken from the third-party IT server, with more than 18 gigabytes containing health information.
“The first thing to remember is that these cyber breaches are crimes, so Pinnacle was essentially the victim of a crime,” Mr Butcher said.
“For us, we had expertise in-house in our IT department, people who had been through this before at other organisations, so they knew what they were doing, and we looked to them first.
“We had the benefit of their expertise, and we had access to other resources as well, as we were finding our feet.
“And I have to say it wasn’t just our organisation, but the whole of New Zealand healthcare really wrapped around us to help.”
He said one of the first priorities was providing reassurance to Pinnacle patients.
“There was a lot we didn’t know initially, and we were upfront with that,” Mr Butcher said.
“We felt it was better to be honest and say, ‘We don’t know this yet’, rather than wait until the information was perfect before putting it out there.
“We knew that this would be very concerning for our patients.”
When Pinnacle first became aware of the incident, the affected IT system was taken offline and contained, and the company implemented its backup systems “safely and promptly”.
Mr Butcher said although subsequent analysis of systems showed no further evidence of malicious activity, it was important to remain vigilant.
“My advice to any organisation, is that this is a matter of when, not if, it will happen to you,” he said.
“Cyber-crime is escalating, it is so prevalent now, so you must assume it’s going to happen to you.
“It’s important to have a business plan in place.
“We all have business plans for events like natural disasters, or similar, but you also have to have a plan for cyber breaches.”
Mr Butcher will deliver a keynote speech about cyber security on day three of the APHA 41st National Congress, which is being held on the Gold Coast from Wednesday 10 April to Friday 12 April 2024.
