Date: 2022-10-31

New Zealand’s geographical isolation makes no difference in cyberspace, CyberCX’s Adam Boileau said, and we need to learn from overseas examples (file photo).

New Zealand needs a dedicated cyber security minister, says an expert in the industry, on the back of a healthcare provider hack.

A cyber attack siphoned data and patient information from Pinnacle Health network on September 28 and it was uploaded to the dark web.

Attacks are ramping up around the globe, CyberCX executive director of security testing and assurance Adam Boileau said, and governments need dedicated resources to protect cyber and civil infrastructure.

“We need a dedicated Minister for Cyber Security to protect and regulate a sector that’s at the core of everything we do.”

New Zealand’s privacy laws were enacted when cyberspace and security were different issues, and needed to keep pace as security, privacy and information were foundational to society, he said.

“Trusting security and protection of data to the private sector is no longer enough,” he said.

“Australia appointed its first ever minister of cyber security a few months ago, and already we’ve seen the value in a dedicated role.”

He said following a “massive” data breach at Australia’s largest telecommunications company Optus, the new Minister of Cyber Security Clare O’Neil moved swiftly and publicly to hold the company to account and beef up legislation.

“It’s an example we should learn from - while New Zealand is isolated geographically, that makes no difference in cyberspace.”

Pinnacle chief executive Justin Butcher (right) said patient information was compromised in the cyber attack. (Photo: MARK TAYLOR/Stuff)

Privacy Commissioner Michael Webster would not comment on whether there should be a single minister for cyber security – as opposed to having several ministers whose portfolio responsibilities included a cyber-security component.

But he said the Pinnacle breach was a timely reminder for everyone to respect the personal information of others by not accessing any stolen information that gets published online.

“Any information which has come from this breach could be sensitive, which could cause a great deal of anxiety to the people affected.”

People affected by the breach should be on the lookout for emails, phone calls and text messages purporting to be from Pinnacle, financial institutions, telecommunications carriers, Government or other agencies that request you click on a link, provide personal or credential information, or request that you provide remote access to your device.

He encouraged those affected to enable two-factor authentication on their accounts to add an extra layer of security.

“Unfortunately, scammers and cybercriminals leverage privacy breach events in seeking to deceive community members to provide personal, account or credential information, infect devices, or motivate individuals to perform actions as part of a scam.

“If you are sent or find this information, do the right thing – let Pinnacle and the police know. Do not access or share the information and keep it quarantined until you are told to delete it.”

He said privacy and cyber-security protection required vigilance and regular review to ensure processes remain fit for purpose.

“Cyber criminals are constantly evolving their approaches.”

Webster said one of the major lessons from the Optus breach in Australia was the “critical importance” of only collecting and holding onto the information you need.

“The more data an organisation is holding, the bigger the potential harm. Organisations can mitigate this risk by ensuring they only collect personal information that they need for business purposes, that they adequately ensure it is safeguarded from harm, and then safely destroy it as soon as it is no longer required.”

He said all organisations should have a privacy or data breach response plan, that was tested in the same way you would have an emergency response plan for a fire or earthquake.

“It needs to be part of an organisation’s muscle memory. This includes how you would communicate with potentially impacted individuals while you are undertaking triaging to identify those who are actually affected.”

“Cyber criminals and scammers won’t wait for you to complete your processes and your customers/clients have the right to take action to protect themselves.

“Cyber attacks are growing, as are the costs of preventing and responding to them.”

A Pinnacle spokesperson said the 0800 number set up for those impacted had received 187 calls – as of noon on Tuesday – and no particular themes had emerged.

The information and data taken related to past and present patients and customers of the Pinnacle group in the Waikato, Lakes, Taranaki and Tairāwhiti districts.

It also included Primary Health Care Ltd practices from across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

This attack followed the hacking of the Waikato District Health Board in May last year, when sensitive patient data was stolen.

Netsafe would not comment on whether New Zealand needed a cyber security minister or about cyber security and legislation in New Zealand.