During a visit to Microsoft and Google headquarters in California six years ago, their software systems analysts went to great pains to stress to our group of Whānau Ora health service providers the need for adequate cyber security.
At the time I felt they went a little overboard, kept insisting the information and data we collected was always at risk and might be of interest to someone else other than just ourselves.
Tradeable in fact. Software protection must be taken seriously otherwise it could be our undoing.
We learnt American businesses live daily with cyber attacks. They accept it can occur at any time and particularly vulnerable are the large, multimillion-dollar health and insurance companies.
And when their cyber security systems are hacked these big boys pay up.
This surprised us, but they explained that Americans hold information about their health, income, assets and taxes to be sacrosanct. Must remain protected and private. Surely this applies to New Zealanders as well.
Businesses pay up when ransom is demanded to restore what is hijacked. The reputational damage, shareholder and client reaction and loss of public trust would be so damaging if the hacking became public knowledge, the conglomerates would not survive.
Better to pay up and shut up, let the cyber criminals win.
It was further explained that the boards of directors and executive teams of these corporations have significant stock holdings, viewed as their savings and retirement funds. This plays a major role in the decision to pay ransom.
They pay rather than see their stock value wiped out.
I would hazard a guess that by raising administration fees and premiums over the next two years, the ransom amount would be recuperated. These are huge organisations with thousands of members.
What I found particularly disturbing was that the cyber attacks are usually detected only after three months of hacking activity. Think of the damage that can be done over that period. The criminals would have a field day knowing no adequate cyber security software systems are in place.
Nothing to warn the business; no early signals, red flag alerts.
"We can take our time on this job, let's come back next week" might be brazenly trumpeted by the hackers.
Both Microsoft and Google stressed the responsibility for cyber security rests squarely with boards of directors. The CEO, IT management and software consultants may be coerced to take the fall but ultimately, the board must accept responsibility.
It is their job to ensure all business risks, including cyber security, are identified and tackled, no matter how challenging.
The cyber attack on the Waikato District Health Board is unfortunate, but we should not be surprised. Sensitive information makes a business vulnerable, no matter the size of the business, and I suspect the other 19 district health boards are sweating at present, painstakingly reviewing what they currently have in place to protect patient and staff confidentiality.
The insistence by Microsoft and Google that we need to be proactive in the area of cyber security made our small group sit up and take notice. We know we are entrusted to keep all information and data collected private, safe and secure. We know we do not have businesses in New Zealand comparable to these huge American ones, but we were grateful for the opportunity to hear first hand how the businesses are handling this significant business risk.
This was my second business trip to America and once again I couldn't fault the warmth and generosity of Americans.
They willingly shared information that might assist us to design models of healthcare provision better suited for long-term, family-driven health outcomes. We looked at systems that can track progress and measure real-time impacts.
The Whānau Ora Commissioning Agency viewed the trip as a necessary business investment. Through the contacts we made and with the vast amount of information so generously shared with us, we continue to receive a significant return on our investment.
- Merepeka Raukawa-Tait is chairwoman of the Whānau Ora Commissioning Agency, a Lakes District Health Board member and Rotorua district councillor.