The tragic death of a female patient in Germany, which is being blamed on a ransomware attack, illustrates how cyber-security and health and safety issues can intersect, Kordia chief information security officer Hilary Walton says.
NZ's Health And Safety At Work Act (2015) makes directors and other company officers directly liable if they fail to exercise due diligence to ensure they know about risks, and put processes in place to minimise them.
Hackers disabled computer systems at Düsseldorf University Hospital on Friday NZ time and demanded a multi-million dollar ransom to unscramble their data.
The hospital was forced to turn away emergency patients, according to a New York Times report. A woman with a life-threatening condition was sent to a hospital 30km away but died en route, prompting German authorities to open a homicide investigation. The BBC says it is believed to be the first death caused by ransomware.
Walton says a major point of concern is that the Düsseldorf attackers exploited a well-known flaw in Citrix remote-access software. Our Government's Computer Emergency Response Team (Cert NZ) first issued a warning about it in June, she points out.
Part of good security practice is keeping software up to date, including applying security patches where necessary.
Boards, and senior managers, need to make sure this is happening, Walton says. And if it's not, because of under-resourcing or poor organisation or another issue, they need to address it to avoid liability - and, of course, to keep their organisation safe.
"You should know which are your critical systems, and what's being done to keep them secure," she says.
Are our health authorities running a tight ship?
A spokesperson for Auckland District Health Board declined to field questions, saying the organisation had a policy of not commenting on its IT setup for security reasons.
A spokesperson for the Ministry of Health said, "Regular monitoring of cyber threats, including ransomware, and routine cyber stress testing for health sector agencies' computer security is recommended by the Ministry.
"District health boards and other sector agencies are responsible for keeping their systems secure, and the Ministry works with them to advise and assist on strengthening defences to ensure resilient IT systems. This work is ongoing to ensure health agencies have good monitoring systems and preparations in place and processes to respond effectively to any incidents arising.
"The Ministry of Health also works alongside Cert NZ, the Government Chief Data Officer and the Government Chief Information Security Officer in helping health sector agencies better understand and build resilience to cyber security threats, including regular training for staff."
Steep rise in attacks
The Times says hospitals are a favoured target for ransomware attackers, because the life-and-death urgency of the situation makes it more likely they will pay up.
And we've seen other organisations pay up this year, amid a steep rise in cyber-attacks by criminal gangs who have seen a lot of their traditional, "real-world" shakedowns crimped by global lockdowns.
Last month, there were signs that Garmin, the maker of fitness trackers and navigation systems for small aircraft, had paid a reported US$10 million ($14m) ransom to recover its data from hackers.
And in July, the Nasdaq-listed Blackbaud (a competitor of sorts to PushPay in the US) said in a market filing that it had paid an undisclosed sum to hackers to secure clients' data. That data included records of Auckland University and Otago University alumni who had made donations; the two universities stressed they were not party to the decision to make the payoff.
"Toughing it out against ransom demands might have been worse. At least it's a wake-up call for the universities and the provider, so improved cybersecurity is likely," lawyer Michael Wigley told the Herald.
For him, Blackbaud's decision was understandable.
For Kordia's Walton, it's not.
In her opinion, it's not ethical.
"Paying a ransom only encourages an attacker to reoffend," she says, echoing the advice of police and Cert NZ.
"It would be good to have some legal weight behind that."
That doesn't appear to be the case at present.
"The Crimes Act was written in an age when a ransom was only demanded for a person, not data," says Auckland University Law Faculty professor Bill Hodge.
"But my reading is that it would not be illegal to succumb to a hacker's demands and pay a ransom.
"It would be almost impossible for police to mount a prosecution."
NZ Herald technology columnist Juha Saarinen recently called for it to be made illegal to pay a ransom.
And Emsisoft, a global security company run by its Austrian founder Christian Mairoll from his hideaway in the New Zealand high country, which figured in the Garmin episode, has this week called for collective government action to ban ransomware payments.
Asked if there were any plans to amend the Crimes Act to make ransom payments illegal, Justice Minister Andrew Little replied only, "The Government's strong recommendation continues to be that victims of cyber-crime should not pay ransoms."
The Herald recently noted the cyber-security spending gap between New Zealand and Australia. Labour has so far not released any IT policy for its next term, while National's tech policy, released earlier this week, made only passing reference to the issue.