Original article posted in eHealthNews.nz: Views

Regular column by Scott Arrol, NZHIT CEO

With New Zealand spending only 50 per cent of global averages on health IT, it’s likely that under-investment includes cybersecurity and a breach was inevitable.

The recent news of a cybersecurity breach at Tū Ora Compass Health clearly raised the issues of data governance, security and privacy.

I’m not often sorry to be proven right but back in January this year I publicly stated that, “It has only been a matter of pure luck that New Zealand’s health system hasn’t yet been subject to a major cybersecurity breach. It’s going to happen, and we’re currently not prepared for it.”

Rather than gloat about having an accurate crystal ball (and rush out to buy a Lotto ticket), I’d rather focus on the positive aspects of the position Tū Ora sadly found themselves in.

Firstly, this was a real test of leadership when it came to the way it was handled at the time. Sure, it may have been avoidable in the first place (hindsight is always perfect) but the public announcements by both the Ministry of Health and primary health organisation representatives made it clear that this was being taken seriously and responsibly.

Secondly, nobody likes to be the first with this type of thing, but the Tū Ora situation makes it loud and clear that there is no immunity to cybersecurity attacks, locally or internationally. The resulting audits have highlighted other organisations where actions must and will be taken. I’m sure this won’t stop at just the small handful currently being worked on and we’ll see an increased level of effort being taken from now on.

Thirdly, like all areas of digital health, there is a growing understanding that the levels of gross under-investment for at least the past 20 years is being felt now and must be addressed if we want technology to fully enable health services in the future.

This is a collective situation and not solely directed at Tū Ora, as we know from the best possible estimates of health IT spend in this country that we’re only at approximately 50 per cent of global averages.

In other words, we currently should be spending double (in the vicinity of $600–$700 million per annum minimum) targeted at health IT systems across the public health sector with 75 per cent of this amount spent on what’s called the ‘run’ category. Essentially this relates to $450–$525 million on basic infrastructure.

We’re not even spending this amount on all health IT expenditure, which goes a long way to explain the current predicament. We want all the bells and whistles but not the investment that comes with them.

The right tools for the job

Would we expect a surgeon to operate with a rusty scalpel? Of course not, just as we’ve got to move our thinking away from IT being able to do all sorts of magic without the core infrastructure being able to support it.

Obviously, this is a simplistic approach to a complex matter and the incredibly fast pace that we now see technology moving (the Moore’s Law effect) means we find ourselves playing catch-up. There was no way that this could be foreseen 20 years ago, just as we’re not able to fully predict how things will look in 20 years from now (even my crystal ball can’t see that far into the future).

While it’s difficult to reliably state that cybersecurity itself has been subjected to the same proportional levels of under-investment, this does point to an overall approach that is no longer sustainable. We know what the current problems are and can predict at least three to four years ahead, so now is the time to move aggressively to move far more quickly up the curve than has previously been the case.

Therefore, it is very pleasing that there is progress now being made with the Ministry of Health’s National Health Information Platform that will encapsulate the range of digital enablers (including security and privacy) that must be at their best to support the levels of interoperability required for our health and disability system.

The leadership from the Ministry is very encouraging and we’re seeing a multi-faceted approach to a complex set of challenges that will have an agile approach rather than the usual ‘big bang’, project-based methodology.

Security and privacy trade-offs

Finally, when it comes to the security and privacy of citizens’ data and information, I’m told that we can have it completely secure if that’s what we really want. This is if we’re prepared to pay for it both in a monetary and societal sense.

In this regard, it’s the latter that is the bigger problem, as a totally secure system demands a fully, ‘not to be trusted’ environment. This means that it is assumed that no system can ever be trusted, therefore individually we must all take far greater levels of responsibility for our own data than is currently the case.

For starters, what does this mean for the 2.9 million Facebook users in New Zealand (as of March 2019), or those using a smartphone without having read the terms and conditions before ticking the accept box, or the same for all those personal mobile devices where health-related data is being captured – do you know where it’s actually stored and have you given consent?

The alternative is a closed system where nothing gets stored or exchanged without you first giving permission each time, and we wouldn’t get social media platforms for free. This also means that innovators, researchers and clinicians would find it very difficult to function where even anonymised data can’t be accessed without climbing over high and costly barriers. Perhaps if you have a Luddite view of the world then this would be an exciting eventuality but I’m not sure that we can ever put that genie back in the bottle even if we wanted to.

Shared responsibility

So, there’s a trade-off, as organisationally there is a lot more that can be done, while individually we’ve got to become more aware of our own responsibilities especially if we want technology to fully enable our health and wellbeing.

We need to see directors of public and private sector organisations (big and small) taking a much higher profile when it comes to understanding that they have ultimate responsibility over the security of data and information. If they want to be fully protected then let’s see them make the required investment, set the tone of expectations and positively support their managers and staff to be more cyber safe.

As individuals, we also need to make a commitment to keeping our organisation and their customers’ data secure. Regardless of the levels of security infrastructure in place this can be brought to its knees by a reckless opening of an unsafe attachment or link, accessing unsafe sites on work systems or simply (and most often innocently) plugging in a corrupted thumb drive.

While they might not think it now, hopefully the future will show that Tū Ora Compass Health has helped us all to take an important step that seemed to be too hard to make at the time.

Scott Arrol is the CEO of NZ Health IT (NZHIT)