The tragic death of a patient in Germany, which is attributed to a ransomware attack, illustrates how cyber security and health and safety issues can intersect, says Kordia’s chief information security officer, Hilary Dalton.
New Zealand's Health and Safety at Work Act 2015 holds company directors and other officers directly responsible if they fail to exercise due diligence: they must know what the risks are and have processes in place to minimise them.
The attackers disabled the computer systems at Düsseldorf University Hospital on Friday New Zealand time, demanding a multi-million dollar ransom to decrypt the hospital's data.
The hospital was forced to turn away emergency patients, according to a New York Times report. A woman with a life-threatening condition was sent to a hospital 30 kilometres away but died en route, prompting German authorities to open a homicide investigation. The BBC says it is believed to be the first death caused by ransomware.
Dalton says a major point of concern is that the Düsseldorf attackers exploited a well-known flaw in Citrix's remote access software. Our Government's Computer Emergency Response Team (CERT NZ) first issued a warning about it in June, Dalton notes.
Keeping software up to date, including applying security patches as soon as they are available, is a basic part of good security practice.
Boards and senior managers need to make sure this is actually happening, Dalton says. If it is not, whether because of a lack of resources, poor organisation or some other problem, they need to fix that, both to avoid liability and, of course, to keep their organisation safe.
“You need to know what your critical systems are and what is being done to keep them safe,” he says.
Are our health boards running a tight ship?
A spokeswoman for the Auckland District Health Board declined to answer questions, saying the organisation had a policy of not commenting on its IT setup for security reasons. The Ministry of Health acknowledged the Herald's questions but did not immediately respond to them.
The Times says hospitals are a favorite target for ransomware attackers, because the life-and-death urgency of the situation makes it more likely they will pay.
And we’ve seen other organizations pay up this year, amid a sharp increase in cyberattacks by criminal gangs that have seen many of their traditional “real world” attacks hampered by global lockdowns.
Last month, there were indications that fitness tracker and light aircraft navigation system maker Garmin had paid a US$10 million (NZ$14 million) ransom to recover its data from hackers.
And in July, Nasdaq-listed Blackbaud (roughly a US counterpart to Pushpay) said in a market filing that it had paid an undisclosed sum to hackers to protect customer data, which included donor records of alumni of the University of Auckland and the University of Otago (both universities emphasised that they had no part in the decision to pay).
“Resisting the ransom demands could have been worse. At least it is a wake-up call for the universities and the provider, so cybersecurity is likely to improve,” lawyer Michael Wigley told the Herald.
For him, Blackbaud’s decision was understandable.
For Dalton of Kordia, it is not.
In his view, it is neither ethical nor practical.
“Paying a ransom only encourages an attacker to re-offend,” he says, echoing the advice of the police and CERT NZ.
“It would be nice to have some legal weight behind that.”
That does not appear to be the case today.
“The Crimes Act was written at a time when a ransom was only demanded for a person, not for data,” says Bill Hodge, a professor at the University of Auckland School of Law.
“But my reading is that it would not be illegal to succumb to the demands of a hacker and pay a ransom.
“It would be almost impossible for the police to mount a prosecution.”
NZ Herald technology columnist Juha Saarinen recently called for ransom payments to be outlawed.
And Emsisoft, a global security company run from New Zealand by Austrian-born founder Christian Mairoll, which was involved in the Garmin episode, this week called for coordinated government action to ban ransomware payments.
Asked whether there were any plans to amend the Crimes Act to make ransom payments illegal, Justice Minister Andrew Little replied only: “The government's strong recommendation remains that victims of cybercrime should not pay ransoms.”
The Herald recently noted the gap in cybersecurity spending between New Zealand and Australia. Labour has so far not released any IT policy for its next term, while National's technology policy, released earlier this week, made only a passing reference to the issue.