Overlooking the Risks: Manage My Health’s Lax Security Exposed

Key Takeaways:

  • Manage My Health, a health software company, ignored warnings about lax security two years ago, which led to a ransomware attack that stole the information of 127,000 New Zealanders.
  • The lack of government regulation in the industry is a result of lobbying against "red tape" by the Digital Health Association.
  • Experts criticize the "high trust" system of self-regulation, which relies on companies to follow standards without proper oversight.
  • The Digital Health Association advocates for a clear, consistent regulatory framework that supports safe and efficient delivery of digital health services while protecting patients’ rights.
  • Health NZ is considering independent testing of third-party services, such as patient portals, to ensure the security of health information.

Introduction to the Issue
The recent ransomware attack on Manage My Health, a health software company, has raised concerns about the lack of regulation in the industry. The attack resulted in the theft of personal information of 127,000 New Zealanders, highlighting the vulnerabilities in the company’s cyber-security system. According to cyber-security expert Dr. Abhinav Chopra, the company was warned about the lax security two years ago, but failed to take action. This incident has sparked a debate about the need for stronger regulations and oversight in the industry.

Lack of Regulation and Oversight
The lack of regulation in the industry is attributed to the lobbying efforts of the Digital Health Association, which has opposed what it calls "overly burdensome privacy laws and regulation". The association has argued that such regulations would create "red tape" and increase costs for companies dealing with data. However, experts argue that this lack of regulation has created a "high trust" system where companies are not held accountable for their actions. The Digital Health Association’s chief executive, Stella Ward, claims that the organization did not oppose the Therapeutic Products Act, but rather advocated for better regulation. However, political analyst Bryce Edwards argues that the association’s actions have contributed to the lack of oversight in the industry.

Consequences of Lax Security
The consequences of lax security are severe, as is evident from the recent ransomware attack on Manage My Health. The company’s terms and conditions gave it an "out" by stating that it could not guarantee the security of its system. This lack of accountability has raised concerns among patients and experts alike. The attack has also highlighted the need for stronger penalties for companies that fail to protect patient data. The current penalties are low by international standards, and experts argue that this has created a culture of complacency among companies.

Need for Stronger Regulations
The need for stronger regulations is evident from the recent incident. Experts argue that a clear, consistent regulatory framework is necessary to support the safe and efficient delivery of digital health services while protecting patients’ rights. The Digital Health Association agrees that stronger penalties alone are not enough and that a comprehensive framework is required. Health NZ, the organization responsible for overseeing the health sector, has indicated that it may introduce independent testing of third-party services, such as patient portals, to ensure the security of health information.

Conclusion and Future Steps
In conclusion, the recent ransomware attack on Manage My Health has highlighted the need for stronger regulations and oversight in the industry. The lack of regulation has created a culture of complacency among companies, and it is essential to introduce stronger penalties and a clear, consistent regulatory framework to protect patient data. Health NZ’s consideration of independent testing of third-party services is a step in the right direction, but more needs to be done to ensure the security of health information. The industry must work together to create a safe and secure environment for patients, and this requires a concerted effort from companies, regulators, and policymakers.
