New Zealand's health sector must be prepared for a case of 'not if, but when' a major cyber attack causes massive disruption, despite intense security efforts to ward them off.

HZ HealthIT chief executive Scott Arrol says that there are no guarantees that risk mitigation will be successful.

“None of us can pass the buck and assume that its up to the government and big corporates to protect New Zealand health organisations. We have all got to play our part to protect confidential health information," he says.

Despite government spy agencies boosting security of critical infrastructure, government departments and key businesses, health organisations have some catching up to do.

Less than 5% of New Zealand organisations have invested in cyber insurance, despite a global increase in cyber attacks, NZ Health IT claims.

You only have to look as far as the WannaCry attack, he says. “A recent global cyberattack using hacking tools crippled the United Kingdom's national health service.

That attack hit at least 16 health service organisations, including hospitals and GP surgeries. Hospital staff had to turn away patients and cancel appointments because their computer systems were crippled.

“We have seen ransomware attacks against the NHS in the past including Barts Health Trust in January," comments Digital Shadows vice president of strategy, Rick Holland.

Citizens were also asked to seek medical care only in emergencies because of the crisis.

Staff members were also forced back to pen, paper and their own mobiles to continue working as the WannaCry attack hit.

According Tenable Network Security, healthcare may be bigger targets because of their predilection to pay ransom demands.

While Arrol says that the Ministry of Health is working with district health boards and government agencies as a precaution against ransomware attacks such as WannaCry.

Next month NZHIT will be holding a national Cybersecurity in Health symposium in Auckland. The symposium will bring together organisations including the National Cyber Policy Office, National Cybersecurity Centre and Cyber Toa.

Fortinet offers these tips for all organisations to protect against cyber attacks:

1.      Establish a regular routine for patching operating systems, software, and firmware on all devices. For larger organisations with lots of deployed devices, consider adopting a centralised patch management system.

2.      Deploy IPS, AV, and Web Filtering technologies, and keep them updated.

3.      Back up data regularly. Verify the integrity of those backups, encrypt them, and test the restoration process to ensure it is working properly.

4.      Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

5.      Schedule your anti-virus and anti-malware programs to automatically conduct regular scans.

6.      Disable macro scripts in files transmitted via email. Consider using a tool like Office Viewer to open attached Microsoft Office files rather than the Office suite of applications.

7.      Establish a business continuity and incident response strategy and conduct regular vulnerability assessments.