
Wednesday, February 4, 2026

Bob Edlin: Information security at Health NZ.....


Information security at Health NZ – is there a need for someone dedicated to protecting primary care data?

The question of whether Health New Zealand should have a Chief Information Security Officer dedicated to primary health is well worth considering, in the aftermath of the leak of personal health data held (not too securely) by ManageMyHealth.

“Dedicated to primary health” are the key words in this proposition.

Labour’s Dr Ayesha Verrall raised the matter at Question Time in Parliament last Thursday.

She asked Health Minister Simeon Brown:

Does he stand by his statement that the Ministry of Health’s review into the ManageMyHealth data breach will “identify lessons to strengthen protections for patient data held by the private sector”; if so, does Health New Zealand currently have a Chief Information Security Officer role dedicated to primary care?

Hon SIMEON BROWN (Minister of Health): In the context it was made, yes.

But because “dedicated to primary care” was the critical element of the question, as you will see, perhaps he should have said “no”.

He did declare his appreciation of the need for personal health information to be kept confidential.

Patients expect that their health data is held securely, and they deserve to have assurances that this is the case, whether in the private or public healthcare systems.

And then he mentioned the responsibilities of the National Chief Information Officer at Health NZ.

I’m advised that Health New Zealand has a National Chief Information Security Officer, who has responsibility for engagement and support for primary care.

Support functions provided include the creation of a health information security exchange, a collaborative healthcare initiative that drives better security outcomes across primary care; a health information security framework providing small to medium sized support guidance for primary care; Health New Zealand’s security incident guide specifically for primary care; and, as we’ve seen in the case of the Manage My Health incident, incident control support.

Verrall raised a point of order to complain she had asked about “a specific dedicated role” in her question.

The Minister’s answer identified that there was a National Chief Information Security Officer. He outlined responsibilities that that officer had, but it was not clear from his answer, which is a primary question on notice, whether or not that role was dedicated to primary care.

The Speaker said the question had been answered.

Verrall tried to drill down further on the matter of a “dedicated” position:

Hon Dr Ayesha Verrall: Will the Minister confirm that that position is a single position dedicated to supporting the primary care sector with its information security needs?

Hon SIMEON BROWN: I’m advised that that position has a number of responsibilities, one of which is to engage and support primary care, as I outlined in the answer to the primary question.

Not “dedicated”, then.

Verrall took us back a few years with her next question:

Hon Dr Ayesha Verrall: Why is he seeking lessons for how to strengthen protections for patients’ data now when the Ministry of Health advised back in 2021 that the Government should build a core set of cybersecurity capabilities for the primary sector?

Hon SIMEON BROWN: There is a range of investments the Government is making into data security continuously. We need to make sure we also learn the lessons from what happened with Manage My Health. That is why we’ve launched a review. That’s why we have a terms of reference.

And then we learned of a post that has been disestablished:

Hon Dr Ayesha Verrall: Is it correct that the role Chief Information Security Officer – Primary Health Sector that existed in 2023, following the 2021 review, was disestablished due to funding cuts in Budget 2024?

Hon SIMEON BROWN: I’m advised there was a title of a role and that the position description and the roles and responsibilities exist within the function of primary care relationship manager, who exists within—

Hon Dr Megan Woods: So you cut it?

Hon Member: Just listen up, love.

SPEAKER: Hang on. There’s only one Minister answering.

Hon SIMEON BROWN: —the team of the National Chief Information Security Officer and supports that individual with those responsibilities.

Verrall asked Brown to confirm that in 2021 the ministry had developed a plan for primary care cybersecurity, but his Government has cut that plan, “and now he is having to revert to work that should never have been cancelled in the first place?”

Maybe this was an own goal.

Brown responded by pointing out that in 2023, “the then Government” (in which Verrall had been Minister of Health) had made reductions in health data and digital foundations and innovations, and the reduction in Government expenditure in August 2023 had had an impact on data and digital investment in the healthcare system.

We heard no more from Verrall on that point, because Parliament moved on to the next question.

And PoO moved on to see if we could learn more about information security at Health NZ.

Our Google search tells us Peter Booth stepped into the Health New Zealand National Chief Information Security Officer role in August 2025.

He brings a wealth of security experience to Health NZ, having originally joined as CISO for the central region in late 2020, before moving into the role of GM Security Services and Performance. Previously he was the Head of Security at Waka Kotahi for more than three years.

His predecessor – it seems – was Tatahau (Sonny) Taite.

Nancy Taneja in 2023 was “Te Whatu Ora chief information security officer – primary health sector”.

PoO supposes this is the “dedicated” role which Verrall was talking about.

In an interview in May 2023, Taneja was asked: What is the role of CISO for Primary Health Sector?

She replied:

It’s my job as Chief Information Security Officer – Primary Health Sector, to oversee and advise on cyber security for everyone in the sector, from general practices to community pharmacists, allied health professionals, community aged care, Māori health organisations, and primary health organisations.

It’s a big job because the primary health sector is in every community across the motu, and there are different needs, expertise, and resources required. Because of this, relationship management and sector engagement are as important in the role, as specific technical advice.

Next, she was asked: why is it important to have a primary care CISO?

She replied:

Health systems all around the world are being targeted by cyber criminals and it’s not surprising when you consider the size of these systems and the sensitivity of the information they deal with.

In New Zealand, the primary health sector is made up of around 170,000 people, working at roughly 2,500 small to medium sized businesses – all of whom deal with massive amounts of sensitive health information every week. Just one wrong click on an unprotected system, and you can very quickly have a major security incident.

That’s where my team and I come in – we’re trying to demystify cybersecurity and point the sector in the right direction in terms of building up cybersecurity capability.

Explaining what her role involved, Taneja said there was a growing awareness in the sector about what cybersecurity is and why it’s important.

The problem is there’s still a lack of understanding about what organisations can practically and affordably do to protect themselves.

There is a common perception that cybersecurity is something for IT departments to worry about. What I’m trying to do is to get people thinking about cybersecurity as shared mahi. Yes, you might need specialist skills to install specific software and patches and all that sort of thing. But there’s a lot we can all do as a matter of course to make it harder for cybercriminals.

She proceeded to offer advice such as not clicking on suspicious links and using strong, secure passwords and multi-factor authentication.

She was named the Cybersecurity Woman of the Year 2023 by Digitally Enabled.

And where is she now?

At Toyota New Zealand, maybe.

In August last year ITBrief reported on female students from Palmerston North Girls’ High School, St Peter’s College, and Freyberg High School attending a day-long ShadowTech25 event aimed at providing insights into technology careers.

The keynote address was delivered by Nancy Taneja, Chief Information Officer at Toyota New Zealand. She shared her pathway into ICT and addressed topics such as overcoming self-doubt and the importance of leadership and resilience in the sector.

But fair to say, Google found no public information in its search results to indicate she had left Health New Zealand. She was still identified as the manager for security capability and partnerships there in May 2024.

Our search of the Toyota NZ website (not too deep, we admit) found no mention of her.

We may credit her – apparently – with keeping information about her own whereabouts under close wraps.

Bob Edlin is a veteran journalist and editor for the Point of Order blog, where this article was sourced.
