Private and confidential documents were found to be accessible on two health board web servers
The IT security of two health regulators has been found wanting after an Upper Hutt IT security firm found confidential documents available online.
Echo IT found that the Optometrists and Dispensing Opticians Board and the Physiotherapy Board were storing internally sensitive and private information on their public websites.
Echo IT security engineer James Winstanley said while he was confident that both organisations were committed to their privacy obligations, there was evidence that poor understanding of information security practices was a factor in both boards’ decisions to store private documents in unsecured and publicly accessible areas of their websites.
“As companies move to adopt technological frameworks, the question of security becomes directly relevant to one of privacy," Winstanley said.
“It is imperative that organisations consider how their privacy obligations extend into the fields of cyber security, and that they receive the support appropriate for their level of digital exposure."
Echo IT undertook what it described in a report as an independent research project covering a range of organisations and sectors.
The Optometrists and Dispensing Opticians Board of New Zealand was found to be leaking a large volume of private information, including one instance of a credit card.
The Physiotherapy Board of New Zealand was found to also be leaking private information and was potentially violating a name suppression order.
ECHO IT’s full report can be viewed here.
The Physiotherapy Board said it could assure the public that no confidential personal information has been made public.
"However a weakness in our website security has been identified and has been dealt with: we have removed all confidential personal information from our web server, and we have shut down the ability for the public to place further information on this server," board CEO Jeanette Woltman-Black said.
The board also expressed its concern at what it described as "unauthorised access" made to its server.
"In our view the actions taken to bypass our website’s front-end were unethical and wrong," Woltman-Black said.
"We take confidentiality of personal information entrusted to us extremely seriously. The public can be assured that when they engage with us on sensitive issues they can do so in complete confidence."
Winstanley said he believes Echo IT's investigation complied with relevant frameworks.
"Our research has helped both organisations identify and remove the sensitive personal information that was accessible to the wider public.
"Although Echo IT acknowledges that dealing with leaks of sensitive information can be distressing, we encourage organisations to work with security professionals to address the points of failure, rather than to react with hostility."
The chair of the Optometrists and Dispensing Opticians Board, associate professor Jennifer Craig, said after being notified by Echo IT of the issues this was immediately passed on to the board's website hosting firm for investigation. They helped the board to resolve the issue and also upgraded the Board’s firewall as an extra measure of protection.
"The digital consultancy firm was thanked for bringing this issue to the board’s attention and notified of the action taken to resolve the issue. The Board believes it has taken all possible steps to resolve this issue within its control in accordance with advice provided by the Office of the Privacy Commissioner."
The board has not utilised its ‘member only’ section for a few years, so it does not anticipate any future breaches of this kind.
Craig said the board had no further comment other than that it takes security of information very seriously and will be reviewing all of its policies and procedures.
The two board cases are not identical. The Optometrists and Dispensing Opticians Board website was provided through a custom CMS developed by a web design company that ceased operating in late 2015.
"This could mean that the website is unsupported or faces reduced access to security updates and improvements," the report said.
Users had the ability to enumerate all the website's hosted documents, the report said. While that was not ideal, it was not strictly a vulnerability.
"The function works as intended, even if some might argue it is not the most secure method for handling file requests. It was the board's decision to store sensitive files using this method that created problems."
The Physiotherapy Board used a Drupal 7 website. Like the other website, the board's used a single endpoint to reference individual documents.
"Whilst this method has advantages over the method we believed the Optometrists site used, it is still subject to the same enumeration problem. The only difference here was that our method required an extra step, and a modification to the script previously used."
