
Waikato DHB Conficker attack resulted in global fix

Two months after the Conficker virus attacked Waikato District Health Board’s computer network, the vendor updated the software in a global fix aimed at ensuring other organisations with similar patches didn’t suffer the same fate.

Two new reports presented to the Waikato DHB board in Thames today (eds 9.30am start) show the Conficker virus was able to get into the DHB’s network on Wednesday 16 December last year because its virus protection software could not eliminate the threat.


In management comment to an Audit NZ report, chief information officer Alan Grainer said: “the antivirus software did not work.”

Chief executive Craig Climo said weaknesses in the DHB’s own system enabled the virus to spread. Information Technology (IT) staff made the decision to take down the DHB’s 3000 PCs, leaving 5800 staff in five hospitals, a mental health facility, two continuing care facilities and a number of rural bases without computer access.

“We made that decision to protect the system and speed recovery,” said Mr Climo.

“Conficker didn’t get us, we got it.”

Within two days most of the DHB’s computers were up and running.

“We have heard of a major New Zealand site where recovery took five weeks,” he said.

Board members received three reports at the meeting. The first was an independent Audit NZ report with extensive management comment and a memorandum from the Director of Media and Communications over the involvement of the media.

The second was an executive summary of the incident management report done by the IT department.

The third was the executive summary of an October 2009 PriceWaterhouseCoopers report on IT effectiveness.

“Our attack was public because of the way we chose to deal with it,” said Mr Climo.

That involved a number of communication methods including co-operation from the media to convey information to outpatients and staff, mass text messaging and use of runners to relay messages and test results.

“Services operated surprisingly well in that time. The virus, in its various versions, has infected many major sites before and after our attack.”

Estimates suggest close to seven million computers worldwide are infected with Conficker, which can now also infect mobile devices like cellphones and medical equipment.

In February this year the Greater Manchester Police computers were crippled by Conficker, forcing police officers to depend on computers in other jurisdictions to access criminal records. Affected organisations included the West Middlesex NHS Primary Care Trust and Sheffield Hospital in the UK and, in New Zealand, the Ministry of Health, Canterbury DHB and a major bank.

Mr Climo told the board broader issues of IT infrastructure soundness are being addressed.

“IT should be more prominent as a risk given our high reliance on it.”

Mr Grainer said USB sticks were still banned from use in Waikato DHB’s network.

“We need to ensure provisions to control risks associated with them are fully worked out and in place before reinstating them,” he said.

The Audit NZ report found that:
  • A USB stick carrying the Conficker virus was used by a third party to load files onto their unprotected workstation
  • The third party workstation was connected to the DHB network
  • The virus entered the network by exploiting a server operating system
  • The antivirus software reported the virus but was unable to effectively capture and disable the virus
  • Conficker obtained domain administration rights from a logged-on user, used those privileges and took hold throughout the server and workstation environment.

Date: 14 April 2010

Contact:

Mary Anne Gill
Director
Media and Communications
Waikato District Health Board
Ph: 07 834 3684
Mobile: 021 705 213


Summary

Here is a summary of the Conficker virus that affected Waikato DHB on December 16 last year:
  1. The virus attack was due to our virus protection software not being able to eliminate the incoming Conficker virus.  The vendor subsequently updated the software in a global (worldwide) fix on 16 February.

  2. Weaknesses in our system enabled its spread.  Those weaknesses included:
    a. Low password sophistication.  A new system that enables password control had been planned for March and is now in place.

    b. Some users were using their system administrator sign-ons to perform their non-system administration work.  This enlarged the path for the virus.

    c. No patching on some old servers.  The software on them was not amenable to patching and the servers run low priority systems.
  3. The virus did not take our systems down.  We made that decision, to protect the system and speed recovery.  We have heard of a major New Zealand site where recovery took five weeks.

  4. Our attack was public because of the way we chose to deal with it.

  5. IT did well to have us up and running in about two days.

  6. Services operated surprisingly well in that time.

  7. The virus, in its various versions, has infected many major sites before and after our attack.

  8. The Audit NZ report touches on many matters that did not cause the Conficker attack.

  9. The issues that caused the attack have been addressed. 

Within chief executive Craig Climo's report to the board are the following:

  1. Audit NZ report.  The report is final with extensive management comment included.  A memorandum from Mary Anne Gill, the Director of Media & Communications has been added.

  2. The executive summary of the Incident Management report. The Incident Management report is a standard product where that process has been invoked.

  3. The executive summary of the last PriceWaterhouseCoopers report on IT effectiveness.  Members via the Audit committee see these reports.  It is included here as a reminder, as it shows in a very straightforward way where we were at the last report (October 2009) and where we have come from (March 2007), across the areas that can be broadly thought of as IT infrastructure.  We have a way to go but have made substantial progress.  Board members should see the next report in December 2010.