The National Information Regulator has demanded details on the protection of personal information that was in place when a cyber attack knocked out the National Health Laboratory Service (NHLS) system in July 2024 – which was apparently hopelessly out of date at the time.
Spokesperson Nomzamo Zondi told Daily Maverick they are not investigating the actual hacking but want to determine compliance with the Protection of Personal Information Act (Popia).
This would mean that those whose information was compromised must be notified, and that the notification must include:
• A description of the possible consequences of the security compromise;
• A description of the measures the responsible party (the NHLS) intends to take or has taken to address security;
• A recommendation relating to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise;
• If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information; and
• Whether the responsible party had reasonable technical and organisational measures in place to protect the integrity and confidentiality of personal information in its possession or under its control in terms of the law.
Zondi said that in the past, they had fined one government department R5m – the Department of Justice & Constitutional Development – for not complying with legal measures to keep personal information safe, and failing to comply with an enforcement notice compelling it to upgrade its antivirus software.
The notice had required that it submit proof to the Regulator within 31 days that the Trend Anti-Virus licence, the SIEM licence (security information and event management) and the Intrusion Detection System licence, had been renewed.
The department also had to institute disciplinary proceedings against the official or officials who failed to renew the licences.
This followed a ransomware attack in 2021 that led to all information systems being encrypted. Neither employees nor the public could access information, which included letters of authority, bail services, e-mail and its website.
In 2024, the same department suffered another cyber attack that compromised the child maintenance payout system.
This month, while testifying before the Parliamentary Portfolio Committee on Health, the CEO of the NHLS admitted that its IT systems were out of date and could not be updated, and that its staff had not been warned of the dangers of clicking on unknown links when its system was hacked in June 2024.
Patient information, however, was held on a separate server and was not compromised, but the data warehouse, where historical information was kept, was also rendered useless by the attack.
Parliament heard that security upgrades to the IT system were not possible and it was vulnerable to attack because of several IT-related issues.
Acting IT executive manager John Mukomana said the NHLS was still working to get its IT system up to “minimum acceptable standards”.
BlackSuit, an extortion syndicate, gained access to the NHLS’ database on 21 June 2024 after an employee clicked on a phishing link, said the service.
Previously, the NHLS had explained that the hackers used ransomware which encrypts data until the syndicate is paid – freezing the system. The ransom was not paid, it added.
Around 400 000 tests are done daily at the NHLS, which plays a critical role in the public health system. Most significantly, the attack rendered the TrakCare laboratory information system unusable, so although it was possible for medical tests to be done, the results could not be seen by the requesting doctors.
Mukomana said most of the NHLS’ IT infrastructure was out of date. “We were not able to update our systems or put security patches in place,” he said.
Since the attack, however, extensive upgrades have been made to the service’s security measures, but “we need to improve our governance structures”, he added. “Also, IT issues must be listened to.”
He said that before the attack there was a lack of IT skills at the NHLS and even its executive lacked technology skills.
The CEO of the NHLS, Professor Koleka Mlisana, told Parliament that they are investing at least R300m in strengthening their systems – with more that needs to be done. This included R15m for security operations services for three years; R28m for new desktops and laptops; R164m for safe switches, firewalls and enhanced security for five years; and R94m for an upgrade of the data warehouse.