KORDIA
Waikato DHB’s cyber breach showed director Shayne Hunter the pressure, uncertainty and human cost boards need to prepare for.
The human cost of cybercrime might not be something we think about in the immediacy of a cyberattack. But director Shayne Hunter, who assisted the Waikato DHB through what the media deemed to be New Zealand’s worst-ever health cyber breach, says it was an experience he would not wish upon anyone.
“It’s one of those things you hope never happens to you, but it’s best to assume it may, therefore, be prepared,” he says.
Hunter’s career has taken him from IBM and systems engineering to consulting across strategic planning, business and policy development, along with various executive and operational management roles. But the health sector is where his heart is.
Hunter is chief digital officer at RHCNZ Medical Imaging Group and sits on the board of Whakarongorau Aotearoa, which operates national telehealth services.
Despite many years in the tech industry, Hunter says it is not possible to be truly prepared for a cyber breach when it happens in real time. There are so many unknowns and, as soon as there is knowledge of an attack, everything comes to a standstill.
Hunter says it is a time not for quick decisions but for “cool heads”, because acting too quickly increases risk.
Recalling what it was like to assist Waikato DHB through a cyber response, a slight tremor tiptoes at the edge of Hunter’s voice – weighted with the tension of the memory itself.
“It’s a bit scary because you just don’t know what you’re dealing with. The adrenaline is pumping and everyone wants to know what’s going on and when it’s going to be fixed. You just don’t know. It’s pretty intense,” he says.
While directors are used to dealing with uncertainty, Hunter reinforces that there is only so much boards can do to prepare for a cyber breach.
“This is not something that you can practise, but you should at least be practised – if that makes sense? You need to have a plan and be ready to respond. You can’t build that on the fly.”
The stakes are incredibly high. There is a direct impact on the organisation and, in this case, the health system needed to function for the sake of patient care, some of which was life-dependent.
Leaked data also puts people at risk, including those whose whereabouts are critical to their safety and who could be put in danger if their address were made public.
“You do think a lot about the people – essentially, their information is out there to be seen. Some people don’t care [but] for other people, it’s really important. There’s this whole concern for the patients and the information and the management of their privacy,” says Hunter.
This reinforces the need for boards to operate with a “not if, but when” mindset. Hunter says pretending an attack won’t happen leaves organisations more vulnerable because cybercriminals will always look for a way in.
He is quick to add that being part of a cyber incident response also comes with emotional strain due to the intensity of the situation. That is why boards need to ensure the right people are in place to handle a response before an attack takes place.
“You need to be really clear about the roles and responsibilities in a response,” he says. “It’s pretty daunting. There’s a lot of media interest, a lot of patient interest and a lot of anxiety going on. Services may need to be provided to people to help them through what can be a pretty tough time. These are all decisions that boards need to make.”
In the latest episode of Board Talk: Off the Cuff, Hunter talks about what boards need to consider before, during and after a cyberattack, including why responding to media should wait. The episode also features the IoD’s Susan Cuthbert, who discusses director liability, and Aura Information Security General Manager Patrick Sharp, who explains why complacency can lead to substantial repercussions and loss of revenue.