**The Manage my Health Fiasco: A Wake-Up Call for Health Software Security**

The recent hacking of Manage my Health (MMH) has left many users stunned and concerned about the security of their sensitive health information. The incident, in which a hacker demanded a $60,000 ransom to not release stolen files containing uploaded health documents, is a stark reminder of the importance of robust cybersecurity measures in healthcare software.

While it's impossible to be completely hack-proof, MMH's slow response to the breach and subsequent mistakes have raised serious questions about their preparedness. It took them an astonishing 10 days to email users to tell them whether they had been affected. To make matters worse, they got it wrong in their initial communication, requiring a second wave of emails to correct the mistake.

As one of those who received both emails, I can attest to the frustration and anxiety caused by MMH's inadequate response. As an overseas user, I'm even more disadvantaged, as they won't allow me to log in and access any details about my account.

A well-governed and well-managed health software company should have hacking as a top-priority risk in its risk matrix, with a detailed contingency plan in place for such events. Unfortunately, it appears MMH were woefully unprepared, calling in external advisors only after being prompted by the Ministry of Health.

The MMH software itself is good – I can book GP appointments, view test results and vaccinations, and access specialist reports with ease. My GP uses them, and I'm grateful for that. However, software security is just one aspect of a company's overall management. A company needs to be well-governed and managed to handle crises like this.

The potential consequences of this breach are immense, as pointed out by Bryce Edwards: "The potential harms are immense... Psychiatric diagnoses. Sexual health information. Details of domestic violence. Records of abortions... People could be blackmailed over sensitive diagnoses or traumatic histories. Identities could be stolen." The stories of outraged patients, like the one who told RNZ she was "one part terrified, one part really angry" at the prospect of her past sexual assault being made public, are a stark reminder that this is not just a bureaucratic failure – real people will suffer real consequences.

This incident highlights the importance of robust cybersecurity measures in healthcare software. MMH needs to take immediate action to improve their security and response protocols. The Ministry of Health must also review its guidelines for health software companies to ensure they are prepared to handle such breaches.

The Manage my Health fiasco is a wake-up call for all stakeholders involved in the healthcare software industry. It's time to acknowledge that cybersecurity is not just an IT issue, but a matter of public trust and safety. By learning from this incident and taking proactive steps to prevent similar breaches, we can ensure that sensitive health information remains secure and protected.