
The National Health Laboratory Service (NHLS) is still feeling the effects of the June 2024 cyber attack that rendered its ICT systems and infrastructure inaccessible, internally and externally.
As a result, the national government institution did not meet 25% of its annual targets, says Dr Sylvia Sathekge, CIO of the NHLS.
Sathekge was part of a panel discussing cyber security for all and building resilience, at the 28th Annual National Conference of the Institute of Internal Auditors SA, earlier this week.
The moderator introduced the panel’s topic by stating that it was not meant to confuse the audience with technical jargon, but rather to make cyber security relatable and actionable for everyone.
Because the attack impacted 25% of the NHLS’s annual targets, cyber attacks had to be elevated to a top risk for the organisation and not a ‘by-the-way’, Sathekge said.
Explaining the aftereffects of the attack, the CIO said: “You can imagine the country was up in arms in terms of results, with people worried that their HIV results would be leaked.”
The NHLS is SA’s diagnostic pathology service responsible for supporting health departments to deliver healthcare. According to Sathekge, it does digital pathology services for about 85% of the South African population.
“When you are attacked, you’ll find everybody wanting to come and help you...but not everybody is coming with best intentions. Some are coming to make money out of you more than help.
“We still get the Information Regulator asking what we’ve done about it [the cyber attack]; we still get the South African Police Service saying they can’t do anything about it − there’s no-one to go after.
“Research data shows that it takes on average 18 months to recover after a cyber attack. Many of us face cyber attacks but we don’t talk about these things.”
According to an NHLS preliminary investigation at the time, no patient data had been lost or compromised due to the hack.
“All patient data is safe. The investigation indicated that a ransomware virus was utilised to target selected points in the NHLS IT systems, rendering them inaccessible and blocking communication from the laboratory information system and other databases to and from users,” the NHLS said last year.
“It has been established that sections of our system have been deleted, including in our backup server and this will require rebuilding the affected parts. Unfortunately, this will take time and investigations thus far have not advanced enough for us to give a timeframe toward the restoration of our systems and full service.”
In March, the NHLS reportedly told the Parliamentary Portfolio Committee on Health that most of the IT infrastructure was out of date and could not be updated. In addition, staff members were not fully apprised of the danger of clicking on unknown links.
John Mukomana, NHLS head of IT governance and reporting, further indicated the organisation was still in the process of getting its IT system up to “minimum acceptable standards”. He also flagged limited IT skills within the organisation.
Sathekge told conference attendees that the organisation was attacked via e-mail phishing, adding that it is still trying to figure out the extent of the impact on data subjects.
Responding to a question on how internal auditors can practically influence the board of directors to understand that cyber security is imperative, and to inculcate that culture, the CIO said that when she started at the NHLS, she insisted cyber security be considered among the organisation’s strategic risks.
“When I assessed the risks and strategic risks, I told the head of internal audit at NHLS that one is missing, and it’s called cyber security and it’s not for IT. It must be the responsibility of the board, the CIO or the CEO, and we added it as a strategic risk that the board has accepted.
“As technology leaders, we have the responsibility of educating why some things have to be a certain way. I would also advise that organisations should have cyber attacks among the top five risks. It’s not a matter of if, but when.”
Cyber or data breaches are estimated to cost local organisations R44.1 million per incident in 2025.
South African government entities have increasingly fallen victim to cyber attacks, raising concerns about the public sector’s cyber security readiness, amid rising global threats.
In January, the South African Weather Service (SAWS) confirmed its ICT systems went down due to a criminal security breach. It revealed its aviation and marine services were affected, as well as its e-mail and website.
After the attack, SAWS CEO Ishaam Abader told members of Parliament that the entity did not achieve most of its targets during its fourth quarter, largely as a result of the cyber security breach.
In May, South African Airways revealed it was hit by a significant cyber incident. SA’s flagship carrier said the breach temporarily disrupted access to the airline’s IT systems, prompting swift response measures to mitigate its effects.
Other government entities that have recently been impacted by cyber attacks include the Department of Justice and Constitutional Development, South African National Space Agency, Transnet and the Companies and Intellectual Property Commission.
Further to this, in the 2022/2023 audit outcomes on local government, the Auditor-General of SA found that 71% of municipalities still had ineffective information security controls, indicating a widespread gap in fundamental cyber security practices.