
Sometimes it takes a big wake-up call to show us where we stand. The recent patient portal incident, which impacted over 120,000 New Zealanders, along with extended outages of critical clinical systems and multiple reported data breaches, is a reminder that we’re all in this together.
It’s good that reviews by the Ministry and Privacy Commissioner are underway. We need to understand what happened. But to really move forward, we can’t stop there. Real change means going beyond good intentions and voluntary standards, and backing up what matters with action and accountability everyone can trust.
Learning from Australia
Last week, the Australian Medical Association released findings that highlight what many of us already know. Their conclusion? “Without enforcement, having systems that talk to each other will remain a pipe dream.”
Australia’s challenges mirror ours: isolated databases, incompatible systems, fragmented standards. As one Australian GP observed: “It is a commercial choice to remain siloed. An industry-led approach hasn’t led to much on the ground.”
But Australia is also showing us what coordinated action looks like. The Australian Digital Health Agency’s Sparked AU FHIR Accelerator brings together government, vendors, and providers to implement interoperability standards collaboratively. It’s the kind of coordinated approach our Centre for Digital Modernisation could emulate, bringing sector capability together with clear standards and shared purpose.
Setting clear, enforceable standards isn’t a radical idea. It’s just common sense, and countries are doing it because voluntary approaches haven’t delivered.
How industry can step up, and why we’re keen
As the Digital Health Association, we’re here to help make these standards work for everyone. Our role isn’t just about ticking boxes or meeting requirements. We’re passionate about showing what “good” looks like, every day. That’s why our Special Interest Groups and Communities of Practice are focusing on how to meet security baselines, build real-world interoperability, and deliver on the promises we make together.
The value industry brings is in rolling up our sleeves and finding practical ways to make standards achievable, quickly and at scale. Sometimes, the pathways aren’t straightforward, but that’s okay. Working things out together is where we find the best solutions. Our job is to share what works, learn from each other, and help everyone move forward, step by step.
What does that look like in practice? Systems connecting to national infrastructure meeting defined security expectations. System-level certification with ongoing monitoring. Transparent incident protocols (every organisation needs a plan for when, not if, breaches occur). And crucially, supporting general practices with clear guidance and shared tools, not pushing responsibility downstream.
Investing in the people who make it work
None of this happens without the right people. Interoperability and cybersecurity aren’t products you buy once. They’re capabilities you operate every day. We need sustained investment in the people who design, integrate, secure, and run these systems across providers, vendors, and agencies. Without workforce capability, even the best standards will fail in implementation.
Building trust, one honest step at a time
Trust isn’t built by good intentions or reassurance, but by action. We earn trust when everyone can see that privacy and security aren’t afterthoughts: they’re built in from the start, our communication is open, and we own our responsibilities.
This recent breach, so early in 2026, is a reminder that our digital health systems are only as strong as their weakest part. Voluntary standards can leave gaps, but when we set mandatory standards and really follow through, we close those gaps together.
Australia is learning this lesson, and we have an opportunity to do the same (maybe even better) if we’re ready to support and require positive change.
What happens next is what matters
The reviews will show us what needs fixing. What we do next (how we support each other, develop practical pathways to compliance, invest in our workforce, and act on what we learn) will show if we’re genuinely committed.
Let’s embrace the moment. By working together, setting clear standards, and following through, we can make New Zealand’s digital health infrastructure safer and more trusted for everyone. The opportunity is ours, and I know we’re up for it.