Health and safety: How Tu Ora Compass Health became a security superstar

 |   Microsoft New Zealand News Centre


Tū Ora Compass Health looks after a significant number of Kiwis, as the fourth-largest Primary Health Organisation in New Zealand. Delivering high quality care while managing privacy and securing patient data has become a critical focus with the changing landscape of cyber security. With support from partners Aceso Health, Telesmart and Medical IT Advisors, Tū Ora underwent a life-saving operation that mapped out its vulnerabilities, migrated its systems and data to Azure and integrated Microsoft’s advanced security features across its entire network. Now it not only has a clean bill of health – it is leading the health world.

If asked to name their most valuable asset, until recently most people would probably have mentioned their house, retirement savings, creativity or go-getting attitude. Over the past three years, however, one asset has shot to the top of the list: our health.

As a Primary Health Organisation (PHO), Tū Ora Compass Health is responsible for protecting this most valuable taonga for more than 330,000 New Zealanders across Wellington, Porirua, Kāpiti Coast and Wairarapa. It supports a network of fifty-seven general medical practices and collaborates closely with other providers to offer frontline services ranging from radiology to podiatry, sexual health, mental health, and immunisations.

Tū Ora is also responsible for managing claims and payments made by general practices on behalf of three DHBs and for Ministry of Health Programmes, such as free cardiovascular health checks for at-risk Māori men, as well as the High-Tech Imaging and Falls programmes funded through ACC.

It is a massive role – so it is no surprise Tū Ora also has massive amounts of data to manage. Having good insight of data across the social determinants of health as well as core clinical data enables Tū Ora to provide better care and social insights and outcomes for the population they serve.

By 2018, Tū Ora’s systems had bloated to more than 160 databases hosted on around eighty virtual and physical servers, using 60 bespoke developed in-house applications that required more than fifty additional pieces of code to run them.

“We had old equipment, limited governance, no deep analytics capability, and we were relying on many different service providers. Software was old, and patch management was becoming a nightmare,” explains Alistair Vickers, Chief Information Officer at Tū Ora.

“It was not only highly inefficient, in terms of security, it was virtually non-existent. To make things worse, every user had full admin rights to enable the old code to run.”

Managing payments for clinical services used to require paper forms that took a lot of time, people and resources and was not exactly secure.

For an organisation looking after people’s most valuable asset, their health, this situation just could not continue. Protecting patient data and privacy is critical to any healthcare organisation. Governments around the world increasingly require agencies to demonstrate advanced data protection standards – like New Zealand’s own Health Information Security Framework.

While all Tū Ora’s member practices use their own IT systems, any compromise to Tū Ora’s data estate could also have compromised theirs, something that would significantly impact their trust (and that of their patients). And in August 2019, the almost-worst happened – Tū Ora suffered a major cyber event. Thankfully, as far as can be established, no data was leaked publicly, but it was a chilling wake-up call for every single health organisation in the country.

Tū Ora was determined to adopt a secure, modern tech stack that would protect every patient in its care, while also adding resilience and enabling it to deliver better services as befits an organisation dedicated to serving a diverse population expecting the best care.

Operation Shift and Secure

First, the scale of work needed to be identified. Tū Ora’s digital transformation strategy was divided into ten workstreams, to update and refresh all aspects of the technology stack.

The Sorsix Pinga platform, distributed in New Zealand by health IT specialist Aceso Health, was selected to replace most of the legacy applications. It delivered new application capabilities in tandem with the core capabilities PHOs require around practice management, claims and payments and the ability to deliver ongoing education and engagement of Primary Care clinicians.

The next phase was to “improve, secure and leverage” Tū Ora’s resources. All files were moved into SharePoint as the one central point of access, ensuring private records were restricted to the relevant people (and only as needed), while also adding resilience to the system.

Using Microsoft cloud technologies and their unmatched security capabilities, all devices used by the PHO’s staff were enrolled in Microsoft Defender for Endpoint Security by the Tū Ora IT team, enabling Alistair to monitor any potential security vulnerabilities, or hacking attempts. Via the Microsoft Defender dashboard, the Tū Ora team proactively manages all devices, software, and users.

“We got rid of all the disparities, making everything easy to manage and deploy while building a security posture that was offensive rather than defensive.

“We’re able to really fulfil our role as a PHO in a way we couldn’t before

To evaluate the strength of its new security capabilities, Tū Ora was recently assessed against the INFRAM standard for healthcare infrastructure maturity, overseen by the global Healthcare Information and Management Systems Society (HIMSS). It is seen by many as the gold standard for health IT around the world.

Tū Ora was awarded Level 6 – the second-highest rating possible. Only one other organisation in the world has ever achieved it. (Level 7 remains the Holy Grail – most organisations hover between 1 and 3.)

“We could not have done it without Microsoft’s commitment to the cloud and delivering highly managed and capable technology as a service. With Microsoft and our key vendors we have completely validated the power of Azure,” Alistair says. “Microsoft Defender coaches us each day to do better, we went from a security baseline score of 50 per cent security to more than 92 per cent according to the Microsoft Defender dashboard. It is this real time analytics and capability in Microsoft’s offering that enables us to constantly tune, learn and improve how we can do better.”

Tū Ora’s digital transformation journey has drastically reduced its exposure to risk, going from 160 databases down to thirty, all hosted on Microsoft Azure, along with only five Virtual Machines. Modern cloud software designed for health combined with the Microsoft cloud means Tū Ora has been able to bring management of its IT estate back in-house, with just a small team innovating on new services instead of a host of different IT providers.

Another real change for the better during Covid was Microsoft Teams. This really came into its own as the Covid lockdown arrived. March 2020 had luckily been chosen as “deployment month”, and Tū Ora with Telesmart and Aceso worked against tight deadlines to roll out Teams calling across the organisation to enable staff to conduct their business, including consultations, via videoconferencing.

“We have this incredible opportunity in health to bring clinicians closer to their patients and their data. The work Microsoft does in delivering productivity for end users and the work we do in making the process of delivering care more productive for our customers like Tū Ora is an incredibly symbiotic relationship,” says Aceso CEO, Gabe Rijpma.

Automation is another huge bonus. Using the Pinga platform to automate manual processes means no more paper forms to load, reducing keying errors while improving data protection and disaster recovery and enabling employees to work from anywhere.

Power BI enables clinicians and the Tū Ora team to analyse and visualise data in a feature-rich tool to make better decisions to improve clinical care.

“We now can provide incredibly rich insights to every practice in our network, their clinicians and the DHBs,” Alistair says. “We’re able to really fulfil our role as a PHO in a way we couldn’t before.”

A good case in point is how, during the recent COVID-19 outbreak in February-April 2022, modelling provided by the Tū Ora BI team was able to give insights as to when its local sub-regions were likely to see diagnosed cases peaking.

“This gave us the ability to predict pressures on the primary care workforce in our sub-regions, for better situational awareness and workforce planning,” Alistair says.

From helping one organisation – to helping many

Thanks to the reduced costs required to manage their own IT using the Microsoft 365 toolset, Alistair and his team are now keen to help other healthcare providers.

“We now have the capacity through the automation and scale we have achieved. We are looking to help very low-cost access general practices with free IT support. They are going to save thousands. We are getting all the team trained on different Azure capabilities, and ensuring they teach those skills to younger people. This is going to become the skillset for New Zealand IT for at least the next generation to come,” Alistair says.

Microsoft Public Sector Director, Emma Barrett, says this collaborative mindset is exactly what New Zealand healthcare needs.

“Everyone who works in healthcare goes into the profession to make a difference and help as many people as possible. But with the ongoing and increasing demand on health resources, we know it is a constant battle for healthcare organisations to deliver all the services that are needed, to the standard they would like. That is why it is so wonderful to see leaders with strengths like Tū Ora supporting other frontline services and helping more people upskill. They are not only building healthier IT systems, but a stronger future for Aotearoa’s health and IT sectors as those skills are passed on,” she says.

And of course, Level 7 waits for an organisation dedicated to going above and beyond.

As Alistair puts it: “For me, one of the greatest outcomes of going through this transformation and achieving the results we have is building that trust. We are being recognised for our standards and approach and making people proud of what a New Zealand healthcare organisation can do.”

Tags: ,