The government and district health boards were warned last year the country's health IT systems are vulnerable to "significant" cyber threats.
An IT stocktake for the Ministry of Health found the IT systems lacked "tools to detect security attacks".
It noted a "lack of technical support for data security".
The DHBs also lacked skilled IT staff to focus on security.
Use of insecure and non-integrated systems was widespread, and IT infrastructure, networks and security were not up to it, the stocktake said.
"These are outdated and not adequate to support the introduction of new systems and to manage the increased cyber security issues," it said.
"While digital health has become critical to the delivery of services, there are significant risks to services from a lack of system capacity, resilience and business continuity arrangements."
There was a lack of money, and a large number of "obsolete" systems - but virtually no end to the multiplicity and duplication of them:
- DHBs had up to 6000 devices in use, many old and not supported
- Northern Region's four DHBs had 1200 apps in use by exasperated staff
- Security policies and training were lacking
- Large numbers of users repeatedly joined and left agencies as they did training, without being removed from systems
In the Northern Region - where the four DHBs were those most widely surveyed - 60 percent of core systems at data centres had no disaster recovery arrangement in place.
The five data centres were in "average to poor condition".
Half of all DHB operating systems nationwide needed upgrading by 2020 to avoid being out of support from vendors.
It is unclear where that got to.
It also remains unclear if the MOH followed through, after Director-General of Health Dr Ashley Bloomfield asked after the stocktake for DHBs to look at what spending could be reprioritised into IT upgrades.
The MOH is responsible for the security of the shared health systems.
A more detailed IT stocktake was ordered last year and is meant to be done by next year.
The first stocktake said $2.3 billion was needed to address the "ageing", "slow" and "not fit for purpose" IT.
But 90 percent of current IT funding was just going into keeping old systems limping along.
The MOH said from mid-2020 it was working on revised principles to guide IT upgrades that are meant to be put in place this year.
The aim was for more consistency, and to accelerate cloud adoption to "support improved security and system resilience".
Asked to update the public on this work, the ministry said in a statement:
"The ministry provides advice and assistance for DHBs and other health sector agencies to help ensure they are prepared and they have appropriate security systems in place and have access to advice.
"All health agencies will be involved in a series of investments to improve security - this includes using the latest patches for known software vulnerabilities as well as regularly implementing software upgrades to improve security.
"A key part of the ministry's assistance is helping with information and advice to support significant IT upgrades planned by sector agencies as investment decisions are considered and prioritised by individual agencies."
The health and disability system review in 2020 said: "Planning for the level of digital technology needed to support an effective health and disability system is lagging behind.
"The quality of data, the ability to transfer data securely, and the interconnectedness of the various systems operating around the country are all barriers."
'Preventable problem'
IT security consultant Daniel Ayers told Morning Report that for Waikato DHB to be in this situation, it must be one of the weakest of the health boards in managing its IT systems.
Among the things that must have gone wrong was a failure to detect the original malware and the security weaknesses that allowed it to spread, he said. The network may not have been segmented into areas sealed off from each other.
"The DHB must have either had no, or inadequate, intrusion protection - that's the burglar alarm that detects a problem.
"They haven't designed their network to be malware proof - in the sense that it's possible to encrypt stuff."
Ayers said the DHB had had about seven major security incidents in the last 15 years, including a virus attack in 2009 that knocked out computers.
"One of the difficulties of having lots of DHBs is that some of them will do IT well, some of them will do it poorly and some of them will be average. I would conclude that the Waikato DHB is one of the weaker if not the weakest.
"The issue is we need to find a way in our public sector for this to stop happening - it's a purely preventable problem.
"If it wasn't a preventable problem we wouldn't have just one DHB with this problem right now."