EHEALTH SECURITY INADEQUATE
Provincial auditor warns precautions to protect data ‘not sufficiently robust’
Auditor warns door open for hackers
After finding numerous security gaps on laptops, tablets and smartphones connected to the ehealth system, Saskatchewan’s provincial auditor warned they could increase the risk of cyberattacks.
Judy Ferguson’s office identified unencrypted devices, inappropriate security settings, unrestricted USB ports and untrained staff that could make the system vulnerable to malware, viruses and unauthorized access.
She said ehealth’s plan for protecting laptops with access to confidential data “is not sufficiently robust.” The agency is responsible for managing sensitive patient records within the health system.
In a report published on Tuesday, Ferguson’s office warned that ehealth did not sufficiently monitor its network for security risks. A team of just 3.5 positions was performing only “limited monitoring” to detect unauthorized access.
“Without effective network monitoring, ehealth may not detect malicious activity or mitigate risks of a successful attack on the network within sufficient time to prevent a security breach,” said a news release detailing the findings.
Ferguson’s audit covered the 12 months ending August 31, 2019. That was about four months before ehealth discovered it had been hit by a major ransomware attack.
Health officials still do not know exactly how much personal data was compromised after cybercriminals struck on Dec. 17. The intrusion was only detected when the attackers began extorting ehealth for a ransom on Jan. 6.
Ferguson did not specifically look at that attack in her review, but she suggested that the problems her office identified increased the risk of it happening.
“The matters that we raised to the attention of ehealth, if the organization would have dealt with them earlier, it probably would have reduced the risk,” she told reporters on Tuesday.
ehealth CEO Jim Hornell agreed that the lapses detailed in Ferguson’s report “clearly” could have made it easier to breach the systems.
USB drives, which the audit flagged as a risk, appear to have been connected to the ransomware attack in some way. In a Jan. 13 memo on the malware incident obtained by Postmedia, ehealth staff were told to stop using personal USB drives on ehealth computers.
The memo also advised employees to destroy any thumb drives that had been used between December 19 and January 10.
A memo sent the next day suddenly reversed that decision, saying new software had been acquired that could scan thumb drives for viruses, but cautioned they shouldn’t be used until that program was in place.
The NDP’s health critic, Vicki Mowat, called the state of ehealth “outrageous.” She cited a list of past controversies, such as inappropriate vendor-sponsored travel, to cast the agency as a “resounding failure.”
“The Sask. Party has been mismanaging ehealth,” Mowat said during question period on Tuesday.
“Has the minister tried turning it off and turning it back on again?”
Health Minister Jim Reiter was skeptical about whether it’s even possible to “start completely over.” He said the focus right now is on the auditor’s recommendations. Hornell said he accepts them all, though he could not give a timeline for implementing them.
Ferguson’s audit specifically focused on portable devices like laptops, tablets and smartphones, which her report called “attractive targets for attackers.”
About 12,900 such devices have access to the ehealth network, but ehealth manages fewer than one-third of them.
Her office found that more than 80 per cent of the laptops with access to the network were unencrypted and used unsupported operating systems.
Most of the laptops with access to the system run the outdated Windows 7 operating system. Microsoft ended support for Windows 7 in January 2020, so security updates for newly discovered vulnerabilities are no longer provided, except to organizations paying for Extended Security Updates.
Hornell said that some of the issues Ferguson identified are already being corrected. That includes encryption, examining password protocols and ensuring that Windows 10 is used.
Ferguson’s office also raised concerns about poor training. She found that ehealth did not require annual confidentiality and privacy training for those with access to its network, and only about half of users had received such training.
“Uninformed staff are susceptible targets and are more likely to click on something that they should not, infecting their device with malware or a virus,” said Ferguson’s report.
Staff did not always take proper measures after laptops or smartphones were stolen, according to the report.
The audit found issues in three of 14 cases it looked at, including one where a laptop’s access to the ehealth network was not removed after it went missing.
Ferguson recommended that ehealth work with the Saskatchewan Health Authority to ensure annual security awareness training, standardize configuration of devices, work to minimize risks from lost or stolen devices and implement a “written risk-informed plan” to protect laptops with access to its network.
She recommended a plan to better control access and improve measures to monitor the system and detect malicious activity.
She also asked ehealth to weigh the costs and benefits of moving to a central mobile device management system. No such system was in place as of January 2020.
— with files from Zak Vescera