Regina Leader-Post

Call for more work on eHealth security

Problems in wake of 2019 cyberattack still need to be addressed, auditor says

- ARTHUR WHITE-CRUMMEY awhite-crummey@postmedia.com

Saskatchewan's provincial auditor says eHealth has made only limited improvements to its cybersecurity months after her previous report found vulnerabilities that increased the risk of a cyberattack.

Her renewed warnings came in an audit published Tuesday that identified last year's ransomware attack as a “spear phishing attack.”

Provincial auditor Judy Ferguson called the breach a “disaster.” The December 2019 attack encrypted data from several servers, leading to serious disruptions as officials opted not to pay the ransom. eHealth, which handles vital statistics, electronic health records and IT systems for the health system, faced extended delays in recovering data saved elsewhere.

Ferguson published a June audit pointing to numerous cybersecurity risks, including poor monitoring, inappropriate security settings and untrained staff. Now, in a new audit published on Tuesday, she found those problems hadn't been totally fixed in the months that followed. She said progress was “very limited.”

“It's an area that they actively need to work on to develop a strategy,” she said during a news conference Tuesday.

Ferguson's new audit noted that eHealth still did not sufficiently control access to its network, evaluate the effectiveness of controls or properly monitor security logs to detect malicious activity during the 2019-20 fiscal year.

She also faulted eHealth for not completing disaster recovery plans for all of its critical systems. As of March 31, it only had seven of 38 done, and hadn't completed testing for any. Without planning in place, Ferguson warned that eHealth could waste valuable time trying to restore its systems following an attack.

Ferguson said it was tough for her to determine whether eHealth's response to last year's ransomware attack was slower than it could have been had proper planning been in place, since the agency didn't have any benchmarks for her to form that conclusion.

“Really, what we found is that some systems they got up relatively quickly and others took weeks to get them up and going,” she said.

“But without that benchmark, for us as auditors, it's frankly not a fair comparator for us to say that you should have had this one up faster.”

Health Minister Paul Merriman said he'll reach out to eHealth immediately to ensure they're following up on Ferguson's recommendations.

“They are working on this,” he said. “It's something that is consistently happening ... my expectation is that they're going to be able to get this done.”

The NDP's health critic, Vicki Mowat, noted that the auditor first raised the issue of a disaster recovery plan 13 years ago. Indeed, the 2007 auditor's report recommended a “tested disaster recovery plan” for the branch of the health ministry that then handled IT.

Mowat called it “shocking” that such plans aren't widely in place today, even after last year's ransomware attack.

It's clear the ransomware attack had a severe impact on health services. Ferguson noted it hindered the work of more than 40,000 health sector employees and led to “significant costs” for eHealth.

She revealed previously unreported details of the “spear phishing attack,” that was undetected until it led to a ransomware attack on Jan. 5. Spear phishing targets a fraudulent email at a specific recipient, often to persuade them to click a link that installs malware on their computer. From there, attackers can access sensitive systems.

Merriman said that error likely resulted from a “momentary lapse of judgment.” He said training at eHealth is good, though it could be better.

Ferguson's audit noted that eHealth sought to contain the threat with measures that “indirectly impacted the accessibility of certain clinical IT systems” used by health professionals. eHealth restored data from backups made before the attack. That took time and “made a number of IT systems unavailable for extended periods.”


BRANDON HARDER: Provincial auditor Judy Ferguson says eHealth needs to work on its IT system's disaster recovery planning.
