The provincial auditor has a number of recommendations for eHealth after finding its network security lacking in an audit finished just four months before the agency was hit with a ransomware attack.
The first volume of this year’s report was released on Tuesday.
It found the 13,000 laptops and smartphones that had access to the eHealth network were a possible risk. The report found “much more” needs to be done to prevent unauthorized access to health info on those devices.
An analysis found that 80 per cent of the laptops were not encrypted and 80 per cent ran an unsupported operating system, both of which left the devices susceptible to “compromise and failure”.
“These devices can access and store private and confidential health information. They are attractive targets and they may become infected with viruses and malware and are often easy to lose, hence a higher risk,” said provincial auditor Judy Ferguson on Tuesday.
The report also says eHealth needs to do more security training with staff: only half of the people with access to the network received security awareness training annually. It also found eHealth doesn’t exert enough control over access to the network – who can look at what and when – and that it doesn’t do enough monitoring of the network.
“Without sufficient control or monitoring, eHealth is not doing enough to prevent malicious activity or mitigate within sufficient time risks of a successful attack to prevent a breach,” said Ferguson.
Ferguson said the agency isn’t taking a centralized approach to these matters, which has led to inconsistent practices.
The process of moving IT services from the former Regina Qu’Appelle and Saskatoon health regions to eHealth began in January 2017. When the audit was finished in August 2019, the transition still wasn’t complete.
“They need to give careful consideration to when they need to be pushing out that centralized approach and reassessing the timing of that,” said Ferguson.
The ransomware attack against eHealth happened in December 2019. Ferguson said her office hasn’t looked at whether the problems pointed out in the report contributed to that attack.
“We do feel a number of the recommendations that we are making and the matters that we’ve raised to the attention of eHealth, if the organization would have dealt with them earlier and promptly it would have reduced the risk,” said Ferguson.
The recommendations are:
- eHealth should implement an annual security awareness training program for users of devices with access to the eHealth network;
- eHealth should implement a written risk-informed plan to protect laptops with access to the network from security threats and vulnerabilities;
- eHealth should standardize the configuration settings for mobile devices with access to the network;
- eHealth should do a cost-benefit analysis of the use of a central mobile-device management system to secure and monitor mobile devices with access to the network;
- eHealth should take action to minimize the risk of security breaches when a device is lost or stolen;
- eHealth should implement a risk-based plan for controlling network access;
- eHealth should use network security logs and scans to monitor the network and detect malicious activity.