Saskatchewan’s auditor is currently reviewing cyber security at eHealth, amid the aftermath of a ransomware attack. While the recent cyber breach is not the main focus of the audit, it’s become a part of what the auditor’s office will be examining.
“Our office is currently auditing eHealth’s processes for securing portable computing devices. Portable computing devices can be attractive targets for attackers, making effective security management essential. We expect to report our findings in our 2020 Report – Volume 1 in June 2020,” provincial auditor Judy Ferguson said in an emailed response.
“Also, our office, as part of our annual integrated audit, will review eHealth’s work to resolve the issues caused by the recent ransomware attack and consider the impact of any security weaknesses on the overall effectiveness of its controls.”
While the agency’s cybersecurity has been called effective by the province’s auditor in prior reviews, her office found vulnerabilities.
The auditor’s office probed cybersecurity for eHealth’s Saskatchewan Lab Results Repository (SLRR) in 2015. Five recommendations were made following this audit.
In December 2017, the auditor published a follow-up. It found eHealth did not ensure accounts with access to privileged information had passwords that expire. The auditor noted this increases the risk for a system to be breached.
Alec Couros, an information and communications technology professor at the University of Regina, said it’s important to modify passwords frequently, as they are commonly bought and sold on the dark web.
“Because people don’t often change their passwords very often from service to service or site to site, they can often be reused on other sites. For instance, if someone has a URegina account or an eHealth account, they might use that same password or user authentication on a different site. Once it’s exploited on one site, it can easily be used by hackers on a different site,” Couros explained.
“It’s hard for us to remember everything, and unless you’re using a password manager of some sort, it’s very typical that these passwords are reused on a number of different sites. It’s just the way it is.”
The auditor also reported that not all security updates were applied on a timely basis for SLRR systems. Some updates were available since 2012 and there was no documented reason why they hadn’t been updated.
Couros echoed this, saying installing security updates can help cover exploitable flaws in a computer system. This played a big role in 2017 when the “Wannacry” ransomware attack infected over 200,000 Windows XP systems in 150 countries. Victims included Britain’s National Health Service and FedEx.
eHealth did apply security patches to the servers that support the SLRR system in a proper timeframe, the report noted.
In a statement, eHealth said the organization continues to assess and mitigate the damage of the virus that entered their system on Sunday. Their focus is ensuring no confidential patient information left their systems.
So far, eHealth says they have not found evidence of this.
Global News requested an interview with eHealth for an update on what has been done since the 2017 auditor’s report, but the request was declined.
It is not known exactly what led to the ransomware attack, but Couros said these commonly are the result of social engineering.
“They pretend to be a client or customer for instance, and once they get a single employee to provide some trust they may hand over some information, they may pay an invoice that they’re not supposed to pay for instance. Once that happens, you have some entry into the system as well,” Couros explained.
“It’s very easy to perform fraud if your employees are not up to date on some of the tactics that these ransomware and other cybercriminals take up.”
He said this can be helped by keeping all employees up to date on potential risks through cyber-security training.
Couros said the nature of health documents can make them a valuable information target, and having this information stored digitally can make it a potential target for hackers around the world.
“Ultimately, anything online is vulnerable. There’s no doubt about it,” Couros said.
“Everything we connect to the internet is connected to another potential scammer or cyber-criminal. There’s no layer of protection that’s totally going to get us around this.”