The provincial auditor says eHealth Saskatchewan needs to do more to protect its customers when it comes to security.
In Judy Ferguson’s audit report, she outlines the importance of preventing unauthorized access to health information stored on and accessed by portable computing devices, including laptops and smartphones.
eHealth Saskatchewan was hit with a ransomware attack in January in which files were stolen.
“Properly controlling access to the eHealth IT network is critical given security breaches can impact the ability of these agencies to deliver effective health services,” Ferguson said.
eHealth CEO Jim Hornell said it is still unclear what information was obtained during its ransomware attack in January.
“At this point, we cannot say that it was even personal health information. We do not know what kind of files were taken. They were locked down and it’s our understanding a packet did leave the system,” Hornell said.
“They may have taken things that they think might be interesting and found out there is no value whatsoever.
“It’s been six months now, we’ve been scouring the web to see if there is any use of that material, nothing has shown up.”
eHealth’s IT network is home to critical IT health systems for many health agencies in the province, including the Saskatchewan Health Authority and Saskatchewan Cancer Agency.
Ferguson examined the steps eHealth takes to secure health information on its portable computing devices and learned less than one-third of nearly 13,000 devices, all with access to the eHealth IT network, were actually managed.
“eHealth’s plan to manage health sector laptops is not sufficiently robust. It does not contain sufficient detail on how to mitigate security threats and the vulnerabilities of laptops with access to the eHealth IT network. We found risks associated with unencrypted laptops, unsupported operating systems, and unrestricted USB ports and DVD burners not adequately mitigated,” Ferguson said in her report.
The audit found that more than 80 per cent of the laptops with access to the eHealth IT network were not encrypted while 80 per cent of them used an unsupported operating system, making those devices susceptible to compromise and failure.
Ferguson also noted eHealth did not sufficiently monitor its IT network, which can cause malicious activity to go undetected.
“eHealth needs to use key network security logs and scans to effectively monitor the IT network and detect malicious activity,” Ferguson said.
She also learned that only about one-half of individuals with access to the eHealth IT network have received annual security awareness training.
“Laptops and smartphones are attractive targets for attackers and present many risks to an organization. Having proper controls over these portable computing devices reduces the risk of personal health information falling into the wrong hands,” Ferguson said in her report.
“To mitigate this risk, eHealth Saskatchewan must implement risk-informed plans to properly secure portable computing devices and to protect devices with access to the eHealth IT network from security threats and vulnerabilities.”
Ferguson provided these recommendations to eHealth.
- Enhance and standardize how it sets up portable computing devices.
- Require personnel accessing its network to receive security awareness training each year.
- Take appropriate action if a device is reported lost or stolen.
- Improve network access controls and sufficiently monitor its network.
“Centrally managing and controlling portable computing devices does reduce the risk of breaches occurring and when such breaches occur it reduces the impact on the delivery of health service and can reduce the risk of personal health information being inappropriately accessed,” Ferguson said.
The recommendations are something Hornell said eHealth takes very seriously.
“We certainly accept them, no question about it. And as we discussed with the provincial auditor this takes time and money and she understands that,” Hornell said.
“We are working towards that, some are underway right now. The security training will be complete by the fall and other things are in flight. To say when we will be finished, it’s going to depend on the cooperation of our partners.”
Hornell said eHealth fights off hundreds of thousands of attacks each week.
The full Provincial Auditor’s 2020 Report – Volume 1 can be found here.