Advertisement

eHealth needs to strengthen IT procedures to limit disruptions: Saskatchewan auditor

Provincial auditor Judy Ferguson said eHealth must do a better job of controlling and monitoring IT network access, and testing disaster recovery plans. File / Global News

Saskatchewan’s provincial auditor said eHealth needs to do more when it comes to controlling and monitoring IT network access and testing disaster recovery plans.

Judy Ferguson released her Provincial Auditor of Saskatchewan 2020 Report–Volume 2 on Dec. 8.

“To successfully provide uninterrupted services, eHealth must have stronger security and disaster recovery elements in its IT infrastructure to prevent unauthorized access to the network, and limit the downtime from security breaches should they occur,” she was quoted saying in the report.

eHealth Saskatchewan, which delivers health-care services in the province, was hit with a ransomware attack in January where files were stolen.

Fortunately, eHealth recovered systems from backups made prior to the attack and did not pay the ransom.

Story continues below advertisement

“In this case, from what I understand, it was a judgement error by clicking on something when it wasn’t supposed to be clicked on,” said Paul Merriman, Saskatchewan’s health minister.

For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.

Get breaking National news

For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.
By providing your email address, you have read and agree to Global News' Terms and Conditions and Privacy Policy.

“In general, people don’t do that, it only takes one mistake like that and there can be huge repercussions.”

Ferguson’s report indicates the recovery took time and that several health sector IT systems were out of service for an extended period of time.

By controlling and monitoring IT network access better, Ferguson’s report said eHealth will be less vulnerable to ransomware attacks in the future.

“Effective IT network monitoring helps detect and limit the impact of a successful attack on a corporate network,” the report read.

“In addition, it mitigates the risk and extent of security breaches that can cause serious business disruptions.”

eHealth has identified 38 critical IT systems requiring detailed recovery plans, but Ferguson said no disaster recovery testing has been completed for any of them.

Story continues below advertisement

“Not having complete or tested plans increases the risk of not being able to successfully restore IT systems within a reasonable time,” Ferguson’s report said.

“Delays in restoring IT systems could significantly impact the delivery of health services across the province.”

The province said it’s something it continues to work on.

“As soon as we get an upgrade of a system, there’s a new a threat or a new aspect of some malware or some cyber-attacks,” Merriman said.

“My expectation is that they are going to be able to get this done and get done in a very timely manner and I will be following up with them.”

In June, eHealth CEO Jim Hornell said it fights off hundreds of thousands of attacks each week.

Click to play video: 'eHealth must do ‘much’ more to prevent security breaches: Saskatchewan auditor'
eHealth must do ‘much’ more to prevent security breaches: Saskatchewan auditor

Sponsored content

AdChoices