Saskatchewan’s provincial auditor said eHealth needs to do more when it comes to controlling and monitoring IT network access and testing disaster recovery plans.
Judy Ferguson released her Provincial Auditor of Saskatchewan 2020 Report–Volume 2 on Dec. 8.
“To successfully provide uninterrupted services, eHealth must have stronger security and disaster recovery elements in its IT infrastructure to prevent unauthorized access to the network, and limit the downtime from security breaches should they occur,” she was quoted saying in the report.
eHealth Saskatchewan, which delivers health-care services in the province, was hit with a ransomware attack in January where files were stolen.
Fortunately, eHealth recovered systems from backups made prior to the attack and did not pay the ransom.
“In this case, from what I understand, it was a judgement error by clicking on something when it wasn’t supposed to be clicked on,” said Paul Merriman, Saskatchewan’s health minister.
“In general, people don’t do that, it only takes one mistake like that and there can be huge repercussions.”
Ferguson’s report indicates the recovery took time and that several health sector IT systems were out of service for an extended period of time.
- Posters promoting ‘Steal From Loblaws Day’ are circulating. How did we get here?
- Canadian food banks are on the brink: ‘This is not a sustainable situation’
- Video shows Ontario police sharing Trudeau’s location with protester, investigation launched
- Solar eclipse eye damage: More than 160 cases reported in Ontario, Quebec
By controlling and monitoring IT network access better, Ferguson’s report said eHealth will be less vulnerable to ransomware attacks in the future.
“Effective IT network monitoring helps detect and limit the impact of a successful attack on a corporate network,” the report read.
“In addition, it mitigates the risk and extent of security breaches that can cause serious business disruptions.”
eHealth has identified 38 critical IT systems requiring detailed recovery plans, but Ferguson said no disaster recovery testing has been completed for any of them.
“Not having complete or tested plans increases the risk of not being able to successfully restore IT systems within a reasonable time,” Ferguson’s report said.
“Delays in restoring IT systems could significantly impact the delivery of health services across the province.”
The province said it’s something it continues to work on.
“As soon as we get an upgrade of a system, there’s a new a threat or a new aspect of some malware or some cyber-attacks,” Merriman said.
“My expectation is that they are going to be able to get this done and get done in a very timely manner and I will be following up with them.”
In June, eHealth CEO Jim Hornell said it fights off hundreds of thousands of attacks each week.
Comments