Saskatoon

Sask. eHealth failed to fully secure patient data on work laptops and smartphones, auditor says

Auditor Judy Ferguson found that devices weren't wiped after being stolen or lost and not all health workers received annual security awareness training.

Not all health workers received annual security awareness training, Judy Ferguson finds

Saskatchewan's provincial auditor says the eHealth system is not properly protecting itself against viruses and malicious malware. (saskatchewan.ca)

Saskatchewan's eHealth network failed in several ways to fully secure private patient data on health workers' work laptops and phones, the provincial auditor says in a new report.

Auditor Judy Ferguson wrote that the people managing the eHealth IT network directly managed less than one-third of the nearly 13,000 laptops with access to the network, 80 per cent of the laptops were not encrypted to protect against malicious activity and only about half of employees with access to the network were trained annually in IT security awareness.

The report, tabled in the Saskatchewan legislative assembly Tuesday afternoon, documents the state of the network's security apparatus as of August 2019 and comes several months after a ransomware attack that left eHealth unsure of what information was taken. 

"If the organization would have dealt with [the issues] earlier and promptly, it would have reduced the risk," Ferguson said in a news conference. "Unfortunately, we're not in a world [where it's] if you will be attacked. It's a matter of when." 

Not all stolen devices wiped 

Ferguson said the audit was undertaken because 30 per cent of health care workers in the province access data on the network to do their jobs. 

"Properly controlling access to the eHealth IT network is critical given security breaches can impact the ability of these agencies to deliver effective health services," Ferguson wrote. 

Ferguson also found that not all devices were wiped from the network after the devices were reported stolen or lost. 

She recommended that the province hasten the process of amalgamating Saskatoon and Regina IT staff into eHealth, given that the process started in January 2017.

"Consolidating all IT security policies into a single set of overarching policies would reduce complexity and inconsistencies," she wrote. 

Ferguson also recommended eHealth start doing all the things it wasn't doing. 

Health Minister Jim Reiter took some questions about the issues Tuesday in the legislative assembly. 

"It's important that people are relying on it and that it be a reliable source of IT for government," Reiter said. "We'll do everything within our power to ensure that that happens."

Read Ferguson's full critique of eHealth below. Don't see it? Click here

Mobile users: View the document
(PDF KB)
(Text KB)
CBC is not responsible for 3rd party content

eHealth responds

Jim Hornell, the CEO of eHealth, said some fixes are already in play, including the encryption of all laptops.

"Much of this is a legacy issue that takes time, Hornell said. "It goes back to the [former] health regions and some of the challenges they encountered to moving to a single provincial system."

Training people to be security-smart is also key, Hornell said. 

"The most sophisticated equipment in the world is not going to stop someone within your system from opening up the door to bad actors getting in," he said. "That's why we spent so much time in all the organizations that I know of trying to get people to practise proper etiquette."

ABOUT THE AUTHOR

Guy Quenneville

Reporter at CBC Ottawa

Guy Quenneville is a reporter at CBC Ottawa born and raised in Cornwall, Ont. He can be reached at [email protected]