eHealth Saskatchewan, which runs the province’s healthcare IT system, has been authorized to spend up to $62.3 million on upgrades, but cybersecurity experts warn more needs to be done as a result of the 2019 ransomware cyberattack that affected millions of files.
Cabinet recently approved the money, which will be spent over the next three fiscal years, through an Order in Council.
The state-owned company says the money will go towards replacing its data center equipment, Windows 10 upgrades, investments in security technology, and replacing computers and other devices.
In an unattributed statement, eHealth wrote, “it would not be in the interest of the public or the health care system to give specific details about our security measures.”
eHealth is responsible for the operation, maintenance and renewal of all computer systems that serve the province’s healthcare sector, from diagnostics to pharmaceuticals to patient records.
In 2019, the agency fell victim to a ransomware attack that Saskatchewan’s Privacy Commissioner called one of the biggest privacy breaches ever in the province.
On December 20, 2019, a Saskatchewan Health Authority (SHA) employee opened an infected Microsoft Word document on a personal device while the device was being charged by a USB cord at his workstation.
Opening the document triggered a Ryuk ransomware attack between December 20, 2019 and January 5, 2020.
Commissioner Ron Kruzeniski’s damning report in January 2021 found the attack allowed criminals to steal millions of files, including more than half a million containing personal information about Saskatchewan people.
Alec Couros, cybersecurity expert and professor of technology and educational media at the University of Regina, said software and hardware upgrades are important, but upgrades alone could not prevent a cyberattack like that of 2019.
He said employees need to be trained on how not to let attackers into their computers, noting that many cyber incidents involve a human element.
“Unless serious sums are invested in human training, none of this will be worth the long-term,” he said.
Couros said some training must be a prerequisite for employees to gain access to systems that contain the most vulnerable data.
“It’s really important to make sure employees are aware of all these different factors and these different ploys and tricks,” he said.
Regina cybersecurity expert Brennan Schmidt said surveillance needs to be stepped up.
“When we talk about resources, we are also talking about people, that is, eyes on the glass, ensuring that all kinds of activities are monitored 24/7,” he said.
He added that everyone who has access to the healthcare system, including patients, should be “active participants in maintaining the confidentiality, integrity and availability of their data.”
Schmidt said the provincial government needs to think about cybersecurity across all sectors, including health and education, and advocated for the creation of a critical infrastructure and cybersecurity advisory committee.
The Privacy Commissioner’s review also revealed numerous ways that eHealth, the SHA and the Department of Health failed to adequately protect the personal information of Saskatchewan residents.
CBC News has obtained an October 2020 briefing note, written by eHealth for Saskatchewan’s Minister of Health, warning that eHealth has been underfunded for years and is at increasing risk of failure. eHealth said $150 million is needed over the next three years to update outdated and failing equipment.
The 2020-21 provincial budget allocated $7.4 million for eHealth to support security upgrades, maintenance and licensing, and $15.3 million the following year for operations, including security. This year’s budget promises a $9.8 million increase for eHealth, bringing its total operating budget to $135.6 million.