Provincial auditor says eHealth needs to do more to protect IT network

Provincial auditor Judy Ferguson tables a report in the Saskatchewan Legislature on Dec. 5, 2019. -- Troy Fleece / Regina Leader-Post

Saskatchewan’s provincial auditor says eHealth Saskatchewan needs to do more to prevent unauthorized access to health information stored on and accessible by portable computing devices like laptops and smartphones.

There are 13,000 portable computing devices with access to the eHealth IT network. Provincial auditor Judy Ferguson found that more than 80 per cent of those devices were not encrypted. Another 80 per cent used unsupported operating systems.

Ferguson said those devices were susceptible to compromise and failure, which places the eHealth IT network at risk.

“These devices can access and store private and confidential health information. They are attractive targets and they may become infected with viruses and malware,” Ferguson said during a press conference on Tuesday. “(They) are often easy to lose and are higher risk. We found eHealth needs to do much more to prevent unauthorized access to health information stored on and accessed by the almost 8,000 laptops and 5,000 smartphones that currently have access to the eHealth IT network.”

Employee training was also a major concern. Roughly half of the individuals who used these devices have not received up-to-date security awareness training, and Ferguson said that made them susceptible targets for malicious software attacks.

The report also found eHealth did not sufficiently monitor its IT network for signs of malicious activity, or reduce risks of a successful attack on the network.

“We do feel a number of the recommendations that we are making and the matters we are bringing to the attention of eHealth, if the organization would have dealt with them earlier and promptly, it would have reduced the risk. We recognize in today’s world, unfortunately, (it’s) not ‘if’ you will be attacked, it’s a matter of ‘when’ you will be attacked. What we are saying to organizations is make sure you reduce the risk of those attacks.”

Ferguson’s office made seven recommendations focused on four different areas. They include enhancing and standardizing how eHealth sets up portable computing devices, requiring employees to receive annual security awareness training, and improving network monitoring and access controls.

Ferguson said she hopes eHealth is already developing a stronger security plan, since applying it could take some time. However, she expects eHealth to implement the rest of the recommendations sooner rather than later.

“They do a good job on a certain component of their laptops. It’s a matter of pushing that out to all of the laptops that have access to the network,” she explained. “That is one we’re hoping they can move a little bit faster on.”

Ferguson and her office conducted the eHealth audit last fall, and tabled the report in the legislature on Tuesday, June 23.

The Daily Herald has requested a response from eHealth to the auditor’s findings. We will update this story with more information once it becomes available.