Despite warnings, N.L. health officials didn't bolster cyberdefences before ransomware attack - Action News
Home WebMail Friday, November 22, 2024, 09:17 PM | Calgary | -11.3°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
NL

Despite warnings, N.L. health officials didn't bolster cyberdefences before ransomware attack

Health officials didn't act on a series of warnings and failed to adequately protect sensitive health information of hundreds of thousands of people before a devastating cyberattack in 2021, says a new report from the information and privacy commissioner's office.

Report by privacy commissioners office finds security was lacking in important areas

A silhouetted man hunched over a computer with data illuminated in the background.
Hundreds of thousands of people in Newfoundland and Labrador had their privacy breached in a 2021 cyberattack, according to a new report by the province's privacy watchdog. (Kacper Pempel/Reuters)

Newfoundland and Labrador health officials did not act on a series of warnings and failed to adequately protect sensitive health information of hundreds of thousands of people before a ransomware gang launched a devastating cyberattack in 2021 that surreptitiously scooped up 200 gigabytes of data and paralyzed the province's health-care system.

That's among the findings of a 115-page report on the attack issued Wednesday morning by the Office of the Information and Privacy Commissioner.

"The biggest question at the outset of this investigation for us was whether this cyberattack succeeded despite these [provincial health] entities having cybersecurity practices that met recognized international standards, or if it succeeded because those standards were not being met at the time," the provincial watchdog noted in the report.

"Unfortunately, we found the latter."

Security in the health information system "was lacking in a number of important areas" and internationally recognized, industry-standard cybersecurity measures were "either not in place or not fully implemented."

The report found that deficit left the personal health information and personal information of citizens of the province vulnerable to cyberattack "which, under the circumstances, was almost an inevitability."

Investigators concluded that these vulnerabilities were known within the health-care systembut officials failed to fix them.

"The Department of Health and Community Services was informed in 2020 over a year prior to the cyberattack that a threat assessment rated the chances of a cyberattack as high, and the impact of such an event as high," said Sean Murray, a senior official in the commissioner's office who led the probe.

"In other words, the ransomware attack against our publichealth information systems was a foreseeable event. Efforts to reduce these vulnerabilities prior to the cyberattack were inadequate."

A man in a suit wearing glasses speaks in front of a microphone.
Sean Murray is director of research and quality assurance in the Office of the Information and Privacy Commissioner for Newfoundland and Labrador. He was lead investigator for a report on a 2021 cyberattack that affected the province's health-care system. (Patrick Butler/Radio-Canada)

As well, investigatorsbelieve more people were affected by the breach than previously disclosed by government and health officials.

"The total number of privacy breaches caused by the cyberattack is unknown but is likely to be in the hundreds of thousands," the report advised.

"In other words, it is likely that the vast majority of the population of the province had some amount of personal information or personal health information taken by the cyberattackers, although the specific number may never be known."

The report noted that:

  • Patients of Central Health from 2006 to 2021 had their personal health information accessed and taken in the cyber attack;
  • Patients of Labrador-Grenfell Health from 2013 to 2021 had their personal health information accessed and taken in the cyber attack;
  • Patients of Eastern Health from 2010 to 2021 had their personal health information accessed and taken in the cyber attack.

Additionally, it advised thatall patients across the province who had COVID-19 testing up to 2021had their personal health information accessedand taken by hackers.

In general terms, the report called datataken in the cyberattack "highly sensitive information that deserved the highest degree of protection."

However, the report found that "an impressive amount of work" has happened since the attack, to ensure that appropriate cybersecurity measures are in place across the health information system.

"There is some good news," Murray said. "The havoc caused by the cyberattack is not the end of the story."

He said "substantial effort" has since been expended, work that has "significantly enhanced" cybersecurity for the province's health information systems.

Murray called cybersecurity "an ongoing arm's race with organized crime as well as state-sanctioned actors, who will not only seek to extort us and breach our privacy, but also cause us to incur significant costs to the public purse and harm actual health-care delivery."

The report stresses thatthis is not a one-time fix, noting howessential it is that "sufficient focus and resources continue to be directed to this task."

The report notes that accountability for what happened is shared by the Newfoundland and Labrador Centre for Health Information, as well as provincialhealth authorities.

But it adds that leadership of the entire health-care system falls to the Department of Health and Community Services, and the minister must ensure there are appropriate resources for the province's cybersecurity to meet internationally recognized industry-accepted standards.

The commissioner's office made 34 findings, and six recommendations to improve the system going forward.

Those recommendations includeperiodic external reviews, assessments, or auditsto assess the status of cybersecurity across the provincial health information system, and the creation of a chief privacy officer position within the new provincial health authority.

Political reaction to watchdog's report

At the House of Assembly Wednesday afternoon, interim Opposition leader David Brazil asked about the conclusions in the just-released report that more people were affected by privacy breaches than previously disclosed.

"This is the first time that the public have been informed of the true magnitude of this attack," Brazil said.

"I ask the premier, why did your government hide the sheer scale of this attack on the health-care system?"

Premier Andrew Furey brushed aside the question.

"We were very open in our communicationsin fact we said immediately, upon recognition, that there was a problem," Fureyresponded.

"We said we didn't know the scope of the problem but we that said it was a potential, that many Newfoundlanders and Labradorians could have been involved in this."

A man in a suit gestures while answering a question with people behind him seated.
Newfoundland and Labrador Premier Andrew Furey answered questions at the House of Assembly Wednesday afternoon about a report into the 2021 cyberattack that affected provincial health systems. (House of Assembly)

Meanwhile, NDP Leader Jim Dinnsaid the province seems to react, rather than be proactive, when advised of problems that need to be fixed as happened in this case, before the cyberattack actually occurred.

"When you identify deficiencies, the whole purpose of it is to try, to the best of your ability, to at least point out where you need to make changes to ensure the protection of the information," Dinn told reporters.

"No guarantee that putting locks on your house is going to prevent a break in, but I would argue that you put all the measures in place to make sure that you have that security."

Justice Minister John Hogan said it's too early to discuss whether there will be any accountability for that lack of action to fix security gaps before the attack.

"The report is very fresh, very new," he said. "I'm not sure where the health authority is going to go with that, but I'm sure they'll look at it, along with the recommendations in the findings."

Read more from CBC Newfoundland and Labrador