Israeli cyber experts who reviewed the information security arrangements of Newfoundland and Labrador’s largest health authority confirmed “numerous vulnerabilities, security issues and compliance issues” that needed to be addressed within its network.
Details can be found in a business plan prepared for Eastern Health in September 2020 and recently obtained by CBC/Radio-Canada.
“The provincial system may currently experience cybersecurity breaches without any knowledge or possible response due to the lack of qualified personnel, lack of established processes and appropriate technology in place for the inevitable cybersecurity threats,” the proposal states.
The report was completed more than a year before last fall’s cyberattack crippled the province’s health care system.
There is no indication that the issues identified are related to the breach last fall.
In fact, there has been no public disclosure of what caused the cyberattack. Provincial government officials have repeatedly refused to answer questions about the attack, citing security concerns.
Ronald Johnson, vice president of innovation and rural health at Eastern Health, told CBC/Radio-Canada that the business plan was created as part of a process to create a center for excellence in cybersecurity in the province.
But he wouldn’t say exactly what was done to address the concerns raised in the report.
“Some actions would have taken place from those assessments. But again, those assessments were meant to set the stage for this larger project,” Johnson said.
“These issues that have been identified, these larger issues, are what I would call challenges to the health system. And the goal of the WCC, this cyber center of excellence, is to address those challenges.”
Johnson said the work aims to identify “global issues” that could affect health care organizations across the country.
“This project aims to address cybersecurity in the long term. It doesn’t necessarily rule out anything that happens in the short term.”
Johnson said he couldn’t discuss short-term efforts.
The Department of Health declined to make anyone available for an interview to address concerns raised by the report.
“That could absolutely be taken as a warning”
Eastern Health has been working with partners since 2019 on the Center of Excellence concept.
The 2020 business plan was prepared by an Ottawa-based company called Canada Israel Technology Solutions.
It included an “extensive exposure analysis” of Eastern Health’s computer system and the Newfoundland and Labrador Center for Health Information, which is responsible for network security for all health authorities in the province.
The analysis itself, carried out by the Israeli company CyberMDX, remains confidential. But its findings are outlined in the 2020 business proposal.
CBC/Radio-Canada provided this 40-page document to half a dozen cybersecurity experts to get their views.
“I think this could absolutely be taken as a warning,” said Simon Woodworth, director of the Center for Health Information Systems Research at University College Cork in Ireland.
“And in that regard, it is significant that the cyberattack happened a year after the warning.”
Sam Harper, journalist and programmer at Crypto Quebec, said: “The alarms [were] ringing while I was reading it.”
‘Insufficient security analysts’
A section of the cybersecurity needs report refers to a number of potential issues.
They ranged from outdated technology to understaffing to an inadequate database used to track asset information.
According to the report, there were outdated components in some computer systems that could not be appropriately managed or corrected, and would most likely need to be upgraded or completely retired.
The document recommended more security personnel to identify, respond to, mitigate and defend against cyber threats.
It said that while the Eastern Health and NLCHI systems are built to best practices and security standards, there is “an insufficient number of security analysts capable of ensuring full compliance.”
As a result, only a partial audit was performed each year on a number of critical security systems.
“If you don’t have the staff to maintain the system, it’s like having a car whose oil, bulbs or tires you never plan to change,” said Iva Tasheva, co-founder and head of cybersecurity management for the Brussels consulting firm CyEn.
“So it would eventually fade and become stale very quickly.”
Sam Harper of Crypto Quebec agreed.
“Everyone always says everything is up to standard and everything, but unfortunately it’s how you maintain it afterwards that’s important,” Harper said.
“I mean, you can build the house the best way you can, but if you never make the necessary repairs, if you don’t fix things when they’re broken, well, after 20 years, after 10 years, you might get in trouble.”
New risks evolve, and so do practices, including criminal ones, said Solange Ghernaouti, professor of cybersecurity at the University of Lausanne in Switzerland.
“That means we need technicians to do security, but above all we need analysts who can understand the situation, what needs to be protected, the risks,” Ghernaouti said.
“Compliance issues to be resolved” in the network
The 2020 business plan also noted the lack of a comprehensive database of current configuration items, either in place or maintained, making it difficult to determine the full scope of upgrades and fixes required.
This database is essentially an inventory of hardware and software assets.
“In this case, there’s obviously a very clear lack of network visibility,” said Ronan Murphy, executive chairman of SmartTech247, an Irish cybersecurity company that operates globally.
“Even if you have visibility, it’s a vicious circle if you don’t have the analysts or the ability to fix the issues you see. That’s a moot point.”
According to the report, Eastern Health has hired CyberMDX for a month-long “proof of value” engagement to passively monitor Carbonear’s hospital systems.
“During the brief period of operation of the system, CyberMDX findings confirmed that there are numerous vulnerabilities, security issues, and compliance issues to be addressed within the EH Network,” the 2020 business proposal states.
CyberMDX, which was recently acquired by another company, declined a request from CBC/Radio-Canada to provide more information about its work in Newfoundland and Labrador.
Canada Israel Technology Solutions officials could not be reached for comment.
Center of Excellence Status
A number of cybersecurity experts contacted by CBC/Radio-Canada pointed out that the 2020 business plan was part of a sales pitch to the health authority and that context should be kept in mind when reviewing its findings.
Eastern Health made the document available to potential private sector partners last year as the process progressed to gauge industry interest and feedback on the Center of Excellence idea.
Vice President Ronald Johnson said the plan continues to progress, with “bricks and mortar” potentially happening by the end of this year.
The goal is to protect provincial healthcare infrastructure from cyber threats, while building industry expertise.
“We’ll protect our assets, but at the same time, we’re going to have job creation and economic development,” Johnson said.
“That’s why we did it.”
According to an Eastern Health presentation from last summer, the center of excellence would almost break even after five years, having incurred net costs of more than $28 million.
Questions about cyberattacks remain unanswered
Government officials have remained silent on most aspects of the cyberattack, which took down many healthcare IT systems in the province.
They confirmed that the personal information of thousands of health authority employees was stolen, dating back years or even decades, along with 200,000 Eastern Health records that may contain patient health data. Surgeries and medical procedures were delayed last fall.
But the provincial government won’t say who was responsible for the attack, whether it was ransomware, whether a ransom was paid, or if anything has since been done to fix the issues.
“I think it would be safe to say that we have taken action to address the issues that we have discovered,” Health Minister John Haggie said in late March.
“I think beyond that it would be unwise to go into too much detail again. For security reasons, it’s a bit like giving a burglar your password to your alarm system.”
But Simon Woodworth of University College Cork says there should be transparency and openness.
“There’s just a terrible habit among individuals, businesses and government departments to be very quiet about cyberattacks and their consequences,” he said.
“It’s the patient data they’re dealing with. People have a right to know how protected the data is.”
And Woodworth asked why the business plan didn’t focus more on short-term solutions rather than long-term goals.
“The document might have said a bit more about ‘this is what you need to do immediately before we jump into the big plan,'” he said.