Israeli internet experts who reviewed information security arrangements at Newfoundland and Labrador’s largest health authority emphasized “several weaknesses, security concerns and compliance issues” that must be addressed within its network.
Details are in a business plan prepared for Eastern Health in September 2020 and recently obtained by CBC/Radio-Canada.
The proposal noted that “the boycott system may now encounter cybersecurity breaches without possible knowledge or response due to lack of skilled personnel, lack of specific processes and appropriate technology for inevitable cybersecurity threats.”
The report was completed more than a year before the cyberattack last fall that paralyzed the province’s health care system.
There is no indication that any of the issues identified are related to last fall’s breach.
In fact, there was no public disclosure of the reason for the cyber attack at all. Regional government officials repeatedly refused to answer questions about the attack, citing security reasons.
Ronald Johnson, vice president of innovation and rural health at Eastern Health, told CBC/Radio-Canada that the business plan was drawn up as part of a process to build a cybersecurity center of excellence in the province.
But he did not say exactly what was done to address the concerns raised in the report.
“Some action could have happened through those assessments. But again, those assessments were meant to pave the way for this larger project,” Johnson said.
“Those issues that have been identified, those larger issues, are what I would call challenges to the health system. And the goal of the COE, this online center of excellence, is to address those challenges.”
Johnson said the goal of the work was to identify “global issues” that could affect health care organizations across the country.
“This project aims to address cybersecurity in the long term. This does not necessarily prevent anything from happening in the short term.”
Johnson said he could not discuss the short-term effort.
The Ministry of Health refused to make anyone available for an interview to address any concerns raised by the report.
It certainly can be taken as a warning
Eastern Health has been working with partners since 2019 on the concept of a center of excellence.
The 2020 business plan was prepared by an Ottawa-based company called Canada Israel Technology Solutions.
It included an “in-depth exposure analysis” of the IT system at Eastern Health and the Newfoundland and Labrador Center for Health Information, which is responsible for network security for all health authorities in the province.
The actual analysis, conducted by the Israeli company CyberMDX, remains classified. But the outlines of its results are described in the 2020 business plan.
CBC/Radio-Canada submitted that 40-page document to half a dozen cybersecurity experts to get their opinion on it.
“I think it could be taken as a warning at all,” said Simon Woodworth, director of the Center for Health Information Systems Research at University College Cork in Ireland.
In this regard, it is significant that the cyber attack occurred a year after the warning.
“Alerts [were] off when I was reading it,” said Sam Harper, journalist and programmer at Crypto Quebec.
Not enough security analysts
Part of the report on cybersecurity needs pointed to a number of potential problems.
They ranged from outdated technology and understaffing to an inadequate database used to keep track of information about assets.
According to the report, there were outdated components in some IT systems that could not be adequately managed or patched, and they would most likely need to be upgraded or shut down completely.
The document recommended more security personnel to identify, respond to, mitigate, and defend against cyber threats.
It said that while Eastern Health and NLCHI’s systems are built on best practices and security standards, there are “insufficient security analysts able to ensure full compliance.”
As a result, only a partial audit was performed annually on a select number of critical security systems.
“If you don’t have the staff to maintain the system, it’s like having a car that never plans to change the oil, light bulbs, or tires,” said Eva Tasheva, co-founder and leader of the cybersecurity department at the Brussels-based consulting firm CyEn.
“So eventually it will fade and become obsolete very quickly.”
Sam Harper of Crypto Quebec agreed.
“Everyone always says it’s all based on standards and everything, but unfortunately, how you maintain it afterwards matters,” Harper said.
“I mean, you can build the house in the best possible way, but if you never do the repairs that are required, if you don’t fix things when they break down, well, 20 years later, 10 years later, it might be in trouble.”
Solange Ghernaouti, professor of cybersecurity at the University of Lausanne in Switzerland, said new risks are evolving as well as practices, including criminal ones.
“This means that we need technicians to do the security, but above all we need analysts who are able to understand the situation, what to protect, and the risks,” said Ghernaouti.
“Compliance issues to be addressed” in the network
The 2020 business plan also indicated that no complete database of existing configuration items is in place or maintained, making it difficult to determine the full scope of upgrades and patches required.
This database is basically an inventory of hardware and software assets.
“In this case, there is clearly a distinct lack of visibility across the network,” said Ronan Murphy, CEO of SmartTech247, an Irish cybersecurity company that operates globally.
“Even if you have a vision, it’s a vicious cycle if you don’t have the analysts or the ability to solve the problems you see. It’s a moot point.”
According to the report, Eastern Health hired CyberMDX for a month-long proof of value to passively monitor systems at Carbonear Hospital.
The 2020 business plan noted that “in the short period that the system has been operating, CyberMDX’s findings have confirmed that there are many vulnerabilities, security concerns, and compliance issues that need to be addressed within the EH Network.”
CyberMDX – which was recently acquired by another company – declined a request by CBC/Radio-Canada to provide more information about its work in Newfoundland and Labrador.
Officials with Canada Israel Technology Solutions could not be reached for comment.
Center of Excellence
A number of cybersecurity experts contacted by CBC/Radio-Canada confirmed that the 2020 business plan was part of a sales promotion for the health authority, and this context should be taken into account when considering its conclusions.
Eastern Health made the document available to potential private sector partners last year as the process moved forward to gauge industry interest in, and feedback on, the center of excellence idea.
Vice President Ronald Johnson said the plan was continuing to move forward, with “stone and mortar shells” likely to occur by the end of this year.
The goal is to secure the province’s healthcare infrastructure against cyber threats, while building expertise in the industry.
“We will protect our assets, but at the same time, we will create jobs and economic development,” Johnson said.
“That’s why we’ve been doing this.”
According to Eastern Health’s presentation from last summer, the Center of Excellence could nearly break even after five years, after incurring net costs of more than $28 million.
Questions about a cyber attack remain unanswered
Government officials have been silent about most aspects of the cyber attack, which destroyed many of the province’s health computer systems.
They confirmed that the personal information of thousands of health authority employees, dating back years or even decades, had been stolen, along with 200,000 Eastern Health records that could contain patients’ health data. Surgical procedures and medical procedures were delayed last fall.
But the provincial government will not say who was responsible for the attack, whether it was related to ransomware, whether any ransoms were paid, or whether anything has been done since then to address any problems.
“I think it would be safe to say we’ve taken steps to address the problems that we found,” Health Secretary John Haggie said in late March.
“I think after that, it would be unwise to go into too much detail again. For security reasons, it’s a bit like giving your passcode to your alert system.”
But Simon Woodworth of University College Cork says there has to be transparency and openness.
“There is a shocking habit of individuals, companies and government departments to remain extremely silent about cyberattacks and their consequences,” he said.
“This is the patient data they interact with. People have a right to know how protected the data is.”
Woodworth wondered why the business plan did not focus more on short-term solutions rather than long-term goals.
“Maybe the document could have said more about ‘these are the things you need to do right away before we get caught up in the big plan,’” he said.