2020 Report - Volume 1: eHealth-Action Needed to Secure Health Information

2020 Report - Volume 1: eHealth-Action Needed to Secure Health Information June 22, 2020

eHealth Saskatchewan needs to properly control portable computing devices with access to the eHealth IT network to keep health information secure

REGINA, SK., June 23, 2020: In her 2020 Report – Volume 1, Chapter 6, Provincial Auditor Judy Ferguson reports eHealth Saskatchewan needs to do much more to prevent unauthorized access to health information stored on and accessed by portable computing devices (laptops, smartphones).

The eHealth IT network houses critical IT health systems and data of various health agencies (e.g., Saskatchewan Health Authority, Saskatchewan Cancer Agency) essential to the provincial delivery of health services. eHealth is consolidating the IT services and IT staff of the various health agencies, and in the meantime, it continues to have variations of IT security policies and practices.

“Properly controlling access to the eHealth IT network is critical given security breaches can impact the ability of these agencies to deliver effective health services,” says Ferguson.

  • At August 2019, IT staff of the Saskatchewan Health Authority who were part of the former Regina Qu’Appelle and Saskatoon health regions had not yet transitioned to eHealth—transition started in January 2017.
  • Consolidating all IT security policies into a single set of overarching policies would reduce complexity and inconsistencies.

Our audit examined eHealth’s processes to secure health information on portable computing devices (laptops, smartphones) used in the delivery of Saskatchewan health services.

At the time of the audit, eHealth directly managed less than one-third of the almost 13,000 portable computing devices with access to the eHealth IT network.

Ferguson reports, “eHealth’s plan to manage health sector laptops is not sufficiently robust. It does not contain sufficient detail on how to mitigate security threats and the vulnerabilities of laptops with access to the eHealth IT network. We found risks associated with unencrypted laptops, unsupported operating systems, and unrestricted USB ports and DVD burners not adequately mitigated.”

The audit found over 80 percent of the laptops with access to the eHealth IT network were not encrypted, and over 80 percent used an unsupported operating system. Laptops that are unencrypted and using unsupported operating systems are susceptible to compromise and failure. Not keeping laptops properly secured can place IT systems on the eHealth IT network at risk.

The audit also found eHealth did not sufficiently monitor the eHealth IT network. Without effective network monitoring, eHealth may not detect malicious activity or mitigate risks of a successful attack on the network within sufficient time to prevent a security breach.

“eHealth needs to use key network security logs and scans to effectively monitor the IT network and detect malicious activity,” says Ferguson.

At the time of the audit, only about one-half of individuals with access to the eHealth IT network had received IT security awareness training annually. Uninformed individuals are susceptible targets with increased risk of providing a potential access points for malicious software. Requiring an annual security awareness training program would help reduce the risk of users of portable computing devices clicking on something they should not.

“Laptops and smartphones are attractive targets for attackers and present many risks to an organization. Having proper controls over these portable computing devices reduces the risk of personal health information falling into the wrong hands,” Ferguson reports. “To mitigate this risk, eHealth Saskatchewan must implement risk-informed plans to properly secure portable computing devices and to protect devices with access to the eHealth IT network from security threats and vulnerabilities.”

 

 

 

 

View All News Releases