HALIFAX 鈥 Nova Scotia doesn鈥檛 provide effective cybersecurity for its digital health networks, and as a result is exposed to unnecessary risk, says a new report by the province鈥檚 auditor general.
Kim Adair鈥檚 report published Tuesday found a lack of accountability and collaboration between the three government entities that oversee the system: the health department, the cybersecurity and digital solutions department, and Nova Scotia鈥檚 health authority.
The situation is problematic because of the province鈥檚 growing reliance on digital networks to store people鈥檚 personal and sensitive health information, the report says.
Citing attacks in other provinces, like Newfoundland and Labrador and Ontario, she said, 鈥淲e鈥檝e seen several health-care organizations fall victim to serious cyberattacks that have compromised sensitive information, disrupted patient care and disabled networks."
Nova Scotia's "lack of IT governance gives minimal accountability for cybersecurity during a time of rapid expansion" of the province's digital health network, Adair said.
The report says key governance structures established to manage and monitor the network, along with cybersecurity efforts, were abandoned by 2022.
The auditor said her office hired Toronto-based independent experts from Packetlabs to run cybersecurity tests between April 2021 and June 2023, which revealed a 鈥減ervasive tolerance鈥 for accepting risk and a failure to manage ongoing risks. More specifically, the report found that external health sector contract holders 鈥 such as pharmacies and doctors鈥 offices 鈥 weren't required to include cybersecurity training before accessing the network.
The report also said testing showed most proposed technology projects that added to or changed the data flow or architecture of the digital health system didn鈥檛 fully comply with a mandatory three-phase review process put in place by a government panel. As well, the report said the review board allowed projects to connect to the network without meeting cybersecurity standards.
To strengthen the system, the 42-page report makes 20 recommendations, including the creation of an information technology governance framework to manage the digital health system, the completion of all outstanding cybersecurity assessments and regular mandatory cyber awareness training for all health network users.
Adair said her office would follow up on the progress of the digital health network a year from now. So far, she said, response from the government agencies involved has been positive.
In an emailed statement, a provincial spokesperson said the departments of health and of cybersecurity and digital solutions, along with Nova Scotia鈥檚 health authority said changes in the system are already underway.
鈥淲e are making investments and reducing risk as much as possible, while we modernize our digital health infrastructure. We have already begun work on many of the auditor general鈥檚 recommendations and will continue to work on the rest,鈥 spokesperson Rachel Boomer said in an email.
The province said it will not disclose details of the changes underway to prevent further cyber threats from bad actors.
This report by The Canadian Press was first published Oct. 22, 2024.
Cassidy McMackon, The Canadian Press
