“In this audit we found that the Winnipeg Regional Health Authority could not keep up with the growth in demand, nor properly control the use of end-user devices. As a result, the WRHA was unnecessarily vulnerable to personal health information falling into the wrong hands,” said Ricard in the report.
The study, called “WRHA’s Management of Risks Associated with End-user Devices,” was prompted by the theft last year of a doctor’s personal laptop that contained the records of more than 300 patients. The audit says there is a significant risk of people gaining unauthorized access to data systems and health records, in part because not enough devices and records have been encrypted.
The report also says the health authority has failed to ensure that data remains protected when accessed by thousands of personal laptops, smartphones and other devices used by workers.
The health authority and the provincial Health Department say they accept the report and are working on implementing its recommendations for stricter security.
“Throughout our audit we observed that the WRHA was focused on ensuring compliance with the Personal Health Information Act (PHIA). While PHIA does include some security requirements, we believe that implementing a cybersecurity program based on sound risk management would invariably result in the WRHA accomplishing their goal of complying with PHIA security requirements,” the auditor general says in the report.
“Focusing first on a control framework is important because compliance with PHIA does not ensure strong cybersecurity.”
The audit found that the WRHA did have some cybersecurity controls in place, but there were insufficient controls over:
• remote access to the health system’s networks
• the use of unmanaged USB flash drives
• laptops and desktops
Of note, the report said neither Manitoba eHealth nor the WRHA has developed a plan for managing the proliferation of end-user devices within the WRHA. Growing demand from healthcare professionals within the organization to access information through mobile devices has resulted in a de facto Bring-Your-Own-Device program without the necessary strategies, risk assessments and cybersecurity controls first being put in place.
The auditor general also observed the need for regular assessments of cybersecurity controls, something that is currently not being done for end-user device controls. “Such audits may have identified and addressed many of the cybersecurity control deficiencies we found in this audit,” the report said.
According to the auditor general’s report, awareness training programs have not been sufficiently developed. “Additionally, attendance at the training sessions has been poor, training content is missing important elements, and additional techniques are not used to promote information security awareness.”
The report offers 12 recommendations to improve the security of cyber systems at the WRHA. The PDF report can be accessed at: http://www.oag.mb.ca/