Auditor finds increased security risk in Saskatchewan
January 10, 2024
REGINA – The Crown corporation responsible for safeguarding the digital health records of Saskatchewan residents faces an increased risk of security breaches and system failure because it lacks a finalized IT agreement with the SHA. That was the conclusion of the provincial auditor in a report released in December.
eHealth Saskatchewan is the provincial Crown which oversees IT services to patients, healthcare providers, the Ministry of Health and the Saskatchewan Health Authority (SHA).
While an IT agreement between the SHA and eHealth does exist, the auditor’s report found that several key aspects were not finalized, CTV News reported.
These aspects include disaster recovery, service levels, security requirements and IT change management.
“Without an adequate agreement, the SHA risks being unable to effectively monitor the quality and timeliness of IT services delivered by eHealth, or know whether its critical IT systems and data are secure and will be restored in a reasonable timeframe in the event of a disaster,” the report read.
eHealth took over the SHA’s IT systems when the health authority moved them to its data centre in 2017.
The Crown is currently responsible for 35 IT systems deemed “critical” for the delivery of healthcare in Saskatchewan.
The report laid out two recommendations made by the auditor in 2019.
The first calls for installing centralized Network Access Controls (NAC) for all health sector agencies, while the second calls for using network security logs and scans to monitor systems for malicious activity.
Both have been partially implemented by eHealth.
The report went on to say that the organization’s five-year disaster recovery roadmap includes assessing potential risks to IT systems and establishing appropriate measures for recovery. The roadmap is expected to be finalized in 2023-24.
“eHealth needs to begin disaster recovery testing when its Roadmap is complete. Without fully tested disaster recovery plans, eHealth, the [SHA], Saskatchewan Cancer Agency, and the Ministry of Health may not be able to restore their critical IT systems and data (such as the personal health registration system or provincial lab systems) in a timely manner in the event of a disaster,” the recommendation read.
“As ransomware and cyberattacks are steadily rising and evolving, organizations (like eHealth) need disaster recovery plans that enable speedy and easy recovery of data from the point of attack.”