Skip to main content

eHealth Saskatchewan under increased risk of security breaches, provincial auditor finds

Share

The Crown corporation responsible for safeguarding the digital health records of Saskatchewan residents is under an increased risk of security breaches and system failure – due to the lack of a finalized IT agreement with the SHA.

The concerns were laid out in the province’s most recent auditors report – released on Dec. 6.

ehealth Saskatchewan is the provincial Crown which oversees IT services to patients, health care providers, the Ministry of Health and the Saskatchewan Health Authority (SHA).

While an IT agreement between the SHA and eHealth does exist – the auditor’s report found that several key aspects were not finalized.

They include disaster recovery, service levels, security requirements and IT change management.

“Without an adequate agreement, the SHA risks being unable to effectively monitor the quality and timeliness of IT services delivered by eHealth, or know whether its critical IT systems and data are secure and will be restored in a reasonable timeframe in the event of a disaster,” the report read.

eHealth took over the SHA’s IT systems when the health authority moved them to its data centre in 2017.

The Crown is currently responsible for 35 IT systems deemed “critical” for the delivery of health care in Saskatchewan.

The report laid out two recommendations made by the auditor in 2019.

The first outlines installing centralized Network Access Controls (NAC) for all health sector agencies – while the second has to do with utilizing network security logs and scans to monitor systems for malicious activity.

Both have been partially implemented by eHealth.

The report went on to say that the organization’s five year disaster recovery roadmap includes assessing potential risks to IT systems and establishing appropriate measures for recovery.

The roadmap is expected to be finalized in 2023-24.

“eHealth needs to begin disaster recovery testing when its Roadmap is complete. Without fully tested disaster recovery plans, eHealth, the [SHA], Saskatchewan Cancer Agency, and the Ministry of Health may not be able to restore their critical IT systems and data (such as the personal health registration system or provincial lab systems) in a timely manner in the event of a disaster,” the recommendation read.

“As ransomware and cyberattacks are steadily rising and evolving, organizations (like eHealth) need disaster recovery plans that enable speedy and easy recovery of data from the point of attack.”

CTVNews.ca Top Stories

9 suspects face charges after Quebec organized crime operation

Nine people appeared in court in Quebec City on Saturday as part of a major operation by the Sûreté du Québec to investigate violent conflicts between independent drug dealers and a group of outlaw motorcycle gangs in the east of the province.

Stay Connected