Manitoba

'Significant' weaknesses found in WRHA's cybersecurity, report says

An audit has found flaws in the Winnipeg Regional Health Authority's cybersecurity that left personal health information vulnerable to falling into the wrong hands.

Healthcare organizations must protect sensitive info accessed from computers and smartphones: audit

An audit found the WRHA was not identifying the risks to personal health information accessed by end-user devices and that there were weaknesses in its cybersecurity controls. (Ryan Remiorz/Canadian Press)

An audit has found flaws in the Winnipeg Regional Health Authority's cybersecurity that left personal health information vulnerable to falling into the wrong hands.

Manitoba's Auditor General Norm Ricard released a report Wednesday after looking into the WRHA's management of risks associated with end-user devices (personal computers, smartphones, tablets).

"Healthcare organizations must ensure they are properly protecting the sensitive information that is accessed from, and stored on, these devices," Ricard said in his report.

The audit found the WRHA was not identifying the risks to personal health information accessed by end-user devices and that there were weaknesses in its cybersecurity controls.

"Because of these significant cybersecurity control weaknesses, the WRHA was unnecessarily vulnerable to personal health information falling into the wrong hands," said Ricard.

The report notes the WRHA was focused on ensuring compliance with the Personal Health Information Act, including its security requirements, "but compliance to the PHIA security requirements does not ensure strong cybersecurity," Ricard said.

"We believe that focusing first on a cybersecurity program based on sound risk management would better protect personal health information and invariably result in compliance with the Act's security requirements."

The report contains 12 recommendations for both the WRHA and the provincial health department.