Haggie downplays cyber-risk 'business proposal,' says threat assessment found no red flags

Health Minister John Haggie is minimizing the significance of a report that was critical of cybersecurity issues at Newfoundland and Labrador’s largest health authority two years ago.

Situation is 'extremely alarming,' PC Opposition leader contends

Health Minister John Haggie answers questions from reporters outside the House of Assembly on Thursday afternoon. (Mark Quinn/CBC)

"That was received in the department as a business proposal, as a business development proposal," Haggie told reporters outside the House of Assembly on Thursday afternoon.

"The department never received any vulnerabilities or an assessment thereof."

The September 2020 report was a business plan provided to Eastern Health as part of an initiative to create a cybersecurity centre of excellence in the province.

As part of that process, Eastern Health engaged Israeli security experts to do "in-depth analysis of the exposure" of the IT system at Eastern Health and the Newfoundland and Labrador Centre for Health Information (NLCHI).

According to the report, they found "numerous vulnerabilities, security concerns and compliance issues to be addressed."

Asked whether those issues were addressed, Haggie said, "They weren't brought to our attention."

He said "there was no mention of any specific problems" in the business proposal that was submitted and steered inquiries back to Eastern Health.

"Those questions about vulnerabilities you'd better address with them," he said.

"We simply got a business proposal."

Haggie said he independently asked NLCHI for a threat assessment of cyber systems in September 2020 — around the same time the Eastern Health report was completed.

"I received a threat assessment which highlighted no red flags," Haggie said.

Haggie reiterated that the province is following the advice of national and international experts in declining to discuss cybersecurity measures.

He wouldn't identify who was giving that advice, saying it would be unwise to do so.

The health minister also dismissed the views of experts contacted by CBC News who believe the province could be providing more information.

"If you want to go and trawl the Internet and speak to people, you obviously have done [that]. And that's fine," Haggie said.

"But this is a security issue. You don't see the Department of National Defence going out there and talking about its cyber issues or the Canadian Centre for Cyber Security doing this. We are following national and international best practices, and that's what we are going to stick with."

Opposition leader David Brazil was critical Thursday of how the government handled a 2020 business proposal that flagged potential cybersecurity concerns at Newfoundland and Labrador's largest health authority. (Mark Quinn/CBC)

Opposition leader David Brazil called it an "extremely alarming" situation.

"It outlined a number of the inadequacies and the concerns and the fears of the information being vulnerable," Brazil said Thursday.

The interim Progressive Conservative leader rejected Haggie's comments about a cybersecurity threat assessment turning up no red flags.

"If you read the report, that's not what the report says. It's not what the people in the industry say," Brazil said.

"So the minister here either misinformed people or doesn't understand exactly the implications of what was outlined in that report."

The report was written a year before last fall's cyberattack plunged the province's health-care system into chaos.

Government officials have confirmed that the personal information of thousands of health authority employees was stolen, going back years or even decades, along with 200,000 Eastern Health records that could contain patient health data. Surgeries and medical procedures were delayed.

Haggie said, "This issue with Eastern Health and the cybersecurity centre is not related to the cyberattack."
