Ineffective cybersecurity posing risks to N.S. health data, report finds
Kim Adair says there is lack of accountability between departments overseeing system
Nova Scotia doesn't provide effective cybersecurity for its digital health networks, and as a result is exposed to unnecessary risk, says a new report by the province's auditor general.
Kim Adair's report published Tuesday found a lack of accountability and collaboration between the three government entities that oversee the system: the Health Department, the Cyber Security and Digital Solutions Department, and Nova Scotia's health authority.
The situation is problematic because of the province's growing reliance on digital networks to store people's personal and sensitive health information, the report says.
Citing attacks in other provinces, like Newfoundland and Labrador and Ontario, she said, "We've seen several health-care organizations fall victim to serious cyberattacks that have compromised sensitive information, disrupted patient care and disabled networks."
Nova Scotia's "lack of IT governance gives minimal accountability for cybersecurity during a time of rapid expansion" of the province's digital health network, Adair said.
'Pervasive tolerance' for accepting risk
The report says key governance structures established to manage and monitor the network, along with cybersecurity efforts, were abandoned by 2022.
The auditor said her office hired Toronto-based independent experts from Packetlabs to run cybersecurity tests between April 2021 and June 2023, which revealed a "pervasive tolerance" for accepting risk and a failure to manage ongoing risks.
More specifically, the report found that external health sector contract holders — such as pharmacies and doctors' offices — weren't required to include cybersecurity training before accessing the network.
The report also said testing showed most proposed technology projects that added to or changed the data flow or architecture of the digital health system didn't fully comply with a mandatory three-phase review process put in place by a government panel. As well, the report said the review board allowed projects to connect to the network without meeting cybersecurity standards.
Report makes 20 recommendations
To strengthen the system, the 42-page report makes 20 recommendations, including the creation of an information technology governance framework to manage the digital health system, the completion of all outstanding cybersecurity assessments and regular mandatory cyber awareness training for all health network users.
Adair said her office would follow up on the progress of the digital health network a year from now. So far, she said, response from the government agencies involved has been positive.
In an emailed statement, a provincial spokesperson said the departments of health and of cybersecurity and digital solutions, along with Nova Scotia's health authority said changes in the system are already underway.
"We are making investments and reducing risk as much as possible, while we modernize our digital health infrastructure. We have already begun work on many of the auditor general's recommendations and will continue to work on the rest," spokesperson Rachel Boomer said in an email.
The province said it will not disclose details of the changes underway to prevent further cyber threats from bad actors.