
Ineffective cybersecurity posing risks to N.S. health data, report finds

A new report says Nova Scotia doesn't provide effective cybersecurity for its digital health networks, exposing the system to risk.

Kim Adair says there is lack of accountability between departments overseeing system

A new report from Nova Scotia Auditor General Kim Adair says the province's digital health networks do not have effective cybersecurity. (Robert Short/CBC)

Nova Scotia doesn't provide effective cybersecurity for its digital health networks, and as a result is exposed to unnecessary risk, says a new report by the province's auditor general.

Kim Adair's report published Tuesday found a lack of accountability and collaboration between the three government entities that oversee the system: the Health Department, the Cyber Security and Digital Solutions Department, and Nova Scotia's health authority.

The situation is problematic because of the province's growing reliance on digital networks to store people's personal and sensitive health information, the report says.

Citing attacks in other provinces, like Newfoundland and Labrador and Ontario, she said, "We've seen several health-care organizations fall victim to serious cyberattacks that have compromised sensitive information, disrupted patient care and disabled networks."

Nova Scotia's "lack of IT governance gives minimal accountability for cybersecurity during a time of rapid expansion" of the province's digital health network, Adair said.

'Pervasive tolerance' for accepting risk

The report says key governance structures established to manage and monitor the network, along with cybersecurity efforts, were abandoned by 2022.

The auditor said her office hired Toronto-based independent experts from Packetlabs to run cybersecurity tests between April 2021 and June 2023, which revealed a "pervasive tolerance" for accepting risk and a failure to manage ongoing risks.

More specifically, the report found that external health sector contract holders — such as pharmacies and doctors' offices — weren't required to include cybersecurity training before accessing the network.

The report also said testing showed most proposed technology projects that added to or changed the data flow or architecture of the digital health system didn't fully comply with a mandatory three-phase review process put in place by a government panel. As well, the report said the review board allowed projects to connect to the network without meeting cybersecurity standards.

Report makes 20 recommendations

To strengthen the system, the 42-page report makes 20 recommendations, including the creation of an information technology governance framework to manage the digital health system, the completion of all outstanding cybersecurity assessments and regular mandatory cyber awareness training for all health network users.

Adair said her office would follow up on the progress of the digital health network a year from now. So far, she said, response from the government agencies involved has been positive.

In an emailed statement, a provincial spokesperson said the departments of health and of cybersecurity and digital solutions, along with Nova Scotia's health authority, say changes in the system are already underway.

"We are making investments and reducing risk as much as possible, while we modernize our digital health infrastructure. We have already begun work on many of the auditor general's recommendations and will continue to work on the rest," spokesperson Rachel Boomer said in an email.

The province said it will not disclose details of the changes underway to prevent further cyber threats from bad actors.
