Manitoba needs to do more to protect information systems from attacks, misuse: auditor general
Shared Health didn't immediately revoke some workers' access when they left their jobs, report says
The Manitoba government needs to better protect its information systems from internal misuse and outside attacks, the provincial auditor general said Thursday.
Tyson Shtykalo's 21-page report focused on system administrators and other people with deep access to systems in a few departments that contain personal, corporate and health information. The audit ran from 2018 to March of this year.
The report says password requirements are not strong enough in some areas.
"For example, improvements are needed to the standards that govern identification and authentication, and information systems have not been configured to enforce quality passwords as required by Manitoba and Shared Health password standards," the report states.
"Good identification and authentication standards include multifactor authentication, minimum number of failed login attempts, inactive session terminations, minimum password length, password complexity ... and password history."
Shared Health, which co-ordinates provincial health care, has given out privileged access to some workers without formal, documented approval and did not revoke some workers' access immediately when they left their jobs, Shtykalo wrote.
Some Shared Health workers were given higher levels of access than they need for their jobs, he added.
A Shared Health spokesperson told CBC the agency accepts the auditor general's findings, and work is ongoing to address the recommendations relating to privileged access to programs and networks.
The auditor general's report also calls for better monitoring of people who use information systems, in order to detect any unauthorized activity.
"An unauthorized person with privileged access could steal data or funds, disrupt operations or cause system outages," Shtykalo said.
Shtykalo said he shared more detailed information with the departments involved in his audit, but did not include it in the report.
"If this information is disclosed publicly, cyber threat actors could misuse it to compromise systems operated by these entities," the report states.
Province has already moved to fix some problems
Central Services Minister Reg Helwer says some of Shtykalo's recommendations, which were made directly to the departments before the report was published, have already been implemented.
"We moved on them quickly to ensure that we could make sure that Manitobans' data was safe," he said in an interview at the legislature on Thursday.
Helwer said unauthorized users are no longer able to access systems, and there is now a privileged access project to identify who should and should not have access to certain information.
He said there are still recommendations outstanding that the province is working to put in place, including one recommendation that calls for monitoring the activity of privileged users.
"Those are very personal things. Some people obviously don't enjoy being monitored. Most of us don't. So we have to make sure we work with the individuals on ... what's done on the systems as opposed to a broad brush approach to everybody being subjected to the same outcomes," Helwer said.
He said the province agrees with the idea of the policy, but thinks there should be different monitors for different departments.
The Opposition New Democrats called for tighter cybersecurity immediately.
"In today's knowledge economy, good digital security to protect your private personal information is as important as having a lock on the front door of your house," NDP Leader Wab Kinew said in a statement.
With files from the CBC's Rachel Bergen