
B.C. health authority isn't effectively managing cybersecurity threat on medical devices, audit finds

B.C.'s auditor general says the Provincial Health Services Authority is not effectively managing cybersecurity threats for medical devices and has not evaluated the risk to patients.

Audit covered more than 18,000 devices, ranging from infusion pumps to MRI systems

A psychiatrist points to an image of a brain from an MRI machine. B.C.'s auditor general has found the Provincial Health Services Authority did not evaluate all cybersecurity threats and their risks to patients on its medical networks and devices. (Chris Young/The Canadian Press)

A report by British Columbia's auditor general says thousands of medical devices used to diagnose and treat people lack effective cybersecurity protections.

The Provincial Health Services Authority, which works with regional health authorities, lacks cybersecurity controls for its medical networks and is not effectively managing threats on medical devices, auditor general Michael Pickup said Tuesday.

The audit also found the authority did not evaluate all cybersecurity threats and their risks to patients.

It covered more than 18,000 devices in the Lower Mainland, ranging from infusion pumps to MRI systems, and the infrastructure supporting their operation.

Pickup said ineffective cybersecurity management also means the authority might not be able to detect cyberattacks.

"This is concerning to me," he told a news conference. "Addressing these shortcomings is critical to detecting cyberattacks that could put patients at risk."

The audit recommends that the authority evaluate cybersecurity risks and take action, and that it identify all hardware and software on its medical device networks.

The authority accepted the four recommendations and outlined steps it has taken to improve security, including reviewing with the government, industry and others how best to defend against cyberthreats.

"Work is underway on a number of planned improvements for 2021, including an expansion of cybersecurity for medical devices," Ron Quirk, the authority's executive vice-president of digital information and innovation, said in a statement.

"The AG's findings are timely and will help inform these efforts."

'Health-care organizations are key targets for attackers'

Pickup said he was encouraged by the response, but the report also serves as a warning to health organizations to provide better protections.

"Unfortunately, what could go wrong is you may end up in a situation where treatment wouldn't be available if there was a cyberattack or you could have treatment based on inaccurate data if there was a cyberattack that did something," Pickup said.

The audit also warned about the potential harms associated with cyberattacks at health-care facilities.

"Health-care organizations are key targets for attackers because health information is so sensitive," says the 27-page audit. "A successful cyberattack on network medical devices could harm patients and significantly disrupt hospital operations."

Pickup's report, released Tuesday, followed another last month, a review of five ministries including finance and health, that found the B.C. government did not have adequate cybersecurity practices in place to manage its computer systems.
