Long before N.L. cyberattack, report flagged flaws in system
Israeli security firm found ‘numerous vulnerabilities’ within Eastern Health network
Israeli cyberexperts who reviewed information security arrangements at Newfoundland and Labrador's largest health authority confirmed "numerous vulnerabilities, security concerns and compliance issues" that needed to be addressed within its network.
The details are in a business plan prepared for Eastern Health in September 2020 and recently obtained by CBC/Radio-Canada.
"The provincial system may be experiencing cybersecurity breaches now with no knowledge or response possible due to the lack of skilled staff, the lack of set processes and the proper technology in place for the inevitable cybersecurity threats," the proposal noted.
The report was completed more than a year before last fall's cyberattack paralyzed the province's health-care system.
There is no indication any of the issues it identified are connected to last fall's breach.
In fact, there has been no public disclosure of what caused the cyberattack at all. Provincial government officials have repeatedly refused to answer questions about the attack, citing security reasons.
Ronald Johnson, Eastern Health's vice-president of innovation and rural health, told CBC/Radio-Canada the business plan was created as part of a process to build a cybersecurity centre of excellence in the province.
But he wouldn't say exactly what was done to address the concerns raised in the report.
"Some action would have happened out of those assessments. But again, those assessments were meant to set the stage for this larger project," Johnson said.
"Those issues that were identified, those larger issues, are what I would call challenges for the health system. And the goal of the COE, this cybercentre of excellence, is to address those challenges."
Johnson said the work was meant to identify "global issues" that could affect health-care organizations across the country.
"This project is to address cybersecurity for the long haul. This does not necessarily preclude anything that happens in the short haul."
Johnson said he could not discuss shorter-term efforts.
The Department of Health declined to make anyone available for an interview to address any concerns raised by the report.
'It absolutely could be considered a warning'
Eastern Health has been working with partners since 2019 on the centre of excellence concept.
The 2020 business plan was prepared by an Ottawa-based company called Canada Israel Technology Solutions.
It included an "in-depth analysis of the exposure" of the IT system at Eastern Health and the Newfoundland and Labrador Centre for Health Information, which is responsible for network security for all health authorities in the province.
The actual analysis, done by Israeli company CyberMDX, remains confidential. But the broad strokes of its findings are described in the 2020 business proposal.
CBC/Radio-Canada provided that 40-page document to a half-dozen cybersecurity experts to get their take on it.
"I think it absolutely could be considered a warning," said Simon Woodworth, director of the Health Information Systems Research Centre at University College Cork in Ireland.
"And in that respect, it's significant that the cyberattack happened a year after the warning."
Sam Harper, a journalist and programmer with Crypto Quebec, said, "Alarms [were] going off when I was reading it."
'Insufficient security analysts'
A section of the report about cybersecurity needs referenced a number of potential issues.
They ranged from outdated technology to a lack of staff to an inadequate database used to keep track of information about assets.
According to the report, there were antiquated components in some IT systems that could not be appropriately managed or patched, and would most likely need to be upgraded or decommissioned altogether.
The document recommended more security staff to identify, respond to, mitigate and defend against cyberthreats.
It said that while the Eastern Health and NLCHI systems are built to best practices and security standards, there are "insufficient security analysts able to ensure full compliance."
As a result, only partial auditing was being conducted annually on a select number of the critical security systems.
"If you don't have the personnel to maintain the system, it's like having a car that you never plan to change the oil, or the light bulbs, or the tires," said Iva Tasheva, co-founder and cybersecurity management lead for Brussels-based consulting firm CyEn.
"So eventually it would wear off and it would very quickly become obsolete."
Crypto Quebec's Sam Harper agreed.
"Everybody always says that everything's built up to standards and everything, but unfortunately, it's how you maintain it afterwards that's important," Harper said.
"I mean, you can build the house in the best way possible, but if you never do the repairs that are needed, if you don't fix things when they're broken, well, after 20 years, after 10 years, you might be in trouble."
New risks evolve and so do practices, including criminal practices, said Solange Ghernaouti, a cybersecurity professor at the University of Lausanne in Switzerland.
"This means that we need technicians to do security, but above all we need analysts who are able to understand the situation, what needs to be protected, the risks," Ghernaouti said.
'Compliance issues to be addressed' in network
The 2020 business plan also noted the lack of a complete current configuration item database either in place or maintained, making it difficult to determine the full scope of the upgrades and patching required.
That database is basically an inventory of hardware and software assets.
"In this case, there's obviously a very clear lack of visibility across the network," said Ronan Murphy, executive chairman of SmartTech247, an Irish cybersecurity firm that operates globally.
"Even if you have visibility, it's a vicious circle if you don't have the analysts or the capability to resolve the problems you see. It's a moot point."
According to the report, Eastern Health hired CyberMDX for a one-month "proof of value" engagement to passively monitor the systems at the Carbonear hospital.
"In the brief time that the system was functioning, the findings of CyberMDX have confirmed that there are numerous vulnerabilities, security concerns and compliance issues to be addressed within the EH network," the 2020 business proposal noted.
CyberMDX — which was recently acquired by another firm — declined a CBC/Radio-Canada request to provide more information on its work in Newfoundland and Labrador.
Officials with Canada Israel Technology Solutions could not be reached for comment.
Centre of excellence status
A number of the cybersecurity experts contacted by CBC/Radio-Canada stressed the 2020 business plan was part of a sales pitch to the health authority, and that context should be kept in mind when looking at its conclusions.
Eastern Health made the document available to potential private-sector partners last year, as the process moved forward to gauge industry interest and feedback in the centre of excellence idea.
Vice-president Ronald Johnson said the plan continues to progress, with "bricks and mortar" possibly happening by the end of this year.
The aim is to secure the provincial health-care infrastructure against cyberthreats, while building expertise in the industry.
"We will protect our assets, but at the same time, we're going to have job creation and economic development," Johnson said.
"That's why we've been doing it."
According to an Eastern Health presentation from last summer, the centre of excellence would nearly break even after five years, after incurring net costs of more than $28 million.
Questions about cyberattack remain unanswered
Government officials have remained silent about most aspects of the cyberattack, which took down many of the health computer systems in the province.
They have confirmed that the personal information of thousands of health authority employees was stolen, going back years or even decades, along with 200,000 Eastern Health records that could contain patient health data. Surgeries and medical procedures were delayed last fall.
But the provincial government won't say who was responsible for the attack, whether it involved ransomware, whether any ransom was paid, or whether anything has been done since to address any problems.
- N.L. cyberattack costs approach $16M, health minister says
- N.L. health-care cyberattack is worst in Canadian history, says cybersecurity expert
"I think it would be safe to say we have taken steps to remedy the issues that we have found," Health Minister John Haggie said in late March.
"I think beyond that, it would be unwise to go into too many specifics again. For reasons of security, it's a bit like giving a burglar your passcode for your alarm system."
- $200K public relations aid for N.L. cyberattack didn't result in transparency, says expert
- More health info stolen in N.L. cyberattack than government originally reported
But University College Cork's Simon Woodworth says there should be transparency and openness.
"There's just an awful habit with both private individuals and companies and government departments to stay very quiet about cyber attacks and the consequences," he said.
"This is patients' data they're dealing with. People are entitled to know how well protected the data is."
And Woodworth questioned why the business plan didn't focus more on near-term solutions instead of long-term goals.
"The document maybe could have said a little bit more about 'this is the stuff you need to do immediately before we get stuck into the big plan,'" he said.