$62.3M for eHealth Sask. upgrades not enough, cybersecurity experts warn

eHealth Saskatchewan, which runs the province’s health-care IT system, has been approved to spend up to $62.3 million on upgrades including security services, but cybersecurity experts caution more needs to be done.

Money will be used for Windows 10 upgrades, equipment renewal, security initiatives

A closeup shows the hands of a person typing on a keyboard in a darkened room.
eHealth Saskatchewan has been approved for more than $60 million in upgrades, but cybersecurity experts caution more needs to be done. (PabloLagarto/Shutterstock)

eHealth Saskatchewan, which runs the province's health-care IT system, has been approved to spend up to $62.3 million on upgrades, but cybersecurity experts caution more needs to be done in the aftermath of the 2019 ransomware cyberattack that affected millions of files.

Cabinet recently approved the money, to be spent over the next three fiscal years, through an order in council.

The Crown corporation says the cash will go toward replacing equipment in its data centre, Windows 10 upgrades, investments in security technology, and replacement of computers and other devices.

In an unattributed statement, eHealth wrote, "it would not be in the best interests of the public or the health system to give specific details around our security measures."

eHealth is responsible for operating, maintaining and renewing all computer systems that serve the province's health-care sector, from diagnostics to pharmaceuticals to patient records.

In 2019, the agency was hit with a ransomware attack that Saskatchewan's privacy commissioner called one of the largest privacy breaches ever in the province.

On Dec. 20, 2019, a Saskatchewan Health Authority (SHA) employee opened an infected Microsoft Word document on a personal device while the device was being charged by USB cord at their workstation.

Opening the document triggered a Ryuk ransomware attack between Dec. 20, 2019, and Jan. 5, 2020.

Commissioner Ron Kruzeniski's damning report in January 2021 found the attack allowed criminals to steal millions of files, including more than half a million containing personal information of Saskatchewan people. 

Saskatchewan's Information and Privacy Commissioner Ron Kruzeniski found the 2019 eHealth cyberattack allowed criminals to steal millions of files, including more than half a million containing personal information of Saskatchewan people. (Samanda Brace/CBC)

Alec Couros, a cybersecurity expert and professor of educational technology and media at the University of Regina, said software and hardware upgrades are important, but that the upgrades on their own wouldn't be able to prevent a cyberattack like the 2019 one.

He said employees need to be trained on how to not let attackers get into their computers, noting many cyber incidents involve a human element.

"Unless there's serious dollars put into human training, none of that's going to be worthwhile in the long run," he said. 

Couros said some training must be a prerequisite for employees getting access to the systems that have the most vulnerable data.

"Making sure that employees are aware of all of these different factors and different schemes and tricks is really important," he said.

Regina-based cybersecurity expert Brennan Schmidt said there needs to be increased monitoring. 

"When we're talking about resourcing, we're also talking about people, that's to say eyes on glass, making sure that any sort of activities are being monitored 24/7," he said.

He added that everyone that has access to the health system, including patients, should be "active participants in maintaining the confidentiality, integrity and availability of their data."

Schmidt said the provincial government needs to think about cybersecurity in all sectors, including health and education, and has been advocating for the establishment of an advisory panel on critical infrastructure and cybersecurity.

The privacy commissioner's review also uncovered many ways eHealth, the SHA and the Ministry of Health failed to adequately protect the private information of Saskatchewan residents. 

CBC News obtained a briefing note from October 2020, written by eHealth for Saskatchewan's minister of health, warning that eHealth has been underfunded for years and was at growing risk of failure. eHealth said $150 million was needed over the next three years to update outdated and failing equipment.

The 2020-21 provincial budget earmarked $7.4 million for eHealth to support security upgrades, maintenance and licensing, along with $15.3 million the next year for operations including security. This year's budget promises a $9.8-million increase for eHealth, bringing its total operating budget of $135.6 million.

With files from Geoff Leo and Bryan Eneas