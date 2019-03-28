Saskatchewan's eHealth network failed in several ways to fully secure private patient data on health workers' work laptops and phones, the provincial auditor says in a new report.

Auditor Judy Ferguson wrote that the people managing the eHealth IT network directly managed less than one-third of the nearly 13,000 laptops with access to the network, 80 per cent of the laptops were not encrypted to protect against malicious activity and only about half of employees with access to the network were trained annually in IT security awareness.

The report, tabled in the Saskatchewan legislative assembly Tuesday afternoon, documents the state of the network's security apparatus as of August 2019 and comes several months after a ransomware attack that left eHealth unsure of what information was taken.

"If the organization would have dealt with [the issues] earlier and promptly, it would have reduced the risk," Ferguson said in a news conference. "Unfortunately, we're not in a world [where it's] if you will be attacked. It's a matter of when."

Ferguson said the audit was undertaken because 30 per cent of health care workers in the province access data on the network to do their jobs.

"Properly controlling access to the eHealth IT network is critical given security breaches can impact the ability of these agencies to deliver effective health services," Ferguson wrote.

Ferguson also found that not all devices were wiped from the network after the devices were reported stolen or lost.

She recommended that the province hasten the process of amalgamating Saskatoon and Regina IT staff into eHealth, given that the process started in January 2017.

"Consolidating all IT security policies into a single set of overarching policies would reduce complexity and inconsistencies," she wrote.

Read Ferguson's full critique of eHealth below. Don't see it? Click here.