Saskatchewan’s Provincial Auditor Judy Ferguson released Volume 2 of her report on Tuesday, December 8th. The report provides critical information on “whether the Government issued reliable financial statements, used effective processes to administer programs and services, and complied with governing authorities.” The role of the Office of the Provincial Auditor is to promote accountability through an independent assessment of the Government’s use of public resources. In this second volume of the 2020 Report, the Office completed audits of 166 different agencies with fiscal year-ends between January and June 2020, which included 75 crown corporations and agencies, 19 government ministries, 36 pension and benefit plans and special purpose funds, and 36 health care affiliates. Of those, only 20 had issues that need to be addressed.
The report goes into great detail about the good news and the bad of what was found through the audits, with one of the main shortfalls being in the area of Information Technology (IT). Certain ministries, the Auditor found, continued to not promptly remove access for individuals who were no longer part of the ministry staff, which directly impacts the security and confidentiality of the data stored in their services. Notably, the ministries of Corrections and Policing, Justice and Attorney General, and Highways and Infrastructure, as well as Northlands College, were in this grouping. Of even greater concern, however, is the lack of follow-through in developing and testing disaster recovery plans for eHealth’s IT network of 38 critical systems used by health care professionals to administer and deliver health care services in Saskatchewan. In January 2017, the Ministry of Health ordered the consolidation of the IT services of the Saskatchewan Health Authority, Saskatchewan Cancer Agency and 3sHealth into a single service with eHealth, but as of March 31, 2020 this is still not complete. In 2018 the Provincial Auditor recommended eHealth Saskatchewan and the SHA sign a service level agreement which would outline in detail the services provided, availability requirements, service delivery targets, and security and disaster recovery requirements. Disaster recovery plans enable an organization to speedily recover data when it experiences a malware attack the like of which eHealth experienced in January 2020. Malware refers to any type of malicious software, including viruses. While malware can have a variety of goals, some of the common ones are identity theft, stealing financial information, and assuming control of networks and denying usage until a “ransom” is paid, thus called a ransomware attack.
A “spear phishing” attack (an attack directed at a specific entity) occurred in late December 2019 on a computer with access to the eHealth network but was not detected until a ransomware attack on January 5th, 2020, which seriously disrupted the ability of over 40,000 health sector employees to work effectively. The attack encrypted a significant number of servers and data, rendering them unusable. eHealth did not pay a ransom to retrieve the files and instead was able to recover them from backups made prior to the attack, but the recovery took considerable time, resulting in some systems being unavailable for extended periods of time. Tested disaster recovery plans, the Provincial Auditor cited, are critical as entities such as the personal health registration system or the provincial labs system rely on the availability of the IT systems to deliver time-sensitive health services. While eHealth has since started working on disaster recovery plans for the 38 critical IT systems, by the end of March a “recovery playbook” had been written for seven, but no disaster recovery testing had been completed. This recommendation has been ignored since 2007. “We recommended eHealth Saskatchewan have an approved and tested disaster recovery plan for systems and data.” (2007 Report – Volume 3; p. 248, Recommendation 6; Public Accounts Committee agreement January 8, 2008)
Another concerning issue the Provincial Auditor’s report highlighted lies in the Screening Program for Colorectal Cancer. Colorectal cancer is the second leading cause of cancer death in Saskatchewan and is on the rise. For more than ten years the Saskatchewan Cancer Agency has provided a screening program focussing on individuals between the ages of 50 and 74 because of the higher risk associated with this age group, but since 2014 the level of participation in the program has remained relatively unchanged. As time is of the essence when it comes to cancer detection and treatment, it is imperative that colonoscopies and the providing of results occur within a reasonable timeframe. Two recommendations for improvement were made by the Auditor. The audit revealed that 22 individuals waited longer than the 60-day national benchmark (61 days to 159 days) for a colonoscopy and 12 individuals with a cancer diagnosis waited between 15 and 104 days to receive the results from their colonoscopy; therefore the report recommends the Cancer Agency work “with the Saskatchewan Health Authority to reduce the time patients wait for colonoscopies and determine a timeframe (benchmark) for providing diagnosis reports to patients.” A colonoscopy is called for when there is an abnormal result from a fecal immunochemical test (FIT) and a patient is then referred by either the Saskatchewan Cancer Agency or a primary care provider. In some parts of the province, it is the responsibility of the Agency and in other parts it is the primary care providers. In the parts of the province not under the jurisdiction of the Agency, the average wait time for a follow-up colonoscopy ranged from 66 to 95 days.
Results from colonoscopies are provided to patients and primary care providers through the SHA, which also provides the information to the Cancer Agency. While Canada does not have a national benchmark for timely reporting of results from colonoscopies to patients, the European standard of good practice is within 14 days of the procedure. In Saskatchewan the auditor found that of the 2650 individuals who had colonoscopies between August 1, 2019 and March 31, 2020, 95% received pathology reports within two weeks; however, twelve individuals who had tested positive for colon cancer waited between 15 and 104 days for the results. One individual waited 125 days for a colonoscopy and another 59 days for the resultant cancer diagnosis. Approximately 90% of colorectal cancers can be prevented or successfully treated if detected early. “Timely receipt of pathology results assists in determining and providing appropriate and timely treatment, and reduces the risk of the abnormality growing or spreading to other parts of the body.” (2020 Report – Volume 2; p.168)
At a time when the attention of the residents of the province is focussed on the actions and performance of the Saskatchewan Health Authority, the issues identified by the Auditor in eHealth take on a larger significance. The breach in the IT system could be overlooked as part of the reality of a technological world if it weren’t for the fact that the Auditor’s Report of 2007 had pointed out the need for a disaster recovery plan. Having a plan would not have prevented the attack, but a tested plan would have made the recovery of the files quicker and created less of an impact on the health care system. The general public does not differentiate between the SHA and eHealth, and a lack of confidence in one equals a lack of confidence in both. As the province sets out on the biggest immunization program in its history, the need for a reliable and secure IT system is a necessity.
Carol Baldwin, Local Journalism Initiative Reporter, The Wakaw Recorder