The Saskatchewan government says its investigation into a cyberattack on the province's health information system earlier this year was unable to determine whether or not personal information was breached.
The province released an update on the months-long investigation into the malware attack on eHealth Saskatchewan Tuesday. The attack affected systems used by eHealth, the Saskatchewan Health Authority (SHA) and the Ministry of health.
The province said it is notifying the public of the potential breach of personal information after being unable to confirm that such a breach did not occur.
Investigators found that some information was sent to a suspicious IP address, but the files were encrypted.
"Therefore, it is impossible to say with any accuracy precisely what information from the larger group of files was sent to the IP address."
Earlier this month, provincial auditor Judy Ferguson said in a report that the SHA was not yet sufficiently monitoring for cyberattacks against eHealth. Her audit also found that 38 eHealth systems did not have complete disaster recovery plans in case there were ransomware attacks. Without the recovery plans, the SHA risks not being able to restore its systems within a reasonable time, her report said.
The cyberattack started after an employee in the health-care sector opened a suspicious attachment in an email and malware was spread throughout Saskatchewan's IT system.
eHealth said it continued to monitor the internet for signs that files from Saskatchewan found their way into improper hands and that the latest six-week scan, completed in November, showed no evidence it had happened.
No timeline for aftermath
Dr. Alec Couros, a professor of information and media technology at the University of Regina, said that if pesonal health info was compromised it could be used for a variety of purposes and there's no telling when it could resurface.
"They might not need it for any other particular purpose, other than to have some blackmail to leak it at a later time," he said.
"It's probably not going to be used in an individual case or to attack someone individually. Most of the time it's used to show the vulnerability of government, to amplify some bad practices, or to reduce the public trust in organizations."
Couros said the information could be used as ransom at some point down the road, but that's something he said could happen tomorrow, next week or next year.
He said it's likely the information already found its way to the dark web and someone else who was not an original perpetrator of the attack may use it for their own interests.
eHealth touts new security
In a statement published Tuesday, eHealth CEO Jim Hornell outlined measures being taken to prevent a similar attack from happening in the future.
"Security training is being improved and intensified through-out the health-care sector," Hornell said.
"For example, eHealth has introduced new training to help employees identify and thwart phishing attacks."
New vulnerability management tools were introduced to scan the entire health care IT system. A new email security system that uses machine learning to detect patterns and identify suspicious emails being introduced.
Systems are now continuously monitored by a new threat intelligence software.
A multi-factor authentication authentication system was brought in, requiring employees to verify their identity via randomly-generated passwords sent to their phones.
System-wide password resets were done and stale accounts were deactivated.
Couros said it was good to see the extra training and security measures being taken to prevent future attacks, but noted that sometimes — as appears to be the case here — it simply comes down to human error.
"A lot [of these attacks] happen due to social engineering. Finding the weak link in the company, someone who perhaps uses a bad password, is subject to bad information that comes in through their email and they take bad action," Couros said.
He questioned if it's safer for public institutions to host their own information, versus using a large reliable external company to host the information and determine the type of access that's given to individuals.
Couros said at this point it appears the province is acting accordingly to address the faults that exist in the system, human and IT alike.
The provincial news release said the Office of the Information and Privacy Commissioner advised eHealth, the Sask. Health Authority and the Ministry of Health the cyberattack and their responses to the attack would be the subject of a forthcoming investigation.