A warning issued a year before the cyberattack in N.L.


In a document submitted to the Eastern Health Authority in September 2020, the Ottawa firm Canada-Israel Technology Solutions made a list of numerous vulnerabilities, security issues and compliance issues that needed to be addressed to prevent data breaches and computer failures.

"The provincial system may be experiencing cybersecurity breaches without being aware of or reacting to them, due to the lack of qualified personnel, the absence of established processes and appropriate technologies to deal with the inevitable cybersecurity threats," reads the business plan aimed at establishing a center of excellence on cybersecurity in Saint-Jean.

In October 2021, a cyberattack led to the cancellation of thousands of surgeries and tests, including chemotherapy and heart procedures. A data breach also affected thousands of people. Hackers gained access to over 200,000 files.

Ron Johnson, vice-president responsible for innovation at the Eastern Health Authority, says that some problems mentioned in the report have since been resolved, including the updating of several operating systems. He gave no further details.

"These assessments would have been actionable, but they were done to prepare the ground for the larger project [the center of excellence]," explains Mr. Johnson, adding that this project is underway and will make Newfoundland and Labrador a leader in cybersecurity.

[Photo: Ron Johnson is vice president responsible for innovation at the Eastern Health Authority. Credit: Radio-Canada / Peter Cowan]

Mr. Johnson declined to comment further on the cyberattack and the steps taken to protect the Eastern Health Authority, which encompasses more than 300,000 patients.

A wake-up call, experts say

Radio-Canada/CBC asked seven cybersecurity experts to read the business plan of Canada-Israel Technology Solutions and let us know their impressions of the system’s vulnerabilities.

"I think it can absolutely be seen as a red flag," asserts Simon Woodworth, director of a research center on medical information systems at University College Cork in Ireland. In this regard, it is important to note that the cyberattack took place a year after this warning.

According to the document, the Eastern Health Authority did not have a detailed inventory of its assets, that is, a database that lists the hardware and software resources that must be monitored and protected.

"The reason for having it is that we can't really secure our systems if we don't know what we have," explains Sam Harper, journalist at Pivot and contributor to Crypto Quebec.

Too few analysts

The report indicates that the computer systems were built according to best practices, but points out that the health authority did not have enough security analysts to monitor the entire network. As a result, it monitored only a fraction of its most important systems.

"If you don't have the staff to maintain the system, it's a bit like having a car where you never get the oil changed, and where you never replace the lights and the tires," explains Iva Tasheva, co-founder of CyEn, a European firm of cybersecurity consultants.

As Ron Johnson admitted, the document also indicates that the Eastern Health Authority was using dated technologies that needed to be upgraded or removed altogether.

Hospital assessment

The business plan also mentions an evaluation of the hospital's computer systems in Carbonear, on the Avalon Peninsula. This evaluation, carried out by the Israeli firm CyberMDX, was not provided to Radio-Canada for reasons of confidentiality. But the business plan summarizes its findings.

"In the brief period the system has been running, data from CyberMDX has confirmed that there are numerous vulnerabilities, security issues, and compliance issues to be addressed within the network [of the Eastern Health Authority]," the report reads.

Sam Harper points out that CyberMDX had performed a passive scan.

"That is, without someone actively trying to hack into the system, they used different scanners to try to see if there were any vulnerabilities," he explains. With just a passive scan, he seems to have found plenty.

CyberMDX, which was recently purchased by another company, declined to comment on the work it did for the health authority.

Radio-Canada/CBC tried, without success, to get in touch with the leaders of Canada-Israel Technology Solutions.

A report that could have been produced in any other country

Several experts consulted by Radio-Canada/CBC pointed out that the business plan was drawn up by a private firm whose aim was to build a center of excellence that would cost some $28 million.

"The objective is to sell security solutions and I only have as information those described in the report," underlines Solange Ghernaouti, professor of cybersecurity at the University of Lausanne, in Switzerland.

However, Ms. Ghernaouti points out that in North America, as in Europe, there is underinvestment in all hospital structures or health systems.

"This report, which was produced for Canada, could have been produced in any other country," she says.

The provincial Department of Health redirected our questions to the Eastern Health Authority. Since last fall, several ministers have systematically refused to answer questions about the cyberattack and the measures taken to protect the health system in the future.

In a statement, the Department of Health and Community Services says it has taken a wide range of measures to contain the breach to ensure that it will not cause further problems to the healthcare system.

"We continue to monitor and review our IT systems and cybersecurity protocols as technologies change and evolve, making updates as necessary."

With information from CBC’s Rob Antle and Peter Cowan



Reference: ici.radio-canada.ca