Newfoundland and Labrador’s healthcare system was deficient in IT security ahead of the 2021 cyberattack and data theft, the province’s privacy commissioner’s office says, adding that there was no justification for the government going more than 500 days without disclosing to the public that it was ransomware.
“Internationally recognized, industry-standard cyber security measures were either not in place or not fully implemented,” a detailed report on the attack released this week said.
“The release of personal health information and personal information of citizens of the province that came under the cyber attack was almost an inevitability in the circumstances.
“Moreover, these weaknesses were known within the health care system, but there was a failure to take adequate and timely steps to correct them,” it adds.
The report said the blame must be shared by the province, the three district health authorities and the Provincial Center for Health Information, a shared IT services provider for the health system. (Since the attack, the health authorities and the center have been merged into a provincial health authority called the Newfoundland and Labrador Health Service.)
In March 2022, the government said the cost of the attack was $16 million, including $5 million for victim credit monitoring services.
More than 100,000 patients, current employees and former employees were officially notified that their personal data had been stolen. However, the report says, it is likely that “the vast majority of the province’s population” – hundreds of thousands of people – had some personal information or personal health information taken by the cyber attackers.
The specific number, the report says, may never be known.
In a provincial report released in March, the government said the attack began by penetrating the VPN of a provincial health service information managed environment using compromised credentials of a legitimate user. It is not known how the attacker got that username and password.
In that report, for the first time – 18 months after the attack – the government acknowledged that the Hive ransomware gang was responsible. The province said it could reveal this only because the gang had been taken down.
The report from the Office of the Privacy Commissioner doesn’t buy it. “The length of time before the public was notified when a ransomware cyberattack occurred is of concern, and the rationale provided for such delay was insufficient to justify it,” the report said.
The government’s response to the report did not directly deal with complaints about the lack of cyber security of the healthcare IT system, or the delay in admitting it was ransomware. Instead, in a statement, Justice Minister John Hogan said the government is pleased the Office of the Information and Privacy Commissioner found the province took appropriate steps to investigate and contain the cyberattack after discovering it.
The report states that ransomware “should be a more prominent item on the radar of those leading the health care system”.
It acknowledges that the COVID-19 pandemic may have made it difficult to make the necessary progress on cyber security during that period. But, the report said, there were known vulnerabilities in IT health care systems, and progress toward addressing them was “insufficient.”
And while creating an IT shared service model in 2019, run by the Health Information Centre, was an opportunity to bring all regional health authorities up to the same standard in terms of cyber security, the report says it was an “inadequate priority”. In fact, three months before the implementation of the shared services, the Center received a privacy and security posture assessment from Deloitte, which identified several cyber security vulnerabilities and shortcomings, the report said.
For security reasons, the report does not reveal details explaining how the threat actor moved through IT systems or describe what attack methods were used. Nor does it say whether the province paid the ransom or not. The report states that many of the tools and techniques used by the threat actors were common and well-known, and should have been identified and responded to by an appropriate defense ecosystem.
The report also gives a two-week timeline: On October 15, 2021, the intruder used an employee’s credentials to log into a managed IT system, which included the domains of four regional health authorities. Ten days later, the attackers moved laterally through the environment, elevated their privileges and connected to other IT systems through an account with administrative privileges. Between October 26 and 29, the attacker stole over 200 GB of data. On October 30, ransomware was deployed, causing widespread disruption to IT healthcare services.
The report states that there were some IT alerts before October 30. However, they were not properly investigated and/or not responded to. “Had this been done, it could have prevented or minimized malicious extraction of data,” the report said.
Some of the stolen data unnecessarily included social insurance numbers of individuals. These were collected when patients registered for treatment. Why? Because, the report says, the computer patient entry module had room on the screen to enter them. However, the provincial health privacy law states that institutions “shall not collect more personal health information than is reasonably necessary to fulfill the purpose of collection.”
Another problem was that some regional health authorities held on to data for more than 10 years, leading to large amounts of data being stolen. Health officials failed to implement appropriate records management policies and procedures related to the retention and destruction of personal information and personal health information, the report says. It recommends the new Integrated Health Authority “continue to take diligent steps to ensure
that information management policies and procedures address the retention and
destruction of personal information and personal health information are developed.”
The report also criticizes provincial authorities for the careful language used in describing the attack and data theft. By November 8, 2021, “the [Health] Department and the Center were aware that the highly sensitive information described in the initial privacy breach public advisory briefing was taken by the threat actor, but failed to provide this warning to the public,” the report said. Instead, the government initially spoke of the data being “accessed,” “obtained,” or “taken.” In fact, in a November 10 press conference, Hogan said, “In the cyber world, and specifically access to that data, this bad actor has access and had access to the data at some point, doesn’t mean it was copied, it does not mean that it was taken.”
The report commented that the emphasis on the distinction between “accessed” and “taken” was a misrepresentation of the information known by the authorities at the time, and ultimately downplayed the risk of harm [to victims].
“Critical information was already held by both the Center and the Department and was withheld from the public,” the report said.
One of the report’s recommendations is that provincial health authorities update notification policies to reflect that, where there is a breach of personal information or personal health information and public notification is required, in the case of a ransomware cyberattack the notification should include information about those circumstances at the earliest reasonable opportunity.
“The Hive ransomware group and the tactics and tools used in this cyber attack were not invulnerable,” says the report. “Indeed, many of the techniques used in this cyber attack were basic techniques commonly used in cyber attacks and were well known within the cyber security community. An adequate cyber security defense system can identify such techniques in its system and provide incident response measures to prevent or mitigate onward movement within the system and/or to prevent or delete data.”
It mentions things like backing up data to the cloud, keeping computers, devices, and applications patched and up-to-date, and using multifactor authentication to protect login credentials.
About a year before the ransomware attack, the Center prepared an information note for the health minister stating that the chances of a ransomware attack were “high”. The briefing note said that significant IT vulnerabilities existed, including outdated operating systems, unpatched systems and software flaws. It also said that the Center’s priorities would be security training and awareness for all healthcare workers, patch management, backing up critical data, enhanced monitoring and vigilance, and credential hygiene.
Among the report’s recommendations is the creation of a Provincial Health Chief Privacy Officer to ensure that the Integrated Health Authority adheres to privacy best practices.