May 5, 2024
The inside story of how N.L. health officials failed to act before a ransomware gang struck | CBC News

Many numbers have been linked to the cyberattack on Newfoundland and Labrador’s health-care system in the fall of 2021.

More than a half million people in the province, most of whom had their privacy breached. 

More than 200,000 files on an Eastern Health network drive, accessed and taken. 

More than 200 gigabytes of data exfiltrated, or stolen, by cyberthieves affiliated with the Hive ransomware gang.

But there is another number that perhaps best describes the lack of resources in the system before everything went wrong: three.

That’s how many IT security staff there were for the entire provincial health system, according to a post-attack report by the Canadian Centre for Cyber Security.

The regional health authorities and the Newfoundland and Labrador Centre for Health Information were “severely understaffed from a technical resource perspective,” the federal agency concluded.

That report was among the records reviewed by investigators in the office of Newfoundland and Labrador’s privacy commissioner — records that would otherwise have largely remained off-limits to the public.

Investigators scanned through internal emails and unredacted government briefing materials that shed new light on what did — and, more importantly, didn’t — happen in the lead-up to the devastating cyberattack in the fall of 2021.

Video | Watchdog found N.L. cybersecurity was ‘lacking’

Sean Murray of the province’s Office of the Privacy Commissioner unveiled a report on May 24 which concluded that efforts to reduce known vulnerabilities prior to a cyberattack were inadequate.

In the wake of the ransomware strike, provincial government officials have largely skated around questions about whether the province’s cyberdefences were as sturdy as the Rock of Gibraltar or as porous as the Maginot Line.

To a large degree, the provincial privacy watchdog’s report answers those questions. And the answers are not reassuring.

Shared services model for health IT

It began, as many government initiatives do, with a consultant’s report and a press release.

The consultant looked at eHealth services, and completed its report in early 2017. It recommended combining IT of the province’s four regional health authorities and the Newfoundland and Labrador Centre for Health Information, or NLCHI.

That review stressed that ensuring privacy protection was a “critical success factor.”

It added that “the inclusion of privacy and security” of personal health information is “an overarching priority.”

Later that year, in the fall of 2017, then health minister John Haggie announced a move to the so-called “shared services” model.

It came into effect two years later, in October 2019, and put NLCHI in charge of information technology and information security for all health authorities.

Photo: The Newfoundland and Labrador Centre for Health Information was placed in control of information technology and information security in 2019. (Rob Antle/CBC)

According to the privacy commissioner’s recent report, that “resulted in the centre inheriting responsibility over a vast and fragmented IT landscape, comprising hundreds of physical locations, together with thousands of workstations, software applications, network devices and servers, which store our province’s most sensitive information.”

Months before NLCHI took over, another consultant’s report — this one by Deloitte — found cybersecurity weaknesses and gaps.

But it turns out there was no money to fix them.

After the shared services transition, the overall IT budget had an annual deficit of $3 million. NLCHI told investigators that “financially limited [the centre’s] ability to comprehensively address cybersecurity.”

Not only that, NLCHI said it “was subject to government direction to make no new operational budget requests for fiscal years 2020-22.”

But that Deloitte report was not the only warning — and not the only time top health officials discussed the importance of cybersecurity.

Issue highlighted, but action lacking

There were emails from Eastern Health CEO David Diamond in 2019 and 2021 to other top health officials flagging news articles about cybersecurity breaches in Baltimore and Saskatchewan.

Between those messages, there were more concerns — a flurry of reports or advisories came in during the fall of 2020.

Photo: A sign taped to a door in Baltimore in May 2019 warns citizens about a ransomware attack that paralyzed computer systems. News of that attack prompted the CEO of Eastern Health in Newfoundland and Labrador to write to other health officials in the province about the vulnerability of hospitals. (Stephanie Keith/Reuters)

In late October, the Canadian Centre for Cyber Security issued an alert about renewed cyberthreats to Canadian health organizations.

Days later, the health-care insurance provider called HIROC circulated an alert about ransomware attacks being on the rise.

But weeks before those advisories were two other significant cautions — cautions that also do not appear to have resulted in significant action.

Israeli cyberexperts who reviewed information security arrangements at Eastern Health confirmed “numerous vulnerabilities, security concerns and compliance issues” that needed to be addressed within its network.

The privacy commissioner’s report footnotes CBC News reporting that would later reveal those findings.

When that CBC story ran a year ago, Haggie offered some commentary on global cyberexperts who were interviewed for their analysis of the Israeli firm’s work.

“If you want to go and trawl the Internet and speak to people, you obviously have done [that],” Haggie said. “And that’s fine.”

Haggie also minimized the significance of the consultant’s report.

“That was received in the department as a business proposal, as a business development proposal,” Haggie told reporters a year ago.

“The department never received any vulnerabilities or an assessment thereof.”

Photo: John Haggie answers questions from reporters outside the legislature in March about comments he made about cybersecurity last year, when he was health minister. (Ted Dillon/CBC)

But then Haggie went a step further, saying he independently asked NLCHI for a threat assessment of cybersystems in September 2020 — around the same time the Eastern Health report was completed.

“I received a threat assessment which highlighted no red flags,” Haggie said.

Those comments stood for nearly a year. No one in the government publicly disputed them, or suggested “no red flags” may not be entirely accurate.

But this past March, the Furey administration went to court to get privacy commissioner Michael Harvey removed from the cyberattack investigation. 

As part of that process, government court filings helpfully uncovered portions of that “no red flags” threat assessment that had previously been withheld from the public.

Among the previously blacked-out portions were these comments:

  • “Significant IT vulnerabilities exist, with new vulnerabilities identified daily such as outdated [operating system], unpatched systems, software flaws.”
  • “NLCHI, under the existing mandate, will require significant effort to elevate all eHealth IT environments to an acceptable level of security.”

Haggie then defended his earlier “no red flags” comments by noting that he actually hadn’t read the report in question but relied instead on a briefing from staff.

The Health Department went on to tell investigators that top bureaucrats received the note in September 2020 and shared it with the CEOs of the regional health authorities. Haggie was given a verbal briefing more than a year and a half later, in May 2022.

Given all that, it’s not clear why Haggie cited the document to rebut critical news coverage of cybersecurity preparedness and suggest there were no warnings of potential problems.

He declined an interview request sent to a spokesperson in the Education Department, where he had most recently served as minister until a cabinet shuffle moved him to Municipal Affairs this past week.

Accountability unclear

No one else in the Newfoundland and Labrador government has expressed any particular interest in addressing the report’s findings about what happened in the lead-up to the cyberattack.

The current health minister, Tom Osborne, wouldn’t speak with CBC News on the topic. 

The day the privacy commissioner’s cyberattack report was released, when asked whether there would be any accountability for the lack of preparation it revealed, Justice Minister John Hogan told reporters it was too early to say.

“The report is very fresh, very new,” Hogan said last month. “I’m not sure where the health authority is going to go with that, but I’m sure they’ll look at it, along with the recommendations in the findings.”

CBC News requested an interview with David Diamond — the former CEO of Eastern Health who was appointed to lead the transition into one amalgamated province-wide health authority — more than two weeks ago. There was no reply.

Photo: Premier Andrew Furey, left, and Eastern Health CEO David Diamond, right, are pictured during an update on Nov. 6, 2021, on the cyberattack that disrupted the Newfoundland and Labrador health-care system. (Government of Newfoundland and Labrador)

By law, Newfoundland and Labrador Health Services had 10 business days to respond to the commissioner’s report.

It did so last week. CBC asked for a copy of that response on Monday, June 5. 

At 4:41 p.m. on Friday, June 9, a spokesperson wrote to advise that the health authority had accepted all six recommendations in the report and was pleased the watchdog found that reasonable steps were taken to investigate and contain the situation after the attack happened.

But the health authority wouldn’t provide the actual response it sent to the privacy commissioner, saying a formal access-to-information request would be required for that.

When pressed, officials continued to insist it must go through their privacy office, to ensure any information released was in line with provincial legislation.

Finally, late this week, the privacy commissioner’s office provided the entire response to CBC News.

It was a one-page letter, comprising just three paragraphs, from a high-profile Toronto-based law firm.

“While the PHA [provincial health authority] disagrees with a number of findings in the report, the PHA will comply with all of the recommendations,” wrote Alex Cameron of Fasken Martineau DuMoulin LLP.

The letter did not identify which findings the health authority believed were wrong.
