The IT security of Newfoundland and Labrador’s healthcare system before a crippling 2021 cyber attack and data theft was lacking, says the province’s privacy commissioner’s office, which also said there was no justification for the government not telling the public for over 500 days that it was ransomware.
“Internationally recognized, industry-standard cyber security measures were either not in place or not fully implemented,” said a detailed report on the attack released this week, “leaving the personal health information and personal information of citizens of the province vulnerable to cyber attack, which, under the circumstances, was almost an inevitability.
“Furthermore, these vulnerabilities were known within the health care system, but there was a failure to take sufficient and timely steps to remedy them,” it adds.
The report says blame should be shared by the province, three district health authorities and the provincial Centre for Health Information, the IT health shared services provider. (Since the attack, the health authorities and the Centre have been combined into a single provincial health authority called Newfoundland and Labrador Health Services.)
In March 2022, the government said the attack cost it $16 million, including $5 million for victim credit monitoring services.
Officially, over 100,000 patients, current employees and former employees were notified that their personal data had been stolen. However, the report says, it is likely that “the vast majority of the population of the province” — hundreds of thousands of people — had some amount of personal information or personal health information taken by the cyber attackers.
The specific number, the report adds, may never be known.
In a provincial report released in March, the government said the attack started with an intruder getting into the VPN of a provincial healthcare information managed environment, using the compromised credentials of a legitimate user. It isn’t known how the attacker got that username and password.
In that report, for the first time — 18 months after the attack — the government acknowledged the Hive ransomware gang was responsible. The province said it could only reveal that then because the gang had been taken down.
The privacy commissioner’s office’s report doesn’t buy it. “The length of time that elapsed prior to the public being notified of this being a ransomware cyber attack is concerning, and the rationale provided for such a delay was insufficient to justify it,” says the report.
The government’s response to the report didn’t directly deal with the complaints that the cybersecurity of the healthcare IT system was lacking, or the delay in admitting it was ransomware. Instead, in a statement Justice Minister John Hogan said the government is pleased the Office of the Information and Privacy Commissioner found that the province took reasonable steps to investigate and contain the cyberattack after it was discovered.
Ransomware “should have been a more prominent item on the radar of those in leadership throughout the health care system,” the report says.
It admits the COVID-19 pandemic would have made it difficult to make the necessary progress on cyber security during that period. But, the report adds, the vulnerabilities in the IT health care systems were known, and progress towards plugging them “was insufficient.”
And while creating an IT shared services model in 2019, run by the Centre for Health Information, was an opportunity to bring all of the Regional Health Authorities up to the same standard in terms of cyber security, the report says it was “insufficiently prioritized.” In fact, three months prior to the implementation of shared services, the Centre received a privacy and security posture assessment from Deloitte that identified a number of cyber security weaknesses and gaps, the report notes.
For security reasons, the report doesn’t reveal details outlining how the threat actor moved through the IT systems or describe what attack methods were used. Nor does it say whether the province paid a ransom. The report does say that many of the tools and techniques used by the threat actor were common and well-known, and should have been identified and responded to by an appropriate defence ecosystem.
The report also recounts the two-week timeline: On Oct. 15, 2021 the intruder used an employee’s credentials to get into the managed IT system, which included the domains of the four regional health authorities. Ten days later, the attacker moved laterally through the environment, escalated their privileges through an account with administrative privileges and connected to other IT systems. Between Oct. 26 and 29, the attacker exfiltrated over 200 GB of data. On Oct. 30, the ransomware was deployed, causing widespread disruption of IT health services.
The report says before Oct. 30, there were some IT alerts. However, they were not properly investigated and/or responded to. “Had this been done, it may have prevented or reduced the extent of the malicious extraction of data that followed,” the report says.
Some of the stolen data unnecessarily included individuals’ Social Insurance Numbers. These were collected when patients registered for treatment. Why? Because, says the report, there was a place for them to be entered on the screen in the computer patient admissions module. However, provincial health privacy law says institutions “shall not collect more personal health information than is reasonably necessary to meet the purpose of the collection.”
Another problem was that some regional health authorities held onto data for over 10 years, contributing to the huge amount of data stolen. The health authorities failed to implement appropriate records management policies and procedures relating to retention and destruction of personal information and personal health information, the report says. It recommends the new unified health authority “continue to take diligent steps to ensure that information management policies and procedures addressing retention and destruction of personal information and personal health information are developed.”
The report is also critical of the careful language provincial officials used in describing the attack and data theft. By Nov. 8, 2021 “the [Health] Department and the Centre knew that the highly sensitive information being described at the initial privacy breach Public Advisory Briefings had been taken by the threat actor, but failed to provide this warning to the public,” the report says. Instead, the government initially talked about data being “accessed,” “obtained,” or “taken.” In fact, at a Nov. 10 press conference Hogan said, “In the cyber world and specifically access to that data, this bad actor has access and had access to data at some point in time, does not mean that it was copied, it does not mean that it was taken.”
The report comments that “the emphasis on the distinctions between ‘accessed’ and ‘taken’ were an inaccurate account of what was known by officials at that time, and ultimately minimized the risk of harm [to victims].”
“Key information was already known by both the Centre and the Department and withheld from the public,” the report says.
Among the report’s recommendations is that the provincial health authority update its notification policies so that, where a breach of personal information or personal health information requires public notification and the breach is a ransomware cyber attack, the notification includes information about those circumstances at the earliest reasonable opportunity.
“The Hive ransomware group and the tactics and tools that they used in this cyber attack were not unstoppable,” says the report. “In fact, many of the techniques used in this cyber attack were basic techniques commonly used in cyber attacks and were well known within the cyber security community. An adequate cyber security defence system can identify such techniques in its system and provide incident response measures to prevent further movement within a system and/or prevent or reduce the removal of data.”
It mentions measures such as backing up data to the cloud, keeping computers, devices and applications patched and up to date, and using multifactor authentication to protect login credentials.
About a year before the ransomware attack, the Centre prepared an information note for the Health Minister saying the likelihood of a ransomware attack was “high.” Significant IT vulnerabilities exist, that briefing note said, including outdated operating systems, unpatched systems and software flaws. It also said the Centre’s priorities would be security training and awareness for all health-related staff, patch management, backing up critical data, enhanced monitoring and alerting, and credential hygiene.
Among the report’s recommendations is the creation of a provincial health chief privacy officer to ensure that the unified health authority follows privacy best practices.