Shared Health urged to test cyberattack plan
WINNIPEG — Shared Health has a system to protect sensitive information from cyberattacks, but its plan to let the public know when it has been breached is lacking and must be put to the test.
Tyson Shtykalo, the province’s auditor general, said while Shared Health has procedures and technology to minimize its risk of falling victim to a cyberattack, he wanted to check what the provincial health authority would do if hackers were successful.
“What I wanted to do for this report is choose what might very well be a prime target, which would be Shared Health because of the amount and types of information that it holds and see what is your plan if you were cyberattacked,” Shtykalo said on Thursday.
“What we found is, they do have a plan on what to do and what the process would be in the event that they were attacked, but as auditor generals do, we found some areas and some places to make some recommendations where they could ensure that that plan is most effective.”
The report was released after high-profile cyberattacks at the University of Winnipeg and Pembina Trails School Division.
The report found that training sessions are not held with all staff members, a plan to communicate with external stakeholders and procedures to respond to ransomware incidents are incomplete, and incident-response tests were not done.
“Since no tests were performed, the effectiveness of the (response) plan cannot be evaluated to ensure that Shared Health is prepared to promptly respond to a major cybersecurity event,” the report states.
Shtykalo said while the audit focused on Shared Health, it should encourage all public-sector organizations to bolster efforts to respond to cybersecurity attacks.
Shared Health is responsible for province-wide health services as well as the Health Sciences Centre and the Selkirk Mental Health Centre.
Kevin Holowachuk, chief information and security officer of Digital Shared Services, said it “is committed to ensuring the security and integrity of the Manitoba health system and has robust processes in place to safeguard our systems from a malicious cyberattack.
“Work to implement the four recommendations has either been completed or is underway and has strengthened our cybersecurity incident response plans to ensure that we can detect, respond to, and manage cybersecurity incidents in a manner that would minimize impact and/or harm to IT assets and delivery of health-care services and patient needs.”
Shtykalo said he recommends Shared Health do table-top exercises and run through various scenarios in the event of a cyberattack.
“What we are calling for in the report is recommending that they actually test that response … just make sure it is most effective, if and when it is called upon.”
Shtykalo said the audit of Shared Health wasn’t sparked because of a cyberattack and there were no cyberattacks while the audit was being done.
“That’s good news,” he said. “It may have made for a more exciting report, but certainly I have my medical information there too, so I was glad nothing happened.”
» Winnipeg Free Press