Nova Scotia’s digital health network is on track for a cyber attack

  The digital health network in Nova Scotia is at serious risk of cyber attacks due to a lack of efficient cybersecurity.

That point was made clear by NS Auditor General Kim Adair as she presented her report to the House of Assembly on Oct. 22, undertaken to analyze the security of a system which is becoming increasingly prevalent as the provincial government seeks to use digital technologies to deliver healthcare services.

A summary of her report claims the three government organizations responsible for the security of this network—the Department of Health and Wellness, Cybersecurity and Digital Solutions, and Nova Scotia Health—are all at fault for a lack of accountability, a tolerance for accepting cybersecurity risks for sensitive health information and a failure to manage those risks accordingly.

While there was a governance framework for digital health services, the province abandoned it in 2021-22, stalling cybersecurity initiatives. In the wake of its abandonment, as Adair tells it the DHW did not set out to prioritize cybersecurity, while NSH did not seek to establish “meaningful accountability.” And although CSDS could make suggestions to improve cybersecurity, they could not take action to provide that security themselves.

A summary of the report also notes there are no key performance indicators to measure and track cybersecurity. There are also weaknesses in the system that haven’t been communicated; policies and standards that haven’t been reviewed or updated; incomplete digital asset inventory lists; and a cybersecurity training program that is not mandatory for all users of the digital health network.

A recent example

As more health services move to a digital model, the risk of personal health information being compromised is growing significantly, with the report mentioning other Canadian provinces having suffered cyber attacks that have disrupted patient care and disabled networks, on top of stealing confidential health information. In 2021, a ransomware attack on Newfoundland and Labrador’s healthcare system claimed the personal data of over 100,000 patients, employees and former employees, and cost the government $16 million.

According to a 2023 report on the attack, the IT security for Newfoundland and Labrador’s healthcare system was deemed insufficient. Although its digital health network is not as extensive as Nova Scotia’s is today, Newfoundland’s Centre for Health Information told the health minister that it was at high risk for a ransomware attack a year before it occurred. The note to the health minister mentioned issues with their system including using old operating systems and a lack of software patches, and it encouraged cybersecurity training for all health-related staff.

When the government failed to act on these risks and suggestions, they were the victim of a cybersecurity attack, costing the government millions while hundreds of thousands of people had their information stolen. The 2023 report claims this was “almost an inevitability.”

In the case of Nova Scotia, the auditor general’s report claims vendors and projects connected to the digital health network do not need to meet cybersecurity standards to attain access, also noting that contract management is lacking. NSH policy is also allowing decision makers to decide whether cybersecurity measures apply on a case-by-case basis, which the report states is taking on a higher level of risk.

Between the lack of necessary training, low accountability and allowing users who do not have to be cyber secure, the Auditor General is clearly warning that Nova Scotia’s digital health network is at risk for a cyber attack, which could similarly mean thousands having their data stolen and a price tag in the millions for recovery efforts.