
The inside story of how N.L. health officials failed to act before a ransomware gang hit

Many numbers have been linked to the fall 2021 cyberattack on Newfoundland and Labrador’s health care system.

More than half a million people in the province, most of whom have had their privacy violated.

Over 200,000 files on an Eastern Health network drive, opened and ingested.

More than 200 gigabytes of data exfiltrated or stolen by cyber thieves affiliated with the Hive ransomware gang.

But there’s another number that perhaps best describes the lack of resources in the system before everything went wrong: three.

That’s how many IT security personnel there were for the entire provincial health system, according to a post-attack report from the Canadian Center for Cyber Security.

The regional health authorities and the Newfoundland and Labrador Center for Health Information were “seriously understaffed from a technical resource standpoint,” the federal agency concluded.

That report was one of several documents reviewed by researchers in the office of the Newfoundland and Labrador privacy commissioner — documents that would otherwise have remained largely off-limits to the public.

Researchers scanned through internal emails and unredacted government briefing materials that shed new light on what did and did not happen leading up to the devastating fall 2021 cyberattack.

WATCH | Report found ‘significant’ N.L. cybersecurity vulnerabilities before attack (video: Watchdog found N.L. cybersecurity ‘lacking’):

Sean Murray of the province’s Office of the Privacy Commissioner unveiled a report May 24 that concluded that efforts to mitigate known vulnerabilities prior to a cyberattack were inadequate.

In the wake of the ransomware attack, provincial government officials have largely skated around questions about whether the province’s cyber defenses were as sturdy as the Rock of Gibraltar or as porous as the Maginot Line.


The report of the provincial privacy watchdog largely answers those questions. And the answers are not reassuring.

Shared services model for health IT

It started, like many government initiatives, with a report from an advisor and a press release.

The consultant looked at eHealth services and completed his report in early 2017. He recommended combining IT from the province’s four regional health authorities and the Newfoundland and Labrador Center for Health Information, or NLCHI.

That review emphasized that ensuring privacy protection was a “critical success factor”.

It added that “the inclusion of privacy and security” of personal health information is “an overarching priority”.

Later that year, in the fall of 2017, then health minister John Haggie announced a move to the so-called “shared services” model.

It took effect two years later in October 2019 and put NLCHI in charge of information technology and information security for all health authorities.

The Newfoundland and Labrador Center for Health Information took charge of information technology and information security in 2019. (Rob Antle/CBC)

According to the privacy commissioner’s recent report, “as a result, the center became responsible for a vast and fragmented IT landscape, consisting of hundreds of physical locations, along with thousands of workstations, software applications, network devices and servers, storing our province’s most sensitive information.”

Months before NLCHI took over, another consultant’s report—this one from Deloitte—discovered cybersecurity weaknesses and gaps.

But it turns out there was no money to fix them.

After the transition to shared services, the total IT budget had an annual shortfall of $3 million. NLCHI told investigators that this “financially constrained [the centre’s] ability to fully address cybersecurity.”

Not only that, NLCHI said it was “subject to government approval not to file new operating budget requests for fiscal years 2020-22.”

But that Deloitte report wasn’t the only warning — and not the only time top health officials discussed the importance of cybersecurity.

Problem marked, but action is missing

There were emails from David Diamond, CEO of Eastern Health, in 2019 and 2021 to other top health officials highlighting news articles about cybersecurity breaches in Baltimore and Saskatchewan.

In between those messages, there were more concerns – in the fall of 2020, a wave of reports or advisories came in.

A sign taped to a door in Baltimore in May 2019 warns citizens of a ransomware attack that crippled computer systems. News of that attack prompted the CEO of Eastern Health in Newfoundland and Labrador to write to other health officials in the province about the vulnerability of hospitals. (Stephanie Keith/Reuters)

In late October, the Canadian Center for Cyber Security issued a warning about renewed cyber threats to Canadian health organizations.

Days later, health insurance company HIROC issued a warning about increasing ransomware attacks.

But weeks before those advisories, there were two other important warnings — warnings that also seem to have failed to lead to significant action.

Israeli cyber experts reviewing information security arrangements at Eastern Health confirmed “numerous vulnerabilities, security vulnerabilities and compliance issues” that needed to be addressed within the network.

The privacy commissioner’s report includes footnotes from CBC News reporting that would later reveal these findings.

When that CBC story came out a year ago, Haggie was commenting on global cyber experts being interviewed for their analysis of the Israeli firm’s work.

“If you want to scour the internet and talk to people, you’ve obviously done [that],” Haggie said. “And that’s fine.”

Haggie also downplayed the importance of the consultant’s report.

“That was received in the department as a business proposal, as a business development proposal,” Haggie told reporters a year ago.

“The department has never received any vulnerabilities or an assessment of them.”

John Haggie answers questions from reporters outside the legislature in March about comments he made about cybersecurity last year when he was health minister. (Ted Dillon/CBC)

But then Haggie went a step further and said he independently asked NLCHI for a threat assessment of cyber systems in September 2020 — around the same time the Eastern Health report was completed.

“I received a threat assessment that showed no red flags,” Haggie said.

Those comments stood for nearly a year. No one in government publicly disputed them, or suggested that “no red flags” might not be entirely accurate.

But last March, the Furey administration went to court to remove privacy commissioner Michael Harvey from the cyber-attack investigation.

As part of that process, government court documents helpfully exposed parts of that “no red flags” threat assessment that had previously been withheld from the public.

Among the previously obscured parts were these comments:

  • “There are significant IT vulnerabilities, with new vulnerabilities being identified on a daily basis, such as outdated [operating system], unpatched systems, software bugs.”
  • “NLCHI will require significant efforts under the existing mandate to raise all eHealth IT environments to an acceptable level of security.”

Haggie then defended his earlier “no red flags” comments by noting that he hadn’t actually read the report in question, relying instead on a staff briefing.

The health department further told investigators that top bureaucrats received the note in September 2020 and shared it with the CEOs of the regional health authorities. Haggie received an oral briefing more than a year and a half later, in May 2022.

Given all that, it’s not clear why Haggie cited the document to refute critical coverage of cybersecurity preparedness and suggest that there were no warnings of potential problems.

He turned down an interview request sent to a spokesman for the Ministry of Education, where he had served as minister until a cabinet shuffle moved him to Municipal Affairs last week.

Responsibility unclear

No one else in the government of Newfoundland and Labrador has expressed interest in addressing the report’s findings about what happened leading up to the cyberattack.

The current health minister, Tom Osborne, would not speak to CBC News on the subject.

On the day the privacy commissioner’s cyber-attack report was released, Attorney General John Hogan told reporters it was too early to say, when asked whether anyone would be held accountable for the lack of preparation the report brought to light.

“The report is very fresh, very new,” Hogan said last month. “I’m not sure where the health authority is going with that, but I’m sure they’ll look into it, along with the recommendations in the findings.”

More than two weeks ago, CBC News requested an interview with David Diamond — the former CEO of Eastern Health who was assigned to lead the transition to one unified province-wide health authority. There was no answer.

Premier Andrew Furey, left, and Eastern Health CEO David Diamond, right, are pictured during a Nov. 6, 2021, update on the cyberattack that disrupted the health care system in Newfoundland and Labrador. (Government of Newfoundland and Labrador)

Under the law, Newfoundland and Labrador Health Services had ten business days to respond to the commissioner’s report.

It did last week. CBC requested a copy of that response on Monday, June 5.

At 4:41 pm on Friday, June 9, a spokesperson wrote that the health authority had accepted all six recommendations in the report and was pleased that the watchdog felt reasonable steps had been taken to investigate and contain the situation after the attack occurred.

But the health authority wouldn’t provide the actual response it sent to the privacy commissioner, as that would require a formal request for access to information.

When pressed, officials insisted it should go through their privacy office, to ensure that any information released was in compliance with provincial law.

Finally, late this week, the privacy commissioner’s office gave the full answer to CBC News.

It was a one-page letter, consisting of just three paragraphs, from a high-profile law firm in Toronto.

“While the PHA [provincial health authority] disagrees with some of the report’s findings, the PHA will comply with all recommendations,” wrote Alex Cameron of Fasken Martineau DuMoulin LLP.

The letter did not specify which findings the health authority believed were incorrect.
