Without Robust Cybersecurity, Nova Scotia’s Digital Health Network is at Serious Risk
For release October 22 -- The Province does not provide effective cybersecurity for Nova Scotia’s digital health networks, potentially exposing the rapidly growing system to risk, says Auditor General Kim Adair.
In a new audit released today, Adair reveals the disconnect between the three government entities that share responsibility for Nova Scotia’s digital health network but lack accountability for cybersecurity.
That’s critical because of the Province’s growing reliance on digital networks to store the personal and sensitive health information of most Nova Scotians.
Currently, the Departments of Health and Wellness; Cyber Security and Digital Solutions; and Nova Scotia Health share responsibility for cybersecurity.
Our report outlines that key governance structures put in place to monitor network cybersecurity ended by 2022 and were not replaced. The resulting lack of IT governance leaves minimal accountability for cybersecurity during a time of rapid expansion of Nova Scotia’s digital health network.
Recently, several healthcare organizations in Canada have fallen victim to serious cyberattacks that stole sensitive information, disrupted patient care, and disabled networks.
To detect vulnerabilities and threats within Nova Scotia’s online healthcare system, the Auditor General hired independent cybersecurity experts to run a multitude of cybersecurity tests.
Additional work has revealed a pervasive tolerance for accepting cybersecurity risk and a failure to manage ongoing risks.
The results of the audit are so concerning that the Auditor General makes 20 recommendations, including:
- creating an effective IT governance framework to manage cybersecurity across the digital health network
- completing all outstanding cybersecurity assessments and implementing minimum cybersecurity contract provisions for all projects connecting to the network
- instituting mandatory and regular cyber awareness training for all health network users
- preparing action plans to respond to the technical reports by our cybersecurity experts.
“Given the significant concerns about cybersecurity across Nova Scotia’s digital health network, we’ll follow up in one year to evaluate Government progress on the creation and implementation of those detailed action plans to mitigate risk.”