B.C. health authority isn't effectively managing cybersecurity threat on medical devices, audit finds - Action News
Home WebMail Sunday, November 10, 2024, 08:35 PM | Calgary | 1.4°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
British Columbia

B.C. health authority isn't effectively managing cybersecurity threat on medical devices, audit finds

B.C.'sauditorgeneralsays the Provincial Health Services Authority is not effectively managing cybersecurity threats for medical devices and has not evaluated the risk to patients.

Audit covered more 18,000 devices, ranging from infusion pumps to MRI systems

A psychiatrist points to an image of a brain from an MRI machine. B.C.'s auditor general has found the Provincial Health Services Authority did not evaluate all cybersecurity threats and their risks to patients on its medical networks and devices. (Chris Young/The Canadian Press)

A report by British Columbia's auditor general says thousands of medical devices used to diagnose and treat people lack effective cybersecurity protections.

The Provincial Health Services Authority, which works with regional health authorities, lacks cybersecurity controls for its medical networks and is not effectively managing threats on medical devices, auditor general Michael Pickup said Tuesday.

The audit also found the authority did not evaluate all cybersecurity threats and their risks to patients.

It covered more than 18,000 devices in the Lower Mainland, ranging from infusion pumps to MRI systems, and the infrastructure supporting their operation.

Pickup said ineffective cybersecurity management also means the authority might not be able to detect cyberattacks.

"This is concerning to me," he told a news conference. "Addressing these shortcomings is critical to detecting cyberattacks that could put patients at risk."

The audit recommends that the authority evaluate cybersecurity risks and take action, and that it identify all hardware and software on its medical device networks.

The authority accepted the four recommendations and outlined steps it has taken to improve security, including reviewing with the government, industry and others how best to defend against cyberthreats.

"Work is underway on a number of planned improvements for 2021, including an expansion of cybersecurity for medical devices," Ron Quirk, the authority's executive vice-president of digital information and innovation, said in a statement.

"The AG's findings are timely and will help inform these efforts."

'Health-care organizations are key targets for attackers'

Pickup said he was encouraged by the response, but the report also serves as a warning to health organizations to provide better protections.

"Unfortunately, what could go wrong is you may end up in a situation where treatment wouldn't be available if there was a cyberattack or you could have treatment based on inaccurate data if there was a cyberattack that did something," Pickup said.

The audit also warned about the potential harms associated with cyberattacks at health-care facilities.

"Health-care organizations are key targets for attackers because health information is so sensitive," says the 27-page audit. "A successful cyberattack on network medical devices could harm patients and significantly disrupt hospital operations."

Pickup's report, released Tuesday, followedanother last month that found the B.C. government did not have adequate cybersecurity practices in place to manage its computer systems in a review of five ministries, including finance and health.