Sask. auditor's report says eHealth doesn't have full recovery plans for future cyberattacks

Saskatchewan's provincial auditor says more work needs to be done to reduce wait times for cancer screening and that eHealth needs to be better prepared for ransomware attacks.

Judy Ferguson's latest report was tabled in the legislature Tuesday. It highlights how some provincial ministries are improving processes,but also focuses on improvements needed.

Ferguson's audit found the Saskatchewan Health Authority is not yet sufficiently monitoring for cyberattacksagainst eHealth.

Her audit also found that 38 eHealth systems did not have complete disaster recovery plans in case there were ransomware attacks. Without the recovery plans, the SHA risks not being able to restore its systems within a reasonable time.

The report comes almost a year after eHealth was hit by a ransomware attack in December2019.

eHealth didn't discover the attack until employees tried to open files in early January. Jim Hornell, the CEO of eHealth Saskatchewan, said at the time that patient data was secure.

Howeverit was discovered in February that some information may have been sent to suspicious IP addresses in Europe. In February, Hornell said it appears the organization "may never know" if personal data was affected.

In June, Toronto cybersecurity expert Claudiu Popa said anyone with a Saskatchewan health card should be alarmed.

Ferguson's report sayseHealth needs to complete the disaster recovery plans for all systems and better monitor and control who has access to the online system.

"There's logging capabilities, looking at those logs on a very regular basis, making sure that you're identifying the risks and appropriately taking mitigating steps," Ferguson said.

Ferguson said eHealth is making improvements and has a draft disaster recovery plan inmultiple systems, but that more should be done to move forward on recovery plans.

"Right now is so pivotal. We know that it's in its environment. It's not a matter of if you're going to be subject to an attack, it's when."

Cancer screening wait times, result times need to be shorter

Ferguson is also calling on the SHA and Canadian Cancer Agency to reduce wait times for colorectal cancer screening and for people to get their results.

The screening program is a partnership between the Canadian Cancer Agency and SHA has been in place since 2009.

"We found the agency is following best practices in many areas with improvements needed in only three key areas: improving participation rates reducing wait times for colonoscopies, and third, having set a set benchmark for providing patients with colonoscopy results," Ferguson's report says.

Ferguson said the audit found participation in screening has decreased slightly in the past six years.

As well, 22 people had to wait more than 60 days for a colonoscopyand 12 people had to wait from15 to 104 days for colonoscopy results. All were diagnosed with cancer.

"Any time that you're slower than those timelines, you're increasing the risks of the patients in terms of delaying that treatment plan and really reducing the risk of success."

Ferguson said she doesn't know if any of the people who had to wait for results died.

Provincial Capital Commissionmaking progress:auditor

Another part of the report focused on the Provincial Capital Commission. The auditor previously critiqued two controversial projects in Wascana Park: the Conexus building and the Brandt/CNIB building.

In December 2019, Ferguson said the Conexus building was approved by the PCC board, despite the fact it "knew the project did not conform to the plan when it approved it at the conceptual design stage."

She also said the PCC did not get proper evidencethatthe Brandt/CNIB project is consistentwith the Master Plan governing the park.

Now, Ferguson said the PCC has improved some of its processes related to oversight of major developments in the park. The PCC has now published its process for approvingproposed developments and provides status updates on each major development, she said.