Saskatchewan Health Authority

April 4, 2024
Featured image for Saskatchewan Health Authority
Anne Genge

Anne Genge is on a mission to make dentistry safer online. With over two decades of experience, Anne has become a leading expert and trainer in privacy & cybersecurity for dental practices.

Can Charging Your Phone Cause A Healthcare Breach? Yes.

It’s just a USB port…It happens everywhere. People use USB ports in their workstations to charge their smartphones with no idea that they could unwittingly cause a breach.

It seems everywhere we turn these days, we’re learning about organizations that have suffered from data breaches that compromise individuals’ personal and private information.

A report by Check Point Software Technologies has found that cyberattacks targeting healthcare organizations and hospitals in Canada increased significantly since 2020. This information should be concerning to anyone running a healthcare practice.

Although it’s never a good thing when these happen, it’s important to review the details of these breaches and learn from them, so similar events can be avoided in the future.

Today we’re going to look at the circumstance of one such incident that occurred at the Saskatchewan Health Authority, and how it highlights the importance of training as well as enforcement of security and information technology policies.

So, What Happened?

In December 2019, the Saskatchewan Health Authority experienced a large-scale data breach, one of the largest such incidents in the province.

The breach affected as many as 50 million files, 5.5 million of which were believed to contain personal information or personal health information.

At least 547,145 patient files that held personal health information were stolen or exposed to malware, from the Saskatchewan Health Authority, eHealth, and the ministry of health, but they were unable to determine which specific files were affected.

Approximately 40 gigabytes of data was taken from the network and sent to computers located in the Netherlands and Germany, and servers were locked from use through encryption.

Hackers demanded money in return for releasing encrypted data, however eHealth Saskatchewan said they would not be engaging in negotiations with the attackers.

Files were taken between December 19, 2019 and January 5, 2020 but the breach was not discovered until January 21, 2020.

One question I ask is “why are USB ports left open and accessible to anyone? At Alexio we manage dental and medical practices, and even in these small networks we have the ability to block the USB ports so that an incident like this cant happen.” Said Anne Genge co-founder of Alexio, founder myla Training Co.

Root Cause Was a Cell Phone

The Saskatchewan Health Authority reported this breach originated from an employee who opened an attachment on their personal device that contained malware.

The device had been plugged into their workstation to charge with a USB cord.

Even if an organization has robust security for computer terminals and other devices owned by the organization, it’s not uncommon for personal devices to fall short in these areas. And, if USB ports are left open to anyone, a variety of threats can be introduced to the network.

Although the employee had been trained on privacy-related issues, it came to light during an investigation that they had not been trained in the Saskatchewan Health Authority’s Acceptable Use of Information Technology Assets policy.

This shows the need for organizations to not only develop clear policies for the use of technology but to ensure all employees have been adequately trained in these issues to avoid these types of incidents. Moreover, it emphasizes the need for all organizations to implement technology that will block human error.

Could This Have Been Prevented?

An investigation into the attack found several opportunities where the ransomware may have been detected.

The breach prompted calls for an independent review of the governance, management, and program of the health authority, as well as an in-depth review of their security protocols.

Even though the start of this incident was traced to a particular individual and workstation, it seems that there were multiple opportunities for vulnerabilities within the system.

It was determined eHealth did not provide satisfactory alerting of the attack, and patient data contained on workers’ laptops and phones had not been fully and properly secured. Regular risk assessments in this scenario, just like in dental and medical practices can find the gaps and help mitigate risk

Furthermore, up to 80 percent of the laptops with access to the network were found to be not encrypted against malicious activity, and only fifty percent of the employees had up-to-date security awareness training.

The audit also found many of the eHealth systems in the province didn’t have adequate disaster recovery plans in place.

All of these are examples of areas which, had they been dealt with appropriately ahead of time, could have helped mitigate this risk.

The Saskatchewan Health Authority attack shows the need for not only strong policies regarding the use of technology but also training on those policies and follow-up when they’re broken.

Originally posted by Anne Genge on LinkedIn.

Anne Genge, Certified Information Privacy Professional, Certified Healthcare Cybersecurity Professional, Certified Healthcare Security Risk Assessment Specialist BOOK A MEETING

Anne is the founder of Myla Training Co., Canada’s first-ever online privacy and cybersecurity training platform for dental professionals. With over two decades of experience, Anne has become a leading expert and trainer in this field. Anne collaborates closely with practice owners, managers, dental teams, and IT providers to ensure the safety of patients and practice data while enabling compliance with privacy regulations.

Program thumbnail

Cybersecurity Essentials for Dental Teams

Cybersecurity awareness training that provides dental professionals with the skills needed to prevent breaches, ransomware, and data theft at work (and at home). Get immediate access and complete training in less than 40 minutes.
Learn More