Cybersecurity framework still not finalized after 3 years, N.L. agency blames COVID for delay
The Newfoundland and Labrador Centre for Health Information is defending the fact that its cybersecurity framework has remained in draft format for nearly three years and is still not finalized.
The framework was drafted in 2019, when all technical support for the province's four regional health authorities was transitioning into a "shared-service model" under NLCHI.
"Further activities related to establishing the new model were delayed due to managing the provincial COVID-19 response," NLCHI said in an emailed statement.
The Department of Health and Community Services steered CBC News inquiries to NLCHI, which did not make anyone available for an interview.
The centre instead sent a brief statement via email from a generic communications account with no name attached to it.
"Although the formal cybersecurity framework has not yet been finalized, both NLCHI and the regional health authorities had previous safeguards and security policies in place, and continue to do so," that statement noted.
"As always, NLCHI remains committed to continuously reviewing and further strengthening security measures to meet current security demands."
According to an internal NLCHI email sent in November 2019, obtained through a public-records request, the goal of the framework is to "identify the criteria we want to use to implement and measure cybersecurity."
Information security issues came to the forefront last fall, when a devastating cyberattack threw Newfoundland and Labrador's health-care system into chaos.
The lack of a finalized cybersecurity framework was revealed by a recent report from the province's information and privacy commissioner, as part of an investigation into a complaint by CBC News.
'3 years is a fair amount of time'
Cybersecurity expert and author Mark Sangster says frameworks like the one referenced by NLCHI try to encompass all aspects of a cybersecurity program to identify what specific controls and policies need to be in place, and how to measure whether they are effective.
He acknowledged that a lot of resources and efforts would have been diverted during the pandemic.
"That said, from a cybersecurity perspective, three years is a fair amount of time," said Sangster, who is chief strategy officer at Adlumin, a company that provides cybersecurity solutions.
CBC News provided Sangster with more than 200 pages of heavily redacted internal NLCHI documents, obtained through an access-to-information request, for him to review.
He said the overall framework appears to show a comprehensive model, based on what he would consider to be best practices.
"Because of the redacted information, it's tough to know where they are on that journey, how much has been implemented and hasn't," he said.
Ajay Unni, founder and CEO of Australian cybersecurity firm StickmanCyber, said there are well-established frameworks globally available.
Unni wondered why officials in this province wouldn't have simply adopted one of them.
He said three years is an "alarming" length of time to complete work on the framework.
"The whole world operated quite efficiently during COVID," Unni said. "I can't comprehend a reason why it couldn't have been finalized."
In addition to running his company, Unni was a member of the cybersecurity task force created by the state government of New South Wales in 2020.
Access-to-information complaint and investigation
In 2019, NLCHI conducted a cybersecurity risk assessment of the province's health-care system.
Last fall, CBC News filed an access-to-information request for reports, briefing materials, identified plans and priorities and/or needs, audit findings, and lessons learned documents related to the assessment.
Transparency watchdog Michael Harvey concluded that most information related to that work can be kept under wraps, in part because of the recent cyberattack.
NLCHI had highlighted for Harvey "the particular sensitivity of this information" in the wake of last fall's cyber incident.
"There is a risk that other malicious actors may develop an interest in exploiting the systems in the NLCHI managed environment," officials said in a submission to the information commissioner.
"Given some of the details in the documents being withheld, their public disclosure could potentially be misused for inspiration or intelligence gathering purposes in support of a cyber attack."
But NLCHI did release some additional documents that it had initially blacked out, after Harvey's review.
That included PowerPoint slides composed mostly of years-old headlines from media websites about past privacy breaches.
NLCHI had initially contended that showing those publicly posted articles would harm law enforcement because they could "reveal the arrangements for the security of property or a system."
Newfoundland and Labrador government officials have remained silent about most aspects of last fall's cyberattack, which took down health computer systems in the province.
The province has cited expert advice for refusing to say who was responsible for the attack, whether it involved ransomware, whether any ransom was paid, and what has since been done to address any problems.
Government officials have also declined to identify those experts.
Gloss