Cyber security framework still not finalized after 3 years, N.L. agency blames COVID for delay

Written by ga_dahmani
The Newfoundland and Labrador Center for Health Information is defending the fact that its cybersecurity framework has been in draft form for nearly three years and is still not finalized.

The framework was drafted in 2019, when all technical support for the province’s four regional health authorities was transitioning to a “shared service model” under NLCHI.

“Other activities related to the establishment of the new model were delayed due to the management of the provincial response to COVID-19,” NLCHI said in an emailed statement.

The Department of Health and Community Services directed inquiries from CBC News to NLCHI, which did not make anyone available for an interview.

Instead, the center sent a short statement via email from a generic communications account with no name attached.

“Although the formal cybersecurity framework has not yet been finalized, both NLCHI and regional health authorities had prior security safeguards and policies, and continue to do so,” that statement noted.

“As always, NLCHI remains committed to continually reviewing and further strengthening security measures to meet today’s security demands.”

According to an internal NLCHI email sent in November 2019, obtained through a public records request, the goal of the framework is to “identify the criteria we want to use to implement and measure cybersecurity.”

Information security issues came to the fore last fall, when a devastating cyberattack threw Newfoundland and Labrador’s health care system into chaos.

The lack of a finalized cybersecurity framework was revealed by a recent report from the province’s information and privacy commissioner, as part of an investigation into a CBC News complaint.

‘3 years is quite a long time’

Cybersecurity expert and author Mark Sangster says that frameworks like the one referenced by the NLCHI attempt to encompass all aspects of a cybersecurity program to identify what specific controls and policies need to be in place and how to measure whether they are effective.

He acknowledged that many resources and efforts would have been diverted during the pandemic.

“That said, from a cybersecurity perspective, three years is a good amount of time,” said Sangster, chief strategy officer at Adlumin, a company that provides cybersecurity solutions.

CBC News provided Sangster with more than 200 pages of highly redacted internal NLCHI documents, obtained through an access to information request, for review.

He said that the general framework appears to show a comprehensive model, based on what he would consider best practices.

“Because of the redacted information, it’s hard to know where they are on that journey, how much has been implemented and how much hasn’t,” he said.

Ajay Unni is the founder of StickmanCyber, an Australian company that helps businesses mitigate their cybersecurity risks. Unni was selected to join the 2020 NSW Government Cyber Security Task Force and also contributed to the 2021 NSW Government Cyber Security Strategy. (Submitted by StickmanCyber)

Ajay Unni, founder and CEO of Australian cybersecurity firm StickmanCyber, said there are well-established frameworks available globally.

Unni wondered why the officials of this province hadn’t just adopted one of them.

He said three years is an “alarming” time frame to complete work on the framework.

“The whole world operated quite efficiently during COVID,” Unni said. “I can’t understand a reason why it couldn’t have been finished.”

As well as running his company, Unni was a member of the cyber security task force set up by the NSW state government in 2020.

Complaint and investigation of access to information

In 2019, NLCHI conducted a cybersecurity risk assessment of the province’s health care system.

Last fall, CBC News submitted an access to information request for reports, briefing materials, identified plans and priorities and/or needs, audit findings, and lessons learned documents related to the evaluation.

Transparency monitor Michael Harvey concluded that most of the information related to that work can be kept secret, in part due to the recent cyberattack.

NLCHI had highlighted to Harvey “the particular sensitivity of this information” in the wake of last fall’s cyber incident.

“There is a risk that other malicious actors may develop an interest in exploiting systems in the NLCHI-managed environment,” the officials said in a submission to the information commissioner.

“Given some of the details in the documents being withheld, their public disclosure could be misused for the purposes of inspiration or intelligence gathering in support of a cyberattack.”

The Newfoundland and Labrador Center for Health Information initially withheld this entire PowerPoint presentation slide of media headlines from public release. Officials argued that its disclosure would be detrimental to law enforcement by revealing arrangements for the security of a computer system. (NLCHI)

But NLCHI released some additional documents that it had initially blacked out, after Harvey’s review.

That included PowerPoint slides made up mostly of years-old headlines from media websites about past privacy breaches.

NLCHI had initially argued that showing such published articles would harm law enforcement because they could “reveal arrangements for the security of property or a system.”

Newfoundland and Labrador government officials have remained silent on most aspects of last fall’s cyberattack, which brought down healthcare IT systems in the province.

The province has cited expert advice for refusing to say who was responsible for the attack, whether it involved ransomware, whether any ransom was paid, and what has been done since to fix any issues.

Government officials have also refused to identify those experts.
