It is very unfortunate to see a Report from an Information and Privacy Commissioner in one of Canada’s provinces right at the beginning of a new year.
Yet there is a lot to learn from it. Canadian privacy regulators prepare extremely well documented and articulated reports, chock-full of advice and guidance we should all pay attention to.
In early January 2021 we learned that eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health) were the victims of a ransomware attack which originated in early 2020, resulting in approximately 40 gigabytes of encrypted data being stolen from eHealth.
The International Association of Privacy Professionals (IAPP) warned us of additional risks due to the COVID-19 pandemic, and it was no surprise to find out that Saskatchewan Health authorities were a victim of a ransomware attack[1].
We need to understand what happened and the Information and Privacy Commissioner’s investigation report[2] provides ample detail to help us do just that.
The incident occurred in early 2020 and was caused by a Saskatchewan Health Authority (SHA) employee who, on two occasions, opened an infected Microsoft Word document. This deployed the ransomware, which then infiltrated the eHealth, SHA and Ministry of Health Saskatchewan computer networks. That infiltration ultimately led to files being extracted from the networks by the malicious actors.
After this first ransomware attempt, the Information and Privacy Commissioner in Saskatchewan reached out several times to obtain more details from the affected health authorities. Finally, information emerged in September 2020 (yes, over eight months later). Here are three important take-aways for SMBs:
MPC Must Have Practice #1: Your organization must have the ability to detect incidents, prioritize them and react promptly and without delay
What happened in this case caused a chain reaction that made things much worse. It is of paramount importance for an organization to realize, and prepare for, situations where one successfully exploited vulnerability ripples through the supply chain, as happened here.
For SMBs to stay ahead, they need early detection and investigation of incidents before they turn into a very undesirable situation. SMBs should:
- Enable key network security logging and scanning to effectively monitor the IT network and detect malicious activity
- Understand whether this malicious activity follows a pattern that points toward confidential or personal information (some ransomware campaigns are very sophisticated and may use a multi-stage attack to ensure infection)
- Implement network security monitoring tools thoroughly, so that you can obtain reports on vulnerability scans, network usage, potential security violations such as invalid login attempts or unauthorized attempts to modify sensitive servers or files, and the status of patch management [2] (when you implement tools, understand what outcome/benefit you are looking for and configure these tools accordingly)
- Add security safeguards for portable devices, as they present additional security risks if not properly configured or monitored
- Isolate and shut down the infected source early (regulators look for you to know how to investigate the root-cause of an incident)
- Block traffic upstream so as not to proliferate the breach
- Be prepared that ransomware may happen to your organization and pre-emptively address this potential scenario.
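The list above asks SMBs to turn monitoring data into prioritized incidents, in particular for invalid login attempts and unauthorized changes to sensitive files. The following is an added example, not code from the original post or from the Saskatchewan report, showing the kind of detection logic a small team can run over its own authentication and sudo logs. The log lines are constructed for the example, and the thresholds (5 failures in 5 minutes, a success within 10 minutes of a flagged burst, the list of sensitive paths) are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not real data).
SAMPLE_LOG = """\
2020-01-06T09:00:01 authsrv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2020-01-06T09:00:04 authsrv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2020-01-06T09:00:09 authsrv sshd[1207]: Failed password for root from 203.0.113.7 port 51025 ssh2
2020-01-06T09:00:12 authsrv sshd[1209]: Failed password for root from 203.0.113.7 port 51026 ssh2
2020-01-06T09:00:15 authsrv sshd[1211]: Failed password for root from 203.0.113.7 port 51027 ssh2
2020-01-06T09:01:30 authsrv sshd[1230]: Accepted password for root from 203.0.113.7 port 51030 ssh2
2020-01-06T09:05:00 fileserv sudo:  jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
2020-01-06T09:06:00 fileserv sudo:  jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/ls /var/log
2020-01-06T10:00:00 authsrv sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Assumed tuning values; adjust to the organization's baseline.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
SUCCESS_AFTER_FAIL_WINDOW = timedelta(minutes=10)
SENSITIVE_PATHS = ("/etc/ssh/", "/etc/passwd", "/etc/shadow", "/etc/sudoers")

# Severity drives the order in which an analyst should look at findings.
SEVERITY = {"brute_force": 2, "success_after_failures": 3, "sensitive_file_command": 3}


def analyze(log_text):
    """Scan log lines in order and return a list of finding dicts."""
    findings = []
    failures = defaultdict(deque)   # source -> timestamps of recent failed logins
    flagged = {}                    # source -> time at which a burst was flagged
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, src = datetime.fromisoformat(m["ts"]), m["src"]
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:   # slide the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and src not in flagged:
                flagged[src] = ts
                findings.append({"rule": "brute_force", "src": src,
                                 "count": len(window), "at": m["ts"]})
            continue
        m = ACCEPT_RE.match(line)
        if m:
            ts, src = datetime.fromisoformat(m["ts"]), m["src"]
            # A success shortly after a flagged burst is the case to escalate first.
            if src in flagged and ts - flagged[src] <= SUCCESS_AFTER_FAIL_WINDOW:
                findings.append({"rule": "success_after_failures", "src": src,
                                 "user": m["user"], "at": m["ts"]})
            continue
        m = SUDO_RE.match(line)
        if m and any(p in m["cmd"] for p in SENSITIVE_PATHS):
            findings.append({"rule": "sensitive_file_command", "user": m["user"],
                             "host": m["host"], "cmd": m["cmd"], "at": m["ts"]})
    return findings


def triage(findings):
    """Return findings ordered most severe first, then by time, for prompt handling."""
    return sorted(findings, key=lambda f: (-SEVERITY[f["rule"]], f["at"]))


if __name__ == "__main__":
    for f in triage(analyze(SAMPLE_LOG)):
        print(SEVERITY[f["rule"]], f["rule"], f)
```

On the sample data the detector raises three findings: a burst of failed logins from one source, a successful login from that same source shortly afterwards, and a privileged edit of an SSH configuration file; `triage` puts the two high-severity items first so they are investigated before the lower-priority brute-force note. The single failure from the second source stays below the threshold and produces nothing, which is the point of windowing rather than alerting on every failed login.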
MPC Must Have Practice #2:..