Manitoba protection of sensitive data lacking: auditor general

Sensitive information held by the Manitoba government and the provincial health authority was not adequately protected from unauthorized access, a report by the Office of the Auditor General has concluded.

This article was published 13/10/2022.

Auditor general Tyson Shtykalo issued five recommendations to the Manitoba government and Shared Health in a report released Thursday after finding numerous lapses in managing privileged access to personal, health and corporate information.

“An unauthorized person with privileged access could steal data or funds, disrupt operations, or cause system outages,” Shtykalo said in a statement.

Someone with privileged access could steal data or funds, disrupt operations, or cause system outages, auditor general Tyson Shtykalo said in a report to the provincial government about sensitive information held by the Manitoba government and the provincial health authority. (Elise Amendola / The Associated Press files)

According to the report, the province failed to put controls in place to ensure only people who are authorized can access sensitive information; standards for identification and authentication were not adequate; and monitoring of access by authorized users was lacking.

The audit covered a period between January 2018 and 2022, and focused specifically on the digital and technology solutions branch of the government services department and Shared Health.

Both organizations failed to promptly revoke privileged access rights from former employees and did not routinely review access rights, according to the report. Password standards and user authentication processes also needed to be improved to prevent unauthorized use, the document noted.

The organizations also failed to adequately monitor users with privileged access rights to prevent or detect malicious activity, while Shared Health failed to document approvals for privileged access rights in all cases.

Government Services Minister Reg Helwer said the department and Shared Health have already taken action on many of the auditor general’s recommendations to “make sure Manitobans’ data was safe.”

Immediate steps were taken to remove access for unauthorized people, and a “privileged access project” was initiated to determine who should and who should not have access going forward, the minister said Thursday.

“There are still recommendations outstanding that we are working with the auditor general on those, and some of them have to do with oversight, and those are things that we do on an individual basis rather than a broad basis.”

Specifically, the province is looking at how it can better monitor users who have privileged access rights, Helwer said.

“Those are very personal things. Some people obviously don’t enjoy being monitored,” he said. “So we have to make sure that we work with the individuals on… what’s done on the systems as opposed to a broad-brush approach.”

Helwer attributed some of the security lapses identified by the auditor general to significant staff movement within Shared Health and the government in recent years.

“As we have those movements, we have to ensure that we follow up and make sure that security is intact,” Helwer said. “With that movement, that created some challenges in making sure everything was done appropriately.”

Earlier this year, the auditor general also found much of the digital infrastructure propping up day-to-day operations of the Manitoba government was on its final leg.

The report released in February determined the province failed to adequately manage its network, leaving itself vulnerable as it relied on operating systems, databases and programming languages nearing obsolescence, while using inadequate processes to measure and respond to risks.

The province has set aside $152 million to modernize its enterprise resource planning software, which is used to manage core business processes.

In a statement, a spokesperson for Shared Health said the organization accepts the auditor general’s findings and work is ongoing to address the recommendations. The health authority is also working with the province to align future security practices where possible.

“The nature of security is it perpetually evolves, prompting our digital health team to continually work to identify, assess and address any potential risks in a timely manner,” the spokesperson said.

“Investments to improve various work processes and improve capabilities that further enhances our cybersecurity services have also been recently made, which will allow us to address other recommendations made in the report.”

danielle.dasilva@freepress.mb.ca
