Good privacy relies on solid information technology and governance practices and knowing your information assets
It is very unfortunate to see a Report from an Information and Privacy Commissioner in one of Canada’s provinces right at the beginning of a new year.
Yet there are many lessons to draw from it. Canadian privacy regulators prepare extremely well documented and articulated reports, chock-full of advice and guidance we should all pay attention to.
In early January 2021 we learned that eHealth Saskatchewan (eHealth), the Saskatchewan Health Authority (SHA) and the Ministry of Health (Health) were the victims of a ransomware attack which originated in early 2020, resulting in approximately 40 gigabytes of encrypted data being stolen from eHealth.
The International Association of Privacy Professionals (IAPP) warned us of additional risks due to the COVID-19 pandemic, and it was no surprise to find out that Saskatchewan Health authorities were a victim of a ransomware attack.
We need to understand what happened and the Information and Privacy Commissioner’s investigation report provides ample detail to help us do just that.
The incident occurred in early 2020. A Saskatchewan Health Authority (SHA) employee opened an infected Microsoft Word document on two occasions, which deployed the ransomware and allowed the attackers to infiltrate the eHealth, SHA and Ministry of Health Saskatchewan computer networks. This infiltration ultimately led to files being extracted from the networks by the malicious actors.
After this first ransomware attempt, the Information and Privacy Commissioner in Saskatchewan reached out several times to obtain more details from the affected health authorities. Finally, information emerged in September 2020 (yes, over eight months later). Here are three important take-aways for SMBs:
MPC Must Have Practice #1: Your organization must have the ability to detect incidents, prioritize them and react promptly and without delay
What happened in this case caused a chain reaction that made things much worse. It is of paramount importance for an organization to realize, and prepare for, situations where one successfully exploited vulnerability will have repercussions throughout the supply chain, as happened here.
For SMBs to stay ahead, they need early detection and investigation of incidents before they turn into a very undesirable situation. SMBs should:
- Enable key network security logging and scanning to effectively monitor the IT network and detect malicious activity
- Understand whether this malicious activity follows a pattern that points to confidential or personal information (some ransomware campaigns are very sophisticated and may use a multi-stage attack to ensure infection)
- Implement network security monitoring tools thoroughly, so that you can obtain reports on vulnerability scans, network usage, potential security violations such as invalid login attempts or unauthorized attempts to modify sensitive servers or files, and the status of patch management (when you implement tools, understand what outcome or benefit you are looking for and configure the tools accordingly)
- Add security safeguards for portable devices, as they present additional security risks if not properly configured or monitored
- Isolate and shut down the infected source early (regulators expect you to know how to investigate the root cause of an incident)
- Block traffic upstream so that the breach does not spread further
- Accept that ransomware may hit your organization and pre-emptively plan for this scenario.
MPC Must Have Practice #2: Your SMB must have an Incident/Privacy Breach Management protocol and should be able to follow it as soon as a breach is identified
At MPC we understand both the information security side of incidents and privacy breaches and the privacy side. What many Information Security specialists are not aware of is that a privacy breach is a violation of a legal requirement, and as such it needs to be managed in conjunction with a privacy or legal specialist. The most important thing an Information and Privacy Commissioner looks for is the organization's ability to correctly identify a breach and to know and execute the notification requirements (in addition to identifying the root cause, containing the breach and learning from it): notification to the Commissioner, to the involved parties, to the public (if they are impacted) and to any third parties that may be impacted. This is the level of due diligence they expect because it tells them that:
- You have an established protocol or procedure to manage breaches
- You have defined roles and responsibilities (and therefore accountability)
- You actually know where your data is, what data was breached and what the impact is
- Last but not least (and possibly most importantly), you are working on stopping the “leak” and learning from the incident so that a similar situation can be prevented
Having a Privacy Breach Protocol is not sufficient on its own and does not constitute “Plenty of Privacy” breach protection. It can quickly lead to a False Sense of Privacy (FSP) if the protocol or procedure is not “rehearsed” through simulations run with all the appropriate team members: legal, C-level executives, privacy, security and business.
MPC Must Have Practice #3: An accurate data inventory linked to an IT (systems and servers and networks) inventory is no longer a “nice to have”
It was not possible for the health authorities in Saskatchewan to know how many files were exfiltrated, and therefore what personal information they contained or how sensitive it was. Luckily the files were encrypted. Yet the fact remains that the custodians of the information are in the dark as to what type of information entrusted to them was in fact exfiltrated. In the case of ransomware, the information may never be recovered.
The responsible way for a custodian of personal information to manage what is entrusted to them is a comprehensive and accurate inventory, together with a mapping of data flows, so they can understand every route and system involved as well as every stakeholder's actions in the information processing chain.
A complete inventory of servers, data stores and information security tools, with their configuration and functionality (and not a hodgepodge of desynchronized technologies), is considered “IT Service Provider 101” by the Information and Privacy Commissioner of Saskatchewan.
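The following is an added illustration, not code from MPC or from the incident report, of what such a linked inventory lets you do: given the hosts an attacker reached, it answers which data stores, personal information elements and custodians are affected. The inventory contents, host names and sensitivity scale are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataStore:
    name: str
    host: str              # server from the IT inventory holding the primary copy
    elements: frozenset    # personal information elements held
    sensitivity: int       # constructed scale: 1 (low) .. 3 (high)
    custodian: str         # party accountable for the records

class Inventory:
    """Data inventory joined to the IT inventory via host names and data flows."""
    def __init__(self):
        self.stores = {}
        self.flows = set()  # (store name, host): a copy of the store passes through host

    def add_store(self, store):
        self.stores[store.name] = store

    def add_flow(self, store_name, host):
        self.flows.add((store_name, host))

    def exposed_stores(self, compromised_hosts):
        """Stores hosted on a compromised server, plus stores whose data flows to one."""
        hosts = set(compromised_hosts)
        names = {s.name for s in self.stores.values() if s.host in hosts}
        names |= {name for name, host in self.flows if host in hosts}
        return sorted(names)

    def breach_summary(self, compromised_hosts):
        """What a custodian needs for notification: elements, sensitivity, who is accountable."""
        stores = [self.stores[n] for n in self.exposed_stores(compromised_hosts)]
        return {
            "stores": [s.name for s in stores],
            "elements": sorted(set().union(*(s.elements for s in stores))),
            "max_sensitivity": max((s.sensitivity for s in stores), default=0),
            "custodians": sorted({s.custodian for s in stores}),
        }

# Constructed sample inventory (hypothetical names, not taken from the report).
INVENTORY = Inventory()
INVENTORY.add_store(DataStore("lab_results", "db-01", frozenset({"name", "health_number", "diagnosis"}), 3, "Health Authority"))
INVENTORY.add_store(DataStore("payroll", "hr-01", frozenset({"name", "sin", "bank_account"}), 3, "HR"))
INVENTORY.add_store(DataStore("newsletter", "web-01", frozenset({"email"}), 1, "Communications"))
INVENTORY.add_flow("lab_results", "file-01")  # nightly export lands on the file server
INVENTORY.add_flow("newsletter", "file-01")

if __name__ == "__main__":
    print(INVENTORY.breach_summary(["file-01"]))
```

Without the flow entries, a compromise of file-01 would look harmless even though a copy of the lab results sits there; that is exactly the blind spot the report describes.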
To help SMBs with these “Must Have Practices” MPC has created a Practical Privacy Playbook which you can find on our website. We have many resources that will help you create your data inventory and bring you a step closer to understanding how to manage a privacy breach, should this occur.
For additional insights and certified expertise:
- IAPP Privacy Governance Report 2020: https://iapp.org/resources/article/iapp-fti-consulting-privacy-governance-report-2020/
- Auditor report: https://auditor.sk.ca/pub/publications/public_reports/2020/Volume_1/2020%20Report%20–%20Volume%201.pdf