B.C. health authority isn't effectively managing cybersecurity threat on medical devices, audit finds
Audit covered more than 18,000 devices, ranging from infusion pumps to MRI systems
A report by British Columbia's auditor general says thousands of medical devices used to diagnose and treat people lack effective cybersecurity protections.
The Provincial Health Services Authority, which works with regional health authorities, lacks cybersecurity controls for its medical networks and is not effectively managing threats on medical devices, auditor general Michael Pickup said Tuesday.
The audit also found the authority did not evaluate all cybersecurity threats and their risks to patients.
It covered more than 18,000 devices in the Lower Mainland, ranging from infusion pumps to MRI systems, and the infrastructure supporting their operation.
Pickup said ineffective cybersecurity management also means the authority might not be able to detect cyberattacks.
"This is concerning to me," he told a news conference. "Addressing these shortcomings is critical to detecting cyberattacks that could put patients at risk."
The audit recommends that the authority evaluate cybersecurity risks and take action, and that it identify all hardware and software on its medical device networks.
The authority accepted the four recommendations and outlined steps it has taken to improve security, including reviewing with the government, industry and others how best to defend against cyberthreats.
"Work is underway on a number of planned improvements for 2021, including an expansion of cybersecurity for medical devices," Ron Quirk, the authority's executive vice-president of digital information and innovation, said in a statement.
"The AG's findings are timely and will help inform these efforts."
'Health-care organizations are key targets for attackers'
Pickup said he was encouraged by the response, but the report also serves as a warning to health organizations to provide better protections.
"Unfortunately, what could go wrong is you may end up in a situation where treatment wouldn't be available if there was a cyberattack or you could have treatment based on inaccurate data if there was a cyberattack that did something," Pickup said.
The audit also warned about the potential harms associated with cyberattacks at health-care facilities.
"Health-care organizations are key targets for attackers because health information is so sensitive," says the 27-page audit. "A successful cyberattack on network medical devices could harm patients and significantly disrupt hospital operations."
Pickup's report, released Tuesday, followed another last month, a review of five ministries including finance and health, that found the B.C. government did not have adequate cybersecurity practices in place to manage its computer systems.