Canada’s health-care system needs to adopt better security practices as cyberattacks, including data breaches and ransomware, become increasingly common in the country, experts say.
Since 2015, at least 14 major cyberattacks have targeted Canadian health information systems, according to an article published in the Canadian Medical Association Journal Monday.
Most recently, five Ontario hospitals, along with their shared IT provider, were affected by a ransomware attack last month that caused an outage of some online services, forcing many surgeries and appointments to be postponed.
The province was hit by another massive cybersecurity breach in May, with the personal health information of 3.4 million people who sought pregnancy care and advice in Ontario compromised.
Canada ranks 10th in breach count globally, with more than 207.4 million compromised accounts since 2004, according to Surfshark’s annual index on digital well-being.
The Canadian Centre for Cyber Security warned in an August report that over the next two years, Canada’s critical infrastructure will “almost certainly” continue to be targeted by cybercriminals.
While the digitization of health information systems on shared networks has helped with convenience, access and quality of care, the technology has also presented security risks, co-authors from the University of Toronto, Unity Health Toronto and the University of British Columbia said in the CMAJ article.
“Although some clinicians have dedicated information technology (IT) training, most do not, and navigating increasingly complex health information systems can create considerable stress,” they said in the paper.
Health organizations are “financially lucrative” targets and often have a history of relying on outdated systems, which make them vulnerable to cyberattacks, the researchers noted.
In an effort to clamp down on cyberattacks, the federal government tabled legislation last year that would give Ottawa sweeping new powers, including access to confidential information, in order to “direct” how critical infrastructure operators prepare for and respond to such attacks.
Bill C-26, which would enact the Critical Cyber Systems Protection Act, has completed its second reading in the House of Commons but has yet to be considered in committee.
The proposed legislation, however, includes telecommunications, pipelines, nuclear energy, federally regulated transportation and banking — but not health organizations, the CMAJ article noted.
The authors also said there needs to be more co-ordination between the federal government, provinces and territories on common security standards and shared service models.
How to tackle cyber threats
To help doctors, clinics and hospitals prevent, mitigate and navigate cyberattacks, researchers pointed to four measures as outlined by the U.S. National Institute of Standards and Technology.
For prevention, they urged installing anti-virus and VPN software on devices, remaining vigilant to phishing emails, and setting a strong password and two-factor authentication.
Signs of a cyberattack include any suspicious behaviour, such as pop-up messages, emails from unfamiliar senders, and the deletion or installation of unrecognized files. Antivirus and malware scans can detect these threats.
In the event of a cyberattack, doctors should first disconnect affected machines from the internet and shut them down.
If access to electronic medical records is lost, hospital staff should transition to alternative workflows such as using paper records.
The Canadian Medical Protective Association (CMPA) says it should be contacted as soon as possible after a possible breach. If a ransomware attack has occurred, police should be notified.
The recovery phase will rely heavily on the capacity of the health information systems to restore data from backups and on making sure external vendors help with data recovery, according to the CMAJ article.
“With respect to cybersecurity, a bit of prevention is worth a terabyte of cure,” the authors said.
Sami Khoury, head of the Canadian Centre for Cyber Security, said with cybercriminals getting more sophisticated and increasingly going after private information, it is important to make the health-care sector and other infrastructure more resilient to cyber threats.
“I think every organization, every hospital needs to do a self-assessment on where they are on the cybersecurity maturity and adjust their needs,” he told Global News in an interview Monday.
Khoury said while the centre is there to support entities in defending themselves against and recovering from cyberattacks, he also encouraged reaching out in the event of an incident so they can be better informed for the future.
“It’s a two-way street,” Khoury said. “We are here to support you, but we also want to learn from the incident itself so that we can warn others if we find any threats or any new techniques used by cybercriminals.”
— with files from The Canadian Press and Global News’ Uday Rana and Kyle Benning.