On Wednesday, the Newfoundland and Labrador government confirmed that a cyberattack has crippled its health network’s data centre.
While officials are not giving further details, cybersecurity experts say it has all the markings of a ransomware attack, which is designed to encrypt data, systems and servers and deny their use in order to extract an extortion payment from a user or organization that wants to regain access to its systems.
“Cyberattacks are designed to disrupt three things: the confidentiality, the integrity or the availability of information,” said David Shipley, CEO of New Brunswick-based Beauceron Security.
“A ransomware attack is designed to disrupt all three, most impactfully on health care. You’re talking about the availability of systems and data, and health care runs on data nowadays.”
Newfoundland and Labrador has confirmed that the cyberattack has already caused the cancellation of thousands of medical appointments across the country.
Shipley says in most circumstances he would strongly advise against paying the ransom to retrieve data as it only encourages cyberattackers to keep using this method, but he says in this case it’s not so easy.
“I can’t give that advice when it comes to health care because we’re literally talking about the potential for life and death decisions on this information,” said Shipley.
The CEO also calls this attack one of the “most destructive and disruptive” attacks seen in Canada.
“We’re talking about the disruption to health-care delivery, and while emergency room care and hospitals are generally well-rehearsed to be able to deal with IT outages or power outages in the short term, they’re not well-equipped to operate without the access to things like diagnostic imaging, patient records, things particularly for more complex cases.”
Cyberattacks on the rise
While the cyberattack targeting Newfoundland and Labrador is one of the most complex, it’s not a one-off.
Canada’s national cryptologic agency, the Communications Security Establishment (CSE), has observed a rise in cyber threats over the last two years. The agency also notes that there has specifically been an increase in threats targeting front-line health-care and medical research facilities across the country throughout the COVID-19 pandemic.
And the problem isn’t unique to Canada.
“There are organized criminal groups operating internationally who have made hundreds of millions of dollars doing exactly this,” said Shipley.
“They have taken out 400 American hospitals in the last year or so alone.”
Shipley says organized groups are working day and night on these attacks and that defending against them may be very challenging.
“The teams that have to defend these hospitals and health-care networks who are dramatically under-resourced across the country, they have to be right 100 per cent of the time,” said Shipley.
“Imagine you’re an NHL hockey team but the only player you can put on the ice is a goalie, and the best you can hope for is 0-0. That is what it’s like to be a defender in health care right now.”
Auditor general reports identify cybersecurity as risk in Nova Scotia
Last year, Nova Scotia’s auditor general found that the province was slow to act on cybersecurity as the risk continues to rise.
The report found that 10 provincial government departments, nine public service units and 19 government organizations had not completed fraud risk assessments and that many departments had not established security training for employees.
Michael McGuire, a cybersecurity analyst with NSCC, says ensuring employees are trained to identify threats is the first line of defence in preventing breaches.
“The easiest entry into a system is through a person,” said McGuire.
“You can spend millions of dollars on cybersecurity hardware and software, but if one person clicks a link in an email, that can blow it all up because that lets the attacker in.”
Minister for Internal Services Colton LeBlanc said that due to security concerns, he could not provide specifics on the province’s security practices but said that there is a team of over 600 employees for whom cybersecurity is “top of mind.”
“Monitoring and working with our jurisdictions, working with the Centre for Cybersecurity in the country and looking to learn from other jurisdictions and learn how to mitigate any possible cyberattack,” LeBlanc said.