Canada’s health-care system needs to adopt better security practices as cyberattacks, including data breaches and ransomware, become increasingly common in the country, experts say.
Since 2015, at least 14 major cyberattacks have targeted Canadian health information systems, according to an article published in the Canadian Medical Association Journal Monday.
Most recently, five Ontario hospitals, along with their shared IT provider, were affected by a ransomware attack last month that caused an outage of some online services, forcing many surgeries and appointments to be postponed.
The province was hit by another massive cybersecurity breach in May, with the personal health information of 3.4 million people who sought pregnancy care and advice in Ontario compromised.
Canada ranks 10th in breach count globally, with more than 207.4 million compromised accounts since 2004, according to Surfshark’s annual index on digital well-being.
The Canadian Centre for Cyber Security warned in an August report that over the next two years, Canada’s critical infrastructure will “almost certainly” continue to be targeted by cybercriminals.
While the digitization of health information systems on shared networks has helped with convenience, access and quality of care, the technology has also presented security risks, co-authors from the University of Toronto, Unity Health Toronto and the University of British Columbia said in the CMAJ article.
“Although some clinicians have dedicated information technology (IT) training, most do not, and navigating increasingly complex health information systems can create considerable stress,” they said in the paper.
Health organizations are “financially lucrative” targets and often have a history of relying on outdated systems, which make them vulnerable to cyberattacks, the researchers noted.
In an effort to clamp down on cyberattacks, the federal government tabled legislation last year that would give Ottawa sweeping new powers, including access to confidential information, in order to “direct” how critical infrastructure operators prepare for and respond to such attacks.
Bill C-26, which would enact the Critical Cyber Systems Protection Act, has completed its second reading in the House of Commons but has yet to be considered in committee.
The proposed legislation, however, includes telecommunications, pipelines, nuclear energy, federally regulated transportation and banking — but not health organizations, the CMAJ article noted.
The authors also said there needs to be more co-ordination between the federal government, provinces and territories on common security standards and shared service models.
How to tackle cyber threats
To help doctors, clinics and hospitals prevent, mitigate and navigate cyberattacks, researcher pointed to four measures as outlined by the U.S. National Institute of Standards and Technology.
For prevention, they urged installing anti-virus and VPN software on devices, remaining vigilant to phishing emails, setting a strong password and two-factor authentication.
Cyberattacks include any suspicious behaviour, such as pop-up messages, emails from unfamiliar senders, and the deletion or installation of unrecognized files. Antivirus and malware scans can detect these threats.
In the event of a cyberattack, doctors should first disconnect affected machines from the internet and shut them down.
If access to electronic medical records is lost, hospital staff should transition to alternative workflows such as using paper records.
The Canadian Medical Protective Association (CMPA) says it should be contacted as soon as possible after a possible breach. If a ransomware attack has occurred, police should be notified.
The recovery phase will rely heavily on the capacity of the health information systems to restore data from backups and making sure external vendors help with data recovery, according to the CMAJ article.
“With respect to cybersecurity, a bit of prevention is worth a terabyte of cure,” the authors said.
— with files from The Canadian Press and Global News’ Uday Rana
© 2023 Global News, a division of Corus Entertainment Inc.