Cyber ​​attacks on Canadian health care are becoming more common. What can be done? |

Canada's health care system must adopt better security practices as cyberattacks, including data breaches and ransomware, become more common in the country, experts say.

Since 2015, at least 14 major cyberattacks have targeted Canadian health information systems. According to the article Published Monday in the Journal of the Canadian Medical Association.

Most recently, five Ontario hospitals, along with their shared IT provider, were hit by a ransomware attack last month that shut down some online services, forcing many surgeries and appointments to be delayed.

The province was hit by another massive cyber security breach in May, with the personal health information of 3.4 million people seeking pregnancy care and advice in Ontario compromised.

Canada ranks 10th globally for the number of breaches, with more than 207.4 million hacked accounts since 2004, according to Surfshark's annual Digital Wellbeing Index.

Story continues below ad

Canada's critical infrastructure will “almost certainly” continue to be targeted by cybercriminals over the next two years, the Canadian Cyber ​​Security Center warned in an August report.

Click to play video:

Cyber ​​attack targets personal information of BC health workers

While the digitization of health information systems across shared networks has helped improve convenience, access and quality of care, the technology has also presented security risks, said co-authors from the University of Toronto, Unity Health Toronto and the University of British Columbia. CMAJ article.

“Although some clinicians have specific information technology (IT) training, most do not, and navigating increasingly complex health information systems can cause significant stress,” they said in their paper.

The researchers noted that healthcare organizations are “financially lucrative” targets and often have a history of relying on outdated systems, making them vulnerable to cyberattacks.

In an effort to stop cyberattacks, the federal government introduced legislation last year that would give Ottawa new powers, including access to confidential information, to “direct” how critical infrastructure operators prepare for and respond to such attacks.

Story continues below ad

Bill C-26The bill, which enacts the Protecting Critical Cyber ​​Systems Act, has completed second reading in the House of Commons but has yet to be considered in committee.

However, the proposed legislation would cover telecommunications, pipelines, nuclear power, federally regulated transportation and banking — but not health care organizations, the CMAJ article noted.

The authors also said there is a need for more coordination between the federal government, provinces and territories on common safety standards and shared service models.

How to deal with cyber threats

To help doctors, clinics and hospitals prevent, mitigate and navigate cyberattacks, the researcher pointed to four measures outlined by the US National Institute of Standards and Technology.

For prevention, they called for installing antivirus and VPN software on devices, being vigilant against email phishing, setting strong passwords, and using two-factor authentication.

Story continues below ad

Cyberattacks include any suspicious behavior such as pop-up messages, emails from unknown senders, and the deletion or installation of unrecognized files. Antivirus and malware scans can detect these threats.

Click to play video: 'Ransomware attack delays results at Toronto's SickKids lab, systems could be offline for weeks'

Ransomware attack delays results at Toronto's SickKids lab, systems could be offline for weeks

In the event of a cyber attack, doctors should first disconnect the affected devices from the Internet and shut them down.

If access to electronic medical records is lost, hospital staff must switch to alternative workflows, such as using paper records.

The Canadian Medical Protective Association (CMPA) says it should be contacted as soon as possible after a potential breach. If a ransomware attack occurs, the police should be notified.

The recovery phase will rely heavily on health information systems' ability to restore data from backups and ensure that outside vendors help with data recovery, the CMAJ article said.

Story continues below ad

“When it comes to cybersecurity, a little prevention is worth a terabyte of cure,” the authors say.

— With files from The Canadian Press and Global News' Uday Rana

and copy 2023 Global News, a division of Corus Entertainment Inc.