Prevention key to reducing cyberattacks in hospitals, protecting patients: researchers

Hospitals must do more to protect personal patient data from cyberattacks that could lead to delays in care, an article published Monday in the Journal of the Canadian Medical Association urges.

Since 2015, there have been about 16 separate cyberattacks on health care organizations across the country, but more have gone unreported, said lead author Vinias Harish, a medical student at the University of Toronto and Unity Health Toronto.

Publicly funded systems are lucrative targets for hackers who can demand ransom for patient information that can be sold on the dark web, according to an article co-authored by three Unity Health Toronto doctors with expertise in the use and management of medical information and more. at the University of British Columbia.

Harish noted that last month's ransomware attack on five Ontario hospitals forced an unknown number of patients, including those needing cancer treatment, to be transferred to other sites because their medical records may have been inaccessible. Some data, such as laboratory results, would be available from other common electronic sources.

Clinicians who handle medical records should be trained annually to recognize phishing attempts, which hackers use to install malware that can infect systems and encrypt data, he said.

“I think sometimes the risk we run is that people roll their eyes and look at it as something else they have to do in addition to their busy clinical practice and all the paperwork they have to do to take care of patients. .”

The call for action comes after a national standard for cyber attack measures against healthcare organizations is due to be published next week.

Sponsored by Public Safety Canada, it was created by the Digital Government Standards Institute and HealthCareCAN, which represents hospitals and healthcare organizations.

“The main driver of all of this is that we've seen too many of our health care facilities in Canada attacked,” said HealthCareCAN President Paul-Emile Cloutier.

“If there's no framework, if there's no planning — which the standards will talk about — that's when you're really in a mess,” he said of the standards, which are expected on Nov. 29.

“Everything related to a cyber attack is not an IT issue. It's a governance issue. So that means everyone in the organization needs to know what needs to be done to prevent it because it's often a human error. A hospital that causes a cyber attack,” – Cloutier said.

Harish urged hospitals, laboratories and clinics to stop relying on legacy systems with outdated security measures and use two-factor authentication and strong passwords.

When an attack occurs, staff must respond immediately by taking measures such as disconnecting devices from the Internet, restoring systems from backups and getting help from outside vendors, said Harish, who also has a degree in computer science.

Yvette Coffey, president of the Registered Nurses Union of Newfoundland and Labrador, said the October 2021 cyber attack paralyzed the primary network shared by all four regional health authorities. Some surgeries, lab tests and appointments have been canceled, adding to the delays caused by the pandemic.

“When that happened, we basically went back to the 1980s, with no access to patient data or medical records. Emergency operations had to go on, but even that was difficult because they had to create a paper chart,” he said.

“We had a hard time finding lab supplies and X-ray supplies. We couldn't even call patients to say, ‘Sorry, the surgery was canceled,' because we didn't even have their phone number.”

A March provincial report said legitimate user credentials were compromised to access records of existing and former patients dating back to 1996. The breach exposed names, addresses, health care numbers, diagnoses, types of procedures, email addresses, and banking and financial services. information. Hackers obtained the social security numbers of 2,514 patients.

Sami Khoury, head of the Canadian Cybersecurity Centre, urged healthcare organizations to report cyberattacks to learn more at the national level.

“Maybe this is one ransomware group going after all hospitals, or just a target of opportunity. There's a lot more we need to share about this ransomware group so hospitals can protect themselves.”

This report by The Canadian Press was first published on November 20, 2023.