Hospitals must do more to protect patients’ personal data from cyberattacks that can lead to disruptions in care, urges an article published Monday in the Canadian Medical Association Journal.
About 16 separate cyberattacks have occurred at health organizations across the country since 2015, but more go unreported, said lead author Vinyas Harish, a medical student at the University of Toronto and Unity Health Toronto.
Publicly funded systems are lucrative targets for hackers who may demand a ransom for patient information that could be sold on the dark web, says the article, co-authored by three Unity Health Toronto doctors with expertise in the use and management of medical information and another at the University of British Columbia.
Harish noted that a ransomware attack on five Ontario hospitals last month forced an unknown number of patients, including those that needed cancer treatment, to be diverted to another site because their medical records may have been inaccessible. Some data, such as lab results, would have been available through other shared electronic sources.
Clinicians who access medical records should be trained annually to recognize phishing attempts hackers use to install malware that can infect a system and encrypt data, he said.
“I think sometimes the risk that we run is people sort of rolling their eyes and looking at this as just another thing that they need to do on top of their busy clinical practice and all the documentation that they need to do to take care of patients.”
The call for action comes as a national standard for cyberattack measures on health organizations is set to be released next week.
Funded by Public Safety Canada, it was developed by the Digital Governance Standards Institute and HealthCareCAN, which represents hospitals and health-care organizations.
“The main driver of all this is that we saw that too many of our health institutions in Canada were being attacked,” said HealthCareCAN president Paul-Emile Cloutier.
“If there’s no framework, if there’s no planning — which the standards will talk about — that’s when you’re really in a mess,” he said of the standards, expected Nov. 29.
“Anything that has to do with a cyberattack is not an IT issue. It’s a governance issue. So, that means everyone in the organization should be made aware of what needs to be done to prevent it because often there’s an error from a person in the hospital that triggers a cyberattack,” said Cloutier.
Harish urged hospitals, labs and clinics to stop relying on older systems that have outdated security measures and use two-factor authentification and strong passwords.
When an attack does occur, staff should respond immediately by taking measures such as disconnecting devices from the internet, restoring systems from backups and getting help from external vendors, said Harish, who also has a computer science degree.
Yvette Coffey, president of the Registered Nurses Union Newfoundland and Labrador, said an October 2021 cyberattack paralyzed a primary network shared by all four regional health authorities. Some surgeries, lab tests and appointments were cancelled, adding to delays caused by the pandemic.
“When it happened, we basically went back to pre-1980s, with no access to patients’ data or medical records. Emergency surgeries had to go ahead but even that was difficult because they had to produce a paper chart,” she said.
“It was difficult to find a lab requisition and X-ray requisitions. We couldn’t even call patients to say, ‘Sorry your surgery is cancelled’ because we didn’t even have their phone number.”
A provincial report in March said the credentials of a legitimate user had been compromised to access records of current and former patients going back to 1996. The breach revealed names, addresses, health care numbers, diagnoses, procedure types, email addresses and banking and financial information. Hackers obtained the social insurance numbers of 2,514 patients.
Sami Khoury, head of the Canadian Centre for Cyber Security, encouraged health organizations to report cyberattacks so more can be learned on a national level.
“Maybe it’s one ransomware group that is going after all hospitals, or it’s just a target of opportunity. We need to share a lot more about that ransomware group so that hospitals can protect themselves.”
This report by The Canadian Press was first published Nov. 20, 2023.