Written By: Heather Cresswell, NP, Dr. H. Wong
The use of software in healthcare across the province has become an accepted standard. The COVID-19 pandemic accelerated this uptake by encouraging widespread demand and adoption of virtual care and digital information sharing. Despite this, healthcare continues to lag behind many other industries in protecting our information and safeguarding our systems from attack.
The growing prevalence of cyberattacks
Healthcare organizations are at an exceptionally high risk of attack, with almost 50% of Canadian breaches reported in 2019 occurring in the health sector. Cyberattacks, malware, ransomware, and phishing are terms we hear regularly in the news and the workplace.
There have been several recent examples of cyberattacks in the healthcare space. In 2020, the Scarborough Health Network experienced a data breach spanning three hospitals and eight satellite sites. In 2022, both SickKids Hospital and Mackenzie Health reported a significant breach that affected personal and medical files. More recently, a 2023 cyberattack on TransForm affected clinical care and the personal health information of a large group of healthcare providers in Ontario, including Bluewater Health, Windsor Regional Hospital, Hôtel-Dieu Grace Healthcare, Erie Shores Healthcare, and Chatham-Kent Health Alliance.
The consequences of these cyberattacks are catastrophic. They include reverting to manual operations, straining resources, slowing or ceasing critical care delivery, and longer patient wait times.
Why are these cyberattacks happening?
Healthcare organizations are particularly vulnerable to cyberattacks due to the sensitive nature of patient data and the critical need for operational continuity. Several factors make healthcare organizations prime targets for cybercriminals:
- Hospitals store vast amounts of valuable personal information that criminals can sell on the dark web or use for identity theft.
- Healthcare organizations rely on interconnected systems and medical devices, making them vulnerable to ransomware attacks, in which attackers lock essential data or systems and demand a ransom.
- Hospitals are under pressure and need immediate access to life-saving information.
- Healthcare organizations often have inadequate cybersecurity measures, increasing the risk of successful attacks.
So, why are these cyberattacks still happening?
The Personal Health Information Protection Act (PHIPA) is the provincial governing legislation that defines personal health information and the obligations of individuals and organizations to keep that information secure and safe. The Information and Privacy Commissioner investigates privacy breaches in healthcare and can penalize entities that are not compliant with PHIPA. However, PHIPA does not give organizations specific guidance on how to protect their data.
There are at least three main problems that contribute to ongoing attacks:
- Few regulatory bodies monitor our system. Ontario Health regulates telemedicine software, Accreditation Canada certifies hospitals, and OntarioMD certifies electronic health records software. However, significant gaps remain outside the specific areas these entities regulate.
- Current legislation remains limited in scope and provides little detail about how information users can protect themselves. PHIPA does not provide technical specifications for information users to follow. This lack of detail leaves many users without a clear understanding of how to safeguard health information and remain compliant.
- Lack of resources. Governments must show leadership in this field and commit the resources necessary to regulate our system while, at the same time, encouraging providers to adopt better standards.
Gaps remain as a result of these issues. It is in these gaps that criminals take advantage of our system, and attacks happen.
Fortunately, help is on the way
Since 2023, the government has made two separate efforts to reduce cyberattacks in Ontario:
- Release of a provincial cyber security operating model, which provides some standardization for hospitals and sets timelines and reporting requirements that hospitals must meet to demonstrate progress in reducing the risk of cybersecurity breaches.
- Introduction of Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. This bill is currently in its second reading and is the government’s first step in introducing regulations detailing technical standards for cybersecurity requirements across public institutions.
However, significant gaps in cybersecurity remain
Currently, government initiatives remain limited to organizations within the public sector, such as hospitals, departments and agencies. Other entities that retain large amounts of private health information (private health clinics, diagnostic laboratories, and pharmacies, to name a few) remain in a grey area with no regulation.
The government has left multiple digital healthcare areas unaddressed outside electronic medical records and telemedicine. For example, online pharmacy prescriptions, booking, referral and medical billing systems are not regulated or addressed in current and proposed legislation.
Technology and business solutions innovate much faster than legislation, and as a result, gaps continue to emerge in protecting our healthcare information. Far from taking a comprehensive approach, Bill 194 stands as a first step to protect our healthcare system. Many more comprehensive efforts will be necessary.
Cybersecurity is up to us
There is no room for complacency when protecting digital health information. Each member of the healthcare team needs to contribute to cybersecurity. It may seem daunting, but implementing basic cybersecurity tactics is easier than you think.
For healthcare providers such as doctors, the easiest way to implement effective cybersecurity is to use a third-party vendor that has already done the work. When choosing a system, whether it is an appointment management system, a basic electronic health record, or a complex information management system, be sure your service provider meets basic cybersecurity standards.
What are basic cybersecurity standards? Essential cybersecurity includes a range of items such as a clear privacy notice, secure logins, published evidence of security practices on trust pages, and many more. The easiest way to ensure basic cybersecurity standards are met is to look for an internationally recognized cybersecurity certification. Examples of the best certifications are:
- International Organization for Standardization (ISO/IEC) 27001
- System and Organization Controls (SOC) 2
- HITRUST
- Ontario Health Video Visit Solution
- OntarioMD EMR
In addition to using software with recognized certification, it is essential to emphasize the human component of protecting information. Most breaches occur as a result of predictable habits staff use on a day-to-day basis. Phishing, the use of authentic-appearing emails to trick individuals into providing sensitive information, is an example of this and a common tactic of cybercriminals. Training all healthcare team members is a core strategy for stopping cybercriminals in their tracks.
Individuals and their organizations cannot do this alone. Governments must play a bigger role in protecting all of our health information. That means organizing regulatory bodies to fill the gaps, passing legislation that encompasses all areas of healthcare cybersecurity, and investing in protecting our information. The most important legislation the government should consider may be a minimal cybersecurity code applicable to all areas of private health information in the province, similar to how a minimal building code applies to construction. The government needs to step up in all of these areas.
Digital healthcare and data sharing are here to stay, and robust cybersecurity is a must. Don’t wait for your first data breach. Act now.