The verdict is out on Canada’s largest cyberattack: Newfoundland’s healthcare system was attacked by the international Hive ransomware gang. Hive stole the personal health information of 60,000 Newfoundlanders and deployed ransomware that toppled the province’s healthcare operations, costing the province $16 million.
While Hive may have been shut down by the FBI this January, the threat to Canadians remains the same. The cybersecurity gains to prevent another Newfoundland have been insufficient, and the protection of patients’ digital data is critical to protecting their physical health.
Cybercriminals threaten the health of patients when trying to gain access to medical records that now live in a range of digitally-enabled healthcare tools and devices. Without robust security measures, they’re wide open for cybercriminals to compromise, harming the reputation, finances or well-being of patients. Moreover, many of the tactics used by hackers—like ransomware—can disable the devices that healthcare workers rely on to provide care.
Unfortunately, cybercrime is a business. Healthcare data is more valuable to cybercriminals than financial data and social insurance numbers, with electronic health records selling for about ten times more than credit card information and 100 times more than social security numbers on the dark web.
Canada’s digital healthcare transformation is underway, with publicly funded healthcare institutions relying more on virtual care options, internet-enabled medical technology, and third-party platforms for sharing information like test results with patients and other healthcare professionals. The digital transformation of healthcare institutions has created more attack vectors through which cybercriminals can disseminate harmful malware and cyber threats that result in the violation and loss of patient data and the disruption of essential operations.
On the one hand, care technologies in hospitals are unique from regular internet technology. While it’s easy to download or update software on a computer that is less than a few years old, MRIs and other large care devices have life cycles up to decades-long. Their ability to ‘keep up’ with the changing technological and cyber threat landscape is low, and that only adds to their vulnerability.
On the other, private apps and technologies leveraging healthcare data reinforce the exponentially growing threat landscape. As people demand more at-home care, the patient-centric approach has introduced new, private players to the healthcare space who operate health, wellness and fitness apps, cloud-enabled technology, biometric data services, artificial intelligence for predictive care, and more. While these technologies are rapidly changing, they also open the supply chain of organizations that will interact with your data – necessitating security throughout the entire supply chain.
The growing reliance on digital platforms for health services creates significant cyber vulnerabilities in a vicious circle: it increases the volume of valuable health data that attracts cybercriminals and widens the threat landscape and its attack vectors.
This trend is even more complicated when the negative consequences of a cyberattack can leave irreversible and fatal damage to human health. Without balancing strong privacy and security protections for all actors in the Canadian digital health system, the frequency and severity of data breaches and cyberattacks on healthcare institutions only grow.
It’s incumbent on leaders in the healthcare and technology space to prioritize security alongside the expansion of digital care. This includes dedicated funding for healthcare IT shops, as limited resources have moved cybersecurity to the bottom of the priority list at a significant cost. As the recently announced 10-year federal-provincial healthcare funding deal takes shape, protections for patients’ data must be top-of-mind.
But responsibility for cybersecurity doesn’t begin and end with the IT team; all staff are responsible, and senior leaders are liable – ethically and legally.
Healthcare professionals must treat patients’ data with the care they treat their patients’ health – having regular cybersecurity awareness training and implementing low-cost, easy-to-deploy solutions are a good place to start.
Personal data is inseparably linked to Canadians’ physical health. As the digital health system expands, it’s up to all actors at the intersection of healthcare and technology to prioritize privacy and security. We can’t afford another Newfoundland-scale attack.
Byron Holland (MBA, ICD.D) is the president and CEO of the Canadian Internet Registration Authority (CIRA), the national not-for-profit best known for managing the .CA domain and developing new cybersecurity, DNS, and registry services.
Byron is an expert in internet governance and a seasoned entrepreneur. Under Byron’s leadership, CIRA has become one of the leading ccTLDs in the world, with over 3 million domains under management. Over the past decade, he has represented CIRA internationally and held numerous leadership positions within ICANN. He currently sits on the Board of Directors for TORIX, and is a member of the nominations committee for ARIN. He lives in Ottawa with his wife, two sons, and their Australian shepherd, Marley.
The views expressed in this blog are Byron’s opinions on internet-related issues, and are not necessarily those of the organization.
