Experts warn that, post-COVID, provincial health care systems will face serious financial challenges as they struggle to get back on their feet–and their IT departments will not be spared from this.
This piece originally appeared in The Globe and Mail on December 15, 2021.
In November, Newfoundland and Labrador residents saw their health care system grind to a halt after the province was hit with what one expert described as the worst cyber attack in Canadian history. The event comes amidst recent cybersecurity incidents affecting Toronto and Ottawa-area health facilities. And cybersecurity is a problem that goes beyond health care: Recently, for example, Quebec shut down almost 4,000 government websites after the threat of an online attack.
Together, these attacks have prompted a national conversation about what can be done to protect critical infrastructure that we, as Canadians, depend on. It’s tempting to look to technology for the solution. Which app or service can prevent attacks such as these from ever happening again? These are important discussions to have. But right now, the single greatest cybersecurity threat facing Canada’s health networks may be the underfunding of our health care system.
“How do we fix Canada’s health care system?” is one of our country’s most enduring debates. While the COVID-19 pandemic has demonstrated the courage of our front-line care workers, it has also exposed the frailties of our overburdened system.
It is no secret that the virus has placed a huge demand on our health care facilities. It has greatly reduced our capacity to provide non-emergency services and created a massive surgery backlog while driving an unprecedented surge in health care spending. Experts warn that, post-COVID, provincial health care systems will face serious financial challenges as they struggle to get back on their feet–and their IT departments will not be spared from this.
Healthcare IT professionals across the country are facing increased pressure during the pandemic. A recent survey by my organization, the Canadian Internet Registration Authority (CIRA), found that over one-third (35 per cent) of security professionals working in the MUSH sector (municipalities, universities, schools and hospitals) say that the number of cyber attacks has increased during the pandemic.
In the cybersecurity world, there’s a common saying: the weakest link in any organization’s cyber defences is its people. Unfortunately, human error accounts for the vast majority of all data breaches or cyber incidents. All it takes is for one tired employee to open a suspicious attachment, and all of a sudden, they find their systems debilitated by a ransomware attack.
The best medicine here is education. Staff in any organization need to be trained to identify potential cyber threats so they can avoid malicious attacks that expose sensitive data. And training requires resources.
Unfortunately, data from our survey shows that that organizations like hospitals face resourcing challenges when it comes to cybersecurity.
While our research shows that most MUSH sector organizations do provide some kind of cybersecurity awareness training for staff, they don’t conduct the training frequently; forty-five per cent of MUSH respondents report performing cybersecurity training annually or less.
Meanwhile, the small minority who say they don’t provide cyber awareness training at all cite insufficient IT human resources and the belief that training is too expensive among the top reasons for not doing so.
The bad guys are endlessly creative, and cyber threats evolve constantly. Staff in sensitive environments like healthcare need frequent reminders to stay alert for potential cyber attacks.
Many Canadians have been asking, “What can the government do to help?” Some have suggested that we make paying ransomware illegal, but privacy and security experts are split on the idea.
Ransomware is a business, after all, so cutting off payment seems like a great idea at first. But the reality is a lot more complicated. A local tire shop can refuse to pay the ransom, wipe their computers, and start over from backups, then lead a PR effort to justify their decision to their customers.
But for organizations like hospitals—who guard troves of highly sensitive, personal information—the calculations are different. Refusing to pay the ransom risks having highly confidential patient or employee data released online. In this case, refusal to pay could cause Canadians irreparable harm. Any rules prohibiting paying ransom would need to take these types of cases into account.
Banning ransomware payments is no panacea. But the federal and provincial governments can play a leadership role in preventing future cyber attacks by dedicating new funding for cybersecurity capacity in healthcare institutions. Right now, arming Canada’s healthcare IT departments with the resources they need to train staff and protect their networks might be the single best thing we can do to stop future attacks.
As the old healthcare maxim goes, the best treatment is prevention.