Prevention key to reducing hospital cyberattacks and protecting patients: researchers

Hospitals must do more to protect patients’ personal data from cyberattacks that can lead to disruptions in care, says an article published Monday in the Canadian Medical Association Journal.

About 16 separate cyberattacks have occurred at healthcare organizations across the country since 2015, but others go unreported, said lead author Vinyas Harish, a medical student at the University of Toronto and Unity Health Toronto.

State-funded systems are lucrative targets for hackers who can demand ransom for patient information that could be sold on the dark web, says the article, co-authored by three Unity Health doctors Toronto with expertise in the use and management of medical information and another. at the University of British Columbia.

Harish noted that a ransomware attack on five Ontario hospitals last month forced an unknown number of patients, including those in need of cancer treatment, to be redirected to another site because their medical records could have been inaccessible. Some data, such as laboratory results, would have been available through other shared electronic sources.

Clinicians who access medical records should be trained annually to recognize phishing attempts used by hackers to install malware that can infect a system and encrypt data, he said.

“I think sometimes the risk we run is that people roll their eyes and view this as another thing they have to do on top of their busy clinical practice and all the documentation they need to take care of patients. “.

This call to action comes as a national standard on cyberattack measures against healthcare organizations is expected to be released next week.

Funded by Public Safety Canada, it was developed by the Digital Governance Standards Institute and HealthCareCAN, which represents hospitals and health care organizations.

“The main reason for all of this is that we saw that too many of our health care facilities in Canada were under attack,” said HealthCareCAN President Paul-Émile Cloutier.

“If there’s no framework, if there’s no planning — which the standards will talk about — that’s where you’re really in trouble,” he told about the standards, expected on November 29.

“Not everything about a cyberattack is an IT issue. It’s a governance issue. So that means everyone in the organization needs to be informed about what needs to be done to prevent it, because it “There’s often a mistake by someone in the hospital that triggers a cyberattack,” Cloutier said.

Harish urged hospitals, laboratories and clinics to stop relying on older systems that have outdated security measures and to use two-factor authentication and strong passwords.

When an attack occurs, staff should respond immediately by taking steps such as disconnecting devices from the internet, restoring systems from backups and getting help from external vendors, said Harish, who also has a credential in computer science.

Yvette Coffey, president of the Registered Nurses Union Newfoundland and Labrador, said an October 2021 cyberattack crippled a core network shared by all four regional health authorities. Some surgeries, lab tests and appointments have been canceled, adding to delays caused by the pandemic.

“When this happened, we went back to the days before the 1980s, without access to patient data or medical records. Emergency surgeries had to take place, but even that was difficult because we had to produce a paper file,” she explained.

“It was difficult to find a lab request and an X-ray request. We couldn’t even call patients to say, ‘Sorry, your surgery is canceled’ because we didn’t even have their phone number.”

A provincial report released in March said a legitimate user’s credentials were compromised to access current and former patient records dating back to 1996. The breach revealed names, addresses, health care numbers , diagnostics, types of procedures, email addresses, and banking and financial information. information. Hackers obtained the social security numbers of 2,514 patients.

Sami Khoury, director of the Canadian Center for Cyber ​​Security, encouraged health organizations to report cyberattacks in order to learn more nationally.

“This may be a ransomware group that is going after every hospital, or it may just be a target of opportunity. We need to share a lot more information about this ransomware group in order to so that hospitals can protect themselves.”

This report by The Canadian Press was first published November 20, 2023.