The biggest impediments to improving the cybersecurity of Canadian hospitals are management’s “lack of focus” and a lack of money, says the head of the country’s .ca registry.
Byron Holland, chief executive officer (CEO) of the Canadian Internet Registration Authority (CIRA), told a Tuesday Globe and Mail webinar on cybersecurity in the healthcare sector that just short of 30 per cent of all organizations in this country have suffered a data breach.
“If a third of homes were broken into, or a third of business and hospitals were being [physically] criminalized, there would be an incredible uproar,” he argued.
But in the digital world, people don’t see the impact, so there is little support for more resources. CIOs and IT pros in healthcare tell CIRA the number one reason hospitals find it hard to fight cyber attacks is “lack of focus and money” to put in systems and technologies to keep up with the volume of attacks, Holland said.
Hospital management needs “a mindset upgrade,” he maintained. Cybersecurity “is an executive problem. This is a CEO, senior executive board problem, because there is liability and fiduciary risk at the top of the organization.”
They need to understand the solution is taking holistic security seriously — everything from installing multilayered defence in depth and DNS-hardened firewalls to multifactor authentication and access control. These, he said, are “table stakes.”
But he also said that cybersecurity “is not just the IT folks’ problem.”
In fact, he claimed that “most compromises happening now are because people are compromised, not a firewall or a piece of tech.” That’s why cybersecurity awareness training is also important, he said.
Panel members included Jeff Curtis, chief privacy officer at Toronto’s Sunnybrook Health Sciences Centre; Steven Tam, chief data governance and privacy officer at Vancouver Coastal Health, which oversees all hospitals in the Vancouver area; and Hudda Idrees, CEO of Dot Health, a provider of mobile healthcare solutions for individuals and healthcare providers.
Hospitals and clinics have long been targets of hackers who believe the institutions are more willing than others to pay for the return of stolen data. For-profit hospitals and clinics are seen as a source of credit and debit card information in addition to sensitive medical data on patients. Non-profit hospitals often don’t have the money to make cybersecurity a priority.
Hospitals in Canada recently hit include Toronto’s Hospital for Sick Children and Lindsay, Ont.’s Ross Memorial Hospital. In the U.S., where for-profit hospital chains serve millions of people, California-based Regal Medical Group is now sending data breach notices to more than three million patients after suffering a ransomware attack late last year.
One of the worst attacks in Canada took place in Newfoundland and Labrador in 2021, when attackers copied years of patient and employee data from the provincial system.
Hospitals aren’t the only healthcare institutions hit. In 2019, hackers accessed medical lab results of 15 million Canadians when LifeLabs, the country’s biggest medical lab serving doctors, was hacked. The privacy commissioners of Ontario and British Columbia said the company failed to follow provincial data health protection laws.
Despite billions of dollars in annual healthcare spending in Canada, “funding for cybersecurity is getting short shrift,” Holland told the panel.
He got support for that from Idrees, who noted Ontario alone spends $70 billion a year on healthcare. “I don’t think it’s lack of funding. It’s just that people don’t think it [cybersecurity] is important enough.” While the province has set up a Digital Health Information Exchange, she said spending on “practical, tangible pieces of software or training … is seriously lacking.”
Hospitals spending more on IT in general will only exacerbate the problem, said Curtis. Money has to be targeted for cybersecurity.
However, he also said that, for better security, more institutions should be adopting shared systems. For example, there are shared diagnostic imaging services in Ontario used by many hospitals and medical practitioners.
He and others also pointed to a serious problem in Canadian hospitals: legacy software and hardware that impede the adoption of more secure technologies.
Tam said hospital CEOs and CIOs have to see cybersecurity as separate from IT in their budgets.
Proper governance is also important, he said. “We need to come together to collectively tackle these issues, to identify what the risks are and identify the solutions. If we’re working together, we can also improve our [cybersecurity] practices across the board. We have a diverse, broad healthcare system. We need to think how we govern our data and systems across the healthcare sector” rather than one hospital at a time.