Cyberattacks Pose Challenges for Canadian Health Information Systems

As Canadian health systems add new technologies such as electronic medical records (EMR), care coordination platforms, wearables, remote patient monitors, and -internet-of-things devices, cyberattacks pose new privacy and financial risks for patients, providers, and institutions, according to a new analysis.

Canadian physicians, whether in large hospitals or individual clinics, can improve their ability to prevent and respond to a cybersecurity attack through a four-stage plan, the authors wrote.

Vinyas Harish

"We have worked hard to write this piece in a way that clinicians, whether they work at a large academic institution with dedicated cybersecurity expertise or by themselves in a rural, private practice, can take away tangible and practical measures to improve their cybersecurity posture," author Vinyas Harish, an MD/PhD student at the University of Toronto’s Institute of Health Policy, Management, and Evaluation, Toronto, Ontario, Canada, told Medscape Medical News.

The analysis was published online November 20 in CMAJ.

Four-Stage Plan

Since 2015, Canadian health information systems have faced at least 14 major cyberattacks, including nine with ransomware or malware threats and six data breaches that compromised personal health information. These types of attacks are increasing, and even if no ransom is paid, cyberattacks can lead to health system downtime, patient safety concerns, and technology vulnerabilities.

Cybersecurity practices vary widely across public sector institutions within the provinces and territories, and smaller private organizations often lack financial and human resources to train employees and mitigate risks. Although some shared services models are being tested, such as an Ontario Health pilot with six regional security operation centers, clinicians and health systems must be aware and create their own cybersecurity plans that are appropriate for their devices and information systems.

Harish and colleagues suggested focusing on the following four stages of cybersecurity: prevention, detection, response, and recovery. During the initial stage of prevention, individual cyberhygiene plays a major role in stopping attacks. For instance, clinicians should use strong passwords and two-factor authentication (2FA) for their logins, install antivirus and virtual private network software on their devices, and update software as security patches are released. While physicians in large organizations should receive standardized institutional support for these best practices, private practice clinicians can work with third-party vendors or professional support groups, such as the Ontario Medical Association, to set up a secure system. They also may consider privacy breach and cyberattack insurance.

During the detection stage, clinicians should be aware of suspicious behavior, such as unfamiliar emails, pop-up messages, barred entry to files or applications, installation of unrecognized files and software, and unusual activity on routine malware scans. In a phishing email, for instance, physicians may notice giveaway signs of a scam, such as an incorrect or unusual email address, a sense of urgency, an impersonal greeting, different fonts, typos, a vague or strange signature, an outdated logo or incorrect address, and a strong call to open a link or download an attachment. Unusual activity should be reported.

After detection, particularly in the case of ransomware, clinicians should move into the response phase by disconnecting the affected machines from the internet and shutting them down. Quick action can prevent the extraction of data from the device and network. Then the organization should launch its cyberattack response plan, which could include contacting law enforcement and the Canadian Medical Protective Association and temporarily transferring workflows to alternate options, such as paper records in lieu of electronic medical records. To prepare for this type of response, physicians should practice their cyberattack plan as they would for a fire or other disaster. Importantly, health organizations shouldn’t pay ransoms to unlock and decrypt systems since access isn’t guaranteed and payment may encourage future attacks.

During recovery, larger organizations with IT experts can restore health information systems from backups, and smaller organizations can work with vendors to recover data. Organizations should also review the event, emphasizing areas for improvement and ongoing cybersecurity practices.

"While measures like 2FA can take some sacrifice by end users with regard to their workflows, those small sacrifices are far preferable to the stressors of navigating or recovering from an attack," said Harish. "Ultimately, it takes a concerted team effort by end users, policymakers, and vendors (among others) to keep our patients and communities safe from cyberthreats."

Emerging Cybersecurity Areas

Looking ahead, health systems must pay attention to emerging technologies to mitigate potential risks, the authors wrote. Virtual care platforms, for instance, may use consumer video-conferencing options that don’t meet provincial privacy and security requirements. Instead, clinicians can use tools built into the EMR or videoconferencing solutions that meet healthcare standards, such as Zoom for Healthcare.

In addition, remote monitoring and personal medical devices, such as pacemakers, insulin pumps, and blood glucose monitors, connect to the internet for software updates and biomarker information transmission. Cyberattack hackers have been able to drain device batteries, provide too much stimulus, or fail to provide a stimulus when needed. Clinicians should remain aware of cybersecurity notices that might affect their patients, such as the 2019 Health Canada recall of several models of insulin pumps that were vulnerable to attacks.

Alex Wilner, PhD

"Understanding the nexus between cybersecurity and healthcare is a top national priority. Canadians and medical professionals alike must trust the integrity of Canada’s healthcare system," Alex Wilner, PhD, associate professor of international affairs at Carleton University, Ottawa, Ontario, Canada, told Medscape.

Wilner, who wasn’t involved with this analysis, serves as the director of Carleton’s Infrastructure Protection and International Security program. He leads the university’s new interdisciplinary Cybersecurity Collaborative Specialization and has written about cybersecurity concerns in Canada’s healthcare sector.

"There’s no easy fix to addressing the cybersecurity challenges that threaten to degrade Canadian healthcare. A whole-of-society approach is needed," he said. "More support, training, leadership, and guidance is needed from all levels of government to help deter attacks in the first place. And more interdisciplinary research is needed to better understand the cybersecurity lessons for Canadian healthcare from other critical infrastructures."

Harish was supported by the Canadian Institutes of Health Research Banting and Best Canada Graduate Scholarship (Doctoral) and the Schwartz Reisman Institute for Technology and Society Graduate Fellowship. Wilner reports no relevant financial relationships.

Carolyn Crist is a health and medical journalist who reports on the latest studies for Medscape, MDedge, and WebMD.