Experts are pointing to the urgent need for Canada’s health-care system to adopt better security practices as cyberattacks, including data breaches and ransomware, become increasingly common in the country. According to a recent article published in the Canadian Medical Association Journal (CMAJ), at least 14 major cyberattacks have targeted Canadian health information systems since 2015. These attacks have resulted in significant disruptions to patient care and compromised the personal health information of millions of people seeking medical care.
The digitization of health information systems on shared networks has undoubtedly brought about improvements in convenience, access, and quality of care. However, it has also exposed the system to security risks. The co-authors of the CMAJ article emphasized that most clinicians lack dedicated information technology (IT) training, making it increasingly challenging for them to navigate complex health information systems. Outdated systems and a lack of proper cybersecurity measures further compound the problem, making health organizations financially lucrative and vulnerable targets for cybercriminals.
In response to the escalating cyber threats, the federal government introduced legislation last year to enhance cybersecurity measures for critical infrastructure operators. However, the proposed legislation, known as Bill C-26, does not currently include health organizations, as noted in the CMAJ article. This highlights the need for greater coordination between the federal government, provinces, and territories to establish common security standards and shared service models across the health-care system.
To address cyber threats effectively, the researchers recommended following the preventative measures outlined by the U.S. National Institute of Standards and Technology. These measures include installing anti-virus and VPN software, remaining vigilant against phishing emails, using strong passwords and two-factor authentication, and conducting regular antivirus and malware scans.
In the event of a cyberattack, the article suggests disconnecting affected devices from the internet, shutting them down, and transitioning to alternative workflows, such as using paper records if access to electronic medical records is lost. It is also crucial to notify relevant authorities, such as the Canadian Medical Protective Association and the police in the case of a ransomware attack. The recovery phase relies heavily on the capacity of health information systems to restore data from backups and on collaboration with external vendors to ensure data recovery.
It is clear that immediate action is needed to strengthen the cybersecurity measures within Canada’s health-care system. By prioritizing security standards, investing in training and technology, and fostering collaboration between various stakeholders, the health-care sector can mitigate the risks posed by cyberattacks and ensure the safety and privacy of patients’ personal health information.
FAQs (Frequently Asked Questions)
1. What is ransomware?
Ransomware is a form of malicious software that encrypts a victim’s files and demands a ransom payment in exchange for restoring access to the files.
2. How can health organizations prevent cyberattacks?
Health organizations can take several preventative measures, including installing anti-virus and VPN software, remaining vigilant against phishing emails, using strong passwords and two-factor authentication, and conducting regular antivirus and malware scans.
3. What should be done in the event of a cyberattack?
In the event of a cyberattack, it is crucial to disconnect affected devices from the internet, shut them down, and transition to alternative workflows. Relevant authorities, such as the Canadian Medical Protective Association and the police, should be notified, and external vendors should be involved in data recovery efforts.
4. What can the government do to improve cybersecurity in health care?
The government can enhance cybersecurity in health care by including health organizations in legislation that focuses on critical infrastructure protection. Additionally, greater coordination and collaboration between federal, provincial, and territorial governments are necessary to establish common security standards and shared service models.