Earlier this year, HealthCareCAN issued a call to action to address Cyber security vulnerabilities in Canadian healthcare, and invited Canadian and international leaders in health and digital security to attend HealthCareCAN’s Summit on Cyber Security. On February 22nd, 2018, these leaders descended on the Toronto Airport Sheraton Hotel to chart a path forward. Below are some of the key takeaways from the Summit.
1. All hospitals are at risk of a cyber attack
Hospitals – no matter their size or location – are at risk for cyber-attacks. Hospitals are seen by hackers as large repositories of valuable information, with limited budgets to secure data and update old hardware and software, making them vulnerable and thus, ideal targets.
Presenters for the Summit stressed that the healthcare sector will be a key focal point for cyber-attacks in the coming year, and that these attacks will increase in number and sophistication. “What we’re facing now, is the inevitable”, says Ray Boisvert, Provincial Security Advisor for Ontario. “Eventually, you will be breached.” added John Riggi, Senior Advisor on Cyber Security and Risk for the American Hospital Association “It’s not a matter of if, but when”.
2. Hospital data and system access are irresistible to cyber criminals
Healthcare data – from patient records to clinician information – contains a wealth of information for hackers to profit from. Healthcare data contains all the necessary data sets that allow hackers to steal identities, defraud insurance companies, encrypt for ransom, cross-reference for intelligence gathering, and steal intellectual property. A security breach can thus have grave implications for not only the hospital and its patients, but also the state.
Ransom – Healthcare’s reliance on digital medical information is so complete that some hospital systems cannot survive without it for long. Encrypting medical information and demanding a ransom to reinstate access to hospital staff is a common strategy by hackers, costing hospitals millions in ransom payments and grinding operations to a halt for several days in the meantime.
Identity theft – Stealing medical information to be sold on the black market generates millions in profit for hackers, as medical information contains highly sensitive data that is exceptionally difficult to revise, such as social insurance numbers.
Fraudulently billing the medical system / insurers – Once hackers have gained access to a hospital’s system, they can obtain clinician information and use it to buy medical equipment or drugs that can be resold, or file fraudulent claims with insurers.
Cross referencing the data for the benefit of intelligence gathering by political/state adversaries – This is particularly pertinent to the electronic health records of military personnel that receive treatment at civilian hospitals. By cross-referencing patient data with other data sets at hand, a hacker can determine posting schedules, sensitive medical testing information, and the general health status of the military.
Theft of intellectual property – Hackers can steal information on ongoing clinical trials, or innovative products prior to being patented, then delete all the related information in the hospitals system, and sell the stolen information to competitors on the black market. This can result in millions of dollars of lost potential revenue for hospitals and their research institutes.
Hospital System Access – The various ways that cyber criminals can use stolen data is rather straight-forward, however, it’s not always about greed or revenge; power and control (terrorism) are just as probable reasons for an attack. Hospital system access provides cyber criminals with the means to control the diagnostic, treatment, and life support equipment on which lives depend. In fact, with system access, they can disable MRI equipment, hack into pacemakers, re-route wire transfers, or completely shut off the power grid.
3. Hospitals can protect themselves
Cyber security is typically seen as a technology problem; however, it is in fact human error that typically causes a security breach. As Dan Taylor, Head of Security for NHS Digital, put it, “Cyber security is not a tech problem, it’s a people problem”. A number of important points emerged during the session, chiefly, that education – paired with the use of plain language and incentive-based training – is a key factor in preventing a cyber-attack, as well as ensuring data is regularly backed up.
Educate – Probably the most effective method of defending against a cyber-attack is to educate staff on cyber security due diligence and the typical strategies used by hackers, prevention is key. Training should be provided to all staff, at all levels, as cyber-security is the responsibility of every department and stakeholder.
Use plain language – When communicating risks and providing training on cyber-security, do so in a language that is easy to understand by people who may not be computer-savvy. Avoid terms that are too technical to prevent confusion and intimidation, which can result in costly human error.
Provide incentives – Fear is a poor motivator, provide opportunities for staff to take part in personable, interactive training tools, as regular training sessions are rarely memorable. Training can be ‘game-ified’ and thereby made memorable, such as by providing minor rewards for identifying phishing attacks. For more senior staff and stakeholders, who face reputational risk for declaring gaps in knowledge, one-on-one training sessions have been proven to be particularly effective.
Backup – while backing up data will not always solve the problem, regular data backups are still necessary as they reduce the potential for hackers to hold data for ransom, and protect against record deletion. Backups should be stored offline and offsite to ensure staff are still able to access records during an attack.
4. Responding to an attack is an enterprise-wide responsibility
Other sectors, including energy and finance understand security as an enterprise wide responsibility, but healthcare has not yet taken this philosophy to heart. Because cyber security is commonly treated as an IT issue, resilience and response are effectively delegated to a Chief Technology Officer, Chief Information Officer, or similar position. This attitude prevents the hospital board and executive team from developing knowledge and expertise or developing a resilience and response plan that cuts across the organization’s activities.
Treating security as an IT issue belies the fact that insider threat is a major driver of security risks. These threats can be either accidental or intentional. For example, a recent survey of about 900 employees of healthcare providers and payers in the United States and Canada found that 21 percent of healthcare employees write down their user names and passwords near their computer and 18 percent are willing to sell confidential patient data to an unauthorized outsider. “Don’t ever overlook the insider threat”, says Ray Boisvert, Provincial Security Advisor for Ontario, “You can trust, but always verify”.
Advance planning is imperative; the worst possible time to develop a strategy is during an attack, when stress levels are high. Healthcare organizations should have a plan in place that embraces both prevention and response to cyber-attacks in all their forms. That plan needs to include a set of criteria for determining who to contact for help, whether and when a ransom should be paid, and how to communicate with staff and stakeholders. But it should also involve building cyber security requirements into equipment procurement in order to encourage resilience and prevent attacks.
“When an attack occurs, your first call should be to your lawyer”, warns Jim Patterson of Bennett-Jones LLP. Any investigation or response an organization undertakes before engaging legal counsel is not covered by privilege. Its disclosure can be forced during a class action suit or other legal action. Your next call should be to your insurer.
5. The HealthCareCAN community is engaging deeply on cyber resilience
The Canadian Summit on Healthcare Cyber Security saw the launch of the Declaration of Commitment to Cybersafe Healthcare, which commits signatories to six tangible actions to increase cybersecurity preparedness and resilience:
- Champion: Championing cybersafety in Canada’s health sector;
- Inform: Enrusing that our leaders, staff, and partners are informed about the scope of the challenge and opportunities to mitigate risk;
- Contribute: Contributing to shared action plans that build resilience to cyberattacks;
- Advance: Progressing cybersafety in ways consistent with our mandates, considering opportunities for prevention, mitigation, preparedness, response, and recovery;
- Share: Sharing information, best practices, and tools with others within and beyond the health sector to build collective capacity and resilience; and
- Transparency: Publishing by Cybersecurity Awareness Month in October 2018 how we will apply these commitments in our unique context and/or with our community.
The Declaration is serving as the cornerstone for a Canadian Coalition for Healthcare Cyber Security, to jointly pursue education, standardization, information sharing, and other hallmarks of cyber resilience.
Useful tools & links
Participants highlighted tools and resources currently available to help inform and support cyber threat detection and response. Annotated descriptions of some of these tools are included below:
Canadian Cyber Threat Exchange (CCTX) –CCTX is an independent, not-for-profit organization, launched in 2016 that helps Canadian businesses and consumers detect and mitigate cyber attacks. CCTX acts as a node in which threat information from various industries and sectors can be analyzed, to the benefit of all members. Partners in CCTX provide access to internal data, which CCTX then collects, analyzes, aggregates, and anonymizes for distribution within the network. Any threats detected through this process are identified, and all members are alerted to threats with advice on strategies for mitigation. CCTX’s approach is consistent with the National Strategy for Critical Infrastructure and the network was recently joined by key federal departments, including Public Safety Canada and the Canadian Communications Security Establishment.
Cyber Essentials – Cyber Essentials Canada is a platform that allows firms to undertake self-assessment of cyber resilience based on five key security controls: (1) firewalls and gateways, (2) secure configuration, (3) access control, (4) malware protection, and (5) patch management. Compliance with Cyber Essentials standards is estimated to prevent approximately 80% of common internet attacks. Certification with Cyber Essentials is compulsory in the United Kingdom for firms doing business with the government.
Canadian Cyber Incidence Response Centre (CCIRC) – CCIRC is Canada’s national coordination centre responsible for reducing the cyber risks faced by Canada’s key systems and services and works within Public Safety Canada in partnership with provinces, territories, municipalities, private sector organizations and international counterparts. It also coordinates the national response to any serious cyber security incident.
Critical Infrastructure Information Gateway – The Canadian Critical Infrastructure Information Gateway is a collaborative, unclassified workspace for the critical infrastructure community with the aim of facilitating information sharing in support of building a safer, more secure and more resilient Canada. Critical infrastructure owner/operators can gain the benefit of joint expertise as well as rapid access to threat information by joining and participating in the Gateway.