2019 was the year of the cyber-breach in Canada. While the year’s headlines were plentiful with details of new breaches, vulnerabilities, and hacks, you would be hard-pressed to learn whether anything has actually been done about it. Amidst news that LifeLabs, one of Canada’s largest medical services companies, has been hacked and the personal information of up to 15 million customers held ransom, Canadians are forced to reconcile with the sad reality that our health and other personal data is under constant threat. Resolving that threat will take a concerted effort from all of us: facilities, healthcare practitioners and staff, patients, families, and especially government.
The world had its first major demonstration of the health sector’s cyber vulnerability during the WannaCry ransomware attack of 2017. That attack had particular penetrance in the United Kingdom’s National Health Service (NHS) causing a flood of cancelled doctors’ appointments and closed emergency departments in 80 healthcare organizations and 595 doctors’ offices. The net cost of the event came to about 92 million British pounds.
It could have been much worse.
WannaCry did not involve a mass selloff of private medical information, personal identifiers, or intellectual property; it did not affect the medical supply chain; it did not include resource hijacking for fraudulent purposes, and it did not involve remote control of vital equipment like internet-connected ventilators or pacemakers. In truth, the most stunning thing about that attack was that NHS wasn’t even a target – its institutions just happened to be using a 17 year-old operating system.
That’s worth pondering for a moment. This particular virus was designed to affect antique computer software and its impact was most visible in one of the world’s largest health systems.
Sadly, here in Canada we are no better.
The UK has a national process for evaluating the cyber-resilience of its healthcare infrastructure and has devoted resources to bringing its hospitals and health organizations up to speed. We do not, and have not. The UK is deploying a national approach to bring cybersecurity talent into its healthcare system and is encouraging its facilities to train and promote cyber hygiene. We do not and have not.
The truth is that a coherent approach to securing our healthcare systems will require us to invest time and resources, to adopt creative, systematic, and adaptable approaches and to nurture partnerships with lasting value. Moving forward on this last goal is the motive behind a recent partnership between HealthCareCAN –and the Canada-Israel Industrial Research and Development Foundation (CIIRDF).
As the national voice of Canada’s hospitals and healthcare organizations HealthCareCAN, champions innovation and transformation in Canada’s health system. CIIRDF is a bi-national organization supported by both Canada and Israel with deep ties to Israel’s Innovation Authority, the ‘nerve centre’ of Israel’s technological ecosystem, which produces almost a quarter of the world’s leading innovations in cybersecurity. Our organizations are partnering in an effort to create and sustain a dialogue between cybersecurity experts and health leaders, and to cultivate cybersecurity capacity and expertise within Canada’s health sector.
In late October HealthCareCAN, Eastern Health, the largest integrated health organization in Newfoundland and Labrador and CIIRDF gathered Israeli cybersecurity leaders and Canadian specialists in fields of healthcare, education, information technology, management and private sector partners in a focused discussion on cybersecurity in Canadian healthcare. We are now building on these discussions and working to develop new projects in education, software development, and digital infrastructure to support cybersafe healthcare in Canada.
These kinds of partnerships are urgently necessary to get Canada’s cybersecurity vulnerabilities under some kind of control, both within and outside healthcare. But efforts like this amount to a bridge to nowhere if the federal government considers cybersecurity in health to be someone else’s problem. It’s worth noting that the Prime Minister’s mandate letter to Bill Blair, the federal minister responsible for such issues, contains only a single passing reference to cyber security. Canadians might well wonder whether cybersecurity in healthcare is even on the Minister’s radar.
Things are likely to get worse before they get better. Today’s generation of threats are criminal hackers, computer viruses and internal threats either arising from exploitation or simple negligence. We have barely begun to talk about the implications of state-sponsored hackers using artificial intelligence and quantum computing technologies.
No organization or sector can go it alone in this environment – we’re going to have to work together to defend our common digital ground, and the federal government would be well-advised to get onboard.
- Moving Forward for Cybersafe Healthcare: Insights from the Canadian Summit on Healthcare Cybersecurity
- Digital Health And Data Platforms: An Opportunity For Canadian Excellence In Evidence-Based Health Research
- Champion Leading Practices in Cyber Security
- Identifying Health as a Key Player in the Digital Economy