Canada experienced a 250 per cent increase in healthcare cyberattacks towards the end of 2020, according to a report. Cybersecurity experts are urging the Canadian healthcare industry to rethink its security measures as more Canadians use telehealth services.
Check Point Software’s annual security report said the healthcare sector saw a 37 per cent increase in attacks globally in the past 12 months; Canada had the “most dramatic increase.”
Since the start of November, there has been a 45 per cent increase globally, the report said. In an email, Check Point said Canada had on average 200 attacks per week and peaked with over 800 per week in November.
The ransomware technique of “double extortion,” where a hacker will threaten to publicly leak stolen data, also rose in 2020.
Sumit Bhatia, director of communications and knowledge mobilization with Ryerson University’s Cybersecure Catalyst, says the increase comes from the industry suffering pressures from COVID-19, and that it’s a problem of “volume and attention.”
“There is an incredible amount of volume happening in this space and attentions have focused in very specific areas of care,” he said in an interview.
The volume comes from the number of people volunteering to help and the increased number of popup centres for COVID-19 services, he said. Bhatia said that an increase in personnel means healthcare providers are having a challenging time training everyone, making the sector a lot more vulnerable to cyberattacks.
Additionally, Bhatia said that many healthcare systems are running on legacy technology that isn’t able to keep up with sophisticated attacks.
In June 2020, the Canadian Medical Association said 47 per cent of Canadians have used virtual care services during the pandemic. And in December 2020, a Deloitte tech trends report said virtual healthcare is expected to grow in 2021.
At the time, experts said healthcare practitioners are still reluctant to do consultations over traditional video-calling platforms because of concerns around privacy.
Bhatia said that the rapid adoption of telehealth technology in healthcare systems has led to a limited ability to test and collect data and examine the trends and patterns around security.
He also says the industry is having to integrate existing proprietary systems that hold data, test results, and patient information, with the telehealth system in ways we haven’t seen before.
“We have to start with the healthcare industry actually developing a risk-informed cyber strategy, something where they’ve actually performed risk assessments across each of the systems and then defined whether the use of them creates greater pressure or a greater risk for the organization,” he said.
“Right now we’ve just adopted [technology systems] for the model of efficiency, not for models of security. We are focused on delivering care, not necessarily delving into cybersecurity issues.”
Ann Cavoukian, former information and privacy commissioner of Ontario, says the increase in cyberattacks is baffling but not surprising.
“It astounds me. Why aren’t they saying ‘look we have to change how we’re going about this. We have to increase far greater security,’” she said in an interview.
Cavoukian says companies need to ensure they have their own proprietary systems that ensure that adopt end-to-end security with full lifecycle protection.
“You would think that in a hospital where obviously you’re dealing with the most sensitive personal health information, they will go to great lengths to secure the data,” she said.
Healthcare privacy is mandated provincially, but Cavoukian said that current rules in place in Ontario are strong in terms of protecting data. She said that the onus is on the healthcare industry to have robust security systems.
“They have been in place for a long time, it’s provincial and it’s very strong in terms of protection. It’s not that [they need updating]. The requirements are there,” she said. “Hospitals and healthcare providers have to be doing this and they’re obviously not doing this properly.”