The rapid digitization of Canadian health systems, with 86% of family physicians using electronic medical records (EMRs) in 2019, has ushered in a new era of healthcare. The integration of digital tools, virtual care, and IoT devices offers improved convenience and quality of care. However, this digital transformation also exposes health systems to cybersecurity risks, threatening patient privacy, financial stability, and overall system functioning.
This article explores the impact of cyberattacks on Canadian health information systems and outlines strategies for clinicians and policymakers to bolster cybersecurity. The prevalence of cyberattacks targeting Canadian health information systems is on the rise, with 48% of reported breaches in 2019 occurring in the health sector.
These attacks, predominantly ransomware or data breaches, pose significant challenges to patient safety, system functionality, and financial well-being. Cybercriminals, nation-states, hacktivists, and extremists are drawn to health organizations as lucrative targets, leveraging vulnerabilities in outdated systems and exploiting the value of personal health information (PHI).
While cybersecurity policies are evolving, the recently enacted Critical Cyber Systems Protection Act (CCSPA) in the House of Commons excludes health organizations. Drawing inspiration from the U.S. Healthcare and Public Health Sector Coordinating Council, collaborative governance mechanisms could establish common standards, fostering innovation and experimentation.
Shared services models, such as regional security operation centres, aim to address cybersecurity disparities among smaller institutions. Provinces and territories play a pivotal role in addressing cybersecurity disparities among public sector organizations. Initiatives like Ontario Health’s pilot of six regional security operation centres aim to continuously monitor and enhance security practices.
However, it is crucial for clinicians and health organizations to actively engage with these initiatives, ensuring that their needs and perspectives are considered in the development of incident reporting and escalation pathways. At the individual level, clinicians must adopt robust cyberhygiene practices to thwart potential cyberattacks. Vigilance against phishing attacks, the use of strong passwords with two-factor authentication, and adherence to secure network practices are paramount.
Password managers can assist in generating and storing unique passwords, while clinicians should avoid sensitive tasks on public Wi-Fi to prevent interception or malware installation. Regular software updates are essential to address vulnerabilities in legacy systems. In the event of a cyberattack, quick and decisive action is crucial.
Clinicians should promptly disconnect affected machines, shut them down, and activate their well-documented cyberattack response plans. Transitioning to backup workflows, such as paper records, may be necessary to mitigate disruptions.
While the pressure to pay ransoms may be significant, health organizations are generally advised against it, as payment does not guarantee restored access and may encourage future attacks. As the frequency and sophistication of cyber threats continue to grow, a proactive approach to cybersecurity is imperative for Canadian health systems.
Policymakers, health organizations, and individual clinicians must collaboratively navigate the evolving landscape, leveraging tools, adopting best practices, and implementing robust incident response plans. Prevention remains the key, and as national and regional policies develop, a unified effort is needed to safeguard the integrity, confidentiality, and availability of health information systems. In the realm of cybersecurity, an ounce of prevention is indeed worth a terabyte of cure.
Journal Reference
Cyberattacks on Canadian health information systems, Canadian Medical Association Journal (2023). DOI: 10.1503/cmaj.230436.


