As six Ontario hospitals recover from recent ransomware attacks, a new analysis is urging clinicians and health care organizations to take a proactive approach to protecting patients’ health information.
The paper, published in the Canadian Medical Association Journal, is one of the first of its kind to explore the impact of cyberattacks on Canadian health information systems and how clinicians can improve their cybersecurity readiness. The guidance comes at a critical time, says co-author Vinyas Harish, as cyberattacks against Canadian health information systems become increasingly common.
“Health organizations make attractive targets because of the value of personal health information and institutions’ perceived ability to pay ransoms,” says Harish, an MD/PhD candidate at Unity Health Toronto and in the Temerty Faculty of Medicine at the University of Toronto. “Amid events like the COVID-19 pandemic and geopolitical conflicts, we’re seeing hackers take advantage of situations that create fear and panic.”
The digitization of Canadian health systems onto shared networks has also created more opportunity for hackers to gain access to hospital or personal information.
“While digital tools and systems can improve access and convenience, most clinicians lack dedicated IT training,” says Harish. “This creates stress and increases the likelihood of falling victim to an attack.”
The paper, written in collaboration with a researcher from the University of British Columbia, outlines four stages for effectively navigating cyberattacks, adapted from the U.S. National Institute of Standards and Technology. In the prevention and detection stages, clinicians are urged to use strong passwords and secure devices, avoid inadequate network protections and remain vigilant against phishing attacks or suspicious behaviour.
“Many health care organizations have sophisticated systems in place to prevent and respond to attacks but there’s a lot that can be done at the individual level,” says Dr. Shaun Mehta, Emergency Physician at St. Michael’s Hospital and one of the paper’s co-authors. “I think people probably underestimate their role in preventing attacks.”
In their analysis, the authors also find a lack of consistency in cybersecurity education and practices across provinces and institutions. In Ontario, for instance, cybersecurity isn’t part of the medical or nursing school curricula. While some health care networks and institutions have implemented cybersecurity modules, it’s really organization-dependent, says Mehta.
“Cybersecurity training and practices aren’t mandated in Canada, likely because we don’t have a good set of centralized instructions or guidance established at a national or provincial level,” he says. “There’s been a concerted effort to implement some type of standardization in recent years as we’ve identified this increased risk of attacks against health information systems, but we’re not there yet.”
At Unity Health Toronto, cybersecurity is a critical focus. In 2020, the organization commissioned an independent cybersecurity readiness assessment, which informed a three-year cybersecurity road map. Several recommendations have since been implemented, including deployment of technologies to track and identify suspicious activity, regular risk exposure assessments and a cybersecurity awareness program to educate staff, physicians and learners.
“We’ve been working really hard to empower staff with tools, knowledge and practices to avoid falling victim to an attack,” says Abdulkader Abdulkarim, Director of IT Security and Chief Information Security Officer. “It’s a dynamic environment. As the cyber landscape changes rapidly, we continue to look for new ways to educate our people and re-evaluate our systems and practices.”
These efforts are particularly important as Unity Health works to implement its new electronic patient record system. Though the benefits far outweigh the risks, says Mehta, education will be key.
“The system will have a lot of new functionality, which is great, but it’ll be unfamiliar to most clinicians,” he says. “Clinicians need to know what to click on, what to avoid and what to look out for, not just to avoid falling victim to an attack but to alleviate frustration and maximize time spent with patients.”
It all comes back to proactivity, says Harish.
“This is a serious problem but it’s not unavoidable if we take simple, concrete steps to improve our cybersecurity posture,” he says. “We don’t need to wait for something to happen before we take action.”
By: Anna Wassermann