Hospitals 'overwhelmed' by cyberattacks fuelled by booming black market

Canada's health system is under siege from unrelenting cybercriminals trying to access patient information and other data, according to health-care professionals and cybersecurity experts who say hospitals and clinics are unable to cope with the growing threats.

The problem has become so big that some are calling for Ottawa to impose national cybersecurity standards on the health-care sector and for an influx of cash from the federal government to deal with the issue.

"My biggest disappointment at this moment is that it seems that anything that has to do with the health sector and cybersecurity is falling between the cracks at the federal level," said Paul-Émile Cloutier, the president and CEO of HealthcareCAN, who spoke with CBC News in early March. The organization represents hospitals, regional health authorities and health research centres across the country.

There's a growing list of health-care institutions that have fallen victim to breaches over the last year. LifeLabs, a Canadian diagnostic and speciality testing company, was hit, possibly exposing the sensitive information of millions of patients.

Three Ontario hospitals were struck by ransomware in October. This year, eHealth Saskatchewan, which manages that province's personal medical records, was compromised, and in Nova Scotia patients had information about their surgeries exposed during a cyberattack.

In mid-March, the federal government's Canadian Centre for Cybersecurity issued an alert about the elevated risk faced by health organizations involved in the national response to the COVID-19 pandemic.

It said "sophisticated threat actors" may try to steal intellectual property related to COVID-19 research and development or pinch sensitive data on Canada's response to the virus. And cybercriminals could take advantage of the pandemic's pressure on the health system to infect online systems with ransomware.

Claude Vickery/CBC
Claude Vickery/CBC

Experts say health information can be even more valuable to hackers than a credit card, because it includes data such as a person's health number or date of birth — pieces of information with a "unique value" that doesn't change over time and can help thieves steal identities.

"The market for health-care identities is big and booming," said Abigail Carter-Langford, a vice-president with Canada Health Infoway, an organization funded by Health Canada that focuses on improving the access of Canadians to digital health technology.

Raheel Qureshi, a co-founder of cybersecurity firm iSecurity Consulting, which works with more than 150 health-care organizations in Canada including dozens of large hospitals, said the health-care sector is targeted more than any other industry in the country.

He said 48 per cent of all security breaches in Canada last year were in the health-care industry and cyberattacks in the sector rose 15 per cent between 2018 and 2019. In October 2019, iSecurity's monitoring service detected 3,257 attempts to gain access to the computers at one of its client's hospitals.

Qureshi said the health-care system is behind the times.

"A lot of health-care organizations are still in the middle of some kind of security road map, or they're starting the conversation now to understand, 'What do we need to do?' Banks started doing this 15, 20 years ago."

And that has consequences, according to David Shipley, CEO of Beauceron Security Inc., a cybersecurity company in Fredericton.

"Hospital IT staff are tremendously, tremendously overwhelmed," he said. "When you look at every dollar we spend in health care, we want it to go to front-line health-care services, so we really keep the IT spend to bare-bones minimum, and criminals know that and they've been exploiting that."

Submitted by Paul-Émile Cloutier
Submitted by Paul-Émile Cloutier

Exploited is exactly how Jill Golick of Toronto feels. She has worked hard to protect her data by using two-factor authentication and adopting unique passwords, but her personal information was compromised during the LifeLabs breach.

Golick hasn't been told exactly how much of her data might have been accessed, but the company did have her personal contact information and results from her health tests, including blood work.

"I don't think that anybody went through all the effort of hacking LifeLabs without evil intent. There's so many different schemes you could carry out with this kind of data, whether it's identity theft, just getting credit card numbers, there could be blackmail," she said.

"I find it incredibly upsetting, I take my cybersecurity very seriously."

So far, she hasn't noticed any fallout from the breach.

Thomas Daigle/CBC
Thomas Daigle/CBC

Hospitals may also hold a patient's credit card information as well as personal data, said Andrew Nemirovsky, a senior director of information management and information technology for the Nova Scotia Health Authority. For instance, a patient may have paid for a semi-private room.

He said while information from a credit card sells for about a dollar online, a U.S. citizen's health data can sell for $100 to $200, although he suspects Canadian health information would go for less as it contains less financial information.

To deal with the problem, some experts want the federal government to impose national standards to force health-care organizations to update their cybersecurity and better protect patients. Qureshi would even like those standards extended to all public-sector institutions.

Submitted by Raheel Qureshi
Submitted by Raheel Qureshi

Cloutier said the federal government should set aside money specifically to help health-care organizations improve their cybersecurity, which he estimates could cost billions of dollars.

In mid March Health Canada spokesperson Marie-Pier Burelle said in an email that it has taken action to address cybersecurity by creating a digital health division to assess the safety and effectiveness of digital health technologies like wireless medical devices and mobile medical apps.

And while no federal regulations exist forcing cybersecurity standards on hospitals or clinics, Health Canada did help develop guidelines that "provide cybersecurity recommendations to stakeholders," said Burelle. Those stakeholders include health-care providers, regulators and medical-device manufacturers.

Not everyone is sold on the idea of a national standard, though.

Carter-Langford, with Canada Health Infoway, said since the cybersecurity landscape is constantly changing, it would be difficult to put in any minimum security standards because what's appropriate today might not be good enough tomorrow.

"The slowest thing to create change is often the law, when we as organizations can use the tools we have and the systems we have to do better. And when we as individuals can make better choices and as consumers drive improvement," she said.

Submitted by Jill Golick
Submitted by Jill Golick

Still, the attacks keep coming.

In Nova Scotia, phishing emails have attempted to trick the health authority's payroll and human resources departments into putting money into an unauthorized account.

"They send through a message saying that 'I'm so and so, my banking information has changed, can you please update it?' And they even include a copy of a void cheque, so it's very sophisticated," Nemirovsky said.

The health authority has now stopped taking those requests via email.

Even the appointment of Brendan Carr as the health authority's new CEO prompted more cyberattacks, showing how criminals are paying attention to local developments and tailoring their attacks.

"The bad actors were starting to send out emails from 'Brendan Carr' asking for immediate updates and people to click on links," said Nemirovsky.

Both Cloutier, a victim in the LifeLabs hack, and experts say Canadians need to understand the seriousness of the problem.

"This is a real risk to Canadian health care, it can impact you and your family, " said Shipley.