Montreal's west end health agency just beginning to come back online, weeks after cyber-attack


Montreal's west end health agency, the CIUSSS du Centre-Ouest-de-l'Île-de-Montréal, is only now beginning to go back online after a cyberattack last month forced it to disconnect from the internet.

The health agency, which includes the Jewish General Hospital, said patient care wasn't affected when it first announced the attack October 29th.

A statement released today by the health agency suggests key information systems have been offline for weeks.

"Our plan for the coming weeks is to focus on establishing a connection path for critical applications such as OACIS, the DSQ and DSIE, as well as key administrative systems for HR, Finance and Logistics as quickly as possible," Dr. Lawrence Rosenberg, CEO of the agency, said in a statement.

OACIS and DSQ are the systems that allow doctors and nurses to access patients' medical records, and DSIE helps manage services such as home care and the Info-Santé 811 telephone service.

The statement said technical teams began re-establishing network and internet connectivity Monday, but that the process could take several more weeks.

"I am aware that this timeline may be very inconvenient for some members of staff, but it is the only way to ensure that service can be re-established as required," Rosenberg said in the statement.

He also said there's no indication that any staff or patient data had been compromised.

What happened?

In an email to CBC, CIUSSS spokesperson Carl Thériault offered more details about the cyberattack.

"We believe that it was an attempted ransomware attack," Thériault said.

"We have not received a ransom demand. Our early intervention, disconnecting our health network from the internet, seems to have prevented this scenario," he continued.

Several North American hospital networks have been hit by ransomware attacks in recent weeks.

At the end of October, the FBI issued a warning that it had "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."

The alert said malicious groups were targeting the sector with attacks that produce "data theft and disruption of health-care services."

Simon-Marc Charron/Radio-Canada

Last month, around the same time the CIUSSS was targeted, the website of Montreal's transit agency, the Société de transport de Montréal (STM), was knocked offline by hackers who demanded a ransom payment of $2.8 million.

The STM didn't pay the ransom, and payroll and adapted transit service as well as its website were affected for a week before the agency was able to get back online.

Agency using 'alternate workflows' to cope

Thériault said the health agency has been coping with the shutdown by using 'alternate workflows' including 'paper charting' of patient information.

"Thanks to the dedication and professionalism of our staff we have continued to meet the needs of our users," Thériault said.

He said, in some cases, telephone service that was internet-based had been offline but had been mostly restored.

He also said in some cases, alternate cellphone networks have been set up.

He said nurses who staff the 811 Info-Santé service still don't have internet access, so they have been documenting patient information by hand, and "accessing relevant information through alternative methods."

Thériault said it was difficult to estimate how long it would take for all services to be back online.

"Our priority is to give back access to critical applications and services during the next three weeks," he said.

"Once that is done, we will be in a better position to evaluate the time necessary for things being fully back to normal," Thériault added.

Difficult to prevent such attacks

Steve Waterhouse, a lecturer on cyber-security at the Université de Sherbrooke and former information-systems security officer at the Department of National Defence, told CBC in an interview Tuesday such attacks often originate — or use servers — in other countries with less stringent internet regulations, particularly Russia.

CBC News

Waterhouse said the hackers plant ransomware software in emails that may be opened by staff.

"At a certain moment the software will encrypt, and really just freeze up, all of the information inside a hospital," Waterhouse said.

"Because of the critical nature of this information they expect the institution to immediately pay up," he continued.

Waterhouse said such attacks are difficult to prevent.

"Even if they put half-a-million dollars worth of hardware to protect their infrastructure, it only takes one person to activate the email and activate the malicious code," Waterhouse said.

He added the best defence against such attacks is to educate staff about the possible risks.

To pay or not to pay?

Waterhouse noted some institutions have opted to pay ransom after negotiating with hackers.

He said the most famous example is the Presbyterian Hospital in Hollywood, California in 2016.

The hospital was asked to pay $17 million in ransom after its systems were attacked.

After twelve days offline, the hospital negotiated with the hackers and eventually paid a ransom of $17,000 US in bitcoin.

Waterhouse said there are always risks in paying a ransom.

"How can it be possible to ensure they will erase the data, or not come back and try to sell it again?" he said.

Health Minister Christian Dubé praised the health agency's response at a news conference Tuesday afternoon.

"The right measure that was done was to turn off the computer, because at least the personal information was not accessible," Dubé said.

"The negative side of that is that it takes longer to reset," he continued.