Hospitals 'overwhelmed' by cyberattacks fuelled by booming black market

Canada's health system is under siege from unrelenting cybercriminals trying to access patient information and other data, according to health-care professionals and cybersecurity experts who say hospitals and clinics are unable to copewith the growing threats.

The problem has become sobig that some are calling for Ottawa to imposenational cybersecurity standards on the health-care sector and for an influx of cash from the federal government to deal with the issue.

"My biggest disappointment at this moment is that it seems that anything that has to do with the health sector and cybersecurity is falling between the cracks at the federal level," said Paul-mile Cloutier, the president and CEO of HealthcareCAN, who spoke with CBC News in early March. The organizationrepresents hospitals, regional health authoritiesand health research centres across the country.

There's a growing list of health-care institutions that have fallen victim to breachesover the last year. LifeLabs, a Canadian diagnosticand specialitytesting company, was hit, possibly exposing the sensitive information of millions of patients.

Three Ontario hospitals were struck by ransomware in October. This year, eHealth Saskatchewan, which manages that province's personal medical records, was compromised, and in Nova Scotia patients had information about their surgeries exposed during a cyberattack.

In mid-March, the federal government'sCanadian Centre for Cybersecurity issued analert about the elevated risk faced byhealth organizations involved in the national response to the COVID-19 pandemic.

It said "sophisticated threat actors" may try to steal intellectual property related toCOVID-19 research and development or pinch sensitive data onCanada's response to the virus. And cybercriminals couldtake advantage of the pandemic's pressure on the health system to infect online systems with ransomware.

Experts say health information can be even more valuable to hackers than a credit card, because it includes data such as a person's health number ordate of birth pieces of information with a "unique value"that doesn't change over time and can help thieves steal identities.

"The market for health-care identities is big and booming,"said Abigail Carter-Langford, a vice-president with Canada Health Infoway, anorganization funded by Health Canada that focuses on improving the access of Canadians to digital health technology.

Raheel Qureshi, a co-founder ofcybersecurity firmiSecurityConsulting, which works with more than 150 health-care organizations in Canada including dozens of large hospitals, said thehealth-care sector is targetedmore than any other industry inthe country.

He said 48 per cent of all security breaches in Canada last year were in the health-care industry andcyberattacksin the sector rose 15 per cent between 2018 and 2019.In October 2019,iSecurity's monitoring service detected 3,257 attempts to gain access to the computers at one of its client's hospitals.

Qureshi said the health-care system is behind the times.

"A lot of health-care organizations are still in the middle of some kind of security road map, or they're starting the conversation now to understand, 'What do we need to do?' Banks started doing this 15, 20 years ago."

And that has consequences, according to David Shipley, CEO of Beauceron Security Inc., a cybersecurity company in Fredericton.

"Hospital IT staff are tremendously, tremendously overwhelmed," he said. "When you look at every dollar we spend in health care, we want it to go to front-line health-care services, so we really keep the IT spend to bare-bones minimum, and criminals know that and they've been exploiting that."

Exploited is exactly how Jill Golick of Toronto feels. She has workedhard to protect her data by using two-factor authentication and adopting unique passwords, but herpersonal information was compromised during the LifeLabs breach.

Golick hasn't been told exactly how much of her data might have been accessed, but the company did have her personal contact information and results from her health tests, including blood work.

"I don't think that anybody went through all the effort of hacking LifeLabs without evil intent. There's so many different schemes you could carry out with this kind of data, whether it's identity theft, just getting credit card numbers, there could be blackmail," she said.

"I find it incredibly upsetting, I take my cybersecurity very seriously."

So far, she hasn't noticed any fallout from the breach.

Hospitals may also hold a patient's credit card information as well as personal data, said Andrew Nemirovsky, a senior director of information management and information technology for the Nova Scotia Health Authority. For instance, a patient may have paid for a semi-private room.

He said while information from acredit card sells for about a dollar online, a U.S. citizen'shealth data can sell for $100 to $200, although he suspectsCanadianhealth information would go for less as itcontains less financial information.

To deal with the problem, some experts wantthe federal government to imposenationalstandards to force health-care organizations to update their cybersecurity and better protectpatients. Qureshi would even like those standards extended to all public-sector institutions.

Cloutier said the federal government should set aside money specifically to help health-care organizations improve their cybersecurity, which he estimates could cost billions of dollars.

Inmid March Health Canadaspokesperson Marie-Pier Burellesaid in an email that it has taken action to address cybersecurityby creating a digital health division to assess the safety and effectiveness of digital health technologies like wireless medical devices and mobile medical apps.

And while no federal regulations exist forcing cybersecurity standards on hospitals or clinics, Health Canada did helpdevelop guidelines that "provide cybersecurityrecommendations to stakeholders," said Burelle. Those stakeholders include health-care providers, regulators and medical-device manufacturers.

Not everyone is sold on the idea of a national standard, though.

Carter-Langford, with Canada Health Infoway, said since the cybersecurity landscape is constantly changing, it would be difficult to put in any minimum security standards because what's appropriate today might not be good enough tomorrow.

"The slowest thing to create change is often the law, when we as organizations can use the tools we have and the systems we have to do better. And when we as individuals can make better choices and as consumers drive improvement," she said.

Still, the attacks keep coming.

In Nova Scotia, phishing emailshave attempted to trick the health authority's payroll and human resources departments into putting money into an unauthorized account.

"They send through a message saying that 'I'm so and so, my banking information has changed, can you please update it?' And they even include a copy of a void cheque, so it's very sophisticated,"Nemirovskysaid.

The health authorityhas now stopped taking those requests via email.

Even the appointment of Brendan Carr as the health authority'snew CEO prompted more cyberattacks, showing how criminals are paying attention to local developments and tailoring their attacks.

"The bad actors were starting to send out emails from 'Brendan Carr' asking for immediate updates and people to click on links," said Nemirovsky.

Both Cloutier, a victim in the LifeLabs hack, and experts sayCanadians need to understand the seriousness of the problem.

"This is a real risk to Canadian health care, it can impact you and your family, " said Shipley.