Management, lack of money blamed for poor cybersecurity at Canadian hospitals

The biggest impediment to improving the cybersecurity of Canadian hospitals is “lack of focus” of management and lack of money, says the head of the country’s .ca registry.

Byron Holland, chief executive officer (CEO) of the Canadian Internet Registration Authority (CIRA), told a Tuesday Globe and Mail webinar on cybersecurity in the healthcare sector that just short of 30 per cent of all organizations in this country have suffered a data breach.

“If a third of homes were broken into, or a third of business and hospitals were being [physically] criminalized, there would be an incredible uproar,” he argued.

But in the digital world, people don’t see the impact, so there is little support for more resources. CIOs and IT pros in healthcare tell CIRA the number one reason hospitals find it hard to fight cyber attacks is “lack of focus and money” to put in systems and technologies to keep up with the volume of attacks, Holland said.

Hospital management needs “a mindset upgrade,” he maintained. Cybersecurity “is an executive problem. This is a CEO, senior executive board problem, because there is liability and fiduciary risk at the top of the organization.”

They need to understand the solution is taking holistic security seriously — everything from installing multilayered defence in depth and DNS hardened firewalls to multifactor authentication and access control. These, he said, are “table stakes.”

But he also said that cybersecurity “is not just the IT folks’ problem.”

In fact, he claimed that “most compromises happening now are because people are compromised, not a firewall or a piece of tech.” That’s why cybersecurity awareness training is also important, he said.

Panel members included Jeff Curtis, chief privacy officer at Toronto’s Sunnybrook Health Sciences Centre; Steven Tam, chief data governance and privacy officer at Vancouver Coastal Health, which oversees all hospitals in the Vancouver area; and Hudda Idrees, CEO of Dot Health, a provider of mobile healthcare solutions for individuals and healthcare providers.

Hospitals and clinics have long been targets of hackers who believe the institutions are more willing than others to pay for the return of stolen data. For-profit hospitals and clinics are seen as a source of credit and debit card information in addition to sensitive medical data on patients. Non-profit hospitals often don’t have the money to make cybersecurity a priority.

Hospitals in Canada recently hit include Toronto’s Hospital for Sick Children and Lindsay, Ont.’s Ross Memorial Hospital. In the U.S., where for-profit hospital chains serve millions of people, California-based Regal Medical Group is now sending data breach notices to more than three million patients after suffering a ransomware attack late last year.

One of the worst attacks in Canada took place in Newfoundland and Labrador in 2021, when attackers copied years of patient and employee data from the provincial system.

Hospitals aren’t the only healthcare institutions hit. In 2019, hackers accessed medical lab results of 15 million Canadians when LifeLabs, the country’s biggest medical lab serving doctors, was hacked. The privacy commissioners of Ontario and British Columbia said the company failed to follow provincial health data protection laws.

Despite billions of dollars in annual healthcare spending in Canada, “funding for cybersecurity is getting short shrift,” Holland told the panel.

He got support for that from Idrees, who noted Ontario alone spends $70 billion a year on healthcare. “I don’t think it’s lack of funding. It’s just that people don’t think it [cybersecurity] is important enough.” While the province has set up a Digital Health Information Exchange, she said spending on “practical, tangible pieces of software or training … is seriously lacking.”

Hospitals spending more on IT in general will only exacerbate the problem, said Curtis. Money has to be targeted for cybersecurity.

However, he also said for better security, more institutions should be adopting shared systems. For example, there are shared diagnostic imaging services in Ontario used by many hospitals and medical practitioners.

He and others also pointed to a serious problem in Canadian hospitals: Legacy software and hardware that impedes the adoption of more secure technologies.

Tam said hospital CEOs and CIOs have to see cybersecurity as separate from IT in their budgets.

Proper governance is also important, he said. “We need to come together to collectively tackle these issues, to identify what the risks are and identify the solutions. If we’re working together, we can also improve our [cybersecurity] practices across the board. We have a diverse, broad healthcare system. We need to think how we govern our data and systems across the healthcare sector” rather than one hospital at a time.

The post Management, lack of money blamed for poor cybersecurity at Canadian hospitals first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.