Hospitals Under Siege

By Nasir Mundh & Yves Renaud

With more Canadians working from home, a spike in the volume of business being conducted online and the number of connected devices in buildings growing at an ever-increasing rate, organizations have seen a rise in cybersecurity-related issues. Healthcare facilities are no exception to these incidents. A 2020 global report showed Canada’s healthcare sector experienced the most dramatic increase compared to other countries, with a 250 per cent uptick in attacks. This is especially concerning during a time when hospitals are operating at full capacity and cannot afford any downtime.

As healthcare facilities adopt and deploy new technologies, how can they effectively manage the cybersecurity aspect of operations and protect themselves and their data?

Although no system will ever be foolproof, there are key considerations every hospital administrator, facility manager, IoT (Internet of Things) engineer and software developer should keep in mind to minimize any damage and protect patients. Only then can hospitals identify and adopt best practices to effectively manage threats and mitigate cybersecurity risks.

Cybersecurity for healthcare facilities is subject to extremely stringent standards and protocols. And rightfully so. Hospitals are a critical institution — when it comes to public health and saving patient lives, tampering with digital devices is simply unacceptable. The very nature of the work these cyber systems and software manage are integral to a hospital’s success and positive patient outcomes.

It is no surprise the primary concern for any healthcare facility moving to a digitally connected ecosystem is cybersecurity. The ecosystem’s capability to make decisions based on data means any disruption or manipulation of that data could have serious repercussions; hence, the necessity to act quickly when there’s a data threat. This is exactly what happened when IT systems for Ireland’s health service had to be taken offline as a precaution due to a cyber security threat. This affected outpatient appointments and posed a potential risk to Ireland's COVID-19 vaccination program. With so much on the line, the ability to identify risk and act fast in this type of situation is crucial.

Since the onset of the pandemic, 32 per cent of Canadians have made the transition to remote work, according to Statistics Canada. Businesses were forced to adapt quickly to connect their employees to physical assets on-site. While working remotely offers advantages, it relies on systems like WiFi connections, non-hardened work devices and collaboration apps that could be more vulnerable to cyberattacks.

Hackers see these points of vulnerability as an opportunity to take advantage of hospitals and the data they’re collecting. Last year, the world saw a 45 per cent spike in the volume of cyberattacks targeting healthcare organizations, with Canada taking the number one spot for the most dramatic increase.

Superhospitals and medical research facilities are no longer just a convenient target for the average hacker looking to make a quick dollar through a ransomware attack. While hackers can make money from patient data through blackmail or by selling data records to the highest bidder, attacks against hospitals are becoming more sophisticated as the people engaging in them have greater resources. Cyber criminals have grown increasingly savvy during the pandemic and are targeting businesses using a variety of methods. Some attacks have also become more prominent like the crippling of digital infrastructure.

t On 14 May, the Health Service Executive, which runs Ireland's healthcare system, suffered a major ransomware cyberattack that caused all of its IT systems nationwide to be shut down.

Canadian healthcare facilities are more vulnerable now than ever to cyberattacks, so it’s time for healthcare organizations to start thinking realistically about the risks to and vulnerabilities of their healthcare network and how to best protect their facility.

There are three key elements that must be addressed to ensure a cybersecure digitized healthcare facility. The first is the use of appropriate technology while implementing cybersecure products, software and network architecture. A hospital’s digital solutions provider should follow a series of standards like ISA/ IAC 62443 that specify security capabilities for control system components. Next is to have a comprehensive set of processes and procedures to follow when using technology and that regulates cybersecurity best practices. Healthcare facilities must also work together with their vendors and partners to share knowledge of cybersecurity risks and mitigation strategies, as well as regulatory compliance. Finally, it is important that people in the facility are trained and have ownership of keeping the hospital cyber secure. Good cybersecurity begins with the user. When hospital staff know and are kept up-to-date on best practices, the risks of an attack or data breach decline significantly.

In a world where hospitals are becoming more digitally connected, advances in technology are pushing the limits of what they can do. But the risk posed by cyberattacks on the Canadian healthcare industry cannot be ignored. Vigilance is absolutely necessary to building more resilient security systems. All patients and visitors expect hospitals to be safe, clean and efficient. Secure must now be added to that list.