Byron Holland is president and chief executive officer of the Canadian Internet Registration Authority.
In November, Newfoundland and Labrador residents saw their health care system grind to a halt after the province was hit with what one expert described as the worst cyberattack in Canadian history. The event followed similar incidents affecting Toronto and Ottawa-area health facilities. And cybersecurity is a problem that goes beyond health care: Recently, for example, Quebec shut down almost 4,000 government websites after the threat of an online attack.
Together, these attacks have prompted a national conversation about what can be done to protect critical infrastructure that we, as Canadians, depend on. It’s tempting to look to technology for the solution. Which app or service can prevent attacks such as these from ever happening again? These are important discussions to have. But right now, the single greatest cybersecurity threat facing Canada’s health networks may be the underfunding of our health care system.
“How do we fix Canada’s health care system?” is one of our country’s most enduring debates. While the COVID-19 pandemic has demonstrated the courage of our front-line care workers, it has also exposed the frailties of our overburdened system.
It is no secret that the virus has placed a huge demand on our health care facilities. It has greatly reduced our capacity to provide non-emergency services and created a huge surgery backlog while driving an unprecedented surge in health care spending. Experts warn that, post-pandemic, provincial health care systems will face serious financial challenges as they struggle to get back on their feet – and their IT departments will not be spared from this.
Health care IT professionals across the country are facing increased pressure. A recent survey by the Canadian Internet Registration Authority (CIRA) found that 35 per cent of security professionals working in the MUSH sector (municipalities, universities, schools and hospitals) say that the number of cyberattacks has increased during the pandemic.
In the cybersecurity world, there’s a common saying: The weakest link in any organization’s cyberdefences is its people. Unfortunately, human error accounts for the vast majority of all data breaches or cyberincidents. All it takes is for one tired employee to open a suspicious attachment and, all of a sudden, they find their systems debilitated by a ransomware attack.
The best medicine here is education. Staff in any organization need to be trained to identify potential cyberthreats so they can avoid malicious attacks that expose sensitive data. And training requires resources.
While data from the CIRA survey shows that most MUSH sector organizations such as hospitals do provide some cybersecurity awareness training, it also reveals that they face resource challenges on that front. Many do not conduct the training frequently; 45 per cent of MUSH respondents report performing cybersecurity training annually or less. Meanwhile, the minority who say they don’t provide any cyberawareness training cite insufficient IT staff and the belief that training is too expensive among the top reasons for not doing so.
The bad guys are endlessly creative and cyberthreats evolve constantly. Staff in sensitive environments such as health care need frequent reminders to stay alert.
Many Canadians have been asking, “What can the government do to help?” Some have suggested that we make ransomware payments illegal, but privacy and security experts are split on the idea.
Ransomware is a business, after all, so cutting off payment seems like an easy fix at first. But the reality is more complicated. A local tire shop can refuse to pay the ransom, wipe their computers and start over from backups. But for organizations such as hospitals – which guard troves of highly sensitive, personal information – the calculations are different. Refusing to pay the ransom risks having confidential patient or employee data released online. In this case, refusal to pay could cause Canadians irreparable harm.
Banning ransomware payments is no panacea. But the federal and provincial governments can play a leadership role in preventing future cyberattacks by dedicating new funding for cybersecurity capacity in health care institutions. Right now, arming Canada’s health care IT departments with the resources they need to train staff and protect their networks might be the single best thing we can do to stop future attacks.
As the old health care maxim goes, the best treatment is prevention.