Health care industry warned again it’s in the cross-hairs of cyber-thieves

Health care providers and insurers are seeing 340 per cent more security incidents and attacks than most industries, according to a report issued today.

The numbers, gleaned from a global survey last year by security provider Raytheon Websense, is another warning to the industry that the personal and financial information they hold is seen by cyber thieves as at least as important, if not more, than data held by retailers and governments.

In an interview Robert Slocum, Websense’s senior security product marketing manager, noted that a health care record on the black market is 10 times more valuable than credit card info.

Last year health providers and insurers were 200 per cent more likely to encounter phishing lures and redirects than most industries, today’s report pointed out.

Attacks on commercial companies like Target, Sony, and the U.S. and Canadian governments have been headlined. But there have also been huge breaches in U.S. medical industry this year, including insurer Anthem Inc.  where account information of as many as 80 million customers was exposed.

In Canada, hospitals or regional health authorities still hold patient records despite provincially-run medicare. Unlike the U.S., where many patients aren’t covered by private insurance and have to pay up front for care, institutions here won’t have much in the way of credit card data. But they will have some private health care information. opening the door to insurance fraud.

Not all provinces make it mandatory for hospitals to report breaches so some attacks may not have received public attention.

Still, Kevvie Fowler, a partner in KPGM Canada’s risk consulting services said in an interview this week that “a lot of health care providers (in Canada) don’t see the information as desirable to attackers, in contrast to credit card or finance data. I think that leads to a false sense of security.”

“There are quite a few breaches that have been reported — some not publicly — that involve health care information,” he added.

In August KPMG issued a report that said four-fifths of executives at U.S. healthcare providers and payers surveyed believe their information technology has been compromised by cyber-attacks. That report conclude the U.S. healthcare industry is behind other American industries in protecting its infrastructure and electronic health records because of outdated clinical technology, insecure network-enabled medical devices, and an overall lack of information security management processes.

That report, though, was a U.S.-focused study. Fowler couldn’t say how the Canadian healthcare industry compares to the U.S., other than to suggest the value of personal and health information to thieves knows no boundaries.

Slocum said not only do CISOs have to deal with personal medical records, increasingly they have to deal with personal data collected by Internet-connected medical devices. Protecting data on the so-called Internet of Things is still in a fledgling stage.

In addition, there’s the threat of insiders accessing data for their own purposes. Last year, for example, staff accessed former Toronto mayor Rob Ford’s medical records at an institution at three hospitals where he was being treated for cancer. It wasn’t clear if they saw paper or computer files.

Slocum said he knows of a case in the U.S. where a surgeon uploaded copies of patient files to Dropbox to use at the adjoining medical school where he teaches. It wasn’t to gain any advantage, but it was a privacy breach nevertheless. “The doctor saw nothing wrong with what he was doing,” Slocum said — give med students up to date training.

In a lot of ways, he acknowledged, CISOs have to meet the challenges of health data protection the same way as any industry: By following best practices, staff education, understanding the flow of data and where the risks are — increasingly, for example, doctors want to access data remotely — and having a data theft prevention program.

Fowler did say that boards of Canadian health institutions are getting more involved in the awareness and management of cyber risk.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now