The Ontario government has described its new model for healthcare as the biggest health system reform in 50 years, but according to a security expert, it’s leading to a spike in cyberattacks.
The province’s ongoing efforts to merge its health agencies and create local care co-ordination organizations called Ontario Health Teams are absent of a proper security framework, indicated Raheel Qureshi, the co-founder, and partner of iSecurity.
“What’s happening as a result of [the mergers] is hospitals are opening up their network to start to collaborate, but they aren’t talking security yet,” he told IT World Canada. “If I compromise one hospital, guess what? I can potentially get into 10 other hospitals and I can hold each one for ransom.”
Over the past year, hospitals and healthcare providers’ early attempts to become more connected – which is bullet point number four in the Ontario government’s list of outcomes achieved through a single Ontario health agency – have contributed to a 15 per cent increase in the number of reported breaches, according to iSecurity data that was shared with IT World.
Unauthorized access and ransomware were the top two threat vectors.
In October, ransomware became a national threat. The Canadian Centre for Cyber Security issued a country-wide alert about Ryuk ransomware, noting it was “affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad.”
Michael Garron Hospital, formerly known as the Toronto East General, was one of those victims.
Around the same time, the Listowel Wingham Hospitals Alliance said on Facebook its two hospitals in rural southwestern Ontario were suffering an “information technology system disruption, which means our clinical applications are affected.”
iSecurity’s client base includes companies outside of healthcare, but healthcare is by far the most targeted industry. In 2019, nearly 50 per cent of breaches detected and responded to by iSecurity were in healthcare.
One of those clients, a hospital, experienced more than 3,200 exploit attempts in October alone. And while Qureshi couldn’t specify which one it was, he confirmed that it’s a hospital within a health partner network that leads regional programs in the areas of cardiac care, oncology, nephrology, and trauma.
“They suffered a serious breach before but now they’re getting their infrastructure properly monitored so they can protect and block. However, now we’re seeing the attackers, who got a small taste with the initial breach, coming back to attack them to see if they can figure out a way to get back in,” explained Qureshi.
While Canada’s healthcare system is frequently touted on the world stage, it’s missing a cohesive digital strategy from province to province, says Peter Kendall, chief revenue officer for PetalMD, a healthcare firm that builds online management, communication, and planning tools intended for physicians. This is contributing to several problems including long wait times and poor information sharing.
“I think part of the reason Ontario and the rest of Canada is in this jam is that there’s been a whole bunch of individual decisions made that don’t meet specific standards, especially around the proper sharing of information across all health agencies,” Kendall told IT World in an interview.
Ontario’s new model for healthcare has been met with fierce criticism in 2019. In addition to backlash from politicians, Dr. Bob Bell, former Ontario deputy minister of Health, has described the reform as a rushed effort.
“I think this is kind of being made up as it goes along,” he told the CBC.