Skip to main content

Main menu

  • Home
  • Content
    • Current issue
    • Past issues
    • Early releases
    • Collections
    • Sections
    • Blog
    • Infographics & illustrations
    • Podcasts
    • COVID-19 Articles
  • Authors
    • Overview for authors
    • Submission guidelines
    • Submit a manuscript
    • Forms
    • Editorial process
    • Editorial policies
    • Peer review process
    • Publication fees
    • Reprint requests
    • Open access
  • CMA Members
    • Overview for members
    • Earn CPD Credits
    • Print copies of CMAJ
  • Subscribers
    • General information
    • View prices
  • Alerts
    • Email alerts
    • RSS
  • JAMC
    • À propos
    • Numéro en cours
    • Archives
    • Sections
    • Abonnement
    • Alertes
    • Trousse média 2022
  • CMAJ JOURNALS
    • CMAJ Open
    • CJS
    • JAMC
    • JPN

User menu

Search

  • Advanced search
CMAJ
  • CMAJ JOURNALS
    • CMAJ Open
    • CJS
    • JAMC
    • JPN
CMAJ

Advanced Search

  • Home
  • Content
    • Current issue
    • Past issues
    • Early releases
    • Collections
    • Sections
    • Blog
    • Infographics & illustrations
    • Podcasts
    • COVID-19 Articles
  • Authors
    • Overview for authors
    • Submission guidelines
    • Submit a manuscript
    • Forms
    • Editorial process
    • Editorial policies
    • Peer review process
    • Publication fees
    • Reprint requests
    • Open access
  • CMA Members
    • Overview for members
    • Earn CPD Credits
    • Print copies of CMAJ
  • Subscribers
    • General information
    • View prices
  • Alerts
    • Email alerts
    • RSS
  • JAMC
    • À propos
    • Numéro en cours
    • Archives
    • Sections
    • Abonnement
    • Alertes
    • Trousse média 2022
  • Visit CMAJ on Facebook
  • Follow CMAJ on Twitter
  • Follow CMAJ on Pinterest
  • Follow CMAJ on Youtube
  • Follow CMAJ on Instagram
News

How hospitals can protect themselves from cyber attack

Brian Owens
CMAJ January 27, 2020 192 (4) E101-E102; DOI: https://doi.org/10.1503/cmaj.1095841
Brian Owens
St. Stephen, N.B
  • Find this author on Google Scholar
  • Find this author on PubMed
  • Search for this author on this site
  • Article
  • Figures & Tables
  • Responses
  • Metrics
  • PDF
Loading

Hospitals and health care systems have become a major target for hackers. The announcement that LifeLabs, Canada’s largest medical testing company, paid a ransom to retrieve the data of 15 million patients is just the latest in a string of cyber attacks aimed at stealing data or extracting money from health care organizations.

In September, the computer systems of three Ontario hospitals were crippled by a ransomware virus, an attack in which hackers encrypt data and demand payment to unlock it. And earlier in 2019, a similar attack hit Health Sciences North, shutting down computer systems across northern Ontario.

Hospitals are a popular target for several reasons, says Mark Gaudet, a cybersecurity expert at the Canadian Internet Registration Authority (CIRA). For one, they hold a great deal of valuable confidential data, and the move to electronic medical records has made those data more vulnerable. Hackers can get around $1 per record if they sell them in bulk, or up to $1000 for the records of specific people, he says.

Even if the hackers merely lock the data, hospitals can’t afford to lose access for long and might be more willing than other organizations to pay a ransom. “We provide life and death services,” says Dr. Joshua Tepper, CEO of North York General Hospital. “For that reason, we’re perceived as a high-value target.”

According to Gaudet, hospitals are also a relatively easy target because they have a “broad attack surface.” It’s hard to control physical access to equipment, he explains, and many medical devices use older operating systems that are difficult to update and easier for hackers to exploit.

But the biggest vulnerability for health care systems and hospitals is the same as for any other organization targeted by hackers, Gaudet says. “The main vector for attacks is people, through phishing or the more targeted spearphishing attacks,” in which hackers gather information using deceptive emails or websites, he explains. “Ninety percent of breaches start with a person.”

Health care workers seem to be more vulnerable to these kinds of attacks than others. One American study found that health care workers clicked on one out of every seven simulated phishing emails — a worryingly high rate, according to Gaudet.

That seems to be the cause of the September attack in Ontario that affected Michael Garron Hospital in Toronto. The virus spread from a single corporate laptop — likely someone clicked a link in a scam email or website, says Shelley Darling, director of communications for the hospital.

Figure

Recent ransomware attacks exposed cracks in health care cybersecurity.

Image courtesy of iStock.com/Farbentek

Although the attack did not lead to any patient information leaving the hospital’s system, nor any payment to the hackers, the effect on hospital operations was severe. It took 10 days to restore access to most systems including electronic medical records, and even longer to restore some less critical systems, says Dr. Patrick Darragh, the hospital’s chief medical information officer.

In response to the attack, the hospital required all staff to take further training in cybersecurity and beefed up its firewall, says Darragh. According to Gaudet, such steps can reduce the risk of future incidents substantially. He says the training offered by CIRA, for example, which includes simulated phishing attacks, can decrease clicks on malicious links by two-thirds. “Hospitals need to create a cybersecurity culture,” says Gaudet. “They already do a good job on privacy and data management, but on cybersecurity they have a long way to go.”

Even with strong firewalls and fully trained staff, future breaches are probably inevitable. Tepper says hospitals need to have procedures in place to minimize the disruption, as they do for any other emergency, like a fire or flood. In the attack on Michael Garron Hospital, for example, email and pagers were affected, so it was difficult to disseminate information throughout the hospital quickly. Darragh says the hospital collected cellphone numbers, which are now kept on a list for future emergencies. And with electronic records unavailable, the hospital needed to ensure that all staff, particularly younger staff, were able to revert to using paper charts.

“We have to have the mindset that it’s a matter of when, not if,” says Tepper. “We need to prepare for it as we would for any other adverse event.”

Footnotes

  • Posted on cmajnews.com on January 8, 2020

PreviousNext
Back to top

In this issue

Canadian Medical Association Journal: 192 (4)
CMAJ
Vol. 192, Issue 4
27 Jan 2020
  • Table of Contents
  • Index by author

Article tools

Respond to this article
Print
Download PDF
Article Alerts
To sign up for email alerts or to access your current email alerts, enter your email address below:
Email Article

Thank you for your interest in spreading the word on CMAJ.

NOTE: We only request your email address so that the person you are recommending the page to knows that you wanted them to see it, and that it is not junk mail. We do not capture any email address.

Enter multiple addresses on separate lines or separate them with commas.
How hospitals can protect themselves from cyber attack
(Your Name) has sent you a message from CMAJ
(Your Name) thought you would like to see the CMAJ web site.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Citation Tools
How hospitals can protect themselves from cyber attack
Brian Owens
CMAJ Jan 2020, 192 (4) E101-E102; DOI: 10.1503/cmaj.1095841

Citation Manager Formats

  • BibTeX
  • Bookends
  • EasyBib
  • EndNote (tagged)
  • EndNote 8 (xml)
  • Medlars
  • Mendeley
  • Papers
  • RefWorks Tagged
  • Ref Manager
  • RIS
  • Zotero
‍ Request Permissions
Share
How hospitals can protect themselves from cyber attack
Brian Owens
CMAJ Jan 2020, 192 (4) E101-E102; DOI: 10.1503/cmaj.1095841
Digg logo Reddit logo Twitter logo Facebook logo Google logo Mendeley logo
  • Tweet Widget
  • Facebook Like

Jump to section

  • Article
    • Footnotes
  • Figures & Tables
  • Responses
  • Metrics
  • PDF

Related Articles

  • No related articles found.
  • PubMed
  • Google Scholar

Cited By...

  • No citing articles found.
  • Google Scholar

More in this TOC Section

  • Monkeypox: tracking the global health emergency
  • Making sense of monkeypox death rates
  • Providing abortions to Americans could land Canadian doctors in legal trouble — without CMPA assistance
Show more News

Similar Articles

Collections

  • Areas of Focus
    • Health services
  • Topics
    • Health technology

 

View Latest Classified Ads

Content

  • Current issue
  • Past issues
  • Collections
  • Sections
  • Blog
  • Podcasts
  • Alerts
  • RSS
  • Early releases

Information for

  • Advertisers
  • Authors
  • Reviewers
  • CMA Members
  • CPD credits
  • Media
  • Reprint requests
  • Subscribers

About

  • General Information
  • Journal staff
  • Editorial Board
  • Advisory Panels
  • Governance Council
  • Journal Oversight
  • Careers
  • Contact
  • Copyright and Permissions
  • Accessibiity
  • CMA Civility Standards
CMAJ Group

Copyright 2022, CMA Impact Inc. or its licensors. All rights reserved. ISSN 1488-2329 (e) 0820-3946 (p)

All editorial matter in CMAJ represents the opinions of the authors and not necessarily those of the Canadian Medical Association or its subsidiaries.

To receive any of these resources in an accessible format, please contact us at CMAJ Group, 500-1410 Blair Towers Place, Ottawa ON, K1J 9B9; p: 1-888-855-2555; e: cmajgroup@cmaj.ca

Powered by HighWire