Cyberattacks on Canadian healthcare organizations, ranging from individual physicians to large healthcare institutions, have been increasing at an alarming rate. Successful attacks on large hospitals and regional authorities have made headlines, while clinics across Canada fell victim to attacks resulting in exposure of thousands of patient records. In fact, nearly 50% of breaches in Canada in 2019 occurred in the healthcare sector.
Taking Advantage of the Pandemic
To add to this continuing threat, cyber criminals are aggressively taking advantage of the current COVID-19 crises. The increased volume of communications and updates being sent to healthcare professionals, along with the prevalence of virtual care, has further increased the risk of cyberattacks. COVID-19 provides a perfect cover for emails disguised as official notices that contain malicious links to fake websites impersonating official organizations. The Canadian Centre for Cyber Security (CCCS) has identified over 1,500 websites posing as Government of Canada COVID-19 pages, designed to scam Canadians. The CCCS continues to warn Canada’s healthcare and medical research sector that they are of particular interest to cybercriminals, particularly state-sponsored ones.
Targeting Busy Healthcare Professionals
COVID19 provides the perfect environment for socially engineered cyberattacks. Cyber criminals use “social engineering” to exploit natural human vulnerability and hack busy healthcare workers. The most common form of social engineering is “phishing”, which is an attempt to trick recipients into clicking on a link or downloading an infected file. Successful phishes can lead to encrypted files, such as patients’ personal health information. Cyber criminals then demand a ransom payment to restore access to the files.
“The doctors are under attack,” says Dr. Dennis Desai, a physician advisor at the Canadian Medical Protective Association. “We are getting physicians on a regular basis saying, ‘I have a computer; I got locked out; I have ransomware.’”
Cybercriminals often consider the human element to be the weakest link in a healthcare organization’s security. With just one click, clinicians and staff can unknowingly infecting an entire organization’s IT systems with malware and other viruses.
Three Tips to Defend Against Phishing
- Verify the sender identity – check the email address carefully.
- Do not click on links or attachments – unless it is something you were expecting and the sender is known to you.
- Be suspicious of urgency – be wary of messages that encourage quick action. Stop to examine the email closely.
Cyber criminals are skilled at exploiting basic human psychology and tapping into fear, curiosity, and the desire to help. The email content is designed to manipulate employees into clicking before verifying the link is safe.
The Human Line of Defence
While a modern and robust IT network can be highly effective at preventing some cyberattacks, technology is only one component of a strong cyber defense. A cybersecurity-aware “human line of defence” is critical.
Training health care teams on day-to-day cyber security and privacy awareness best practices is an effective way to bolster that defence. A cyber security and privacy education program trains healthcare professionals to have “cybersafe” habits. Ongoing, evidence-based, and health care-specific training helps the team avoid a breach and identify and react appropriately if a breach should occur. Knowing that physicians are asking for help in understanding how to mitigate this threat, Saegis, a subsidiary of the CMPA, has released a free Cybersecurity eLearning module for healthcare workers across Canada. The brief course takes about 20 minutes to complete and can be accessed via their website – https://saegis.solutions/cybersecurity.
Top Three Cybersafe Habits for Virtual Care
- Log on safely – use multi-factor authentication and strong passwords
- Connect with care – always use a secure remote access solution. Do not use a shared wifi.
- Don’t get out of date – be sure to have a recent, secure, and recoverable back-up of patient data.
More comprehensive training programs in cybersecurity and privacy also exist, designed to establish and maintain cybersafe habits over the long term, as new threats evolve, and cyber criminals use new strategies. In addition to helping physicians and their teams avoid a breach, broader training can also inform them as to how to react appropriately if a breach should occur.
To summarize, a technological defence of firewalls and anti-virus software must be coupled with the “human defence”, in order to effectively guard against cyber-attacks in healthcare.