Mobilizing the frontline to protect patient health information
Cyberattacks on large healthcare organizations and health authorities across Canada continue to make news in 2019, proving that even an extensive security infrastructure cannot always prevent a cyberattack. In October of this year, hackers crippled the computer systems of three Ontario hospitals, likely through malware that penetrated the systems when an employee opened an infected email attachment. While technical safeguards are important, even the best anti-virus software and firewalls are not enough to effectively safeguard a practice against increasingly sophisticated attacks that bypass these safequards by exploiting human vulnerability. Cybercriminals will target individuals with the knowledge that simple, daily tasks can make a system vulnerable.
This human factor and the value of patient health information to cyber-criminals – a medical record can sell for up to $1000 on the dark web – is why small- and medium-sized clinics share many of the same vulnerabilities as large organizations. This reality means that the frontline staff is as critical to protecting patient safety in the virtual environment as it is in clinical practice. A comprehensive cybersecurity education and awareness program is crucial to help protect physicians, clinics, and patients from a breach.
Healthcare providers and administrative staff face multiple and varied cybersecurity risks every day. A threat can arise when using everyday tools like email, fax, USB keys, or the EMR; when communicating with clinic service providers or other healthcare providers in the community about prescriptions, test results, or requests for consultation; or when working remotely with clinic data. Actions as simple as staying logged in while taking a coffee break can compromise the security of an organization and lead to a breach.
Safeguarding against “social engineering”
Cybercriminals frequently use psychological manipulation also called “social engineering” tactics to deceive, or “hack”, their targets. This commonly includes “phishing”, which is an attempt to scam users through fraudulent emails or web pages convincing staff to click on a link or download a file. This can allow malicious software, or “malware”, to infect a system. They may also aim to trick people into providing or confirming bank, credit card, or other login information, like usernames and passwords.
Given the popularity of these types of attacks, awareness training and behaviour change surrounding cybersecurity that includes ongoing vigilance on the part of all team members is needed to prevent a breach. Training and support are critical to inform and sustain these efforts. For example, a program that used ongoing and tailored simulation-based training bursts helped the University of New Brunswick reduce the number of staff members who fell prey to a phishing email scam from 1 in 3 to 1 in 20.
Understanding your responsibilities
A privacy breach can be costly, resulting in downtime, loss of access to patient and scheduling information, and damage to the clinic’s reputation. Physicians, as the custodians of patient health information, are often assumed to bare the sole responsibility of safeguarding patient privacy, but in reality, preventing a breach requires a team effort.
In addition to training and support, administrative policies can set staff up for success as well as potentially contain an attack in progress and minimize the impact of a breach. Clinics should have procedures for the secure storage and sharing of health records; the use of portable electronics to access records and clinic systems offsite; and for communicating online and by phone with patients, providers, and other third parties.
In this rapidly evolving legal environment, these policies and procedures must be kept up-to-date to ensure compliance with current legislation. For example, in October of 2018, the Information and Privacy Commissioner of Ontario released guidelines for responding to health privacy breaches. These guidelines include the requirement that health organizations have privacy breach protocol as well as detail the immediate actions that organizations must take in response to a breach, including notification, reporting, and remediation.
Knowing the risks
Every clinic and staff member will encounter unique cybersecurity risks based on day-to-day interactions. A comprehensive risk assessment can identify vulnerabilities within the clinic and allow for tailored learning interventions to the areas most in need of improvement.
Given that the theft of patient health information is among the most lucrative cybercrimes, new threats and vulnerabilities are continually emerging.
Receiving updates on new scams and tactics as they develop is a simple way to enhance awareness and provide an added layer of protection. For example, integrating cybersecurity news updates into a clinic’s ongoing internal communications can help to keep these risks top of mind for staff.
Leveraging awareness training and tools
Multifaceted cybersecurity awareness programs that reinforce the human defence against breaches are a critical part of the solution to the growing threat of cybercrime in healthcare. However, many clinics may not be aware of this reality and that effective, affordable education programs exist. They are available, and some are specifically designed for healthcare clinics.
Saegis, a subsidiary of the CMPA, recently launched the Saegis Cybersecurity Solution specifically to provide small-and medium-sized clinics with cybersecurity and privacy resources. It provides team risk assessments as well as tailored ongoing education and tools to empower all clinic staff to protect patient data from a cyberattack.
 “Ransomware hits three Ontario hospitals” Canadian Healthcare Technology, October 8, 2019, https://www.canhealth.com/2019/10/08/ransomware-hits-three-ontario-hospitals/
 "Here’s How Much Your Personal Information Is Selling for on the Dark Web”, by Brian Stack, ©2019 Experian Information Solutions, Inc. https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/. Accessed October 9, 2019
 Information and Privacy Commissioner of Ontario. Responding to a Health Privacy Breach: Guidelines for the Health Sector. Toronto: IPCO, October 2018.