Management, lack of money blamed for poor cybersecurity at Canadian hospitals

The biggest impediment to improving the cybersecurity of Canadian hospitals is management’s “lack of focus” and a lack of money, says the head of the country’s .ca registry.

Byron Holland, chief executive officer (CEO) of the Canadian Internet Registration Authority (CIRA), told a Tuesday Globe and Mail webinar on cybersecurity in the healthcare sector that just short of 30 per cent of all organizations in this country have suffered a data breach.

“If a third of homes were broken into, or a third of business and hospitals were being [physically] criminalized, there would be an incredible uproar,” he argued.

But in the digital world, people don’t see the impact, so there is little support for more resources. CIOs and IT pros in healthcare tell CIRA the number one reason hospitals find it hard to fight cyber attacks is “lack of focus and money” to put in systems and technologies to keep up with the volume of attacks, Holland said.

Hospital management needs “a mindset upgrade,” he maintained. Cybersecurity “is an executive problem. This is a CEO, senior executive board problem, because there is liability and fiduciary risk at the top of the organization.”

They need to understand the solution is taking holistic security seriously: everything from installing multilayered defence in depth and DNS-hardened firewalls to multifactor authentication and access control. These, he said, are “table stakes.”

But he also said that cybersecurity “is not just the IT folks’ problem.”

In fact, he claimed that “most compromises happening now are because people are compromised, not a firewall or a piece of tech.” That’s why cybersecurity awareness training is also important, he said.

Panel members included Jeff Curtis, chief privacy officer at Toronto’s Sunnybrook Health Sciences Centre; Steven Tam, chief data governance and privacy officer at Vancouver Coastal Health, which oversees all hospitals in the Vancouver area; and Hudda Idrees, CEO of Dot Health, a provider of mobile healthcare solutions for individuals and healthcare providers.

Hospitals and clinics have long been targets of hackers who believe the institutions are more willing than others to pay for the return of stolen data. For-profit hospitals and clinics are seen as a source of credit and debit card information in addition to sensitive medical data on patients. Non-profit hospitals often don’t have the money to make cybersecurity a priority.

Hospitals in Canada recently hit include Toronto’s Hospital for Sick Children and Lindsay, Ont.’s Ross Memorial Hospital. In the U.S., where for-profit hospital chains serve millions of people, California-based Regal Medical Group is now sending data breach notices to more than three million patients after suffering a ransomware attack late last year.

One of the worst attacks in Canada took place in Newfoundland and Labrador in 2021, when attackers copied years of patient and employee data from the provincial system.

Hospitals aren’t the only healthcare institutions hit. In 2019, hackers accessed medical lab results of 15 million Canadians when LifeLabs, the country’s biggest medical lab serving doctors, was hacked. The privacy commissioners of Ontario and British Columbia said the company failed to follow provincial data health protection laws.

Despite billions of dollars in annual healthcare spending in Canada, “funding for cybersecurity is getting short shrift,” Holland told the panel.

He got support for that from Idrees, who noted Ontario alone spends $70 billion a year on healthcare. “I don’t think it’s lack of funding. It’s just that people don’t think it [cybersecurity] is important enough.” While the province has set up a Digital Health Information Exchange, she said spending on “practical, tangible pieces of software or training … is seriously lacking.”

Hospitals spending more on IT in general will only exacerbate the problem, said Curtis. Money has to be targeted for cybersecurity.

However, he also said for better security, more institutions should be adopting shared systems. For example, there are shared diagnostic imaging services in Ontario used by many hospitals and medical practitioners.

He and others also pointed to a serious problem in Canadian hospitals: legacy software and hardware that impede the adoption of more secure technologies.

Tam said hospital CEOs and CIOs have to see cybersecurity as separate from IT in their budgets.

Proper governance is also important, he said. “We need to come together to collectively tackle these issues, to identify what the risks are and identify the solutions. If we’re working together, we can also improve our [cybersecurity] practices across the board. We have a diverse, broad healthcare system. We need to think how we govern our data and systems across the healthcare sector” rather than one hospital at a time.

Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
