Hackers target patient files for ransom
Hackers have repeatedly targeted Canadian doctors with ransomware recently, hobbling computer systems that hold thousands of medical records and impeding patient care, a major health-care organization says.
In the best-case scenario after the incidents, medical offices spend two or three days restoring their systems from backup sites; at worst they can lose masses of crucial data, the Canadian Medical Protective Association (CMPA) says.
In the meantime, physicians are missing key aspects of patients’ history when diagnosing health issues, says Dr. Dennis Desai, a physician adviser at the CMPA, which provides liability coverage for most of Canada’s MDs.
“The doctors are under attack,” he said. “We are getting physicians on a regular basis saying, ‘I have a computer, I got locked out, I have ransomware.’ … They’ve been asked to pay in bitcoin. They’re asking us, ‘Should I pay it?’”
The theoretical threat of ransomware to Canadian health care has been much discussed lately, especially since the global “WannaCry” outbreak struck several British hospitals in May.
The office of Brian Beamish, Ontario’s privacy commissioner, said Wednesday it has received 10 reports of ransomware attacks on doctors’ offices or clinics since the start of 2016, calling it an “increasingly dangerous” threat to the security of health records.
In simple terms, attackers freeze up computers by encrypting data, then demand a payment — usually in the digital currency bitcoin — to unlock the files.
No Canadian hospital — as opposed to a doctor’s office — has publicly admitted to being a victim. But Bill Tholl, chair of a federal committee on cybersecurity and critical infrastructure, confirmed Wednesday that it has happened here.
“There have been some hospitals that have been attacked and have paid ransom in bitcoin, in Canada,” he said. “It was the WannaCry kind of event … It’s not individual patient files; they lock up everybody.”
The CMPA published an article this week urging physicians to ensure they have robust backup systems, vigorously guard against infection by computer viruses — and not pay ransom if they are targeted.
It seems to be a burgeoning problem, with one expert estimating the number of ransomware attacks has soared 600 per cent just in the past year, said Tholl, former CEO of HealthCareCan, which represents hospitals and other medical facilities.
And for various reasons, medical data is a prime focus, 10 times more likely to be targeted than even banking information, he said.
That reality was driven home by WannaCry, which caused 16 hospitals in Britain’s National Health Service to shut down at least part of their operations.
In the U.S., at least two major facilities have taken significant hits from more isolated attacks. Computers at Erie County Medical Center in Buffalo were down for six weeks earlier this year after hackers demanded $44,000 in bitcoin, a sum the facility refused to pay.
Kevin Magee, a cybersecurity consultant on Tholl’s federal committee, said Canadian hospitals have so far been relatively unscathed, partly because they seem disciplined about installing security patches to protect against malware.
But WannaCry showed cyber criminals the lure of pursuing health-care institutions, where lives could be endangered by a sudden computer failure, Magee said.
The physician offices affected by ransomware typically have one computer system that covers everything from appointment scheduling to patient charts, Desai said. And more than 70 per cent of physicians now have electronic medical records. Being without those charts even for a couple of days is a problem, he said.
The CMPA, like most other experts, advises against paying a ransom, as it may simply set up the clinic to be menaced again, and is no guarantee files will be unlocked, Desai said.