eHealth system hack an example of sector’s digital vulnerability
Health-care organizations ‘prime target’ for attacks, say cybersecurity specialists
SASKATOON - A recent cyberattack against Saskatchewan’s health-care system is the latest in a global string of incidents in which hackers go after health-care providers and companies.
eHealth Saskatchewan was hit with a ransomware attack last week that crippled administrative services, though it did not affect emergency patient care.
We spoke to cybersecurity experts to learn why health-care organizations are in the crossfire of hackers and what they can do to rebuild when they’re hit.
Q How does ransomware work?
A Ransomware is a type of malware that encrypts user files, preventing users from accessing their own data until they pay a fee.
It only takes one infected device to compromise an entire system.
Jonathan Coller, chief information security officer for the University of Saskatchewan, said attacks usually start with a “patient zero,” typically a single user who unwittingly opens an attachment in a malicious email.
“It might start small. Maybe you get someone who’s a lab manager with access to two machines,” Coller said. “Then it gets to the next person, and they have access to 10 or 100 machines, and then it keeps snowballing.”
Such emails are usually “spoofed,” which means they are designed to look like they’re from a familiar sender or a trusted source, he said.
“It only takes one person clicking a link to burn the whole house down,” Coller said.
Hackers can target tens of thousands of targets at once using automated attacks. eHealth CEO Jim Hornell said there are thousands of attempts to hack the organization every month. Coller said as much as 90 per cent of all the email sent to the U of S is spam.
“In the current digital world, hackers can jiggle every doorknob on the planet overnight,” Coller said.
Q Why would someone target a health-care system?
A Michael Castro, founder and president of boutique cybersecurity firm Riskaware based in Newmarket, Ont., said health-care organizations are the new “prime target” of hackers.
Health-care organizations hold a lot of personal data, he noted. Castro said health-care records can be more valuable than credit card numbers on the black market.
Such data can be used to steal identities or craft more sophisticated scams, which can allow hackers to steal from the people whose health-care records they have or from people with similar medical conditions.
And health-care organizations are big, complicated organizations with relatively little money to spend on cybersecurity, he said. Plus, their reliance on computer-operated machinery means they’re vulnerable to ransomware.
Coller said part of the problem is that software vendors are slow to upgrade security systems for devices like MRIs, making them easy to hack.
“They’re at the mercy of the vendor to release updates for very expensive pieces of equipment,” he explained.
Castro said in some cases, health-care organizations believe they need to pay the ransom to get their data back fast.
“You think of the potential impact on care or cancellation of surgery, or the fact lives could be at risk,” he said.
Castro said hospitals and clinics in the United States are regular targets for attacks. Often they opt to pay up.
And it’s not just the United States. The entire British National Health Service paid more than £90 million after it was hit with a ransomware attack in 2017.
In the recent attack on eHealth, there was little impact on patient care, and most of the effects have been felt on an administrative level. Hornell has said he isn’t aware of how much money the ransomware attack was demanding and that eHealth has no intention of paying the ransom. eHealth has said no personal patient data was compromised in the attack.
In La Ronge, the attack forced a health centre to disconnect from the network, which meant some departments reverted to manual processes. The Saskatchewan Cancer Agency also disconnected itself from the eHealth network to avoid being affected, creating a minor service disruption.
Q How can companies stop it?
A Some experts say getting hacked is not a matter of if, but when.
Dominic Vogel, founder and chief strategist of Vancouver-based firm Cyber SC, said the best strategy for companies is building a strong plan to recover systems once they’ve been attacked.
“Saying data breaches should never happen is like me saying ‘I’m never going to get sick,’” Vogel said. “You’re inevitably going to get sick. That’s why it’s so important for these companies to develop strong detection and response capabilities.”
Removing ransomware requires having good backups of systems and a plan for sealing off potential routes of attack, he explained. That can take hours or months depending on the extent of the attack and the quality of the backups.
If companies or organizations are attacked and don’t have those backups, they may be forced to either rebuild their entire IT system from scratch or pay the hacker, and there’s no guarantee the hacker won’t strike again.
“You might pay thousands of dollars to get your data back,” Coller said. “But getting rid of the infection is a separate issue.”
eHealth has said it has been working since last week to purge malware from its systems, although there’s no indication when the job will be finished.