EDITORIALS Hack threatens health systems
Last week, a form of self-replicating virus was loaded onto the Internet, and spread through email systems to more than 70 countries. The “ransomware” program takes control of infected computers, encrypts whatever data are held there and prevents users from accessing their files. A message then appears on the screen, demanding payment in exchange for removing the encryption.
Britain was particularly hard hit. Forty-eight health trusts (similar to Canadian health authorities) were affected, and thousands of operations in hospitals across the country had to be cancelled.
So far, it appears Canada has been spared, as much by good fortune as good planning. But cyber experts are warning this was merely a forerunner of worse attacks to come.
The ransom amounts demanded in this instance were small — $300 to $600. But the sky is the limit. And while anyone can be targeted — hackers say they have stolen an upcoming Disney movie — health-care systems are particularly at risk.
That’s because the black-market value of medical records has soared in recent years. In the past, patient files were most often spied on for reasons of personal curiosity — to check up on a relative, perhaps, or to snoop on a celebrity.
But hackers have discovered that the personal information contained in patient records can be used to break into bank accounts or gain control of credit cards. The technology to replicate a person electronically is now a growth industry.
The dilemma is obvious. Electronic records are essential to health-care facilities. They cannot function without them.
Yet these files are potentially worth millions to hackers. Every day, health authorities in B.C. are deluged with millions of fake emails and other devices designed to steal information. These must be caught and eliminated before landing in anyone’s inbox.
There is no simple answer. Island Health uses a form of defence in depth, meaning multiple barriers are set up. Automatic intrusion-sensing systems operate non-stop. Networks are segmented so that if one portion is attacked, the rest are safe.
Employees are trained to recognize suspicious emails, and protocols are in place to guard against careless handling of records. Files are either anonymized or encrypted.
These are the first lines of defence. But Britain’s health trusts used those measures, and evidently they were not sufficient.
B.C.’s health-care agencies have gone two steps further. The transfer of information between sites and agencies is conducted on a closed network with no linkage to the Internet. That means it cannot be hacked through emails and the like.
And second, data are continually backed up to remote depositories that are hardened against intrusion.
In short, everything that can be done is being done. And yet the risk of failure cannot be discounted entirely, because human frailty is an ever-present threat.
Some years ago, the U.S. military built a secure server to hold that country’s most sensitive information. It, too, was inaccessible to the Internet.
But hackers found a way in. They planted a virus in one of the Pentagon’s less well-protected systems. When an employee carelessly took a thumb drive from his desktop and plugged it into the secure server, the virus came along for the ride.
Reportedly, that breach was sealed, literally, by gluing up all the thumb-drive portals on the secure server. But the lesson remains. Even if the proper technology is in place to prevent computer theft, employees make mistakes.
Last week’s events were a wake-up call that all of us should heed. Without powerful, sophisticated and continually updated safety measures, no one’s computer, cellphone or iPad is safe. This is the world we now inhabit.