NS. JOHN’S, NL –
The cyber attack on Newfoundland and Labrador’s healthcare systems is another urgent signal that Canada needs better regulations around protecting personal health information from experts, experts say. hackers and the need for a unified response plan when healthcare services are under siege.
Paul-Emile Cloutier, president and chief executive officer of HealthCareCAN, a group that represents organizations such as research hospitals and health authorities.
“I think we’ve come after about 10 years to look at this in a very sophisticated way,” Cloutier said in an interview earlier this week. “And I think we need to put a lot of attention (on it), and it needs to be done immediately.”
Provinces follow individual standards for the protection of personal health information, he said, adding that he would like to see national standardized rules. “We need to develop a national strategy and really have a big, strong national response to protect our health care system across the country,” he said.
Cyberattacks targeting Canadian healthcare providers are becoming more frequent and difficult to give up, he said. Kempville County Hospital near Ottawa closed its emergency department following a “cyber incident” on October 20, 10 days before hackers took away Newfoundland and Labrador’s healthcare IT systems. The website of Ottawa’s Rideau Valley Medical Center is still grappling with a “cybersecurity incident”. Toronto’s Humber River Hospital, meanwhile, was attacked in June.
Newfoundland and Labrador are still recovering; The province’s largest health agency said on its website it was conducting chemotherapy appointments “in reduced numbers” and routine checkups were not yet available.
Cyberattacks on digital health infrastructure are not unique to Canada. A woman in Germany died last September after a cyberattack on a local hospital forced her to be transferred to another city and delayed her care, the Associated Press reported.
Anne Genge, chief executive officer of Alexio, an Ontario-based cybersecurity company specializing in healthcare, says there’s another pressing concern: particularly sensitive personal health information, sometimes reveal intimate details about a patient’s mental or sexual health. She said in a recent interview that stolen personal health information could be used to blackmail people once the cyberattack is resolved.
In the United States, agencies and providers must report to the federal government any breach of personal health information that affects 500 or more individuals. Those violations were posted to the US Department of Health and Human Services website on what experts have called a “wall of shame”.
Those rules are part of that country’s Health Insurance Portability and Portability Act, or HIPAA, which sets out national standards for protecting patient health information. However, Canada does not have a similar reporting requirement, nor does it have a federal health information law comparable to HIPAA, Genge said.
The authorities of Newfoundland and Labrador have yet to say what type of attack affected their health networks, nor whether those behind it have demanded a ransom. However, the government said some of the patients’ personal health information was stolen.
Kate Borten, president of the Marblehead Group, a healthcare cybersecurity company in the US, said that the attack in Newfoundland and Labrador would certainly create Canada’s “wall of shame” – if such legislation were to be. exist, she said.
Genge pointed to the wall of shame as an example of the kind of accountability and transparency that Canadian and provincial laws require.
“Reporting usually occurs only when there is a clear major violation,” she said, agreeing with Cloutier that Canada desperately needs clear, enforceable rules about “collection, storage, use, transmission and dispose of” personal health information.
Right now, Genge said, “there’s no provincial standardization, no federal standardization, in terms of how they operate it.” There are very few rules about vetting cybersecurity measures that have been put in place and “very little consequence” for those who don’t comply, she said.
She said: The law needs to cover the training of employees, including IT staff working at companies in the healthcare sector. “Your organization is only as strong as the one who cares the least about what they have to do,” says Genge.
Like Cloutier, Genge also hopes the assault on Newfoundland and Labrador’s health care systems will spur a rapid coordinated effort from Ottawa and the provinces to begin crafting and enacting new legislation.
When and if that happens, “I’d love to be riding on the main pontoon for that parade,” she said.
This Canadian Press report was first published on November 17, 2021.
