N.L. cyberattack shows Canada needs national rules to protect personal data: experts
The cyberattack on Newfoundland and Labrador's health-care system is yet another urgent signal that Canada needs better rules around protecting personal health information from hackers and needs a unified response plan when health-care services are under siege, experts say.
Lives are at stake and action is needed now, said Paul-Emile Cloutier, president and chief executive officer of HealthCareCAN, a group representing organizations such as research hospitals and health authorities.
"I think that we're about 10 years behind in looking at this in a very sophisticated way," Cloutier said in an interview earlier this week. "And I think we need to put a lot of attention (on it), and it needs to be done immediately."
Provinces follow individual standards for protecting personal health information, he said, adding that he would prefer to see national, standardized rules. "We need to develop a national strategy and really have a major, robust national response to protect our health-care systems across the country," he said.
Cyberattacks aimed at Canadian health-care providers are growing more frequent and unlikely to let up, he said. The Kemptville District Hospital near Ottawa closed its emergency department after a "cyber incident" on Oct. 20, 10 days before hackers took out Newfoundland and Labrador's health-care IT system. Ottawa's Rideau Valley Health Centre is still grappling with a "cybersecurity incident," its website says. Toronto's Humber River Hospital, meanwhile, was hit in June.
Newfoundland and Labrador is still recovering; chemotherapy appointments are going ahead "at a reduced capacity," and routine screenings are still not available, the province's largest health authority says on its website.
Cyberattacks on digital health infrastructure aren't only happening in Canada. A woman in Germany died last September after a cyberattack on a local hospital forced her to be transferred to another city and delayed her care, The Associated Press has reported.
There's another pressing concern: personal health information is particularly sensitive, sometimes revealing intimate details about patients' mental or sexual health, said Anne Genge, chief executive officer of Alexio, an Ontario-based cybersecurity company that specializes in health care. Stolen personal health information can be used to blackmail people long after a cyberattack is resolved, she said in a recent interview.
In the United States, agencies and providers must report to the federal government any breaches to personal health information affecting 500 individuals or more. Those breaches are posted to the website of the U.S. Department of Health and Human Services on a site known among experts as the "wall of shame."
Those rules are part of that country'sHealth Insurance Portability and Accountability Act, or HIPAA, which lays out national standards to protect patient health information. Canada, however, has no similar reporting requirements, nor does it have federal health information laws comparable to HIPAA, Genge said.
The Newfoundland and Labrador government still hasn't said what type of attack has affected its health network, nor whether those behind it have asked for a ransom. The government, however, has said some patients' personal health information had been stolen.
Kate Borten, president of the Marblehead Group, a health-care cybersecurity firm in the U.S., says the attack in Newfoundland and Labrador would certainly make the cut for a Canadian "wall of shame" -- if such legislation existed, she said.
Genge pointed to the wall of shame as an example of the kind of accountability and transparency that should be required by Canadian and provincial legislation.
"Reporting is generally only happening when there's a big breach that's obvious," she said, adding that she agrees with Cloutier that Canada desperately needs clear, enforceable rules about "the collection, the storage, the use, transmission and disposal" of personal health information.
Right now, Genge said, "there's no standardization provincially, there's no standardization federally, in how they are to operationalize it." There are few rules about auditing cybersecurity measures already in place, and "very little in the way of repercussions" for those who don't comply, she said.
Legislation needs to cover employee training, including IT employees who work at companies in the health-care sector, she said. "Your organization is only as strong as the person with the least amount of interest in doing what they're supposed to do," Genge said.
Like Cloutier, Genge also hopes the attack on Newfoundland and Labrador's health-care system will prompt a swift, concerted effort from Ottawa and provincial governments to begin drawing up and enacting new legislation.
When and if that happens, "I want to be riding on the main float for that parade," she said.
This report by The Canadian Press was first published Nov. 17, 2021.
CTVNews.ca Top Stories
BREAKING New York appeals court overturns Harvey Weinstein's 2020 rape conviction from landmark #MeToo trial
New York’s highest court on Thursday overturned Harvey Weinstein’s 2020 rape conviction, finding the judge at the landmark #MeToo trial prejudiced the ex-movie mogul with improper rulings, including a decision to let women testify about allegations that weren’t part of the case.
BREAKING Monthly earnings rise, payroll employment falls: jobs report
The number of vacant jobs in Canada increased in February, while monthly payroll employment decreased in food services, manufacturing, and retail trade, among other sectors.
Doctors say capital gains tax changes will jeopardize their retirement. Is that true?
The Canadian Medical Association asserts the Liberals' proposed changes to capital gains taxation will put doctors' retirement savings in jeopardy, but some financial experts insist incorporated professionals are not as doomed as they say they are.
Remains from a mother-daughter cold case were found nearly 24 years later, after a deathbed confession from the suspect
A West Virginia father is getting some sense of closure after authorities found the remains of his young daughter and her mother following a deathbed confession from the man believed to have fatally shot them nearly two decades ago.
Something in the water? Canadian family latest to spot elusive 'Loch Ness Monster'
For centuries, people have wondered what, if anything, might be lurking beneath the surface of Loch Ness in Scotland. When Canadian couple Parry Malm and Shannon Wiseman visited the Scottish highlands earlier this month with their two children, they didn’t expect to become part of the mystery.
Metro Vancouver mayors call for serial killer Robert Pickton to be denied parole
A dozen mayors from around Metro Vancouver say federal Attorney General and Justice Minister Arif Virani should deny parole for notorious B.C. serial killer Robert Pickton, and reassess the parole and sentencing system for 'prolific offenders and mass murderers.'
What do weight loss drugs mean for a diet industry built on eating less and exercising more?
Recent injected drugs like Wegovy and its predecessor, the diabetes medication Ozempic, are reshaping the health and fitness industries.
2 military horses that broke free and ran loose across London are in serious condition
Two military horses that bolted and ran miles through the streets of London after being spooked by construction noise and tossing their riders were in a serious condition and required operations, a British government official said Thursday.
'It was instant karma': Viral video captures failed theft attempt in Nanaimo, B.C.
Mounties in Nanaimo, B.C., say two late-night revellers are lucky their allegedly drunken antics weren't reported to police after security cameras captured the men trying to steal a heavy sign from a downtown business.