N.L. cyberattack shows Canada needs national rules to protect personal data: experts

The cyberattack on Newfoundland and Labrador's health-care system is yet another urgent signal that Canada needs better rules around protecting personal health information from hackers and needs a unified response plan when health-care services are under siege, experts say.
Lives are at stake and action is needed now, said Paul-Emile Cloutier, president and chief executive officer of HealthCareCAN, a group representing organizations such as research hospitals and health authorities.
"I think that we're about 10 years behind in looking at this in a very sophisticated way," Cloutier said in an interview earlier this week. "And I think we need to put a lot of attention (on it), and it needs to be done immediately."
Provinces follow individual standards for protecting personal health information, he said, adding that he would prefer to see national, standardized rules. "We need to develop a national strategy and really have a major, robust national response to protect our health-care systems across the country," he said.
Cyberattacks aimed at Canadian health-care providers are growing more frequent and unlikely to let up, he said. The Kemptville District Hospital near Ottawa closed its emergency department after a "cyber incident" on Oct. 20, 10 days before hackers took out Newfoundland and Labrador's health-care IT system. Ottawa's Rideau Valley Health Centre is still grappling with a "cybersecurity incident," its website says. Toronto's Humber River Hospital, meanwhile, was hit in June.
Newfoundland and Labrador is still recovering; chemotherapy appointments are going ahead "at a reduced capacity," and routine screenings are still not available, the province's largest health authority says on its website.
Cyberattacks on digital health infrastructure aren't only happening in Canada. A woman in Germany died last September after a cyberattack on a local hospital forced her to be transferred to another city and delayed her care, The Associated Press has reported.
There's another pressing concern: personal health information is particularly sensitive, sometimes revealing intimate details about patients' mental or sexual health, said Anne Genge, chief executive officer of Alexio, an Ontario-based cybersecurity company that specializes in health care. Stolen personal health information can be used to blackmail people long after a cyberattack is resolved, she said in a recent interview.
In the United States, agencies and providers must report to the federal government any breaches to personal health information affecting 500 individuals or more. Those breaches are posted to the website of the U.S. Department of Health and Human Services on a site known among experts as the "wall of shame."
Those rules are part of that country'sHealth Insurance Portability and Accountability Act, or HIPAA, which lays out national standards to protect patient health information. Canada, however, has no similar reporting requirements, nor does it have federal health information laws comparable to HIPAA, Genge said.
The Newfoundland and Labrador government still hasn't said what type of attack has affected its health network, nor whether those behind it have asked for a ransom. The government, however, has said some patients' personal health information had been stolen.
Kate Borten, president of the Marblehead Group, a health-care cybersecurity firm in the U.S., says the attack in Newfoundland and Labrador would certainly make the cut for a Canadian "wall of shame" -- if such legislation existed, she said.
Genge pointed to the wall of shame as an example of the kind of accountability and transparency that should be required by Canadian and provincial legislation.
"Reporting is generally only happening when there's a big breach that's obvious," she said, adding that she agrees with Cloutier that Canada desperately needs clear, enforceable rules about "the collection, the storage, the use, transmission and disposal" of personal health information.
Right now, Genge said, "there's no standardization provincially, there's no standardization federally, in how they are to operationalize it." There are few rules about auditing cybersecurity measures already in place, and "very little in the way of repercussions" for those who don't comply, she said.
Legislation needs to cover employee training, including IT employees who work at companies in the health-care sector, she said. "Your organization is only as strong as the person with the least amount of interest in doing what they're supposed to do," Genge said.
Like Cloutier, Genge also hopes the attack on Newfoundland and Labrador's health-care system will prompt a swift, concerted effort from Ottawa and provincial governments to begin drawing up and enacting new legislation.
When and if that happens, "I want to be riding on the main float for that parade," she said.
This report by The Canadian Press was first published Nov. 17, 2021.
CTVNews.ca Top Stories

Speaker's Nazi veteran invite 'profoundly embarrassing' Trudeau says, as Rota faces calls to resign
Tensions flared in the Commons on Monday over opposition calls for House Speaker Anthony Rota to resign after apologizing to Parliament for inviting, recognizing and leading the chamber in a standing ovation for a man who fought for a Nazi unit during the Second World War.
Poster advertising 'whites-only' children's playtime sparks outrage in B.C. community
Police have launched an investigation into a poster inviting "proud parents of European children" to participate in racially segregated playtime in B.C.'s Lower Mainland.
Canadian air force investigating 'inappropriate and unapproved' call sign broadcast on U.K. flight
The Royal Canadian Air Force (RCAF) is investigating an ‘inappropriate and unapproved’ call sign that was transmitted electronically from one of its aircraft on Monday.
'Deeply hurtful': Polish ambassador condemns Nazi veteran’s invitation to Canada’s Parliament
Polish ambassador to Canada says House Speaker Anthony Rota's apology doesn’t go far enough after a Nazi veteran was honoured in the House of Commons last Friday.
7 candidates have qualified for the 2nd Republican presidential debate. Here's who missed the cut
The field for the second Republican presidential debate will be smaller than the first.
Vaccination during pregnancy safe, effective and recommended, CMAJ says
The most up-to-date guidelines from the Canadian Medical Association Journal recommend the COVID-19 vaccine for anyone who is pregnant in order to reduce the risk of serious illness to themselves and the children they carry.
Canadian Sikhs stage protests against Indian government over murder
Canadian Sikhs staged small protests outside India's diplomatic missions on Monday, a week after Prime Minister Justin Trudeau said there may be a link between New Delhi and the murder of a Sikh separatist advocate in British Columbia.
An airsoft pistol, a machete, and 2 knives: Jury learns of items seized in pickup truck used during attack on a London, Ont. family
The trial of Nathaniel Veltman, 22, continued in Windsor for his actions on June 6, 2021 that killed four people and seriously injured a fifth person. In court on Monday, two forensic identification officers with the London Police Service testified.
Canada approves Ebola virus vaccine for adults exposed to the deadly disease
Canada has approved a vaccine to prevent Ebola in non-pregnant and otherwise healthy adults aged 18 and older.