N.L. cyberattack shows Canada needs national rules to protect personal data: experts

The cyberattack on Newfoundland and Labrador's health-care system is yet another urgent signal that Canada needs better rules around protecting personal health information from hackers and needs a unified response plan when health-care services are under siege, experts say.
Lives are at stake and action is needed now, said Paul-Emile Cloutier, president and chief executive officer of HealthCareCAN, a group representing organizations such as research hospitals and health authorities.
"I think that we're about 10 years behind in looking at this in a very sophisticated way," Cloutier said in an interview earlier this week. "And I think we need to put a lot of attention (on it), and it needs to be done immediately."
Provinces follow individual standards for protecting personal health information, he said, adding that he would prefer to see national, standardized rules. "We need to develop a national strategy and really have a major, robust national response to protect our health-care systems across the country," he said.
Cyberattacks aimed at Canadian health-care providers are growing more frequent and unlikely to let up, he said. The Kemptville District Hospital near Ottawa closed its emergency department after a "cyber incident" on Oct. 20, 10 days before hackers took out Newfoundland and Labrador's health-care IT system. Ottawa's Rideau Valley Health Centre is still grappling with a "cybersecurity incident," its website says. Toronto's Humber River Hospital, meanwhile, was hit in June.
Newfoundland and Labrador is still recovering; chemotherapy appointments are going ahead "at a reduced capacity," and routine screenings are still not available, the province's largest health authority says on its website.
Cyberattacks on digital health infrastructure aren't only happening in Canada. A woman in Germany died last September after a cyberattack on a local hospital forced her to be transferred to another city and delayed her care, The Associated Press has reported.
There's another pressing concern: personal health information is particularly sensitive, sometimes revealing intimate details about patients' mental or sexual health, said Anne Genge, chief executive officer of Alexio, an Ontario-based cybersecurity company that specializes in health care. Stolen personal health information can be used to blackmail people long after a cyberattack is resolved, she said in a recent interview.
In the United States, agencies and providers must report to the federal government any breaches to personal health information affecting 500 individuals or more. Those breaches are posted to the website of the U.S. Department of Health and Human Services on a site known among experts as the "wall of shame."
Those rules are part of that country'sHealth Insurance Portability and Accountability Act, or HIPAA, which lays out national standards to protect patient health information. Canada, however, has no similar reporting requirements, nor does it have federal health information laws comparable to HIPAA, Genge said.
The Newfoundland and Labrador government still hasn't said what type of attack has affected its health network, nor whether those behind it have asked for a ransom. The government, however, has said some patients' personal health information had been stolen.
Kate Borten, president of the Marblehead Group, a health-care cybersecurity firm in the U.S., says the attack in Newfoundland and Labrador would certainly make the cut for a Canadian "wall of shame" -- if such legislation existed, she said.
Genge pointed to the wall of shame as an example of the kind of accountability and transparency that should be required by Canadian and provincial legislation.
"Reporting is generally only happening when there's a big breach that's obvious," she said, adding that she agrees with Cloutier that Canada desperately needs clear, enforceable rules about "the collection, the storage, the use, transmission and disposal" of personal health information.
Right now, Genge said, "there's no standardization provincially, there's no standardization federally, in how they are to operationalize it." There are few rules about auditing cybersecurity measures already in place, and "very little in the way of repercussions" for those who don't comply, she said.
Legislation needs to cover employee training, including IT employees who work at companies in the health-care sector, she said. "Your organization is only as strong as the person with the least amount of interest in doing what they're supposed to do," Genge said.
Like Cloutier, Genge also hopes the attack on Newfoundland and Labrador's health-care system will prompt a swift, concerted effort from Ottawa and provincial governments to begin drawing up and enacting new legislation.
When and if that happens, "I want to be riding on the main float for that parade," she said.
This report by The Canadian Press was first published Nov. 17, 2021.
CTVNews.ca Top Stories
No 'warnings or second chances' for illegal activity on Canada Day: Ottawa mayor
Ottawa's mayor is warning the city won't tolerate any illegal activity downtown during Canada Day festivities this year, as the city prepares for possible protests.

'Deepest apologies': Central Alberta rodeo organizers shocked by parade float
Organizers of a central Alberta rodeo and its parade committee are calling for calm after a float in this weekend's parade, which possessed a racist theme, was seen in the procession.
Woman trampled, killed by horses at central Alberta rodeo: RCMP
A 30-year-old woman is dead after falling off a horse at the Ponoka Stampede on Sunday.
Ukrainian officials: Russian missile strike hits crowded shopping mall
Scores of civilians were feared killed or wounded in a Russian missile strike Monday on a crowded shopping mall in Ukraine's central city of Kremenchuk, Ukrainian officials said.
Canada outperformed most G10 countries during first two years of pandemic response: study
Canada handled key aspects of the COVID-19 response better in the first two years of the pandemic than most G10 countries, according to a new study by researchers from the University of Toronto, Unity Health Toronto and St. Michael's hospital.
When can you light fireworks in Canada? It depends on where you live
Figuring out where and when you're allowed to use fireworks in Canada depends on where you live and what rules apply in your municipality.
South Africa tavern deaths: 21 teens likely killed by something they drank, ate or smoked
South African authorities investigating 21 teenagers found dead at an east coast tavern over the weekend said on Monday the youths were probably killed by something they ate, drank or smoked, ruling out the earlier-touted possibility of a stampede.
Republican calls overturning Roe v. Wade a 'victory for white life'
U.S. Rep. Mary Miller of Illinois, speaking at a rally Saturday night with former U.S. President Donald Trump, called the Supreme Court's decision overturning Roe v. Wade a 'victory for white life.'
Ghislaine Maxwell put on suicide watch after saying staff threatened her
Ghislaine Maxwell reported Brooklyn jail staff threatened her safety, prompting employees to place her on suicide watch, prosecutors said on Sunday, arguing there was no need to delay her sentencing on sex trafficking charges.