N.L. cyberattack shows Canada needs national rules to protect personal data: experts

Nov 17, 2021 | 10:53 AM

ST. JOHN’S, N.L. — The cyberattack on Newfoundland and Labrador’s health-care system is yet another urgent signal that Canada needs better rules around protecting personal health information from hackers and needs a unified response plan when health-care services are under siege, experts say.

Lives are at stake and action is needed now, said Paul-Émile Cloutier, president and chief executive officer of HealthCareCAN, a group representing organizations such as research hospitals and health authorities.

“I think that we’re about 10 years behind in looking at this in a very sophisticated way,” Cloutier said in an interview earlier this week. “And I think we need to put a lot of attention (on it), and it needs to be done immediately.”

Provinces follow individual standards for protecting personal health information, he said, adding that he would prefer to see national, standardized rules. “We need to develop a national strategy and really have a major, robust national response to protect our health-care systems across the country,” he said.

Cyberattacks aimed at Canadian health-care providers are growing more frequent and unlikely to let up, he said. The Kemptville District Hospital near Ottawa closed its emergency department after a “cyber incident” on Oct. 20, 10 days before hackers took out Newfoundland and Labrador’s health-care IT system. Ottawa’s Rideau Valley Health Centre is still grappling with a “cybersecurity incident,” its website says. Toronto’s Humber River Hospital, meanwhile, was hit in June.

Newfoundland and Labrador is still recovering; chemotherapy appointments are going ahead “at a reduced capacity,” and routine screenings are still not available, the province’s largest health authority says on its website.

Cyberattacks on digital health infrastructure aren’t only happening in Canada. A woman in Germany died last September after a cyberattack on a local hospital forced her to be transferred to another city and delayed her care, The Associated Press has reported.

There’s another pressing concern: personal health information is particularly sensitive, sometimes revealing intimate details about patients’ mental or sexual health, said Anne Genge, chief executive officer of Alexio, an Ontario-based cybersecurity company that specializes in health care. Stolen personal health information can be used to blackmail people long after a cyberattack is resolved, she said in a recent interview.

In the United States, agencies and providers must report to the federal government any breaches to personal health information affecting 500 individuals or more. Those breaches are posted to the website of the U.S. Department of Health and Human Services on a site known among experts as the “wall of shame.”

Those rules are part of that country’sHealth Insurance Portability and Accountability Act, or HIPAA, which lays out national standards to protect patient health information. Canada, however, has no similar reporting requirements, nor does it have federal health information laws comparable to HIPAA, Genge said.

The Newfoundland and Labrador government still hasn’t said what type of attack has affected its health network, nor whether those behind it have asked for a ransom. The government, however, has said some patients’ personal health information had been stolen.

Kate Borten, president of the Marblehead Group, a health-care cybersecurity firm in the U.S., says the attack in Newfoundland and Labrador would certainly make the cut for a Canadian “wall of shame” — if such legislation existed, she said.

Genge pointed to the wall of shame as an example of the kind of accountability and transparency that should be required by Canadian and provincial legislation. 

“Reporting is generally only happening when there’s a big breach that’s obvious,” she said, adding that she agrees with Cloutier that Canada desperately needs clear, enforceable rules about “the collection, the storage, the use, transmission and disposal” of personal health information. 

Right now, Genge said, “there’s no standardization provincially, there’s no standardization federally, in how they are to operationalize it.” There are few rules about auditing cybersecurity measures already in place, and “very little in the way of repercussions” for those who don’t comply, she said.

Legislation needs to cover employee training, including IT employees who work at companies in the health-care sector, she said. “Your organization is only as strong as the person with the least amount of interest in doing what they’re supposed to do,” Genge said. 

Like Cloutier, Genge also hopes the attack on Newfoundland and Labrador’s health-care system will prompt a swift, concerted effort from Ottawa and provincial governments to begin drawing up and enacting new legislation.

When and if that happens, “I want to be riding on the main float for that parade,” she said.

This report by The Canadian Press was first published Nov. 17, 2021.

Sarah Smellie, The Canadian Press