Skip to content

COVID-19 pandemic made hospitals more vulnerable to cyberattacks: security experts

MONTREAL — Security experts say the suspected cyberattack on Newfoundland and Labrador's health-care system, which led to the cancellation of thousands of medical appointments and forced a local health authority to revert to using paper, isn't an iso

MONTREAL — Security experts say the suspected cyberattack on Newfoundland and Labrador's health-care system, which led to the cancellation of thousands of medical appointments and forced a local health authority to revert to using paper, isn't an isolated incident. Hackers' new tactic is to target health-care institutions, they say, because the COVID-19 pandemic has increased pressure on victims to pay up.

Here are five factors that help explain why hospitals and health-care facilities are being targeted:

1. Ransomware has changed the dynamic of hacking attacks

Ransomware — a form of malicious software that encrypts or deletes someone's data until they pay a ransom — has changed the nature of hacking attacks, said Robert Gordon, a strategic adviser at the Canadian Cyber Threat Exchange, a non-profit organization that works to reduce cyber risks.

Hospitals used to believe they wouldn't be targeted by hackers because they didn't have valuable intellectual property or trade secrets that could be stolen, he said. 

"Ransomware has changed that, because now the data you've got, it doesn't have to be of value to the attacker, it just has to be of value to you," he said in an interview Tuesday. "Because if it's of value to you, you're willing to pay to either keep it or get it back."

2. The pandemic has made hospitals a bigger target

"Cyberattacks, and particularly ransomware attacks, are all about leverage," Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Ryerson University, said in an interview Tuesday. "Ransomware attackers attack organizations from which they believe that they can generate the highest ransom payment. Attacking a hospital or a medical system in the context of COVID-19, in the context of an ongoing public health crisis, generates significant leverage."

While the nature of the attack in Newfoundland and Labrador is not yet known, Finlay said ransomware attacks are often specifically targeted at "critical infrastructure," which he said includes pipelines, food supply chains and health-care networks. 

"These attacks are sophisticated, they are planned," he said. "It takes a significant amount of effort, often, to execute them effectively."

3. Other Canadian health organizations have also been targeted 

Paul-Émile Cloutier, president and CEO of HealthCareCAN, an organization that represents research hospitals, regional health authorities and health organizations, said that since 2019, there have also been attacks on hospitals in Ontario, a private laboratory services company in Toronto, and the agency that manages digital health records in Saskatchewan. 

He said the increased use of technology in hospitals may be contributing to their vulnerability. 

And it's not just in Canada. Finlay said health-care systems in the United States and Ireland have also been targeted. 

4. Cyberattacks on hospitals put patient safety at risk 

Cloutier said much of the data that hospitals hold is sensitive personal information about patients — information those patients wouldn't want to be made public. But, as is the case in Newfoundland's Eastern Health, an attack can also force the cancellation of necessary medical procedures, putting patients back on waiting lists for surgeries and other care, he said. 

"This is not just a security issue, it's also a patient safety issue."

5. Victims often pay the ransom

A survey of 510 security professionals released earlier this year by the Canadian Internet Registration Authority indicated 17 of their organizations had experienced a ransomware attack and 69 per cent of those paid a ransom.

While the increased number of people working from home may have created new vulnerabilities, online criminals have also preyed on people's anxieties, Spencer Callaghan, a senior manager at the registration authority, said in an interview Tuesday. Some hackers, for example, have masqueraded as health authorities in an effort to get people to click links in malicious emails, he said.

"They're preying on the fact that people are anxious, that people are afraid, that people are, sort of, in a high-stress environment," Callaghan said.

This report by The Canadian Press was first published Nov. 2, 2021.

———

This story was produced with the financial assistance of the Facebook and Canadian Press News Fellowship.

Jacob Serebrin, The Canadian Press