How Hamilton hospitals respond to cyberattacks

As news broke Friday of a ransomware attack hitting companies worldwide including hospitals in the U.K., the person in charge of information technology security at St. Joe's picked up a sort of inter-hospital bat phone.

Tara Coxon is interim chief information officer for St. Joseph's Healthcare Hamilton, and she was talking on the phone with the chief information security officer at Hamilton Health Sciences, the other big regional hospital system.

The two hospitals have separate servers and systems, but there are several places where the systems communicate and overlap.

And so: "We have each other's cell phone numbers," she said.

The pair got right to it, asking each other: Are you patched? How are you monitoring the risks on your end?

The call was "to make sure we were both enacting the plan, to be sure we're as secure as possible," she said. "We were both in a really strong situation."

While they weren't experiencing a direct attack, ahospital inOshawawas among thetens of thousands of victims of the unprecedented "ransomware" cyberattack that hit 150 countries in recent days.

There isn't a day that goes by that there isn't an attack.- RenatoDiscenza,VP for strategy and innovation at Hamilton Health Sciences

LakeridgeHealth one of Ontario's largest community hospitals saidit appeared theransomwarethreatened its computer system, but a spokesman said the facility's system was able to deflect the attack.

Attacks like this one happen when a type of software seizes control of a computer, encrypting its contents and rendering them inaccessible. A message is typically displayed, demanding a ransom payment to access the computer and its files.

For Coxon, the increasing threats point to a need for hospitals to keep vigilant. The role of chief information security officer is one that was more common at banks and financial institutions than hospitals 10 years ago. But as hospitals have evolved from a paper-based world, they now hold stores of personal and patient data.

"The reality is we face this literally daily," said Renato Discenza, the vice president for strategy and innovation at Hamilton Health Sciences. "There isn't a day that goes by that there isn't an attack."

So far, Discenza said, the hospital's protocols to isolate affected computers and contain the attack from spreading have worked.

'You always have to think of 'what if''

Hospitals used to be able to set up a strong perimeter around their systems and ward off external threats. But in the "internet of things" era, more medical devices and tools are internet-connected and thus there are more portals for a hacker to try to gain entry.

"When you modernize flows you always have to think of 'what if'," Discenza said.

Even something "less sinister" like a power outage is a possibility that the hospitals' information security teams have to be prepared for, Discenza said.

And In Hamilton, for some shared services, the systems are connected. The region's laboratory is part of Hamilton Health Sciences, for example, so medical staff at St. Joe's send orders and receive results from the lab.

The hospitals have contingency plans in case they have to disconnect from each other, in case one or the other feels there's an unacceptable risk at the other system.

'It's not like we're losing dollars'

Like any large workplace, Coxonand Discenza said workers occasionally click on phishing emails designed to obtain their personal information and passwords. That can compromise a single device or computer but doesn't usually pose a critical threat to the whole hospital.

She said the computers in the hospital were properly patched in March to ward off threats like the most recent attack.

And Coxon keeps in touch frequently with her colleague at HHS, like when a phishing email comes in that is so well-crafted it nearly tricks her, an expert, for example.

St. Joe's so far has "never fallen victim" to a wide-scale attack that resulted in the theft of patient data, she said.

Coxon said she's been hearing hackers are targeting hospitals more than financial institutions. But she has to balance interrupting a computer to make sure it's patched for the most up-to-date security measures, and the risk that interruption may have to providing the patient the best, continuous care.

"In healthcare, it's not like we're losing dollars" if a computer goes offline, she said.

kelly.bennett@cbc.ca