Possible cyberattack could impact N.L. health care for weeks, months: experts

Cybersecurity experts say disruptionsin Newfoundland and Labrador health-care services caused by what the government says is a possible cyberattack could potentiallylast for weeks or even months.

In an interview with CBC News, cybersecurity journalist Sam Harper saidit's difficult to determine the extent of the damage at this stage, and there is "no quick fix" to get the system back up and running.

"I don't think I can give you a number in terms of weeks or months," he said. "Having to rebuild systems ... takes a lot of time."

The disruption, which began on Saturday morning, has caused thousands of appointments and procedures to be cancelled. All four of the province's regional health authorities have been impacted by the outage, although Eastern Health appears to have been affected most severely.

In a media briefing on Monday, Health Minister John Haggie and Eastern Health CEO David Diamond said they didn't yet know the cause of the outage or how long it would be before the system is back up and running.

Sources have told CBCNews the outage is due to a ransomware attack,a type of cybersecurity breach where an attacker will make a system inaccessible until they are paid a ransom.

Similar attacks in U.S., Ireland

Haggie said the system outage is affecting both the "brain" of the system and its backup a situation Harper says is a problem.

"Saying it's bad is an understatement," Harper said. "If you want to be able to restore your infrastructure, you actually need to have backups that you know are safe and that ...have the correct information."

Harper said health-care systems in the United States and Ireland have experienced similar attacks recently. Nunavut experienced a ransomware attack on government systems in 2019, though the Nunavut government says it didn't pay the ransom, but instead isolated infected portions of its network.

Saying it's bad is an understatement.- Sam Harper

Harper said most organizations and governments who do pay the ransom risk getting back damaged information, or not getting the information at all.

Steve Waterhouse, a cybersecurity expert who has worked with the Department of National Defence, said ransomware attackers often target health-care systems because of the urgent nature of many appointments and procedures.

Waterhouse said he doesn't advise organizations to pay the ransom except as a last resort.

"It's going to be a gamble," he said.

Waterhouse said organizations and governments need to make cybersecurity a top priority.

He said an organization that is prepared for a ransomware attack could have their system back online within days or weeks. However, he said most aren't prepared for such an attack, and in those cases, it could take months before everything is back to normal.

Other government systems being monitored

Speaking with reporters on Monday, Digital Government and Service N.L. Minister Sarah Stoodley said outside service providers and teams from the Office of the Chief Information Officer have been monitoring other government systems, but so far haven't found any abnormalities.

"Everyone's very diligent and the analysis is ongoing," Stoodley said.

Stoodley wouldn't say how often government IT systems are upgraded and updated, but said her department works with "a range of partners." She also wouldn't say how much the government spends on cybersecurity, but said there are a range of initiatives dedicated to keeping government systems safe.

Stoodley said cybersecurity attacks are becoming increasingly common, and the government is subjected to "thousands" of attacks a month.

"Intrusion attempts are always occurring. There's always a risk," she said.

When asked if the government updated its policies following the 2019 ransomware attack in Nunavut, Stoodley said the government is always improving cybersecurity efforts.

"We're always looking to see if we can be doing things better or differently," she said.

Stoodley advised people to ward off cyberattacks by creating separate passwords for different accounts, using two-step authentication and thinking twice before clicking links in emails or advertisements.

"Cybersecurity and protecting our information and assets is really everyone's responsibility," she said.

Read more from CBC Newfoundland and Labrador