LifeLabs cyberattack one of 'several wake-up calls' for e-health security and privacy

The data breach of the Canadian laboratory testing company LifeLabs is one of "several wake-up calls" for security and privacy challenges that come with thepush for a medical system in which eHealth plays a significant role.

"The medical field for us is one of the worst when it comes to cyber security practices," said David Kennedy, cyber security expert and founder and CEO of TrustedSec, aninformation security consulting firm.

"What's interesting about the large push for electronic patient health-care information that you put online is thata lot of these organizations are not designed to withstand attacks."

Many health-care organizations and professionals are big advocates for eHealth.On its website, Heath Canada describes eHealthas"an essential element of health-care renewal," which will "result in benefits to Canadians through improvements in system accessibility, quality and efficiency."

The Electronic Health Record, for example,allows the sharing of necessary information between care providers across medical disciplines and institutions.

But on Monday,LifeLabs Canada's largest provider of general diagnostic and specialty laboratory testing servicesannounced that a cyberattack on its computer systems had forced the company topay a ransom to retrievethe sensitive information of millions of customers.

LifeLabspresident Charles Brown wrote that information related to about 15 million customers, mainly in British Columbiaand Ontario, may have been accessed during the breach.

Other security breaches

And that attack was just the most recent breach in Canada. Just months ago,hackers crippled the computer systems of three Ontario hospitals.

Meanwhile, in Alberta, breaches have included the disappearance of an unencrypted hard drive containing the personal health information of 650 patients at the Mazankowski Alberta Heart Institute in August, and the inappropriate access of 2,158 electronic health records by Alberta Public Laboratories staff at the Red Deer Regional Hospital Centre earlier this year.

"We've probably had several wake-up calls, but it still seems like lots of folks are asleep at the wheel," said Beau Woods, a cyber safety innovation fellow with the U.S. think-tankAtlantic Council.

Woods suggested it was troubling thatBrown didn't know whether or not the LifeLabs records were encrypted.

"Whether or not encrypted records would have protected the data in this case is to be seen," he said. "Thefact that the CEO, even after probably talking to IT can't say whether the records are encrypted, says that there's some kind of fundamental breakdown in governance."

Hackers like to targethospitals and medical facilities, which are often on very tight IT budgets, saidDavid Masson,director of enterprise security for Darktrace, a cyber AI company.

"They know they'll be struggling to actually secure their IT networks. So they will see them as easy targets. Andthat's why they go after them," Masson said.

So security usually falls by the wayside in many cases for most organizations. Security ends up being a very small percentage if anyin most hospitals, most health-care providers.- David Kennedy, founder and CEO of TrustedSec

One of theproblems is that medical institutions see themselves solely as health-care providers, meaning IT security doesn't get the focus it needs, TrustedSec'sKennedysaid.

"So security usually falls by the wayside in many cases for most organizations. Security ends up being a very small percentage if anyin most hospitals, most health-care providers that we see out there today."

TomKeenan, a University of Calgary professor who specializes in cyber securityand researched the issue ofelectronic health records, said not all hospitals are lax when it comes to IT security, and that it varies across Canada how well hospitals treat the issue.

While human error is often the weakest link, another factor, he said, is that people who build these systems also sell optional extras for security.

'Take extrameasures'

In one particular case he studied, the people who ran the health authority knew they had vulnerabilities and bought anextra auditing package, butnever installed it.

"Wecan take extra measures," he said. "We need to tighten things up."

Despite the security issues, Keenan said there's no need to pause when it comes to the push for eHealth, but just beef up security.

"We don't want to slow it down. If anything, we want to speed it up," he said. "Full steam ahead but with due regard to caution."

"I trust my lab, but I would also likethem to publish periodically [thatthey've]been audited by a third-party cyber security company."

There's a lot of cyber hygiene things that you could do that aren't expensivethat actually can be less costly than not doing them.- Beau Woods, cyber security expert

As well, medical facilities should hire cyber security firms to conduct penetration tests, to determine the vulnerability of their system, he said.

Woods, the cyber security expert, said there are some simple remedies for medical facilities, like updating theirsoftware or having multi-factor authentication.

"There's a lot of cyber hygiene things that you could do that aren't expensivethat actually can be less costly than not doing them," he said. "Not looking at cost of breaches and things like that, just operationally less costly and more secure."

Sandy Buchman, president of the Canadian Medical Association, said he believes in terms of the human component of security,hospitals aremaking "extreme efforts" to protect patient privacy.

'Breaks down trust'

But he said he understandshow incidents like the LifeLabsdata breach can shake a patient's trust.

"It could be something way beyond a physician or hospital's control, like these cyberattacks that are occurring, but it still breaks down trust in the overall system.

The medical community has to be diligent and press for the improvementsneeded in the security of personal health information, he said.

"We have to be better as a health-care community in demanding that. I'm not a cyber security expert. I know we can't let off the pressure to be pressing for this at all times in whatever ways are technologically possible."