The National Post recently reported that hackers have repeatedly been targeting Canadian doctors with ransomware, attacking computer systems that house the confidential medical records of thousands of patients and seriously affecting patient care.
Ransomware and Other Cyber Attacks
In recent years, ransomware has been a particularly insidious method that hackers have been using to attack organizations that house sensitive information, including law firms, banks, universities, hospitals, and medical offices.
Ransomware is a form of malicious software that threatens to publish the data of the individual or organization targeted, or to block access to it until a ransom is paid, usually in an untraceable form of currency such as Bitcoin. Ransomware attacks are generally launched through a Trojan, malicious software disguised as a legitimate email or file that the victim is duped into opening or downloading. Even where the ransom is paid and the files are unlocked, concerns remain about privacy breaches and about what the hackers might do with the data after the fact.
The Canadian Medical Protective Association (CMPA) says that the best-case scenario following one of these attacks is that affected medical offices spend two or three days restoring their systems from backup sites. The worst-case scenario is that the offices lose critical data, including years of sensitive medical information. All the while, as offices scramble to recover and return to business as usual following an attack, doctors are missing key aspects of patient history.
Earlier this year, the CMPA published an article explaining the possible threat and urging doctors to be vigilant. This was the first official recognition that patient data in Canada is vulnerable to these cyber-threats.
Ten Ransomware Attacks on Ontario Doctors’ Offices or Clinics since 2016
Ontario’s Privacy Commissioner told the National Post that, since the beginning of 2016, it has received 10 reports of ransomware attacks on clinics and doctors’ offices. The Commissioner has deemed ransomware an “increasingly dangerous” threat to the security of health records in the province.
No hospitals officially reported falling victim to ransomware. However, the chair of a federal committee on cybersecurity and critical infrastructure told the newspaper that attacks against hospitals have occurred in Canada, and that medical files have been affected.
Another expert estimates that the total number of ransomware attacks has increased by 600% in the last year alone. Medical information is 10 times more likely to be targeted than other sensitive data, such as banking information.
Attacks in Other Countries
Earlier this year, 16 hospitals across Britain’s National Health Service (NHS) were affected by a global ransomware attack known as “WannaCry”, resulting in operations being cancelled, ambulances being diverted, and patient records becoming unavailable.
In the U.S., at least two major healthcare facilities have been affected. Most recently, computer systems at Erie County Medical Center in Buffalo were down for six weeks after a ransomware attack in which hackers demanded $44,000, which the Center refused to pay.
Very Real Risks
Experts warn that the recent WannaCry attacks in the U.K. were essentially an advertisement for other hackers, exposing the vulnerability of the healthcare sector to such incidents. That vulnerability is magnified by often extensive media coverage, which puts incredible pressure on the affected organization to pay.
Physicians’ offices are particularly vulnerable since they generally have one computer system that covers all aspects of the practice, from appointment scheduling to patient charts and medical records. While most offices have their files backed up, getting access to the backup files can be arduous and take time.
There are major medical-legal issues arising from a ransomware attack. Firstly, patient care and lives may be impacted where physicians and other healthcare providers cannot access medical records, or other relevant electronic information. Secondly, ransomware may allow hackers to access personal health information contained in electronic medical records and should be treated as a privacy breach. Depending on the jurisdiction in which such a breach occurs, the hacked clinic, office, or individual may have to provide notice of the breach to the affected patients, the Privacy Commissioner, or both.
Experts predict that, going forward, the ransomware threat will increase and hackers will become more malicious and sophisticated. Some foresee that hackers may escalate their tactics and threaten, for instance, to change vital information in patient records (such as blood type or allergy information), publish private medical information, or remotely take over medical devices connected to computers.
At Wise Health Law, we have been recognized for our outstanding work in health and administrative law. We regularly assist regulated health professionals with emerging legal and regulatory issues and provide them with exceptional and skilled support. Our team of health lawyers is well-known in the legal, regulatory, and health-care communities for our exceptional legal guidance. With offices in both Toronto and Oakville, Ontario, we are easily accessible to professionals throughout South-Western Ontario. Contact us online, or at 416-915-4234 for a consultation.