LifeLabs cyberattack one of 'several wake-up calls' for e-health security and privacy

The data breach of the Canadian laboratory testing company LifeLabs is one of "several wake-up calls" for security and privacy challenges that come with the push for a medical system in which eHealth plays a significant role.

"The medical field for us is one of the worst when it comes to cyber security practices," said David Kennedy, cyber security expert and founder and CEO of TrustedSec, an information security consulting firm.

"What's interesting about the large push for electronic patient health-care information that you put online is that a lot of these organizations are not designed to withstand attacks."

Many health-care organizations and professionals are big advocates for eHealth. On its website, Heath Canada describes eHealth as "an essential element of health-care renewal," which will "result in benefits to Canadians through improvements in system accessibility, quality and efficiency."

The Electronic Health Record, for example, allows the sharing of necessary information between care providers across medical disciplines and institutions. 

But on Monday, LifeLabs — Canada's largest provider of general diagnostic and specialty laboratory testing services — announced that a cyberattack on its computer systems had forced the company to pay a ransom to retrieve the sensitive information of millions of customers.

LifeLabs president Charles Brown wrote that information related to about 15 million customers, mainly in British Columbia and Ontario, may have been accessed during the breach.

Other security breaches

And that attack was just the most recent breach in Canada. Just months ago, hackers crippled the computer systems of three Ontario hospitals. 

Meanwhile, in Alberta, breaches have included the disappearance of an unencrypted hard drive containing the personal health information of 650 patients at the Mazankowski Alberta Heart Institute in August, and the inappropriate access of 2,158 electronic health records by Alberta Public Laboratories staff at the Red Deer Regional Hospital Centre earlier this year.    

"We've probably had several wake-up calls, but it still seems like lots of folks are asleep at the wheel," said Beau Woods, a cyber safety innovation fellow with the U.S. think-tank Atlantic Council.

Woods suggested it was troubling that Brown didn't know whether or not the LifeLabs records were encrypted.

"Whether or not encrypted records would have protected the data in this case is to be seen," he said. "The fact that the CEO, even after probably talking to IT can't say whether the records are encrypted, says that there's some kind of fundamental breakdown in governance."

Hackers like to target hospitals and medical facilities, which are often on very tight IT budgets, said David Masson, director of enterprise security for Darktrace, a cyber AI company.

"They know they'll be struggling to actually secure their IT networks. So they will see them as easy targets. And that's why they go after them," Masson said. 

So security usually falls by the wayside in many cases for most organizations. Security ends up being a very small percentage if any in most hospitals, most health-care providers.- David Kennedy, founder and CEO of TrustedSec

One of the problems is that medical institutions see themselves solely as health-care providers, meaning IT security doesn't get the focus it needs, TrustedSec's Kennedy said. 

"So security usually falls by the wayside in many cases for most organizations. Security ends up being a very small percentage if any in most hospitals, most health-care providers that we see out there today."

Tom Keenan, a University of Calgary professor who specializes in cyber security and researched the issue of electronic health records, said not all hospitals are lax when it comes to IT security, and that it varies across Canada how well hospitals treat the issue.

While human error is often the weakest link, another factor, he said, is that people who build these systems also sell optional extras for security.

'Take extra measures'

In one particular case he studied, the people who ran the health authority knew they had vulnerabilities and bought an extra auditing package, but never installed it.

"We can take extra measures," he said. "We need to tighten things up."

Despite the security issues, Keenan said there's no need to pause when it comes to the push for eHealth, but just beef up security.

"We don't want to slow it down. If anything, we want to speed it up," he said. "Full steam ahead but with due regard to caution."

"I trust my lab, but I would also like them to publish periodically [that they've] been audited by a third-party cyber security company."

There's a lot of cyber hygiene things that you could do that aren't expensive — that actually can be less costly than not doing them.- Beau Woods, cyber security expert

As well, medical facilities should hire cyber security firms to conduct penetration tests, to determine the vulnerability of their system, he said.

Woods, the cyber security expert, said there are some simple remedies for medical facilities, like updating their software or having multi-factor authentication.

"There's a lot of cyber hygiene things that you could do that aren't expensive — that actually can be less costly than not doing them," he said. "Not looking at cost of breaches and things like that, just operationally less costly and more secure."

Sandy Buchman, president of the Canadian Medical Association, said he believes in terms of the human component of security, hospitals are making "extreme efforts" to protect patient privacy.

'Breaks down trust'

But he said he understands how incidents like the LifeLabs data breach can shake a patient's trust. 

"It could be something way beyond a physician or hospital's control, like these cyberattacks that are occurring, but it still breaks down trust in the overall system.

The medical community has to be diligent and press for the improvements needed in the security of personal health information, he said.

"We have to be better as a health-care community in demanding that. I'm not a cyber security expert. I know we can't let off the pressure — to be pressing for this at all times in whatever ways are technologically possible."