“On high alert”: Newfoundland and Labrador cyberattack prompts other provinces to take a closer look at cybersecurity
ST. JOHN’S, NL — Health care providers have some of your most private information in their databases — a detailed list of your ailments, the medications you take, your ID and contact information — and chances are a cybercriminal is trying to steal all this for quick cash.
In October 2021, a cyberattack on health authorities in Newfoundland and Labrador plunged the province’s healthcare system into crisis.
Almost all medical procedures, except for emergencies, have been canceled. Workers reverted to a paper-based system while computer systems were rebuilt from scratch using backups.
The attack strained an already overwhelmed healthcare system, with overwhelmed emergency rooms, a shortage of doctors and large surgical backlogs – all amid the COVID-19 pandemic.
At least one in 13 people in the province have had their privacy breached – and that number will likely continue to rise as the investigation into the attack continues.
Meanwhile, the province’s largest health authority, Eastern Health, is offering free credit monitoring to all affected patients for two years.
In May, government officials said the attack cost the province $16 million in credit monitoring, overtime IT staff, and consulting and legal fees.
No one in the government said if a ransom had been paid.
Learn from NL
The devastation caused by the attack illustrates the danger for the whole country.
Despite limited resources, the healthcare sector across Canada is working to strengthen its cybersecurity and avoid facing a similar mess.
An additional $875.2 million was allocated in the 2022 federal budget for cybersecurity, including $180.3 million over five years to prevent and respond to cyberattacks on critical infrastructure.
Provinces and territories are also working to improve the cybersecurity of their healthcare systems.
A spokesperson for the Government of Nunavut said that whenever there is a public update on a cyberattack, like any update on the ongoing investigation in Newfoundland and Labrador, a review of Nunavut Security Posture is conducted to determine where improvements need to be made.
The territory knows the dangers all too well. Its entire government infrastructure, in all 25 communities, was disrupted by a ransomware attack on November 1, 2019.
“The Government of Nunavut has invested heavily in new tools, resources, managed services and (a) cybersecurity awareness campaign to mitigate the risk of ransomware,” a spokesperson said in an email.
Employees and contractors in the territory’s healthcare sector will complete mandatory online privacy and security training starting this fall, and all healthcare workstations will have mandatory multi-factor authentication.
Ontario is also paying attention to the situation in Newfoundland and Labrador.
A spokesperson for the Ontario Ministry of Health said that shortly after the cyberattack, the ministry and Ontario Health announced ransomware defense funding, specifically aimed at increasing controls against malware and response capacities in acute care centres.
Paul Allen is Director of IT Security Risk Management and Digital Infrastructure at Nova Scotia Health.
In an email, he said he worked with a consulting firm to review their cybersecurity posture.
“With the cybersecurity event that hit very close to home in Newfoundland and Labrador last year, Nova Scotia Health and its partners have been on full alert in managing its cybersecurity portfolio to identify threats early,” Allen said.
A spokesperson for the Yukon government said it has contacted the Newfoundland and Labrador government directly to determine if there are any lessons for the territory.
A spokesperson for Quebec’s Ministry of Health and Social Services said discussions between governments across the country had been initiated to increase the effectiveness of the fight against cyberattacks, and in June this year, the province hosted the first cybersecurity and digital technology conference. for Federal, Provincial and Territorial Ministers and Senior Officials.
More funding needed
Is everything enough?
Ali Ghorbani, director of the Canadian Institute for Cybersecurity, said he would like to see more funding for cybersecurity in the healthcare sector across the country.
“Rarely do you find critical infrastructure that brings together a few things that are very attractive to cybercriminals, and healthcare is one of them,” he said.
Ghorbani said it’s the combination of the effect a cyberattack can have on both people’s health and the security of their private information, as well as the security of healthcare processes – such as the planning of life-saving surgeries – which makes the sector “extremely attractive” to cybercriminals who will hold all this vital information for ransom.
“I want to give the government and the health authorities some sort of warning that this critical infrastructure is extremely, extremely important because people’s lives are at stake. … So I would like to see more investment, more training, more of education,” he said.
The government remains silent
In Newfoundland and Labrador, politicians haven’t been saying much about the attack lately. A request from The Telegram for interviews with the Minister of Health and the Minister for Digital Government were both refused; a spokesperson cited the ongoing police investigation as well as an investigation by the Office of the Information and Privacy Commissioner.
This does not sit well with the Progressive Conservative opposition in the province.
PC MHA Loyola O’Driscoll is the Opposition Critic for Digital Government. In a July 22 press release, he said Digital Government Minister Sarah Stoodley needed to let people in the province know.
“Eastern Health reported that the number of employees and patients who were affected by the cyberattack has increased and will continue to increase; this is of great concern to me as there are potentially many Newfoundlanders and Labradorians who are unaware that their personal information has been accessed,” O’Driscoll said.
He said the government needs to tell people what is being done to increase the cybersecurity of all government platforms.
Meanwhile, other than watching their credit more closely, there’s not much people in Newfoundland and Labrador can do.
“As far as handing over your data, once you hand it over to an organization, you’re essentially trusting them to keep it safe for you,” Ghorbani said.