Radiation treatments for cancer patients are being transferred to other hospitals. International law enforcement agencies are investigating. Eight days after the cyberattack at five southwestern Ontario hospitals was first declared, the scope of the problem and the agencies working on the solution have become clearer.
Local health-care officials have now said the cyberattack is a case of ransomware. Patient and employee data was taken — and could be exposed.
“Sensitive medical data is extremely problematic in the hands of the wrong people. Where I would start is, what is the strength of the security measures these hospitals had employed to begin with?” said Ann Cavoukian, the former privacy commissioner of Ontario.
“I am speculating, and I want to emphasize that it is purely speculation. I have not thoroughly analyzed it, but my speculation is that they were not particularly powerful.”
Cavoukian is also the executive director of data security company Global Privacy and Security By Design.
For the past eight days, the member hospitals of TransForm, the organization established by five local hospitals to oversee IT and accounts, have been experiencing the consequences of a cyberattack.
TransForm announced on Tuesday that sensitive data belonging to both patients and staff has been compromised, potentially leading to its exposure. The affected individuals will receive notification about the cyberattack, and both the FBI and Interpol are currently conducting investigations.
“We are tirelessly working 24/7 to recover our systems and anticipate providing updates on the progress of the restoration within the next week.”
The hospital’s email and internet services are currently offline due to the attack.
The organization stated that they have informed the appropriate regulatory bodies, such as the Ontario Information and Privacy Commissioner.
Before Tuesday’s update, four days had passed since the previous official update on the cyberattacks that caused computer systems to go offline at numerous hospitals in southwestern Ontario.
Cyberattack impacting radiation at Windsor Regional cancer care centre
The hospitals impacted by the incident, namely Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health, and Chatham-Kent Health Alliance, have been required to reschedule and delay surgeries and appointments following the attack.
Individuals are requested to go to nearby clinics or their main healthcare provider whenever feasible and to only go to the hospital in case of actual emergencies.
The Ontario Ministry of Health has not responded to several requests for comment from CBC News. In their only statement last week, they acknowledged the breach and expressed trust in TransForm’s management of the situation.
Windsor Regional Hospital (WRH) announced on Tuesday that its cancer care center was also affected by the cyberattack.
The hospital has stated that they do not currently offer radiation treatment. However, they are actively working on providing radiation services without compromising the equipment.
The hospital is collaborating with other cancer care organizations to facilitate the transfer of both existing patients’ care and new referrals for radiation treatment.
The hospital states that they are currently providing chemotherapy and related services to patients at WRH, and they have intentions to extend this service to other centers as well.
Joannie Cowie, a patient at Windsor Regional Hospital, regularly visits the hospital for treatment due to her anemia. Additionally, she has growths that require biopsy and cancer testing, which she claims have been delayed.
Last week, while she was at the hospital, she experienced the initial occurrence of the cyberattack and expressed that it is “extremely frightening.”
Cowie expressed surprise that the IV bag was delivered with handwritten instructions and expressed frustration that the issue has not been resolved yet.
Cowie mentioned that the hospital staff was frequently rushing to take written orders and prescriptions. Although she praised their hard work, she expressed her belief that the government should take more responsibility.
“They need to step up their game, the hospital and the Ford government because there are privacy laws and you don’t just play games with people.”
Andrew Dowie, the Member of Provincial Parliament (MPP) representing Windsor—Tecumseh as a Conservative, mentioned that TransForm is still actively engaged in this matter, seeking assistance from external specialists.
Dowie stated that the priority for TransForm, the hospitals, and the province is to restore the systems to their required condition for offering appointments and procedures. Any possible support from the province will be employed in these efforts.
The cyberattack is probably the biggest security breach ever recorded in Ontario, and the lack of response or information is deeply concerning.
Daniel Tsai is a lecturer in technology at the University of Toronto. He says he believes TransForm took too long to declare the cyberattack.
According to Tsai, if any patient data is made public, it will not be available on a website that is accessible to everyone.
The information might not be visible to the general public, he stated. “However, this information has the potential to bring about significant distress as it can be purchased from the dark web and used for extortion.”
Tsai referred to the widely publicized breach of Ashley Madison, a dating website catering to extramarital affairs, and the victims who were extorted by criminals following the incident.
He recommended that individuals remain vigilant in monitoring their identity and banking details for any indications of fraudulent activity. However, this precautionary measure will not aid in detecting potential leaks of medical information.
He stated that this is probably the most significant data breach ever experienced in Ontario. There have been cyberattacks on other hospitals, such as SickKids in Toronto, as well.
He expressed his surprise that the health minister has not yet tackled this matter. He believes it is a significant problem and calls for a course of action. Therefore, the absence of response is quite noticeable.
The hospital administrators in Windsor not only made a mistake by delaying their announcement about the issue for over a week, but the leadership at all levels also let down these patients, which is disgraceful.
The dissemination of medical information to the public can have significant consequences.
Cavoukian, the former privacy commissioner, says having medical data out there can have serious ripple effects.
She mentioned that making conclusions based on highly sensitive data, such as medical data, can be misleading and potentially lead to significant consequences if mishandled.
“Do not underestimate the importance of safeguarding identity, particularly when it comes to sensitive health data. It is crucial to ensure robust protection for such information.”
Cavoukian suggests that she has a possible explanation for the hospitals’ unusual silence.
“I believe they are extremely anxious about it because, in my opinion, adequate precautions were not implemented during the time of this security breach,” she expressed.
However, the existing laws that protect patient and data privacy require revisions.
“The use of encryption and the methodology of the encryption: This should be encoded in this legislation. It isn’t,” Cavoukian said. “Yes, you need to protect health data, but that’s not enough. The how and where and what, the means required and the need to look under the hood after it’s been done and audit what’s been done, all of this is critical.”