Jun 23, 2020, 08:00 AM by Yiou Huang
According to more than 31 research articles, the healthcare network is slow to adopt the necessary measures to ensure the security of its stakeholders’ data, in this case its employees and patients. Indeed, in an article published on June 3, 2020, on the Radio-Canada website [French only], we learn that “the number of cyberattacks against the Canadian healthcare system jumped by 15% between 2018 and 2019.” To face this threat, facilities must invest money and time to protect their technological infrastructures and support the continuity of their services. Despite both federal and provincial recommendations, this remains a major challenge, since healthcare facilities are complex organizations saturated with interdependent technologies.
The Healthcare Network – A Strategic Infrastructure
The security of strategic infrastructures, including that of the healthcare network, is an unavoidable state security issue. According to the Ministère de la Sécurité publique du Québec [French only], a strategic infrastructure is an infrastructure that provides a service of great importance to society. A breach would have major consequences for the health, safety or well-being of citizens or for the efficient functioning of government.
The cyber vulnerability of the provincial healthcare system’s technology infrastructure results from the accumulation of vulnerabilities in individual hospitals. Computer applications are now linked together in real time, which means that any loss of data can affect the entire ecosystem and activities of an organization. It is advisable to refer to the Synoptic table of key measures grouped by axes and objectives [French only] for all recommendations developed by the Government of Quebec.
The National Critical Infrastructure Strategy notes that a failure, breakdown, virus or human error in one of these facilities could jeopardize the entire healthcare network infrastructure, depending on the interdependencies of the affected computer system. In 2019, for example, a major blackout affected five hospitals in Montreal [French only]. For this reason, all CISSS and CIUSSS must move forward together to ensure that the resilience of critical infrastructures is strengthened and to make the industry less attractive to cybercriminals, and therefore less vulnerable in the event of a natural disaster.
Real-Life Cases and Responsibilities
Events experienced by some facilities demonstrate the importance of protecting these infrastructures and having a quick action plan to deal with computer threats.
Among the many responsibilities of hospital IT management is that of ensuring the security of the IT infrastructure to guarantee, among other things, the continuity of services, including those provided to patients. The security of infrastructures and the importance of business continuity depend first and foremost on the culture of each organization. According to one of the CIOs interviewed in the scientific article Cybersecurity in Hospitals: A Systematic, Organizational Perspective: “Our culture wasn’t like this seven years ago… Bad things have had to happen at times. Nothing affects change like someone who makes a mistake.” In Quebec, here’s what Steve Waterhouse had to say in an interview with La Presse [French only]: “In IT, as long as there’s no accident, we tell ourselves that we’ll deal with it if it happens. That’s where it hurts the most, and once again, it’s the people who pay the price.”
It would be a shame to wait for a disaster to drive the necessary change when it could already be implemented. The loss of data in a healthcare facility would be particularly catastrophic, as there could be medical errors with serious clinical consequences and deaths directly related to a breakdown in computer systems.
Ensuring Service Continuity in the Event of a Disaster
The purpose of a business continuity plan is to ensure the continuity of critical IT services in the event of a disaster. By following pre-established procedures, the plan must allow facilities to restart operations as quickly as possible (the recovery time objective, RTO) with minimal data loss (the recovery point objective, RPO).
According to Stéphane Dumont, Director of Technical Solutions at Logibec, best practices dictate three phases to maximize the availability of the technological infrastructure in the event of a disaster. First, data must be secured with a backup copy, one of the essential components of a continuity plan. Then, solutions must be kept up to date, with migrations or version upgrades carried out in due time. Finally, the team in charge must set up and implement a recovery plan and process for computer systems.
Critical success factors are planning, documentation of the impact of each process and rapid activation of the plan. The IT management team must define and establish its recovery time objective (RTO) and recovery point objective (RPO). This plan must be regularly tested to validate procedures, ensure that the plan is complete and achievable, and guarantee its success. As a result, the team is able to detect incidents as early as possible in order to minimize impacts, reduce recovery efforts and maintain service levels.
The cooperation of the various sectors, asset holders and users is critical to the success of the recovery plan. The impact assessment must be carried out by a multidisciplinary team that will offer its analysis and commitment. All stakeholders will be required in the event of a disaster.
In the COVID-19 Context
The Canadian Centre for Cyber Security alerts facilities that “the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic.”
Logibec also advises the implementation of backups on systems that previously appeared less critical, such as Med-Echo and Clinibase SICHELD. The current pandemic highlighted the ongoing need for information on these databases to support statistics and the monitoring of patient care episodes.
Information Security specialists at Logibec say that in times of a pandemic, “it is essential to remember the right reflexes, to test our recovery plans, our backups and our data recoveries. I also recommend the implementation of Security Table-Top Exercises. These provide a better understanding of roles and responsibilities during an incident, reinforce inter-team synergies, validate strategies and ensure that the continuity plan is up to date. Also, feel free to simulate critical system failures to validate your ability to recover and to detect any issues, such as non-functional backups.”