From public health to cyber hygiene: Cybersecurity and Canada’s healthcare sector

Canadian healthcare and cybersecurity

According to cybersecurity expert David Kennedy, “the medical field is one of the worst when it comes to cybersecurity practices.” ¹⁸ Hospitals typically dedicate less than 3 percent of their budget towards IT, let alone cybersecurity. ¹⁹ While other critical infrastructures have a significant private sector component, in Canada, healthcare services are largely provided through public funding from the provincial and federal governments. This creates certain trade-offs. As one cybersecurity expert with experience working with US-based hospitals explained, healthcare professionals often cite financial constraints as a main barrier to implementing effective cybersecurity practices: If a hospital has a certain amount of funding and they can either use that to buy new life-saving equipment they have been waiting for, or, alternatively, to upgrade their network security, they will regularly choose the former. This sentiment illustrates one of the major barriers to changing cyber practices in Canada’s health sector; spending caps and gaps persist and cybersecurity is not traditionally viewed as an issue of patient safety or welfare. Other critical infrastructures like the finance and energy sectors may be targeted more often by cyberattacks, but they also have more resources available to them to guard against an evolving threat.

Canada’s regional health disparities also come into play. Healthcare is a provincially and territorially mandated sector, and as a result, health spending varies considerably. Health organizations in certain provinces have more sophisticated hospitals than other regions. As a result, bigger budgets lead to more advanced technologies, which lead to higher investments in cybersecurity. By contrast, health organizations in other regions of Canada continue to struggle to provide care. Cybersecurity risks are seen as an afterthought given these budgetary constraints. While cybersecurity within the healthcare sector is getting more attention—in part because the global pandemic has shone a light on the issue of information security—resources have yet to increase accordingly, let alone equally, across the country.

The mentality and workplace culture within Canada’s healthcare sector is another obstacle to building cyber-resilience. As several Canadian and international cybersecurity and healthcare experts explained to us, the individuals who run healthcare in Canada have a mentality of service and excellence, and of serving their patients and communities. By contrast, however, the very idea of cybersecurity is itself abstract. Canadian healthcare organizations have a hierarchy of concerns, with patient care at the top. Ultimately, healthcare decision-makers may not consider cybersecurity their primary concern; it is an IT problem, not a healthcare problem. In contrast, as another expert reminded us, not every cybersecurity challenge requires an IT solution. Insider threats, for instance, may require an operational, training, and managerial solution. Financial concerns exacerbate this dilemma: every healthcare dollar spent on cybersecurity is a dollar taken away from patient needs, potentially creating further resistance against cybersecurity from within healthcare institutions.

Another dilemma is the lack of information-sharing and transparency among and between different healthcare organizations regarding cybersecurity. When a cyberattack occurs, healthcare organizations may address the issue privately, if only to save face with the public, a challenge expanded upon in the case studies. This reflex is understandable, but it is also precisely the opposite response from that which is needed. A cyberattack happening in one place is inevitably happening elsewhere. As such, the timely and efficient sharing of information is crucial for implementing cyber-resilience across the sector and across the country. Public assurance might be best acquired by building robust cybersecurity measures.

The tension between safety and security is another barrier to cyber-resilience in Canadian healthcare. Safety entails ensuring that internet-enabled medical devices are not harmful to patients, while security refers to the vulnerability of internet-enabled devices to hackers. For example, how do we ensure that the device’s update (i.e., security) will not actually make the device more harmful (i.e., safety)? As it stands, healthcare has been largely focused on safety, to the detriment of security. One Canadian university professor cautioned that there currently exists a complacent attitude in Canadian healthcare, wherein basic security requirements are met without giving serious consideration as to whether these measures are enough to keep up with rapidly evolving cybersecurity trends.

Shifting to policy, given that the Canadian health sector is predominantly controlled on a provincial or territorial basis, significant comparisons must be drawn to develop an accurate national assessment of the sector’s overall approach to cybersecurity. Some overarching Canadian frameworks do exist; Canada has a general privacy framework, The Personal Information Protection and Electronic Documents Act, to which only four provincial health privacy laws have been declared substantially similar (Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia). ²⁰ Provinces and territories also differ on breach notifications: in the Northwest Territories and Ontario, notification is required in every case where personal health information is accessed, lost, or stolen. However, in New Brunswick, Nova Scotia, Newfoundland and Labrador, Prince Edward Island, the Yukon, and Alberta, notification is only required when the breach poses a reasonable risk of harm to the affected individual. Another unresolved issue is that many cyber breaches go undetected in the first place, and these various acts do not specify or require any standard of cyber detection in the safeguarding of Canadian health information. Even in analyzing cybersecurity within healthcare, Canada’s approach appears disjointed and regionally driven. For illustration, the Northwest Territories’ hazard identification risk assessment process identifies the risk of critical infrastructure failure within healthcare but neglects to address cyber vulnerabilities; failure is mostly understood as being driven by environmental causes, inaccessible winter roadways, and remote access. ²¹

Why target healthcare

Canada’s healthcare sector makes an inviting target for cyberattack for four principal reasons. First, as a critical infrastructure that serves as the very backbone for Canadian healthcare provision, the healthcare sector offers would-be hackers with a potentially high-impact and high-visibility target, a key motivator for certain actors who seek to sow public distrust and doubt in Canadian governments. Second, as in many other developed countries, Canada’s medical sector has experienced mass digitization over the past decade. ²² This trend has sped up with COVID-19. Digitization has itself led to an increased reliance on digital systems across the healthcare sector in service provision. In fact, wireless internet-enabled devices have become involved in every step of the healthcare process, from check-in services, to patient evaluations, diagnoses, and treatment services—and, with the recent arrival of Internet-of-Things (IoT) devices, wearable and implementable technologies are being developed to monitor patient health. ²³ By some measure, the global market size of IoT healthcare is expected to grow to over $185 billion by 2025; health data will grow in step. ²⁴ At the same time, a significant number of healthcare organizations are still using legacy systems which are outdated and insecure. ²⁵ A compounding factor is the “technological and organizational complexity of the industry, which makes it difficult to implement and maintain tight security controls.” ²⁶ As a result, this creates more vulnerabilities for potential hackers to exploit in order to access healthcare networks. For illustration, Shodan is a publicly available search engine of internet-connected devices. ²⁷ Using open-source intelligence, it lists all unpatched vulnerabilities and exposed ports associated with a particular network. For this reason, it is often referred to as “the world’s most dangerous search engine.” ²⁸ One study looking at exposed devices connected to hospital networks found that nearly 80 percent of the exposed devices in hospitals around the globe could be traced back to one hospital in Ontario, useful information for gaining entry into healthcare systems. ²⁹

Third, the time sensitivity inherent to healthcare provision makes the sector unique from other critical infrastructures. Without quick and accurate access to medical records, patient care can suffer delays, which can lead to lawsuits against doctors and hospitals. ³⁰ Within these constraints, patient safety is prioritized to the detriment of cybersecurity, and as a result, healthcare employees may be willing to cut corners in cyber hygiene and best practices if doing so provides faster care. ³¹ For illustration, surreptitiously encrypting hospital records in a ransomware attack has repeatedly proven to be a lucrative crime, leading to large ransom payments because hospitals cannot afford to lose access to patient files. ³² Indeed, healthcare providers may be especially prone and inclined to pay a ransom, to their own long-term detriment. As one expert explained, once this behaviour occurs and is repeated, the organization risks developing a reputation as an easy target; they prove themselves willing to pay a ransom to save people’s lives.

Fourth, the value of personal data has increased on the black market, which extends to healthcare data. In fact, in 2018, the price of stolen medical records was estimated to be worth more than ten times that of stolen credit card information. ³³ To put this into perspective, in 2018, the Canadian Internet Registration Authority estimated that confidential medical records could be sold for as much as $1,000 on the dark web versus $5 for credit card information. ³⁴ Medical records are in high demand because the detection period—the lag time between theft and awareness of the theft—is significantly longer than in the case of credit card theft; it can take hundreds of days for a healthcare organization to detect a data breach. ³⁵ That means criminals have more time to put the data to use; unlike stolen credit card information, the value derived from stolen healthcare is longer lasting. The healthcare sector is likewise targeted for purposes of industrial espionage due to the high value of its intellectual property and research data, something COVID-19 researchers are finding out today. Stolen research data, including patient data, can be highly profitable, because research trials require a significant financial investment coupled with years of diligent and careful work.

How to target healthcare

The healthcare sector can be targeted by a range of different types of cyberattack. Five stand out: data breaches, data manipulation, DDoS attacks, ransomware, and medjacking. In the case of data breaches, malicious actors may seek not only biometric and physical health data on individuals, but also other more tailored information such as recent prescriptions or medical interventions. While data breaches are often fuelled by financial motivations, other actors may steal health-related data for purposes of cyber-espionage and blackmail. The Danish Centre for Cyber Security categorizes these types of data breach as very likely. This subclass of data breach incorporates theft of intellectual property and personal health data of prominent officials—useful for extortion—and probes meant to survey the general cyber defence landscape across the sector or country. ³⁶

Similar to data breaches, health data manipulation attacks require a malicious actor to gain access to a digital health record, but instead of exfiltrating this data (or, perhaps, in addition to doing so), they change the information on hand, tampering with electronic health records, potentially causing patient mistreatment and misdiagnosis. ³⁷ An additional scenario envisions malicious actors erasing a patient’s known allergy or changing their prescription. Importantly, data manipulation could affect a broad range of healthcare organizations, beyond hospitals, medical clinics, and insurance companies. Changing an individual’s prescription might be most easily accomplished by hacking a local pharmacy, whose cybersecurity measures are likely to be even lower than a local hospital.

Alongside these data-related attacks, malicious actors might pursue DDoS attacks. Here the goal is disruption, rather than theft or manipulation of patient information. These attacks overwhelm web servers with unsustainable amounts of internet traffic, slowing or crashing a target’s ability to function properly. Attackers usually flood a server by first taking control of multiple network-connected machines, often by employing malware, which are then used to amplify web traffic. ³⁸ Distributed denial of service attacks on the health sector are neither particularly resource-intensive nor challenging to conduct.

Ransomware is a fourth, and increasingly prolific, type of cyberattack targeting healthcare actors: malicious actors infect a computer or network with malware which is used to lock the system until a financial ransom is paid. The data itself is not usually stolen; it is encrypted, depriving legitimate users of the ability to access it until and unless they pay a ransom. Like other forms of extortion, once a ransom is paid, users are—at least in theory—provided with an encryption key that unlocks their data. ³⁹ The malware that encrypts the data is usually delivered through a phishing email (which fools a user into clicking a link embedded with the malware); by brute-force attacks (where automated software cracks logins and passwords); or as a result of simple human error (where individuals fail to follow proper security protocols). Ransomware attacks share some general characteristics with DDoS and data breaches; they can cripple a healthcare provider’s operational ability and generate revenue for malicious actors. ⁴⁰

Medical device jacking, or medjacking, is a fifth type of healthcare cyberattack. In this case, malware is used against the IoT devices embedded across the healthcare ecosystem, from the tools designed to improve patient care or monitor employee productivity, to specific machines, like cardiac pacemakers, diagnostic equipment (e.g., MRIs), monitoring devices, and life support equipment (e.g., defibrillators). The primary concern with medjacking is that it may constitute the most direct threat to a patient’s physical health. The most frequently used hypothetical scenario is one in which malicious actors identify the serial number of an IoT medical device—a pacemaker, or insulin pump—and manipulate the device’s function, threatening the individual’s physical health. ⁴¹ These types of attacks have yet to occur, but are theoretically and technically possible, as aforementioned Government of Canada warnings illustrate. Current medical devices are built with an emphasis on safety (e.g., whether or not the pacemaker will work in extreme temperatures), rather than security (i.e., whether or not the pacemaker is easily hackable).

Who targets healthcare

A range of actors working both internationally and domestically might organize and conduct cyberattacks against Canada’s healthcare sector. Violent non-state actors, including extremist or terrorist organizations, might find Canada’s critical infrastructure an attractive target due to its high-profile nature. ⁴² Canada’s healthcare sector might be targeted to cause public panic and erode confidence in the Canadian government’s ability to secure and protect Canadians. For this class of actor, success would not necessarily be measured in financial gain, but rather in loss of life and civil disruption. For example, the UK’s NHS websites were hacked in 2017 by ISIS-linked militants and defaced with gruesome images of the Syrian civil war, possibly as a way to promote the group’s cause, humiliate the British government, drive recruitment to their organization, and/or spur sympathetic Brits into conducting domestic attacks. ⁴³ These defacements, however, had little practical effect on healthcare services. And yet, while several different terrorist groups have expressed an interest in conducting cyberattacks on critical infrastructure, only the most sophisticated groups have the ability to do so. ⁴⁴ Moreover, these same groups do not lack the means and motivation to get attention, kill and harm people, and embarrass governments using traditional and far less sophisticated physical attacks. In sum, then, while terrorists might be willing to attack Canada’s healthcare sector in cyberspace for a variety of reasons, doing so would require investments more efficiently served conducting other physical attacks.

Second, hacktivists—politically and thematically motivated non-state actors that use cyberattacks to draw attention to a cause—might target Canada’s healthcare sector. Hacktivists differ from terrorists in that their actions are usually non-violent in nature; they target specific people and organizations they deem problematic, but instead of intending widespread harm or destruction, they seek to promote their cause while degrading their opponent’s stature or capability. ⁴⁵ This suggests that hacktivists might prefer to conduct DDoS over other types of attack. Then again, hacktivist groups are often highly decentralized, with a wide range of hacking skills that vary from member to member. This makes hacktivist behaviour and motivation difficult to anticipate since any member can act on behalf of the group, a topic discussed in greater detail below.

Third, other nation states might target Canada’s healthcare sector. The concern here is two-fold and includes cyber espionage and cyberattack. The former is very likely; indeed, it has occurred repeatedly with regards to COVID-19 research, as noted in the introduction. Some foreign states possess both the intent and capability to commit cyber espionage with a view of accessing Canadian research data and intellectual property. Even before the pandemic, this type of activity was common: Chinese hackers targeted eighteen healthcare organizations in 2013 and 2014 alone. ⁴⁶ Foreign governments might target research data and intellectual property in the healthcare sector in order to gain a comparative advantage in medical research, to strengthen their own healthcare sector, or to simply gather other useful information and intelligence (including sensitive medical information of prominent individuals). ⁴⁷ For illustration, consider Deep Panda, a hacker group believed to be associated with the Chinese government. It carried out operations against health care service and insurance providers like Anthem, Empire Blue Cross Blue Shield, and Premera Blue Cross, stealing social security numbers and other sensitive information. Around the same time, related hacking groups targeted the US Office of Personnel Management, stealing information on millions of American federal employees, including financial information, social security numbers, and fingerprints. ⁴⁸ Some experts believe that the information stolen from these various hacks was purposefully combined and aggregated into a database for future espionage purposes. ⁴⁹ As for the latter type of state-sponsored cyberattack meant to cause harm, Danish intelligence suggests adversary states target the healthcare sector to identify potential cyber vulnerabilities which could be exploited in the event of a future geopolitical crisis or conflict. ⁵⁰ And yet, Canada’s healthcare sector may not be as attractive a direct target to adversary states when compared to other critical infrastructure, such as the energy or communications sectors. The healthcare sector is heavily reliant on essential services including energy, water, transportation, and communications technology, suggesting a hierarchy of targets. Healthcare may be at the bottom of the list if it can be intentionally crippled by the cascading effects of attacking other sectors.

Fourth, criminals tend to be active wherever a profit can be made and where the risks of attribution and apprehension are low. As a result, cyber crime is an especially attractive endeavour. Some criminal entities have the intent and capability to target Canada’s healthcare sector. The threat is two-pronged: cyber-enabled crimes and cyber-dependent crimes. ⁵¹ Both share a financial motive, but they differ in characteristics: cyber-enabled crimes are facilitated through computers (data theft); cyber-dependent crimes rely on computers as both a vehicle and a target (ransomware). On the former, criminal entities are thought responsible for approximately 48 percent of data breaches targeting the healthcare sector. ⁵² While certain criminal entities may have limited programming skills and will resort to purchasing hacking tools from the dark web, other organizations are known to have developed and deployed custom malware to target specific victims. ⁵³ For instance, consider the Orangeworm criminal hacker group. Approximately 40 percent of its victims are healthcare sector organizations located in the US, Europe, and Asia. The group is highly selective in its choice of victim and approach, conducting thorough research prior to carrying out their attacks, and deploying custom malware to infiltrate specific X-ray and MRI machines. ⁵⁴ On the latter—cyber-dependent crimes—ransomware has become the classic exemplar. For illustration, The Dark Overlord criminal group has targeted several international healthcare organizations. Their modus operandi has remained consistent: identify and target a vulnerable healthcare organization, steal or lock its files, and demand a cryptocurrency ransom. If a healthcare organization refuses to pay, the group releases stolen files onto the dark web for resale, publicly naming and shaming the targeted organization. ⁵⁵ Of all the different actors motivated to target Canada’s health sector, criminals of all stripes are the most likely to do so.

Fifth, and finally, current and former healthcare employees or personnel may be responsible for attacks on healthcare. Indeed, by some accounts, approximately 58 percent of cyberattacks affecting the healthcare sector were facilitated by insiders. ⁵⁶ At its broadest, an insider threat is defined as “the potential for an individual who has or had authorized access to an organization’s assets to use that access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.” ⁵⁷ The concern includes both individuals with a desire to cause harm (such as disgruntled employees) and others who inadvertently facilitate attacks by falling prey to phishing schemes, or otherwise share their passwords. Focus here will be placed on the former of the two. Traditionally, insider threats are thought to be influenced “by a combination of technical, behavioural, and organizational issues.” ⁵⁸ Under certain conditions, greed can play a role. As mentioned, selling unauthorized access to confidential records can be a lucrative business; employees with excessive debt may turn to illicit income streams. One survey of both Canadian and American healthcare organizations found that 29 percent of healthcare employees were aware of someone within their organization selling access to confidential patient data. Incredibly, an additional 21 percent of surveyed employees indicated that they would themselves be willing to sell access to patient data to make an extra profit. ⁵⁹ Doing so may appear as a victimless crime. Under other conditions, personal vendettas come into play; an employee may become so disgruntled with their place of work that they decide to retaliate by embarrassing or harming their employer. Stressful events such as employer sanctions that are perceived as unwarranted, or lack of recognition, can act as precursors to retaliatory behavior. Additionally, as the chief security officer of one Canadian provincial government health organization noted, employees may interpret the loss of a loved one or of a particular patient as the hospital’s or health organization’s fault; exposing a perceived wrongdoing motivates subsequent insider threat behaviour. In this case, the employee may grant third parties unauthorized access to confidential records to prove employer incompetence, a practice an expert noted occurs more often than most casual observers realize. Under a third set of conditions, employees may be blackmailed, coerced, or otherwise convinced to conduct insider attacks on behalf of an external actor, including criminal organizations. Luis Ayala, a technical expert with the US Department of Defense, argues that specific employees—against which the external actor has compromising information—may be purposefully recruited. ⁶⁰

Insights from past healthcare cyberattacks

A review of several different high profile, international cyberattacks targeting the healthcare sector over the past half-decade offers insights for Canada in preparing its own sector for a range of emerging challenges. We present three cases that span the different types of attacks, motivations, and perpetrators discussed in this paper, including a DDoS attack launched against the BCH (2014), a data breach targeting Anthem (2015), and a ransomware attack that struck the UK’s NHS (2017).

Securing Canadian healthcare: Lessons from abroad

The COVID-19 pandemic and the associated social, technological, and economic responses are forcing Canadians to reassess and reinterpret the cybersecurity challenges they face in securing their healthcare sector. While other countries find themselves in a similar immediate situation, many of them have previously addressed cybersecurity in healthcare as a result of local developments, past crises, and previous initiatives. Canada is still catching up, providing it with an opportunity to learn from others’ experience. By way of conclusion, what follows is an overview and analysis of different cybersecurity approaches and models derived from Australia, New Zealand, the UK, Norway, and the Netherlands, providing Canada with examples, highlights, and lessons for better protecting its own healthcare sector.

First, Australia’s Digital Health Cyber Security Centre was created as part of the Australian Digital Health Agency (the Agency) to help protect digital health technologies, safeguard personal health information, and improve the overall resilience of Australia’s healthcare sector. Because cybersecurity continues to evolve, the organization, in alignment with other federal partners—notably the Australian Cyber Security Centre—plays a key prevention role in developing cyber threat reports that outline emerging challenges, risks, and concerns that are likely to impact the healthcare sector directly. The Centre disseminates threat alerts and associated mitigation strategies to healthcare providers across Australia. It also provides nation-wide cybersecurity training and awareness campaigns to healthcare organizations and their personnel, adding another layer of protection. It provides a range of useful cybersecurity information to healthcare practitioners, from advice on building a culture of cybersecurity excellence, to protecting healthcare consumers and small businesses. The Centre also has a crisis management and leadership function: in the event a major cybersecurity attack successfully targets Australia’s healthcare sector, it would help coordinate the national response alongside other federal partners. ⁷² For Canada, the lesson might entail building a specific federal body or organization—potentially within or alongside CSE’s Canadian Centre for Cyber Security, Public Safety Canada, or the Public Health Agency of Canada—with a mandate to oversee cybersecurity within Canada’s healthcare sector, providing healthcare-specific best practices and advice that resonate across Canada’s provinces and territories. The organization would help level the disparities in Canadian healthcare that currently include inequalities in cyber-preparedness.

Second, the New Zealand Ministry of Health—in its capacity of exercising stewardship across the healthcare sector—created a healthcare cyber response plan specific to the sector. New Zealand’s healthcare system—much like Canada’s—is managed independently by district health boards. ⁷³ Traditionally, management extended to IT systems. Following the WannaCry attack, it became clear that this disparate approach to decision-making and information-sharing was less than optimal. As one New Zealand expert explained, if one healthcare organization is experiencing a problem, there is an increased likelihood that others are also experiencing the same issue, elevating the challenge to the national level and requiring government action. As a result, New Zealand began breaking down its healthcare silos. Its cyber response plan identifies criteria for the activation of a nation-wide and cross-sector response, clarifying issues over leadership and decision-making. New Zealand’s approach was to find a way to standardize incident escalation criteria and centralize strategic decision-making to make it more efficient, while at the same time respecting jurisdictional control over healthcare. In the event that a cyber incident meets the activation criteria, the Ministry of Health is given a mandate to facilitate and support a wider, cross-jurisdiction response. The plan has eliminated the ambiguity that once existed regarding crisis decision-making and emergency leadership. Importantly, it was created with bottom-up input from the sector itself to work with healthcare cultural norms, rather than against them. As a result of this input from the sector, the plan has cultivated support from health providers. Framing cybersecurity within the context of patient harm and trust and confidence—something the healthcare sector cares deeply about—has reduced resistance to cybersecurity planning within the sector. New Zealand’s collaborative approach with healthcare organizations in developing the cyber response plan has been a key part of its success. ⁷⁴ The lesson for Canada is that building a pan-Canadian cybersecurity response policy, plan, and strategy—alongside healthcare organizations—in advance of a major cybersecurity incident will go a long way in identifying the parameters of emergency response, management, and leadership that suits the sector’s unique organizational and jurisdictional constraints. Cybersecurity prevention may be the best cure.

Third, various healthcare-specific computer emergency response teams (CERTs) developed in the UK (CareCERT), Norway (HelseCERT), and the Netherlands (Zorg-CERT) were created to better prepare healthcare organizations to address cybersecurity concerns and challenges. CareCERT, for instance, was created as part of NHS Digital to provide situational awareness of the emerging cybersecurity landscape, and to carry out preventive assessments by training healthcare sector employees in cyber hygiene, providing guidance to healthcare organizations for improving their cybersecurity capabilities, and assisting in containing and defeating cybersecurity attacks if and when they struck. ⁷⁵ For example, as a result of a breakdown in communication among NHS organizations during the WannaCry attacks, CareCERT developed the capacity to deliver updates through SMS alerts to affected organizations. ⁷⁶ HelseCERT was likewise created because Norway understood that different critical infrastructures, including healthcare, needed dedicated and tailored resources, something that could not be assured by only one general CERT whose resources were shared across all critical sectors. As noted by an expert, the constant development and improvement of HelseCERT is a key deliverable according to the Norwegian Health Network’s mandate, and is publicly funded through Norway’s national budget; all government-run healthcare providers participate in the program, in addition to some private sector organizations, such as healthcare software developers. HelseCERT provides prevention services, including vulnerability overviews, white hat hacking exercises, and threat advisories, and provides advice and recommendations on how detected vulnerabilities can be mitigated. It also assists in event-response by coordinating efforts and facilitating information-sharing. Like its European counterparts, Zorg-CERT provides services for all healthcare providers in the Netherlands, including prevention and detection services, information-sharing, and incident response. ⁷⁷ It functions, however, as a non-profit organization, acquiring its funding partially from public funds and participating healthcare providers. The lesson for Canada is that healthcare, as a critical infrastructure, needs dedicated and nuanced cybersecurity attention, expertise, and support tailored to the specifics of the sector. Good cyber health flows from understanding the disease.

Taken as a whole, our exploration and analysis of Canadian healthcare cybersecurity suggests the discourse has begun shifting from public health and personal safety to national security. This shift in focus predates, but was accelerated by, the COVID-19 pandemic. Two avenues for further research present themselves. From an academic perspective, a more nuanced understanding is needed of critical infrastructure protection, both in theory and empirically. On the former, scholarship should continue broadening the traditional scope of critical infrastructure studies from the physical to cyber domains, and better incorporate state, sub-state, and societal perspectives into its analysis. ⁷⁸ On the latter, among and between the disparate infrastructure categories listed in Canada, empirical lessons in cyber and physical security from one might be better applied to another, building towards a general consensus of shared and transferable observations across all critical infrastructures. Similar analysis might probe commonalities among and between different countries, building towards an international consensus. From a policy perspective, these theoretical and empirical lessons might be better woven into practical responses, both in Canada and abroad, that help guide the development of functional and equitable cybersecurity systems that bridge the divide between federal, provincial, and local governments, and private, non-profit, and societal stakeholders.