Abstract
With support from Public Safety Canada’s Cyber Security Cooperation Program, HealthCareCAN and the Digital Governance Council developed a new standard to support cyber resiliency in Canada’s healthcare system. With a clear framework and enhanced cybersecurity capabilities, healthcare organizations will be better protected from cybercrime, allowing them to respond more effectively to evolving threats and defend critical infrastructure. Health and information technology leaders can derive practical guidance and next steps from this three-year national project to enhance cyber resilience and improve safety within their organizations.
Cybersecurity is a critical patient safety issue
Virtual health, telemedicine, smart medical devices, and electronic health records are just a few concrete examples of how digital transformation is reshaping our healthcare system. Through the adoption of innovative technologies and digital solutions, healthcare organizations can enhance patient care and clinicians can more confidently diagnose and treat disease. While the digitization of healthcare has revolutionized the practice of medicine and led to major advancements in patient care and research, exposure to cyberthreats is a growing concern.
The Royal Canadian Mounted Police (RCMP) defines cybercrime as “any crime where a cyber element (that is, the Internet and information technologies such as computers, tablets, or smart phones) has a substantial role in the commission of a criminal offence.” 1 Across Canada, cybercrime has steadily increased in recent years, and healthcare organizations are a leading target. The Canadian Centre for Cyber Security reports that healthcare organizations such as hospitals, medical clinics, and other frontline services will continue to be targeted by cybercriminals. 2
Cybercrime is of particular concern for the health sector because vulnerabilities threaten not only the security of information systems but also the health and safety of patients. Healthcare organizations depend on vast amounts of technology to provide care, and the personal health information, intellectual property, and operational data these facilities hold are of high value to cybercriminals. Health information is widely regarded as the most sensitive category of personal information, and it commands a significantly higher value on criminal markets than financial and other personal information.
The COVID-19 pandemic has presented an elevated risk to the cybersecurity of Canadian healthcare organizations. Pandemic-related changes within Canada’s healthcare system, including the rapid expansion of virtual care, telemedicine, and remote work, have widened the attack surface and heightened existing vulnerabilities. Cybercriminals quickly took advantage of the pandemic, using the increased pressure facing critical sectors as leverage to extract ransom payments. While the rate of ransomware attacks has drastically increased across all sectors, healthcare has been disproportionately targeted. 3
The cyberattack on the Hospital for Sick Children (SickKids) in December 2022 is one recent example. Another occurred on October 30, 2021, when a cyberattack perpetrated by the HIVE ransomware group impacted information technology systems supporting the delivery of healthcare services across the province of Newfoundland and Labrador. The group accessed the province’s healthcare technology infrastructure, resulting in a systems outage. The attack led to the cancellation of thousands of medical appointments and procedures and compromised confidential information belonging to more than 2,500 patients and staff. 4 As these and many other examples show, from delayed treatments and procedures to the theft of sensitive personal data, cybersecurity is not simply an “information technology issue”; it is an urgent patient safety concern.
Development of a national standard
Use of information and communication technology is growing rapidly in the healthcare sector. While most organizations recognize that a baseline level of security awareness and assessment is essential, the degree of preparedness varies widely across the sector. The current landscape suggests that healthcare organizations are highly vulnerable to cyberattacks and that the sector is increasingly valued as a target for several reasons: the personal information it holds, its financial resources, its high profile and the impact of disruption, and pandemic-related pressure. 5 Wilner et al. describe potential barriers to cyber resiliency within Canada’s healthcare system, pointing to financial constraints and competing priorities, workplace culture, and a lack of information-sharing and transparency. 6
Through extensive consultation with health leaders across Canada, several opportunities to enhance cyber resilience have been identified. 7 Chief among these recommendations is a commitment to fostering a culture of cybersecurity within Canada’s health system by developing a national standard that will help organizations address existing vulnerabilities and prepare for future incidents. 8 With support from Public Safety Canada’s Cyber Security Cooperation Program beginning in 2022, HealthCareCAN and the Digital Governance Council (formerly the Chief Information Officer (CIO) Strategy Council) have developed a national standard to support cyber resiliency in Canada’s healthcare system.
Entitled Cybersecurity: Cyber Resiliency in Healthcare, the National Standard of Canada was informed by the Digital Governance Council’s extensive network of digital and information technology experts and HealthCareCAN’s extensive network of health leaders across Canada. Hundreds of thought leaders, cybersecurity experts, health leaders, and stakeholders brought their perspectives to the development of the standard through a rigorous standards development process.
The standard incorporates guidelines and best practices that healthcare organizations can use to improve their cybersecurity posture. From hospitals and research institutes to medical clinics and virtual care providers, the standard is designed to help organizations across Canada’s healthcare system manage the risks associated with the use of health information and information technology and protect their organizations from cybercrime. Addressing a broad range of topics and considerations, from organizational risk management, leadership and education to cyberincident response and contingency planning, the standard provides guidance on how to identify, assess, and manage cyber risks in Canada’s healthcare organizations.
Methods
Needs assessment
In February 2022, a National Standard of Canada proposal was approved by the Standards Council of Canada and the Digital Governance Council Standards Policy Committee. On March 9 and 10, 2022, HealthCareCAN and the Digital Governance Council co-hosted a series of focus groups in English and French with the goal of acquiring feedback from healthcare and health technology leaders across Canada on their concerns, issues, and needs around cyber resilience in healthcare.
The focus groups saw participation from over one hundred healthcare technology leaders and a multitude of other key stakeholders from across Canada and internationally. Representation included hospitals and healthcare organizations, academic and research institutes, national, provincial, and territorial governments, industry, legal professionals, and insurance organizations. These participants from the HealthCareCAN and Digital Governance Council memberships were asked five key questions:
1. What is your biggest area of concern if you become the target of a cyberattack?
2. What is the biggest risk to the healthcare system today?
3. What focus areas would you like to see included in a National Standard of Canada?
4. What are the critical success factors regarding the development and implementation of a national standard for the cybersecurity of Canada’s healthcare system?
5. Does your organization currently use, or is your organization looking to adopt, a recognized information/cybersecurity standard?
Input from the focus groups was consolidated into a formal report that guided the development of the standard. Respondents identified patient care and safety, protection of health information, and the ability to ensure continuity of care as the most pressing areas of concern. Participants also felt that a Canada-wide, healthcare-specific approach would be needed to address the most common risk factors facing healthcare organizations, including ransomware and legacy information technology infrastructure. Because many organizations would require additional resources to implement such a program, participants felt that a tiered approach would ensure accessibility for all organizations within Canada’s healthcare system. Participants emphasized the need for extensive training for frontline and clinical staff, with supporting educational materials.
Development and Technical Committee review
To inform and oversee the development of the standard, HealthCareCAN and the Digital Governance Council formed a Technical Committee of cybersecurity experts from healthcare organizations, government, and the private sector. The Technical Committee is responsible for developing, approving, and interpreting the standard, as well as reviewing it every five years. An Expert Drafting Team of ten members with broad stakeholder representation, including government, the private sector, and industry, was assembled to develop the first draft of the standard. Completed in November 2022, the first draft was submitted to the Technical Committee for review and comment in January 2023.
Stakeholder and public engagement
A consultation session was held on January 19, 2023 in English and French with representation from health leaders, patients, and caregivers across Canada. HealthCareCAN members participated in the session and provided their feedback on the draft standard both orally and in writing. Members that were not able to attend the virtual consultation session were invited to provide their feedback in writing.
The Technical Committee review saw excellent engagement across Canada, with 600 views of the standard and 118 unique comments. During the review, members of the Technical Committee emphasized the important role of leadership in cybersecurity risk management and in strengthening cybersecurity awareness. Key themes included clarifying the roles and responsibilities of the leadership team, and the setting and achievement of cybersecurity policies and objectives.
Meetings of the Expert Drafting Team were held in January and February 2023 to complete the disposition of comments on the draft standard. Given the depth of the comments received, the Technical Committee reviewed the revised draft standard in March 2023.
A 60-day public review began on April 27, 2023 and closed on June 27, 2023, providing an additional opportunity for cybersecurity experts, health leaders, and stakeholders across Canada to provide feedback on the standard. The draft was made publicly available on the Digital Governance Council’s website, and stakeholders were invited to review and contribute. The public review, which included in-person and virtual consultation sessions in June 2023, saw over 700 unique reviewers of the draft standard and 40 unique comments, which were reviewed by the Expert Drafting Team and dispositioned by the Technical Committee.
Key themes from the public review included the inclusion of additional cybersecurity resources; strengthening the role of governance and board members in cybersecurity; coverage of remote patient monitoring, threat management, and vulnerability management; strengthening security controls across the data lifecycle; and additional requirements around network controls. Reviewers also provided feedback on how the standard can be properly implemented and used by organizations. Many reviewers noted a desire for some form of minimum mandatory compliance, including future linkage to a certification program and accreditation standards.
The standard is available for download free of charge for health leaders, organizations, clients, and the public to access in English and French.
Guidance for health leaders
Cybersecurity has evolved from being viewed as an information technology function to being recognized as an organizational risk. It is imperative that health leaders, including the Board of Directors, Chief Executive Officer (CEO), and senior management team, maintain an understanding of cybersecurity risks and assume ultimate accountability and responsibility for the organization’s cybersecurity posture. Cybersecurity: Cyber Resiliency in Healthcare offers guidance for health leaders who wish to make cybersecurity an integral part of the organizational culture, addressing key areas of concern such as organizational risk management, education, technology controls, healthcare technology considerations, cyberincident response planning and protocols, contingency planning, monitoring, and measurement.
Leadership commitment and communication are the foundation of an effective cybersecurity program. Health leaders can demonstrate their commitment by ensuring that cybersecurity policies and objectives are established and aligned with the strategic direction of the organization. Further, leadership must ensure that the resources needed for the cybersecurity program are available and aligned with the cybersecurity policy and objectives. The standard recommends that a member of the senior leadership team be appointed to oversee the organization’s cybersecurity program. Suggested roles and responsibilities include: developing and implementing an organization-wide cybersecurity program; documenting and disseminating information security policies and procedures; coordinating the development and implementation of an organization-wide information security training and awareness program; determining and recommending to the leadership team the organization’s target cyber risk level; tracking and providing periodic reports and status updates against that target; coordinating the response to actual or suspected breaches; identifying organizational risks and prioritizing risk treatment; and delegating information security responsibilities as required.
The standard emphasizes the importance of developing and maintaining a cyberincident response plan. Incorporating business continuity and disaster recovery plans, the cyberincident response plan details the steps for identifying, containing, and eradicating threats and for recovering systems and operations. Effective cyberincident response plans define roles and responsibilities for handling an incident and set out communication protocols for incident response team members and for internal and external stakeholders, so that decisions such as isolating affected systems or notifying patients and regulators are not improvised during an outage.
While these principles and processes form the governance of cybersecurity within healthcare organizations, one of the most effective ways to protect an organization is to build a cyber resilient workforce. Health leaders must ensure that all employees are educated on basic security practices, with a focus on practical and easily implementable measures such as the effective use of passwords, identification of malicious e-mails and links, use of approved software only, and appropriate use of the Internet and social media. Beyond these basics, cybersecurity training should be customized to the roles and responsibilities of each group of employees, since clinicians, administrators, and information technology staff face different threats and make different security decisions.
Moving toward enhanced safety in Canadian healthcare
The strain COVID-19 placed on healthcare capacity is a reminder of how critical it is for our healthcare infrastructure to be resilient in times of crisis. With the confidentiality of patient data and the availability of medical devices and treatments at stake, digital hygiene must be regarded as a basic and essential component of our healthcare system.
Standards that can be implemented and sustained are essential to protecting patient safety in a digitally reliant health system. Cybersecurity: Cyber Resiliency in Healthcare can help health leaders identify and address vulnerabilities in their digital infrastructure and reduce the likelihood and impact of cyberattacks. A clear framework and enhanced cybersecurity capabilities will better protect Canada’s healthcare organizations from cybercrime and allow them to respond more effectively to evolving threats and defend critical infrastructure.
Cyber resilience describes an organization’s ability to continue delivering services despite experiencing adverse cyberevents. Suggested areas of further expansion of this national standard of Canada include mandatory compliance, such as inclusion in accreditation processes, mandatory reporting, and the need for further investment in enhanced infrastructure, education, and training.
Published in 2023 and to be revised every five years, Cybersecurity: Cyber Resiliency in Healthcare will continually evolve to meet the needs of healthcare organizations across Canada. HealthCareCAN and the Digital Governance Council will continue to disseminate and share the standard, as well as key findings and lessons learned from this project with health leaders across Canada to ensure that our healthcare system remains resilient, safe, and one that all Canadians can depend on.
Footnotes
Acknowledgements
We thank members of the Technical Committee on Cybersecurity and the following members of the Expert Drafting Team for their expertise and guidance throughout the development of the national standard, Cybersecurity: Cyber Resiliency in Healthcare: Darryl Kingston, Digital Governance Standards Institute; Jonathan Mitchell, HealthCareCAN; Claire Samuelson, HealthCareCAN; Victor Beitner, Cyber Security Canada; Raphael Jauvin, Canada Health Infoway; Charles Lewis, Canada Life; Kopiha Nathan, Healthcare Insurance Reciprocal of Canada (HIROC); Jim St. Clair, Linux Foundation Public Health (LFPH); Eric Sutherland, Public Health Agency of Canada (PHAC); Nada Tamim, CIUSSS du Centre-Ouest-de-l’Île-de-Montréal; and Ann-Marie Westgate, Canada Health Infoway.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by Public Safety Canada.
Ethical approval
Institutional Review Board approval was not required.
