Cyberattack on Hospital Provides Lessons for Health Providers

By: Sari Feferman

On June 14, 2021, Humber River Hospital’s information technology system was the target of a cyberattack. According to a report[1], the Hospital immediately shut down its system to prevent the ransomware from encrypting files and its systems remained inoperative for more than a week while the Hospital investigated and responded to the cyberattack.

The IT shutdown had a wide-ranging impact on the provision of care, including delayed test results, cancelled clinics, and ambulances redirected to other hospitals. Because the Hospital serves a high-need population, it did not consider temporarily cancelling all patient services. Ontario Health was closely monitoring the situation and provided support to the Hospital in responding to the cyberattack. In the interim, the Hospital relied on paper records to assess patients.

A group of emergency room (ER) physicians called for a temporary closing of the ER department and its normal activities as they believed the IT shutdown created a dangerous risk to patients. They anticipated delays in laboratory tests due to their inability to view and share diagnostic results, and they were worried that there would be lengthy waits for blood tests for at-risk dialysis patients. Notwithstanding this, the chief and medical director of the emergency department insisted that the ER was still delivering safe care to its patients and that there had been only one patient complaint regarding this issue.

All services otherwise continued, including surgeries, albeit at a slower pace as services were provided through paper records while the computers were checked and gradually reactivated. The Hospital rebuilt approximately 5000 computers while still providing services and care to patients and vaccinating the public. The Hospital also engaged resources from other hospitals that had dealt with similar viruses and conducted an investigation to determine the source of the ransomware.

Fortunately, the Hospital’s team noticed unusual activity very quickly (at approximately 2 a.m.) the day it struck and immediately shut down all systems and deactivated all computers. Because it caught the malware early, the Hospital did not receive demands for ransom and avoided the loss of data, mitigating the impact of what could have been a significantly worse attack. This experience demonstrates that organizations must exercise such diligence in order to catch cyberattacks early so as to place themselves in the best possible position to respond quickly and efficiently, allowing the ongoing provision of services to be prioritized.

Security incidents and cyberattacks are becoming harder and costlier to contain in part due to “drastic operational shifts during the pandemic”.[2] Hospitals and organizations can safeguard their online systems by constantly updating their computer virus detection system. In fact, the Hospital had just done that, applying a new patch approximately twelve hours before the cyberattack. However, the ransomware was a new variant not recognized by the patch. A study by IBM Security and Ponemon Institute found that organizations that implemented a hybrid cloud approach had lower data breach costs than those that had a primarily public cloud or private cloud approach.

Health care providers and other organizations can protect themselves from cyberattacks and reduce the cost of a data breach in a number of ways, including:[3]

  • Ensuring encryption on all IT systems;
  • Installing antivirus software and constantly updating their computer virus detection system;
  • Completing software and operating system updates and patches regularly;
  • Performing real-time scans and regularly scheduled scans of systems;
  • Training employees on using caution when opening attachments or links;
  • Granting minimal user privileges and access rights;
  • Completing frequent and regular backups; and
  • Having an efficient system ready to revert to paper records in the event of a cyberattack to ensure continuity of business and services.[4]

In responding to cyberattacks or security incidents, health care providers should engage IT and legal assistance at the earliest opportunity in order to mitigate risks. On a practical level (and with IT support), providers should also disconnect infected computers immediately and determine the scope of infection, the strain of ransomware and the best path towards recovery. Preventative measures should then be updated to address any weaknesses in security that were exposed by the incident.

If you or your organization requires assistance creating internal privacy and security policies or understanding privacy breaches and risk management, we would be happy to help.

[1] Megan Ogilvie, “Letter urges closing Humber River’s ER until IT systems fixed after cyberattack, but hospital says it’s safe”, Health Reporter, June 18, 2021.

[2] Lisa Gentes-Hunt, “Healthcare Data Breach Costs Surged During Pandemic”, Health IT Security, July 29, 2021 https://healthitsecurity.com/news/healthcare-data-breach-costs-surged-during-pandemic.

[3] Information and Privacy Commissioner of Ontario, “Protecting Against Ransomware”, Technology Fact Sheet, IPC, July 2016 https://www.ipc.on.ca/wp-content/uploads/2016/08/2016-07-07-1678_Ransomware_fact_sheet.pdf.

[4] Humber River Hospital, “Code Grey – Update #2”, June 18, 2021 https://www.hrh.ca/2021/06/15/code-grey-2/.
