Physician systems under attack by ransomware

TORONTO – It’s not just hospitals that have been targeted by hackers using ransomware to disable computer systems holding patient records. Doctors’ offices, too, have been hit, with thousands of records becoming inaccessible, says the Canadian Medical Protective Association (CMPA).

In some cases, medical offices are spending two or three days restoring their systems from backup sites; in more dire instances, they are losing masses of crucial data, says the CMPA.

As a result, physicians are missing key aspects of patients’ history when diagnosing health issues, says Dr. Dennis Desai (pictured), a physician adviser at the CMPA, which provides liability coverage for most of Canada’s MDs.

“The doctors are under attack,” he said. “We are getting physicians on a regular basis saying, ‘I have a computer, I got locked out, I have ransomware.’ … They’ve been asked to pay in bitcoin. They’re asking us, ‘Should I pay it?’ ”

The theoretical threat of ransomware to Canadian healthcare been much discussed lately, especially since the global “Wannacry” outbreak struck several British hospitals in May.

But according to the National Post, the CMPA’s revelations appear to be the first public acknowledgement of actual patient data in this country being affected by the increasingly common form of cyber crime.

The office of Brian Beamish, Ontario’s privacy commissioner, said it has also received 10 reports of ransomware attacks on doctor’s offices or clinics since the start of 2016, calling it an “increasingly dangerous” threat to the security of health records.

In simple terms, attackers freeze up computers by encrypting data and then demand a payment – usually in digital bitcoin – to unlock the files. Even if ransom is paid, there is lingering concern about what hackers might do with the data.

No Canadian hospital – as opposed to a doctor’s office – has publicly admitted to being a victim. But Bill Tholl, chair of a federal committee on cybersecurity and critical infrastructure, confirmed that it has happened here, with medical files involved.

“There have been some hospitals that have been attacked and have paid ransom in bitcoin, in Canada,” he said. “It was the Wannacry kind of event … It’s not individual patient files; they lock up everybody.”

The CMPA published an article this week urging physicians to ensure they have robust backup systems, vigorously guard against infection by computer viruses – and not pay ransom if they are targeted.

It seems to be a burgeoning problem, with one expert estimating the number of ransomware attacks has soared 600 per cent just in the past year, said Tholl, former CEO of HealthCareCan, which represents hospitals and other medical facilities across the country.

And for various reasons, medical data is a prime focus, 10 times more likely to be targeted than even banking information, he said.

That reality was driven home by Wannacry, which caused 16 hospitals in Britain’s National Health Service to shut down at least part of their operations.

In the U.S., at least two major facilities have taken significant hits from more isolated attacks. Most recently, computers at Erie County Medical Center in Buffalo were down for six weeks earlier this year after hackers demanded $44,000 in bitcoin, a sum the facility refused to pay.

Kevin Magee, a cybersecurity consultant who is on Tholl’s federal committee, said Canadian hospitals have so far been relatively unscathed, partly because they seem disciplined about installing security patches to protect against malware.

Simple computer “hygiene” – not clicking on suspect links or attachments in emails that can usher viruses into a system – is also effective, experts say.

But Wannacry showed cyber criminals the lure of pursuing healthcare institutions, where lives could actually be endangered by a sudden computer failure, Magee said.

“It was an advertisement to hackers to say, ‘They’re ripe for the picking, they’re a very high probability, low-risk target,’” he said. “The media coverage is extensive, which provides incredible pressure on the organization to pay.”

Desai said the physician offices affected by ransomware – some housing several doctors – typically have one computer system that covers everything from appointment scheduling to patient charts. And more than 70 per cent of physicians now have electronic medical records.

Being without those charts even for a couple of days is a problem, he said.

“The patient comes in with a sore throat and you’re going to prescribe an antibiotic. But (maybe) they’ve got an allergy to penicillin, or they had a previous problem with a cancer and this might be a recurrence,” said Desai. “You really need to know that information.”

Most offices do have their files backed up, meaning a compromised system can be purged and then restored from other sources, but that can be an arduous process, he said.

The CMPA, like most other experts, advises against paying a ransom, as it may simply set up the clinic to be menaced again, and is no guarantee files will be unlocked, said Desai.

A national policy against hospitals paying ransom would be ideal, but not practical until all the facilities have implemented adequate, daily backup of patient data, said Tholl. Some have yet to take that step.

Meanwhile, the ransomware threat is expected to keep growing, and become increasingly sophisticated, said Magee.

That could mean hackers demanding ransom with more insidious forms of pressure, such as threatening to change blood type or other key facts in patient records, publish private charts or emails, or meddle with computer-connected medical devices, he said.

Tholl said the healthcare system, once skeptical of the threat, now takes it very seriously.

A survey done for HealthCareCAN after the Wannacry incident found 85 percent of those officials felt their institutions were very or somewhat vulnerable to cyber assaults.