And the stress involved in maintaining something as complex as health-care services may add to the vulnerability.
Spencer Callaghan, senior manager of brand and communication, spoke with The Telegram Tuesday, Nov. 2, in the wake of a major cyberattack on Newfoundland and Labrador’s health authorities that has caused thousands of cancelled appointments and procedures.
Eastern Health is the most severely affected, but other regions have also had to delay non-essential surgeries and services such as chemotherapy.
Officials won’t divulge whether the Newfoundland attack is ransomware — in which the hackers extort the organization for money to unlock the system — but details so far indicate that’s likely the case.
The RCMP confirmed Tuesday the case is being investigated by its cybercrimes division.
“There are ways to mitigate it, but it’s not easy,” Callaghan said. “It would really depend on the sophistication of the organization and what kind of backups it had in place.”
A lot would depend on whether there is sufficient redundancy built in, he said.
Giving in
Ransomware has become an increasingly common form of cyberattack in Canada, and a majority of businesses and institutions are willing to simply pay the ransom rather than fight the invasion and possibly lose data.
That was evident in the results of a CIRA-sponsored annual survey of more than 500 IT managers across the country that was released last month.
Almost one in five reported some form of ransomware attack in the past year, and almost 70 per cent admit that the organization gave in to the hackers’ demands.
“I actually wouldn’t have been surprised if it were higher, because ransomware is definitely on the rise. It’s one of those cybercrimes that’s increasing in frequency and really in the way it impacts our society,” Callaghan said.
The demands — which usually involve using cryptocurrency — are not always extravagant, he added.
“The funny thing about the ransom is that in many cases it’s not that high. … One of the advantages of this type of crime is that if you set the ransom relatively low, you’re more likely to get paid.
“If I’m an IT manager, and I know that it’s going to take me three weeks and thousands and thousands of dollars in order to rebuild my systems, and someone’s asking me for two ethereum (approximately $10,000 CAD), I might just pay that to move on.”
Prey on emotion
Implementing layers of protection is an important defence against cyberattacks, Callaghan said.
“It’s like your house. You might lock your door, but then you might also put up a camera. You might put up a fence and gate. With cyber security, it’s the same. You generally want to have a variety of layers of defence.”
Nonetheless, cyber criminals almost always look for the weakest link, and that usually involves exploiting someone’s emotions.
You might get an email telling you you’ve been fined, or are being investigated by authorities — or something positive like you’re getting a raise.
“If you look at the example of the health-care system in Newfoundland … if you think about those environments, they’re high-stress, high-anxiety environments. Add in the complications around COVID and full waiting rooms and full operating rooms and surgeries being cancelled and all that sort of stuff that we’re seeing across the Canadian health-care system, there’s a lot of anxiety, there’s a lot of stress, there’s a lot of fear, and these sorts of attacks prey on that type of emotion,” he said.
The most important protection is employee training — and updated training, since cybercrimes are constantly evolving.
“You can have the best technical defence possible, but at the end of the day, if someone clicks on a link that they shouldn’t click on, or does something they shouldn’t do, in a lot of ways it’s like unlocking the door.”
Callaghan said governments must take a long look at how they allocated funding for cybersecurity, particularly in an era when health dollars are stretched to the limit.
“How do you weigh cybersecurity protection vs. a new MRI machine?” he said.