2023 marked another high-water mark for the use of digital healthcare in Canada. However, as waves of optimism grow about how greater use of virtual health, telemedicine, wearables, and electronic health records can improve access to care and outcomes, so too do fears of a sinister danger in our brave new digital health world: cyber attacks.
Major cybersecurity incidents continue to occur in healthcare across Canada. Just a few months ago, five hospitals in southwestern Ontario were victims of a cyber-attack affecting email and patient records, leading to delays and cancellations for patients. In December 2022, SickKids Hospital was targeted by a partner of the LockBit ransomware, leading to patient treatment delays. In October 2021, a ransomware attack in Newfoundland & Labrador delayed thousands of appointments and medical procedures, exposed sensitive data, and resulted in $16 million in damages. These are just a few of the recent healthcare cyber-attacks in Canada.
Cyberthreats are among the greatest fears of healthcare leaders. Patient data held hostage, computer systems frozen in limbo and thousands of procedures cancelled are just some of the worst-case scenarios that churn in their minds. HealthCareCAN has taken the concerns identified by our member institutions very seriously, working since 2017 to develop policies, recommendations for action, and tools to help hospitals, health authorities, healthcare and health research institutions reduce the risk of cyber threats.
What we learned from our cybersecurity work with health leaders from coast to coast to coast was that Canada’s lack of healthcare-specific cybersecurity standards was significantly increasing the risk to healthcare institutions. To correct this situation, HealthCareCAN provided leadership to determine that a standard was needed, then developed the project with the Digital Governance Council and support from Public Safety Canada’s Cyber Security Cooperation Program.
Entitled Cybersecurity: Cyber Resiliency in Healthcare, the new national standard of Canada leverages HealthCareCAN’s extensive network of healthcare leaders across Canada and the Digital Governance Council’s wide-ranging network of digital and information technology experts. Hundreds of thought leaders, cybersecurity experts, health leaders and stakeholders brought their unique perspective to the creation of the standard through a rigorous standards development process.
The standard incorporates guidelines and best practices that healthcare organizations can use to improve cybersecurity within their institutions. From healthcare organizations and research institutes to medical clinics and virtual care providers, the standard is designed to help organizations across Canada’s healthcare system manage the risks associated with the use of health information and information technology and protect their organizations from cybercrime.
Addressing a broad range of topics and considerations, from organizational risk management, leadership and education to cyber incident response and contingency planning, the standard provides guidance on how to identify, assess, and manage cyber risks in Canada’s healthcare organizations.
Fundamentally, communication is the foundation of an effective cybersecurity program. Health leaders can demonstrate their commitment to cybersecurity by ensuring that policies and objectives are established and aligned with the strategic direction of the organization.
As COVID-19 stretched healthcare capacity, we were reminded of how critical it is for our healthcare infrastructure to be resilient in times of crisis. With the confidentiality of patient data and the availability of medical devices and treatments at stake, cyber hygiene must be regarded as a basic and essential component of our healthcare system.
Cybersecurity: Cyber Resiliency in Healthcare can help health leaders navigate and address vulnerabilities in their digital infrastructure and prevent cyberattacks. A clear framework and enhanced cybersecurity capabilities will better protect Canada’s healthcare organizations from cybercrime and allow them to respond more effectively to evolving threats and defend critical infrastructure.
While it is impossible to completely eliminate cyber threats from Canadian healthcare, HealthCareCAN and our partner, the Digital Governance Council, are committed to supporting the spread and use of the standard, and we encourage all health leaders to apply it in their institutions.
We will also continue to share key findings and lessons learned from this project with health leaders across Canada to help ensure that the people of Canada can depend on their healthcare system to be resilient and safe in the face of cyber threats.
The standard is available in English and French on both the HealthCareCAN and Digital Governance Council websites (links to both to be provided once live on Nov. 29).
By Paul-Émile Cloutier
Paul-Émile Cloutier is President & CEO of HealthCareCAN.