The Scarborough Health Network Breach + What We Can Learn From It

The healthcare industry is plagued by cybersecurity-related issues. Within the past few years, private patient information has grown to be one of the largest targets of cyberattacks. In 2021, nearly 40 million patient records were compromised and reported to the U.S. Federal Government. Cybercriminals have created countless pandemic-themed malicious campaigns in an attempt to compromise personal health information (PHI) and, in many cases, have succeeded.

Why Personal Health Information is Targeted

Personal health information, including dates of birth, home addresses, OHIP numbers, and patient ID numbers, is valuable data on the dark web and comes with a pretty price tag. As such, targeting hospitals serves as a lucrative opportunity for cyber attackers.

Most recently, three Toronto hospitals were victims of a significant data breach.

The Scarborough Health Network Breach

The Scarborough Health Network (SHN) issued a public notice this week after an “unauthorized actor” was discovered in their systems. The incident was first detected on January 25th when unauthorized access to private patient data on several servers occurred. The SHN said the “unauthorized actor” was shut out of the system by Feb. 1, ensuring that no further data beyond that date would be at risk.

The cybersecurity breach compromised patient data including, but not limited to, names, home addresses, dates of birth, immunization status, OHIP numbers, and insurance policy numbers.

Given the complexity of the situation, officials cannot currently determine which individuals were directly affected by the cyberattack or how many people were affected. As of now, the hospital network has not detected any malicious use of the compromised information. The “unauthorized user” was officially booted from the system on February 1st, meaning all patients at Birchmount Hospital, Scarborough General Hospital, and Centenary Hospital after this date are not at risk.

Similar Healthcare Cyber Attacks

Similarly, in 2019, three hospitals located in Toronto and Southwestern Ontario fell victim to a malware attack. The malware, known as ‘Ryuk,’ attacks computer systems while remaining undetectable to the average user for weeks, collecting information about patients to later weaponize for ransom threats. The attack affected both patients and staff: emails were taken offline, healthcare record access was more difficult, and patients had longer wait times. Luckily, no data was stolen and the networks were able to be restored.

However, these attacks are not isolated, and the healthcare sector remains one of the most targeted industries for cyberattacks. From reading about these events, we can deduce clear security practices that healthcare organizations and professionals should use to protect against cyberattacks in the future.

What We Can Learn

The recent Scarborough Health Network breach reminds us of the importance of cybersecurity in a day and age where more than 2200 cyberattacks occur every day. To keep information secure, here are some best practices:

1. Keep software up-to-date

Healthcare organizations are particularly vulnerable to malware attacks due to their reliance on specialized software which rarely gets updated. However, it doesn’t have to be this way. Consistently upgrading software (such as operating systems and anti-malware) to its latest versions will ensure that you have all the latest security updates to protect your systems from attacks.

2. Adopt 2FA / SSO across all platforms and devices

Using 2FA or Single Sign-on (SSO) for staff login on devices can protect against unauthorized access to patient information. This ensures that employees will need to confirm their identity before being able to access important data.

3. Educate staff about online risks and best practices

Oftentimes, non-technical employees are not experts in security and organizations do not formally train them on how to mitigate and recognize threats. As a result, cybersecurity threats may go undetected and human error can come into play. Creating a security plan and educating staff on security best practices can aid in the detection of suspicious activity early on and hopefully prevent breaches.

4. Encrypt data

Encryption is the best method for protecting personal health information. The process involves encoding data into ciphertext, making it difficult for unauthorized individuals to decipher or read. It can be difficult to do, so many health organizations use third-party software that automatically encrypts documents, like TitanFile. Automatic encryption creates an additional layer of protection for confidential information so that even if cyber attackers steal it, they won’t be able to utilize the data.

The Future of Healthcare

Since healthcare organizations have access to a lot of sensitive data, they’re always going to be a target of cyber attackers. While cyber-attacks are unavoidable, organizations can dramatically reduce the success rates of these attacks by enacting tighter security practices and policies, educating employees on risks, and updating software to reduce the likelihood of future data loss. Their reputation and patient trust depend on it.