From public health to cyber hygiene: Cybersecurity and Canada’s healthcare sector

Author: Olivia Williams, Harrison Luce, Nelson Costa, Alex S. Wilner, Eva Ouellet
DOI: 10.1177/00207020211067946
Published date: 01 December 2021
Subject Matter: Scholarly Essay
International Journal
2021, Vol. 76(4) 522–543
© The Author(s) 2022
Alex S. Wilner, Harrison Luce, Eva Ouellet, Olivia Williams
and Nelson Costa
Carleton University, Ottawa, ON, Canada
Abstract
The COVID-19 pandemic has ushered in a wave of cyberattacks targeting the healthcare sector, including against hospitals, doctors, patients, medical companies, supply chains, universities, research laboratories, and public health organizations at different levels of jurisdiction and across the public and private sectors. Despite these concerns, cybersecurity in Canadian healthcare is significantly understudied. This article uses a series of illustrative examples to highlight the challenges, outcomes, and solutions Canada might consider in addressing healthcare cybersecurity. The article explores the various rationales by which Canadian healthcare may be targeted, unpacks several prominent types of cyberattack used against the healthcare sector, identifies the different malicious actors motivated to conduct such attacks, provides insights derived from three empirical cases of healthcare cyberattack (Boston Children’s Hospital [2014], Anthem [2015], National Health Service [2017]), and concludes with lessons for a Canadian response to healthcare cybersecurity from several international perspectives (e.g., Australia, New Zealand, the UK, Norway, and the Netherlands).
Keywords
Healthcare, COVID-19, cybersecurity, ransomware, Canada, critical infrastructure
Corresponding author:
Alex S. Wilner, Norman Paterson School of International Affairs (NPSIA), Carleton University, Richcraft Hall, 1125 Colonel By Drive, Ottawa, ON K1S 5B6, Canada.
Email: alex.wilner@carleton.ca

As the COVID-19 public health crisis continues to unfold and evolve, the health sector has emerged as an appealing target for cyberattacks; the sector is, by some accounts, at its most vulnerable.¹ The COVID-19 pandemic has, as Canada’s Communications Security Establishment (CSE) underscored in its November 2020 National Cyber Threat Assessment, ushered in a wave of different types of cyberattacks targeting the healthcare sector, including against hospitals, doctors, patients, medical companies, supply chains, universities, research laboratories, and public health organizations at different levels of jurisdiction and across the public and private sectors.² Recent examples illustrate the scope of the challenge. In June 2019 and March 2020, Health Canada warned that certain wireless medical devices, including insulin pumps, pacemakers, and blood glucose monitors, were vulnerable to cyberattack. The vulnerabilities could allow malicious actors to deadlock the devices.³ In other developments, foreign states have hacked medical laboratories and biotech companies in order to steal research.⁴ The US accused Chinese state hackers of doing this in May 2020.⁵ Weeks later, the US, UK, and Canada issued a joint advisory noting that malicious actors—“almost certainly part of the Russian intelligence services”—were conducting cyberattacks on organizations involved in developing COVID-19 vaccines, with the intention of stealing information and intellectual property.⁶ Microsoft followed suit with a November 2020 warning that it had detected state-backed hackers from North Korea and Russia targeting vaccine researchers in Canada, France, India, the UK, South Korea, and the US.⁷ IBM issued similar warnings regarding a “global phishing campaign” targeting organizations involved in the COVID-19 vaccine “cold chain,” a part of the vaccine supply chain that ensures the “safe preservation of vaccines in temperature-controlled environments.” IBM noted that the “precision targeting of executives and key global organizations” during the phishing campaign had the “hallmarks of nation-state tradecraft.”⁸

Besides crashing medical devices or stealing data, ransomware attacks against healthcare organizations have also spiked in recent months. On 28 October 2020, the US Cybersecurity and Infrastructure Security Agency issued an unprecedented warning
1. David Burke, “Hospitals ‘overwhelmed’ by cyberattacks fuelled by booming black market,” CBC, 2 June 2020.
2. Canadian Centre for Cyber Security, National Cyber Threat Assessment 2020, November 2020.
3. Health Canada, “Certain older Medtronic MiniMed insulin pumps may be vulnerable to cybersecurity risks,” 29 June 2019; Health Canada, “Cybersecurity risks associated with some medical devices with Bluetooth and Low Energy chips,” 11 March 2020.
4. Robert Lemos, “State sponsored cyberattacks target medical research,” DARKReading, 21 August 2019.
5. Federal Bureau of Investigation, “FBI and CISA warn against Chinese targeting of COVID-19 research organizations,” 13 May 2020.
6. National Cyber Security Centre, “Advisory: APT29 targets COVID-19 vaccine development,” 16 July 2020.
7. Gordon Corera, “Coronavirus: North Korea and Russia hackers ‘targeting vaccine,’” BBC, 13 November 2020.
8. Claire Zaboeva and Melissa Frydrych, “IBM uncovers global phishing campaign targeting the COVID-19 vaccine cold chain,” Security Intelligence, 3 December 2020.