Electronic Medical Records Held Hostage – in Canada?!
Imagine getting into a car accident and being rushed to the Emergency Department – only to be turned away because they do not know what to do with you. They cannot access your medical records. They do not know your personal history, nor what meds you are on. MRI scans, CT scans, X-ray scans – all blocked. All held hostage by Ransomware.
Just when you thought that this was an “American problem” subject to American fuel, American food, American infrastructure – the threat of cyber attacks has landed on Canadian soil. No longer just a threat, but a reality.
On June 18, 2021, Global News reported that the Toronto Humber River Hospital issued a code grey for a Ransomware attack. A code grey means a loss of power/telecommunications. It also encompasses utilities (loss of clean water, closure of air supply, sewage problems).
Toronto Humber River Hospital reports that the Ransomware attack occurred at 2 am on June 14, 2021 and reassured the public that patient information was not “released or compromised”. There were, however, “corrupt files”. This is the worrisome part. By “corrupt”, do they mean codes that work in the background in order to make a computer run smoothly or do they mean patient files that have corrupt information?
For example, if patient A had a heart condition and patient B had cancer, is there the possibility that their diagnoses could have been swapped as a result of this Ransomware attack? How about the addition or deletion of diagnoses within patients’ records? The description of “corrupt files” must be weighed seriously at all levels, for this will dictate the course of future care.
Not having access to lab results and key data is like flying a plane blind through a storm. About half of the emergency physicians at Humber signed a petition to close off the Emergency Department until the technical issues were fully resolved[5]. Despite this plea, it remained open. One can only hope that medical decisions made during this Ransomware crisis were sound and did not lead to undue harm on the patients.
An interesting observation is that the news reports do not reveal the perpetrators of this Ransomware attack, whether it is homegrown or foreign, individual or state-run.
Furthermore, the media and Humber do not reveal whether a large sum of money was paid off to the hacker(s) holding the data hostage. At a national level, the Ransomware attack on Toronto Humber River Hospital did not even make it to the top of the headlines of the Globe & Mail and CBC. The Globe & Mail mentions Humber in the context of “bracing for a wave of non-COVID-19 patients”, as its Emergency Department admission rate jumps from 7% to 14%[10].
As for CBC, it is more concerned with how Humber has started switching to Moderna for the 2nd dose. CBC also featured the controversy surrounding Humber and how a patient with a history of mental illness was video recorded crawling on the floor to the hospital exit, as staff dismissed his leg pains. For a Ransomware attack on a hospital to not be covered by two major national news agencies is a testament to the fact that this is being dismissed as merely a local problem.
Now if this had been a coordinated cyber attack crippling hospitals across Canada, then this would make headlines in federal news. And more and more patients would be caught on camera, crawling to the nearest hospital exit.