In our increasingly digital age, it’s no longer enough to just protect ourselves from physical threats. More and more, the most common types of threats organizations – and people – face are far less visible. There is an entire world of digital invaders, defensive walls, and rapidly changing tactics that are in a constant battle, and the prize is your data. This is the world of cybersecurity.
“Since 2009, there has been highly invisible cyber-warfare in the world happening. Some threats are highly organized and state-sponsored, others are individual cyber-criminals,” said Michael Dawes, Information Security Specialist for Northern Health. “Email is our most common way [for threat delivery].”
In 2019, Northern Health had roughly 20 million inbound emails from sources outside of Northern Health. Of those, only 14% (2.8 million) were legitimate. The remaining 17.2 million were varying levels of spam, viruses, or somewhere in between. And that’s just one source of attack.
This is the challenge that James Uhrich, Director of Technology & Information Security, and his team face daily at Northern Health.
“It doesn't take as much effort to launch a cybersecurity attack as it used to and healthcare has had a target on its back over the past few years,” said James. “These people also understand that medical information has a higher value to them than financial information. They've got a lot of leverage with that information.”
Cybersecurity is therefore an important component in the healthcare world.
“We're entrusted with health information for citizens in the North. We don't take that lightly,” said James. “We have a responsibility to secure that information to the best of our ability.”
To that end, the Northern Health Information Security team has put a number of controls in place to help protect both patient and employee data. This in depth defense strategy includes setting up multi-factor authentication to provide identity assurance, an incident response plan to guide staff on responding to and recovering from security incidents when they happen, and risk assessments to assess digital risks, among other things.
“We are working internally and with others in the province to continually improve our security program, to make sure we’re doing our part to raise the water level of security in BC, beyond a basic level of ‘security hygiene’ and compliance,” said James.
Despite the controls in place, organizations are largely dependent on end users to protect devices and information. To assist with this, the Information Security team has developed an online learning program for all staff to highlight the risks and what they can do to help protect both themselves, as well as patient data. Cybersecurity is everyone’s responsibility, and everyone in the organization has a role to play.
“If you can prevent the bad guys or malware from getting at our data, or from compromising systems from your endpoint, and you have the same thing happening at all endpoints, you're hardening access and helping to reduce the threat,” said James.
“Having these measures in place, being aware of the threats that are out there, and being aware of the methods to protect from these threats helps you, helps the organization, and helps our patients.”