Safeguarding Ontario’s health-care system from cyber-attacks

Managing cyber-risk is a critical challenge for many organizations including health care, where susceptibility to these risks are evident.

Ensuring timely, high quality and disruption-free care for patients while also protecting their personal health information requires continuous effort from all members of the health-care sector. Cyber-attacks can significantly impact the data and systems that support the operations of hospitals and health-care providers, how they deliver care and services to patients, and the privacy of personal health information.

How Ontario Health is working with partners to address cyber risks

Lyndon Dubeau, Ontario Health

To address the growing threat of cyber-attacks, Ontario Health, in partnership with the Ministry of Health and Ministry of Public Business Service Delivery, developed the Provincial Cyber Security Operating Model (CSOM) that sets the direction and vision for cybersecurity in Ontario’s health-care sector.

Developed in consultation with the broader health-care sector and cybersecurity experts, the CSOM provides a framework and roadmap for a coordinated cybersecurity network in the province, positioning cybersecurity as a team effort among health-care organizations. With the support of a collective defence system, the CSOM:

• strengthens the ability of hospitals and health-care providers to identify, protect, detect, respond, and recover from cyber-attack, thereby safeguarding the delivery of health-care services to patients;
• boosts protection of patients’ personal health information; and
• reinforces the capability of hospitals and other health-care organizations to prevent and mitigate cyber-threats.

Ontario Health piloted the model across 44 per cent of acute care hospitals within the province. Results showed that the CSOM increased the sites’ resiliency against cyber-attacks, helped participants maximize savings and efficiencies through volume licensing and resource sharing when procuring cybersecurity tools and services, and helped sites meet their insurability requirements.

The pilot also illustrated the value of building a community of cyber thought leadership and support and defined an approach to cybersecurity that aligns with internationally recognized industry standards.

Coordinated approach to strengthening cybersecurity

Based on the pilot, and with the support and collaboration of government and health system partners, Ontario Health has established Local Delivery Groups responsible for shared cybersecurity service delivery. Located in various parts of the province, the delivery groups will help set the direction for cybersecurity initiatives and practices among its member hospitals. Going forward, general hospitals will, with their Local Delivery Group:

• ensure the use of cybersecurity services from Ontario Health-approved vendors;
• share cyber-threat information via incident response notification and a cyber-threat intelligence sharing platform; and
• implement standardized evaluation through accountability agreements and performance reporting.

With the aim of enhancing collaboration among health-care providers at all levels in the health system, Ontario Health will work with partners and providers to continue to expand the CSOM for full provincial coverage.

How the model benefits patients and the health-care system

Managing cyber-risk requires a collective effort from all members of the health-care sector. Vigilance is particularly important as technology changes and threats evolve over time. In all aspects of cybersecurity planning and implementation, the CSOM was designed to strengthen the security posture of all those who deliver health care.

For patients and caregivers, the CSOM helps guard against cyber-threats that could cause disruptions to the availability of medical services. It also improves the overall patient experience by laying a foundation for secure communication with the health-care system while protecting patient information and strengthening privacy to prevent unauthorized access or disclosure.

For health-care organizations and providers, the CSOM increases cost efficiency by ensuring high-quality cybersecurity services are used to protect systems that contain sensitive patient information and critical systems through resource sharing and collaboration. Having cybersecurity integrated into the overall health-care delivery model enables health-care providers to focus on delivering the best possible care to patients.

Appropriate planning, resourcing, and collaboration with partners in the health system, now and into the future, helps safeguard the system so that hospitals and health-care providers can keep their doors open, their patients cared for, their communities served, and individuals’ private health information secure.

Lyndon Dubeau is the vice-president, Innovations for Connected Health, at Ontario Health.