Your private information is more likely to be hacked in your local hospital just as much as a coffee shop.

Six Ontario hospitals have been hit by cyberattacks since October and front-line workers are being urged to take a proactive approach to protect patients’ health information.

“This is a serious problem but it’s not unavoidable if we take simple, concrete steps to improve our cybersecurity posture,” some doctors said in a study. “We don’t need to wait for something to happen before we take action.”

Some 267,000 individuals had been affected by a cyberattack in October that hit Bluewater Health, Windsor Regional Hospital, Chatham-Kent Health Alliance, Erie Shores HealthCare, and Hôtel-Dieu Grace Healthcare.

The facilities said that the ransomware attack impacted operations and that some patients, employees and staff data were stolen and some of published online.

A paper, published in the Canadian Medical Association Journal reveal the impact of cyberattacks on Canadian health information systems is very serious and clinicians and front-line workers should improve their cybersecurity readiness.

“The guidance comes at a critical time,” wrote co-author Vinyas Harish, of Unity Health Toronto and in the Temerty Faculty of Medicine at the University of Toronto. “Cyberattacks against Canadian health information systems have become increasingly common.”

Harish said hospitals and health organizations are easily targeted by hackers who deem them as easy.

They make “attractive targets because of the value of personal health information and institutions’ perceived ability to pay ransoms,” he said. “Amid events like the COVID-19 pandemic and geopolitical conflicts, we’re seeing hackers take advantage of situations that create fear and panic.”

The digitization of Canadian health records onto shared networks has also created more opportunity for hackers to gain access to hospital or personal information.

“While digital tools and systems can improve access and convenience, most clinicians lack dedicated IT training,” said Harish. “This creates stress and increases the likelihood of falling victim to an attack.”

The study outlines four stages for hospitals to effectively navigate cyberattacks.

Clinicians are urged to use strong passwords and secure devices, avoid inadequate network protections and remain vigilant against phishing attacks or suspicious behaviour.

Dr. Shaun Mehta, an emergency physician at St. Michael’s Hospital, said more can be done by frontline workers and doctors to safeguard the information of patients.

“Many health care organizations have sophisticated systems in place to prevent and respond to attacks but there’s a lot that can be done at the individual level,” Mehta said. “I think people probably underestimate their role in preventing attacks.”

The study finds a lack of consistency in cybersecurity education and practices across provinces and institutions.

“In Ontario, for instance, cybersecurity isn’t part of the medical or nursing school curricula,” it stated. “While some health care networks and institutions have implemented cybersecurity modules, it’s really organization-dependent.”

Mehta said cybersecurity training and practices aren’t mandated in Canada, likely because we don’t have a good set of centralized instructions or guidance established at a national or provincial level.”

Unity Health Toronto is taking cybersecurity seriously and has commissioned a readiness assessment and set up a three-year cybersecurity plan. They have since implemented measures to curb hacking, like  technology to track and identify suspicious activity, regular risk assessments and a cybersecurity awareness program to educate staff, physicians and learners.

“We’ve been working really hard to empower staff with tools, knowledge and practices to avoid falling victim to an attack,” said Abdulkader Abdulkarim, the Chief Information Security Officer. “As the cyber landscape changes rapidly, we continue to look for new ways to educate our people and re-evaluate our systems and practices.”

Abdulkarim said front-line personnel need to be educated on ransomware.

“Clinicians need to know what to click on, what to avoid and what to look out for,” he said. They cannot “just avoid falling victim to an attack but to alleviate frustration and maximize time spent with patients.”