Front Burner - The cyberattack throttling N.L's health-care system
Episode Date: November 17, 2021
Since the end of October, a cyberattack on the health-care system in Newfoundland and Labrador has caused thousands of delays and cancellations for services. Patients have missed appointments and procedures, including chemotherapy. With their IT networks knocked out, facilities resorted to pen and paper. The CEO of a cybersecurity firm in Fredericton, David Shipley, called it “the worst cyberattack in Canadian history.” Disruptions to health services are easing. But while the province has now confirmed that both patient and employee data was stolen, it is still offering little information on the attack. Today on Front Burner, St. John’s-based CBC reporter Peter Cowan joins us to explain what this attack was, why the province isn’t saying more, and why health breaches like this are happening so often.
Transcript
This is a CBC Podcast.
Hi, I'm Angela Starrett.
I mean, you know that this cancer is inside you and you know there's nothing being done about it.
And, you know, as far as I know, it could be spreading really fast again.
Joyce Gaines is from Conception Bay South in Newfoundland,
and she's undergoing palliative chemotherapy.
I'm considered terminal, so there's no cure.
So I have to do whatever I can to keep it at bay
and keep from spreading any further.
Joyce started chemo in August,
and she says she was responding really well to the first treatments.
But then, on October 30th, a cyber attack breached Newfoundland's health care data centre,
bringing many services to a standstill.
It caused Joyce to miss her fourth appointment and left her in limbo.
They haven't told me anything.
The lack of communications is really disturbing.
I have no idea when I'm going to get it.
Every time the phone rings, I'm hoping it's a call from them saying, come on in.
That's Joyce in an interview with my colleague Peter Cowan just last week.
And thankfully, she got a call shortly afterwards,
booking her for an appointment just over a week after her original one.
But that anxiety she felt, it's just one example from thousands of people
who had healthcare cancelled or delayed while the province had little to say about the cause.
Interruptions from the cyber attack are easing now, but services still aren't back to normal.
And now, the province is confirming that both patient and employee data were stolen.
So today on FrontBurner, we're going over how this attack caused so much disruption,
why the province is telling us so little about it, and why these breaches are happening so often.
Peter Cowan's been covering this from the start, and he's here to explain.
Hi, Peter.
Hello.
So, first off, I mean, give me a sense of how big a problem the cyber attack has been for healthcare in Newfoundland.
I mean, over almost the last three weeks, what kind of services were delayed or totally stopped?
Well, right from the beginning, it was anything that wasn't an emergency or urgent, they were putting off.
So that even included things like chemotherapy.
Right early on, they were saying, you know, we're not going to be able to do it.
And that's significant because even at the beginning of the pandemic, when they shut everything down to maintain space in hospitals, chemotherapy was one thing that they kind of prided themselves. And, you know, we've been
continued to being able to offer this. No interruptions. COVID did not impact anything
for me or anybody else. I know nobody missed their treatments or their testing or whatever
they needed to have done. But then the cyber attack knocked that out. And since then, it's
kind of been building things back slowly. And so, you know, they do finally have chemotherapy back.
They've got radiation services. But, you know, even in the biggest hospital in the province,
the Health Sciences Center, they're still only dealing with emergency or urgent surgeries. So,
you know, I was talking to one person who was supposed to go in to get their cancer operated on.
It was supposed to happen November 1st.
They still don't know when that's going to be rebooked for.
Having cancer is like having a full-time job because there are so many appointments, you know.
So this week, for instance, because of the cyber attack, I've missed six appointments and that's just me.
So how many other people have missed at least that many appointments?
And I think there's a lot of anxiety amongst people as they are sort of sitting there going,
I've got something that maybe doesn't qualify as an emergency, but this is a big health care issue for me.
And I don't even know when it's going to be dealt with.
I mean, people might be asking, how does a hack of a data center cause all of
these disruptions to services in the first place? A lot of this is because health care, like
everything else, has become very digitally based. And so, you know, when you go into the hospital,
when they check you in, they put all your information into the computer.
When they order new meds, when they need to get blood work done, when they need to send you for a scan, all of that goes into a computer system.
So when that computer system goes down, all those tools that the doctors have in a hospital in order to treat people, they disappear.
And what hospitals went back to was operating the same way they did 30 years ago, which is if you need blood work done, you fill out a paper form,
someone runs that form down to the lab,
someone comes by, draws the blood, the blood gets tested
and then that result, it gets printed off on a sheet of paper
and you run it right back up.
And so the issue they had was they just couldn't deal
with the same capacity of people in the hospital anymore
because everything was having to go to paper backups and that may not sound like, OK, well, you can just print it
off. But if you're dealing with thousands and thousands of tests a day, that's a lot of paperwork
and it really slows things down.
And just to be clear here, we still don't officially even know what the nature of this attack was because the province is just calling it a cyber attack.
But based on your reporting, what does it seem like the hackers did?
I mean, what did they want?
Money is the main motivation behind these attacks.
And, you know, the experts I've talked to have said, like,
they're pretty confident that this is a, you know, a ransomware type attack and what they refer to as double extortion,
which sounds like the name of a really cool action movie.
But what it really is, is, you know, the first thing they do is they lock up the data
so that you can't get access to it.
And if you want to get it back,
you're going to have to pay the ransom. And because some people will say, fine, I got backups.
You keep that locked data. We'll just wipe it clean and start from scratch. The second part of that extortion is we've taken your personal information and we are going to release it to
the world unless you give us this money back. You know, so the big question is, you know,
did the province pay to keep this information secret?
Is it possible that it's still going to be released onto the dark web?
So far they say there's no evidence that this information has been misused.
But once the information's out there, it's hard to get it back.
And knowing what a huge problem this attack has become for health care,
I just want to get into how the government handled it.
So in the first few days after the attack on October 30th, just how slowly was the province giving us information about it?
On the first day, we kind of got a few hints because I was hearing from people who said, I tried to go online and fill out the form to get a COVID test, but the form won't even load. And then it was for folks arriving in the province to fill out
the paperwork they need to prove they're vaccinated upon arrival, things like that.
That form wasn't working. And, you know, so we started putting feelers out to the province to
say, OK, what's going on here? What's the backup plan? Thinking the urgency was, well, what about
people who need to get a COVID test and they now can't get one? And it wasn't until sort of the next day that we started hearing from folks inside
the system that says, oh, yeah, this is a whole lot bigger. You know, I've had sources within
the government say this is a ransomware attack. And yet the province two and a half weeks in
has refused to say, have there been any demands made for money? Have they paid out a ransom?
All of this, they've said, look, our experts are telling us not to do anything to inflame
the situation.
So we're refusing to answer any of these questions.
We were days into this before they even said, you know what, this is a cyber attack.
You know, the rest of the province had kind of all figured it out by the time the minister
had finally gone up and said, yep, we're willing to admit it.
And I've seen video of the deputy premier aggressively
deflecting questions just a few days afterwards. The health care systems and the requirements of
same. But one of the very basic questions that the opposition asked today, which you didn't answer,
was has a ransom demand been made? We are working with the proper authorities
and working with the experts that are required. As the Attorney General has pointed out,
the RCMP have been engaged and they are working through this issue. But that's a yes or no
question. That is not a yes or no question. This is a security question. And I am telling you that
we are working with the proper authorities.
What are they saying about why they're being so tight-lipped about it so far?
We're kind of left to read between the lines because what we don't know is what sort of demands were made.
You know, did these attackers say, look, if you go out in the media and even mention that we might be behind this or even mention this attack, we will delete all your data.
And again, we don't have that information to be able to know, you know, is this actually the best practice or is government using this as a shield to avoid responsibility? Because,
you know, we've been kind of been able to tease out little details. For example,
the fact that, you know, these hackers were able to get access to patient information.
So all that information you supply when you first go into the hospital, including information like which doctor are you seeing and why have you come into the hospital?
They've also got access to patient information.
They got access to employee information, including things like social insurance numbers, addresses, dates of birth, all the things you'd need in order to steal people's identity.
And one of the questions we said was, hold on a second.
Were they able to access this information unencrypted?
And the answer was yes.
And so that's led to lots of follow-up questions about, well, hold on, why was this personal information sitting there unencrypted?
And the answer they've said is we won't talk about what we encrypt and what we don't.
It could only write a handbook for future attacks.
yet another opportunity for them to kind of shut down some real questions about whether or not they were following best practices and doing enough in order to protect and safeguard this
critical information that they have under their control. I know Fredericton cybersecurity expert
David Shipley called this attack the worst in Canadian history. We've never seen a health network take down this large ever. We've
seen specific hospitals, but never this many hospitals, healthcare centers, other things.
And the severity of this is what really sets it apart. We've seen breaches before and ransomware
attacks against other industries, but healthcare is in that top tier of it has real impacts on human life and safety.
And this is the worst of the worst.
The difference that we've had with this attack is it's not just one hospital.
This has been the entire health network across a province.
And it's now been two and a half weeks.
And we still have some areas that can't do routine surgeries.
You know, so never before have we seen an attack
that's sort of lasted this long in terms of the disruption,
but also the geographic disruption
that we're not just dealing with one hospital here
or, you know, a health center there.
The fact that we're dealing with this across an entire system.
We've seen cases where only one facility was exposed in hacks.
Just this weekend, the Rideau Valley Health Center in Ottawa said its service is being disrupted by a quote-unquote cyber security incident.
So why did the attack in Newfoundland affect so much of the province?
Part of this is because unlike places like Ontario, where the hospitals are kind of run
independently, the health system here is all run by four health authorities. And they've kind of
centralized all of their computer infrastructure behind the Newfoundland and Labrador Center for
Health Information. So, you know, there are cost savings by sort of bringing this all together,
bringing the expertise into one place rather than having four different systems. But that means when
there's an attack like this, it affects all four health authorities, not just one. And the challenge
we have is if someone is really sick and needing a procedure, then, you know, in Ontario, if you've
got one hospital down, you can send them to another hospital. But when you've got the entire healthcare system down and you're largely an island or a
remote chunk of mainland, there's not a lot of options. You know, and they've been able to sort
of triage and make sure the most urgent cases are getting done. But I kind of like to use the
analogy, you know, healthcare is a bit like a river. There's always this need coming in and
people being dealt with. And if you immediately dam up that river, that water
doesn't disappear. It's backing up. And so the longer this goes on, the more and more pressure
is building behind the system that they're going to have to deal with.
Experts have been drawing parallels between the attack in Newfoundland and an attack in Ireland that happened in May.
Irish officials say hospitals can't even carry out routine diagnostic procedures.
There are significant delays in emergency departments
and even basic communications are impossible. The head of the Irish National Health Service called
it a stomach-churning criminal act in the midst of a global pandemic. It's just quite an extraordinary
thing to do and there's no doubt it is a vicious and a callous act and will be condemned everywhere
by decent people. Waterloo, Ontario, cyber security expert Mark Sangster actually argues that the same gang
called the Conti could be behind both attacks.
Is that they're incredibly sort of ferocious when they come to doing this.
They're extremely heartless.
So when they shut down a hospital or a municipality or a law enforcement service,
it doesn't matter to them that that might actually have, you know,
an impact on, you know, people's health or, you know, their safety.
Looking to Ireland as an example,
what does it take for a health care system to recover from an attack like this?
Ireland is a really interesting example
because they took a very different approach from Newfoundland and Labrador
and they were much more transparent.
So they said right up front, this is a ransomware attack,
and we're not going to pay. And they took a very hard line. Within a week, the attackers actually
gave them the key to decrypt their health information. Unfortunately, that's not enough
to kind of get the services back up and running. You can't just kind of flip the switch and go, we're now back to the way things were.
It's been months and months and months of rebuilding.
You know, at one point they had a ballroom where they had like hundreds of people all sitting there with computers wiping them clean because they had to make sure that none of this nefarious software was hiding out in some workstation somewhere.
You know, so throughout the hospital, they had sort of green and red tags.
If there was a red tag on it, it's like, this is an infected computer.
Don't use it.
So, you know, they needed to make sure that they scrubbed any evidence of this right out of their systems
because the danger is, you know, you may get your system back today,
but the attackers may come back in tomorrow and decide to lock it up again and demand another ransom, or they may sell that backdoor access to another criminal gang and
saying, look, go back in a couple of weeks from now or a couple of months from now when they think
they're back up and running and hit them again. So unfortunately, the Ireland example is even when
you get the key to unlock the data, there's still a lot of damage. And they have ended up spending about
five times the original ransom demand just on repairing and rebuilding their systems.
The ransom is often the least of the costs when it comes to rebuilding from these attacks.
So Ireland didn't pay the ransom, but there's been big cases where attack victims just pay to have their data released. U.S. meatpacker JBS says they paid the equivalent of 11 million U.S.,
both morally and financially. If there's a ransomware attack on
healthcare, what's the debate over whether to just pay the ransom or not? It's a tricky situation
because on the one hand, you pay this money, it goes directly into the criminal hands. They spend
it on research and development to develop better tools to attack more people and you only make the situation worse. So do you take the hit personally and pay out more money, deal with more disruption
in the hopes that you're able to, you know, for the greater good of trying to make sure these
criminals aren't successful or do you just pay the ransom, you get the key and you get back up
and running faster? And, you know, I was talking to one expert who said normally his advice is always never pay the ransom, that, you know, this only makes the situation worse.
You're only encouraging the criminals.
But he said, you know, when you're dealing with health care and you're dealing with life or death.
When you're talking about patient care, if that is the only choice that they have left in the situation they're in, I can't condemn that because it's people's lives.
And it seems like we're routinely hearing about cyber attacks on health care right now.
Why are we seeing this dramatic increase in these types of hacks?
Yeah, the experts that I've talked to have said it is the fact that health care has been strained during the pandemic.
It's become a clearly essential service.
And so the need is there to keep these services up and running.
So people are going to pay.
You know, these criminals, their main focus is who can I convince to pay me the most amount of money for the least amount of work that I have to do?
So health care systems are an area where people can't afford to be down for a couple of weeks.
And I think a lot of people here in Newfoundland and Labrador have been wondering, okay, well,
why did they pick us? And what I'm hearing from experts is, you know, this is not that they woke
up one morning and said, Newfoundland, you know, they've got a lot of money, we're going to go
after them. But these sorts of attacks, they are constantly trying to find weaknesses in any
computer system. And, you know, health care is one area they're looking at. And so once they find
that little hole, that little back door, the way that they can channel into the system, they're
going to go for it.
And there's been big cases like we've talked about in the U.S., like JBS, and there's a hack that shut down the Colonial fuel pipeline.
Arguably, it is the single most important pipeline in the United States.
Basically, this takes oil and gas, jet fuel, refined products from the Houston and Louisiana areas and brings it up the East Coast.
The main pipes comes up through Virginia and New York and
New Jersey. Let's put this into place. Is it fair to say that it seems like many of these cases
are in Canada? And if so, why are these happening in our country?
It's an interesting question because, you know, you mentioned the attack just recently in Ottawa.
There was another hospital that was affected near Toronto.
Saskatchewan has had, you know, so there have been numerous health care systems that have been targeted by hackers in Canada.
One of the speculations from the cybersecurity experts has been the U.S. has had a fair crackdown,
especially after that Colonial Pipeline attack where, you know, they did pay the money.
But we saw President Joe Biden come out very
strongly within days of that attack saying, you know what, we are not going to stand for this.
We are going to take every measure we can. We're going to go after the attackers where they live
and work and the people who are hiding them. You know, he specifically called out the Russians,
not for directly sanctioning this, but for allowing this to happen within their system. We do not believe, I emphasize, we do not believe the Russian
government was involved in this attack. But we do have strong reason to believe that the criminals
who did the attack are living in Russia. We have been in direct communications with Moscow about
the imperative for responsible countries to take decisive action against these ransomware networks.
So that kind of, you know, put the attackers on the defensive and they kind of wanted to take the heat off.
And so that's why they may have been looking for areas that are not the United States to attack.
It is worth noting here that more than two weeks into this attack,
we haven't heard a single thing from the prime minister,
from the new ministers in charge of things like public security.
We've asked to speak to those ministers,
and we get a few generic statements back.
But there has been a very different approach from the U.S.
that made a very public hard line that we're not going to stand for this,
and the Canadian government, which has been quiet on this. It's going to be
one of the questions, certainly, as we go down and sort of move out the other side of this is,
you know, what needs to be done to protect systems. But I think it is a lesson for all
healthcare systems across the country that these vulnerabilities do exist. And we've got some very
motivated people who are looking for a payout and they don't care
what they disrupt in the course of trying to get that.
Peter, thank you so much for taking us
through this really excellent reporting you've done on this story.
Thanks, happy to do it.
That's all for today.
Thanks for listening to FrontBurner. I'm Angela Starrett, go to cbc.ca slash podcasts.