An interview with Claudiu Popa, CISSP CIPP PMP CISA CRISC
If you’ve seen the news lately, you’ve seen the same type of story playing out – ransomware attacks from cyber criminals targeting all types of organizations. Cyber criminals are targeting organizations large and small, for-profit, and not-for-profit. This is an issue that impacts everyone, and your association could be a potential target for these types of attacks.
Ransomware is arguably the top threat to your organization today and has the attention of almost every executive team around the world. It is also the least well understood phenomenon, a situation that continues to increase damages by billions of dollars annually. With the recent cyberattacks against the health care system in Newfoundland and Labrador (and others), we reached out to Security, Privacy and Cyberfraud expert Claudiu Popa for more details on the impacts of these types of attacks.
1. Is the recent cyberattack that knocked down Newfoundland and Labrador’s health system data centres the worst hack in Canadian history?
Ransomware has already created severe health and safety issues, including loss of life. If we see this type of harm materialize in this instance, it will prove to be the worst hacking incident in Canadian history. If it does not turn into such an event, it will only be because of the good people struggling to compensate for this awful situation. From a data breach perspective, the LifeLabs hack revealed early last year continues to be the largest and most impactful cybercriminal act ever reported in Canada, having exposed the personal information and medical data of a reported 15 million Canadians. The repercussions from that event may never be fully understood.
2. What are the consequences of a cyberattack of this magnitude?
As we saw in 2020 when a German woman died after being sent to another hospital when hers was hit with ransomware, these types of events are extremely serious, and their perpetrators absolutely must face the most severe consequences under the law. We need a national and international effort specifically focused on hunting down these individuals and bringing them to justice, regardless of where they are in the ‘food chain’ of these unscrupulous criminal organizations. The United States has taken the lead on an International Counter-Ransomware Initiative, but it is still too early for its effectiveness to be demonstrated.
3. Ransomware attacks have been ongoing since the start of the pandemic, impacting hundreds of hospitals in Canada and the U.S. Why do you think they are targets?
There are at least 5 key reasons for the healthcare sector to be targeted:
(a) criminals lack morals and scruples, hoping that by playing Russian Roulette with hospital administrators the latter will have to flinch because they have to adhere to the proverbial Hippocratic Oath misunderstood to mean “to allow no harm to come to a patient”.
(b) healthcare is the sector with the highest urgency, so they stand to get paid soonest, theoretically.
(c) healthcare has historically been lacking cybersecurity protection, and it shows in the rates of compromise we are seeing across North America.
(d) this is a regulated sector more likely to carry cyberinsurance, so criminals think this is just a matter of relying on the insurance company to pay up, the same way that bank robbers think they’re doing no harm by stealing insured assets.
(e) breaches in this sector tend to be impactful at the individual level, so they are more difficult to contain and keep secret, as most organizations do by avoiding public reporting. This makes it look like healthcare is disproportionately targeted, which it is not. It is only disproportionately harmful to everyone involved.
(f) bonus reason: even if they fail to get healthcare facilities to pay up, they still walk away with extremely sensitive personal health information that can be leveraged for profit, fraud and intimidation for years to come.
4. What steps can be taken to improve the situation?
Three (3) things need to happen immediately for the scourge of extortion to slow down:
(a) organizations need to patch their systems and routinely test their protective measures.
(b) healthcare systems and organizations must have more than just cybersecurity: they need to rapidly learn business continuity planning, disaster management and incident response.
(c) the criminal organizations must be disrupted, and perpetrators brought to justice and made examples of in a very public manner, so their peers realize that their actions have grave consequences.
When he is not volunteering with the Knowledgeflow Cybersafety Foundation, Claudiu Popa helps Canadian organizations to adopt frictionless cybersecurity and privacy compliance as the CEO of www.SecurityandPrivacy.ca.
Looking for more information on cybersecurity? Check out Get Cyber Safe, a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online. For free, downloadable resources, visit Canada’s Cybersafety Foundation and get some free, printable tip sheets.