Abstract

In military doctrine, the interlinking concept of “command and control” is a fundamental component of warfare as it reflects on the two foundational activities effectively required to plan, develop, and execute operations. Global security challenges posed by cybersecurity threats to healthcare establishments are in no way different. Best practices suggest that the resilience of an organization is dependent on the efforts of staff at all levels, from the Janitor to the Chief Executive Officer.
Over the last decade, cybersecurity has emerged as a leading global priority across borders and industries. In October of 2022, the International Criminal Police Organization (better known as INTERPOL) identified financial and cybercrimes as the world’s leading crime threat, and COVID-19 has only amplified this threat. Cybercriminals have been globally boosting their attacks, falsely impersonating government and health authorities, all designed to infiltrate systems, compromise networks, steal data, divert money, and build bots.
Multinational efforts against global cybersecurity risks include the joint cybersecurity advisory reports, stemming from collaborative efforts between national agencies such as the National Security Agency, the Federal Bureau of Investigation, the U.S. Cyber Command, the United Kingdom’s National Cyber Security Centre, the Canadian Centre for Cyber Security, and the Australian Cyber Security Centre.
The European Union Agency for Cybersecurity (ENISA) released a report in the summer of 2023 specifically focused on cyberthreats which studied health sector mapping and cyberincidents from January 2021 to March 2023. It identified a significant spike in attacks on healthcare supply chain and service providers, causing data breaches and disrupting healthcare services.
These cyberattacks cost hospitals real money. The ENISA report concluded that the median cost for a major cybersecurity incident is estimated at €300,000, or more than $441,000 CDN for a single incident. This includes downtime costs, lost revenues, and long-term reputational damage to the organization and its brand. This is especially important in healthcare, a field in which many hospitals and health providers have charity programs.
How should health leaders address this challenge without interfering with clinical operations and jeopardizing patient safety and privacy? The authors in this edition provide some concrete recommendations. They include having detailed digital roadmaps, creating robust administrative processes, attracting and retaining the right people, tailoring educational programs, and taking advantage of opportunities emerging from national networks and partnerships.
The first article by Kwolek describes the nature and scale of human resource shortages within the healthcare sector and offers practical options designed to support organizational attraction and retention efforts.
Samuelson and co-authors present key executive guidelines of a new standard to support cyber resiliency in Canadian healthcare. Organizations will be better protected from cybercrime, allowing them to respond more effectively to evolving threats and defend critical infrastructure.
In our third article, Waddell outlines the four pillars of a cybersecurity education program specifically developed for the healthcare sector. Leaders who promote cybersecurity education, focused on the human factors of cyberattacks, can build a resilient workforce that complements technical protections and reduces organizational risk.
Clarke’s contribution offers a progressive, collaborative approach to address the many emerging patient data integrity challenges related to the multiplication of medical technologies operating on digital networks. Health data is a valuable source of reliable and permanent personal information making it an attractive target.
The fifth article by Jerry-Egemba presents recommendations on how to incorporate tailored educational content into an establishment’s ongoing institutional learning and awareness of cybersecurity. The article calls for a holistic approach to cybersecurity education in order to protect patient information.
Building on the significance of cyberdefenses and response processes through a fictive scenario, Allen’s article demonstrates how healthcare organizations can develop comprehensive and cyber resilient responses to safeguard their operations. Focusing on the ransomware threat, the provided scenario examines its impact on healthcare systems and frontline support staff, while highlighting the time-sensitive challenges faced by response teams striving to restore essential services.
The next article provides a thorough description of the actual cyberthreat landscape. Hartman proposes a sector overview, advocating for new investments and legislations.
The final article, grounded in a real-life example, presents how continuous cyberattacks on an organization’s information technology infrastructure could be circumvented with the establishment of a digital roadmap. Carlson also talks about the rising insurance expectations for continuing care operators to continuously enhance their information technology safety controls against evolving cyberterrorism.
These authors demonstrate to us that health leaders, within our respective networks and communities, can change practices in this area. I would encourage all chapters of the College to work with their members and their communities to establish cybersecurity committees.
Only through a joint national approach will we collectively succeed in circumventing—or at least generating enough political pressure against—the sector-wide root problem of digital devices and information technology systems critically lacking built-in cybersecurity features.
Footnotes
Serving as a Health Services Management Officer in the Canadian Armed Forces, Major Jean-François Landre, EMBA, LLM, has been appointed to several senior leadership roles within the Canadian Forces Health Services. He has led national clinical infrastructure projects, developed strategic medical capability, and managed force personnel. Major Landre has been deployed fourteen times on continental exercises and operations, and devotes his time to advancing healthcare management within the confines of global security.
