Top

Cybersecurity at NHH

By Cecilia Nasmith

Cybersecurity was the subject of an educational session at the April Northumberland Hills Hospital Board meeting.

Chief Clinical Information Officer Judy Fleming and Director of IT Cheryl Thomson filled in board members on their work to ensure cybersecurity at a time when global cyberattacks increased by 38% last year over 2021.

Ransomware operators aggressively target the health-care sector, Fleming said, ramping up attacks on weekends and holidays when systems are considered most vulnerable and increasing

She displayed the framework developed by the National Institute for Standards and Technology as a guideline with five priorities – identify the threat, protect against it, detect everything you can about it, respond in the most effective way, and recover.

Thomson offered some examples of how the threats are posed, technologies in place to prevent them, and mitigation strategies.

The threat is recognized at provincial, regional and local levels, with nine critical areas of focus – device-protection technology, instant-response planning, cyberthreat monitoring and response, vulnerability management, event management, strong authentication practices, back-ups, disaster recovery and security e-mail training.

Regionally, Fleming noted, networking is an important means of expanding each partner's knowledge and share experiences – to learn from each other for the benefit of all.

At NHH, there is currently a cybersecurity awareness campaign, including a course which all NHH staff have been required to complete. At this point, 57% of NHH staff have completed it, and they are on track to make that 80% within a few weeks.

Board members noted that NHH now has several million dollars in cybersecurity insurance. This didn't exist until recent years, Fleming noted.

“The premium is pretty high, and that will come down, I think, as events unfold. And hopefully we will never have to call upon it,” she said.

This is all the more important, President and Chief Executive Officer Susan Walsh noted, because the thinking is that – in the event of a cyber-attack in which ransom demands are made – “you do not pay the bad actors. That's what keeps the business going.”