McMaster University
DeGroote School of Business
Is Your Organization Cyber Smart?

October 26, 2023

Contributed by: Joanna Williams and Christina Pellegrini


We sat down with Dr. Sash Vaid, assistant professor in Marketing at the DeGroote School of Business, to discuss cyber security threats, protecting consumer data, and the impact data breaches have on consumer well-being and organizations.

Vaid’s research focuses on marketing interfaces along two dimensions that are intrinsic and extrinsic to the firm: functional and technological. The first dimension explores marketing’s interfaces with other functions within the firm: sales, operations, finance, and human resources, among others. The second dimension, the focus of his current research, investigates marketing’s interfaces with a range of technologies associated with data breaches, consumer policies, AI, lead generation, marketing automation systems, healthcare, and mobility/geodata.

Vaid is also part of the McMaster Research Data Management (RDM) Strategy implementation committee, where he and his colleagues are working on an operational plan to ensure research data is stored safely.

Cyber security is a service offered to consumers by corporations and organizations, including those in healthcare. Patients who provide their information to healthcare providers are first and foremost consumers of such cyber security services. Healthcare consumers share their personal health information with the expectation that such data will be safeguarded. However, if this expectation is unmet, trust is broken, and a social contract is violated. This may cause healthcare consumers to perceive harm from the breached information. Therefore, according to the American Marketing Association, consumer well-being should account for these “processes for creating, communicating, delivering, and exchanging (cyber security) offerings that have value for customers, clients, partners, and society at large”.

Data breaches could result in perceptions of harm from identity theft or fraud, which would lower how consumers perceive brand quality. Vaid is exploring how policies like data breach notification laws impact healthcare consumers. Together with Fred Feinberg, professor at the University of Michigan, and Aniket Kesari, associate professor at Fordham Law School, he is interested in how types of data breach notification laws impact consumer well-being.

Data breaches occur when personal or identifiable information, such as name, address, birth date, and medical results, is shared with third parties who would not normally have access to this information, resulting in service failure and breaking a social contract between an organization and its consumer.

To better protect consumers, over the last 20 years US states and some Canadian provinces have developed and implemented data breach notification laws, which dictate what firms should do to protect consumers if they experience a data breach. However, the specifics of such laws (the types of data breach notification laws) vary by state/province. For example, they can vary in the number of days firms are required to disclose information to consumers, the number of consumer records breached, and what information the firms are required to disclose to affected consumers. Understanding which types work best is what Vaid, Feinberg, and Kesari are currently in the early stages of exploring.

The following Q&A from our interview with Sash Vaid answers some questions about how cyber security intersects with marketing in a healthcare setting:

 

How has the evolving threat landscape in cyber security affected the Canadian healthcare industry, both in terms of data breaches and patient safety concerns?

The landscape of threat is constantly evolving due to the increased use of artificial intelligence (AI). Cybercriminals are now leveraging AI for consumer data breaches, which means that there is an increased risk due to:

  • Speed – tasks can be executed quicker
  • Scale – attacks on various targets can occur simultaneously
  • Impact – attacks are harder to detect because they are more sophisticated

According to the PwC Canadian cyber threat intelligence report, data breaches continue to pose a threat to the Canadian marketing ecosystem that may be relying on personal (health) information to craft targeted solutions to consumer problems. These challenges are worsened when corporations and institutions face breaches caused by third parties. Organizations will need to consider risks posed by sharing information with third parties, including marketing integrated supply chains.

In terms of healthcare consumer safety, if there is a breach and consumers are aware that their data has been exposed, this may cause them to feel vulnerable, as this information could be used to steal their identities or expose confidential information. My new project explores how data breach notification laws impact healthcare stakeholders, whether they minimize the potential for data breaches or not.

Graphic illustrating industries affected by cyber threats: services, manufacturing, public sector, construction, IT, healthcare, retail.

What are the key cyber security challenges unique to the Canadian healthcare sector, and how do they compare to those faced by other industries?

Hospitals are prime targets as they collect sensitive patient information, which tends to be stored on outdated IT systems. Late last month, the Better Outcomes Registry & Network (BORN) announced it had experienced a cyberattack in May 2023 that had compromised the data of 3.4 million people. The patients were all consumers of various types of healthcare services—primarily mothers, newborns, and individuals seeking fertility treatments. The attack exposed health data that had been on the server from January 2010 to May 2023 and exemplifies the issue with healthcare data breaches. The key difference between healthcare data and other data is that it may reveal confidential health information that healthcare consumers do not want revealed (i.e., mental health information, fertility struggles, sexually transmitted infections) and may reveal lifestyle factors that consumers would not want exposed.

Though we are yet to explore the specifics of data breach notification laws as they relate to the healthcare sector, I suspect that there will be extra sensitivities around safeguarding this data, as it may reveal extremely confidential information that healthcare consumers expect to be kept confidential.

 

With the increasing use of IoT (internet of things) devices and telehealth solutions, what specific vulnerabilities are emerging in the Canadian healthcare sector, and what strategies can organizations employ to mitigate these risks?

Scholars of consumption behaviors in marketing and allied fields and practitioners are sensitive to the fact that healthcare, specifically hospitals and doctor’s offices, are at an increased risk of a breach since they fax patients’ personal and health information. According to the Office of the Privacy Commissioner of Canada, there are also breaches that are caused by unencrypted emails, unauthorized access to records (i.e., employees ‘snooping’) and ransomware attacks.

Phasing out faxes and unencrypted emails are some ways to mitigate these risks. Others include educating healthcare consumers about the potential risks and benefits of virtual healthcare, informing them of the rights associated with their personal health information and informing them about how they can exercise their rights.

Quicker ways organizations can mitigate these risks are for corporations to stay informed about the policies put in place in their jurisdiction if a breach were to occur. Knowing who to inform, by when, and how to safeguard their data to protect consumers against future breaches will make it easier to come up with a plan if a breach were to occur (especially if the corporations need to meet certain timelines). In addition, there may be changes to data breach notification laws, including Ontario-specific laws or changes to the federal laws, so it is important to stay on top of these changes in case the notification requirements or timelines change.

 

Can you share insights on the financial implications of cyber security incidents on the corporate sector?

In Canada, not only is an average firm likely to lose some C$5.6 million from data breaches, one recent survey of business leaders reveals that while 30 per cent of the survey takers reported loss of customer data, 60 per cent of the firms indicated that such breaches resulted in price increases.

Infographic illustrating the financial impact of cyber security breaches on Canadian corporations, highlighting costs exceeding C$5.6 million.

How has the regulatory environment in Canada evolved to address cyber security in healthcare, and what role does it play in improving cyber security practices among healthcare organizations?

The prevalence of data breaches is so well known that the question has become when they will occur rather than if they will occur. This has resulted in the creation of data breach notification laws at both the federal and provincial level in Canada. According to researchers Jens Foerderer and Sebastian Schuetz, the idea behind data breach notification laws is to “empower affected individuals to take protective actions against possible identity theft and to create market incentives for firms to strengthen the security of consumer data by making data breaches known to the public,” thereby improving healthcare consumer well-being.

In Canada, data breach notification laws exist at both a federal level and provincial level (specifically in Alberta and Quebec). The Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Information Protection Act (PIPA) Alberta, and the Quebec Privacy Act all currently have breach notification requirements.

While the specifics of each of these legislations differ slightly, there are a few key similarities between them:

  • Requirements of notification to privacy regulators:
    1. All are required to notify privacy regulators but in Alberta, the organizations are also required to provide an assessment of risk of harm to the individuals.
    2. In Alberta and Quebec, the organizations need to provide the steps that have been put in place or will be put in place to prevent this from occurring in the future (with timelines).
  • Requirements of notification to affected healthcare consumers:
    1. All are required to notify the affected individuals, provide a description of the breach circumstances, and the date and/or period of the breach.
    2. All are required to provide the steps the organization has taken to mitigate the risk, but only PIPEDA and the Quebec Act are required to provide steps that affected individuals can take to reduce the risk of harm.
  • Record keeping:
    1. PIPEDA and the Quebec Act also require that the breach report must be kept on file. PIPEDA requires that the breach record is kept for at least two years and the Quebec Act requires that the breach record should be kept for at least five years.

The Canadian Centre for Cyber Security has also created an awareness series that discusses how healthcare organizations can protect themselves against cyber attacks.

 

What are the best practices that corporate entities and healthcare organizations should adopt to protect against ransomware attacks and other emerging threats?

We suggest the following practices to protect against attacks and other emerging cyber threats:

  • Fix known IT issues
  • Create and store backups of files and documents if institutions/corporations cannot access certain files for some time due to a breach
  • Encourage managers and employees to take cybersecurity training to ensure they are up to date on the latest risks, threats, and best practices
  • For healthcare specifically, phase out faxes and unencrypted email
  • Reach out to cyber experts for guidance on how to update digital health platforms
  • Use unique passwords for each account
  • Use multi-factor authentication to make it more difficult for someone to hack into the account
  • Use a secure Wi-Fi network as opposed to a public Wi-Fi network. If you need to use a public Wi-Fi network, try to avoid sending sensitive information – or use a Virtual Private Network (VPN) if you absolutely need to send sensitive information
  • Use trustworthy software and applications
  • Install anti-virus software on your devices

If an attack does occur, we encourage Canadians (both as healthcare consumers and larger corporations) to consult the Office of the Privacy Commissioner of Canada’s website for advice about next steps.

 

In light of the global shortage of cyber security talent, how can Canadian healthcare institutions and corporations effectively build and maintain a skilled cybersecurity workforce?

There are a few internal marketing strategies that institutions and corporations can implement to build and maintain a cyber smart workforce, particularly one that digitally interfaces with the market and consumers. The first is to build a brand within the organization that ensures internal consumers are up to date on the best cyber security practices. This includes reminding healthcare providers to:

  • Be mindful of opening links that seem suspicious. If they receive a suspicious message, they should notify their IT team (or equivalent)
  • Use different passwords for unique accounts
  • Change the password to their account if they suspect any unusual activity and continue to monitor the account after
  • Use two-factor authentication

Institutions and corporations should continue to encourage marketing managers and employees to keep up with their cyber hygiene/fitness. And finally, institutions and corporations should focus on equating their brand to being proactive (i.e., seeking out good, reliable information, and staying abreast of best practices) rather than being reactive (i.e., needing to understand what to do once a breach occurs). The Office of the Privacy Commissioner (OPC) website has plenty of helpful links and tips, so I would encourage managers and healthcare consumers to consult the OPC website if they have not already.

 

References/Additional Reading:

  • How nextGen EMR breach is a wake-up call for healthcare CIOs
  • BORN Ontario data breach left health data of millions exposed. What went wrong?
  • Data Protection Laws of the World: Canada
  • Data breach announcements and stock market reactions: a matter of timing?
  • Cyber security for healthcare organizations: Protecting yourself against common cyber attacks (Government of Canada)
  • Canadian Privacy Breach Notification Requirements: An Overview
  • The effect of a data breach announcement on customer behavior: Evidence from a multichannel retailer
  • Data breaches cost Canadian businesses $5.6 million on average, risk losing customer trust
  • Securing public trust in digital healthcare: Resolution of the federal, provincial, and territorial privacy commissioners and ombudspersons with responsibility for privacy oversight
  • Consider the risks: Faxing personal information (Office of the Privacy Commissioner of Canada)
  • PwC Canadian cyber threat intelligence report media release
  • Canadian cyber threat intelligence annual report
  • Ransomware gang claims it stole Social Security numbers, passport data in recent hospital attack
  • When injured product users may also stay satisfied: A macro-level analysis