When Fighting Cyber Crime, There is No Finish Line

“With cyber, it’s always easy to think about technology. But if you don’t have the people, processes and all the other pieces in place, it’s really not that effective,” said Stephen Lloyd, Director, Cyber Security Centre, Ontario Health.
Lloyd spoke at the 2025 Spark Cyber Security in Healthcare Conference in Toronto, ON. His sentiment defined this year’s conference, where critical conversations were not focused on the latest flashy tools or emerging tech.
Instead, presenters zeroed in on why strong cyber strategies should be more about embedding good security habits into daily work. This can be done through process improvements, greater awareness and education for boards, consistent auditing and learning best practices from peers.
HIROC is always looking for the best ways to support our Subscribers in their preparation and response related to all things cyber. We support educational conferences like this one as they provide a trusted space for healthcare professionals to connect, ask questions and strengthen their approach together.
The event was co-chaired by Kopiha Nathan, Lead, Privacy and Compliance Officer at HIROC, and Brendan Kwolek, Chief Information & Digital Officer, Halton Healthcare.

As you read through the following key takeaways, we encourage you to consider how these insights apply to your organization and to share them widely. This is one way you can be part of the effort to improve cybersecurity across our healthcare system.
Governance-Level Conversations that Matter
One of the standout sessions was a panel discussion on aligning board-level reporting with governance expectations, safety requirements and evolving cybersecurity risks.
“It’s about making sure the board understands this is not exclusively an IT problem,” said Lyn Baluyot, President and CEO, TransForm Shared Service Organization. “It’s a shared responsibility.”
With healthcare continuing to rank as one of the most targeted sectors, panellists underscored the need for consistent attention and investment. And to do this, it’s all about finding the right frequency and format. Here’s what they shared:
- David Stankiewicz, Vice President and Chief Information and Privacy Officer, William Osler Health System, talked about how they report to the board twice a year, with additional meetings or updates when necessary. Their focus is on educating the board about their overall cybersecurity program, current investments or maturity scores.
- Baluyot talked about reporting on a quarterly basis, tying updates to risk register items and mitigation strategies.
- Dave Brewin, Vice President, Digital Health and Regional CIO, Royal Victoria Regional Health Centre, explained that his team reports to multiple boards annually, including his hospital’s own board several times a year. Each presentation is unique, shaped by the board’s existing knowledge and tone set by leadership.
Performance indicators like phishing rates, multi-factor authentication (MFA) adoption, and maturity scores are all proper metrics that can help build confidence and raise awareness about a clear cyber strategy when reporting to boards.
- Stankiewicz shared how partnering with neighbouring hospitals to standardize reporting has helped them point to best practices and benchmarks.
- Baluyot suggested tying metrics back to mitigation strategies outlined in their organization’s risk register to keep the focus on outcomes.
“I often try and tie it to clinical talk,” added Stankiewicz, emphasizing how helpful it can be to connect cybersecurity to healthcare language when speaking to the board.
“One example I use is to get boards to think about cybercrime like the flu. Each year, there’s a flu shot that comes out, and you have to adjust that shot to the mutating viruses that happen. It’s the same idea with cybersecurity. You have to stay adaptive.”
KEY TAKEAWAY: Maintaining clear and consistent communication with your board is critical. Additionally, providing education as well as understanding and tracking key risks supports a sound cyber strategy.
Tailoring Cyber Defence Strategies to Your Unique Organization
A panel presented by Ontario Health explored why cybersecurity strategies should look different depending on the size and complexity of healthcare organizations. An overarching point was that organizations should always start with the basics. Here are a few more to take note of:
- Frameworks are fundamental. At the heart of OH’s approach is an operating model built on the NIST Cybersecurity Framework (CSF), which is focused on people, processes, technology, and data. Organizations should use this to build their foundational architecture and grow from there.
- Once foundational controls are in place, organizations should assess their gaps and, depending on available resources, explore more complex security components.
- Utilize roadmaps to stay on top of risks. Roadmaps are essential to being more strategic and pushing the maturity of programs.
- Organizations looking to partner with technology vendors should start by defining their needs and properly vetting to find those who align with healthcare standards.
KEY TAKEAWAY: If your organization is considering partnering with technology vendors, we highly recommend you connect with HIROC, as our experts can help assess risk, and ensure your cybersecurity strategy supports both patient safety and organizational resilience. The team is also at the ready to share valuable resources from our library (risk notes, guides, and more).
“We owe it to patients to never stop doing better,” said Stephen Lloyd. “What maturity means to that organization is just keep pushing. Get some advanced frameworks in place, leverage your vendor community, get the expertise you need and map out that maturity.”
Framing Cybersecurity Through a Lens of Patient Safety
“From a healthcare perspective, the patient should be at the centre of all that we do,” said Lloyd. “We’re not doing cyber for the sake of cyber. We’re doing cyber to support healthcare.”
Whether the conversation is about privacy regulations like PIPEDA and PHIPA requirements, or even protecting intellectual property in research hospitals, cyber risks must be framed through a lens of patient safety, compliance and operational continuity.
In support of this, Sabrina Lavi, Senior Communications Advisor, Ontario Health, stressed the importance of integrating communications teams early into cybersecurity planning.
“Become friends with your corporate communications team,” she advised. “They not only speak the language of business, they’re also incredibly good at navigating those tough conversations and building rapport.”
- Lavi emphasized that strong comms teams understand who the decision-makers are and can help navigate both day-to-day risk conversations and crisis scenarios.
- When it comes to emergency preparedness, much of the crisis communications work can be done pre-emptively, such as deciding who can speak to the media and developing communications templates.
- Lavi directed delegates toward HIROC’s resources, like our Planning for Cyber Security Incidents: A Crisis Communications Guide, which was developed with Subscriber input and contains templates and guidance for organizations that need assistance getting started.
KEY TAKEAWAY: Form your strategy around a solid foundation as outlined by our friends at OH. Keep lines of communication open across your organization, be sure to loop in your communications team, and be sure to practice your plans.
Final Reflections: The People, the Processes, and the Push Forward
To close out the conference, co-chairs Brendan Kwolek and Kopiha Nathan shared their reflections on the day.

“At past conferences, there’s been a lot of talk about technology,” said Kwolek. “But today was different. It was about reporting to boards, communication, collaboration, and partnership.” Kwolek reemphasized that while tools remain essential, their effectiveness depends on the people and processes behind them.
Nathan brought the conversation back to what matters most: patients. “For me, it’s our healthcare sector. I can’t imagine doing this in the private sector, because the cost becomes the most important factor,” she said. “But in healthcare, it’s the patient at the end of the day.”
From reporting to boards and tailoring cyber defence strategies to honest reflections on the people and process challenges we face today, it has never been clearer that cybersecurity is a continuous journey toward a stronger, safer system for all.
By Marc Aiello, Communications and Marketing Specialist