News
Dec. 8, 2025
Jessica Smith

5 cybersecurity tips to protect your practice

With cybercrime on the rise, it’s more important than ever to put safeguards in place

You may have seen recently that Ontario physicians are reporting a rise in scam calls targeting them. With incidents like these becoming more common, personal health information remaining a valuable target for cybercriminals and no centralized security approach in place across the health-care system, it’s more important than ever to safeguard your practice’s cybersecurity.

Here are five tips to get started:

1. Implement strong password policies

Make sure each member of your staff creates their own individual password, and encourage them not to share passwords across exam rooms or with each other. Passwords should be long, complex and changed frequently. Mandate two-factor authentication among staff, which requires a user to provide a second form of identification in addition to a password — like a one-time code sent to a mobile device or an authenticator app — to access their account. This makes it more difficult for external individuals to hack accounts.

2. Protect all data endpoints

Encrypt data on all devices in your clinic using enhanced detection and response software, as well as secure firewalls for all computers and phones, in order to protect the sensitive PHI you have access to and are bound to protect under the Personal Health Information Protection Act.

Equally important is creating secure cloud backups of critical information and protecting non-EMR data like images and shared files. 

3. Secure your communication channels

Use professional email platforms like Microsoft Office 365, while avoiding free services like Gmail, Hotmail or Yahoo to help protect against hacks into accounts and AI-driven communication attacks, where cybercriminals study communication patterns to impersonate staff.

4. Vet technology vendors carefully

Before moving forward with a vendor, vet their data storage practices carefully. This means looking into where they back up cloud data, including in what country or region, and making sure they have proper security policies in place. Review all contracts carefully, especially any terms and conditions attached to free trials that are frequently offered for tools like AI scribes.

It’s also important to understand the concept of data sovereignty — that data is subject to the laws in the country where it’s generated or stored — and how that affects information that vendors store. Even if a vendor lists protections in its contracts, they may not be sufficient if a governmental or law enforcement authority in that country or region decides to seize PHI.

5. Train your staff on cybersecurity

Require your staff to complete training, such as OntarioMD’s privacy and security training. Any training should include education about emerging cyber threats and understanding how AI can be used in cyberattacks.

With the right training, you can create an awareness among your staff about potential security risks, minimizing the chance that a threat will make its way into your systems.

Further resources

To learn more about how to protect yourself, your patients and your practice, visit our cybersecurity web page and check out OntarioMD’s digital health tools and resources.

OMD Educates

Don’t forget to sign up for the 2026 OMD Educates: Digital Health Conference to learn how you can take advantage of innovative technologies in your practice.