■ Duties and responsibilities:

Expectations of physicians in practice

Cybersecurity threats: Are you prepared?

Rows of virtual padlocks, with one red padlock open

3 minutes

Published: December 2021

The information in this article was correct at the time of publishing

Cyberattacks directed at healthcare organizations, clinics and physician offices are a growing concern that can have a crippling effect on healthcare systems and impact patient care and safety.

Such attacks may result in healthcare providers being unable to access electronic medical records or other electronic files. Some cyberattacks may result in the loss of information or allow hackers to access personal health information, and when this occurs, the attack should be regarded as a privacy breach. As well, doctors may be further impacted if the attack leads to a complaint or investigation into the incident.

What is a cyberattack?

A cyberattack, or cybersecurity incident, generally includes any malicious and deliberate attempt to breach the information system of an organization or individual.

  • Ransomware is computer malware that encrypts electronic files, essentially locking users out of their computers, and only the hackers have the key. The hackers hold the files for ransom and try to extort money to restore access.
  • Phishing involves enticing a user to click on a legitimate-looking link in an email message, which can then lead to theft of sensitive data such as login information or installation of malware on the victim’s device.
  • Distributed-denial-of-service (DDoS) attacks flood the computer network with excessive internet traffic, which degrades network performance or causes a service outage of critical infrastructure.

If you experience a cyberattack

  1. Focus on any urgent patient needs or follow-up.
  2. Promptly contact your IT specialist to review the facts and your options, including reasonable steps to immediately contain the incident and ensure continuity of patient care.
  3. Where privacy may have been breached, and depending on the jurisdiction, it may be necessary to notify affected individuals, the privacy commissioner, and/or the medical regulatory authority (College).
  4. Contact the CMPA if you need guidance on your reporting obligations or related medico-legal advice.

Medico-legal risks and CMPA assistance

Cyberattacks can lead to complaints or investigations, including by hospitals, the Colleges, and privacy commissioners. They can also lead to civil legal actions.

The CMPA generally assists members with privacy-related matters, including complaints, investigations and claims arising from the practice of medicine. Because matters concerning the business of medicine are outside the CMPA’s mandate, CMPA assistance does not generally extend to payment of ransomware or costs associated with the restoration of data, privacy breach notification, forensic investigation, and hardware issues.

Preventive actions

You can take steps to protect your systems from cybersecurity threats and to mitigate the damage from a cybersecurity incident.

  • Consult with IT experts about a layered approach to securing your computer systems, including firewalls, encryption, web scans, and up-to-date anti-virus software. Ensure available software updates are installed promptly.
  • Engage in and provide clinic staff with information security training to instill awareness of cybersecurity threats and routine precautions, such as the importance of strong passwords. (Some medical organizations offer training programs, such as OntarioMD’s Privacy and Security Training Modules.)
  • Recognize and avoid phishing scams. Never open links or attachments in unsolicited emails.
  • Segment information systems (i.e. setting up the computer network so that one part can be quickly disconnected, either physically or virtually, from other parts of the network and the Internet) to help prevent the spread of a cyberattack.
  • Regularly back up files and keep backed-up files on a separate system disconnected from the main system (physically or via cloud backup). Back-up systems should be tested regularly.

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.