Cybersecurity Staff Training & Refreshers

Consider making this month the occasion with which you begin a yearly practice of cybersecurity training, or do your yearly refresher on cybersecurity best practices with both clinic practitioners and staff. Everyone who has access to patient data or computers which access it needs to understand how they play a critical role in protecting your clinic from cyberattacks and privacy breaches. We are lucky to have excellent resources on cybersecurity that are tailored to clinics thanks to DTO’s collaborations with UBC and SFU; find links to these free courses for MOAs and clinic staff on our cybersecurity training resource page.

Keeping Systems and Software Up To Date

Software updates are not just there to add more features or fix problems; they also provide critical fixes to vulnerabilities. This is why it is critical to keep your clinic’s computer software and operating systems up to date with all security patches.

Windows 10 End of Life

If your computers are using Windows 10, they will stop receiving security updates on October 14, 2025. In order to remain protected with critical operating system security updates, you will need to upgrade your computers’ operating systems to Windows 11 (if possible) or purchase computers which support Windows 11.

If you haven’t had time to figure out what to do about this yet, you can sign up to receive a 1 year extension for critical security updates through the Extended Security Updates Program, but this will only provide critical security updates until October 2026.

Cyberattacks

Learning about the strategies used in different types of cyberattacks can help you identify when they are being attempted, as well as ways you can mitigate the risk that they will succeed. Fundamentally, all cyberattacks focus on finding and exploiting a security vulnerability, and often can use more than one type of vulnerability to gain access. Common vulnerabilities are things like software that hasn’t been kept up to date, simple passwords that are shared across accounts or systems, unsecured networks, or even physical security issues that allow for easy physical access to devices that are used to access patient data.

One of the most common strategies for cyberattacks is something called social engineering. This is the practice of manipulating or deceiving someone into giving the attacker access to a system or sensitive information, whether they realize it or not. This is why staff training and awareness is so critical in preventing a successful breach or cyberattack; if they are able to identify and respond appropriately, you can reduce the risk of a privacy or data breach.

Phishing

Phishing (pronounced ‘fishing’) is a cyberattack that uses social engineering in order to steal information about you, your clinic, or your patients. This information can be usernames and passwords, contact information, patient data, account numbers, money, or other operational information. It is most typically done over email, but can also be done over text message or even phone. It most often will attempt to direct the person to view a photo or attachment, visit a website, or fill out a form.

Ransomware

Ransomware is a type of malware that encrypts all of the files on a device and then presents a message demanding a “ransom” (usually in the form of cryptocurrency like Bitcoin) be paid in the next 24-48 hours in exchange for decrypting your data. These malicious programs are often designed to spread silently across a network, and some types of ransomware will not activate until all devices on a network are infected. If a ransomware victim is not able to restore their computers from “clean” backups (that haven’t been infected), they may lose all of the data stored on their machine, and will have to do a fresh install of their operating system on each and every infected device in order to recover.