Professional organizations, including medical, dental and other health care practices, continually depend on technology and digital advancements to collect, store and organize information about their patients. Increasing use of electronic data and electronic medical records creates a heightened risk of cybersecurity threats for many professional practices given the type of information they collect and store about their patients. Such patient information may include names, addresses, birthdates, social insurance numbers, health history, health card numbers, insurance information, and banking information. Taking into account the sensitive nature of this information, it is critical that appropriate steps are taken to safeguard against cyber attacks and security breaches.
Understanding the kinds of threats posed to your professional practice is part and parcel of better protecting yourself. One of the most common threats is Business Email Compromise, also called BEC. BEC is a form of “phishing” that dupes email users into sending otherwise confidential patient information. Using socially manipulative techniques such as imitating a practice manager, hackers are able exfiltrate personal information relating to patients.
Hackers will also tempt users into clicking on links that open malicious software. Once said software has infiltrated a system, hackers are able to exfiltrate sensitive information, and lock you and your practice out of your computers. Hackers then ask for a ransom, usually in the form of a cryptocurrency, to get access to your computers. This is exactly what happened in 2019, when a malware known as Ryuk attacked three Ontario hospitals. Fortunately, the hackers were unsuccessful in their attempts to exfiltrate patient data, and no ransom was paid.
In order to better protect patients from these kinds of threats, Ontario developed privacy legislation known as the Personal Health Information Act (PHIPA). PHIPA places unique responsibilities on individuals that control and collect health information. Organizations now have increased statutory obligations to protect patient information. This legislation sets up a framework of mandatory principles and enforceable rules that are intended to protect individuals’ personal health information. Failure to protect patient information and comply with the requirements under PHIPA may result in a host of liability issues. Given the sensitive nature of health information, legislation has set out fines of up to $100,000 for individuals, and $500,000 for institutions.
Under PHIPA, certain reporting obligations and requirements are imposed on hospitals and health information custodians (HICs) in the event of a privacy breach. Health information custodians include healthcare practitioners, hospitals, pharmacies, as well as others. It is mandatory that HICs report certain privacy breaches, including unauthorized use or disclosure of information; stolen information; further use or disclosure without authority after a breach; a pattern of similar breaches; disciplinary action against a college member or non-college member; as well as any other significant breach, to the Information and Privacy Commissioner of Ontario (IPC). Additionally, HICs are responsible for submitting statistics with respect to any breaches which did not meet the criteria for mandatory reporting to the IPC. An HIC must submit a report each year setting out statistics with respect to the number of times in the previous calendar year that personal health information in the HICs custody or control was stolen, lost, used without authority and/or disclosed without authority.
It is of paramount importance that healthcare practitioners understand the notification requirements under PHIPA, as well as those under the regulatory body governing their professional practice. It is suggested that practitioners work hand in hand with their IT team, staff, and legal counsel to develop an effective strategy to not only safeguard against a potential breach, but to carefully and appropriately handle cybersecurity threats and the risks posed to patient care and privacy.
 O Reg 329/04, s 6.3.
 Supra, s 6.4(1).