Cybersecurity in Ontario’s Primary Care: Time to Wake Up


In today’s digitized healthcare landscape, primary care physicians are unwittingly standing at the edge of a cybersecurity cliff—and many don’t realize it. For most community doctors, cybersecurity barely registers in the long list of their daily demands. Yet the risks are growing, the stakes are high, and the solutions—while complex—are within reach if we take action now.

Patchwork Landscape

credit: @gapingvoid.com

The current cybersecurity posture in primary care is deeply fragmented. Once you step outside the well-resourced walls of acute care hospitals, the digital defense perimeter thins dramatically. Most primary care practices in Ontario operate independently, using different electronic medical records (EMRs), hosting their own servers (often under the basement stairs or in an upstairs broom closet), or relying on external systems without centralized oversight or standardized protections.  Networks, hardware and software are sitting ducks for attack.

And while Ontario Health Teams (OHTs) were created with the promise of fostering integrated care—including shared digital infrastructure—many clinicians remain skeptical. “In real life, this isn’t really happening,” says one physician. OHTs vary significantly across the province, often lacking tangible programming or support for primary care clinics and so far almost nothing on the data or IT front. Planning meetings proliferate, but concrete action—especially around digital coordination and cybersecurity—remains elusive.


Why Primary Care is Particularly Vulnerable

Primary care physicians are small business owners. They’re expected to be clinicians, administrators, IT managers, and compliance officers. That’s unsustainable. The reality is that many clinics are undersecured. Antivirus software might be out of date or nonexistent. Cloud storage may be misconfigured. Physical security is often overlooked, and staff (not just physicians) are regularly the point of breach through phishing emails or unsecured systems.  Few if any have been trained in prevention.


Despite this, cybersecurity still feels intangible for many. The concept generates great discussion when someone like the wise and erudite Ariane Siegel, Chief Legal Counsel and Privacy Officer at OntarioMD, gives a chilling presentation. She wins minds through storytelling: ransomware demands are real, data lockouts are common, and privacy breaches have become commonplace. When one hears about the nightmare experience of a colleague or clinic “just like me”, only then do ears perk up. But even when we have their attention, physicians are left asking: “Now what? Who do I call?”

Unfortunately, no one has a straightforward answer. OMA deflects to insurance. OntarioMD is under-resourced for hands-on support. Vendors are fragmented and mistrusted. Meanwhile, hospitals offer “solutions” like rolling out their clinical information systems into community practices, but these are usually ill-suited for primary care workflows.

The Culture of Cynicism


Years of stalled reforms and siloed initiatives have bred deep cynicism. Many doctors suspect that government programs like OHTs will fizzle out before meaningful support ever arrives. The downloading of responsibility onto the backs of individual clinicians is constant.  Mistrust is a barrier to any cybersecurity strategy requiring system-wide cooperation.

We’ve seen this before. Whether it’s OHTs, regional EMRs, central intake programs, or centralized referral systems, physicians are reluctant to engage unless they see real value, trust the implementers, and—critically—are paid for their time and risk.

Cybersecurity, for all its urgency, doesn’t stand a chance in this culture without a new approach. As one physician put it: “Unless someone helps me translate this abstract risk into something I can act on, unless they teach me—and unless I trust them to do it—it’s not going to happen.” Then eyes cast downward in a look of defeat.

What’s Working Elsewhere

But let’s look at a place where there has been a coordinated approach: Prince Edward Island. Granted, the province has fewer than 100 primary care doctors and a very pro-health government, but there the province is implementing sweeping reforms. There is one health authority. Primary care transformation is real, with the formation of over thirty integrated Primary Care Medical Homes across the province. All doctors will be salaried. The government is building physical clinics. One EMR will serve the entire province. And crucially, physicians are being paid for participation in system transformation—including IT transitions and cybersecurity improvements in their new physician services contract (their working thesis is that an hour of work is an hour of pay, regardless of the work that is being done).

This model works because it doesn’t overburden already strained clinicians. It treats cybersecurity as a central system responsibility, not an individual one. It pays doctors fairly. And it builds trust.

Contrast that with Ontario: physicians pay for their own EMRs, these EMRs have not substantively changed in decades, docs receive no additional funding for cybersecurity assessments or insurance, and are constantly asked to do more for less. It’s no surprise that system-level initiatives struggle to gain traction as there is little energy left for participation based on good will alone.


A Way Forward

To shift this dynamic, several changes are needed:

  1. A Coordinated Risk Assessment Offering
    Clinics need easy, trusted access to cybersecurity evaluations that include hardware, software, physical safeguards, and staff practices. These must be offered by known and trusted players like OntarioMD—not only large hospitals or unfamiliar vendors.
  2. Education That Hits Home
    Peer-led stories are powerful. When a fellow physician shares how their system was hacked and their clinic was offline for days, it sticks. Clinicians trust clinicians much more than cybersecurity vendors cold calling and offering solutions.
  3. Funding for Transformation
    Cybersecurity isn’t free, and the cost of addressing it shouldn’t fall solely on physicians’ shoulders. A new funding model must emerge—whether through bundled payments, stipends for transformation activities, or insurance subsidies. The goal: protect practices without punishing them financially.  There is a real role here for the OMA and CMA in making things work.
  4. Trusted Vendor Ecosystem
    Government-supported verification processes (e.g., Ontario Health’s vendor assessment framework or OntarioMD’s EMR certification) are a good start. But they must be transparent and broad enough to include innovators, startups, consultancies, and insurers, not just the usual large IT players.
  5. Seamless, Simple Solutions
    The most successful health tech tools—like AI scribes—succeed not because they’re flashy, but because they’re simple, cheap, and solve an immediate real problem. Cybersecurity tools must follow suit: easy to install, understandable, automated, and able to offload work from clinicians.

A Final Word: This is About More Than IT


What’s at stake is not just patient data, but the continuity of care, the integrity of the practice, and the professional trust that defines primary care. A cyber breach isn’t just an IT problem—it’s a clinical, legal, and reputational disaster.

Yet, the good news is this: we can prevent most of it. But only if we act now. Not with more jargon or top-down mandates, but with real partnerships, practical support, and above all, trust.

Cybersecurity in primary care is not an abstract issue. It’s a business imperative, a clinical safeguard, and a professional duty. It’s time for Ontario to treat it that way.

Check in tomorrow, for part 2, where I focus on direct solutions for community clinics… the place you can start now!

 
