Six Steps to Rebuild a Secure Clinic Foundation

What this means:

Make sure your clinic has reliable, secure internet that supports your EMR and daily operations. 

Why it matters:

Moving off the PPN means your clinic is now responsible for its own internet connection. If your connection is unreliable or not set up properly, it can impact:

• Access to your EMR 
• Patient care 
• Security and privacy 

This step is about building a stable foundation before adding security controls in later steps. 

Install business-grade internet (not home internet) 

• Ensure that you are using a business internet plan
• Check that your provider supports clinics or small businesses

What this means: 

• Home internet is not designed for clinics. Business internet offers better reliability and support. 

Why it matters: 

• More stable connection for EMR and virtual care 
• Faster support if issues occur 
• Better alignment with privacy and security expectations 

Have a Service Level Agreement (SLA) in place

• Understand what support your provider offers 
• Know how quickly issues will be resolved 

What this means: 

• An SLA is your agreement with the provider about uptime and support response times. 

Why it matters: 

• Reduces downtime during outages.
• Ensures you can get help quickly

Good practice: 

• Ask: What is your guaranteed response time if our internet goes down?

Confirm static IP (if required)

• Confirmed with your vendor if a static IP is needed
• Set up a static IP if required

What this means: 

• A static IP is a fixed internet address that some systems (like EMRs or VPNs) require. 

Why it matters: 

• Needed for certain secure connections
• Helps ensure reliable access to systems

Tip: If unsure, ask your EMR or IT provider. 

Test EMR connectivity

• Check if you can log into the EMR without issues
• Check if the performance is stable during clinic hours

What this means: 

Your EMR should work consistently over your new internet setup. 

Why it matters: 

• Avoids disruptions to patient care 
• Confirms your setup is working as expected 

Consider backup connectivity (optional but recommended)

• Have a backup plan if internet goes down (e.g., mobile hotspot, secondary connection) 

What this means: 

• A backup connection allows you to continue basic operations during outages. 

Why it matters: 

• Reduces downtime 
• Helps maintain access to critical systems 

Identify support contact 

• Know who to call for internet issues
• Document the contact details

What this means: 

• When something goes wrong, staff should not be guessing who to contact. 

Why it matters: 

• Faster issue resolution 
• Less disruption to clinic operations

Purpose: Help clinics choose the right internet provider and setup for their needs. 

What to look for in an internet provider 

1. Business-grade service 
   • Designed for clinics or businesses 
   • Offers better reliability than residential plans 
   • Ask: Do you offer business internet with support for clinics?
2. Reliable support and response times 
   • Clear support hours 
   • Defined response times (SLA) 
   • Ask: What happens if our internet goes down during clinic hours?
3. Sufficient speed and performance 
   • Supports: 
     • EMR access 
     • Video/virtual care 
     • Multiple users at once 
   • Ask: What speed do you recommend for a clinic of our size?
4. Static IP option (if needed) 
   • Available if required by EMR or VPN 
   • Ask: Can you provide a static IP address if needed?
5. Security compatibility 
   • Works with business firewalls 
   • Supports secure connections 
   • Why it matters: Your internet provider must support your security setup (Step 2 and beyond). 
6. Scalability 
   • Can grow with your clinic 
   • Ask: Can we upgrade easily if our needs change?

Questions to ask before choosing a vendor 

• What is included in your business internet package? 
• What are your uptime guarantees? 
• What support do you provide if there is an outage? 
• Do you provide or support static IP addresses?
• Can you work with our IT provider?
• Are there any additional costs (installation, support, etc.)? 

What to avoid 

• Choosing based on price alone
• Using home internet for clinic operations
• Not confirming EMR compatibility
• Not understanding support terms

Summary 

A good provider should be: 

• Reliable
• Easy to reach for support
• Compatible with your clinic systems
• Able to grow with your needs

It is important to assess your clinic’s IT needs when interviewing IT companies. For guidance, download the template for choosing an IT support vendor.

Purpose: Ensure your clinic network is set up securely and only allows safe, necessary connections. 

Firewall in place

• Install business-grade firewall
• Get your IT provider to set it up

Block unknown access (default-deny)

• Ensure that all incoming internet traffic is blocked by default 
• Check that only approved connections are allowed 

Limit access points (ports and services)

• Check that only required services are open 
• Check that unused access points are closed 

Control outgoing traffic

• Ensure that clinic devices only connect to appropriate external services 
• Limit risky or unnecessary connections

Separate networks

• Secure staff Wi-Fi is secure
• Separate guest Wi-Fi from clinic systems 

Keep systems updated 

• Regularly update the firewall and network equipment 

Responsibility assigned 

• Assign responsiblity to someone for managing network security 
• Document the IT provider contact

Summary

• Block everything by default 
• Only allow what you need 
• Keep systems updated 
• Assign responsibility 

Purpose: Help clinics understand what a firewall does and how it should be set up. 

What is a firewall? 

A firewall is like a security gate between your clinic and the internet. It decides what is allowed in and out. 

Key setup principles 

1. Default-deny (block first) 
   • Block all incoming traffic 
   • Only allow specific, approved connections 
   • Why this matters: Prevents unknown or unauthorized access. 
2. Allow only what is needed 
   • Open access only for required services (e.g., EMR)
   • Why this matters: Fewer open connections = lower risk 
3. Control outgoing traffic 
   • Limit access to unsafe or unnecessary websites/services 
   • Why this matters: Prevents malware or unsafe connections 
4. Separate networks 
   • Staff network (secure) 
   • Guest network (isolated) 
   • Why this matters: Protects clinic systems from public devices 
5. Keep firewall updated 
   • Install updates regularly 
   • Review settings periodically 
   • Why this matters: Fixes known security issues 

Who should set this up? 

• Your IT Support Provider 
• Not recommended to configure without technical support 

Common mistakes 

• Using a home router instead of a firewall
• Leaving default settings unchanged
• Opening access “temporarily” and forgetting to close it

Summary 

• Use a business firewall
• Block everything first
• Only allow what you need
• Keep it updated

See the sample basic clinic network diagram.

Purpose: Help clinics understand their options for protecting devices. 

What is antivirus? 

Basic protection that scans for known viruses and blocks common threats. It is best for smaller clinics and lower-risk environments.

What is XDR (Extended Detection and Response)? 

Advanced protection that: 

• Monitors devices continuously.
• Detects unusual behavior (not just known threats).
• Responds to threats automatically or with IT support.

Key differences

Antivirus:

• Protection level: Basic
• Detects new threats: Limited
• Monitoring: Minimal
• Response capability: Basic

XDR:

• Protection level: Advanced
• Detects new threats: Yes
• Monitoring: Continuous
• Response capability: Advanced

Which should you choose? 

Antivirus may be enough if:

• Small clinic 
• Limited IT support 
• Lower complexity 

XDR may be better if:

• Larger clinic 
• Multiple devices/users
• Higher security needs 

Simple summary 

• Antivirus=basic protection
• XDR=stronger, more proactive protection

Purpose: Help clinics manage and maintain devices safely over time. 

Keep devices secure 

• Use passwords or passphrases 
• Enable auto-lock after inactivity 
• Keep devices physically secure 

Keep devices updated 

• Turn on automatic updates 
• Restart devices regularly to apply updates 

Control software 

• Only install approved software 
• Avoid downloading from unknown sources 

Assign responsibility 

• Identify who manages clinic devices (internal or IT provider) 
• Ensure someone monitors updates and security 

Avoid using personal devices for clinic work 

• Do not store patient information on personal laptops or phones 
• Use clinic-approved devices only 

Prepare for incidents 

• Know how to report lost or stolen devices 
• Act quickly if a device is compromised 

Summary 

• Keep devices updated 
• Limit what is installed 
• Assign responsibility
• Be ready to respond if something goes wrong

Micro clinic size (1–5 employees)

• Total annual cost: $400–$1,500
• Example model: FortiGate 30G/40F ($700–$1,500 Hardware + subs)

Small clinic size (6–15 employees)

• Total annual cost: $1,200–$3,500
• Example model: Sophos XG, Meraki MX67 ($900–$3,200 hardware + subs)

Growing clinic size (16–49 employees)

• Total annual cost: $2,800–$6,500
• Example model: FortiGate 50G/71G, Palo Alto PA-220 ($1,500–$4,000 + subs)

Enterprise clinic size (50+ employees)

• Total annual cost: $50,000+
• Example model: Palo Alto PA-7000, FortiGate large ($10K + hardware + subs)

Understanding and recognizing the most common cybersecurity threats is critical for mitigating the risk of a security breach.

Learn more about preventing a breach.

Ensure all solutions comply with BC PIPA requirements.

What this means:

• Assign clear responsibility for privacy and security, and document how your clinic manages them. 

Why it matters:

• Security is not just about technology—it’s about people and accountability. 

Without clear roles and documentation:

• Important tasks may be missed.
• Staff may not know their responsibilities.
• Clinics may not meet privacy expectations.

This step ensures your clinic has:

• Named individuals responsible for privacy and security.
• Clear documentation (policies and roles).
• Staff awareness of responsibilities.

Assign a Privacy Officer 

• Identify a Privacy Officer 
• Ensure staff know who this is 

What this means:

• Someone is responsible for overseeing privacy practices.

Why it matters:

• Required for accountability
• Ensures privacy concerns are addressed

Assign an IT/Security lead

• Assign a person (or vendor) to be responsible for IT/security
• Document the contact details

What this means:

• Someone is responsible for technical security.

Why it matters: 

• Ensures systems are maintained and secure.
• Provides a clear point of contact for issues.

Document roles and responsibilities

• Write down the key responsibilities
• Ensure that staff understand their role

What this means: 

• Who does what is clearly defined. 

Why it matters: 

• Prevents gaps or confusion.
• Supports consistent practices.

Update the privacy policy

• Ensure that the clinic privacy policy is current 
• Include the contact information for Privacy Officer

What this means:

• Your clinic has a written document explaining how personal information is handled. 

Why it matters:

• Supports compliance with privacy requirements.
• Builds trust with patients.

Make staff aware of responsibilities

• Ensure that staff have been informed of privacy and security expectations 
• Staff should know who to contact with questions

What this means: 

• Policies are not just written—they are understood. 

Why it matters:

• Staff actions are a key part of protecting information. 
• Reduces risk of accidental breaches.

Download our roles based access template.

Find Privacy templates and tools:

• Download our privacy toolkits policy template
• Online privacy toolkit

Purpose: Ensure staff understand their role in protecting privacy and security.

Key training topics

Staff should understand:

• How to recognize phishing emails
• Safe use of passwords/passphrases or passkeys
• Proper handling of patient information
• Secure use of email and systems

Common risks to watch for 

• Suspicious emails or links
• Requests for login information
• Unexpected attachments
• Sending information to the wrong person

What staff should do

• Stop and think before clicking or sending
• Confirm unusual requests
• Report concerns immediately

Who to contact

Staff should know:

• Privacy Officer 
• IT/Security Officer 

Summary 

• Be aware 
• Be cautious 
• Report concerns

Watch the privacy toolkit’s physician and staff refresher training video.

Find clinic security resources:

• See the Enhance Your Clinic’s Security webpage
• Download the physician office IT security guide