A data security checklist for the age of AI

When you work in healthcare you can’t afford to be complacent about data security—the consequences of a breach could be disastrous, for both you and your patients. These are some security threats you need to know about and some strategies to ensure that your digital records remain protected.

Aisling Smith


You’re not imagining it—online scams are becoming more convincing. This means that implementing strong security practices is more important than ever, especially when it comes to your allied health practice. You’re the custodian of highly sensitive and private information, all of which is very juicy bait to hackers. So how do you avoid becoming a cautionary tale? By knowing the threats that you’re facing and taking the right steps to protect your data.

What are the threats?

Once upon a time it was easy enough to figure out that the email, riddled with typos and telling you that you’d won 10 million dollars, wasn’t legitimate. These days, scammers have gone high-tech and sophisticated. With the rise of AI, it’s getting harder to pick up what’s real and what’s fake—and the bad news is that it’s only likely to get worse. As a starting point, make sure you’re aware of:

  • Social engineering
    This is a manipulative technique where a criminal uses information about you (usually found online, though they may also use phone-based tactics) to make their messages hard to identify as deceptive. This often involves impersonation—so, for example, you might receive a text message that’s signed off with the name of your actual boss but is in fact from a scammer.
  • AI-enhanced scams
    With AI voice technology becoming more advanced, it’s likely that scammers will become increasingly able to use AI to replicate a person’s voice on a phone call, in a voice message, or even during a video call.

Treat any communication you receive with caution, even if it appears to be from someone you know. Obviously, be careful with your bank details and credit card information, but also make sure that you never share your password with anyone for any reason. It might not feel good to always be cynical, but it’s better than being sorry! It’s also a smart move to restrict what information you share on social media or other public platforms (perhaps consider making your personal accounts private), so it can’t be weaponised by scammers.

Why this is so vital for you to be on top of

The importance of data security for health professionals can’t be overstated. At a minimum, a data breach will cost you time, money, and patient trust. At worst, it could land you in legal or regulatory trouble, or even cause your business to fail.

  • Time
    If your practice suffers a data breach, you can expect to sacrifice many hours from your workday trying to sort it all out. Imagine having to cancel appointments so you can instead work out what private information was leaked, notify your impacted patients, and notify the appropriate authorities. You’ll then need to spend the time to figure out the weaknesses in your system and ensure that it doesn’t recur.
  • Money
    Data breaches are extremely costly. On average, a single cyber-attack in the healthcare industry results in a loss of $11 million USD (these statistics have been published by Morgan Lewis and come from a 2023 report by Proofpoint and the Ponemon Institute). Could your business afford a breach? You also risk the cost of potential litigation from your patients if the breach is severe enough.
  • Patient trust
    Last but not least, there’s the ethical aspect of a data breach. Your patients themselves are directly affected if their medical data is exposed and this could have serious and far-reaching adverse consequences for them. In addition to this, if sensitive information that you’ve collected is leaked, it has the potential to damage your professional reputation irreparably. 

The good news is that these consequences can be avoided by following some simple security steps.

How to protect yourself

Having the right security measures in place is the cheapest and most effective way to remain compliant and avoid a data breach. A small amount of effort in the short term could save you a world of pain down the track.

We encourage you to implement all of the following steps for your Cliniko account, and many of them will be applicable for other online services that you use as well.

1 Check whether you’ve already been compromised

There’s a handy website called Have I Been Pwned that allows you to check whether your personal information has already been involved in a data breach. We recommend you have a look. You type in your email address and the website informs you as to whether you’ve been compromised, which can help you figure out how vulnerable you are right now. A service like iCloud Keychain automatically checks for this.
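To show how a breach-checking service can answer “has this secret been seen in a breach?” without you having to send it the secret, here is an added example (not from the original article, and not Cliniko’s code). It models the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API, where only the first five characters of a SHA-1 hash leave your machine and the matching is done locally. `FAKE_RANGE_DB`, `fake_fetch_range` and the counts are constructed stand-ins for the real endpoint, so the script runs offline.

```python
import hashlib

# Constructed stand-in for the breach database's range endpoint. The real
# Pwned Passwords range API returns lines of "HASH-SUFFIX:COUNT" for a given
# 5-character SHA-1 prefix; the entries below are made up for this example,
# except that the first suffix is the real SHA-1 remainder of the string
# "password" (so a lookup for it produces a hit).
FAKE_RANGE_DB = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "00000000000000000000000000000000000:12\n"
    ),
}

REQUEST_LOG = []  # records exactly what would leave the practice's machine


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for an HTTPS GET of /range/<prefix>; only the prefix is sent."""
    REQUEST_LOG.append(prefix)
    return FAKE_RANGE_DB.get(prefix, "")


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if never)."""
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not found")
    # Demonstrates that the server only ever learns 5-character prefixes.
    print("prefixes sent over the wire:", REQUEST_LOG)
```

The point of the split is that the server cannot tell which of the hundreds of hashes sharing a prefix you were asking about, which is what makes it safe for a password manager or keychain to run this check automatically.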

2 Use strong passwords

This is your first line of defence against a data breach and while it sounds obvious, far too many people don’t get this right. Having a password that can’t easily be guessed isn’t an annoying bureaucratic hurdle to jump over; it’s an essential step to protecting your data. While we all get taught that a password including “a combination of a letter, a number, lower case, upper case, and a symbol” equals a strong password, this isn’t actually the case. So, what criteria should you use for your passwords instead?

  • Complexity
    Don’t choose a password that’s obvious, such as a pet’s name, your birthday, or a simple word or sequence (e.g. “password” or “1234”).
  • Uniqueness (i.e. don’t re-use passwords)
    Make sure that you use a unique password for each platform or it becomes a useless safeguard. It’s like dominoes: if a password is compromised in one place, using the same password across platforms will topple your security everywhere else.
  • Length
    Length is one of the best defences against getting hacked. Aim for long strings of random words or, better yet, use a password management system (such as LastPass or 1Password) and allow it to generate and store a password for you.
  • Randomness
    The more random, the better!
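The claim above that length and randomness beat a “letter, number, symbol” mix can be put in numbers. The following is an added example (not from the original article or from Cliniko): it compares the entropy of a few password policies, generates a random-word passphrase with Python’s `secrets` module, and flags the obviously guessable choices the Complexity bullet mentions. `DEMO_WORDLIST` is a constructed 32-word list so the script runs offline; the 7776 figure is the size of the EFF long wordlist, and `is_obviously_weak` is a constructed heuristic rather than a substitute for a breach-corpus check.

```python
import math
import secrets

# Constructed 32-word list so the example runs offline. A real passphrase
# generator should draw from a large list (the EFF long list has 7776 words).
DEMO_WORDLIST = [
    "anchor", "basil", "cactus", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saffron", "tundra", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cobalt", "delta", "echo", "fjord",
]
EFF_LONG_LIST_SIZE = 7776     # words in the EFF long wordlist
PRINTABLE_ASCII_POOL = 94     # letters, digits and symbols on a US keyboard

# Passwords the page names as obvious guesses (constructed denylist).
COMMON_GUESSES = {"password", "1234", "12345678", "qwerty", "letmein"}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random: length * log2(pool).
    Only valid for machine-generated secrets; human-chosen ones are far weaker."""
    return length * math.log2(pool_size)


def compare_policies() -> dict[str, float]:
    """Entropy of a short 'complex' password versus longer random choices."""
    return {
        "8 chars, full symbol mix": entropy_bits(PRINTABLE_ASCII_POOL, 8),
        "12 chars, full symbol mix": entropy_bits(PRINTABLE_ASCII_POOL, 12),
        "4 random words (7776-word list)": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 random words (7776-word list)": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }


def generate_passphrase(num_words: int = 5, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Random-word passphrase. Uses secrets, not random: random is not a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def is_obviously_weak(candidate: str, min_length: int = 12) -> bool:
    """Constructed heuristic for the guessable patterns the article lists."""
    low = candidate.lower()
    if low in COMMON_GUESSES:
        return True
    if len(candidate) < min_length:
        return True
    # Digit runs such as 12345678 or 987654321.
    if candidate.isdigit() and all(
        abs(int(b) - int(a)) == 1 for a, b in zip(candidate, candidate[1:])
    ):
        return True
    return False


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:34s} {bits:5.1f} bits")
    print("example passphrase:", generate_passphrase())
    for pw in ("password", "1234", "Tr0ub4dor&", "anchor-basil-cactus-dune-ember"):
        print(f"{pw!r}: {'weak' if is_obviously_weak(pw) else 'not obviously weak'}")
```

Four random words from a large list land in the same range as an 8-character symbol soup, and six words comfortably beat it, while being far easier to type from memory. The entropy figure only holds when a machine picks the words; a password manager’s generator does exactly that.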

3 Make it mandatory for all employees to enable 2FA

Enabling 2FA in Cliniko (two-factor authentication) is the single most effective step you can take to keep your account secure. It works by adding an extra layer of protection in addition to your username and password. With 2FA enabled, logging into your account requires you to enter a code that gets sent to your device. This means that even if a hacker gains access to your password, they’ll also need to have your phone or your iPad handy to get any further. It’s also possible to make 2FA mandatory for all users on your Cliniko account and we highly recommend that every healthcare practice takes this step.
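To make the “code that gets sent to your device” step concrete from the server’s side, here is an added example (not from the original article, and not how Cliniko implements 2FA). It models the minimum a service must do for such a code to actually add a second factor: generate it with a cryptographic RNG, store only a hash, let it expire, allow a limited number of guesses, compare in constant time, and discard it after a single use. `CODE_TTL_SECONDS`, `MAX_ATTEMPTS` and the six-digit format are assumed policy values, and the clock is injectable so the expiry path can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is valid for five minutes (assumed policy)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


def _hash_code(code: str) -> bytes:
    # The server never stores the code itself, only its hash.
    return hashlib.sha256(code.encode("utf-8")).digest()


class OneTimeCodeStore:
    """Server-side bookkeeping for 'we sent a code to your device' 2FA."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> [code_hash, expires_at, attempts_left]

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; the caller delivers it to the device."""
        code = f"{secrets.randbelow(10**6):06d}"   # uniformly random six digits
        self._pending[user_id] = [
            _hash_code(code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """True only for the current, unexpired, unused code with guesses left."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False
        entry[2] -= 1
        # Constant-time comparison so timing does not leak matching prefixes.
        ok = hmac.compare_digest(_hash_code(submitted), code_hash)
        if ok or entry[2] == 0:
            # Single use: a verified code is gone, and so is an exhausted one.
            del self._pending[user_id]
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("demo-user")
    print("code sent to device:", code)
    print("wrong guess accepted?", store.verify("demo-user", "000000" if code != "000000" else "000001"))
    print("right code accepted?", store.verify("demo-user", code))
    print("reuse accepted?", store.verify("demo-user", code))
```

The reason the expiry, attempt limit and single-use rule matter is the scenario the paragraph describes: an attacker who already has the password still has to produce the right six digits within a short window and with only a handful of tries, which is not feasible without the device.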

4 Installing updates

Keep software and devices up to date, and always install the latest version. This is important: software updates fix known bugs and close gaps in the security of the current system, which makes you a far less attractive target for hackers. It’s similarly important to keep your browser up to date, and What Is My Browser is a site that allows you to check this.

5 Scrutinise any third-party software you use

What are the security policies of any third-party software that you use? Check whether the service you’re using includes peer-to-peer encryption (we talk more about the different kinds of encryption in our article all about telehealth security). It’s also a wise idea to review whether any tools you use will sell or transmit your personal data to other parties—you can’t afford to skip the fine print.

6 Educate team members about current scams

Make sure that your team can recognise a phishing email or text, as well as the impersonation techniques used by social engineers. It’s also a good idea to give them strategies to know what to do if they’re in doubt and even to invest in some education or training sessions they can take. As a starting point, you could ask them to take this online test about phishing!

7 Have a verification system in place

Use a system to verify the identity of anyone calling for information and make sure that you have a protocol in place as to what information to give out. When you’re authenticating your patients, try to do so in a way that preserves their confidentiality—which is one of the reasons that online booking can be a better option than phone booking.

8 Implement secure offboarding procedures

Create clear procedures that you can follow when someone leaves your practice, and a key part of this is making sure that their security access is revoked ASAP. Thinking about future security from when you first onboard new team members will make your offboarding much easier.

Security is a shared responsibility

While we take the security of your data very seriously at Cliniko, we can’t protect you without your help. If you don’t have basic security protocols in place, then it doesn’t matter how secure our software is—your patient data is still at risk.

Security can feel like a hassle until it’s too late, so take a few minutes today and make sure you’ve checked off everything on this list.


Author information

Aisling is a Melbourne-based writer and all around word nerd. When she isn't writing for Cliniko, she likes circus fitness, playing her cello, and eating dessert.
