Cyber Security: Risk Management 101

Cyber Security: Risk Management 101

The dangers of Internet hacking remain in the spotlight. Late in the summer of 2014, the theft of 1.2 billion usernames, passwords and email addresses by a Russian gang was revealed. Before that, there was a massive theft of data from Target Stores. This type of fraud and financial data loss is unfortunately not limited to credit card information or even to retailers, making it extremely important for medical aesthetic practices to protect their systems against hackers.

Today, virtually every medical practice is sharing some amount of data—whether financial records, tax documents, patient records and contact information, or intellectual property and trade secrets—on systems with Internet access. Accordingly, every practice owner or principal should recognize the security threats and risks inherent in living in the digital age.

Where Does Health Care Stand?

The healthcare industry is being dragged kicking and screaming into the digital world, trailing banks and retailers with their decades of cyber security experience. In fact, last summer Community Health Systems, one of the country’s biggest hospital groups, was the victim of a cyber attack that resulted in the theft of personal data belonging to 4.5
million patients, including Social Security numbers.

Willingly or not, many medical professionals and hospitals have gone from paper to electronic health records in the space of only a few years, spurred by the passage of the Health Information Technology for Economic and Clinical Health Act of 2009—granting the Department of Health and Human Services (HHS) authority to promote health IT that improves health care.

The HHS has, of late, become more aggressive in enforcing cyber security laws, levying almost $10 million in fines in just the last fiscal year through its Office of Civil Rights, which investigates privacy violations. Since they began tracking the numbers in 2009, more than 31.6 million individuals—roughly one in ten people in the U.S.—have had their medical records exposed through a hack attack, data theft or unauthorized disclosure.

Aesthetics and the Internet

Any medical spa or aesthetic practice that takes names, Social Security numbers or other sensitive information is legally and ethically required to take all necessary steps to protect both patient and employee data from loss and theft.

The amount of information practitioners transfer via the Internet is vast—from email correspondence to online consults, training and business meetings. Many practices are completely paperless, and the more business you do digitally, the higher your responsibility to protect your practice’s data.

Initially, the greatest risk appears to lie with high-profile and high-risk companies, however more than 72% of all data breaches occur in small- or medium-sized businesses, according to a recent study by the U.S. Secret Service and Verizon Communications. Most cyber attacks target operations with fewer than 250 employees—a group unlikely to have the financial means to afford fines and lawsuits resulting from breaches or data losses.

Social media sites in particular expose information at light speed with little control. Employee activity on any of the proliferating social media sites can trigger liability. Defamatory statements and leaked patient and/or medical information are all growing concerns.

Image copyright Getty Images.
A medical aesthetic practice can also be held liable for the loss of third-party data. Once an aesthetic practice’s reputation has suffered from a cyber security breach, losing the
trust of patients can be far more damaging than the financial effects.

DIY Risk Management

Cyber hacking is big business, so how can medical practitioners prevent an attack and protect their practices from potential data breaches? If outsiders have access to a clinic’s internal network through an Internet connection, there is virtually no way to fully protect the data on that network. Therefore, providers must assess whether all stored data has to be instantly accessible.

For starters, employee Social Security numbers and sensitive personal information should only be accessible to human resources and payroll departments. Patient records should be accessible only to medical professionals.

When it comes to limiting access to data and protecting said data, security experts agree that the easiest place to start is with strong password protection. Many recently exposed hacking cases have been traced back to weak passwords that were either not encrypted or not changed regularly.

If managing passwords for all of the practice’s servers, apps, cloud services, databases, tablets and laptops seems daunting, there are affordable password management professionals and software that will do it for you.

Here are some other steps you can take to help secure your practice data, reduce its liability and, in many cases, lower the cost of insuring against potential losses:

  • Use a firewall. There are hardware and software approaches that are both cheap and easy to use. These programs allow you to create applied rules to control incoming and outgoing network traffic, reducing the risk of nefarious activities.
  • Have your system analyzed. Regularly assess possible hardware, software and individual site vulnerabilities with an IT professional.
  • Separate sensitive data. Computers used for sensitive applications—such as EHR and financials—should be isolated from the rest of the practice’s network.
  • Control access to data, i.e., limit the delivery and exchange of patient documents and information to secure channels.
  • Employ anti-virus software and update it regularly—a number of popular programs are relatively inexpensive and may include free automatic updates.
  • Cancel old accounts. When an employee or contractor with access to the system leaves the aesthetic practice, ensure their passwords are no longer usable. It is common to lock an employee out of the system just before or at the same they are being terminated.
  • Create and implement a data security plan that includes immediate notification of all affected parties. In the U.S., most states have breach notification laws in which written notification must be sent to those individuals who have been affected by a data loss—even where such laws are not in place, a reputable medical spa or aesthetic practice should provide breach notification.
  • Share the liability by demanding similar protocols of colleagues, suppliers, vendors and partners—and checking for compliance.

Image copyright Getty Images.

Getting Covered

Unfortunately, practice owners often discover what is—and what isn’t—covered by their insurance policies only after a cyber attack. Business interruption insurance policies rarely help in the event of a system failure due to a malicious employee, computer virus or hack. Similarly, identity theft, telephone hacking and phishing scams are all very real possibilities rarely covered by traditional practice or business interruption policies, including umbrella and blanket liability insurance policies. Some insurance policies offer general liability protection, while Directors and Officers (D&O) liability may provide a measure of coverage for these areas.

Cyber liability insurance, which has been available for almost 10 years, can cover the loss of profits from a system outage caused by hacker attacks, viruses and worms that steal or destroy a business’s data. Even email or social networking harassment and discrimination claims can be covered, along with trademark and copyright infringement, through these policies. When looking into cyber insurance, make sure that all potential risks are covered. Portable devices make it much easier to both store and lose information; a missing USB stick, a stolen iPad or a laptop left in a taxi are all real possibilities and, for a hacker, a goldmine.

A good insurance company will usually ensure their policyholders have all the necessary protections in place. They can put a firewall in place to protect the practice’s network, and help create social media policies that will reduce risk and potential liability. Even if data is stored in the cloud, the medical aesthetic practice may still be liable for a breach. Cyber insurance can protect against these breaches as well.

Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Practices and businesses, even independent medical practitioners, are increasingly in their crosshairs and need to use every protection strategy available to combat the growing cyber threat.

Mark E. Battersby is a Philadelphia-based freelance writer specializing in business finance and insurance topics.

Image copyright Getty Images.

More in Business