Cyber Security: Risk Management 101

Make sure your practice’s data is protected against Internet hackers.

The dangers of Internet hacking remain in the spotlight. Late in the summer of 2014, the theft of 1.2 billion usernames, passwords and email addresses by a Russian gang was revealed. Before that, there was a massive theft of data from Target Stores. This type of fraud and financial data loss is unfortunately not limited to credit card information or even to retailers, making it extremely important for medical aesthetic practices to protect their systems against hackers.

Today, virtually every medical practice is sharing some amount of data—whether financial records, tax documents, patient records and contact information, or intellectual property and trade secrets—on systems with Internet access. Accordingly, every practice owner or principal should recognize the security threats and risks inherent in living in the digital age.

Where Does Health Care Stand?

The healthcare industry is being dragged kicking and screaming into the digital world, trailing banks and retailers with their decades of cyber security experience. In fact, last summer Community Health Systems, one of the country’s biggest hospital groups, was the victim of a cyber attack that resulted in the theft of personal data belonging to 4.5 million patients, including Social Security numbers.

Willingly or not, many medical professionals and hospitals have gone from paper to electronic health records in the space of only a few years, spurred by the passage of the Health Information Technology for Economic and Clinical Health Act of 2009—granting the Department of Health and Human Services (HHS) authority to promote health IT that improves health care.

The HHS has, of late, become more aggressive in enforcing cyber security laws, levying almost $10 million in fines in just the last fiscal year through its Office of Civil Rights, which investigates privacy violations. Since it began tracking the numbers in 2009, more than 31.6 million individuals—roughly one in ten people in the U.S.—have had their medical records exposed through a hack attack, data theft or unauthorized disclosure.

Aesthetics and the Internet

Any medical spa or aesthetic practice that takes names, Social Security numbers or other sensitive information is legally and ethically required to take all necessary steps to protect both patient and employee data from loss and theft.

The amount of information practitioners transfer via the Internet is vast—from email correspondence to online consults, training and business meetings. Many practices are completely paperless, and the more business you do digitally, the higher your responsibility to protect your practice’s data.

Initially, the greatest risk appears to lie with high-profile and high-risk companies; however, more than 72% of all data breaches occur in small- or medium-sized businesses, according to a recent study by the U.S. Secret Service and Verizon Communications. Most cyber attacks target operations with fewer than 250 employees—a group unlikely to have the financial means to afford fines and lawsuits resulting from breaches or data losses.

Social media sites in particular expose information at light speed with little control. Employee activity on any of the proliferating social media sites can trigger liability. Defamatory statements and leaked patient and/or medical information are all growing concerns.
