Insurance and risk management consultant Holly Markham discusses changes to data protection laws and advises how to protect your patients’ privacy
According to a study carried out by the Information Commissioner’s Office (ICO), the healthcare sector is the most vulnerable industry when it comes to cyber-attacks and data breaches.1 Breaches in the healthcare sector exceeded those of any other industry in the UK in 2015-2016, including local government, finance and retail institutions (Figure 1).1
With new EU data privacy laws looming, an increased integration of technology and the current vulnerability of the healthcare sector, medical professionals and aesthetic businesses need to take a proactive approach to mitigating their exposure to cybercrime and data breaches to protect the highly sensitive information of their patients and to act in accordance with the law.
Traditionally, when we think of cybercrime or data breaches, our thoughts are drawn to the vision of criminals hacking into a website to obtain financial information or take control of personal data. We also tend to think that our business has some sort of immunity to these risks and that it will never happen to us. Cybercrime and data breaches can take a variety of forms, and the mainstream media has highlighted how even the biggest institutions can fall foul. Some of the most prolific examples that would have been brought to your attention over the past decade include:
Data breaches can easily occur within the medical aesthetics sector. It is important to be aware that it could happen to you; understanding where your business’s weakness might be is vital. The following list comprises some of the most common ways data is breached and how to prevent them.
It is no secret that some healthcare providers have still not moved into the 21st century and remain paper-based. Paper is easily lost, could be left behind on a commute to and from your clinic, or stolen from your premises. To prevent this, implement a clear desk policy; classify documentation; shred all confidential waste (if in doubt, shred it) and/or engage an accredited organisation to collect and shred documentation for you. It is also a good idea to increase your premises’ security. If using paper-filing systems, ensure that patient records are safely secured in a locked cabinet, ideally within a locked office area, and remove all keys from the premises. This is one of the processes that your chosen data protection officer should review (explained on the next page). There are also several data leakage prevention solutions that stop data leaving an organisation incorrectly, whether by mistake or malicious intent.
A simple clerical error such as emailing the wrong patient or sending a letter with the wrong patient details enclosed is classed as a data breach.6 As a healthcare provider you hold highly sensitive confidential data which, if it falls into the wrong hands, could cause severe damage and distress to those individuals. This is difficult to prevent so add disclaimers to your post and email. To lower your cyber risk when sending sensitive documents, only email using password protected files.
How many practitioners use their own iPad, iPhone or tablet device to take patient before and after photographs, some of whom may well be celebrities or other high-profile individuals? If that device is lost or stolen, this is a breach, no matter which patient the photos are of. What would the ramifications be to your reputation and finances if such data got into the wrong hands? To prevent this, ensure that all of your devices are encrypted by default (available on most mobile devices; encryption encodes the stored information so that it cannot be read without the key, preventing unauthorised access). Also implement mobile device management so that you can remotely wipe devices that are lost or stolen.
The first mistake is to think ‘my website is not interesting to hackers, we don’t transact any financial information so we’re fine, it will never happen to us’. You may be surprised to know that as many of you read this, hackers are attempting to break into websites just like yours. It is not exactly your website per se that the average hacker wants, it’s the computing power of the webserver it runs on. Your website can be used as a valuable tool to conceal a hacker’s identity whilst they perform illegal tasks, to send millions of spam emails from your server to your patients asking for payments, or to serve viruses to visitors to your website. A hacker may also encrypt your server with specially-developed ransomware to commit cyber extortion, demanding payment. To manage this, regularly carry out penetration tests and vulnerability scans to test the effectiveness of your firewalls and data security. The aim of this is to identify browser exploits, unpatched software, insecure coding practices and weak encryption algorithms. A penetration test must be conducted by a certified ethical penetration tester, who will use their expertise to identify specific weaknesses within an organisation’s security arrangements. This involves simulating a malicious attack on an organisation’s information security arrangements, often using a combination of methods and tools. As well as this, do not use free WiFi access or hotspots, as it is easy for unscrupulous cyber criminals to intercept your data. Any access to your business or home network should also be encrypted and password protected.
Highly sensitive patient information, records, hard drives and business recycling, if not discarded safely, can significantly increase the risks of a security breach if it falls into the wrong hands. To prevent this, ensure that all old paper documents are shredded and get your data protection officer to review current data protection processes and run a programme to bring the organisation into line with the ICO guidelines.
Improper redaction most often occurs when text or images are covered instead of being completely purged from a document. For example, if you use a case study or post before and after photographs on your website and have simply blackened out sensitive information or not fully concealed the identity of the patient, then you are at risk of a breach. As discussed, the way to prevent this is ensuring that you implement all of the processes outlined above. For more information you can visit the ICO’s guide to data protection.7
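The redaction point above has a second, less obvious half: even when the pixels really are overwritten, image files carry text metadata (a comment, an author, a capture note) that a viewer never displays but any tool can read. The following Python example, added here and not part of the original article or any product it mentions, builds a small PNG with a patient comment embedded as a tEXt chunk (a constructed sample), blacks out a region destructively, and shows that the comment still leaks until the text chunks are also stripped. It uses only the standard library and assumes the simple 8-bit RGB, unfiltered, single-IDAT layout that `build_png` produces; `find_text_metadata` and `strip_text_metadata`, however, walk the standard chunk structure and work on any PNG.

```python
"""Demonstrate that a visual blackout is not a complete redaction: text metadata
survives until it is purged too. Added example, standard library only."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # PNG chunk types that carry free text


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, rows: list, metadata: dict) -> bytes:
    """Constructed sample: 8-bit RGB, filter byte 0 on every scanline, one IDAT,
    and each metadata entry stored as a tEXt chunk (where editors keep comments)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, value in metadata.items():
        out += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return out + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk in a PNG file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC


def find_text_metadata(png: bytes) -> dict:
    """Return the text metadata a viewer never shows but any tool can read."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            found[key.decode("latin-1")] = value.decode("latin-1")
        elif ctype in TEXT_CHUNKS:  # zTXt / iTXt: key is plain, value is compressed
            found[data.split(b"\x00", 1)[0].decode("latin-1")] = "<compressed text>"
    return found


def strip_text_metadata(png: bytes) -> bytes:
    """Rebuild the file without any text chunks; pixel data is untouched."""
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in iter_chunks(png) if t not in TEXT_CHUNKS)


def _decode_pixels(png: bytes):
    """Return (width, height, mutable raw scanlines) for the layout build_png uses."""
    chunks = list(iter_chunks(png))
    ihdr = next(d for t, d in chunks if t == b"IHDR")
    width, height = struct.unpack(">II", ihdr[:8])
    raw = zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))
    return width, height, bytearray(raw)


def pixel_at(png: bytes, x: int, y: int) -> tuple:
    """RGB value of one pixel (assumes the unfiltered layout above)."""
    width, _, raw = _decode_pixels(png)
    off = y * (1 + width * 3) + 1 + x * 3
    return tuple(raw[off:off + 3])


def blackout_region(png: bytes, x0: int, y0: int, x1: int, y1: int) -> bytes:
    """Overwrite the pixels in [x0, x1) x [y0, y1) with black. Unlike a drawn
    overlay or annotation layer, the original values no longer exist in the file."""
    width, height, raw = _decode_pixels(png)
    for y in range(max(0, y0), min(height, y1)):
        for x in range(max(0, x0), min(width, x1)):
            off = y * (1 + width * 3) + 1 + x * 3
            raw[off:off + 3] = b"\x00\x00\x00"
    out, idat_written = PNG_SIG, False
    for ctype, data in iter_chunks(png):
        if ctype == b"IDAT":
            if not idat_written:  # re-emit all pixel data as a single IDAT
                out += _chunk(b"IDAT", zlib.compress(bytes(raw)))
                idat_written = True
        else:
            out += _chunk(ctype, data)
    return out


def redact(png: bytes, region: tuple) -> bytes:
    """Complete redaction: purge the pixels AND the metadata, then verify."""
    cleaned = strip_text_metadata(blackout_region(png, *region))
    if find_text_metadata(cleaned):
        raise RuntimeError("text metadata survived redaction")
    return cleaned


if __name__ == "__main__":
    # Constructed 4x2 image with a patient note in its comment field.
    sample = build_png(4, 2, [bytes([255]) * 12, bytes([200]) * 12],
                       {"Comment": "Patient: Jane Doe, ref 123"})
    covered = blackout_region(sample, 0, 0, 2, 2)
    print("after blackout only:", find_text_metadata(covered))  # note still present
    print("after full redaction:", find_text_metadata(redact(sample, (0, 0, 2, 2))))
```

The check that matters before anything is published is `find_text_metadata` on the file you are about to upload; the blackout alone passes a visual inspection while the comment field still names the patient. Real clinic photographs are usually JPEGs with EXIF rather than PNGs, so this code is a demonstration of the principle, not a drop-in tool for every format.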
In January 2012 the European Commission proposed a reform of the EU data protection rules to make them fit for an increasingly technology-driven society and to create uniformity across the 28 member states.9 Four years on, and with data breaches continually on the rise, the implementation of the reform is imminent and it is important that businesses are prepared to meet the requirements of the new legislation.
The changes to law require more rigorous processes to obtain explicit consent on the collection of data and also a ‘right to be forgotten’ requiring companies controlling data to delete information upon their client’s request. In addition, individuals will also be allowed access to their own personal data and be given the right of data portability, meaning patients could request a copy of their data and move it to another company. The new EU rules could potentially drive a safer patient journey by allowing a more open form of practitioner-patient communication, providing patients with a set of their own records that they could transfer if visiting a new clinic for further or different treatments.10
In addition to empowering all EU citizens with more control over their own data, the new legislation will affect businesses regardless of whether you are an individual practitioner or a large chain of clinics. One of the most prevalent changes that will make an impact is the requirement to notify the ICO of any serious breaches as soon as your business has been made aware; a serious breach could involve some of the examples detailed where highly sensitive data such as patient records are involved. Breaches must be notified as soon as reasonably possible, ideally within 24 hours, and clinic owners should notify any affected individuals without delay.
The ICO is a non-departmental public body that reports directly to the British parliament as an independent regulatory office. The ICO is tasked with enforcing a range of regulations such as the Data Protection Act 199810 and the Privacy and Electronic Communications (EC Directive) Regulations11 in the UK. The ICO is also responsible for making guidelines for legislation and has the power to enforce these laws and issue fines to those who breach these regulations.
The good news is that the new law will not be introduced until 2018; however, all healthcare professionals and businesses should use this time to proactively ensure their business is prepared to act in accordance with the legislation.
As well as severe reputational damage there will be significant fines for individuals, clinics and businesses that do not comply with the proposed regulation, with the possibility of individuals and associations acting in the public interest to bring claims for noncompliance. The imposed fines could be anywhere up to 4% of your global turnover.13 Businesses need to carefully review the new laws to ensure they comply.
Businesses will need to put in place written security and privacy policies and procedures, which include the process of reporting breaches. If you hold highly sensitive data such as healthcare information, then you will need to appoint a data protection officer. This person can be an existing member of staff, but they must be competent and have extensive knowledge of data protection. Businesses can obtain cyber and data training from specialist providers, which will provide practical guidance on how to mitigate risk and protect themselves from cyber and data crime. Alternatively, the data protection officer can also be an outsourced consultant who can act on behalf of your business to ensure you meet the legislation standards. As well as this, it is a good idea to consider computer software and insurance, explained below, to safeguard you and your clinic.
One way practitioners can mitigate their risk and exposure to cyber and data breaches is by introducing a compliant medical consultation software system. These systems are encrypted to protect the highly sensitive patient information you record throughout the consultation process. The companies that create such systems are often engaged with the ICO during the design to ensure best practice and consider future EU legislation, which enables patients to have access and transport information held about them.
One solution that all medical and aesthetic businesses should consider is cyber and data insurance protection. Cyber and data insurance not only provides financial protection for businesses from regulatory awards, fines or penalties imposed against you for data breaches, it also covers third party damages and the costs associated with an investigation brought by the ICO in relation to a potential breach or notification. As well as the financial protection, the cover extends to provide your business with full support from a team of IT forensic, legal and PR experts who are on your side to protect your reputation from a media frenzy, to investigate and diagnose the route of the attack, and to cover the rectification costs of getting your systems secure and safely up and running again.
No one is immune from data breaches or the risks of cybercrime. It’s not just a hacker, but also human error that can give rise to a claim and, as mentioned, the ICO has highlighted the healthcare sector as the most vulnerable in the UK.1 The best way to protect your business from cyber and data breaches is through creating a robust risk management strategy to prevent them occurring in the first place. However, it is not always possible and even the most data secure businesses suffer losses, so it is imperative to ensure you and your business are prepared for the implications of a potential data breach.