Aesthetics investigates data security risks and questions what practitioners can do to prevent cyber attacks from happening in their clinic
On October 17, London Bridge Plastic Surgery faced a data breach in its clinic after it was attacked by hackers who stole confidential patient data. According to the clinic, adequate data security software was installed prior to the breach and appropriate measures were immediately taken to block the attack.
Although it is unclear what provoked the cyber attack at London Bridge Plastic Surgery, a spokesperson for the clinic said, “Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised.”1
They added, “We are horrified that they have targeted our patients. The group behind the attack are highly sophisticated and well-known to international law enforcement agencies, having targeted large US medical providers and corporations over the past year. We are profoundly sorry for any distress this data breach may cause our patients.”1
With the threat of cyber attacks increasing in the UK by 55% year-on-year across all businesses,2 Aesthetics investigates how and why this is happening and asks what measures can be taken to reduce the chances of a data breach occurring.
How do data breaches happen?
“Phishing and drive-by downloads are the most common ways of getting malicious software on your system and would be the most likely causes of a data breach in an aesthetic clinic,” according to medical malpractice and risk specialist, and divisional director of Enhance Insurance, Martin Swann, although he notes that this may not necessarily have been the case for the attack at London Bridge Plastic Surgery. Phishing is the fraudulent practice of sending emails, telephone calls or text messages while posing as a legitimate institution, to lure individuals into providing sensitive data, which is then used to access important accounts.3
Shockingly, a survey by cyber security company Intel Security revealed that out of 19,000 people surveyed across 144 countries, 97% cannot identify a sophisticated phishing email.4 Drive-by downloads, on the other hand, are typically carried out by exploiting browser vulnerabilities where security is lacking, and downloading a programme onto the user’s device, which the attacker can then control remotely.5
So can practitioners do anything to protect themselves and reduce the risk of data breaches occurring? Swann says, “Ensuring data is encrypted is one of the things you can do. Data encryption translates data into another form, or code, so that only people with access to a decryption key or password can access it.”6 Aesthetic nurse prescriber Frances Turner Traill, who runs a busy clinic and has been close to a security threat herself, stresses, “It’s so important to keep patient information secure; we always ensure all of our data is encrypted in our clinic to minimise the chances of a data breach occurring.” She adds, “Every patient who comes into our clinic has a password-protected number which identifies them on our system; we never refer to them electronically by their name when inputting their information. Doing this means that if there were a data breach, patient details would still be confidential.”
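The split Turner Traill describes, clinical records keyed by a random patient number with the name held only in a separate, more tightly protected store, as an added Python example (not the clinic’s own system; the store layout, the `secrets.token_hex` numbering and the free-text check are assumptions):

```python
import secrets
from typing import Dict, List

# Constructed example: two separate stores. Only the identity store links a
# patient number to a real person; the clinical store never holds a name, so a
# dump of it alone should reveal nobody.
IDENTITY_STORE: Dict[str, dict] = {}       # patient_number -> {"name", "dob"}
CLINICAL_STORE: Dict[str, List[str]] = {}  # patient_number -> treatment notes


def register_patient(name: str, dob: str) -> str:
    """Issue an unguessable patient number (assumption: 64 random bits as hex)
    and record the identity only in the separately protected identity store."""
    patient_number = secrets.token_hex(8)
    IDENTITY_STORE[patient_number] = {"name": name, "dob": dob}
    CLINICAL_STORE[patient_number] = []
    return patient_number


def add_treatment_note(patient_number: str, note: str) -> None:
    """Clinical notes are filed under the number, never under the name."""
    CLINICAL_STORE[patient_number].append(note)


def lookup_name(patient_number: str) -> str:
    """Resolving a number back to a person needs the identity store."""
    return IDENTITY_STORE[patient_number]["name"]


def names_exposed_by(dump: Dict[str, List[str]]) -> List[str]:
    """Simulate a breach of the clinical store alone: return the real names an
    attacker could read from it. Non-empty means staff typed a name into a
    free-text field and defeated the pseudonymisation."""
    known = {ident["name"] for ident in IDENTITY_STORE.values()}
    exposed = set()
    for notes in dump.values():
        for note in notes:
            exposed.update(n for n in known if n in note)
    return sorted(exposed)
```

The check only catches names that appear verbatim in notes; it is a sanity test for the data split, not a substitute for encrypting both stores at rest.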
Swann says that it is highly important that every business takes the necessary steps to mitigate the chances of a breach to their network, for example, having adequate network security, installing updates or software patches (which can add a new feature or fix a bug), and running penetration tests.
The subject of data security sits very close to home for Turner Traill, after she experienced a security threat, when her clinic got broken into. Although patient data wasn’t stolen, Turner Traill says, “It made me understand how vulnerable we are and how much information we put out there, which is very worrying.” She adds, “I realised that, if someone wants to break in, either physically or electronically, there’s not much you can do to stop them, but you can make it harder for them.”
Swann states that in the unfortunate circumstance a data breach does occur, practitioners can maintain patient confidence with their speed of response, communication with the public and patients through a reputable PR agency or representative, and dealing with the breach in a quick and efficient manner.
According to a recent survey by YouGov and customer management software company Consentz, of 136 organisations operating in the medical and health sector, just 37% are certain that they would be able to detect a data breach,7 which highlights the importance of data security training in-clinic. Swann says, “Practitioners should ensure their staff are trained and that cyber awareness is part of their clinic.” Turner Traill agrees, “We provide staff training and have policies in place on data protection and confidentiality. Data protection should be part of your clinic’s plan. Just as you would do health and safety checks, the same process should be in place for data security.”
The new General Data Protection Regulation (GDPR)8 is due to come into force in May 2018, under which all European businesses must legally report a data breach they have suffered to the UK Information Commissioner’s Office (ICO). Under the GDPR, the maximum fine for simply failing to alert the necessary regulatory authority of a data breach within 72 hours could be €10 million (around £8.5 million) or 2% of a company’s global revenue, whichever is greater.9 With this in mind, data security is even more vital and is something that all practitioners should be thinking about, according to Swann.
“Having a clear process of what to do in the event of a breach and having a breach response plan is something that every practice and clinic should have,” says Swann, adding, “The important thing with a breach response plan is to know if you suffer a breach, who you need to call, who your emergency breach response team is, who will investigate the breach and collate the data, and – from May – who you need to tell.” Turner Traill says, “Practitioners don’t know enough about data security, which is why we need professional advice and help – we need to have specialists who can deal with these things.” She concludes, “We can’t wait for a data breach to happen, we need staff to be trained and be vigilant.”