Cyber security specialist Anthony Green discusses why the aesthetic sector is a prime target for cyber criminals, and what to do if your practice becomes a victim of attack
Across the world, cybercrime is one of the greatest threats facing companies of all sizes, and businesses in the medical and aesthetics industry are especially vulnerable. From November 2020 to January 2021, cyber-attacks against the healthcare sector increased by 45% worldwide compared to the 22% increase seen by other industries over the same period, and attacks remain high for the first quarter of 2022.[1] In this article, I discuss the specific challenges facing the aesthetics sector, how to protect your practice from attack and what to do if you get hacked.
Ultimately, hackers are after sensitive data which they can use for financial gain. One reason why aesthetic practices, and healthcare settings in general, are at such a high risk of attack is because medical data is extremely valuable on the dark web. According to a recent Trustwave Global Security report, the black-market value of one patient’s medical records stands at an average of US $250, but they can sell for as much as US $1,000.[2]
The 2021 UK government cyber security review identified healthcare as second only to the finance sector in being the most likely to hold personal data about customers. The amount of personal data they hold, and its high value, means that medical practices are particularly vulnerable to ‘theft or loss’ breaches – where data cannot be recovered. In fact, the percentage of breaches classed as ‘theft’ or ‘loss’ was 32% in the healthcare industry, and only 15% in other industries.[3]
With this in mind, it is crucial for the aesthetic industry to prioritise cyber resilience and know what to do if the worst does happen.
Can your cyber security strategy be summed up with the phrase ‘ignorance is bliss’? If so, then you’re probably leaving the door wide open for hackers. To protect your patients’ data, it’s important that you take action.
Restrict system access to only those who need it and ensure that all access is secured. Delete any inactive accounts, such as those belonging to past employees, and implement strong multi-factor authentication to all administrative accounts. Make sure that employees with access to medical records are well-trained in the privacy regulations around sensitive data, as outlined by the UK General Data Protection Regulation (UK GDPR).[4] A good place to start is the UK Information Commissioner’s Office website, which has useful guidance for organisations regarding GDPR data protection laws.
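As an added illustration, not taken from the article, the following Python script audits a constructed export of practice user accounts for the two problems described above: accounts that have gone unused (for example, those of past employees) and administrative accounts without multi-factor authentication. The record layout, the sample users and the 90-day inactivity threshold are all assumptions; a real practice would export this data from its practice-management system or identity provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: an account unused for this many days is treated as inactive.
INACTIVE_AFTER_DAYS = 90


@dataclass
class Account:
    username: str
    role: str                   # "admin" or "user"
    last_login: Optional[date]  # None means the account has never been used
    mfa_enabled: bool
    active: bool                # False means the account is already disabled


# Constructed sample export (not real users); the shape is an assumption.
SAMPLE_ACCOUNTS = [
    Account("dr.patel",    "admin", date(2022, 3, 28), True,  True),
    Account("reception1",  "user",  date(2022, 3, 30), False, True),
    Account("it.admin",    "admin", date(2022, 3, 29), False, True),   # admin, no MFA
    Account("nurse.jones", "user",  date(2021, 11, 2), True,  True),   # left months ago
    Account("locum.temp",  "user",  None,              False, True),   # never used
    Account("old.manager", "admin", date(2021, 6, 1),  False, False),  # already disabled
]


def audit_accounts(accounts: List[Account], today: date,
                   inactive_after_days: int = INACTIVE_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that need attention."""
    cutoff = today - timedelta(days=inactive_after_days)
    findings = []
    for acct in accounts:
        if not acct.active:
            continue  # already disabled; nothing to do
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.username, "inactive account: disable or delete"))
        if acct.role == "admin" and not acct.mfa_enabled:
            findings.append((acct.username, "administrative account without MFA"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed export as of 1 April 2022."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2022, 4, 1))


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user:12s} {finding}")
```

Run the audit on a schedule (monthly is a common choice) and treat every line it prints as a ticket to close: disable the inactive accounts rather than leaving them for later, and enrol the flagged administrators in MFA before they next log in.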
The National Cyber Security Centre (NCSC) is a great resource for any business looking to boost their system’s security. Aesthetic businesses, being more vulnerable to attack, should look to get Cyber Essentials certification from the NCSC. This entails an organisation assessing themselves against five basic security controls. A qualified assessor will then verify the information provided (the NCSC recommends using a qualified assessor from their partner, the IASME consortium).[5] The process will strengthen your protection from the most common attacks; this is crucial because vulnerability to a basic attack can mark you out as an easy target for more in-depth breaches.
Ideally, you should not allow anyone to access patient data on personal devices, and only allow secured devices to connect to the network. Steps to securing your devices include installing new system updates as soon as possible – old software is easier to exploit, so using it can make you a target for hackers. You also need to make sure that all your devices have been tested and patched (the process of repairing security holes in your device software).
Disable frequent password updates because these encourage employees to save their passwords on your system or write them down. The NCSC guidance also recommends disabling password complexity requirements, which encourage password re-use, and instead using three random words, such as jamplaytree or blushwaterphone.[6]
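To show what ‘three random words’ looks like when generated properly, here is an added Python example (not from the article or the NCSC). It draws the words with the operating system’s cryptographic random number generator rather than a predictable one, and works out how many bits of guessing effort the result represents. The short word list is a constructed stand-in; the 7776-word figure used in the comparison is the size of the EFF long word list, a common choice for this kind of generator.

```python
import math
import secrets

# Constructed mini word list for the demonstration. A real generator should draw
# from a dictionary of several thousand words so that guessing is impractical.
WORDS = [
    "jam", "play", "tree", "blush", "water", "phone", "river", "candle",
    "orbit", "maple", "copper", "velvet", "pebble", "lantern", "meadow", "harbour",
]


def three_random_words(words=WORDS, count=3, separator=""):
    """Pick words with the OS cryptographic RNG (secrets), never random.choice()."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count=3):
    """Entropy of `count` words chosen uniformly at random from `list_size` words."""
    return count * math.log2(list_size)


def is_from_list(passphrase, words=WORDS, count=3):
    """True if the concatenated passphrase splits into exactly `count` list words."""
    def split(rest, remaining):
        if remaining == 0:
            return rest == ""
        return any(rest.startswith(w) and split(rest[len(w):], remaining - 1)
                   for w in words)
    return split(passphrase, count)


if __name__ == "__main__":
    print(three_random_words())
    print(f"{len(WORDS)}-word list: {passphrase_entropy_bits(len(WORDS)):.1f} bits")
    print(f"7776-word list: {passphrase_entropy_bits(7776):.1f} bits")
```

The entropy figure is the point of the comparison: three words from a sixteen-word toy list give only 12 bits, which a computer guesses instantly, whereas three words from a 7776-word list give almost 39 bits, and the words remain easy for a receptionist to remember and type.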
Phishing emails are by far the most common form of attempted attack. According to the UK government, 83% of UK businesses experience a scam email attempt every week.[7] Take advantage of the NCSC’s free cyber security training which has a useful module on spotting and reporting phishing emails – remember that employees are the first line of defence against phishing attempts. It’s also important to instil a ‘no blame’ culture to encourage employees to report when they suspect they have clicked on a phishing email.[5]
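The signs that training teaches staff to look for can also be checked mechanically. The Python example below is added here and is not part of the article; it parses two constructed messages (neither is a real email) and lists the classic warning signs: a sender outside the practice’s own domain, a Reply-To that points somewhere else, digits dropped into a look-alike domain name, pressure language, and a link to a bare IP address. The trusted domain list and the sample messages are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed examples; these are not real messages or real domains.
SAMPLE_PHISH = """\
From: "NHS Supplies Ltd" <accounts@nhs-supp1ies.example>
Reply-To: payments@mail-relay.example
To: reception@clinic.example
Subject: URGENT: invoice overdue - account will be suspended today

Dear customer,
Your account will be suspended unless you verify your details immediately:
http://203.0.113.5/verify
"""

SAMPLE_LEGIT = """\
From: "Practice Manager" <manager@clinic.example>
To: reception@clinic.example
Subject: Rota for next week

Hi all, rota attached, thanks.
"""

# Assumption: the practice sends its own mail from this domain only.
TRUSTED_DOMAINS = {"clinic.example"}
PRESSURE = re.compile(r"\b(urgent|immediately|suspended|verify your)\b", re.I)
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def phishing_indicators(raw_message: str) -> list:
    """Return a list of warning signs found in a single plain-text email."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    indicators = []
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        indicators.append("sender outside the practice's domains")
    if reply_addr and reply_domain != from_domain:
        indicators.append("Reply-To domain differs from From domain")
    if re.search(r"\d", from_domain.split(".")[0]):
        indicators.append("digits in sender domain (possible look-alike)")
    if PRESSURE.search(subject + " " + body):
        indicators.append("pressure language in subject or body")
    if IP_URL.search(body):
        indicators.append("link points to a raw IP address")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

None of these checks is proof on its own: an external supplier is not a phisher just because they are external. Several indicators together, though, are exactly what the NCSC training asks staff to notice, and the same heuristics can be run by a mail gateway to add a visible warning banner before the message reaches the front desk.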
It’s essential to review all your internet-facing data, as you might be displaying more than you realise. Get a low-cost or free attack surface map, which will analyse your system for security loopholes and discover what you have exposed to the internet. You should also get a cyber security expert to conduct vulnerability scanning on your internet-connected services and patch any vulnerabilities.
Check that any third-party software such as browsers, cloud-based services and medical practice management software are patched. Make sure your firewall, endpoint security and anti-virus software are properly installed and correctly configured – if it’s configured incorrectly, you may not be protected. Most cyber security firms will be able to configure this software for you at a low cost.
Implementing the right cyber security measures will dramatically decrease your risk of falling victim to attack, but hackers are agile, and your practice can never be completely immune to the risk of attack. However, you can make sure you react in the right way and rectify the situation if the worst should occur.
Whether you’ve been immersed in a full-blown attack or you’ve discovered a suspected breach to your system, it’s important to try and stay calm. It’s easy to panic, particularly if an attack is in progress and you don’t know where the disruption is coming from. Developing a documented incident response plan can help you remain rational and take the right steps to mitigate the repercussions of an attack. Take a look at the NCSC’s guidance on cyber security response plans for advice.[8] A good incident response plan will outline key cyber security contacts, which staff members have the authority to make decisions, how employees will communicate if normal systems are down and what will happen if the attack takes place out of practice opening hours.[8]
Shutting everything down is a typical panic response, and it can be tempting. Unfortunately, if an attack is underway, you should assume that the hacker has already gathered much of the information they were looking for. By unplugging your system or deleting malicious files, you could be destroying evidence that will be key to discovering what patient information has been taken, and how your system was breached. It’s far better to leave your system be and call an expert straight away.
Calling in a cyber security expert is the most important step to take in the event of a hack. If you have never used a cyber security consultancy firm before, then you need to conduct a search for a security expert as a matter of urgency. To avoid this scenario, it is highly advisable for aesthetic practitioners to find a trusted cyber security partner before a breach occurs. Having an expert on hand who is familiar with your system means that if the worst does happen, they will be able to act immediately to help you contain and analyse the attack. They can also help you discover the facts and take the right actions in the event of a ransomware demand.
As soon as you realise your system has been attacked, keep a record of every subsequent action taken, such as who has touched the system and when. This log will help you keep track of your system, and will become a valuable resource for post-breach analysis. It will also help your practice’s case in the event of any legal action.
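A record of this kind is most useful if nobody can quietly edit it afterwards, which matters both for the post-breach analysis and for any legal proceedings. The Python example below is added here and is not from the article; it keeps an append-only log in which every entry includes the hash of the entry before it, so any alteration, deletion or reordering is detected by `verify()`. The three sample entries are a constructed timeline, not a real incident, and the field names are an assumption.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'previous hash' value used by the very first entry


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the entry's own hash, in canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class IncidentLog:
    """Append-only record of who touched what, when; each entry commits to the last."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, when: datetime = None) -> dict:
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != expected_seq or entry["prev"] != prev
                    or _digest(entry) != entry["hash"]):
                return False
            prev = entry["hash"]
        return True

    def to_jsonl(self) -> str:
        """One JSON object per line, suitable for appending to a file off the affected network."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> IncidentLog:
    """Constructed timeline (not a real incident) showing the kind of entries to keep."""
    log = IncidentLog()
    t0 = datetime(2022, 4, 1, 9, 15, tzinfo=timezone.utc)
    log.record("reception1", "Practice software would not open; ransom note shown on screen", t0)
    log.record("practice.manager", "Called cyber security partner; advised not to power anything off",
               t0.replace(minute=22))
    log.record("consultant.ext", "Remote session started; affected PC isolated from network, not powered off",
               t0.replace(hour=10, minute=5))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.to_jsonl())
    print("chain intact:", log.verify())
```

Write the log to a device that is not part of the compromised network (a phone note or a separate laptop will do) and record the time of each action as it happens rather than reconstructing it later; the chain then gives your expert, and if necessary a court, a trustworthy sequence of events.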
Most clinic owners will worry about the reputational damage of disclosing a breach of sensitive data to their patients. However, if personal medical data is out there, your patients not only deserve to be notified, but you could face legal action if you fail to do so. Once you have called in an expert, they will work to understand the scope of the attack, close the security holes that have caused a problem and review your compromised files. If the breach contained any personal information, then, by law, this must be reported to the Information Commissioner’s Office (ICO) within 72 hours. Failure to do so can lead to a fine of up to £8.7 million or 2% of your global turnover.[9] Once you have notified the ICO, you should reach out directly to the people affected via email, letting them know what data has been breached and offering a point of contact in your company where they can make any queries. You should also make a formal announcement to the press, either in the trade media or wider, depending on the size of your business and the scale of the attack.
After an attack, it is essential to put your entire system through an extended security assessment by a third-party cyber security specialist. This can identify and fix any other vulnerabilities in your system to help protect your clinic from a repeat incident.
It’s important to make a plan to protect your practice from any cyber security breaches, and put it into action. Be methodical as you begin layering your security measures and remember that every bit will make a difference. The UK Government’s 2021 cyber security review found only 15% of all businesses have conducted an audit of their cyber security vulnerabilities, and only 31% have a business continuity plan that covers cyber security.[10] While cyber-attacks are certainly a threat to healthcare and aesthetic clinics, there is lots of scope for clinic owners to take control, become cyber aware and build cyber resilience. Doing so will protect not only your patients’ data, but the success of your business.