Protect your practice’s data from security threats

Experts say the easiest place to start is with strong password protection.

Issue: January 2015

ByMark E. Battersby

The dangers of Internet hacking continue to hit the spotlight. According to the Reuters news service, Community Health Systems Inc., one of the country’s largest hospital groups, was recently the victim of a cyberattack, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.

Unfortunately, hack attacks are not limited to retailers or even to large corporations or hospital groups. According to many experts, most hack attacks target small and medium-sized operations, a group with limited financial budgets for the fines and lawsuits that result from breaches or data losses. This makes it extremely important for an optometry practice to protect its data and information.

Protection basics

We correspond through email, transfer information through the Internet and hold webinars, training and business meetings online. Many professional practices and businesses are completely paperless. Responsibility for the protection of this data increasingly falls on the optometric professional and his or her practice.

The health care industry is being dragged, kicking and screaming, into the digital world, trailing banks and retailers with their decades of cybersecurity experience. Many medical professionals and hospitals have gone from paper to electronic health records in the space of only a few years, spurred by the passage of the Health Information Technology for Economic and Clinical Health Act of 2009.

The U.S. Department of Health and Human Services has, of late, been increasingly more aggressive in enforcing cybersecurity laws, levying almost $10 million in fines in just the last fiscal year through its Office of Civil Rights, which investigates privacy violations.

Since they began tracking the numbers in 2009, more than 31.6 million individuals – roughly 1 in 10 people in the U.S. – have had their medical records exposed through a hack attack, data theft or unauthorized disclosure.

Patient trust is invaluable

In the U.S., most states have breach notification laws, and other countries are following suit. Written notification must be sent to those individuals who have been affected. Even where such laws are not in place, a reputable optometry practice should provide breach notification.

Mark E.
Battersby

Social media sites expose information at light speed with little control. A practice’s Web site as well as an employee’s activity on social media sites can trigger liability, especially if the practice is responsible for the sites. Defamatory statements, leaked information and copyright infringement are all growing concerns.

It is becoming more and more likely that an optometric practice’s reputation will suffer from a cybersecurity breach. Losing the trust of patients and clients can be far more damaging to a professional or his or her practice than the financial impact. Making matters worse, an optometry practice can be held liable for the loss of third-party data. If there is a data breach, the practice could find itself facing expensive damage claims.

Do-it-yourself risk management

So-called “cyberhacking” is big business, and no one – not individuals, not small practices or businesses and not large corporations – is safe. But, what can an optometric professional do to prevent a hack attack and protect their practice from potential liability?

Security experts agree that the easiest place to start is with strong password protection. Yes, password protection, something a surprising number of Internet technology-sophisticated professionals and businesses often fail to master. Many recently exposed hacking cases have been traced back to weak passwords that were either not encrypted or “salted,” or not changed regularly.

If managing passwords for all of the practice’s servers, apps, cloud services, databases, tablets and laptops seems daunting, there are affordable password management professionals and software that will do it for you – usually avoiding the often big price tag of cyberinsurance.

Other tips to help secure the optometry practice’s data, reduce its liability and, in many cases reduce the cost of insuring against potential losses, include:

Get a firewall. There are hardware and software approaches that are both cheap and easy to use.

Conduct regular assessments of possible risks to reveal hardware, software and individual site vulnerabilities.

Computers that are used for sensitive applications such as making electronic bank deposits should be isolated from the rest of the optometry practice’s network.

Control access to data, which often means limiting delivery and exchange of patient-related documents and information to secure channels.

Get antivirus software and use it. There are a number of popular packages, most of which are relatively inexpensive. Although free updates are usually included, make sure to update the program regularly or, better yet, allow the software to do so automatically.

When an employee or contractor who has had access to the system leaves the optometry practice, the employer should make sure their passwords are no longer usable. (Many employers lock an employee out of the system just before or at the same time the employee is being terminated.)

Create – and implement – a data security plan that includes immediate notification of all affected parties. It many cases, it is the law.

Share the liability by demanding similar protocols with colleagues, suppliers, vendors and partners – and checking for compliance.

PAGE BREAK

Insurance to the rescue

Little of an optometry practice’s data assets are typically covered under today’s insurance policies. Thus, liability for any loss of patient or employee data is probably not protected. Admittedly, some of a practice’s insurance policies might offer general liability protection. Directors and officers liability may, for instance, provide a measure of coverage for these areas. Unfortunately, as the risk escalates, it is only after a hack attack that many optometrists discover what is and is not covered by their insurance policies.

A practice or business interruption insurance policy rarely helps in the event of a system failure because of a malicious employee, computer virus or a hack attack on an optometric practice. Identity theft, telephone hacking and phishing scams are all very real losses that are rarely covered by traditional practice or business interruption policies.

While few so-called “umbrella” policies or blanket liability insurance policies cover these types of losses, a new form of insurance, cyberliability insurance, is available. Cyberliability insurance has been available for almost 10 years, although it is rarely purchased.

Cyberliability insurance can cover hacker attacks, viruses and worms that steal or destroy an optometry practice’s data. Even email or social networking harassment and discrimination claims can be covered along with trademark and copyright infringement. Cyberliability insurance will often cover the loss of profits because of a system outage caused by a nonphysical peril such as a virus or attack.

An optometric practice purchasing cyberliability insurance enjoys special protection from most digital losses. When looking into cyberinsurance, common sense dictates that all potential risks should be covered, including laptops and mobile phones. Portable devices make it much easier to both store and to lose information. For example, a missing USB stick, a stolen iPad or a laptop left in a taxi are all real possibilities and, for a hacker, a goldmine. There are viruses being built just to attack mobile devices.

Remember, however, even if data is stored in the cloud, the optometric practice may still be liable for a breach. Although controlling how a cloud provider handles the practice’s data is almost impossible, cyberinsurance can protect the optometry practice from their mistakes.

A good insurance company will ensure their policy holders have all of the protection that is possible. They can make sure a firewall is in place to protect the network and help create social media policies that reduce risk.

Hacking threats

A few statistics to keep in mind about cyberrisk:

The average cost of a data breach per record is $204.

Almost 53% of business executives responding to Travelers’ Business Risk Survey worry about cyberrisks, with a whopping 18% worrying “a great deal.”

According to Bloomberg, financial service firms will have to boost annual average cybersecurity spending 13-fold to nearly $300 million each to fend off 95% of cyberattacks.

Experian Information Systems reported that malware and hacking attacks were down nearly 30% in 2012. However, 2013 saw a number of high-profile companies hacked, including Adobe, which lost nearly 38 million personal and password records, and Livingsocial, which lost 150,000 pieces of data.

The bottom line for many optometrists and their practices is this: Hackers are getting more sophisticated every day, often forming syndicates of like-minded criminals to share information and new techniques. Optometry practices are increasingly in the criminals’ crosshairs and need to use every protection strategy available to combat the growing cyberthreat.

For more information:

Mark E. Battersby has been reporting on news and developments in the tax and financial arenas for more than 25 years. He can be reached at P.O. Box 527, Ardmore, PA 19003-0527; (610) 789-2480; MEBatt12@earthlink.net.

Disclosure: Battersby has no relevant financial disclosures.