A 2013 survey released by McAfee found 45 per cent of surveyed small-medium businesses (between 25 – 250 employees) had been the target of an electronic attack in the prior year and 46 per cent had suffered a data or security breach perpetrated by disgruntled and current employees. Medical practices store sensitive patient information, so are a clear target for hackers.
If your systems are connected to the web (whether you use a server or are cloud based) you are potentially exposed. There are many steps you can take to reduce your risks, such as having an IT security audit/review of your systems completed annually. Go our risk management page and the below FAQs which discusses privacy risks – and why privacy should be on your ‘top 10 risks’ in running a medical practice.
Having a Cyber Liability & Privacy Protection policy can provide cover for the following risks:
- Your costs to deal with a cyber breach (e.g. Forensic investigations, lawyers, IT security experts, notifying patients and the regulator, public relations costs, costs to restore data, programs and networks)
- Your lost revenue following a cyber attack
- Liability and fines you incur – the office of the Australian information commissioner can now seek fines against organisations of up to $1.7m and against individuals of $340,000. Patients, suppliers and others can bring civil claims against the entity.
Below are Questions and Answers. Please contact us if you would like to discuss, or request a quote
- Put cyber security and patient privacy on your Risk Register and in your ‘top 10 risks’
- develop a business continuity plan/disaster recovery plan for system downtime;
- develop a data breach response plan;
- Test your back-up/recovery system and your disaster recovery plan annually
- conduct employee training to ensure your staff are aware of risks the company faces;
- develop appropriate policies such as a ‘bring your own device to work’ policy and internet usage while connected to the company network;
- review contracts with third party vendors providing data storage and other IT services. Are there limitations of liability? Where are they storing your data.
- conduct an external penetration test to highlight potential areas to address;
- review system protection you have in place, such as anti-virus, firewalls etc. and update regularly;
- keep all your systems and software patched and up to date.
- The costs to investigate the breach and restore the IT system/data;
- The legal fees to manage the data breach response, for example, whether there is an obligation to report the incident to the Office of the Australian Information Commissioner (OIAC);
- The costs to provide support to patients such as credit monitoring services, public relations firm to help repair damage to your brand; legal costs for notifying your affected customers;
- The potential fine sought by the OIAC, which from 1 March 2014 is up to $1.7 million for companies and $340,000 for individuals for serious or repeated invasions of privacy;
- The loss of revenue the practice may suffer in the event the practice is unable to trade due to, for example, ransomware.
Broad specialist cyber and privacy protection policies are designed to cover the above risks.