Protect & Defend columnist Ed Branam, DVM, is the veterinary and animal services program manager at Safehold Special Risk Inc. A 1977 graduate of the Michigan State University College of Veterinary Medicine, Dr. Branam has worked in the insurance industry for the past 20 years. He is a former Sacramento, California, veterinarian and a former veterinary affairs manager with Hill’s Pet Nutrition.
You don’t need to look far to find a story about yet another data breach. Here are recent headlines:
- Health care data of 1 million N.J. patients compromised since 2009
- Hacker attacks on health care providers jump 600%
- Hacker publishes 5 million Gmail addresses, passwords
- Breach at Goodwill vendor lasted 18 months
- Home Depot data breach may hit 60 million customers
- Data breach at Bartell Hotels exposes credit, debit card numbers
- Target puts data breach cost at $148 million
Can a data breach like this happen at your hospital? After all, the examples above involved large organizations that held the personal information of millions of individuals. The answer is, unfortunately, yes.
According to a 2011 Verizon report, 57 percent of all data breaches occurred at companies of 11 to 100 employees. Furthermore, an Experian survey found that 60 percent of small businesses that suffer a cyberattack go out of business within six months, and the National Small Business Association reported that 44 percent of small businesses have suffered at least one data breach.
Recovering from electronic disasters or privacy breaches has cost many companies, both large and small, millions of dollars. Some never recover from the damage to their bottom line or reputation.
The rise in cybercrime and ever-increasing public awareness of and sensitivity toward the privacy and security of personal information have forced companies to be more proactive about protecting data and responding to breaches. Companies in traditional business segments, including veterinary and animal services, have significant exposures if the sensitive data with which they are entrusted is exposed inadvertently or inappropriately.
Why Now More Than Ever?
The wheels of commerce turn almost entirely on the instantaneous availability, integrity and confidentiality of information assets. New technologies make safeguarding these assets more difficult. Volumes of information can be stored on media the size of a thumb. While such tiny devices allow for the easy storage and transport of sensitive information, they also are easy to steal or lose. Gone in an instant could be electronic medical records, credit card numbers and employee information.
Almost every day I hear veterinarians and office managers tell me things like:
- We have an IT expert who takes care of our system.
- We are a small business; hackers focus on large companies like Target or Home Depot.
- We don’t keep clients’ credit card information or employees’ Social Security numbers.
- We don’t sell things on our website.
With global outsourcing on the rise, the boundaries of computer systems and corporate responsibility have expanded and are often hard to define. Companies are constantly looking to outside vendors for a host of services that require the sharing of sensitive data. Although partners such as call centers, credit card processors, payroll administrators and cloud providers handle this information, the company for which they provide such services bears the ultimate responsibility to protect the information and respond appropriately in the event of a breach.
Almost half of all data breaches took place while the data was with a third-party vendor, according to a 2016 study by IBM and The Ponemon Institute.
Therefore, if you transmit proprietary information such as credit card numbers for billing purposes, you likely have significant exposure. It doesn’t matter whether you save card numbers in your system, because hackers can access data during the transmission. They also can get into the cache system of your computers or servers and access information that you deleted.
It Gets Worse
Regulations and standards, such as those outlined in the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act and the Financial Modernization Act, are becoming more stringent and more strictly enforced. Violations are costly to defend and may carry significant penalties and other legal implications.
Most states have data-breach notification laws that require an organization to provide written notice to anyone affected. In addition to that cost, the offering of credit- and identity-monitoring services to affected customers has become the norm.
Data breaches also can be an expensive public relations nightmare for your hospital. Damage to your reputation is often costlier than the direct financial loss. Can your business withstand a network security event in which customers lose faith in you?
Lawsuits are common in cases of large data breaches or inadvertent information releases. According to the 2013 NetDiligence Cyber Liability and Data Breach Insurance Claims Study, legal damages represented the single largest component of costs paid by insurance carriers that participated in the survey.
So, what can you do?
1. Less is better. Store the minimum amount of sensitive information that is needed to do business. Sensitive information includes Social Security and credit card numbers, addresses, protected health information, driver’s license numbers and proprietary data about third-party businesses. The less information stored, the less the risk that it can be lost or stolen.
2. Payment card industry (PCI) compliance. If your business accepts credit or debit cards for payment — of course you do — make sure to follow PCI compliance standards. Self-assessments for smaller merchants and third-party assessments for larger ones are available. If your practice does not store credit card numbers but outsources card processing to a third party, be sure to ask the processor if it and the equipment you use are fully PCI compliant.
3. Encrypt. For information that must be retained, be sure it is kept in an encrypted format. Companies often dismiss encryption because of the implementation cost. But encryption suddenly looks inexpensive when you consider the cost that will be incurred if data is stolen. If encrypting data in transit, at rest and on mobile devices is prohibitive, at least focus on mobile devices, such as whole-disk encryption for laptops, and ensure that electronically transmitted data to third parties is submitted in an encrypted format.
4. Limit access. Many data losses and thefts happen because of negligence or intentional actions by employees who have authorized access to the network. Be sure to limit employee access to sensitive information to a need-to-know basis. When an employee leaves, disable the network access code immediately.
5. Have an incident-response plan. Don’t wait for a data breach to occur before you think about how to respond to one. Your insurance broker and carrier can assist with developing a plan that outlines the steps to take and the risk-management strategies to employ.
6. Purchase insurance. After weak links have been addressed, consider an insurance policy that protects your organization in the event of a breach. Insurance covers the cost of complying with notification laws, the legal fees incurred to determine a response, forensic costs to investigate what happened, and the defense and fines due to governmental actions against your company. It also provides defense costs and the payment of damages involving third-party claims.
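Items 1 and 3 above, storing the minimum and encrypting what must be kept, can be shown concretely. The following is an added example, not code from the column or from any practice management product: it keeps only the last four digits of a payment card for receipts and seals a client record with authenticated encryption (AES-256-GCM) before it is written to disk, so a stolen laptop or a recovered deleted file yields only ciphertext. The record fields, names and the sample card number are constructed; the key handling (a random key generated in `main`) stands in for a proper key store, which is an assumption of the example rather than a recommendation to embed keys in software.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientRecord is a constructed example of what a practice might retain.
// Following "less is better", it keeps only the last four digits of a
// payment card (enough for a receipt), never the full number.
type ClientRecord struct {
	ClientName  string `json:"client_name"`
	PatientName string `json:"patient_name"`
	MedicalNote string `json:"medical_note"` // protected health information
	CardLast4   string `json:"card_last4"`
}

// CardLast4 reduces a full card number to the four digits a receipt needs.
// The full number is discarded by the caller; it is never written to storage.
func CardLast4(pan string) (string, error) {
	digits := make([]byte, 0, len(pan))
	for _, c := range pan {
		if c >= '0' && c <= '9' {
			digits = append(digits, byte(c))
		}
	}
	if len(digits) < 12 || len(digits) > 19 {
		return "", errors.New("card number length out of range")
	}
	return string(digits[len(digits)-4:]), nil
}

// Encrypt seals plaintext with AES-256-GCM. The random 12-byte nonce is
// prepended to the ciphertext so Decrypt can recover it. GCM also
// authenticates, so a tampered or truncated file fails to decrypt instead
// of silently yielding garbage.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it returns an error on a wrong key or on any
// modification of the stored bytes.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// SealRecord serialises a record and encrypts it for storage at rest.
func SealRecord(key []byte, r ClientRecord) ([]byte, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return Encrypt(key, plain)
}

// OpenRecord decrypts and parses a record written by SealRecord.
func OpenRecord(key, data []byte) (ClientRecord, error) {
	var r ClientRecord
	plain, err := Decrypt(key, data)
	if err != nil {
		return r, err
	}
	err = json.Unmarshal(plain, &r)
	return r, err
}

func main() {
	// Constructed sample. In a real deployment the key comes from a key
	// store or OS keychain, never from source code or the same disk as the data.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	last4, _ := CardLast4("4111 1111 1111 1111") // constructed test number
	rec := ClientRecord{ClientName: "J. Doe", PatientName: "Rex",
		MedicalNote: "Post-op check, healing well", CardLast4: last4}
	sealed, err := SealRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext; no plaintext on disk\n", len(sealed))
	back, err := OpenRecord(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", back.PatientName, "card ending", back.CardLast4)
}
```

The same sealed bytes are what should travel to a third party: a record encrypted before transmission stays unreadable if it is intercepted in transit, which is the point of item 3's advice on data sent to outside vendors.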
Don’t wait until a breach occurs to figure out how to respond. You should have a detailed and tested response plan ready to go.