As more and more patient information is stored online and in electronic form, the risk of data theft increases. Private practitioners and clinics must ensure that their data systems are resilient to attack and that they adhere to data protection legislation.
In less than a year, in May 2018, the European General Data Protection Regulation (GDPR) comes into effect, introducing new requirements that will affect the private healthcare sector and imposing penalties on those who do not comply. Few private clinics and private healthcare businesses have begun to prepare for these additional requirements. Our Private Practice Masterclass in London in September will address this issue with a presentation by Kerry Beynon from Acuity Legal.
Private healthcare lagging behind
Despite the sensitivity of the information that is held, healthcare generally has not led the way in ensuring the confidentiality and secure transmission of customer (patient) data. This is particularly true in private practice, where practices that are, in effect, small businesses have lacked the expertise or the technology to adopt modern data standards. Unsecured email transmission of patient data, patient reports and medical opinions is not uncommon.
The WannaCry ransomware attack, which affected IT systems in many NHS trusts in early May, highlighted the shortcomings of NHS systems. However, it was not aimed specifically at the theft of personal data for criminal gain.
What can go wrong? A lesson from Lithuania
A recent instance of computer hackers targeting a cosmetic surgery clinic in Lithuania highlights the risks associated with holding patient data. The hackers targeted the clinic’s servers, acquiring 25,000 images (some nude) and other personal data relating to the clinic’s patients. The records of over 1,500 British cosmetic surgery patients were held on the system. Patients then reported receiving blackmail threats from the hackers, demanding Bitcoin payments to secure removal of the images from the public internet. The clinic itself was asked for £500,000 for the return of the data, but refused to pay.
Could it happen here?
Probably “yes”! Imagine the scenario: you run a cosmetic surgery clinic in Harley Street catering for the rich and famous of London. Overnight, your business is in ruins because shortcomings in data security have delivered your clients’ images and their private data into the hands of a group of unscrupulous hackers. Within days, you are receiving calls from clients who are receiving SMS messages from the hackers containing links to the stolen images and demands for payment to remove them.
What can I do to protect my business?
- Get informed. Book a place at the Private Practice Masterclass in London in September to hear what Kerry Beynon has to say about GDPR.
- Speak to your technology suppliers. If you’re running an online or PC-based practice management system, find out what security is in place to reduce the risk of a data breach.
- Read the GMC guidelines on handling patient information.
- Read the series of articles in Independent Practitioner Today on the growing need to “lock out cyber crime”.