November 2018 Volume LIII Number 6

 
 
 

Dangerous Exposure: Protecting Yourself and Your Practice from a Potential Data Breach

September 2015 Volume L Number 5

 By John Adcock, CHFC, CLU, Treloar and Heisel, Inc.

Trust is a precious resource of the pediatric dental office. Referring dentists want to feel confident in the care provided to the patients, and patients want to feel safe in the chair. What happens, though, if that trust is destroyed not by anything related to the delivery of treatment, but because someone gained access to confidential patient data and, worse, misused it?

Today's digital world offers dentists effective tools for managing patient information. With these tools, though, comes a hefty legal and ethical responsibility. Any loss, theft, accidental release or accidental publication of Personally Identifiable Information (PII) and Protected Health Information (PHI) can wreak havoc on a practice's finances and reputation. While Social Security numbers, bank account numbers and credit/debit card numbers are most commonly associated with a data breach, driver's license numbers, email addresses and patient medical history are also highly vulnerable.

 

This is not a problem specific to big corporations: over one-third of data-breach investigations in 2013 were in businesses with 100 or fewer employees [1]. The most common perpetrator is not some mysterious hacker situated overseas, but rather plain old human error. Some research indicates that employees themselves cause three times as many breaches as external attacks [2]. One example involves an employee doing work at a Starbucks on a practice laptop, leaving the table and coming back to find the laptop missing [3].

There are also examples of dentists being subjected to more nefarious plots. Just last year, another California dentist received a call from her practice's information technology vendor informing her that her server had been hacked. Her access to patient information would be locked out until she paid the hackers a ransom! Despite having had two anti-virus programs, Cloud backup and hard-disk backup, these weren't enough to prevent encrypted patient information from being re-encrypted by the hackers [4].

Early response is critical in minimizing or preventing the damage caused by misuse of patient information in the event of a breach. Although each state has its own laws on the matter, the Federal Trade Commission generally recommends notifying local authorities as soon as a breach occurs or is suspected [5]. In addition, the practice must notify potentially affected patients, and the notice should do the following:

 

• Clearly describe what is known about the breach, how it happened, what data was taken, and what actions have been employed to remedy the situation.

• Explain how patients should respond to the breach—including which organizations and agencies to contact.

• Include information about identity theft in general.

• Provide contact information for law enforcement officials investigating the event.

• Encourage victims to file a claim with the Federal Trade Commission.

 

As one might expect, responding to a breach is costly in both money and time. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, estimates the average cost per jeopardized patient record is about $200. So if a practice has 1,000 patient records put at risk, the cost could rise to $200,000! This is in addition to the practice's damaged reputation and potential civil suits from patients.

Risk assessment is a critical first step in identifying areas of vulnerability. Although this can be performed internally, hiring a qualified professional may be a sound investment. Next, the doctor should oversee preventative measures to minimize both the risk and impact of a breach.

Although these measures will vary from practice to practice, implementing secure password procedures is a basic first step. Each employee should have their own private password for logging on to office computers. Passwords should be changed at regular intervals. Also, servers should be stored in a protected environment and all patient data should be encrypted.

Another tool doctors should consider is cyber liability or data breach insurance. This type of coverage is not included in professional liability or business owner's policies, but can be obtained as a stand-alone policy or via endorsement to an existing business owner's policy. There are two major components to this insurance:

Part one, known as first-party response, assists with the practice's financial responsibility in the event of a breach. It provides coverage for legal and forensic services, as well as crisis management and public relations. Perhaps most importantly, it includes assistance with notifying the impacted patients, as well as services such as credit monitoring. Limits for first-party response range from $10,000 to $100,000. Deductibles on this portion range from $1,000 to $2,500.

The other component is third-party response, which provides coverage for judgments and legal fees associated with civil lawsuits brought by impacted patients as a result of a breach. Fines, penalties, and/or punitive damages are not included. Limits for third-party response range from $50,000 up to $500,000 and deductibles tend not to apply.

Note that these policies are relatively inexpensive. Premiums range from $300 to $3,000 per year, but the average cost hovers around $600 [6]. Given the burden of both time and money a breach represents, this is a small price to pay.

As with most risks facing pediatric dental practices today, the best strategy is multifaceted. Assessment, prevention and transference through insurance won't eliminate data breaches, but they'll certainly assist in protecting the assets and reputations doctors work so hard to build and maintain.

For more information on insurance planning and other financial service needs, contact Treloar and Heisel, Inc. at (800) 345-6040 or visit http://www.treloaronline.com. 

1. The Hartford. "Data Breach: Just The Facts"

2. http://www.dentistryiq.com/articles/2015/02/cyber-security-new-necessity-for-dental-practices.html; Ponemon Institute

3. http://www.njbiz.com/article/20141203/NJBIZ01/141209906/Doctors%27-offices-must-be-wary-of-data-breaches-as-use-of-electronicrecords-grows

4. California Dental Association. http://www.cda.org/news-events/dentist-has-patient-data-held-for-ransom

5. FTC. http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf

6. Ponemon Institute
