Cyber Security for Veterinary Practices

www-abstract-globe.jpgThe practice of veterinary medicine is changing at a rapid pace. As a result of the reliance on electronic data, veterinary offices have become vulnerable to cyber security threats. The growing volume and sophistication of cyber-attacks suggest that veterinary practices will have to grow increasingly vigilant to ward off these threats. A breach of cyber security will inevitably lead to significant expenses, both financial and reputational, which can wreak havoc on a veterinary practice.

Many veterinarians believe that cyber criminals are not a threat to their practices. However, when choosing between a large corporation or bank with security teams and firewalls preventing access to databases and a veterinary office with no firewall or security team, the veterinary practice will be the chosen target. In fact, many hackers specifically target small veterinary offices because they believe that the small business may not have the resources for sophisticated security devices and do not enforce employee security policies.

Veterinary practices are an increasing target for cyber criminals. These offices hold a large amount of data, including names, addresses, credit card information and even banking information. The threat of this information being stolen by a staff member or a cyber-criminal is great, and veterinary practice owners must address this concern before a cyber breach creates a legal nightmare for the veterinary practice.

The most common causes of data breaches in veterinary practices are theft, hacking, unauthorized access or disclosure, lost records and devices, and improper disposal of records. A significant proportion of practices breaches are a result of lost or stolen mobile devices, tablets and laptops.

It is crucial for veterinarians to take steps to ensure that their practice is in security compliance. Because the majority of data security breaches occur when staff members fail to follow office procedures or exercise poor judgment, the location of computers in the veterinary office is key. All computers should be placed in areas where the computer screens are not visible to clients and visitors, and encrypted passwords should protect access to each computer. Passwords should contain mixed-case letters and include numbers or symbols and should be changed regularly. In addition, passwords should not be written down under keyboards or kept on desks or surfaces where the public may be able to access them. Veterinarians should ensure that all staff members understand the importance of maintaining the privacy of information.

Every veterinary practice should have a policy that includes steps for safeguarding private information and educate staff members as to how to comply with the office policy. A strict Internet and computer use policy should be enforced that prohibits staff members from checking personal e-mail accounts or visiting Internet sites that aren’t work-related. It is also important that veterinarians ensure that all firewalls, operating systems, hardware and software devices are up to date, strong and secure and that wireless networks are shielded from public view. Antivirus software should be installed on every computer, kept updated, and checked regularly.

When accessing office data remotely, veterinarians should use only trusted Wi-Fi hot spots and never use shared computers. Smartphones and tablets should be password protected to prevent easy access to patient information in case the device is lost or stolen. In addition, all hard copies of documents with patient information should be shredded.

Many veterinary practices have relied on cyber insurance for protection in the event of a breach of cyber security. These insurance policies cover the cost of investigating a theft, compensate the insured for all state and federal fines and penalties imposed, and fund all related lawsuits and legal fees, thus relieving veterinarians of the financial and time burdens imposed as a result of the breach in security.

It would be prudent for all veterinarians to invest in data security and in the proper training of staff members as to acceptable use of office computers. If plans and policies are put in place proactively and steps are followed to ensure security compliance, a veterinary practice should be able to prevent the significant cost and headache involved in responding to a cyber-breach.

If a security breach in a veterinary office does occur, it is imperative that appropriate action is taken immediately, which includes determining how the breach occurred, and the extent of the security breach. In addition, if a security breach does occur, the owner of a veterinary practice must be very careful whom they initially contact and provide information to. Any improper or accidental disclosure to a third-party other than legal counsel for the veterinary practice owner may be subject to the rules of discovery if litigation occurs, which could increase the liability exposure of the practice owner.

Managing Exposure After a Security Breach of Patient Information

If a security breach occurs in a dental practice, the practice owner must take the necessary steps in order to comply with federal law, in order to avoid a potential increase in liability exposure.

Rules Requiring Patient Notification of a Security Breach

The U.S. Department of Health and Human Services (HHS) has issued strict regulatory guidelines that dental practice owners must follow in the event of a security breach. The Federal Trade Commission (FTC) has also issued breach notification regulatory requirements that dental practice owners must comply with, in the event of a security breach.

Breach Notification Requirements

Depending on the type of security breach and the extent of the breach, a dental practice owner must notify affected patients, the Secretary of HHS and the FTC [if applicable], and, in certain circumstances, the media.

Conclusion

If you are not familiar with the American Recovery and Reinvestment Act, the HITECH Act, and the 2013 Final Rule your dental practice is probably not in HIPAA compliance. In fact, statistically, 85% of all dental practices are not in HIPAA Compliance.

Dental practices that have experienced a breach of patient protected health care information can significantly limit their legal exposure by complying with simple regulatory guidelines.