Most practitioners are aware of the risk of cyber crime but, thankfully, may not have had real-life experience of it. However, because we handle sensitive data about our clients, we are potentially attractive targets for cyber criminals. This article explains what the risks are, how to reduce them, and how cyber insurance can help if we are struck by a cyber incident.
What is a Cyber Incident?
Cyberattacks, such as ransomware, phishing, or unauthorised access to records, can disrupt our business and cause significant financial and reputational damage.
Phishing attacks are where a fraudulent email or message tricks users into clicking on malicious links or providing sensitive information such as passwords or banking details. The message might appear to come from a client, or from an insurance company we are working with.
A therapist unknowingly clicks on a fraudulent email link, giving hackers access to their practice management software. Client records are stolen, and the therapist is left to manage GDPR notifications, fines and client concerns. Cyber insurance would typically cover notification costs and reputation management, and regulatory fines where the policy wording (and the law) allow them to be insured.
Ransomware attacks are where malicious software, usually downloaded unknowingly by the user, encrypts data so you cannot access it or locks users out of their systems, and then demands a ransom (usually in cryptocurrency) to restore access. It often gets in through phishing emails, infected websites or unpatched software (i.e. software that has not been updated with the latest fixes for security vulnerabilities and bugs).
A private practice's booking system is locked by ransomware, halting client appointments. Cyber insurance would cover the ransom payment and compensate for income lost during the disruption. Paying is a last resort, however: it does not guarantee that the data will be returned, and a recent backup kept separate from the infected system is the most reliable way back.
Malware infections are where malicious software is downloaded unknowingly by the user and the hacker uses it to take control of the computer or network, for example by recording what you type, including the login credentials for your other systems.
A private practice unknowingly installs malware on a device, and as they type passwords into various sites and access client data, the malware records the keystrokes and captures the login credentials for all of those sites.
Password attacks are where a hacker uses software to try millions of password combinations very quickly until one matches, or tries email and password pairs leaked from other websites' breaches against your accounts.
A therapist has a weak password, or uses the same password for many of their accounts. It is guessed by an automated process, and then every account using this email and password combination is exposed.
Human error is often the biggest cause of a data breach. It may come from you unintentionally, or from those working in your business as an associate, employee or freelancer.
A therapist accidentally sends sensitive client data to the wrong email recipient. Cyber insurance would provide legal support to address potential lawsuits and assist in rectifying the error.
Reducing the Risk of Cyber Incident
Password security
use long passwords of 16+ characters (a passphrase of several unrelated words is easy to remember and hard to guess)
use a distinct password for each account
enable multi-factor authentication (MFA), which requires an additional step at login (e.g. a code from an authenticator app, or sent via SMS or email; an authenticator app or hardware key is stronger than SMS or email codes)
monitor for unusual login activity, such as multiple failed login attempts (most software services do this and notify you)
set account lockout policies within your own services to limit how many login attempts are permitted before the account is locked
change the password on your home router to something different from the one printed on the device
use a secure password manager to store passwords, as this makes it easier to use complex and distinct passwords for each account. Ensure the master password is strong and protected by MFA
check whether your email addresses have appeared in known data breaches using https://haveibeenpwned.com/ (the same site's Pwned Passwords service lets you check whether a password has appeared in a breach without sending the password itself)
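As an added example (not code from the original article), the following Python script shows three of the items above in working form: the 16+ character rule, a Have I Been Pwned "Pwned Passwords" lookup using the real k-anonymity range API (only the first five characters of the password's SHA-1 hash are ever sent; the match is done here against a constructed sample response so the script runs offline), and a lockout rule run over constructed login-log lines. The log format, the account names and the breach counts are assumptions made for this example.

```python
# Added example for the password controls listed above (not code from the
# original article). The log format, account names and breach counts below
# are constructed for this demo.
import hashlib
import re
import urllib.request
from collections import defaultdict

MIN_LENGTH = 16
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def meets_length_policy(password: str) -> bool:
    """The 16+ character rule from the list above."""
    return len(password) >= MIN_LENGTH


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest as the range API expects:
    a 5-character prefix (the only part sent) and a 35-character suffix
    (kept on your machine and compared locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password has been seen in breaches, or 0 if it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (not called by the offline demo)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix, headers={"User-Agent": "password-hygiene-demo"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Hash locally, send only the prefix, match the suffix locally."""
    prefix, suffix = hibp_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed stand-in for the response to /range/5BAA6 (the prefix of
# SHA-1("password")). The real response is much longer; counts are made up.
SAMPLE_RANGE_RESPONSE = """\
00D5A4CC23AD31EF8F8DF7BA4486D93F7A0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
FFB9B7A3C2D0A3A4B64E2DF15D0C5D3B0A1:1
"""

# Lockout rule over login-log lines of the form "<timestamp> <account> FAIL|OK"
# (an assumed format for this example; real services log differently).
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<account>\S+) (?P<result>FAIL|OK)$")

SAMPLE_LOG = """\
2024-05-01T09:00:01 therapist@example.org FAIL
2024-05-01T09:00:03 therapist@example.org FAIL
2024-05-01T09:00:05 therapist@example.org FAIL
2024-05-01T09:00:07 therapist@example.org FAIL
2024-05-01T09:00:09 therapist@example.org FAIL
2024-05-01T09:00:11 therapist@example.org OK
2024-05-01T09:10:00 admin@example.org FAIL
2024-05-01T09:11:00 admin@example.org OK
"""


def accounts_to_lock(log_text: str, max_failures: int = 5) -> dict[str, int]:
    """Count consecutive failed logins per account (a success resets the run)
    and return the accounts whose run reached the lockout threshold."""
    streak: dict[str, int] = defaultdict(int)
    locked: dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        account, result = m.group("account"), m.group("result")
        if result == "FAIL":
            streak[account] += 1
            if streak[account] >= max_failures:
                locked[account] = streak[account]
        else:
            streak[account] = 0
    return locked


if __name__ == "__main__":
    def offline(prefix: str) -> str:
        return SAMPLE_RANGE_RESPONSE

    for pw in ("password", "correct-horse-battery-staple"):
        print(pw, meets_length_policy(pw), pwned_count(pw, fetch=offline))
    print(accounts_to_lock(SAMPLE_LOG))
```

Run as-is it uses the constructed response; swap `fetch=offline` for the default `fetch_range` to query the live service, and note that the full password never leaves the machine either way.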
Malware or ransomware
keep your computer, phone and other software up to date with the latest 'patches' and fixes for security vulnerabilities
keep regular backups of client data somewhere separate from your main device (an offline drive or a separate cloud account), and check occasionally that you can restore from them
install trusted antivirus software to detect and block malware
enable automatic scans and updates and keep the protection up to date
do not install untrusted software found on the internet or via pop-ups; only download from trusted sources such as the official developer's website
scan usb drives or other external devices before using them
ensure that printers and other devices on the home network are secure (change default passwords, apply updates) and are not reachable from the internet
practise safe browsing, such as avoiding clicking suspicious links (letting children or others browse on your business device increases the risk, even if your business accounts are password protected)
implement email security such as spam filters to block suspicious emails, and warn others about opening unexpected attachments or responding to unsolicited emails
keep client-related email conversations in an email account that is separate from your personal mail, and ideally also separate from the address you use to subscribe to newsletters or other services
look for secure websites, i.e. those with 'https://' in the URL instead of 'http://'. These encrypt the data transmitted between your browser and the website so it cannot be read or tampered with in transit. Note that https only shows the connection is encrypted, not that the site is genuine: phishing sites use it too, so still check the address carefully
educate users of your systems (e.g. virtual assistant, web designer, social media marketer, accountant): if any of them has a cyber incident on their devices and they have access to your systems, you could be affected too
When out and about
avoid public Wi-Fi in hotels or coffee shops, as it may not be secure or may be a fake network set up to capture your data. In public places use your phone's mobile data instead, or use your phone as a hotspot for your device
do not plug business devices into USB charging ports provided on buses, trains or other public systems, as such ports can be tampered with to access data on the device. Use a USB data blocker if you must use a public USB port, or charge from a standard mains plug instead
ensure that devices auto lock when not in use
Human Error
reduce manual input of client data where possible, e.g. by using a practice management system that auto-populates client details (so an email sent from within the system is addressed automatically and you do not have to enter the information by hand)
check the identity of people contacting you via email by verifying them through another channel (e.g. phone) or by going directly to the official website of the person or organisation claiming to contact you, rather than following links in the message
Education and Auditing
do your due diligence on all data processors you use in your business to check they are GDPR compliant and have good data security: as data controllers it is our responsibility to ensure the processors we use will handle our data securely. Document your findings and keep records
audit your business systems, e.g. keep a data inventory of the systems and data processors you use, along with who can access them
the ICO has useful information relating to cyber security on its website and on the ICO YouTube channel
the National Cyber Security Centre (NCSC) is a government-backed organisation that supports small businesses in learning about and implementing cyber security, via its website and its YouTube channel
How Can Cyber Insurance Help?
Even with all of the above in place, it is still possible to fall victim to cyber crime, as spoof emails look more and more convincing and human error happens.
When a cyber incident happens we need immediate expert technical advice to identify and locate the problem, fix it, restore access to systems and alert those affected, e.g. our clients and staff.
During this time we typically have to lock down computer systems to isolate the issue, which could mean our booking and notes systems are unavailable. In many cases this could stop us operating our business and lead to loss of earnings during this time.
This process is costly, as fees for a cyber expert can run from hundreds to thousands of pounds per day. We may also incur costs for a ransom demand, and legal fees for dealing with claims from clients or freelancers in our business if they suffer losses as a direct result of our cyber incident.
Finally, we may also incur costs associated with an Information Commissioner's Office (ICO) investigation and any resulting fines. Understandably, this is costly and stressful in terms of both time and money.
Cyber insurance is designed to help businesses manage the financial and operational fallout of cyber incidents. Here are some key ways it can provide protection:
Coverage for Data Breaches
If sensitive client data is compromised, cyber insurance covers the costs associated with responding to the breach.
This may include the time and costs associated with notifying those affected, loss of earnings during the investigation period, and any legal fees or fines associated with investigations (check your policy wording, as regulatory fines are not always insurable).
Ransom Payments
In cases of ransomware, cyber insurance can help pay the ransom and provide expert support to negotiate with attackers. Policies typically require the insurer to be involved before any payment is made, and payment does not guarantee that the data is recovered.
Business Interruption
If your systems are taken offline by a cyberattack, cyber insurance compensates for lost income during the downtime, ensuring your practice can stay afloat financially.
Crisis Management
Cyber incidents can damage your reputation. Cyber insurance often includes access to public relations experts who can help rebuild trust with your clients.
Legal Defence Costs
If a client sues you for a data breach, cyber insurance covers your legal defence expenses, helping protect your practice from further financial losses.
Risk Assessment and Prevention
Many insurers offer tools to assess your cybersecurity vulnerabilities and help you implement preventive measures, reducing the likelihood of future attacks.
Obtaining Cyber Insurance
Professional indemnity insurance policies used to include cyber cover as standard. However, due to the rising costs and risks associated with cyber crime, most professional indemnity policies now exclude cyber cover, so you will need to obtain separate cyber insurance.
The cost of cyber insurance depends on the volume of data you handle and your exposure to cyber risks. Practices with robust cybersecurity measures often benefit from lower premiums.
Tailor your cyber insurance policy to meet the specific needs of your practice. For example, consider coverage for cloud storage breaches if you use online platforms to store client records.
Many insurers provide resources for cybersecurity training and best practices to help you avoid incidents altogether.
The Private Practice Suite Business Consultations
For support to optimise the way you run your private practice or to think through particular challenges you are facing in your business, or a particular business goal, please get in touch to see how Private Practice consultations can help you.
We offer one off 1:1 business consultation sessions via video conferencing or you are welcome to book a package of consultations if you would like to work on a specific business area over a few sessions.
Please get in touch for a free 15 minute consultation.
*CONTENT DISCLAIMER
The information contained above is provided for information purposes only. The contents of this article are not intended to amount to financial advice and you should not rely on the contents of this article to make decisions for your business. Professional advice should be obtained to explore your personal circumstances before taking or refraining from taking any action as a result of the contents of this article. Dr Sarah Simmonds, Trading as The Private Practice Suite disclaims all liability and responsibility arising from any reliance placed on any of the contents of this article.
** AFFILIATE DISCLAIMER
I recommend products and services that I have used myself or I have reviewed and believe to be helpful. Links marked with ** earn an affiliate commission for my recommendation of them to you. I ask that if you found this blog post helpful then I would value your appreciation by use of my specific referral link at no extra charge to you. Alternatively, if you do not wish for me to receive affiliate commission on such products then you can search for the links via traditional search engine or via links provided by others.