Preventing (and Responding to) Data Breaches: What Veterinary Practices Need to Know
Technology continues to revolutionize various industries, and the veterinary field is no exception. With the integration of digital systems, electronic health records, and online communication, veterinary practices have become vulnerable to cyber threats. The importance of cybersecurity in veterinary practices cannot be overstated.
Veterinary practices store a wealth of confidential and sensitive information, including pet-owning client’s (“Clients”) financial data, client information, and pharmaceutical inventories. Such data is attractive to cybercriminals seeking to exploit vulnerabilities. Veterinary practices have a legal and ethical responsibility to protect the privacy and confidentiality of their Clients. It is crucial for veterinarians and their staff to recognize the potential risks and implement robust cybersecurity measures to protect sensitive data, maintain operational continuity, and ensure Client trust. Adopting cybersecurity protocols, regular risk assessments, and staff training on privacy and compliance are essential to avoid regulatory penalties and potential lawsuits.
For example, on November 3, 2022, United Veterinary Care reported a data breach with the Massachusetts Attorney General’s Office, following the discovery by the company that personal information about its clients stored on its computer network had been compromised resulting in the compromise of clients’ names, Social Security numbers and financial account information.
United Veterinary Care sent breach notification letters to affected individuals, as it was legally obligated to do, but importantly, it serves as a reminder to any veterinary practice that shares Client personally identifiable information (“PII”) to keep the following cybersecurity guidance, (both pre- and post- incident) in mind:
By implementing strong data security measures, including data encryption, firewalls, secure networks, and access controls, veterinary practices can protect their valuable information from unauthorized access, data breaches, and ransomware attacks.
Pre-Incident:
- Cybersecurity Mindfulness: Adopt cybersecurity protocols, regular risk assessments, and staff training. These are essential to avoid regulatory penalties and potential lawsuits.
- Secure Communication: Modern veterinary practices heavily rely on electronic communication, including emails, online appointment systems, and telemedicine platforms. These channels, if left unsecured, can be exploited by cybercriminals to intercept sensitive information, impersonate veterinary staff, or spread malware. Ensuring secure communication channels through encrypted emails, secure messaging platforms, and two-factor authentication can minimize the risk of unauthorized access and protect both the practice and its clients from potential cyber threats.
- System and Network Security: Veterinary practices should prioritize the security of their computer systems, networks, and connected devices. Regularly updating software and operating systems with the latest patches helps address vulnerabilities and safeguard against known exploits. Implementing strong passwords, multifactor authentication, and network monitoring tools can fortify the practice’s defenses against unauthorized access, malware, and phishing attacks. Additionally, restricting administrative access and conducting periodic security audits are essential practices to identify and mitigate potential weaknesses.
- Employee Education and Awareness: Human error remains a significant cause of cybersecurity breaches. Veterinary practices must invest in comprehensive training programs to educate staff members about cyber threats, phishing attempts, and safe online practices. Staff should be trained to identify suspicious emails, avoid clicking on malicious links, and understand the importance of strong password management. Regularly reinforcing cybersecurity protocols and conducting mock phishing exercises can empower employees to actively contribute to the practice’s overall security posture.
- Backup and Disaster Recovery: Data loss can significantly disrupt veterinary operations, compromise pet care, and damage the practice’s reputation. Regularly backing up critical data to secure, offsite locations ensures that the practice can quickly recover from data breaches, ransomware attacks, or hardware failures. A robust disaster recovery plan, including periodic testing and updating, allows for swift restoration of operations, minimizing downtime, and protecting the practice’s ability to provide continuous pet care.
Post Incident:
- Assess the impact: Understand the extent of the breach and evaluate how it may have affected your practice. Determine whether and to what extent any of your Clients’ has been compromised and the potential risks associated with the disclosure.
- Contact the insurer: Notify the insurer about the breach and the fact that Client PII has been publicly disclosed. Establish communication with the insurer’s designated contact person or department responsible for handling data breaches.
- Follow breach notification requirements: Familiarize yourself with the breach notification laws and regulations applicable to your jurisdiction. Determine whether you are legally obligated to notify affected Clients about the breach and the disclosure of their PHI. If required, promptly provide the necessary notifications, ensuring compliance with the specific content, timing, and methods mandated by the applicable laws.
- Assess your own security: Review your own cybersecurity practices and evaluate the measures you have in place to protect patient data. Consider conducting a comprehensive security assessment or engaging a reputable cybersecurity professional to identify any vulnerabilities and implement necessary improvements.
- Strengthen access controls: Ensure that access to Client PII is limited to authorized individuals only. Implement strong authentication mechanisms, such as two-factor authentication, to protect sensitive information from unauthorized access.
- Encrypt sensitive data: Implement encryption for all Client PII, both in transit and at rest. Encryption adds an additional layer of protection, making it significantly harder for attackers to access or misuse the data even if they gain unauthorized access.
- Review your contractual agreement: Carefully review the contract or agreement you have with the insurer. Pay attention to the section addressing data breaches and potential liabilities.
- Understand the insurer’s responsibilities to the practice: This includes incident investigatory notification, content and frequency of updates regarding the breach as well as the steps they are expected to take to support your practice in mitigating potential lawsuits or legal claims.
- Engage legal counsel: Seek legal advice from professionals experienced in cybersecurity and data breach response. They can help you understand the legal implications of the breach, assess potential liability, and provide guidance on your rights and obligations as a practitioner affected by the breach.
- Document all communication: Keep thorough records of all communication with the insurer, including dates, times, individuals involved, and a summary of the discussions. This documentation will be essential for potential legal proceedings or for seeking recourse from the insurer for any damages incurred due to the breach.
- Monitor for identity theft and fraud: Advise Clients to remain vigilant and monitor their financial and personal information for any signs of identity theft or fraud. Provide them with resources and guidance on how to protect themselves, such as regularly reviewing bank and credit card statements and promptly reporting any suspicious activity.
- Implement incident response plan: Develop or update your incident response plan to include specific actions to take in the event of a data breach. This plan should outline steps to contain the breach, notify affected individuals, engage legal counsel, and coordinate with the insurer to manage the aftermath effectively.
By implementing a comprehensive cybersecurity strategy encompassing data security, privacy, secure communication, system and network security, employee education, and disaster recovery, veterinary practices can fortify their defenses against cyber threats. Embracing cybersecurity as an integral part of their operations will enable veterinary practices to thrive in the digital era while safeguarding the well-being of their pets and their pet-owning clients.