Cyber attacks are becoming more and more common as we put more and more data online. The value of this data has increased and attackers know they have a low risk and the opportunity for a big reward. Stolen data can end up on the Darkweb and be sold. Credit card accounts sell for $3-4 per account while medical records can go for much more. There are a lot of low-risk ways attackers can make money attacking businesses and medical practices. Small practice cyber attacks are becoming even more common because attackers know that most practices haven’t taken the necessary steps to sufficiently protect their data. In this post, we will go over 5 very real effects that a small practice cyber attack can have in the real world.
5 real-world consequences of small practice cyber attacks
Your wallet will take a hit:
If your practice has suffered an attack, you will take a hit in the wallet. If it was a ransomware attack, you may have to pay the ransom to get access to your data. But even if you don’t pay the ransom, you will need to pay for outside IT services to restore operations from your backup systems. In addition, the ransomware malware needs to be removed, and the vulnerability the attackers used to gain access will need to be patched. All of this takes time and costs money.
In addition, during this time, you likely won’t be able to see patients, or at least not as many. This means a reduction in income until the issue has been solved and your data has been restored.
Patients have also filed lawsuits against practices after breaches have occurred. A recent case was settled with the University of Washington for $4.7 million. The case was brought by patients whose data had been stolen in a robbery.
Your reputation will also take a hit:
Once your patients know that you have suffered a breach, your reputation will be impacted. Patients are now leaving reviews on popular sites letting others know that physicians have suffered a breach. Remember, it’s their data that was stolen. They could potentially become victims of medical identity theft or just run-of-the-mill identity theft. More and more people are suffering from this, and as the population becomes more aware, patients will make choices based on which physicians do or do not protect their data.
Here is an example on Yelp:
Your operations will be disrupted:
For as long as it takes to clean your systems and get back up and running, you will be down. As was mentioned above, your income will take a hit from the reduced patient load. But what about the media attention? Breaches are required to be reported to the local media to help ensure your patients are aware of the breach. If the media decides to make a story of your breach, it will be on the news. Your practice will receive calls from reporters asking for interviews and from angry patients.
The owners of the practice may have a personal impact:
For small practices, the owners may face personal liability in the event of a breach. Patients could file lawsuits against the owners specifically, depending on the practice structure. Even so, owners would likely need to outlay money to restore the practice and to pay for credit monitoring for patients. Small practice cyber attacks are expensive, and this could hit the owners directly where it hurts the most: the wallet.
HIPAA Compliance issues:
The real elephant in the room is HHS and HIPAA compliance. While this one gets all of the attention, the others on our list are more likely to happen. If you suffer a breach and you report it, you will be investigated. However, most investigations end with corrective action plans rather than steep fines. The fines are reserved for those that truly did nothing to meet their obligations under HIPAA regulations, or for extremely egregious cases.
Cyber insurance will only help if you did your part
Many think that carrying an insurance policy to cover breaches is the best way to prepare. While insurance is certainly something every practice should look into, there are other factors that must be considered. It’s not an either-or choice. Practices can’t choose insurance instead of implementing the security measures necessary to protect their data. All insurance policies will require practices to perform their due diligence. This means taking reasonable steps to prevent breaches from happening.
It would be similar to having car insurance, not maintaining your brakes, and then having an accident. After the accident, there would be an investigation. Once it was discovered that your brakes weren’t properly maintained, the insurance company would likely deny your claim. You didn’t do your part to prevent the accident from happening, so they won’t cover it.
Cyber insurance is not a substitute for protecting your patients’ data.
Small practice cyber attacks cost in so many ways
The amount of money and frustration a breach costs is many times greater than what it would cost to simply protect your data. Complying with HIPAA doesn’t have to be expensive, but it must be done. It all starts with a thorough Risk Assessment. Performing one will show you which areas you need to address and what your likely threats are. Not only that, but a Risk Assessment is required under HIPAA guidelines. There have been many fines levied against practices that didn’t perform a Risk Assessment and then suffered a breach. This can be seen as willful negligence.
A Risk Assessment will highlight all the areas that your practice needs to address to prevent a breach. Get started today on that and you will be much further along than most practices out there.