If you haven’t heard, on May 25th 2018 the European union implemented the GDPR. The General Data Protection Regulation. While we may think, I’m in the USA this doesn’t impact me. You’d be wrong. Not even two years later California followed suit with the CCPA. The California Consumer Protection Act. It’s only a matter of time before these types of regulations sweep across the country and we need to be prepared.
Big Data on the hot seat
If you’ve been following the news you will have seen that big data is constantly on the hot seat with Congress. It seems that almost once a quarter someone from Apple, Facebook, Google or Amazon is being called in front of Congress. Why? Because data is more valuable than oil. If we as a society don’t start to look at how we process and control the data that we have on individuals and businesses. We will walk a very slippery slope. Now it’s not all doom and gloom when it comes to data protections. In fact I think that the GDPR and CCPA are taking us in the right direction. However, we as veterinary practice owners need to know what impact it can have in our business so that we can be prepared.
Privacy Management
The regulation mandates a “Risk Based Approach:” where the appropriate organizational controls must be developed according to the degree of risk associated with the processing activities.
If you caught my earlier article titled “A diagnostic health framework for your
veterinary practice data.” This is where the framework idea becomes crucial. When collecting customer information, storing and processing that information. We need to take a risk based approach. Assuming that a breach were to occur, if we can show that a proper data security framework was in place. This can help to mitigate our liability. You can develop your own framework. The framework should contain the guidance as to how you work towards Confidentially, Integrity and Availability of your data. Here are a couple of questions to ask yourself to build out your own cyber security and data protection framework.
Do you have a disaster recovery plan in place?
Do you have proper cybersecurity protections in place?
Do you have proper user right controls implemented in your practice management system, merchant account services and local file systems?
Do you have regular cybersecurity at least once a year?
Do you have an incident response plan in place in the event a data breach were to occur?
Breach & Notification
According to the regulation a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
This is where things start to get a bit tougher for our practice. However, these tougher restrictions also protect us as a business from potential breaches that may occur from one of our vendors.
“I don’t have any valuable data, so why would anyone want to attack my practice? Plus I think most of the data I have is out there anyways” – Practice Owner
My primary driving goal is to erase this mindset from within the Veterinary Profession. First, you do have very valuable data. Unfortunately most practice owners don’t realize it until it’s too late. Second, the data is not already out there. If the data gets out there because of a breach to your practice, there are hefty fines and penalties for which you will be liable for. We will dig into these fines in the next section.
Accidental Breach
We all think of data breaches when it comes to a hacker intentionally trying to get access to the network. However these new regulations force us to be more thoughtful and intentional about whom we give access to our data. Let’s look at an example of an accidental data breach.
You’re in the process of hiring a new marketing firm to help you shore up the compliance with your client base. The marketing firm asks you to export your client list to a .csv file and send it over to them. You email the .csv file containing all the PII (personally identifiable information) on all 4000 of your clients to Bob. What you realize is that you sent that list to Bob Smith, your local Idexx rep and not Bob Jones. This would be considered an accidental data breach. For which you would then have to implement the proper incident response plan based on your data framework.
Fines under GDPR
“Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity’s global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.”
This is what has me worried for most practice owners. They don’t think that they will be the target of a cyber attack. They come under attack and now are forced with the costs of recovering from the breach and now dealing with the legal penalties and fines. Cyberreason’s CISO (Chief Information Security Officer) Isreal Barak stated in a recent interview that single stage ransomware now accounts for less than 1% of cyber attacks. This is due to the prevliance of the multi-stage ransomware attacks.
Single Stage Ransomware – A single machine on the network gets infected and has all of its data and application access restricted.
Multi-Stage Ransomware – The attacker gets onto a single machine. Then uses that machine to gain access to the entire network. Then the attacker begins to harvest and collect any available data on the network. This may last 1 to 4 weeks. The attacker then restricts access to all data on all machines on the network. Sending a black mail ransom with specifics about the data they collected. Threatening to sell this data on the dark web.
As a practice owner not only are you faced with the costs associated with trying to recover your local network. Which according to the AVMA can cost upwards of $88,000. You are now faced with a potential fine upwards of 2% of your annual gross revenue. Let’s say you are a $2 million dollar a year practice. That leaves you with a total bill of $128,000.
We need to act now
If you’re a practice in the United States you need to act now. Ask yourself the questions above and start to build out your data security framework for your practice. Or work with a data and cyber security professional to build a framework for your practice. The better prepared we are today the less work and impact it will have on our businesses when these regulations become a national policy.
Clint Latham J.D.
Lucca Veterinary Data Security