Am I Covered for Data Breaches and Cyber Risks?

Incision Indemnity
Surgeons - Medical Professionals
19th January 2022
9 mins read

Handling data is unavoidable!

Since the GDPR was adopted in 2016 and came into force in May 2018, together with the Data Protection Act 2018 (DPA 2018) in the UK, the security of personal data has had a higher profile than it had for many years. But managing data appropriately (and its close relation, patient confidentiality) has always been an important part of clinical practice for surgeons and doctors.

As a surgeon or doctor, you will certainly be handling sensitive health data about your patients, which the GDPR treats as 'special category' personal data subject to stricter conditions. But you will also handle other categories of data about them. Personal data is any data which can be used, directly or indirectly, to identify an individual: names, health-related data, dates of birth and postal addresses, for example. Usually the data will only be used for providing clinical care to your patients and billing them (in private practice), but sometimes surgeons may also wish to use the data for training purposes, and some even as part of their publicity and marketing efforts. Great care is needed to avoid inadvertent breaches of the data protection laws, especially where data is used for something other than clinical purposes.

Use of computers and electronic communication is almost unavoidable!

The pace of development in computing and electronic communication over the past decades has been remarkable. While most surgeons and doctors still use paper-based records and notes for some purposes, there are now treatments where the whole process, including obtaining the patient's consent signature, is done electronically. Virtually all surgeons and doctors use email as a bare minimum, and many have more than one email account. Virtually all now use smartphones for messaging, photo sharing, mobile email and even taking clinical photos. Many have embraced digital storage of patient records. Some have set up small computer networks at home or in their clinics to help manage their practice alongside their practice manager and medical secretary. Almost all surgeons and doctors now need computers and computer networks to be able to practise, both their own and those provided by the hospitals they work in. Today, the use of computing and electronic communication is almost unavoidable in clinical practice.

What are the risks?

Unfortunately, if you handle patient data, there is always a risk that you will inadvertently commit a data breach. These range from 'old school' errors such as leaving paper patient records on a train, through to more technical breaches such as using patient data for a purpose (marketing, say) for which you have no lawful basis or consent.

Similarly, if you use computers or electronic communication, there are inherent risks. These range from inadvertent errors such as sending sensitive patient information to the wrong email address, through to having patient data stolen by malicious third parties. Attackers have been known to take control of a surgeon or doctor's computer network or email account and demand payment to release it; this is known as a network extortion threat. In the past it was mostly surgeons and doctors with celebrity clients who were targeted, but now absolutely anyone could be, especially as ransomware is typically deployed indiscriminately against large numbers of victims at once. There is no security in obscurity, and all surgeons and doctors are potentially vulnerable.

Patients have rights in relation to their personal data and its safety, so any of these incidents could be a data protection breach even if the surgeon/doctor is as much a victim as the patient. Under the DPA 2018 and UK GDPR, data subjects can claim compensation for data protection breaches, both for emotional distress and for financial loss. The Information Commissioner's Office (ICO) has the power to fine an organisation up to £17.5 million or 4% of its global annual turnover for the previous financial year, whichever is higher (the EU GDPR's equivalent ceiling is €20 million). On top of that, the surgeon/doctor may incur costs remedying the breach or regaining access to a system that has been hacked.

While such cases would be rare, in principle a pure data breach can result in a bigger liability for the surgeon/doctor than a clinical negligence claim, and it carries the potential for reputational damage too.

What should I look out for and how can I protect myself?

There are many forms of cybercrime, including phishing, social engineering, system hacks, ransomware and network extortion threats. Attackers are sophisticated and manipulative, so you must be on your guard. If you suddenly cannot access your usual computer system, computer or email account, or your files have been renamed and a demand for payment has appeared on screen, consider whether you are at the start of a network extortion incident or another type of cyber-attack and seek help immediately. Do not pay or negotiate on your own.

To manage your risks, use a professional email and computer system that encrypts data in transit and at rest, set strong, unique passwords, and switch on multi-factor authentication wherever it is offered. Free consumer email services such as Gmail and Yahoo are unlikely to give you what you need to protect patient data and avoid cyber-attacks: they come with no contractual data-processing terms and no practice-level administration of accounts, such as enforcing multi-factor authentication or revoking a departing secretary's access. Also, be alert to emails, computer alerts and even phone calls that don't seem right. Watch out for emails from addresses you don't recognise inviting you to click on links or open attachments; check the actual sender address, not just the display name, and hover over a link to see where it really leads before clicking. Even if an email looks like it comes from someone you know, look out for things that don't 'fit', like a colleague whose spelling is usually perfect suddenly emailing you a poorly written invitation to follow a link or open an attachment.

If you need to use portable devices to transport data, make absolutely sure they are properly encrypted, and confirm it rather than assume it: check that BitLocker (Windows), FileVault (macOS) or device encryption on your phone is actually switched on, and prefer drives that encrypt the whole device rather than a password-protected folder. Many Cyber policies (including the Incision one) contain important exclusions where an unencrypted device is lost or stolen, so this is both a risk management issue and something that bears on the availability of cover. Think carefully about all the portable devices you use in your practice. It may seem obvious that an external hard drive should be encrypted, but the same applies to any smartphone that may hold patient data, and even the memory cards for your digital cameras. Clinical photos are 'data' for the purposes of the DPA 2018 too, so if your camera or its memory cards cannot be encrypted, download the images to an encrypted device and delete them from the card straight away, and treat the card itself as sensitive: deleted images can often be recovered from flash media.
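"Make sure it is encrypted" is only useful if you can verify it. The script below is an added example, not Incision's or any insurer's tooling, showing one way to check on a Linux machine whether a mounted external drive is backed by a dm-crypt (LUKS) volume, using the standard `lsblk` command. The `mount_is_encrypted` function and the `SAMPLE_LSBLK` data are assumptions constructed for this illustration; the sample is not output from a real machine. Windows and macOS have their own built-in checks (`manage-bde -status` and `fdesetup status`), which are not shown here.

```shell
#!/bin/sh
# Added example: verify that the device behind a mount point is a dm-crypt
# (LUKS) volume by reading the TYPE column of `lsblk`. Linux only.

# mount_is_encrypted MOUNTPOINT LSBLK_OUTPUT
#   LSBLK_OUTPUT is the text of `lsblk -l -o NAME,TYPE,MOUNTPOINT`
#   (list format: one device per line, no tree characters).
#   Returns 0 if MOUNTPOINT is served by a device whose TYPE is "crypt",
#   1 otherwise (including when the mount point is not present at all,
#   so an unknown path is treated as unencrypted rather than safe).
mount_is_encrypted() {
  mnt="$1"
  out="$2"
  printf '%s\n' "$out" | awk -v mnt="$mnt" '
    NR > 1 && $3 == mnt && $2 == "crypt" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample in the shape of `lsblk -l -o NAME,TYPE,MOUNTPOINT`
# (hypothetical, not captured from a real host):
#   sdb1 is a plain, unencrypted USB partition mounted at /media/usb;
#   sdc1 is a LUKS container whose opened mapping is mounted at /media/secure.
SAMPLE_LSBLK='NAME TYPE MOUNTPOINT
sda disk
sda1 part /
sdb disk
sdb1 part /media/usb
sdc disk
sdc1 part
luks-sdc1 crypt /media/secure'

# Demonstration against the constructed sample.
for m in /media/usb /media/secure; do
  if mount_is_encrypted "$m" "$SAMPLE_LSBLK"; then
    echo "$m: encrypted (dm-crypt)"
  else
    echo "$m: NOT encrypted"
  fi
done

# On a live Linux host, pass the real lsblk output instead:
#   mount_is_encrypted /media/usb "$(lsblk -l -o NAME,TYPE,MOUNTPOINT)" \
#     && echo "encrypted" || echo "NOT encrypted"
```

The check is deliberately conservative: it only says "encrypted" when the mounted device itself is the crypt mapping. A filesystem on an LVM volume that sits on top of LUKS will show TYPE `lvm` and be reported as not encrypted; if you use that layout, walk the parent devices with `lsblk -s` before trusting the result. It also says nothing about the strength of the passphrase or whether the key is cached on an unencrypted laptop, both of which matter just as much for the exclusion described above.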

Does my Incision policy cover these risks?

Your Incision suite of policies includes a specific policy to cover a range of Cyber risks (including data protection breach risks).  At the end of this article is a table providing an ‘at a glance’ summary of what is covered under that specific policy.

But a data protection breach or cyber incident can give rise to other problems for surgeons/doctors too.  For example, if a patient was so upset by an alleged data breach that they referred the surgeon/doctor to the GMC, then a GMC investigation could follow too.  Or if a malicious attack on a surgeon or doctor’s computers somehow interfered with a patient’s clinical care (perhaps deleting records such that an important follow-up was missed and a problem went undiagnosed), then a clinical negligence claim could follow too.

Therefore, if you have any concerns at all about a potential data breach or cyber incident, or if anyone alleges that their data has been lost or misused, the best thing to do is to contact the Incision medico-legal helpline for guidance immediately.  They will be able to assess what notifications are needed to protect your insurance position, and they or your specialist insurers and the insurers’ specialist professionals can also provide you with urgent guidance on managing the situation.

Contacting the Incision helpline promptly is particularly important because the terms of your Cyber policy require you to notify as soon as you become aware of any claim (within 14 days) or any circumstance which may lead to a claim (within 30 days).

Incision Cyber Cover at a Glance

Insuring Clause: What is Covered?

Security and Privacy Liability: Claims for compensation from data subjects (including patients) for financial loss or emotional distress after a Cyber Event, for example a hacker gaining access to your computer system and stealing your patient information.

Network Interruption Expenses: Crisis Management Costs and Expenses and Loss of Business Income arising directly from a Cyber Event which occurs on Your Computer Network.

Event Support Expenses: PR and crisis management support to protect against reputational damage etc. following a data breach. There has to be a Breach of Security or Breach of Privacy, but it is not limited to Cyber Events, so hard copies left on a train could count.

Private Regulatory Defence and Penalties: Investigation and fines by the ICO. There has to be a Breach of Security or Breach of Privacy, but it is not limited to Cyber Events, so hard copies left on a train could count.

Network Extortion: Money paid following a Network Extortion Threat, e.g. a hacker taking control of a system and demanding a ransom to restore access.

NOTE: An extortion threat should be notified very urgently so that the threat is dealt with by specialists, and any necessary ransom payment is authorised and paid by insurers in advance.

Liability arising from website media: A defamation, plagiarism or copyright claim against the Insured relating to a post or information on your own website that you are solely responsible for.

Payment card industry fines or penalties: A fine following a breach of the payment card industry data security standards (PCI DSS).

What is Not Covered

If a Portable Media Device is not encrypted, then even if it is lost or stolen with sensitive data on it, there is no cover for the consequences of that data being lost or stolen. It is vital to make sure all your Portable Media Devices are encrypted for cover to apply.

This policy does not indemnify you for loss of or damage to computer hardware, e.g. the cost of a replacement laptop. If you have contents insurance (e.g. home contents insurance or contents insurance for your business premises), you will need to check that policy to see whether it covers the cost of replacement computer hardware.