Last year South Africa experienced a surge in cyber attacks. Credit bureau Experian grabbed headlines with its massive data breach, which exposed the personal details of 24-million South Africans. Other big organisations targeted by hackers have included a hospital group, a bank and a metropolitan municipality.
What happened to the hospital group isn’t isolated. Hackers are taking advantage of the Covid-19 situation to extract people’s personal information for their own malicious purposes, and the latest international trends in cybercrime are now reaching our continent.
Industry experts advise that, as hackers step up their attacks, healthcare practices will need to improve their data security, especially now that so many employees are working from home. They will also need to rethink their cyber liability cover.
The need to invest in cyber liability cover is made more urgent by the Protection of Personal Information Act (PoPIA), which takes effect from 1 July 2021. This law will bring SA up to date with other privacy legislation, such as Europe’s General Data Protection Regulation (GDPR).
Both PoPIA and GDPR emphasise the need to protect personal client data from loss, damage or unlawful access. The onus is on healthcare practices to implement reasonable technical and organisational measures to ensure the protection of their patients’ details. This involves identifying all internal and external risks, establishing the necessary safeguards and frequently updating them as new risks emerge.
Just because a practice is smaller doesn’t mean it won’t be targeted for hacking. It is true that the larger the practice, the greater the risk and the more a cyber-liability policy will cost. But smaller practices are often more vulnerable because they’re mainly focused on treating patients, not ensuring they have the latest security measures in place.
Cyber criminals love targeting healthcare organisations because their databases contain patient names, birth dates, addresses, ID numbers, banking details and medical aid information. Smaller practices often don’t encrypt their patients’ information, so a stolen laptop alone is a potential data breach. Other practices are under the false impression that data storage is the responsibility of their electronic health record (EHR) systems provider, and that they are therefore not liable if anything goes missing or gets hacked. This is simply not true.
The more data is exchanged between practices, medical aids, hospitals and labs, the more vulnerable it becomes to cyber attacks. Practices need to realise that even if they are not directly targeted, they can still be liable for data lost by a vendor or third party.
Doctors should aim to work together with third parties like labs and hospitals to keep their patients’ data secure. It’s a shared responsibility; everyone involved has a duty to keep it safe.
While cyber liability is covered by most malpractice insurance policies, it is usually limited and contains exceptions. It is therefore a good idea to go for a comprehensive cyber-liability policy that covers hiring IT experts to fix any data breach, paying a ransom to free hijacked data, compensation for loss of income from downtime or patients leaving the practice, hiring a PR firm to handle bad publicity and hiring attorneys to deal with lawsuits filed by patients, as well as any damages awarded.
The cost of your policy would depend on the size of your business, with an entry-level figure being around R2,000. Cyber insurance may seem like an unnecessary extra expense, especially as doctors already pay such high indemnity fees, but not having it in place is simply not worth the risk. The last thing you want to have to think about when you’ve been hit by a cyber attack is how you’re going to afford to pay for it to be fixed.