These days, creating a formal cybersecurity incident response plan (CSIRP) is a must for every doctor of optometry. The lack of a plan increases the risk to your data records and may worsen the outcome if you are hacked. Confusion over what to do and when can increase liability and leave you unprepared to address the concerns of patients and get your practice back on track.
Cyber attacks are now a common threat for small businesses, including optometric practices. According to Radware’s Global Application & Security Report, only 7% of businesses escaped an attempted hack in 2018–2019. Attacks are also damaging. Radware says impacts include:
- Operational loss—54%
- Service disruption—45%
- Negative customer experience—43%
- Reputational loss—37%
- Data theft—35%
If you are part of the 34% of businesses that don’t yet have a formal plan, it’s important to take the steps for creating a cyber plan now. Developing a plan before you face a cyber crime incident can reduce your risk and give you peace of mind that you are prepared for the unexpected. Please keep in mind that while these steps and Cyber Liability Insurance can help you manage a cyber-attack if one were to occur, and may overlap with a portion of your HIPAA plan, they are not a replacement for HIPAA compliance. It is still imperative to maintain HIPAA compliance to protect your patients’ data from unwanted breaches.
Follow these steps to get started.
1. Make a Risk Assessment
Assess the risks your optometric practice faces. Consider both the likelihood and the severity of each threat, focusing on more than just the worst-case scenarios for added insight.
2. Identify Your Vulnerabilities
Look at what is at stake in the event of an attack. For your practice, this may be data such as patient records and financial details or systems such as daily operations and communications channels. Each vulnerability may require a unique response in the event of a hack.
3. Define Normal Operations
Every business has its own definition of normal operations and what constitutes a cyber attack. Your plan should define when it is appropriate to raise the alarm that a cyber incident may have occurred.
4. Plan for Detection
Decide how your business will detect a hack, data breach or other cyber incident. Options typically include in-house automated security systems, a help desk ticketing system that gathers all support requests in one place, or outsourcing monitoring to a security firm.
5. Assemble a Team
Your practice will need help responding to a cyber incident. Assemble a team that includes any IT team members as well as other key stakeholders. Your team may also include outside experts such as communications, legal and data forensics experts, along with your insurer.
6. Note Assets and Resources
If a cyber incident occurs, it’s important to know which systems and people you can count on. Take inventory of your cyber assets, such as backups, firewalls, log systems and software. Identify the team members and the outside partners in law enforcement and security you can turn to.
7. Plan a Cyber Response
Deciding how your practice will investigate attacks, contain threats and recover from a hack is key. Make sure your plan addresses each kind of incident you may face, delivers a plan of action and puts your assets and resources to use.
8. Prepare Communication Templates
A cyber incident often requires notification for affected patients and careful public relations management. It’s a good idea to prepare templates for these communications now that can be used in the event of an incident. Planning ensures compliance, consistent messaging and quick action.
9. Create an Event Log
It helps to stay organized as you respond to an incident. Use a cyber security event log to track the discovery of a hack, the actions taken and other technical details. This documentation helps your security and legal experts, and law enforcement, as they assist your response.
10. Stay Alert for Threats
Remain vigilant for cyber attack threats. Practice going through your plan to ensure you’re ready. Update your plan when needed, and make sure you’re protected with adequate Cyber Liability Insurance coverage.
As a business owner, you have a responsibility to have a plan for protecting your business records and your patients’ personal information. Even with a plan, small businesses and health care providers continue to have an increased risk because of a lack of security resources and the value of the information you keep on file.
Protect yourself with Cyber Liability Insurance from AOA Insurance Alliance, administered by Lockton Affinity. Its broad coverage is designed to protect you from the high costs that can come from any theft or breach of patient data.