How the General Data Protection Regulation Will Affect Your Veterinary Practice

Oct 14, 2020 at 12:32 pm
Clint Latham, JD

If you haven’t heard, on May 25, 2018, the European Union implemented the General Data Protection Regulation (GDPR). You might be thinking: I’m in the U.S., so this doesn’t impact me. But, you’d be wrong. Not even two years later, California followed suit with the California Consumer Protection Act (CCPA). It’s only a matter of time before these kinds of regulations sweep across the country, and we need to be prepared.

Big data on the hot seat

If you’ve been following the news, you might know that big data is constantly on the hot seat with Congress. It seems that almost once a quarter someone from Apple, Facebook, Google, or Amazon is being called in front of Congress. Why? Because data is more valuable than oil. If we, as a society, don’t start to look at how we process and control the data that we have on individuals and businesses, we’ll be walking a slippery slope. But, it’s not all doom and gloom when it comes to data protections. In fact, I think the GDPR and CCPA are taking us in the right direction. However, as a veterinary practice owner, you need to know what impact it can have on your business so you can be prepared.

Privacy management

The regulation mandates a “risk-based approach,” where the appropriate organizational controls must be developed according to the degree of risk associated with the processing activities.

When collecting, storing, and processing customer information, we need to take a risk-based approach. Assuming that a breach were to occur, if we can show that a proper data security framework was in place, this can help to mitigate our liability. You can develop your own framework. The framework should contain the guidance as to how you work toward confidentially, integrity, and availability of your data.

Here are a couple of questions to ask yourself to build out your own cyber security and data protection framework:

  1. Do you have a disaster recovery plan in place?
  2. Do you have proper cybersecurity protections in place?
  3. Do you have proper user right controls implemented in your practice management system, merchant account services, and local file systems?
  4. Do you have regular cybersecurity at least annually?
  5. Do you have an incident response plan in place in the event a data breach were to occur?

Breach and notification

According to the regulation, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

This is where things start to get tougher for your practice, but these tougher restrictions also protect your business from potential breaches that may occur from one of your vendors.

“I don’t have any valuable data, so why would anyone want to attack my practice? Plus, I think most of the data I have is out there anyway.” —Practice Owner

My primary goal is to erase this mindset from within the veterinary profession. First, you do have valuable data. Unfortunately, most practice owners don’t realize it until it’s too late. Second, the data is not already out there. If the data gets out there because of a breach to your practice, there are hefty fines and penalties, and you will be liable for them.

Accidental breach

illustration of bandit stealing confidential data from a computer

We all think of data breaches when it comes to a hacker intentionally trying to get access to the network. But these new regulations force us to be more thoughtful and intentional about who we allow to access our data. Let’s look at an example of an accidental data breach.

You’re in the process of hiring a new marketing firm to help you shore up the compliance with your client base. The marketing firm asks you to export your client list to a .csv file and send it to them. You email the .csv file containing all the personally identifiable information (PII) on all 4,000 of your clients to Bob. What you realize is that you sent that list to Bob Smith, your local IDEXX rep, and not Bob Jones.

This would be considered an accidental data breach, and you would have to implement the proper incident response plan based on your data framework.

Fines under the GDPR

“Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity’s global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.”

This is what has me worried for most practice owners. They don’t think they’ll be the target of a cyber attack. But, when they come under attack, they have to pay for recovering from the breach as well as the legal penalties and fines. Cyberreason’s Chief Information Security Officer Isreal Barak stated in a recent interview that single-stage ransomware now accounts for less than 1% of cyber attacks. This is due to the prevalence of multi-stage ransomware attacks.

Single-stage ransomware: A single machine on the network gets infected and has all of its data and application access restricted.

Multi-stage ransomware: The attacker gets onto a single machine, then uses that machine to gain access to the entire network. The attacker then begins to harvest and collect any available data on the network. This may last 1 to 4 weeks. The attacker then restricts access to all data on all machines on the network, sending a blackmail ransom with specifics about the data they collected, and threatening to sell this data on the dark web.

As a practice owner, not only are you faced with the costs associated with trying to recover your local network, which, according to the AVMA, can cost upwards of $88,000, you are now faced with a potential fine upwards of 2% of your annual gross revenue. Let’s say your practice brings in $2M per year. That leaves you with a total bill of $128,000.

We need to act now

Veterinary practice owners need to act now. Ask yourself the questions above, and start to build out your data security framework for your practice. Or, work with a data and cyber security professional to build a framework for your practice. The better prepared you are today, the less work and impact it will have on your business when these regulations become national policy.

The following two tabs change content below.
With two senior Yorkies, Clint (CJ) understands the need to have a trusted veterinarian to care for his family members. Clint's goal is to help uncover the mystery of data security for DVM's across the country so they can focus on what is most important: quality care for our furry friends. While working and speaking with practices all across the country, Clint saw that there were a number of practices that have a great local IT guy who needs the security and data insights specific to the veterinary industry. In an effort to find a way to support independent IT professionals while simultaneously providing security and data insights to those who protect our animal companions, Clint founded Lucca Veterinary Data Security.

Speak Your Mind