As a surgeon, you will certainly be handling sensitive health data about your patients. Unfortunately, if you handle patient data, there is always a risk that you will inadvertently commit a data breach. These risks range from ‘old school’ errors such as leaving paper patient records on a train, through to less obvious breaches such as using a patient’s data for a purpose they have not agreed to or that you have no lawful basis for.
Also, surgeons are using computers, smartphones and electronic communication in their practices more than ever before. Some will also have set up small computer networks at home or in their clinics to help manage their practice alongside their practice manager and medical secretary. Again, there are inherent risks. These range from inadvertent errors, such as accidentally sending sensitive patient information to the wrong email address, through to having patient data stolen by malicious third parties. Hackers have been known to gain control of a surgeon’s computer network or email account and to demand a payment to release the system; this is known as a network extortion threat. In the past it was mostly surgeons with celebrity clients who were targeted, but now absolutely anyone could be targeted, especially as ransomware is typically spread indiscriminately (for example by mass phishing emails) to large numbers of victims rather than aimed at a chosen individual. Unfortunately, there is no security in obscurity, and all surgeons are potentially vulnerable.
Patients have rights in relation to their personal data and its safety, so any of these incidents could be a data protection breach even if the surgeon is as much a victim as the patient is. Under the Data Protection Act 2018, data subjects are able to claim compensation for data protection breaches, both for emotional distress and for financial loss. The Information Commissioner’s Office has the power to fine an organisation up to £17.5 million under the UK GDPR (€20 million under the EU GDPR) or 4% of the organisation’s global annual turnover for the previous financial year, whichever is higher. On top of that, the surgeon may have to incur costs remedying the breach or regaining access to a system that has been hacked. Therefore, while such cases would be rare, in principle it is possible for a pure data breach to result in a bigger liability for the surgeon than a clinical negligence claim, and it has the potential to cause reputational damage for the surgeon too.
So, what should surgeons look out for and how can they protect themselves? This is a big topic! Incision has produced a more detailed guidance note for its members with tips on how surgeons can help prevent cyber-attacks and data breaches.
But perhaps the most important way for surgeons to protect themselves is to make sure that they have a specific policy to cover cyber risks (including data protection breach risks). A specially designed policy is important because pure medical indemnity policies typically contain express exclusions for cyber risks and data breaches.
Incision’s policy has insuring clauses to cover Security and Privacy Liability, Network Interruption Expenses, Event Support Expenses, Private Regulatory Defence and Penalties, Network Extortion, Liability arising from website media and even payment card industry fines or penalties.