Privacy Breaches: Why Social Workers are Vulnerable and What You Can Do About It
March 5, 2022
In a digital age, more and more health care services are moving online. From electronic patient logs to virtual counselling and an increasing array of medical devices and equipment, technology has become more critical than ever to provide care. As a result, cybercrime against health care organizations has surged in the last few years, particularly with the transition to virtual care full-time during the pandemic.
With an ever-expanding database of personal health information (PHI) at stake, it’s a good idea for social workers to refresh their responsibilities—and their risks—when it comes to data security. What’s a privacy breach? What are the effects? Why are social workers vulnerable? And above all, how can you keep your clients, their data, and your practice safe? Keep reading to learn more.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What’s a privacy breach?
A “breach of security safeguards” is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
Why are social workers vulnerable?
Health care professionals, like social workers, have historically been among the most desirable targets for hackers. Here’s why:
Health records are highly coveted by cybercriminals since they open up opportunities for social engineering exploits, identity fraud schemes, fake insurance claims, and more. Even a single practice may have access to hundreds of names, birthdates, addresses, banking details, and more.
Although records have become increasingly digitized in recent years, smaller, independent practices generally have minimal budget to upgrade outdated operational tech or antiquated software. Additionally, most social work practices have little in-house IT support and are often too overworked to regularly back up data, making them an attractive target.
Millions of social workers have shifted to offer online services in the last few years. And while virtual care is an acceptable and necessary substitute for in-person services, hackers can now gain entry to sensitive data through unsecured home Wi-Fi networks and unencrypted connections.
Rapid changes in technology, processes, and communications over the past two years have made social work practices more vulnerable as they adjust to virtual care. Additionally, reliance on employee personal devices to access business-critical applications may have weakened organizations’ overall security posture.
Social work clinics can be hectic and stressful. Even the best of social workers might accidentally mis-enter information, improperly dispose of a record, or misplace a personal device, opening the door to malicious threat actors. Human error also applies to clients; you might be secure on your end, but if you’re working virtually, it might be hard to help clients adapt to new technologies and telehealth platforms.
What are the effects of a breach on social workers?
In addition to being the most targeted industry, health care professionals also suffer the greatest damages following a privacy breach. According to IBM’s 2021 Cost of a Data Breach Report, health care has taken the top spot for breach costs for the eleventh year in a row; average breach costs are at $9.23 million USD per event, a 29.5% rise from $7.13 million in 2020.
Why are breaches so costly?
Under Ontario’s Personal Health Information Protection Act (PHIPA), if a health care professional fails to safeguard, retain, or dispose of PHI under their custody—if they’re found negligent in the event of a breach—they could be liable for up to $1,000,000 in fines per violation ($2,000,000 for organizations).
Remediation & Legal Action
Breach cleanup usually includes fees for legal counsel and defence, data restoration, PR assistance, credit monitoring, and more. And there’s always a possibility that affected individuals may sue for damages, injury, or harm caused by the breach, compounding your organization’s overall losses.
The average time between first detection and containment for a health care breach is 329 days. If you needed to shut down to conduct forensic investigations or attend legal hearings, could your practice comfortably close for that long without jeopardizing patient care or losing clients?
Diminished goodwill, bad press, and loss of trust may arguably do more long-term damage than remediation costs, especially since clients typically have higher standards and expectations for privacy from social workers.
How can social workers protect PHI?
With breaches on the rise, it’s imperative for all social workers to take a more proactive approach to privacy management to avoid major financial, legal, and reputational loss. We know that you might not have the time, resources, or even the energy to consider any drastic changes to your existing security. But you should never compromise on patient safety—and protecting PHI is crucial to providing effective and ethical care, especially in our current global climate. Plus, it’s better to prepare now than to pay later with your profits, your practice, and above all, your clients’ trust.
Not sure where to begin? The tips below can help you get started.
1. Improve your digital hygiene.
Minimizing your risk of a breach minimizes your costs—including any regulatory fines levied by the federal or provincial Privacy Commissioner. Implement physical, administrative, and technical safeguards to protect records from unauthorized viewing, use, or disclosure. Basic defenses include:
- Use lockable filing cabinets and ID cards to control and limit access to areas where PHI is stored.
- Add extra layers of protection to all networks and devices, such as firewalls, antivirus software, and multi-factor authentication (MFA).
- Encrypt all digital records, including data-at-rest and data-in-transit, and routinely back up your information to a secure offline location.
- Practice good password etiquette.
- Keep systems up to date with the latest security patches (including any employee personal devices that are used) and regularly scan for suspicious behaviours.
- Make sure all security measures and programs and platforms used for virtual care meet PHIPA’s requirements, including the new amendments announced in 2020.
- Maintain and monitor an electronic audit log to keep track of and discourage unauthorized access to patient PHI. Regularly monitor your log for suspicious activity.
- Use virtual platforms that offer end-to-end encryption, prohibit external access to private conversations, and do not record or capture data without the OCSWSSW’s approval and your clients’ consent.
- Make sure clients are aware of and consent to the risks of virtual care.
- Develop tailored incident response and business continuity plans in case of a breach.
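The audit-log item above says to keep an electronic log of PHI access and monitor it for suspicious activity. The script below is an added example of what such a review could look like; it is not code from the original post, OASW, or PROLINK. The log format (timestamp, user, action, client ID), the clinic hours, the bulk-access threshold, and the caseload assignments are all assumptions constructed for this example; a real practice would substitute the export format of its own records system.

```python
"""Review a PHI access audit log for activity that warrants a closer look.

Three simple rules are applied to each entry:
  1. after_hours       - access outside the clinic's working hours
  2. outside_caseload  - a user opening a client record not on their caseload
  3. bulk_access       - many distinct client records opened in a short window
Findings are returned as (rule, user, detail) tuples so they can be reviewed
or forwarded to whoever handles privacy incidents.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed clinic hours and detection thresholds (chosen for this example).
CLINIC_OPEN = time(7, 0)
CLINIC_CLOSE = time(19, 0)
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5  # distinct client records within BULK_WINDOW

# Constructed caseload assignments: which client IDs each user is cleared to see.
CASELOADS = {
    "jsmith": {"C-1001", "C-1002"},
    "mlee": {"C-2045", "C-2046"},
    "tchen": {"C-3001", "C-3002", "C-3003", "C-3004", "C-3005", "C-3006"},
}

# Constructed sample audit log (not from a real system): timestamp,user,action,client_id
SAMPLE_LOG = """\
2022-03-01T09:12:04,jsmith,VIEW,C-1001
2022-03-01T09:15:40,jsmith,EDIT,C-1001
2022-03-01T10:02:11,mlee,VIEW,C-2045
2022-03-01T23:41:09,mlee,VIEW,C-2046
2022-03-01T11:30:00,jsmith,VIEW,C-2045
2022-03-02T14:00:01,tchen,VIEW,C-3001
2022-03-02T14:00:05,tchen,VIEW,C-3002
2022-03-02T14:00:09,tchen,VIEW,C-3003
2022-03-02T14:00:12,tchen,VIEW,C-3004
2022-03-02T14:00:20,tchen,VIEW,C-3005
2022-03-02T14:00:31,tchen,VIEW,C-3006
"""


def parse_log(text):
    """Turn the comma-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, client = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "client": client})
    return events


def review_audit_log(text, caseloads=CASELOADS):
    """Apply the three rules and return a list of (rule, user, detail) findings."""
    events = parse_log(text)
    findings = []

    for e in events:
        when = e["ts"].isoformat()
        # Rule 1: any access outside clinic hours.
        if not (CLINIC_OPEN <= e["ts"].time() <= CLINIC_CLOSE):
            findings.append(("after_hours", e["user"],
                             f"{e['action']} {e['client']} at {when}"))
        # Rule 2: access to a client the user is not assigned to.
        if e["client"] not in caseloads.get(e["user"], set()):
            findings.append(("outside_caseload", e["user"],
                             f"{e['action']} {e['client']} at {when}"))

    # Rule 3: per user, count distinct clients opened within a sliding window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(evs):
            window = {ev["client"] for ev in evs[i:]
                      if ev["ts"] - start["ts"] <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(window)} distinct clients within "
                                 f"{BULK_WINDOW} starting {start['ts'].isoformat()}"))
                break  # one finding per user is enough to trigger review
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{rule:18} {user:8} {detail}")
```

Run against the constructed log this flags one after-hours view, one record opened outside the viewer's caseload, and one burst of six records in half a minute. None of these is proof of wrongdoing (a late crisis call or a legitimate file transfer would trip the same rules), which is why the output is a review queue rather than an alarm; the value is that the log is actually being read, and that staff know it is.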
For more guidance on cybersecurity measures, check out our helpful resources:
- How to Keep Employees Cyber-Safe While Working From Home
- How Can Healthcare Professionals Manage the Risks of Virtual Care?
- Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
- Cyber Security & Privacy Breach Toolkit
- Sink or Swim: How Can Businesses Survive the Cybercrime Tsunami?
2. Build a cyber-aware workforce.
Remember, most privacy breaches are caused by human error, which can undermine even the strongest of security efforts. To mitigate this risk, be sure to review privacy policies with your staff. All employees should know their responsibilities for collecting, using, storing, and disposing of PHI. Provide regular security awareness training on:
- How to handle sensitive data and use software safely;
- What cyber threats your organization faces and how to identify them;
- How to spot phishing scams and report suspected emails to IT; and
- How to recognize and report signs of a data breach.
3. Invest in Data Security & Privacy Breach Insurance.
Keep in mind: if your organization suffers a breach, your general liability insurance won’t cover you—it’s not specifically designed to address privacy risk. That’s why all OASW members are encouraged to maintain a minimum of $50,000 in insurance coverage for Privacy and Security Breach Expenses and $100,000 for any network security and third-party liability expenses.
Why? The expense coverage will go towards breach remediation costs like client notification, public relations consulting, and data restoration, whereas the liability component will help you cover things like damages, settlements, and regulatory fines up to your limit. Whether you’re dealing with a major cyberattack, a lost briefcase, or even a snooping employee, a standalone Data Security & Privacy Breach Insurance policy can help you respond quickly and effectively and get your practice back online in no time.
4. Reach out to your broker.
Unfortunately, the bare minimum isn’t always enough to safeguard you from loss. If you’re ever sued by a third party, $50k won’t sufficiently cover your legal defence, damages, or settlements. Plus, on average, records involving personal health information cost upwards of $400 each to recover. That means if even 100 of your clients are affected, you’ll be out a minimum of nearly $40,000 in breach expenses already.
The solution? Work with a licensed broker that you trust. Brokers—like PROLINK—are knowledgeable advisors who can help you plan, protect, and become resilient in the face of attack. And if you’re a member of OASW, we can also connect you to a specialized Data Security & Privacy Breach Insurance solution tailored to the unique threats you face as a social worker.
While our Professional Liability Insurance program comes built in with $50,000 of network security and privacy liability coverage, we also have an enhanced standalone offering for social workers that provides up to $100,000 in expense coverage and up to $250,000 in liability coverage to help you offset some of the financial loss from legal fees, damages, and associated expenses.
Plus, a dedicated policy helps you access:
- Funds to set up credit monitoring and client notification for affected parties;
- An IT forensic investigations team to help you determine the size and scope of the breach;
- A breach coach to advise you on regulatory compliance, guide you through the legal process of navigating a breach under attorney-client privilege, and tell you what to report, how, and when; and
- A team of PR consultants to help you manage reputational harm.
To learn about your exposures—and how you can protect yourself—connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.