With an ever-expanding database of personal health information (PHI) at stake, it’s a good idea for social workers to refresh their responsibilities—and their risks—when it comes to data security. What’s a privacy breach? What are the effects? Why are social workers vulnerable? And above all, how can you keep your clients, their data, and your practice safe? Keep reading to learn more.

Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.

What’s a privacy breach?

A “breach of security safeguards” is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.

RELATED: Privacy Breaches: Over 28 Million Canadians Affected in the Last 12 Months!

Why are social workers vulnerable?

Health care professionals, like social workers, have historically been among the most desirable targets for hackers. Here’s why:

Human Error

Social work clinics can be hectic and stressful. Even the best of social workers might accidentally mis-enter information, improperly dispose of a record, or misplace a personal device, opening the door to malicious threat actors. Human error also applies to clients; you might be secure on your end, but if you’re working virtually, it might be hard to help clients to adapt to new technologies and telehealth platforms.

RELATED: Surviving the Other Pandemic: What’s Ransomware, Who’s at Risk, and Why?

What are the effects of a breach on social workers?

In addition to being the most targeted industry, health care professionals also suffer the greatest damages following a privacy breach. According to IBM’s 2021 Cost of a Data Breach Report, health care has taken the top spot for breach costs for the eleventh year in a row; average breach costs are at $9.23 million USD per event, a 29.5% rise from $7.13 million in 2020.

Why are breaches so costly?

RELATED: The Consequences of a Breach: Can Your Business Survive a Cyberattack?

How can social workers protect PHI?

With breaches on the rise, it’s imperative for all social workers to take a more proactive approach to privacy management to avoid major financial, legal, and reputational loss. We know that you might not have the time, resources, or even the energy to consider any drastic changes to your existing security. But you should never compromise on patient safety—and protecting PHI is crucial to providing effective and ethical care, especially in our current global climate. Plus, it’s better to prepare now than to pay later with your profits, your practice, and above all, your clients’ trust.

Not sure where to begin? The tips below can help you get started.

1. Improve your digital hygiene.

Minimizing your risk of a breach minimizes your costs—including any regulatory fines levied by the federal or provincial Privacy Commissioner. Implement physical, administrative, and technical safeguards to protect records from unauthorized viewing, use, or disclosure. Basic defenses include:

• Use lockable filing cabinets and ID cards to control and limit access to areas where PHI is stored.
• Add extra layers of protection to all networks and devices, such as firewalls, antivirus software, and multi-factor authentication (MFA).
• Encrypt all digital records, including data-at-rest and data-in-transit, and routinely backup your information to a secure offline location.
• Practice good password etiquette.
• Keep systems up-to-date with the latest security patches (including any employee personal devices that are used) and regularly scan for suspicious behaviours.
• Make sure all security measures and programs and platforms used for virtual care meet PHIPA’s requirements, including the new amendments announced in 2020.
• Maintain and monitor an electronic audit log to keep track of and discourage unauthorized access to patient PHI. Regularly monitor your log for suspicious activity.
• Use virtual platforms that: offer end-to-end encryption, prohibit external access to private conversations; and do not record or capture data without the OCSWSSW’s approval and your clients’ consent.
• Make sure clients are aware of and consent to the risks of virtual care.
• Develop tailored incident response and business continuity plans in case of a breach.

For more guidance on cybersecurity measures, check out our helpful resources:

• How to Keep Employees Cyber-Safe While Working From Home
• How Can Healthcare Professionals Manage the Risks of Virtual Care?
• Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
• Cyber Security & Privacy Breach Toolkit
• Sink or Swim: How Can Businesses Survive the Cybercrime Tsunami?

2. Build a cyber-aware workforce. 

Remember, most privacy breaches are caused by human error, which can undermine even the strongest of security efforts. To mitigate this risk, be sure to review privacy policies with your staff. All employees should know their responsibilities for collecting, using, storing, and disposing of PHI. Provide regular security awareness training on:

• How to handle sensitive data and use software safely;
• What cyber threats your organization faces and how to identify them;
• How to spot phishing scams and report suspected emails to IT; and
• How to recognize and report signs of a data breach.

3. Invest in Data Security & Privacy Breach Insurance. 

Keep in mind: if your organization suffers a breach, your general liability insurance won’t cover you—it’s not specifically designed to address privacy risk. That’s why all OASW members are encouraged to maintain a minimum of $50,000 in insurance coverage for Privacy and Security Breach Expenses and $100,000 for any network security and third-party liability expenses.

Why? The expense coverage will go towards breach remediation costs like client notification, public relations consulting, and data restoration, whereas the liability component will help you cover things like damages, settlements, and regulatory fines up to your limit. Whether you’re dealing with a major cyberattack, a lost briefcase, or even a snooping employee, a standalone Data Security & Privacy Breach Insurance policy can help you respond quickly and effectively and get your practice back online in no time.

4. Reach out to your broker. 

Unfortunately, the bare minimum isn’t always enough to safeguard you from loss. If you’re ever sued by a third-party, $50k won’t sufficiently cover your legal defence, damages or settlements. Plus, on average, records involving personal health information cost upwards of $400 each to recover. That means if even 100 of your clients are affected, you’ll be out a minimum of nearly $40,000 in breach expenses already.

The solution? Work with a licensed broker that you trust. Brokers—like PROLINK—are knowledgeable advisors that can help you plan, protect, and become resilient in the face of attack. And as a member of OASW, we can also connect you to a specialized Data Security & Privacy Breach Insurance solution tailored to the unique threats you face as a social worker.

While our Professional Liability Insurance program comes built in with $50,000 of network security and privacy liability coverage, we also have an enhanced standalone offering for social workers that provides up to $100,000 in expense coverage and up to $250,000 in liability coverage to help you offset some of the financial loss from legal fees, damages, and associated expenses.

Plus, a dedicated policy help you access:

• Funds to set up credit monitoring and client notification for affected parties;
• An IT forensic investigations team to help you determine the size and scope of the breach;
• A breach coach to advise you on regulatory compliance, guide you through the legal process of navigating a breach under attorney-client privilege, and tell you what to report, how, and when; and
• A team of PR consultants to help you manage reputational harm.

To learn about your exposures—and how you can protect yourself—connect with PROLINK today!