38 NOVEMBER/DECEMBER 2018 | MedEsthetics

RULES OF ENGAGEMENT

Federal government records show a surprising number of cases that are a result of "that careless moment when your office manager leaves an iPad on the table while getting that latte at Starbucks," says Adatto. "People don't think about the fact that their laptop or tablet may have the medical history and personal information of 500 to 1,000 patients on it."

Sometimes violations occur as a result of a mistake, but as any doctor knows, mistakes can be expensive. "Aesthetic surgeons love before-and-after photos," says Guimera. "In one plastic surgery center, the web designer uploaded a whole bunch of before-and-afters to the practice website. Due to a coding error, you could see all the metadata for the 15 or so patients involved when you Googled their names. The entire cost was about $5 million to that practice."

Adatto agrees that failure to obscure a patient's identity by Photoshopping out a tattoo or a scar, and scrubbing an image for any personal information that would tie that patient to the image, is an easy mistake to make. And it happens more frequently now that before-and-after photos have become such important marketing tools. "Recently, a plastic surgeon had a patient who was really happy with her results and signed off on all the consent forms to allow him to show the before-and-afters of her breast surgery," he says. "The images were sent to the website team, and a few weeks later, a family member happened to Google her name and those photos popped right up. The website team had not scrubbed her name. The case was settled out of court."

As for external threats, Guimera points to ransomware as a growing problem, particularly for aesthetic practices because they are perceived as successful and more likely to have prominent, famous or celebrity clientele. "The demands are usually smaller—$750 to $5,000—and they typically demand payment in Bitcoin," he says.
"They choose an amount they believe will be easier to pay in order to make the problem go away."

HOW TO MITIGATE YOUR RISK

Guimera's best advice for practices: Adopt a practice-wide culture of cyber security. First, use good passwords and do not post them in plain view. "You need to show your staff what good passwords are by giving them specific examples," he says. "Training must be meaningful to be effective. Train your people to log off their computers or tablets every single time they step away from their desk even for a moment."

He also encourages providers and staff to be much more cautious with their mobile devices. If you must store patient information on your mobile device, make sure it is encrypted and your device is password protected. "Aesthetic physicians love having their portfolios on their iPads or on their phones," says Guimera. "But this is a risk."

Another risk that is unique to the medical aesthetic industry is paparazzi. Employees, patients and outside contractors may be tempted to leak information about celebrities and other public figures treated at your practice. "If you are an employee, leaking information to TMZ may seem like an easy way to make $2,000," says Adatto. "You need to make it crystal clear that you have zero tolerance for privacy violations."

Keep in mind that the practice is held liable for the mistakes of business associates, so you must have a written, HIPAA-compliant Business Associate Agreement for all third-party vendors who have access to patient information as well.

"Risk analysis is your strategy and operations is your tactics," says Stone. "We recommend no remote access, secure servers and no PHI ever on a laptop. Patient information should all be internally held. Opening up ports to your data is like having more gates in your fence."
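The before-and-after photo cases described earlier come down to identifying data riding along with an image that was never scrubbed. As an added example (not code from the article or from any practice it describes), here is the pre-publication check a website team could run: strip the JPEG segments that commonly carry identifying metadata (EXIF, IPTC/Photoshop, free-text comments) and then confirm the patient's name no longer appears anywhere in the file. The article does not say what form the leaked metadata took, so the sample JPEG bytes, the segment layout and the patient name below are constructed for the example; the filename, alt text and page HTML need the same scrutiny.

```python
# Strip identifying metadata segments from a JPEG before publication
# (constructed example, standard library only).
import struct
# Marker segments that commonly carry identifying metadata:
# APP1 (EXIF/XMP), APP13 (IPTC/Photoshop), COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
SOS = 0xDA  # start of scan: image data follows, no more metadata headers

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with metadata segments removed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]  # scan data and EOI follow; copy verbatim
            return bytes(out)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker not in METADATA_MARKERS:
            out += data[pos:pos + 2 + length]  # keep JFIF, tables, etc.
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker found")

def contains_identifier(data: bytes, identifier: bytes) -> bool:
    """Publication gate: does the identifying string survive anywhere?"""
    return identifier in data

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (length field counts itself plus payload)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: skeletal JPEG with a JFIF header to keep, an EXIF block
# and a comment that both name a fictional patient, and a tiny scan.
PATIENT_NAME = b"Jane Q. Patient"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00Artist=" + PATIENT_NAME)
    + _segment(0xFE, b"pre-op photo, " + PATIENT_NAME)
    + _segment(SOS, b"\x01\x01\x00")
    + b"\x00\x11\x22\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print(contains_identifier(SAMPLE_JPEG, PATIENT_NAME), contains_identifier(cleaned, PATIENT_NAME))
```

Stripping segments removes embedded text only; a face, tattoo or scar visible in the pixels still has to be obscured as the article describes.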
Taking the time to complete a risk analysis and working with security experts to create protocols, train your staff and secure your networks is well worth the effort and expense, for both your patients' and your practice's sake.

Echo Montgomery Garrett is a freelance writer based in Marietta, Georgia.

