October is National Cyber Security Awareness Month, and it's the perfect time to ensure your practice—and most importantly, your patients—are protected.
Katherine E. McCarron, an attorney in the Federal Trade Commission's (FTC's) division of privacy and identity protection, presented at Optometry's Meeting® in June, offering resources that can protect consumers—including doctors of optometry and their staffs—from data breaches of their business and personal data.
Identity theft is among the top and most widespread complaints her division receives, McCarron said during her presentation. That's because the information has cash value—it can be used to file a fraudulent tax return, apply for a line of credit or open a bank account.
"That is why your personal information is so valuable to people who would like to use it and why consumers need to take special steps to protect their personal information," she added.
She offered this high-level strategy for protecting information:
- Take stock
- Scale down
- Lock it
- Pitch it
- Plan ahead
McCarron then detailed lessons learned from the more than 50 data security cases handled by the FTC.
Useful FTC resources if credit is breached
The FTC attorney strongly recommended that consumers access important and actionable resources at identitytheft.gov. At the site, consumers can report a theft, create a recovery plan and create other documents that can make process go more smoothly in the case of a cybertheft. That includes a strongly worded, pre-populated letter to file with the company where the fraud occurred. The letter might ask the company to remove the fraudulent charges, not to report the debt to a credit reporting agency because it's not your debt, place a fraud alert, or credit freeze on the account.
All the resources are available online and in print at bulkorder.ftc.gov.
"The website will take you through (a process) asking for specific details and then use those details you provide to create an identity theft affidavit," McCarron said, noting that the affidavit can be used to file a formal police report if an individual chooses to go that route. "This is a document you can use to help exercise a number of your rights under statutes that are in place to protect consumers and help them repair their credit after an identity theft occurs.
"It's a lot easier to recover from identity theft if you have a plan," she said.
If fraudulent charges or other suspicious financial activity are suspected, go to annualcreditreport.com. Reports are free on the website, she said.
"You can use that annual credit report to dispute charges," McCarron said.
Ounces of prevention
McCarron also listed 10 actionable steps to prevent a breach of patients' and personal information.
- Start with security: Have a plan in case a breach occurs. Don't collect personal information you don't need and only hold onto it as long as you have a legitimate business need.
- Control access to data sensibly.
- Require secure passwords and authentication. Don't use commonly used passwords such as 1, 2, 3, 4, 5, 6 ... the FTC recommends people use "pass phrases" and substitute numbers and special characters for letters (an ampersand for an 'a' or a '3' for an 'e'). An example of a pass phrase that would throw off cyberthieves, but would be easy to remember, might be "myfavoritefoodischocolate" but with special characters. She also suggested using different passwords on accounts. An effective way of preventing "credential stuffing," she said, is multi-factor authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who's trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities if they arise.
- Secure paper, physical media and devices (cellphones and laptops).
Learn more by watching a video of McCarron's presentation.
The AOA 2021 Virtual Learning Livecast, Oct. 1-2, offers over a dozen courses specifically geared toward integrated, doctor-paraoptometric education. But registration closes Monday, Sept. 27.