Protecting Patient Data: Why Private Aesthetic Practitioners Must Prioritise Data Security
Data is big business. Hackers steal sensitive data and then sell it. It sounds far-fetched, but the more sensitive the data, the more valuable it is.
In 2023, there were 2814 data breaches involving 8,214,886,660 records. The 3rd largest breach was of 815,000,000 patient records, which were offered for sale on the dark web. The data included the patients’ names, age, gender, address, passport number and ID numbers.
But your patient records are safe, right? Your records are “Protected with SSL security” and are “GDPR Compliant”.
These two phrases are the software equivalent of “Advanced Aesthetic Practitioner”.
They mean very little with regard to how securely your patients’ personal and sensitive health information is stored in whichever software you use.
The problem is that you probably have no clue and likely haven’t given it much thought because:
1) you’ve come from the NHS, where data security is someone else's problem
2) you don’t really understand what you should be looking for to keep your patients’ data safe
3) you’re a bit tight and don’t want to pay too much for software!
4) you’re a Data Controller, so you have ultimate responsibility and must ensure GDPR compliance of the patient data you are trusted with
What’s the difference between personal and sensitive data?
Personal data and sensitive data are two related but distinct concepts when it comes to data protection and privacy.
Personal Data:
Personal data refers to any information that relates to an identified or identifiable individual. It includes any data that can be used to directly or indirectly identify a person.
Examples of personal data include:
names,
addresses,
phone numbers,
email addresses,
identification numbers (such as social security numbers or passport numbers),
IP addresses
Personal data can be relatively broad and encompasses various types of information that can be used to identify or distinguish an individual.
Sensitive Data
Sensitive data, on the other hand, is a subset of personal data that requires extra protection due to its potential impact on an individual's privacy and security.
Sensitive data typically refers to information that, if disclosed, could lead to harm, discrimination, or other significant risks for the individual.
Sensitive data requires much stricter safeguards.
Sensitive data can include details such as:
financial information,
health or medical records,
racial or ethnic origin,
political opinions,
religious or philosophical beliefs,
sexual orientation,
biometric data,
criminal records
How can you tell if software is appropriate for sensitive patient data?
Just like the average person doesn’t know the difference between a medic injector and a lay injector, most practitioners have no idea how to tell if their software adequately protects their patient data. So here are the things you need to check:
Account verification - the person collecting the data and the person entering the data should use verified accounts
Password protection - all accounts should be password protected
Data should be encrypted & anonymised in transit
Data should be encrypted & anonymised at rest
Data should be stored in HSM-compliant cloud storage
Access to data should be on a need-to-know basis, with restrictions for non-clinical staff
Auto-logout after a period of inactivity
PIN protection on handover to patients - where devices are handed to patients to sign or check forms, access to other patient data should be restricted
Patients should retain ownership of their data, should know who has access to it, and should be able to request its removal
If you’re using pen and paper, Excel and email, salon software, free software or software that’s built by non-software specialists using offshore agencies… it’s on YOU to check that YOU are looking after YOUR patients’ personal & sensitive data.
If patient data is compromised, you can guarantee that the software provider’s Ts & Cs are such that they have no responsibility, and it’s your registration at risk.