Aesthetic Medicine Clinic Cybersecurity Guide

Aesthetic medicine clinic cybersecurity covers five industry-specific layers: protection of before/after photos (GDPR Article 9 plus likeness and personality rights), hardening of the Instagram and Facebook accounts (the primary revenue channel), secure booking systems (Booksy, Versum, Moment), MFA on the clinic management system, and quarterly IP-camera firmware audits (Hikvision CVE-2021-36260). One annual external assessment covers all five.

1. What is industry-specific

From a cyber-security perspective an aesthetic medicine clinic is not a typical SMB. Three risks that no generic SMB plan addresses:

Patient likeness as currency. Before/after photos are simultaneously medical documentation and marketing material. A single leak is potentially a triple violation (GDPR, likeness rights, personality rights). Once a patient withdraws marketing consent they have a right to erasure; a clinic with no deletion procedure is exposed to a real UODO fine.

Instagram as the revenue channel. Solo and small clinics typically book 60-90% of appointments via Instagram or Facebook. A 30,000-follower account represents years of work. A takeover via SIM swap or a "message from Meta" phishing email means months of lost revenue and reputational damage.

Low entry threshold for the attacker. Vishing calls from fake Botox sales reps, or about a fake "filler sample delivery", are attacks on reception staff, not on infrastructure. The attacker does not need to be technically sophisticated, only industry-aware.

A clinic's defence plan must therefore differ from an accounting firm's. Emphasis: social media accounts, photo privacy, gallery access control, and verification procedures for phone requests.

2. Five defence layers for the aesthetic clinic

Layer 1 - Social media and clinic likeness

Run Instagram and Facebook as business accounts (not personal profiles) under Meta Business Suite with business verification, and use a recovery email on a domain other than the clinic's own, so that a single domain or mailbox compromise does not hand over the social accounts as well. Phishing-resistant MFA: a FIDO2/U2F hardware key (YubiKey, Google Titan), never SMS, which is vulnerable to SIM swap. No shared logins; each staff member gets their own Meta Business role with the least privilege the job needs. Image-publication policy: consent separate from treatment consent, time-limited, easy to revoke.

Layer 2 - Before/after photo protection

Triple regime: GDPR, likeness rights and the Civil Code. Photos are health data (GDPR Article 9), a likeness (Article 81 of the Polish Copyright Act) and a personality right (Civil Code Article 23). One leak can give rise to three separate claims, and the patient's damages claim is independent of any UODO fine.

Dual consent. Two separate documents: 1) consent to treatment and to medical documentation; the GDPR basis for that documentation is Article 9(2)(h), not consent, so it cannot be withdrawn for as long as the record must be retained; 2) consent to marketing publication, which is optional and revocable at any time.

At-rest encryption. Photos in the clinic database: encrypted. Photo backups: encrypted. Work phones holding photos: biometric lock plus full-device encryption. Patient photos never go on personal phones.

Restricted access. Every gallery view is written to an audit log, denied attempts included. Reception staff get no gallery access. Each doctor sees only their own patients unless a team consultation has been recorded.

Consent-withdrawal procedure (30 days). Written withdrawal → acknowledgement within 7 days → removal from Instagram, Facebook, the website and all marketing materials within 30 days → removal from backups at the next rotation → entry in the patient record and the processing register.
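The access rule, the audit log and the withdrawal deadlines above, as an added example that is not code from the clinic guide or from any clinic management product. It assumes reception staff have no gallery access at all; the staff IDs, patient IDs and dates are constructed for the demo.

```python
"""Added example (not the guide's or any vendor's code): a minimal before/after
gallery model with per-doctor access, a complete audit log and a marketing-
consent register. Staff IDs, patient IDs and dates below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

ACK_DEADLINE_DAYS = 7       # acknowledge the withdrawal within 7 days
REMOVAL_DEADLINE_DAYS = 30  # off every marketing channel within 30 days


@dataclass
class Photo:
    patient_id: str
    treating_doctor: str
    marketing_consent: bool = True          # separate from treatment consent
    consent_withdrawn_on: Optional[date] = None


@dataclass
class Gallery:
    photos: Dict[str, Photo]                # photo_id -> Photo
    roles: Dict[str, str]                   # staff_id -> "doctor" | "reception"
    published: Set[str] = field(default_factory=set)  # photo_ids currently on Instagram/website
    consultations: Set[Tuple[str, str]] = field(default_factory=set)  # (doctor, patient) grants
    audit_log: List[dict] = field(default_factory=list)

    def view(self, staff_id: str, photo_id: str, today: date) -> bool:
        """Allow a view only to a doctor who treats the patient or holds a
        recorded team-consultation grant (assumption: reception never sees
        photos). Every attempt is logged, allowed or denied, so the log also
        shows probing, not only legitimate use."""
        photo = self.photos.get(photo_id)
        role = self.roles.get(staff_id, "unknown")
        allowed = (
            photo is not None
            and role == "doctor"
            and (photo.treating_doctor == staff_id
                 or (staff_id, photo.patient_id) in self.consultations)
        )
        self.audit_log.append({"date": today.isoformat(), "staff": staff_id, "role": role,
                               "photo": photo_id, "result": "allowed" if allowed else "denied"})
        return allowed

    def withdraw_marketing_consent(self, patient_id: str, received_on: date) -> dict:
        """Record a written withdrawal. Only marketing use stops; the treatment
        record itself stays, its basis being Article 9(2)(h) rather than consent."""
        affected = sorted(pid for pid, p in self.photos.items() if p.patient_id == patient_id)
        for pid in affected:
            self.photos[pid].marketing_consent = False
            self.photos[pid].consent_withdrawn_on = received_on
        return {"patient": patient_id, "photos": affected,
                "acknowledge_by": (received_on + timedelta(days=ACK_DEADLINE_DAYS)).isoformat(),
                "remove_by": (received_on + timedelta(days=REMOVAL_DEADLINE_DAYS)).isoformat()}

    def marketing_export(self) -> List[str]:
        """Photo IDs that may still be published; withdrawn ones never leave the system."""
        return sorted(pid for pid, p in self.photos.items() if p.marketing_consent)

    def overdue_removals(self, today: date) -> List[str]:
        """Withdrawn photos still published after the 30-day deadline. The
        register entry should be able to show this list as empty."""
        late = []
        for pid in self.published:
            p = self.photos[pid]
            if (p.consent_withdrawn_on is not None
                    and today > p.consent_withdrawn_on + timedelta(days=REMOVAL_DEADLINE_DAYS)):
                late.append(pid)
        return sorted(late)


def demo() -> dict:
    """Walk through the Layer 2 rules on constructed data and return the results."""
    g = Gallery(
        photos={"ph-1": Photo(patient_id="pat-A", treating_doctor="dr-kowalska"),
                "ph-2": Photo(patient_id="pat-B", treating_doctor="dr-nowak")},
        roles={"dr-kowalska": "doctor", "dr-nowak": "doctor", "recepcja-1": "reception"},
        published={"ph-1", "ph-2"},
    )
    d0 = date(2026, 3, 2)
    own = g.view("dr-kowalska", "ph-1", d0)        # own patient: allowed
    other = g.view("dr-kowalska", "ph-2", d0)      # colleague's patient: denied
    g.consultations.add(("dr-kowalska", "pat-B"))  # team consultation recorded
    consult = g.view("dr-kowalska", "ph-2", d0)    # now allowed, and logged as such
    reception = g.view("recepcja-1", "ph-1", d0)   # reception: denied, and logged
    ticket = g.withdraw_marketing_consent("pat-A", d0)
    return {"own": own, "other": other, "consult": consult, "reception": reception,
            "ticket": ticket, "export": g.marketing_export(),
            "overdue_day_10": g.overdue_removals(d0 + timedelta(days=10)),
            "overdue_day_31": g.overdue_removals(d0 + timedelta(days=31)),
            "audit_entries": len(g.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of logging denied attempts as well as allowed ones is that a receptionist or doctor trying other galleries shows up in the log; a success-only log would hide exactly the behaviour the access rule exists to catch. The `overdue_removals` check is what turns the 30-day promise into something the register can evidence.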

Layer 3 - Booking and GDPR

Booksy, Versum and Moment all offer Article 28 data-processing agreements for business clients; sign one before go-live. Turn on MFA for the clinic's account (free, and usually left off). Minimise form data: allergies, medications and chronic conditions belong in the in-clinic consultation, not in the online booking form. Show the GDPR information clause at booking.

Layer 4 - Clinic management system

MFA on the clinic management platform (Estima, ProgMedica, e-Doctor and others). A separate login for every doctor and receptionist, with an audit log. 3-2-1 backup with one immutable copy: ransomware crews exfiltrate the photo gallery before encrypting it and threaten publication (double extortion), so a backup the attacker can reach and overwrite is no backup at all. Monthly restore test: a backup that has never been restored is unverified. Vendor patches: subscribe to the vendor's security notices and install fixes for critical CVEs within 7 days.
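What the monthly restore test should actually do, as an added example that is not code from the clinic guide or from any backup product: build a backup of a photo folder with a SHA-256 manifest, restore it into a scratch directory, verify every file against the manifest, and show that a file overwritten in a writable (non-immutable) copy is caught. The folder layout and photo bytes are constructed here; a real run points `source` at the gallery export and `backup` at the off-site copy.

```python
"""Added example (not the guide's or any vendor's code): a scripted restore
test with a per-file SHA-256 manifest. Paths and file contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large image sets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy source to backup and write manifest.json with one hash per file.
    In production the backup target is the immutable copy (e.g. object storage
    with a retention lock); here it is a plain directory so tampering can be shown."""
    shutil.copytree(source, backup)
    manifest = {str(p.relative_to(source)): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path) -> dict:
    """Restore into an empty directory and compare every file with the manifest.
    Reports missing, corrupted and unexpected files; ok is True only if all match."""
    manifest = json.loads((backup / "manifest.json").read_text())
    shutil.copytree(backup, restore_to)
    (restore_to / "manifest.json").unlink()
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        f = restore_to / rel
        if not f.exists():
            missing.append(rel)
        elif sha256_file(f) != digest:
            corrupt.append(rel)
    extra = [str(p.relative_to(restore_to)) for p in restore_to.rglob("*")
             if p.is_file() and str(p.relative_to(restore_to)) not in manifest]
    return {"expected": len(manifest), "missing": missing, "corrupt": corrupt,
            "extra": extra, "ok": not missing and not corrupt and not extra}


def demo() -> dict:
    """Clean restore, then a restore after a file in the backup was overwritten
    the way ransomware would do it if the copy were writable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "gallery" / "pat-A"
        source.mkdir(parents=True)
        # Constructed stand-ins for JPEG files (JPEG SOI marker plus filler bytes).
        (source / "before.jpg").write_bytes(b"\xff\xd8" + b"A" * 1024)
        (source / "after.jpg").write_bytes(b"\xff\xd8" + b"B" * 1024)
        backup = root / "backup"
        make_backup(root / "gallery", backup)
        clean = restore_and_verify(backup, root / "restore1")
        # Simulated ransomware reaching a writable backup copy.
        (backup / "pat-A" / "after.jpg").write_bytes(b"ENCRYPTED" * 64)
        tampered = restore_and_verify(backup, root / "restore2")
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (or a signed copy of it) somewhere the backup job cannot write to; if the attacker can rewrite both the files and the hashes, verification proves nothing. That is the same reason the page insists on one immutable copy.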

Layer 5 - Hardware: IP cameras, IoT, diagnostic devices

IP cameras. CVE-2021-36260 (Hikvision) and similar Dahua issues allow takeover without authentication. Defence: quarterly firmware updates, a separate VLAN with no route from the reception network or the patient Wi-Fi, default passwords changed, and no exposure to the internet (no port forwarding to the cameras or the recorder).

Diagnostic devices on their own VLAN. Medical lasers, IPL units and diagnostic devices often run unpatched Windows. Segment them so they are not reachable from any machine used for email or browsing, nor from the patient network.

Patient Wi-Fi = a separate guest network with its own SSID and VLAN.

3. Compliance specifics

GDPR Article 9 applies to the medical data and to the photos. Required: information clauses, dual consent, a processing register, and Article 28 DPAs with Booksy/Versum, the cloud provider and the clinic-system vendor.

Likeness rights (Article 81 of the Polish Copyright Act). Every publication of a patient's likeness requires consent; revocation creates a deletion obligation.

NIS2 almost never applies to a clinic of this size; run the scope test in the NIS2/UKSC pillar before assuming either way.

4. Budget

Annual ranges for a 3-15 person clinic with 50-500 patients a month, in 2026 PLN:

  • 0-1K: free MFA, SPF/DKIM/DMARC, BitLocker, a written policy.
  • 1-5K: Microsoft 365 Business Premium with EDR, immutable cloud backup for photos at 200-500 PLN/month, YubiKey hardware keys for the social media accounts (2-3 units).
  • 5-15K: annual CyberAudyt CyberCerber (see pricing), a professional phishing simulator, cyber insurance at 3-12K.
  • Above 15K: clinic chains, outsourced DPO, a penetration test every two years, a retained SOC.

One Instagram-takeover incident with months of recovery = multiples of an annual cyber budget.

5. 30-60-90 day plan

Weeks 1-2: social media and clinic system. MFA on Instagram and Facebook with a hardware key (not SMS); MFA on the clinic system, on Booksy/Versum and on email. Review the Booksy/Versum DPAs and the cloud provider's DPA.

Weeks 3-4: 3-2-1 backup with an immutable copy for the photo gallery and patient records. First restore test. BitLocker/FileVault on every device that holds photos. Biometric lock on work phones.

Weeks 5-8: dual-consent template (treatment + likeness). Written marketing-consent withdrawal procedure (30 days). Information clauses at booking and on the website. Short team training on recognising phishing and vishing patterns (the fake Botox sales rep).

Weeks 9-12: external vulnerability assessment (CyberAudyt CyberCerber). IP-camera firmware update and separate VLAN. IoT device inventory and segmentation. Written IT security policy.

6. CyberCerber for aesthetic clinics

Fixed-price external vulnerability assessment covering all five layers - including social media accounts, booking systems, IP cameras. Three products: PreScan (free diagnostic in 24h), CyberAudyt (full vulnerability assessment, report in 5 business days), Pentest (for clinics with corporate-client or regulatory requirements). Guarantee on CyberAudyt: if the report does not surface at least three actionable findings, full refund.
