An expert shares strategies veterinary practices can implement to protect their business from cyberattacks.
In 2021 alone, prominent organizations like the Colonial Pipeline, JBS, and CNA Financial made front-page news by falling victim to cyberattacks that incurred severe financial damage. However, Fetch dvm360® Conference presenter Clint Latham, JD, said the veterinary industry has been largely passive and unconcerned with cybersecurity. Rather, veterinary professionals tend to assume they aren’t a target, because they are small businesses and, therefore, small targets.
“This is the most important thing that no one in vet med is talking about,” said Latham, addressing the audience in San Diego, California.
However, Latham cites a Malwarebytes study that found more than a third of small-to-medium-sized businesses were affected by a cyber attack.1 Because veterinary medicine is grouped together with the entire health care sector in the study, he said, it can be difficult to determine exactly how many veterinary practices have been affected. With rough estimates based on the study, Latham said approximately 11,000 veterinary practices are victim to a cyber-attack each year, or 228 per week.1
“Every 39 seconds, a business is attacked,” Latham said.
He continued to explain the damage a cyberattack can do, referencing a June 2020 American Veterinary Medical Association online presentation concerning cybersecurity that stated their average cyber claim was $135,000.
“Often the cost of downtime is more than the ransom demand…how long can you survive without your practice management system?” asked Latham, “However, if you pay the ransom, you become a repeat target. You get put on lists…and then people know to go after you because they know you’re not properly protected.”
Latham also talked about animal hospitals and large veterinary organizations being targeted, losing millions of dollars in the process. The reason these attacks do not make the news frequently is that the federal government doesn’t get involved in a cyberattack unless the ransom exceeds $500,000.2 To emphasize the danger, he pointed to an open letter released by the White House on June 3, 2021, that states, “No company is safe from cyber-attacks.”3 Simply put, Latham wants veterinary professionals to know the risk is real, and the consequences could be devastating. “
However, Latham stated that protecting veterinary practices can be simple and inexpensive, once the threat is acknowledged and taken seriously. He put forward 5 actions that all practices can take right now to minimize their exposure to cyberthreats.
1. Take advantage of password managers
Latham explained that the first step in having strong passwords is using a password manager. Making easy-to-remember, commonly used passwords, as well as duplicating them across multiple accounts, creates an easy vector for attack by cybercriminals. However, remembering complicated passwords with symbols and random characters for dozens or hundreds of accounts approaches impossible for the average person.
Why are strong passwords important? Many attacks are carried out using compromised password lists acquired from the dark web. A good password manager will make it easy to create complicated and unique passwords for every account in a matter of seconds. They also easily integrate with Windows, Mac, and every modern web browser. Most even work on both Android and iPhone, too, allowing everyone to safely have access to their credentials at the touch of a button. Another great feature is that they allow for easily sharing passwords with staff, and they can send a notification if a password has been comprised. When an employee leaves the practice, there is no need to change every password in the hospital; simply deactivate their access to the password manager itself. No more worrying about who might be walking around with access to the organization’s critical data, Latham said.
2. Update, update, and update again
Latham said that one of the easiest paths into a network for attackers is a known exploit. Every software company offers regular security updates for a reason: vulnerabilities are constantly discovered and shared among cybercriminals. It is a constant game of cat and mouse between the attackers and the companies patching their software. Deferring and ignoring updates only makes a system more vulnerable over time. That is why everyone should regularly update anything that touches the internet, according to Latham. In addition to computers, things like smartphones, tablets, smart thermostats, Amazon Alexa or Google Home devices, ring camera systems, and more are included. Despite Microsoft releasing a fix in April 2017, the eternal blue exploit that was used to conduct the largest cybersecurity incident to date in February of 2017 is still a vulnerability on approximately 50,000 servers.4 Not keeping systems up to date is flirting with disaster, Latham said.
3. Use free cybersecurity tools
“Thirty seconds can save you hundreds of thousands of dollars in a cyberattack,” said Latham. When it comes to cybersecurity, there are some powerful free tools at everyone’s disposal for protecting their business, stated Latham. With zero financial investment, there’s no reason not to take advantage of anything that can lower the risk of becoming a victim. Three free, effective tools are as follows:
- Have I Been Pwnd: Many people are going about their day right now, unaware that their online accounts have been compromised. Cybercriminals could have access to accounts and already be doing damage, or they could be lying in wait for a moment in the future before striking. This is a great tool one can use to find out if any of their accounts have been compromised, with details about when and how the attack occurred. Simply plug in an email address and it scans the dark web to find out if that email has been part of any breaches. Knowing an account has been compromised allows the user to take action to prevent or limit the damage, such as changing passwords and canceling credit cards.
- Virus Total: This is a comprehensive tool that scans any file or document using more than 50 antimalware engines. Its best used for checking the safety of any file received via email or filesharing sites before opening it. It is recommended to scan any file that looks strange, comes from an unknown person or source, or is accompanied by a suspicious email. This simple task could prevent malware from running on the practice’s network, doing damage measured in dollars and causing untold headaches.
- Blacklight: Scanning for malware isn’t just important for files; websites themselves can be malicious actors as well. If a website appears suspicious, try entering the URL into Blacklight, and it will scan the website and determine if anything nefarious is going on behind the scenes.
4. Staff training
A chain is only as strong as its weakest link, and unfortunately, the weakest link in cybersecurity is the human element. Latham said it is critical to train staff on how to spot phishing attacks, how to keep information private, why passwords need to be complicated, how to use the free tools, and how to confirm who they are talking to. The best systems and IT services money can buy can’t stop a person from making a mistake.
“Even if they have a Master’s degree in cybersecurity, they’re still going to be too busy to catch every mistake,” Latham said.
Everyone on staff needs to know what to do if they think they’ve fallen victim to a cyberattack. According to Latham, the sooner one acts, the sooner damage can be mitigated.
“Make sure your staff feels comfortable enough to come to talk to you in the event they make a mistake because it can save you hundreds of thousands of dollars in headaches,” Latham said.
5. Business continuity: bouncing back when disaster strikes
“Are your backups actually ransomware proof?” Latham asked the audience. Data backup is crucial. However, data itself is useless if there is no way to access it when an attack occurs, said Latham.
Business continuity planning is the process of planning for disaster recovery. It is having a backup plan and the ability to implement it quickly to minimize downtime.5 This can look like a backup server that takes over if the main one goes down, or it could be a plan for restoring important files in the case of data loss. A practice might have done the due diligence of simply backing up their files, but what happens in the event of a flood or fire? Can they access patient records or financial information? It’s a vital topic to discuss with IT because good business continuity can turn a cyberattack from a disaster into a minor inconvenience.
When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. The growing threat of cyberattacks is an important consideration all in the veterinary industry must take seriously. It is critical to be prepared to prevent disaster and to have a plan B or even C for when the worst-case scenario becomes reality.
- Ransomware shuts down 1 in 5 small businesses after it hits. CNET. Accessed December 2, 2021. https://www.cnet.com/tech/services-and-software/malwarebytes-state-of-ransomware-shutting-down-1-in-5-affected-small-businesses/
- Reporting computer, Internet-related, or intellectual property crime. The United States Department of Justice. Accessed December 2, 2021. https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime
- What We Urge You To Do To Protect Against The Threat of Ransomware. The White House. Accessed December 2, 2021. https://sbecouncil.org/wp-content/uploads/2021/06/Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf
- Still More than 50,000 hosts are vulnerable to ETERNAL BLUE Exploit. GBHackers on Security. Accessed December 2, 2021. https://gbhackers.com/still-50000-hosts-vulnerable-eternal-blue-exploit/
- Business Continuity Planning (BCP). Investopedia. Accessed December 2, 2021. https://www.investopedia.com/terms/b/business-continuity-planning.aspf