The Most Important Thing No One is Talking About: The Current State of Cyber Security in Vet Med
Cyber security has become a bit of a buzzword in 2021. The high-profile cyber attacks on businesses like the Colonial Pipeline, CNA, Kaseya and JBS have raised a lot of concerns amongst larger organizations. However, veterinary medicine largely remains unconcerned, with common messaging of “Why would anyone want Fluffy’s medical records?” and “Our IT guy has us covered.” Yet the statistics tell us that over one third of small to medium sized businesses were affected by a cyber attack. (1) With veterinary medicine being lumped into the health care sector, it's hard to know exactly how many practices are affected each year. However, using the rough estimate of one third of small to medium sized businesses from the Malwarebytes research (1), roughly 11,000 veterinary practices each year are affected by a cyber attack. That's 228 veterinary hospitals per week!
Why don’t we hear about all these attacks?
In June of 2020 the AVMA gave an online presentation concerning cyber security and why having a Cyber Security PLIT was important. The AVMA trust division stated that at the time of the presentation their average cyber claim was $135,000.00. Unfortunately, a ransom demand of $135,000.00 isn’t large enough to be newsworthy. In fact, in order for the federal government to get involved, the ransom has to be in excess of $500,000.00. (2) The sad fact is that just because we don’t hear about these attacks doesn’t mean they aren't happening. On June 3rd 2021 the White House released an open letter to all businesses in the United States. (3) They specifically state “no company is safe from cyber attacks”. Yet the veterinary industry largely thinks it is in some sort of safe zone. This is largely due to a lack of understanding of how cyber attacks work.
Building a cyber attack
Contrary to popular belief, cyber criminals rarely seek out an individual business unless that business will net them millions of dollars in ransom. So how are cyber attacks crafted to attack smaller businesses and, more importantly, veterinary hospitals?
The waterfall approach. When a cyber criminal looks to go after small businesses, they build an attack like a waterfall. As a river flows downstream, it looks for the path of least resistance. In the same way, the cyber criminal will build an attack vector that looks for known exploits that will allow them to easily flow into the hospital. We can look at the steps used by cyber criminals by analyzing the seven links in Lockheed Martin's Cyber Kill Chain (4). The seven steps are:
6. Command & Control
7. Actions & Objectives
These tools then look for a weakness in areas 1-3 and are then deployed to the world wide web. The most common attack vector is email phishing, followed by business email compromise. A few industry examples include sending hospitals fake resumes embedded with ransomware, or gaining access to the clinic email address, which then gets the attackers access to cloud-based practice management systems, allowing them to create fake invoices to send to all of your clients.
5 Simple Steps to Protect Your Hospital
The great news is that it doesn’t have to be expensive or complicated to start protecting your hospital from the waterfall of cyber attacks. Thus we are going to cover five actions you can take that will have the greatest impact on your veterinary hospital’s cyber security.
“Education is the most powerful weapon you can use to change the world” - Nelson Mandela
1- Passwords: Start by leveraging a good password manager. The recent JBS & Kaseya attacks were carried out by REvil, using compromised password lists they acquired from the dark web. A good password manager will make it easy to create complicated and unique passwords for every account you use. Password managers also integrate easily with Windows and Google’s Chrome web browser. They allow you to easily share passwords with staff and notify you if any of your passwords have been compromised. The best part is that when an employee leaves, you simply deactivate their password manager access and don’t have to change every password in the hospital.
2- Update, Update and then Update again: One easy path down the river is through known exploits on the network. All technology software companies offer regular security updates. Some of these updates fix what are known as zero days, which indicates that these vulnerabilities are actively being exploited by criminals and you need to update immediately. Thus you should regularly update anything that touches the internet: not just computers and the software that they use, but also any IoT (Internet of Things) devices, things like smart phones, tablets, smart thermostats, Amazon Alexa or Google Home devices, and Ring camera systems. The list goes on to anything that touches the internet. The EternalBlue exploit, which was used to conduct the largest cyber security incident to date in Feb of 2017, is still a vulnerability on roughly 50,000 servers (6), even though Microsoft released a security update to fix the issue in April 2017. If you learn anything, it should be to keep everything up to date.
3- Leverage Free Cyber Security Tools: One great way to mitigate your cyber security risks is through the use of free cyber security tools. Here are three tools we recommend you bookmark:
1- Have I Been Pwned - https://haveibeenpwned.com
This is a great tool to see if your email accounts or passwords have been compromised. It scans the dark web ‘bases’ and looks for your account details. If you're not using a password manager you should be running your accounts through this website at least once a quarter.
2- VirusTotal - https://virustotal.com
This is an amazing tool to scan resumes or any other documents that are emailed to you. It will scan the files you upload against 50+ antimalware engines. Most malicious files, even if you download them, won't do anything until you try to open them. Thus uploading them to VirusTotal before you open them can save you hundreds of thousands of dollars in losses from cyber crime. If a document comes from a person you don’t know, or the email looks somewhat suspicious, upload it to VirusTotal first.
3- Blacklight - https://themarkup.org/blacklight
Think that website is tracking you or might be doing something else malicious? Enter the URL into Blacklight and it will scan the website telling you what’s going on behind the scenes.
4- Staff Training - The weakest point in any cyber security plan is the human element. If we can arm our staff with how to spot phishing attacks, how to keep information private, why passwords need to be complicated, how to use the free tools mentioned above and how to confirm who they are talking to, it will go a long way in helping to protect our hospital. Most importantly, our staff needs to know what to do if they think they’ve fallen victim to a cyber attack. The sooner we can act, the faster we can mitigate the damages.
5- Business Continuity over backups - It's great to have your data backed up somewhere. However, how useful is that data if you have no way to use it in the event of a disaster? Investopedia defines business continuity as follows: “Business continuity planning (BCP) is the process involved in creating a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.” (5) The second aspect of this definition is the most important: “are able to function quickly in the event of a disaster”. We’ve had countless hospitals that thought their data was protected until disaster struck, only to be left with data that’s no good or that they are unable to access. Always make sure you test your backup plan. Never just rely on your IT person's word. We see too often that they thought they had everything backed up, but it was backed up to a hard drive connected to the server, which was also encrypted. Good business continuity can turn a cyber attack from a disaster into a minor inconvenience.
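Testing the backup plan means restoring it and checking the result, not trusting the backup job's status. The following Python is an added example, not from the original article: it records SHA-256 hashes of the live data at backup time, then verifies a test restore against them. All paths and file contents are constructed, and the second run simulates a backup drive whose contents were altered along with the server.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to its SHA-256, for everything under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(expected, restored_root):
    """Compare a test restore against the manifest recorded at backup time."""
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    changed = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}

def demo():
    """Run one healthy and one damaged restore test in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = (Path(tmp) / n for n in ("live", "backup", "restore"))
        (live / "records").mkdir(parents=True)
        (live / "records" / "patients.db").write_bytes(b"constructed sample data")
        (live / "invoices.csv").write_text("id,total\n1,42.00\n")

        # Manifest is taken at backup time and should be kept off the server.
        expected = manifest(live)
        shutil.copytree(live, backup)

        # Test 1: restore from a healthy backup and verify it.
        shutil.copytree(backup, restore)
        good = verify_restore(expected, restore)

        # Test 2: the backup drive was attached to the server and its files
        # were altered too, so the restore no longer matches the manifest.
        (backup / "records" / "patients.db").write_bytes(b"\x00unreadable")
        (backup / "invoices.csv").unlink()
        shutil.rmtree(restore)
        shutil.copytree(backup, restore)
        bad = verify_restore(expected, restore)
        return good, bad

if __name__ == "__main__":
    for label, result in zip(("healthy backup", "damaged backup"), demo()):
        print(label, "->", result)
```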