Thinking about cyber security and data protection can get overwhelming at times. Where do we begin, if you even think about it at all? For most veterinary practices, the idea of having a security audit outside of your local IT company seems crazy. However, having worked on the other side of the aisle, I know for a fact that security is a secondary concern when compared to ensuring that the administrative side of your technology is functioning. For example, looking back at my career as an administrative IT CIO, I’m often amazed at the lack of basic security measures that we took: using the same password format for all our clients, lack of 2FA (two-factor authentication), the same admin username for all our clients, and the list goes on and on. Let’s look at another example, NVA. NVA had over 400 hospitals get hit with a bad ransomware that took their hospitals out at the knees. NVA has a very robust IT team, but the one thing they are lacking? A dedicated IT security team. And this incident shows it. Having a bit of inside knowledge as to how this incident occurred, I can tell you that if you are counting on your local IT guy to handle your security, you may become the next NVA.
Where to start?
It helps to have a basic understanding of the 7 categories of control. As we look at each of these categories, we will also look at which ones I see addressed and which are often overlooked by most veterinary practices.
1) Directive
This is one that is often overlooked by most practices. If you carry cyber security liability insurance, like the one offered by the AVMA, then you need to address the Directive side of your cyber security and data protection plan. Directive is defined as “an official or authoritative instruction.” To put it simply, do you have policies and procedures in your employee handbook around the proper use of the technology in your practice? Do you have an incident response plan in place in the event a staff member makes a mistake?
2) Deterrent
In his book Cyber Deterrence and Cyber War, Martin Libicki describes these options as (1) “deterrence by denial (the ability to frustrate the attacks)” or passive deterrence and (2) “deterrence by punishment (the threat of retaliation)” or active deterrence. When it comes to our staff, deterrence by punishment is NOT a great option. It puts our employees on the defensive. They are unlikely to want to notify us in the event they make a mistake that leads to a breach. We want to create an environment that empowers our staff so that they can take the actions outlined in our incident response plan to help mitigate any damages. We are all human and make mistakes. That’s why we need a deterrence by denial approach.
This approach looks at your business as a whole, then analyzes the parts to come to an overall risk summary. Start by performing a BIA (Business Impact Analysis) on the different areas where you touch data in your practice. You can also start building your deterrence by denial plan by downloading our FREE eBook, 5 Simple Steps to Protect Your Practice.
3) Preventive
This is also one that is largely overlooked by most veterinary practices, which I find interesting, as in veterinary medicine we are always trying to teach our clients the importance of preventive medicine in the health of their pets. Yet we so often overlook the importance of preventive medicine when it comes to our technology. One of the easiest and most effective ways to help prevent a cyber attack is to train your staff. You can work with us to schedule simulated attacks on your practice to fully understand your exposure and help to educate your staff. To book your training, click here.
4) Compensate
Compensation is all about mitigating risk down to an acceptable level. Never will you be able to get your total risk to 0. However, you can compensate in certain areas to bring the risk level down to an acceptable level. For example, for most practices it’s far too expensive to have a redundant network stack in the event there is a major failure or data breach. However, we can compensate for that risk by implementing the Lucca Data Vault, a lower-cost solution that provides us with a copy of our server that can function at a certain level of performance to ensure that we can still see and treat our patients in the event of a network failure. As you run through your BIA (business impact analysis), you will be able to see areas that are in need of compensation to help mitigate risk for other controls that are impossible or too expensive to implement.
5) Detective
Are there bells and whistles that go off if your veterinary practice data has been breached? Do you know what to look for? Do you know where the fire extinguishers are located? Think of the detective controls as the security system for your data. There should be some form of notification or alarm that is rung to notify you of an issue that needs attention. At Lucca we do this through a centralized console that manages all the devices on your network, makes sure they are always up to date, and sends us an alarm if something is not right. All of this information is at our fingertips.
6) Corrective
You’ve heard me mention your incident response plan throughout this article. For most veterinary practices, their IRP is “call the IT guy”. By the time you get a hold of your local IT person, it’s gonna be too late. You need clearly defined steps that you take in the event a data or security incident occurs. Calling the IT guy is not a corrective plan. Having been on the other side of the aisle, I can tell you how frustrating this is for both the IT company and the practice when an incident occurs, as no one’s really sure what to do, which leaves everyone extremely frustrated and tempers flaring. Take time to document and share your IRP with your staff. You’ll thank me later.
7) Recovery
Recovery countermeasures aim to complement the work of corrective countermeasures. They also try to get the system back to its normal condition before the attack occurred. You should also have a complete DRP (disaster recovery plan) in place that outlines the measures that are to take place in the event that the other controls have failed and you must seek a recovery. The more detailed you can be, the better. I have worked with countless DVMs and CVPMs that are very technical and think they have their bases covered. However, when we start to look at the different scenarios that can take place and how they will recover, they start to get overwhelmed. Again, as we say in contract law, “prepare for the worst and hope for the best.” When everything is clearly defined, there are no ambiguities and everyone is on the same page, which makes for a far faster and smoother recovery process.
If you need help implementing or reviewing any of these controls within your practice, contact us today!
Peace Love and Plants
Clint Latham J.D.