As someone who is dedicated to protecting veterinary practice data, I find that the veterinary industry is in a bit of a grey area. Let me explain.
Whenever I ask a practice if they are worried about cyber attacks, I’m usually met with a “No”, along with the response: “Why would a hacker want my data? We don’t have anything special.” However, if I ask about the Covetrus data breach that occurred back in early 2019, I’m met with rage, and practice owners feeling like they have been taken advantage of. Just read the comments section of the VIN article to get an idea of what I’m talking about. Herein lies the issue I’m referring to.
We kinda think our data is valuable
We don’t think our data is valuable enough to protect it from cyber criminals. However, if we find out that a business is using our data the way they outline it in the EULA (end user license agreement), this makes us very upset. The biggest issue is that the average practice owner has no clue how valuable their data truly is, or how a business partner is using it.
An article in the LA Times, “Shadowy data brokers make the most of their invisibility cloak”, states that the data trade is a $200 billion a year business. Most of these businesses hide in the shadows, collecting and selling your data without you ever knowing it. What’s even scarier is that a lot of the businesses that provide us with a valuable service are doing the exact same thing. The issue for me lies in the transparency of the act. This also gets to the core of GDPR and the California Consumer Privacy Act (CCPA). While both of these acts put extra strain on businesses to protect the data they hold, their core design is to force data transparency: what data are we collecting, how are we using it, and most importantly, do you agree? Hopefully this article can shed some light on how valuable your data is, while providing you some guidance to start protecting it.
Why hackers find our data valuable
We can and should dedicate an entire article to this subject. However, for the sake of brevity, let’s talk about why your data is valuable and why a hacker wants it.
Your data is insanely valuable to you!
How long can you run your business without access to your practice management software? How long can you function or process payments without the internet? How will you service your customers if you can’t answer the phone? Ask any practice that has gone through a cyber attack and you know the answer: not long. Hackers know this too, and the easiest way to get the payday they are looking for is to prevent you from accessing your data. Enter the world of ransomware. Sure, we hear about the NVAs of the world, where over 400 practices were held ransom in late 2019. What we don’t hear is that 43% of all cyber attacks target small businesses, and with terms like hospital, medical center and clinic in many of our practices’ names, the veterinary industry moves up into the top 15% of industries targeted by cyber crime. An article from CNBC in October 2019, “Cyberattacks now cost companies $200,000 on average, putting many out of business”, reported that over half of the small businesses that were attacked couldn’t afford the cost of the breach and had to close their doors. Not to mention that if you pay the ransom, your business is now marked as a company that will pay, putting you on a short list of companies to directly seek out and attack again. Can you afford to run your practice without access to your client data?
Your customers pay you
Another easy way for hackers to cash in is to steal your client records and then email your clients fake invoices indicating that they still owe you money. The problem is that the money goes to the hacker and not you, while also destroying your reputation and the relationships with the clients you’ve worked so hard to maintain. This is one of the biggest reasons practices reach out to me for help: their customer records were stolen, fake invoices are being sent out, and they don’t know how to stop it. On top of that, their CSRs are spending all day taking phone calls from clients and trying to mend the relationship.
In short, cybercrime prevention is one of those things you don’t think will happen to you until it does. Just like my primary DVM tells me with my Yorkies: clean their teeth! Why? Because maintaining a healthy mouth goes a long way toward maintaining a healthy pet. The same can be said for cyber crime. It’s time we realize as an industry that our data is valuable, and that we need to take a preventive approach to keeping our networks healthy.
Read your EULAs!
Before you sign up for a new service, make sure you understand what is going to happen with your data. There are many cases where a vendor will use your data to help provide you with better products and services. For example, I regularly work with cyber security teams to review threats and logs across all of the practices that we service. This is done in an anonymous fashion, so as NOT to identify any particular hospital, person or patient, but rather to look at security threat trends across all hospitals. This data allows us to shift our focus and attention to better serve and protect our practices against the ever growing and changing cyber security landscape.
The issue comes when a vendor has access to your data and decides to monetize it. This is where things get very grey from an ownership rights perspective. Let’s look at an example.
Let’s say I start the company Vet Widgets. Vet Widgets is a parasite detection and prevention company. My parasite widget allows you to scan a pet, and in 5 seconds it will tell you if the dog or cat has one of 1000 different parasites. Vet Widgets connects with your practice management system to automatically record any findings. Vet Widgets also has its own website where you can log in and run any number of different reports to see trends in parasites in your city, town, county, state and even worldwide.
In order for Vet Widgets to accomplish this, we need to take your data and combine it with the data of all of the other practices we serve to allow you to see these trends. This may all sound good. However, what if a new drug manufacturer, Drug X, comes to me, the owner of Vet Widgets, and says:
“We would like to buy your data for 1 million dollars per year, so that we can learn which clinics, in which states, and when, would best benefit from our new hookworm prevention medication.”
Are you OK with your individual clinic information being sold to Drug X, as a gain for Vet Widgets, without your consent?
This is where things get interesting, as Vet Widgets wouldn’t be selling just the single data set of your practice, but rather the data of thousands of practices combined. However, without your practice participating in this data transaction on parasites, there is no data to be sold.
Enter GDPR and CCPA
The big difference between GDPR and the CCPA comes down to consent. With GDPR, in the example above, Vet Widgets would have to notify you of the potential sale and get your consent before your practice data could be used in this fashion. With the CCPA, Vet Widgets would have to notify you, but not gain consent; rather, it would have to allow you to opt your practice data out of this transaction. Keep in mind that both laws govern personal data about individuals (your clients and staff), so it is the client and patient details inside your practice data that they reach, not your business records as such. It will only be a matter of time before this type of legislation becomes national policy in the United States, as legislators are seeing the value of data and the potential for a business to charge you a fee for its services while also reselling your data on the open market, where there would be no data without your participation.
In my humble opinion, there is a way for data to become a benefit for all involved. If I, as the owner of Vet Widgets, want to sell your data as part of a larger data set, you, as the original data owner, should also profit from this transaction. Maybe it’s as small as 0.1% of the overall sale, but the sale of the data and the transparency of the transaction are there for everyone to see. Maybe you don’t see the $1000.00 payment as fair; then you can opt out. But this keeps everyone informed, with the opportunity to make an informed decision. The problem is that many of the EULAs I have read are very vague as to what they and their 3rd party affiliates do with your data. Thus the first step is to ask for clarification. Then perform a cost benefit analysis on the service the vendor provides, how much it costs and the potential for them to profit off your data. As the title of this article states: are you willing to pay to have your data stolen from your practice?
Thinking about going to a cloud based solution? They now physically hold all of your data, the heartbeat of your practice. Make sure to ask, and get clarification on, the data use issues above.
The Definition of Steal – “to take (the property of another or others) without permission or right, especially secretly or by force”
Data backup; the biggest mistake I see practices making
The first thing I look at whenever I review a practice’s data is how it is protected: how is it backed up, how often is it backed up, and how fast can I recover the data?
How is it backed up?
This is about to get a bit more technical, so bear with me. You should be asking yourself how your most valuable data is backed up. This includes your practice management system, X-ray and dental images, and your accounting/HR information. If you are backing this information up to just a local hard drive, you’re in big trouble. There is an endless list of reasons why this is a bad idea, but for the sake of brevity, let’s just say this: a drive that stays plugged into the server shares the server’s fate, whether that is ransomware, theft, fire or a failed power supply. If you’re the practice that has a hard drive plugged into your server as a data backup, call me, we need to talk.
The first step is to find a way to back that data up to the cloud: some form of offsite storage where the data is yours. Again, read the EULA of any cloud storage provider to make sure they are just housing the data and not doing anything with it. Again, don’t pay to have your data stolen out from underneath you. Make sure the offsite copy keeps prior versions as well, because a sync that faithfully mirrors encrypted files to the cloud is not a backup. Then you can continue to use your local hard drives as a quick file recovery solution, but in the event you get hit with ransomware and your backup hard drive is also encrypted, you have the cloud as your fail safe.
How often is it backed up?
Again, if you are that practice with the hard drive or drives plugged into your practice management system and backing up once a week: call me, I’m scared for you! What we need to think about here is, in the event of a major data loss (hardware failure, cyber attack, etc.), how much data will be lost? You may be asking yourself:
“Lost??” “None because we are backing it up!”
Let’s look at a real world example. This practice was backing up their Avimark database to a local hard drive every Friday at 7pm, and swapping those hard drives every other week. The practice was busy, business was good, so they were expanding their practice. In the expansion they were moving their server from on top of the litter box in the water heater closet to an actual data closet. On a Thursday night they shut the server down, unplugged it, moved it to its fancy new home and went to power it on. The server turned on, or so they thought, but the computers couldn’t connect to Avimark. The short of the story was a disk corruption issue, meaning the disks needed to be wiped and everything re-installed.
Because their last backup was from the Friday of the week prior, they had lost 6 days’ worth of data: all the SOAPs for all the patient records that week, the new appointments that had been scheduled, everything that was done that week. Gone! I want you to think about how much data you can afford to lose should this happen to you.
How fast can I recover the data?
The other question becomes how fast you can recover the data. In the example above, it took them over a day and a half to get the server back to functional. Imagine a Friday morning, one of the busiest times in your practice, and you have access to nothing. Not only did they lose 6 days of data, they couldn’t enter any additional data for another day and a half.
Now our data is back, but we have to spend countless hours trying to re-enter the data that was lost: trying to get CSRs and associates to remember everything they did, correcting charges, following up with clients to find out what day you scheduled them for, all while still trying to manage our active patient load. The good news is that there are data solutions that keep your data private (it’s yours after all), can be backed up every hour and make mirror copies of your server, thus allowing you to completely recover your data within a 2 hour time period while losing, at worst, 59 minutes’ worth of data (assuming the last backup was at 10:00am, disaster hit at 10:59am, and the data is backed up every hour).
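As an added example (mine, not the author’s and not any vendor’s product), here is a small Python script that works the arithmetic of this section for any backup schedule and applies the three questions above (how, how often, how fast) as checks over a list of backup copies. The dates, the `Backup` record and the two sample backup sets are constructed for the example; the schedules follow the article’s two scenarios, a weekly Friday 7pm job hit on a Thursday night and an hourly job hit at 10:59am.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Backup:
    """One backup copy. Hypothetical record shape for this example only."""
    taken_at: datetime
    location: str    # "local" = drive attached to the server, "offsite" = cloud or another site
    verified: bool   # True only if a test restore from this copy has actually succeeded


def latest_backup_before(first_run: datetime, interval: timedelta, failure: datetime) -> datetime:
    """Most recent scheduled backup at or before the moment of failure, for a job
    that first ran at first_run and repeats every interval."""
    if failure < first_run:
        raise ValueError("failure happened before the first backup ever ran")
    completed_runs = (failure - first_run) // interval   # timedelta // timedelta -> int
    return first_run + completed_runs * interval


def data_lost(last_backup: datetime, failure: datetime) -> timedelta:
    """Everything entered after the last good backup is gone: the recovery point you actually get."""
    if failure < last_backup:
        raise ValueError("failure cannot precede the backup it is measured against")
    return failure - last_backup


def worst_case_loss(interval: timedelta) -> timedelta:
    """Worst case for a schedule: disaster strikes one minute before the next run,
    which is how the article arrives at 59 minutes for an hourly backup."""
    return interval - timedelta(minutes=1)


def backup_findings(backups: list[Backup], now: datetime, max_age: timedelta) -> list[str]:
    """The section's three concerns as checks: is the newest copy fresh enough,
    does a copy exist off the server, and has any copy ever been restored from."""
    usable = [b for b in backups if b.taken_at <= now]
    if not usable:
        return ["no usable backup exists"]
    findings = []
    newest = max(usable, key=lambda b: b.taken_at)
    age = now - newest.taken_at
    if age > max_age:
        findings.append(f"newest backup is {age} old, policy allows {max_age}")
    if not any(b.location == "offsite" for b in usable):
        findings.append("no offsite copy: whatever encrypts or destroys the server takes the backup with it")
    if not any(b.verified for b in usable):
        findings.append("no backup has passed a test restore")
    return findings


# Constructed sample data mirroring the article's two scenarios (dates are invented;
# 2019-11-01 is a Friday, so the weekly job below runs Fridays at 7pm).
WEEKLY_JOB_FIRST_RUN = datetime(2019, 11, 1, 19, 0)
WEEKLY_INTERVAL = timedelta(days=7)
WEEKLY_MAX_AGE = timedelta(hours=24)                  # assumed policy: never more than a day behind
WEEKLY_FAILURE = datetime(2019, 11, 14, 21, 0)        # the Thursday-night server move
WEEKLY_LOCAL_BACKUPS = [
    Backup(datetime(2019, 11, 1, 19, 0), "local", False),
    Backup(datetime(2019, 11, 8, 19, 0), "local", False),
]

HOURLY_JOB_FIRST_RUN = datetime(2019, 11, 8, 0, 0)
HOURLY_INTERVAL = timedelta(hours=1)
HOURLY_FAILURE = datetime(2019, 11, 14, 10, 59)       # the article's 10:59am disaster
HOURLY_BACKUPS = [
    Backup(datetime(2019, 11, 14, 9, 0), "offsite", True),
    Backup(datetime(2019, 11, 14, 10, 0), "local", False),
]


if __name__ == "__main__":
    last = latest_backup_before(WEEKLY_JOB_FIRST_RUN, WEEKLY_INTERVAL, WEEKLY_FAILURE)
    print("weekly Friday 7pm job, Thursday-night failure: lost", data_lost(last, WEEKLY_FAILURE))
    last = latest_backup_before(HOURLY_JOB_FIRST_RUN, HOURLY_INTERVAL, HOURLY_FAILURE)
    print("hourly job, 10:59am failure: lost", data_lost(last, HOURLY_FAILURE))
    print("worst case for an hourly schedule:", worst_case_loss(HOURLY_INTERVAL))
    for name, copies, now, max_age in [
        ("weekly local drive", WEEKLY_LOCAL_BACKUPS, WEEKLY_FAILURE, WEEKLY_MAX_AGE),
        ("hourly with cloud copy", HOURLY_BACKUPS, HOURLY_FAILURE, HOURLY_INTERVAL),
    ]:
        print(name, "->", backup_findings(copies, now, max_age) or ["OK"])
```

Run as a script, it reports 6 days and 2 hours lost for the weekly job (the article’s 6 days) and 59 minutes for the hourly one; the weekly local-drive set fails all three checks, while the hourly set with a verified cloud copy passes. The third check is the one most practices skip: a backup nobody has ever restored from is a hope, not a plan.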
Conclusion
Let’s recap and provide you with some quick bullet points to take action on.
Realize your data is actually very valuable! And just because you’re in animal health doesn’t mean you’re not a target in the healthcare industry, especially if your practice name contains the words hospital, clinic or medical.
Talk with your vendors! The good news is that there are a lot of really good vendors in the veterinary space that do have your best interest at heart. But don’t be afraid to ask questions and get clarification on how your data will be used.
Check your backups! Review how, where and how quickly you can recover your data. I can’t tell you the number of VMG meetings I’ve been to where a practice owner states, “I could go back to paper, it’s not a big deal.” Then they get hit, have no disaster recovery plan in place and are beating down our door for help. Don’t let this be you.