Data breach incidents have been on the rise in the last few years, with many companies, hospitals, veterinary practices and other organizations reporting that their data has been compromised. This, however, is not surprising: as technology progresses and our information continues to move to the digital world, malicious actors are becoming increasingly creative and coming up with ways to access that information without authorization.
Successful data access by these unauthorized actors resulting in loss of data or data being used maliciously is called a data breach.
Veterinary practices have become attractive targets for cyber criminals due to the amount of data they are able to obtain in a successful compromise. They have also become a top target because a majority of veterinary practices do not take cyber security seriously, whether through aging technology, a lack of security controls or a lack of proper data backups.
What a data breach means to your veterinary practice
A veterinary practice suffering a data breach may be devastating due to the damage such malicious actors may leave behind. One of the most extreme outcomes of a data breach is data loss.
If a veterinary practice has a poor data backup system, the result is a total and permanent loss of client, personal and veterinary practice data. Not being able to recover the data also means that, as a practice, you will need to start over again, including collecting information from your clients.
This can be devastating and may lead to huge financial losses, especially for small and medium-sized practices. Practice owners whose practices have been compromised are also likely to face legal challenges from their clients, especially in cases where sensitive data such as social security and credit card numbers were involved, leading to identity theft.
Most veterinary practice owners and managers think that they are covered by using the backup system of their practice management system. Unfortunately, these backups are never tested for integrity and, as a result, very rarely produce a successful backup.
How data breaches occur
As a result of a lack of security measures and systems put in place by practice owners, hackers can manage to access your data using some of the methods outlined below.
Denial of service (DoS) and distributed denial of service (DDoS) attacks
Both DoS and DDoS attacks aim to flood a network with requests until it cannot cope anymore, resulting in network outages. Although in many cases the hackers or DDoS initiators are not able to access the information, they also deny veterinary practice owners the ability to continue using their network, resulting in a data breach.
In many instances, though, it has been found that DDoS attacks do not amount to a breach of data and many people who take part in such attacks do it to cause havoc and losses to a practice.
Man in the middle attacks
This type of data breach involves using an already established communication channel to access unauthorized information without being noticed. Attackers are able to intercept network traffic, including information such as IP addresses, and access information they are not authorized to have. In most cases this is used against veterinary hospitals that don’t implement a separate, isolated guest Wi-Fi network, allowing a bad actor to access all your hospital information, generally from within your parking lot.
Password attacks
Data can also be compromised if system users use weak passwords that are easy to guess. This has become a very common method of attack and has resulted in many veterinary practices being compromised. Are you still using the same password for your server and practice management system that was issued by the vendor?
This also occurs when you use the same email address to access a variety of sensitive accounts without creating complex, unique passwords for each account. Once your email account is compromised, every account associated with that email account is at risk.
Phishing
Phishing emails have also been found to work on unsuspecting victims, which helps hackers gain unauthorized access to accounts such as email and social media accounts. These accounts are linked to other accounts containing personal data such as social security numbers and credit card information.
At Lucca we get calls at least once a week from veterinary practices that have been compromised via phishing attacks and need help cleaning up the mess. The most common is sending fake invoices to all your clients asking them to pay for outstanding veterinary service bills. They configure rules within the email account so that you have no idea this is going on until you start getting calls from your clients.
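The hidden mailbox rules described above can be found by reviewing the rules on each account. The following is an added example, not code from Lucca or from any mail provider: the exported rule list is constructed, and its field names (name, conditions, actions, forward_to) and the domain clinic.example are hypothetical.

```python
# Constructed sample of an exported mailbox rule list (hypothetical field names).
RULES = [
    {"name": "Newsletters", "conditions": {"from": "news@vendor.example"},
     "actions": ["move:Newsletters"], "forward_to": []},
    {"name": ".", "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": ["mark_read", "move:RSS Feeds"], "forward_to": []},
    {"name": "sync", "conditions": {},
     "actions": ["delete"], "forward_to": ["billing@mailbox.example"]},
]
# Folders staff rarely open, and words typical of billing conversations.
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "conversation history"}
BILLING_WORDS = {"invoice", "payment", "bill", "overdue"}

def audit_rule(rule: dict, own_domain: str) -> list:
    """Return the reasons a rule deserves manual review (empty list if none)."""
    reasons = []
    actions = [a.lower() for a in rule["actions"]]
    if "delete" in actions:
        reasons.append("deletes matching mail")
    if "mark_read" in actions:
        reasons.append("marks mail as read")
    for action in actions:
        if action.startswith("move:") and action[5:] in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely read folder '{action[5:]}'")
    external = [a for a in rule["forward_to"]
                if not a.lower().endswith("@" + own_domain)]
    if external:
        reasons.append("forwards outside the practice: " + ", ".join(external))
    words = {w.lower() for w in rule["conditions"].get("subject_contains", [])}
    if words & BILLING_WORDS:
        reasons.append("targets billing keywords")
    if not rule["conditions"]:
        reasons.append("applies to all mail")
    if len(rule["name"].strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons

def suspicious_rules(rules: list, own_domain: str) -> dict:
    """Map rule name -> reasons, for every rule with at least one reason."""
    flagged = {}
    for rule in rules:
        reasons = audit_rule(rule, own_domain)
        if reasons:
            flagged[rule["name"]] = reasons
    return flagged

if __name__ == "__main__":
    for name, why in suspicious_rules(RULES, "clinic.example").items():
        print(repr(name), "->", "; ".join(why))
```

A flagged rule is a prompt for manual review with the mailbox owner, since a legitimate rule can also delete or file mail.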
Malware and virus attacks
Your system can also be compromised by malware and viruses, such as key loggers and ransomware, that can access your data and upload it to remote servers for hackers to access.
A key logger runs on your network capturing every keystroke. Think you’re in the cloud so you’re safe? Not in this case. Key loggers gather your practice management system URL and save the user names and passwords of the key stakeholders in the practice. Because the system is cloud based, the attackers can access it from anywhere. Now they have access to your client database, which generally results in them sending your clients copies of invoices that those clients have already paid.
Ransomware is where the cyber criminal deploys software/malware onto your network to encrypt all of your veterinary hospital data, preventing you from accessing it. Depending upon what type of backup you have, it will encrypt your backups as well. These criminals then request that you send them $150,000 or more to unlock your network and data.
Most malware attacks are carried out through spam emails, where users click and download attachments that might be laced with viruses and malware.
What to do in case of a data breach in your practice
Get information about the breach
After realizing that your data has been breached, the first thing you need to do is to get as much information about the breach as possible. Ideally, you would have tools such as intrusion detection and/or prevention systems (IDS and IPS) that help log where security compromises have occurred and track the source of such compromises.
Determine how much data has been exposed
As a practice owner, the next thing you should do is determine how much of your system came under attack and how much data was accessed without authorization. It is important to have this information in order to determine the extent of the data breach, which can help you recover quickly.
Investigate the type of data that has been stolen
The type of data that has been stolen is also an important consideration. Data such as social security numbers, credit card information and personally identifiable information (PII) are more sensitive than guides and documentation, which may be found on the same systems.
The risk with personal data is that hackers can assume the identities behind the hacked accounts, resulting in long-term financial and legal problems.
Contact experts to run an audit on your system
After a breach of your system, ensure that you consult an IT audit expert, like Lucca, to take a look at the damage done and advise on what to do next. This includes coming up with plans to ensure that such compromises do not happen again in the future.
Initiate data recovery
Practice owners are required to initiate a data recovery process, using backed-up data to get up and running again. To do this, they must correct the mistake that led to the initial data breach.
Take the steps to learn your risk level
The best defense is a good offense. Lucca Veterinary Data Security can perform an IT Health & Cyber Security assessment on your network to determine where your gaps are. Lucca will also help you prioritize and budget for those gaps to help keep your practice safe in the 21st century. Schedule your FREE consult to determine how an IT Health & Cyber Security Assessment can help your practice.
Peace, Love & Plants,
Clint Latham J.D.
Lucca Veterinary Data Security
www.lucca.vet
The People of Veterinary Medicine Podcast