I should start off by saying that C.I.A. does not stand for the Central Intelligence Agency. Instead, it stands for Confidentiality, Integrity and Availability. Each of these concepts is vitally important to protecting the heartbeat of your practice. A prescription without a diagnosis is malpractice. C.I.A. allows us to diagnose our practice data and then write a prescription to keep it safe. We will look at each of these concepts and how you can use the C.I.A. to better protect your veterinary practice.
Confidentiality – How do we keep the bad guys out?
The unfortunate truth is that most practice owners don’t think that they have any data that someone would want.
The truth is, if you collect any personally identifiable information (name, address, phone number, email address or credit card number), you have data that people want. More importantly, you have data that the bad guys want to prevent you from accessing. The cornerstone of any security professional’s career is to look at and analyze what data we have and how we get it safe and healthy. This goes beyond the data found in our practice management system.
For example: I spoke with a practice that had their email compromised by a hacker. This hacker was then sending fake invoices to all of their customers. The customers who paid these invoices were sending money to the bad guys and not to the practice. When we think of data confidentiality, we need to analyze all aspects of the data we use in our practice and how to keep it confidential.
Encrypt your Data
Do your doctors travel or work remotely? One way to help keep your data confidential is to enable data encryption on that local laptop. Both Microsoft and Apple offer built-in encryption services: Microsoft uses BitLocker and Apple uses FileVault, and either is as simple as clicking a button to turn it on. Encryption prevents a bad actor from accessing the data on a lost or stolen laptop without having the user’s credentials.
Keep your internet communication Private
Leverage a VPN (Virtual Private Network) service. If your clinic has a business-class firewall, you can implement one. A VPN creates a secure, private tunnel between your computer and the firewall at the practice, which makes it far harder for someone to steal our communication from a home network, hotel or coffee shop internet connection, while also adding the protection of the firewall monitoring that traffic for any bad behavior.
Integrity – How do we manage changes to our data?
Separation of Duties
One of the ways that we can manage the integrity of our practice data is through the separation of duties. I see a lot of practices giving far too many rights and responsibilities within their practice management system to almost every staff member.
Example: One practice was having drugs ‘smartly’ stolen by a CSR who had access to drug inventory in the practice management system. It wasn’t until a security audit was done that they found out what was happening. The user was creating a drug request in the practice management system for tramadol for patients that were on the drug, just as their Rx was about to come due, then taking the drugs out of inventory and deleting the transaction.
When we separate the duties of the people controlling the sensitive information within our practice, it helps us create better data integrity. Integrity is all about putting in the proper controls so that the data cannot be manipulated in a malicious way.
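As an added example that is not part of the original post, here is how the two controls described above could be checked in code: a separation-of-duties review of a role matrix, and a scan of audit-log lines for a user who removes inventory and then deletes the same transaction. The permission names, the log format, the roles and the users are all constructed assumptions, not any real practice management system’s model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Permission pairs one role should never hold together (assumed policy).
CONFLICTING_PERMISSIONS = [("inventory.adjust", "transaction.delete"),
                           ("rx.request", "inventory.adjust")]

def sod_violations(roles):
    """Return (role, perm_a, perm_b) for every conflicting pair a role holds."""
    return [(role, a, b) for role, perms in roles.items()
            for a, b in CONFLICTING_PERMISSIONS if a in perms and b in perms]

def parse_audit_line(line):
    """Constructed log format: 'ISO-timestamp|user|action|record'."""
    ts, user, action, record = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record}

def suspicious_sequences(lines, window=timedelta(hours=1)):
    """Flag a user who removes inventory and then deletes that same
    transaction within `window`: the remove-then-delete pattern that hid
    the tramadol theft. A deletion by a different user is not flagged."""
    events = sorted((parse_audit_line(l) for l in lines), key=lambda e: e["ts"])
    removals = defaultdict(list)          # (user, record) -> [timestamps]
    flagged = []
    for e in events:
        key = (e["user"], e["record"])
        if e["action"] == "inventory.remove":
            removals[key].append(e["ts"])
        elif e["action"] == "transaction.delete":
            if any(e["ts"] - t <= window for t in removals[key]):
                flagged.append((e["user"], e["record"], e["ts"].isoformat()))
    return flagged

# Constructed sample data: a role matrix and a few audit-log lines.
ROLES = {
    "csr": {"appointments.edit", "rx.request", "inventory.adjust", "transaction.delete"},
    "dvm": {"rx.request", "medical_record.edit"},
}
AUDIT_LOG = [
    "2023-07-01T09:15:00|jdoe|rx.request|RX-1001",
    "2023-07-01T09:20:00|jdoe|inventory.remove|RX-1001",
    "2023-07-01T09:25:00|jdoe|transaction.delete|RX-1001",
    "2023-07-01T10:00:00|asmith|inventory.remove|RX-1002",
    "2023-07-01T14:30:00|mlee|transaction.delete|RX-1002",
]

if __name__ == "__main__":
    print(sod_violations(ROLES))            # csr holds both conflicting pairs
    print(suspicious_sequences(AUDIT_LOG))  # only jdoe / RX-1001 is flagged
```

In a real practice the role matrix would be exported from the practice management system and the audit log from its change history; the split of permissions across roles is what stops one person from both taking stock and erasing the record of it.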
One aspect of data integrity that is often overlooked is how a practice’s data is backed up. The biggest issue is that I have never seen a practice regularly test their backups. This test helps to create the cornerstone (not Idexx Cornerstone, hahaha) of our data integrity. When I talk with my DVM about putting our 15-year-old Yorkie under anesthesia for a teeth cleaning, there is a backup plan in place. We talk about how the equipment is tested and what people are involved, all with the goal of ensuring the health integrity of Atreyu. Our data is the lifeblood of our practice, and one way to ensure the health integrity of our data is through proper, tested backups.
Availability – How we make sure good people have access to the data they need, when they need it.
This is the section that gets a bit more technical in nature, but bear with me and I’ll break it down in terms that make sense. Once you have looked at the confidentiality aspect of the data in your practice, you should have a good idea of what data you have and what data is most important to your day-to-day operations.
There is a term we use in the security industry for data that needs 100% uptime. For most veterinary practices this is going to revolve around your practice management system and credit card processing systems. We need to make sure that we get paid!
Example: Most practices are backing up their practice management data either to local hard drives or to one of the cloud backup solutions offered by the larger practice management software firms. I have seen countless practices that have been down for 4 days or more without access to their practice management data while they were trying to get the data restored from one of these solutions. Remember testing the integrity of our backups in the section above? Can you see how each aspect of C.I.A. builds on the others?
As I write this, it’s summer here in the U.S. I received a call from a practice in the New Orleans, LA area. One of their biggest concerns was how to deal with the tropical storm and hurricane season. They regularly lose power and internet and had a scary incident where a power surge almost took out their server and backups. This was a clear availability issue. We need to look at battery backup or laptop solutions that can run on LTE (cell data services) that will allow us to access our data and check customers out during a power outage.
I spoke with a practice in New York that needed to get their doctors remote access to their system to finish up their SOAPs from home. Their local IT guy set up a solution that allowed them access. However, because only the Availability part of the equation was considered and Confidentiality was not, this created a security gap and the hospital was attacked. This is not to blame the IT guy. Most IT professionals are administrative IT professionals: people who are really good at helping with the day-to-day tasks and issues that come up in the practice. Most times they are so busy with the admin side of IT that IT security becomes an afterthought.
Ever wondered why bigger firms have IT teams and IT Security teams? This is not because they have more sensitive data. It is because they know that these are two very specialized areas of practice, just like a lot of general practitioners won’t do chemotherapy treatments and send the patient to the oncologist instead. Not that the GP doesn’t know a decent amount about how mitoxantrone works; rather, they know there’s someone with a far better skill set to see the treatment through to completion and ensure the integrity of the patient’s health.
One way to keep your practice safe is to think about your business in terms of C.I.A. Anytime you are about to make a change with regard to your data, think about how this change affects each of these 3 characteristics.
Confidentiality – Keeping the bad guys from accessing good information.
Integrity – Who can change what within our data.
Availability – How do we make sure the people who need access to the data have access when they need it.
If you’re interested in a FREE 2-week Cyber Security Awareness training program for your clinic, please reach out to Clint Latham at firstname.lastname@example.org.