What is cybersecurity? According to Juliana DeGroot of the data loss prevention software company Digital Guardian, “Cybersecurity is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyberattacks. It aims to reduce the risk of cyberattacks and protect against the unauthorized exploitation of systems, networks and technologies.”
According to the nonprofit Identity Theft Resource Center’s 2021 Data Breach Report, the number of reported data breaches jumped 68% in 2021 over the previous year. In each of the past two years the number of attacks involving ransomware doubled, and in 2021 these represented 22% of the total number of reported cyberattacks. Because of the increasing sophistication of ransomware attacks, with computer systems affected at school districts, major universities, police departments and hospitals, the White House held an international counter-ransomware event in October 2021. Representatives from more than 30 countries participated in the effort. The U.S. Treasury Department’s Financial Crimes Enforcement Network released a report in October 2021 stating financial institutions reported suspected ransomware payments of almost $600 million for the first six months of 2021—much more than the $416 million in payments reported for all of 2020.
The Financial Trend Analysis was written in response to the increase in number and severity of ransomware attacks against U.S. critical infrastructure since late 2020. For example, in May 2021, hackers used a ransomware attack to extort a multimillion-dollar ransom from Colonial Pipeline, causing gasoline shortages. Other recent attacks have targeted various sectors, including manufacturing, legal, insurance, health care, energy, education and the food supply chain in the United States and across the globe. As Treasury Secretary Janet L. Yellen noted, “Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy.”
Malware is any software designed specifically to disrupt, damage or gain unauthorized access to a computer system. Ransomware is the most common weapon of cybercriminals. After encrypting all the files on a victim’s devices, the hacker makes a demand for ransom that the victim must pay to regain data and the use of the computer. Botnets, where hackers take mass control of infected devices and direct them to do their bidding, are also common in malware. New ransomware can turn your computer into part of a bot system that infects devices, locks them up against your use, then spreads malware via spam email to your entire contact list.
According to Clint Latham, JD, of Lucca Veterinary Data Security, we all hear about big companies paying large ransoms after being taken over by malware. But most of us don’t think about the vulnerability of our veterinary practices, although many bad actors target small businesses.
“Every 39 seconds there is a cyber-attack of some kind, and 64% of companies worldwide have experienced a cyberattack of ransomware. In the year 2020, there was 423% year-over-year growth in this activity,” he reported at the Independent Veterinary Practitioners Association (IVPA) continuing education event in the fall of 2021.
He also reported that 94% of malware spreads through email and 43% of companies pay the requested ransom, with the average ransom request being $377,000. This number is probably influenced by the fact that the FBI will only investigate cybersecurity-related attacks if the ransom is greater than $500,000.
Unfortunately, said Latham, if you pay the ransom, you often become a repeat target. “Because of the growing importance of technology—especially with younger clients and younger practice owners—we are heavily reliant on our technology. So we have more risk,” he said.
Every major credit card brand requires merchants that store customers’ card numbers to follow the Payment Card Industry’s Data Security Standard (PCI DSS). However, if you have an open Wi-Fi connection in your veterinary office to allow clients to use your internet while waiting, a hacker can be parked in your parking lot and find a computer on your network that is doing credit card transactions and download all the data. That’s why you should segregate the Wi-Fi you use for your business functions from the rest of the network.
The so-called “cyber kill chain” consists of reconnaissance, followed by weaponization (delivery of the weapon through exploitation of weaknesses), installation of the bot, command and control of the computer network, and actions, Latham explained. The National Veterinary Associates (NVA) had 400 of its 700 hospitals compromised with ransomware in 2019, he shared, which prevented these practices from accessing their patient records, payment systems and practice management software.
The ransomware attack encrypted records on the company’s practice information management software and demanded payment to decrypt the files to restore access. In addition, he said Merck had $670 million in losses not just from ransom paid but also from lack of data and the loss of an entire infrastructure. Neither of these companies was a target, he said, but each was using a compromised tool or software.
According to Veterinary Information Network (VIN) News, malicious code can enter a computer through multiple means. It might come through a phishing campaign, which involves email appearing to be from a reputable source that lures the recipient to click on a link or download an attachment that then infects the computer. It could be a program that crawls the internet looking for vulnerabilities in systems. As a result, you can lose money from a bank account, be attacked through social media, or be infected from a fake resume sent as an attachment by email.
If you have images on a laptop that are considered medical records, these can be lost. The U.S. government passed a ransom disclosure act requiring you to disclose within 48 hours that you have paid ransom. If you don’t disclose your ransom payment, you will be considered to be funding criminals and might be subject to penalties. While this seems like a terrible approach, it is currently the law.
Regarding cybersecurity, the veterinary industry has four barriers to overcome, Latham said. The first is that 90% of ransomware installed on your computer results from human error in opening attachments that could have been recognized as false. Second, in the veterinary field, practice owners are trusting and empathetic, so they often fail to recognize their risk. Third, most people in veterinary medicine do not believe their data is valuable, so they fail to protect it. Lastly, most veterinary practice owners think “My IT guy has us covered,” but most people working in IT are generalists, not specialists.
Fundamentals to protect your practice include:
- Be sure everyone in your workplace understands how to identify and avoid “phishing lures,” also known as “bait,” which are the tactics cybercriminals use to create vulnerability where they can plant malware. Along with making sure your staff has training, it is especially important that they feel they’re psychologically safe to come to you if they make a mistake, such as opening a suspicious attachment. You do not want them to delete the email or restart the computer instead of sharing the incident with you.
- Back up data regularly to an offline source and test your incident response plan frequently to be sure your efforts are effective. Think very carefully about your data backups—how often you do them (ideally, at least daily), where you keep them (preferably offsite) and how fast you can recover your data. Data must be confidential, available and have integrity. If you are using a network hard drive and server for backup, your backup is likely to be compromised in the event of a cyber-attack. If your backup is in the cloud, with the speed of cloud downloads it could be four or five days before you can access your data.
- Be sure operating systems and applications on all the practice’s devices have the most current versions, with security patches updated regularly.
- Keep anti-malware software up to date.
- Test your IT team’s work to make sure you’re not vulnerable.
- Segment your network so your public Wi-Fi for clients is separate from the Wi-Fi for your office processes.
- If a message appears on a device warning of an infection, immediately disconnect the device from the internet and from the workplace network to try to prevent the problem from spreading.
Latham recommended a free tool called Blacklight, found at themarkup.org/blacklight. You can right-click a suspect website address, copy the URL and paste it into the box on the Blacklight page, where it will give you information about user tracking technologies associated with that site. Another free tool Latham recommended is virustotal.com/gui/home/upload. Because attachments can be dangerous and even resumes have been known to be infected with malware, this site allows you to scan an attachment for danger before you open it. After you navigate to this site, you can drag an attachment over for scanning to find between 35 and 40 types of malware.
A third site he recommended is haveibeenpwned.com, where you can key in an email address or a password and it will tell you whether you have been compromised.
Additional resources are available from the AVMA, including a valuable blog post written by Isaac Monson, assistant vice president and senior risk consultant at HUB International, and Erik Bernstein, president of Bernstein Crisis Management Inc., found at avma.org/blog/cybersecurity-your-practice. Take cybersecurity seriously and protect your practice before it’s too late.