Cyberattacks and ransomware are once again in the news, and veterinary clinics aren’t exempt from the impact of cracks in digital security. Threats include privacy breaches, extortion, lost data, and more. This isn’t a topic veterinary professionals can afford to ignore.
Fortunately, with preparation and prevention, you can safeguard your client and patient data, and have a plan in place to respond quickly if bad actors set their sights on your business. We spoke with Isaac Monson, assistant vice president and senior risk consultant at HUB International, and Erik Bernstein, president of Bernstein Crisis Management, Inc., to find out how to put smart safeguards in place and what to do if you come under attack.
How can I prevent cyberattacks?
Every organization should expect to deal with a data breach at some point. As veterinarians, we know that prevention is the best medicine, and preparation is key to protecting practices and reputations. Failing to prepare and prevent will put you on the back foot from the get-go. Here are reasonable, common-sense steps smaller organizations can take to lessen the likelihood of falling victim to cyber criminals:
Back up your data and keep up-to-date
Implement offsite backups for all data, and regularly update security patches on both individual laptops and the practice's network. While simple to implement, this action will help maintain a critical firewall for the network.
Educate everyone on the team
Cybersecurity awareness training for your staff is one of the most important prevention tasks you can undertake. Keep your staff current on cyberthreat trends and tactics, common red flags, what to watch for and be suspicious of, and how to report odd or suspicious network activity if they observe it. Fortunately, cybersecurity awareness training is widely available online, with relatively inexpensive options.
Assess existing technical controls
Network vulnerability testing and penetration testing are two important assessments that you can work with cybersecurity vendors to complete, and both types of assessments are intended to identify opportunities for improvement.
Other ways to prepare for cyberattacks
Some other important steps you can take include implementing multi-factor authentication for remote, email, and privileged user account access; additional email security to alert you to external or potentially malicious emails; remote desktop protocol (RDP) management; and endpoint protection (EPP) and endpoint detection and response (EDR) tools.
It’s also important to develop an incident response plan and business continuity plan. Like most plans, these are best created before you need them. When developing these plans, consider reviewing your liability insurance plan to know your coverages and the resources available to you. The AVMA Trust offers a variety of policy options that protect against cyber threats. If you’re not sure what your coverage includes, you can contact your agent at any time to discuss.
What are the signs that our system may have been compromised?
There are a few glaring and obvious examples, like a ransomware notice on your desktop that tells you your files have been locked. Or you may find out that your business email has been compromised after you pay an invoice sent by a scammer pretending to be a vendor.
Unfortunately, by the time you see those signs, it’s already too late. These are both real-life examples and reinforce why it’s critically important to have robust and regular data backups and how cybersecurity training can be a first line of defense. When you and your team know how to recognize a phishing email, for example, it’s easier to recognize real invoices versus real threats to your system.
"By the time you are seeing signs that your system has been compromised, it is already too late."
– Isaac Monson, Assistant Vice President and Risk Management Consultant, HUB International
I suspect or know that I’ve been compromised. Now what?
As a small or mid-sized business, your cyber incident response plan doesn’t have to be complicated or highly technical. Essentially, it needs to be a playbook that you and your team can use to begin contacting the right partners to get your network and business back up and running.
Contact your insurance agent
If you have a cyber insurance policy in place, one of your first calls should be to your insurance broker and insurance carrier to report the incident and determine if you should file a claim. Notifying the insurance company will activate breach response resources if they’re needed, including legal counsel, forensics, and crisis management. These resources will also be able to assist with notifying clients and restoring records, if necessary.
Get law enforcement involved
Report the incident. Cybercrimes aren’t reported to law enforcement at the same rate as other crimes, but they should be. The FBI’s Cyber Division works exclusively on these crimes and can provide increased protection when they are reported.
Implement a communications plan
Whether or not you have a cyber insurance policy, you may need support in forming a response and notifying clients. A crisis management plan, or even a consultant or crisis management company, can help. AVMA members who are facing a data breach or other threat to their reputation have access to a free consultation with crisis management experts from Bernstein Crisis Management. As an AVMA member, you receive up to 30 minutes of free consultation and advice—enough to help you stem the tide of attack in most situations. AVMA members also qualify for significant discounts if additional consultation or services are needed.
How you respond will depend on exactly what has happened and whether/what data has been breached. Communication requirements related to data breaches are governed by state laws and regulations, and these tend to be very specific. The Federal Trade Commission's Data Breach Response guide provides a good overview of steps to follow, and it’s critical to understand exactly what is required in your state. This is a time to consult legal counsel and/or a qualified breach coach to ensure you follow the letter of the law.
In any crisis situation, how you communicate with clients will impact your future relationship with them. Be sure to follow the three Cs in your communications: compassion, competence, and confidence. A data breach can put a practice’s reputation in question, but responding with those three traits can help mitigate damage.
Get hold of clients in a timely manner
If their contact information is still available, clinics can reach out to clients via telephone or email to inform them what has happened and how the problem is being rectified. If clients’ contact information is lost, you can use more public channels: social media like Facebook and Instagram, or a community forum like NextDoor.
Explain what happened and how it affects them
Clients’ first question in a situation like this will be, “What does this mean to me?” It’s important to put yourself in their shoes in crafting your communications and responding to any questions they may ask. If their personal information, such as credit card information or home addresses, has been compromised or lost, they need to know. The key is to tell them with compassion, acknowledge how they feel, and show professionalism and competence. While apologizing may put you in a murky legal position, you can and should express understanding and empathy.
"The key is to tell them with compassion and acknowledge how they feel."
– Erik Bernstein, President, Bernstein Crisis Management, Inc.
On the other hand, if no one’s personal data was affected, be sure to say that! If the breach is limited to patient information only, let your clients know. It’s still important to explain any burden this puts on the clients—which might include asking for their help and understanding during the process of recreating patient records, for example. In that vein, don’t forget to mention any disruption or slowdown in service that clients might experience as a result of the breach. Again, make sure your tone is compassionate.
Rebuild their trust
Once clients know how the situation affects them, clinics can begin rebuilding trust. Explain that you’re implementing new security protocols to avoid a repeat situation in the future. If you promise clients in the immediate aftermath of an incident that you’ll follow up, it’s important to stick to that promise and reach out as soon as you have a response for them. During every communication post-crisis, portray competence and confidence while handling the situation. You will get through it—and your clients will, too.