Cyber security. It’s not exactly the sexiest subject, and as a Vet or Practice Manager it’s probably not your specific area of expertise. It might even be a little bit intimidating.
We get asked a lot about how to protect veterinary practices from cyber attacks, so we’ve put together a list of the top 7 areas we target when beginning to work with a new practice. Each of the below sections can be a VAST topic, but we’ve condensed it down to quick and simple ‘bitesize’ chunks.
This is less about prevention and more about preparation. In the case where your protections fail, you will need to have prepared a robust continuity plan to enable your practice to keep functioning.
The key here is BACKUP, BACKUP, BACKUP! We say it three times because this is SO important, and with backup we always apply the rule of three:
- Three copies of data (this includes the live version)
- Two media types (for example an external hard drive and the cloud)
- One offsite copy
Also, always test your backup data! The last thing you want is to need to rely on it and find out it doesn’t work.
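As an added example (not part of the original article), here is one way to check an inventory of copies against the rule of three and to test a restore by comparing file hashes with the live data. The inventory, folder names and file contents are constructed for illustration, and the comparison assumes the live files have not changed since the backup was taken.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed inventory of every copy of the practice data (live copy included).
COPIES = [
    {"name": "live server", "media": "server disk", "offsite": False},
    {"name": "external drive", "media": "external hard drive", "offsite": False},
    {"name": "cloud backup", "media": "cloud", "offsite": True},
]

def check_rule_of_three(copies):
    """Return a list of problems; an empty list means the rule is met."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c["media"] for c in copies}) < 2:
        problems.append("fewer than 2 media types")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    return problems

def file_hashes(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def verify_restore(live_dir, restored_dir):
    """Compare a test restore with the data it was taken from."""
    live, restored = file_hashes(live_dir), file_hashes(restored_dir)
    return {
        "missing": sorted(set(live) - set(restored)),
        "corrupt": sorted(f for f in set(live) & set(restored) if live[f] != restored[f]),
    }

def demo():
    """Build a constructed live folder and a damaged restore, then check both."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        (live / "patients.db").write_bytes(b"patient records")
        (live / "invoices.csv").write_bytes(b"id,amount\n1,40.00\n")
        (restored / "patients.db").write_bytes(b"patient rec")  # truncated copy
        return check_rule_of_three(COPIES), verify_restore(live, restored)

if __name__ == "__main__":
    print(demo())
```
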
Over the past 8 years veterinary practices have become more and more reliant on the cloud. In fact, we don’t currently work with any practices that have no cloud-based systems. There seems to be a common (and dangerous) misconception that data in the cloud is inherently ‘safe’. This simply isn’t true.
When we talk about cloud security, we divide it into three areas:
- Backup – Look to have some form of basic backup in place so that if ever there was to be a platform disaster your data would be safe.
- Access control – We would recommend restricting access, for example by only permitting users access from authorized locations such as your practice, or even just by blocking access from outside of the UK.
- Auditing – If you ever fall victim to a breach you are going to want to know how it happened. Some services, such as Office 365, enable you to automatically act on the audit information by blocking unusual activity.
It’s important that you protect your internal network too. The three most urgent areas for vets to get right are:
- Firewall – The firewall is the bouncer for your business: it acts as a buffer between your business and the internet. You need to keep a record of what is open within your firewall and regularly review it, ensuring nothing is unnecessarily left open. It’s basic and inexpensive but it works!
- Guest Wi-Fi – Create an isolated wireless network for your clients’ and staff’s personal devices to use when visiting your premises. Keeping your business Wi-Fi isolated means you are reducing the risks of unauthorised users gaining access to your data via the Wi-Fi. You can even configure some guest Wi-Fi systems to use a Facebook ‘check-in’ as the password, meaning free marketing for your practice!
- Secure Remote Access – This really depends on your practice setup, but it’s easy to implement simple fixes. Essentially it boils down to reviewing who has access to your network and data remotely and ensuring that you are using the best technologies available to keep them secure. (You will need the help of a professional for this, but we’ve written a guide to help you on your way.)
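The firewall point above asks for a record of what is open and a regular review. As an added example (not from the original article), this sketch compares such a record with an export of the current firewall rules and flags anything open but unrecorded, recorded but no longer open, or overdue for review. Both CSV layouts, the sample rows and the 180-day review interval are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed record of what the practice has agreed should be open.
RECORD_CSV = """port,protocol,purpose,last_reviewed
443,tcp,practice management system,2024-01-10
1194,udp,remote access VPN,2023-02-01
"""

# Constructed export of the inbound rules currently set on the firewall.
FIREWALL_CSV = """port,protocol,action
443,tcp,allow
3389,tcp,allow
25,tcp,deny
"""

def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def review(record_csv, firewall_csv, today, max_age_days=180):
    """Compare the written record with what the firewall actually allows."""
    record = {(int(r["port"]), r["protocol"]): r for r in load(record_csv)}
    recorded = set(record)
    open_now = {(int(r["port"]), r["protocol"])
                for r in load(firewall_csv) if r["action"] == "allow"}
    overdue = [key for key, row in record.items()
               if (today - date.fromisoformat(row["last_reviewed"])).days > max_age_days]
    return {
        "open_but_unrecorded": sorted(open_now - recorded),
        "recorded_but_closed": sorted(recorded - open_now),
        "review_overdue": sorted(overdue),
    }

if __name__ == "__main__":
    for finding, ports in review(RECORD_CSV, FIREWALL_CSV, date.today()).items():
        print(finding, ports)
```
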
Server and endpoint security
This is a bit of a monster section so bear with us. We’ll start with the basics: when we refer to an ‘endpoint’ we mean laptops, desktops, thin clients etc! There’s lots to consider here so we’ll start with the easiest:
- Anti-virus – Don’t use free anti-virus. Just don’t! It is expected under GDPR that every single device your practice has must have professional grade anti-virus that is kept up to date. No exceptions.
- Advanced Threat Detection – This often comes as part of many modern anti-viruses. It incorporates things like behavior analysis, looking at how any potential threat behaves and acting accordingly.
- Software Patching – There is no excuse to not be regularly updating your software. It’s a basic step that is expected as part of GDPR. This means your operating systems, such as Windows, and any third-party software you might use on your system, such as Google Chrome.
- Mobile Device Encryption – At a minimum look to encrypt your hard disk. This means that if your device is lost or stolen your data will be safe as a key is required to get access to it (which only you will have). If you are on Windows 10 you have access to Windows BitLocker technology which is completely free of charge.
Does your practice use any mobile devices or tablets? This is generally quite common for farm vets who travel from site to site and with practices who use systems with apps.
- Anti-virus – If the devices that your vets use are owned by the practice then you must make sure that they have some version of anti-virus installed. (You can use free versions here if you want.)
- Mobile Device Management – This ensures that all your mobile devices remain compliant as per your practice policies, allows apps to be centrally deployed by you and retains control over your data should the device get into the wrong hands.
There’s a lot of very clever technology out there to protect you and your practice network but there is one thing it cannot defend and that is your staff! Luckily there are a few things you can do to try and mitigate the risk:
- Review Access Rights – Ensure that your team only have the ability to access the platforms, files and actions that they need to do their job.
- Website Filtering – Control the sites that your employees have access to and ensure they don’t accidentally access a compromised site.
- Real-time education – Utilise solutions such as phishing simulators. These simulators help by training your employees to identify and report dodgy emails through customised and authorised phishing campaigns.
This is another big topic, which we will go into in more detail in a dedicated blog. But as you are here now, here are the basics:
- Passphrase (with multiple words) – Use multiple passphrases and where possible make the associations unique to you. Just remember your brain likes to picture things e.g. Projector Table Light
- Unique password per site – Always have unique passwords for each key site (e.g. banking, ecommerce sites etc.). If hackers get one password the first thing they will try is using those credentials on other sites.
- Account lockout policy – A lot of hackers utilise dictionary or brute-force attacks. By enabling account lockout, your account will be locked after a certain number of failed attempts and you will be informed.
- Password managers – Remembering multiple passwords can be challenging, so use password managers such as Dashlane or LastPass.
- Multi-factor authentication – Where available utilise technology such as Multi Factor Authentication. MFA requires you to confirm it is you accessing the site via another method e.g. text, email, phone, RSA device etc.
So there we are… the best 7 ways to protect your practice from cyber attacks! It’s a huge amount of information to digest in one sitting and it may seem like a mammoth task. If you have any questions, no matter how big or small, just book in a chat with one of our Veterinary IT Experts here.