“How did the hacker even get into my practice systems?” It’s a question we get asked a lot. Most owners or practice managers don’t think that their practice would ever be a target, so cyber security is never really on their radar. This, coupled with the huge amount of data they hold and the emotive nature of the work, makes veterinary practices prime targets for hackers. The ‘it will never happen to us’ mindset is exactly what created the opportunity for the ransomware attack on the NVA (National Veterinary Associates) last year, which lasted for 4 months and impacted over 400 veterinary hospitals across the US!
Having worked within the veterinary industry for over 15 years, we’ve seen a pattern in the way that hackers have breached practices and caused havoc. Below we’ve narrowed down the top 5 ways that a hacker can get into your practice.
Phishing for Vets
Phishing is when hackers lure email recipients and web users into believing that a spoofed website or link is legitimate. We’ve all had those fake Amazon emails drop into our inboxes, thanking us for a purchase we never made and encouraging us to click on a link.
Unfortunately, these days, phishing emails are becoming harder and harder to spot, especially within the context of a veterinary practice. For example, we have seen live examples of practice managers transferring funds based on an email they thought was from one of the managing partners, but was in fact from a malicious hacker.
Something as simple as just opening a phishing email can open the door to a hacker, and you might not even know that it has happened. Often, once in your systems, a hacker will sit and wait until the most advantageous time to strike. In the latest case we’ve seen, a hacker had actually been in the email system of a practice for over a month!
Insecure Remote Setup at Veterinary Practices
If you use a PMS (practice management system) such as Robovet, Teleos or RX Works, you probably have a server system running locally, and are therefore more likely to have a way to access it remotely, whether because you run multiple practices or because you want to be able to work from home.
Without getting too technical, if you can access your system remotely (even if this isn’t something you do on a regular basis) and you don’t put the necessary measures in place, then it’s possible that a hacker can too! Once they are in your system they can wreak havoc.
During lockdown we noticed a surge in veterinary practices being caught out by this as everyone rushed to be able to access practice data remotely. If you need remote access to your systems you really should make sure that this is set up by a professional to ensure your practice is kept safe and your data secure.
If you would like more information on setting up remote working at your practice, read our article “Remote Working: Getting the Basics Right for Your Practice” or download our guide “Preparing Your Practice and Team for Remote Working”.
Veterinary Specific Social Engineering
Social engineering is when you are lured into providing confidential information to a hacker. They gain your trust by acting like a person of authority or importance, asking for information (such as credit card information, personal information or even just a password) that you could legitimately be expected to provide. This particular trick is easier to pull off when your veterinary practice is busy and your staff are distracted. Often the person who falls victim won’t realise what they’ve done until it’s too late.
The example we gave for phishing is also a case of social engineering. In this specific case a hacker presented themselves as a partner at the practice over email and extorted a large sum of money. Once the money is out of your practice account it’s near impossible to get back.
Veterinary Software Patches
This is a key area that a lot of veterinary practices fall short on, even after the introduction of GDPR, which requires all businesses to keep their software up to date. Let’s use Microsoft as an example. Throughout the lifecycle of its products, Microsoft has traditionally released software patches to close loopholes and backdoors in its systems as it finds them. But earlier this year it brought a selection of its products commonly used by vets to ‘end of life’ (which means they are no longer being supported or updated). The older a piece of software gets, the more well known these loopholes and backdoors become. If they aren’t being closed, your risk of being breached increases exponentially.
Unfortunately, not many veterinary practices are aware of this, and are continuing to use these out-of-date products, inadvertently putting themselves at the mercy of hackers and getting in trouble with the ICO.
(Note: the end-of-life systems referred to are Windows 7, Office 2010, Exchange 2010, Small Business Server 2011 and Windows Server 2008. For more information, read our article on the 2020 Problem or download our guide “The major IT disaster that will affect 1 in 3 veterinary Practices”.)
Breach via Practice IoT Devices
IoT stands for ‘Internet of Things’, which essentially covers all smart devices, for example smart TVs, Amazon’s Alexa and Google Home. You can even get smart fridges these days! The most famous case of a breach via an IoT device (and in our opinion the most ridiculous) is a hacker stealing money from a casino in America having got into their systems via a fish tank smart thermometer!
The most likely IoT culprit you have in your veterinary practice is a smart TV, probably on the wall in your waiting room. It might surprise you to know that it would take a hacker only 2 minutes to access your practice systems via that TV.
The issue with IoT devices is that they are generally not updated as often as our computers, yet they still access our systems via the internet. The most common issue we find with veterinary practices is not only that these devices are rarely ever updated, but also that the practice manager or owner has bought and installed the smart TV themselves without configuring it securely, mostly due to not knowing they had to.
If, whilst you’ve been reading this, you’ve been thinking to yourself ‘well now you mention it, this is just common sense’, then you are right! But unfortunately, most often it’s the obvious ways in that work best for hackers.
If you would like to learn more about how to protect your practice from hackers and cyber attacks, why not watch our on-demand Beware of Hackers Webinar.