vet clinics – how vulnerable and exposed is your business to a cyber attack or internet hack or ransomware hijack?
Vet clinic contingency plans
Vet clinic back up plans – and deployment
Best (and latest) best practice password guidelines for your vet clinic
Identity theft – how to protect yourself
Free wifi – use it at your peril
How at-risk are you – or not – from cyber viruses – the type of virus that no vaccine will ever, sadly, eradicate.
At the moment it seems like NZ is being attacked on multiple fronts with viruses – we’ve got Delta wreaking havoc with everyone and, if that’s not enough, there are some really mentally sick and cruel people infecting businesses and private citizens with computer viruses.
Over the last couple of weeks some pretty big kiwi companies have been brought to their knees for a few hours because their website – or other IT systems – have been rendered inoperable.
As at recording this – mid September 2021 – Kiwibank is still having issues.
The multinational company Olympus issued a statement yesterday stating it’s “currently investigating a potential cybersecurity incident affecting its European, Middle East and Africa computer network”.
Ransomware as a service is big. I know – who would’ve thought you could buy such a service! But it’s a huge business.
It’s a form of organised crime which your clinic could be either hit by directly, or get caught up in the crossfire from one of your suppliers.
A year ago, Universal Health Services – which runs 400 hospitals in the US and employs 90,000 people across 45 states – was attacked.
Here in Hamilton, the Waikato DHB was hit by a Ransomware attack which crippled Waikato hospitals and clinics from the Coromandel, down to Ruapehu, from Raglan to Waihi – for weeks!
The attackers typically go for organisations they believe have information so sensitive – like healthcare – that the victims will pay to keep it confidential, or that are wealthy and can therefore afford to pay the ransom.
Now, true or not, real or not, you and I both know that public perception is that if you’re a vetmed professional you earn a fortune which means that owning a clinic is a license to print money.
It doesn’t matter that this is incorrect.
Perception is everything.
Which means you and your clinic could be a target. If not your clinic specifically, the sector generally. The NZVA made reference to this last year – and urged members to make sure their cyber security was updated.
Because of the perception that vetmed is lucrative, we must all be extra vigilant.
When last week’s attack hit, you may have experienced the fallout yourself in your vet clinic – you went to process an EFTPOS payment and the system was down.
As I’m recording this, you may still be impacted – especially if you’re part of the Kiwibank network.
Once upon a time, before VetStaff, my husband and I owned a website development and hosting company. I’m pleased we sold it, as it was getting really stressful. It doesn’t matter how many firewalls you put in place to protect a website from attack, it can still happen. But when it’s someone else’s business – that wasn’t a level of stress or responsibility I enjoyed at all.
Unfortunately, there’s no vaccine to protect you against cyber viruses.
Therefore, what I wanted to talk about today are some of the things you need to have in place to help protect your clinic’s website from getting infected and/or attacked.
If you have an email address you look after at work, then this episode is for you, just as much as it’s for your practice manager or principal who owns your clinic.
If you don’t have someone dedicated to looking after your clinic’s IT network – consider outsourcing that function to a company that specialises in that. This is too responsible a function to do yourself or to put that weight of responsibility on someone on your team, if your background isn’t IT security.
Even though I consider myself reasonably IT literate, I would hate to be, say, the practice manager in a clinic and have the IT network as one of my responsibilities.
I struggled a few years’ ago to stay current with the ever-changing IT landscape. Today things change even faster. To expect someone to stay abreast of all the changes that take place daily in the IT world is a huge and, I believe, unreasonable expectation to put on someone.
A few weeks’ ago I was locked out of VetStaff’s website. At the same time I also couldn’t send or receive emails. It turns out the server that hosted the server that hosted the server that hosted the server we use, was hit by a DOS attack.
It was the Friday afternoon things went down in Countdown New Lynn – I remember it well because I was flicking between getting updates on that news and the outage that had hit lots of NZ businesses – including ours.
The purpose of today’s podcast is to get you to think about the service you provide to your clients and what Plan B do you have in place if your computer system goes down.
One of the simplest ways to help protect yourself – and your business – is to always ensure you have the latest software update installed on your computer and your mobile phone. Those updates that can be a pain in the proverbial to install – do them – because they serve a security purpose.
If your clinic is attacked – a DDoS or hack of some kind – or you’re caught up in a service provider’s fallout – can you still function?
Will your phones still work?
Are you able to send / receive emails?
Which of your patient monitoring systems need the internet to run and if they can’t run, what are the ramifications of that? Are your patients’ lives at stake? What emergency procedure do you have in place ready to kick in, if you need it?
Have you practiced it? Does it work? Do you know how to restore your data?
Let’s say your system has a complete meltdown – maybe gets hit by lightning – a complete Act of God – that destroys all your files – maybe even some critical equipment.
What contingency plan do you have in place should something like that happen at your clinic?
Okay – so you do daily back ups and therefore you think you’re okay … it’s not something you ever think about because you back up.
But when was the last time you attempted to restore your backup?
Does everyone know how to do it?
And then when you’ve restored it – does it work?
In my office we do two lots of backup: we have a daily back up and a weekly one. The daily one is to the cloud. The weekly one is on some kind of disk thingy which we swap around. The backed-up disk is kept offsite so that if there’s, say, a fire, and we lose everything, we’ve at least got files that are only a week out of date.
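The restore drill the questions above are asking for, as an added example rather than anything from the episode: it builds a small constructed clinic folder, zips it with a SHA-256 manifest, restores it to a separate directory and checks every file against the manifest, then deliberately alters one restored file to show what a failed drill looks like. Paths, file names and contents are all constructed for the example.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large image or database files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Zip every file under source_dir and return a manifest of relative path -> sha256.
    The manifest is stored inside the archive too, so the restore side can check itself."""
    source_dir = Path(source_dir)
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(path)
            zf.write(path, rel)
        zf.writestr("MANIFEST.json", json.dumps(manifest, indent=2))
    return manifest


def verify_tree(restore_dir, manifest):
    """Compare a restored directory against a manifest. Empty list means everything matched."""
    restore_dir = Path(restore_dir)
    problems = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_and_verify(archive_path, restore_dir):
    """Extract an archive we created ourselves and verify it against its embedded manifest."""
    restore_dir = Path(restore_dir)
    with zipfile.ZipFile(archive_path) as zf:
        zf.extractall(restore_dir)
    manifest = json.loads((restore_dir / "MANIFEST.json").read_text())
    return verify_tree(restore_dir, manifest)


def run_restore_drill():
    """Constructed end-to-end drill. Returns (clean_result, tampered_result):
    the first should be an empty list, the second names the file that no longer matches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "clinic"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "fluffy.txt").write_text("constructed patient record\n")
        (src / "invoices.csv").write_text("date,client,amount\n2021-09-10,Smith,85.00\n")
        archive = Path(tmp) / "clinic-backup.zip"
        make_backup(src, archive)

        restore = Path(tmp) / "restore-test"
        clean = restore_and_verify(archive, restore)

        # Simulate bit-rot or tampering on the restored copy, then re-check it.
        (restore / "invoices.csv").write_text("date,client,amount\n2021-09-10,Smith,850.00\n")
        manifest = json.loads((restore / "MANIFEST.json").read_text())
        tampered = verify_tree(restore, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_restore_drill()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

The point of the drill is the second half: a backup that exists is not the same as a backup that restores correctly, and the only way to know the difference is to restore it somewhere harmless and check the files, on a schedule, by someone other than the one person who set it up.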
A couple of months ago, the BBC published a story about how the Bangladesh Central Bank lost over $100m to hackers. It turned out that the bank’s system was protected only by a cheap internet router with no proper inbuilt firewall services.
According to Alan Chew – head honcho at Houston Technology Group in Hamilton – there are still many kiwi businesses running their IT systems relying on outdated firewall systems. If you’re relying on a home-level router & firewall system to protect your business, it’s like driving a car without wearing your seat belt.
Here are some kiwi stats:
- In the first quarter of this year – 2021 – $3million was lost as a direct result of cyber crime in NZ. That figure was an increase of 7% on the last quarter of 2020.
- According to CERT NZ, phishing and credential harvesting is one of the most reported incident types, making up 46% of all incident reports in the first quarter of this year.
Phishing campaigns – those are fake emails made to look like the real thing – can have a big impact on individuals through to large organisations, and can result in financial, data, operational and reputational losses.
Phishing is often the precursor to other attacks and scams, like email compromise and data leaks.
Because phishers are just getting smarter and smarter, recognising a scam is getting harder and harder.
If you’re working late at night remain extra vigilant – because clicking on a link you shouldn’t have – because you’re tired and/or distracted – can bring everything around you to fall down in one big screaming heap.
Here are X ways to double check a phishing email:
Believe it or not, the phishing email is often sent from a gmail or Hotmail or other general, public domain name. When an email LOOKS the part – that is, they’ve used all the colours and branding of, say, your bank or one of your suppliers – and you’re tired, you may not even check whether the email is a phish.
Always, always, always check the FROM email address.
Because the FROM address won’t necessarily be the address they’ve used to get you to open the email.
Hypothetically speaking, someone could send an email from email@example.com – you think you’re getting an email from me because that’s the address that showed up in your inbox – but they’ve just masked their real address with my address.
So always check and double check the email address.
Also, make sure the address is the real McCoy – that it’s not something like customerservice at asbbank.net instead of dot co dot nz.
Many phishers will distort the URL to make it look like the real thing, but a word may be deliberately misspelt or they’re using the wrong suffix – a strange dot-something instead of dot com or dot co dot nz.
Carefully check the spelling – for example, some phishers buy domain names that, at a quick glance, look like the real thing. When you’re tired, an “r” and an “n” together look like an “m”.
X – English isn’t the writer’s first language
Some emails are pretty good while others are obviously scams.
If the email is supposedly from a corporate you’d expect the English to be good – if it’s not, it’s probably a phishing email.
Look for grammatical mistakes – not spelling mistakes. We all make spelling mistakes from time to time but words used outside of their correct context are giveaways.
This can happen when a phisher uses, say, Google translate to craft their message – they won’t have the English language skills to realise what they’re sending isn’t grammatically correct.
Another question you can ask yourself is whether the email you’re receiving is consistent with other emails you’ve received from this person – that is, the person who’s supposedly sending you the email?
Mouse-hover over links – including hyperlinked words like “click here”
When you hover your mouse over a link on your laptop or desktop, check the real link address at the bottom of your screen – it’ll show up in full down there. If it’s not legit – ie, the correct company website address – then it’s a scam.
It’s not as easy to do this on a mobile phone but you can copy and paste the address and see where it goes by opening a URL window.
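The three checks above (the real FROM address, lookalike or wrong-suffix domains, and where a link actually goes versus what it shows) turned into a small screening script, as an added example that is not part of the episode. It runs on a constructed sample message; the trusted-domain list, the sender addresses and the links in it are all made up for the example, and a real deployment would load the clinic’s actual supplier and bank domains.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list: domains this clinic genuinely expects mail and links from.
TRUSTED_DOMAINS = {"asbbank.co.nz", "kiwibank.co.nz", "example.com"}

# Character pairs that look alike at a glance; "rn" for "m" is the classic one.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
TRUSTED_BRANDS = None  # filled lazily from TRUSTED_DOMAINS


def registrable_name(domain):
    """'mail.asbbank.co.nz' -> 'asbbank', so different suffixes can be compared."""
    labels = domain.lower().split(".")
    for suffix in ("co.nz", "nz", "com", "net", "org"):
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            labels = labels[:-len(parts)]
            break
    return labels[-1] if labels else ""


def domain_verdict(domain):
    """Classify a sender or link domain: trusted, wrong-suffix, lookalike or unknown."""
    global TRUSTED_BRANDS
    if TRUSTED_BRANDS is None:
        TRUSTED_BRANDS = {registrable_name(t) for t in TRUSTED_DOMAINS}
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    if registrable_name(domain) in TRUSTED_BRANDS:
        return "wrong-suffix"          # asbbank.net instead of asbbank.co.nz
    normalised = domain
    for fake, real in LOOKALIKES:      # undo rn->m etc. and see if a real brand appears
        normalised = normalised.replace(fake, real)
    if normalised in TRUSTED_DOMAINS or registrable_name(normalised) in TRUSTED_BRANDS:
        return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(raw):
    """Return (check, detail) warnings for one raw message; empty list means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    verdict = domain_verdict(sender_domain)
    if verdict != "trusted":
        warnings.append(("from-domain", f"{addr} is {verdict} (display name {display!r})"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain.lower():
        warnings.append(("reply-to", f"replies go to {reply_to}, not {addr}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            shown = ""
            if "." in text and " " not in text:   # link text that itself looks like an address
                shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and shown != host:
                warnings.append(("link-text", f"shows {text} but goes to {host}"))
            elif domain_verdict(host) != "trusted":
                warnings.append(("link-host", f"{href} is {domain_verdict(host)}"))
    return warnings


# Constructed sample: branded-looking mail from a public mailbox, a Reply-To on a
# wrong-suffix domain, a link whose text shows the bank but points elsewhere, and a
# "click here" link to a lookalike domain.
SAMPLE = """\
From: "ASB Bank Customer Service" <customerservice.asb@gmail.com>
Reply-To: customerservice@asbbank.net
To: clinic@example.com
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://asbbank.net/login">www.asbbank.co.nz/login</a> to confirm your details.</p>
<p>Or <a href="http://exarnple.com/reset">click here</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for check, detail in check_message(SAMPLE):
        print(f"{check:12} {detail}")
```

Each warning corresponds to one of the manual checks from the episode, which is the point: the same things a tired person is told to look for at 11pm can be looked for by a mail filter every time, before the message reaches an inbox.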
In NZ there’s almost one cyber attack happening every hour – that’s around 25 per day, causing around $13 million worth of damage. That’s an increase of 68% on the previous year.
When it’s time to replace your router or your firewall make sure you upgrade it with a sophisticated version – not another firewall of the same genre as the one you’re replacing.
Also – create a new password.
I remember having coffee with one of our webdevs a few years back – we were talking about cyber security. He wanted to prove to me that most businesses didn’t change the passwords that came with their wifi gear. I didn’t believe him.
I thought that changing the password that came with the piece of gear would be step number one. Turns out not – the web developer I was having coffee with was able to login to the café’s wifi. If he wanted he could have changed the password and created all sorts of havoc.
He didn’t – he told them about the huge gap in their security system.
Double check your wifi security password – please make sure it’s unique and not the one it came with when you set it up.
Now that you’ve changed your wifi’s password, what do you do if you’re attacked by a DDOS attack – that’s a distributed denial of service attack. Like what happened that Friday I was talking about earlier.
One of the first signs you’re under attack is that you won’t be able to send / receive emails.
Another way is to visit your website – you’ll find you won’t be able to access it. It’ll say it’s unavailable right now and to contact your internet service provider – your ISP.
Hopefully, your server is being professionally managed and hosted – not a DIY thing under the principal’s desk – and your ISP will already know you’re under attack and will have taken steps to mitigate the risk.
Now, because you’re an on-to-it clinic – you’ll have an incident response plan – you and your team will know what to do next AND they’ll know where to find this information.
If you’re on the receiving end of a DDoS attack, your customers might not be able to get hold of you – if you have VoIP phone lines, they could be down too – and your reputation could be affected.
Remember – your customers don’t know what’s going on – they just know they can’t get hold of you, you have their precious fur baby and they’re worried about it.
So what is a Denial of Service attack – here’s how CERT NZ describes it:
“When you type a URL for a web page into your browser, you send a request to the site’s computer system asking to view that web page. DoS attacks work by ‘flooding’ a website with fake requests in an attempt to overload the system. As websites and networks can only process a certain number of requests at once, this blocks any genuine requests from getting through.
Imagine it like the other kind of traffic. If the amount of cars is normal, theoretically, traffic should flow easily and everyone should get to the right destination on time. If you increase the flow of traffic exponentially, from all different directions and with no merging like a zip, traffic will come to a standstill. Then all the services in the city that rely on the roads grind to a halt – no pizza delivery, no rail-replacement bus home.
What that ends up looking like is that a website can’t load or loads slowly, or a payment can’t go through, or people’s internet being down. The cars on the road can’t get to their intended destination.
The distributed part relates to the practicalities of how attackers can best deny service. To overwhelm a big service like a bank, an attacker might struggle to do so from one place, so recruiting many other computers and their network connections provides a way to gang up on the victim. Sometimes this pool of attackers is doing so on purpose, but more often the systems doing the attacking are co-opted in an earlier, separate, hack.”
Is it possible to protect yourself against DOS attacks?
The answer to that is maybe … possibly … but you need to talk to your internet service provider about your situation and whether it’s possible or not.
When you talk to them you want to ask them how your clinic can get DOS protection.
CREATE A PASSWORD POLICY FOR YOUR BUSINESS
I mentioned before about having a Plan B policy, or SOP in place.
Something else you can do is have a password policy. This is a good way to make sure your staff have the right information to help keep their user accounts safe, and the business’ networks and systems secure.
I can’t think of any position in a clinic that won’t require access to the clinic’s computer network.
The more people you have accessing the network, the greater the opportunity for a vulnerability to develop.
Having a password policy is one way you can mitigate this risk.
Strong passwords are a good place to start.
Creating strong passwords for network accounts is an effective way to protect your clinic and keep it safe from attack.
The first thing you need to do is make sure your team understands what a good password is, and why it’s important. As a rule, passwords should:
be unique — used for one account only, not reused across many accounts
be long and strong. A passphrase made up of four or more words is often better than a password (and easier to remember)
avoid being based on personal information. For example, don’t use your pet’s name or your mother’s maiden name as your password. Personal information like that is easy to find online. It’s often the first thing an attacker will use when trying to access someone’s account
be kept safe. Encourage your team to use a password manager to store their passwords in.
We’ve put some guidance together on creating good passwords that you can share with your staff.
https://www.cert.govt.nz/individuals/guides/how-to-create-a-good-password/
I’ve added a video produced by CERT.GOVT.NZ on how to create a good password – you can find it at episode 46 at pcwn.fm
If you want to make sure the team at your clinic create strong, unique passwords for their accounts, you need to give them the tools to do so. This could mean updating your password policy.
Talk to whoever’s responsible for your clinic’s IT. They’ll probably be extremely relieved and excited to hear you’re visiting your cyber security policies.
However, if you manage your own network, you’ll need to:
- review the rules around what kind of passwords your system will accept – some need to have a combination of words, upper and lower cases, characters and numbers, be greater than 12 characters long, etc – I’m sure you’ve thought up great passwords to a new account only to discover after you’ve painstakingly typed it in, that it’s unacceptable.
- define rules that will stop the system accepting weak or common passwords
If you manage your network on a cloud service, you might not be able to set the rules around password use. However, you can encourage staff to use good passwords and emphasise to them why it’s important.
Best practice advice on password management has changed recently. The National Institute of Standards and Technology (NIST) has released new password management guidelines you can follow.
Here’s what you need to do.
1. Ask your staff to set strong and unique passwords instead of asking them to change their password regularly
Asking staff to change their password regularly is counterproductive to good password security. People choose weaker passwords when they know they have to change them often.
When I worked at Telecom I had one password with two variations – depending on whether it was an odd or even numbered month. Instead, you want to ask them to create one long, strong and unique password for their account.
If your system currently prompts staff to change their password on a regular basis, change the setting. Staff should only have to change their password if you suspect their account, or the business network, might be compromised in some way.
2. Ask for longer passphrases
A passphrase of four or more words is stronger than a mix of characters, symbols and numbers, and it’s easier to remember. For example, ilikeeatingbreakfast.
Some password systems set rules asking staff to include a mix of symbols, letters and numbers.
The problem with these rules is that people tend to use predictable methods to meet these requirements.
It often means they’ll tag a ? or ! to the end of their password so that it includes a symbol. This creates passwords that are hard to remember. Instead of imposing a set of rules like this, ask your staff to use longer passwords or passphrases.
3. Encourage staff to use two-factor authentication (2FA)
Using 2FA adds an extra layer of security to accounts.
It’s more secure than asking security questions to authenticate users in a system.
This is because security questions often relate to personal information that’s freely available online and easy for attackers to find, particularly on social media.
Using 2FA instead means that anyone who logs in to your system will need to provide something else to verify that they are who they say they are. This could be a one-time password or code sent to their phone, for example.
Using 2FA to secure your business
4. Set up protection against vulnerable passwords
Simple passwords such as Password! or Welcome1 are easy for attackers to guess. Attackers often use databases of common passwords when they’re trying to gain access to accounts.
If you manage your own network, set up your system so it won’t accept common passwords. You can configure your system to only accept long, strong passwords instead.
If you manage your network on a cloud service, circulate a list of common passwords that staff should avoid using.
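The four NIST-style rules above as one acceptance check, added here as an example and not taken from the episode, CERT NZ or NIST: minimum length, a passphrase-friendly approach with no composition rules, a blocklist of common passwords that also catches the “tack a ! or a digit on the end” trick, and a check against the personal information (pet’s name, username) the episode warns about. The common-password list is a constructed stand-in; a real system screens against a full breached-password list.

```python
import re

# Constructed stand-in for a real common/breached password list.
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "123456", "iloveyou", "admin"}

MIN_LENGTH = 12  # the "greater than 12 characters" rule mentioned above; no expiry, no symbol rules

LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def _normalise(password):
    """Undo the predictable tricks people use to satisfy composition rules:
    a trailing ! or ? or digits, and simple letter-for-number substitutions."""
    core = re.sub(r"[\d!?@#$%^&*.]+$", "", password.lower())
    return "".join(LEET.get(ch, ch) for ch in core)


def check_password(password, username="", personal_tokens=()):
    """Return a list of reasons a password is unacceptable; empty list means accepted.
    Deliberately no 'must contain a symbol' rule: length and uniqueness do the work."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalise(password) in COMMON_PASSWORDS:
        problems.append("a common password, possibly with a symbol or digits tacked on")
    lower = password.lower()
    if username and username.lower() in lower:
        problems.append("contains the username")
    for token in personal_tokens:           # e.g. pet's name, mother's maiden name
        if len(token) >= 3 and token.lower() in lower:
            problems.append(f"contains personal information ({token})")
    if len(set(password)) <= 2:
        problems.append("too repetitive")
    return problems


def is_acceptable(password, username="", personal_tokens=()):
    return not check_password(password, username, personal_tokens)


if __name__ == "__main__":
    # Constructed candidates: the episode's own passphrase, and the kinds it warns against.
    for candidate in ["ilikeeatingbreakfast", "Password!", "Welcome1", "P@ssw0rd2021", "fluffythecat2019"]:
        print(f"{candidate:22} {check_password(candidate, 'jsmith', ('Fluffy',)) or 'OK'}")
```

Note what the checker does not do: it never asks for an upper-case letter or a symbol, and it never asks for a change on a schedule. Those two rules are exactly what produce Welcome1 and its odd-month and even-month variants.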
Some staff may worry about remembering their passwords, so encourage them to use a password manager.
A password manager is an app that stores and protects your passwords. The only login details they’ll need to remember are the ones for the password manager itself. If you allow / use a password manager at your clinic, make sure everyone uses the same one OR you have a list of approved password managers.
You can find different password managers by googling “Password Managers”.
When it comes to choosing a password manager there are several things your clinic needs to consider – for example:
Cloud vs local?
Where do you want it to “live” – at your clinic or in the cloud?
Cloud-based options can be more flexible to access from wherever you need, easier to set up and easier to maintain. However, they do require trusting the provider, and making sure multi-factor authentication is switched on.
Locally hosted options require putting less trust in external parties, but will mean you’ll need to stay on your toes and ensure you do what’s needed to maintain your password app.
Also, locally hosted options can limit your ability to access them from external locations – for example, for staff members who are working from home.
3. Security features
The first important feature your password manager needs is strong encryption algorithms and practices.
Encryption algorithms, like software, can have vulnerabilities that allow people to decrypt the data without having the original key.
It’s important the password manager you select uses up-to-date encryption algorithms.
Also ensure it uses multiple layers of encryption, so one weakness does not lead to the compromise of a database.
Strong encryption key practices are also important, especially if you are considering cloud-based password managers.
Password managers rely on the concept that only the end user can decrypt the database with their master password.
If the tool provider maintains their own access or a copy of your master password so they can decrypt the database, this can introduce a lot of risk.
Have a chat with your internet service provider first – they’ll be able to steer you in the right direction.
Other important security features to consider are:
- Multi-factor authentication for accessing the password database. This is especially important for any end users who are storing sensitive passwords – for example banking, client/patient data, your accounting or client management software, or if the password manager is cloud-based.
- There is no ability to reset master passwords without multi-factor authentication. Password reset functions are often abused in order to bypass authentication. Having it so users can’t reset their master password is the best way to ensure this process can’t be used as a bypass technique.
- Now – even though the #1 rule of passwords and PINs is never share, sometimes there are times when sharing “secrets” with external parties is required. For example, you may need to share passwords or other secrets with support vendors, and your password manager should help you manage this in a safe and secure way.
- Logging of all activity in the password manager. Having logs of who accessed what passwords, and when, is particularly important if you have any shared passwords. You’re also likely to want to log authentication, both successful and unsuccessful, to assist detecting account compromise.
So that’s security when it comes to passwords and websites.
What are you doing to protect your identity – because if there’s a password breach like I’ve just talked about, there is every possibility identities could be stolen as well.
The department of internal affairs at dia.govt.nz has a whole section on what to do if you think your identity has been stolen.
If you think this has happened to you, they identify five different scenarios that raise red flags for you:
- You’ve lost documents, or had them stolen
- Your mail has been stolen or misdirected
- You’ve received suspicious mail or phone calls
- You think someone has obtained a document in your name
- You’re concerned about strange transactions or something else
The different types of information which can be stolen and then used to steal your identity include:
- Your name, date and place of birth
- Your address and phone number
- ID – including your passport and driver’s licence
- Bank account numbers
- Email addresses
- Social networking details
It’s hard to determine the extent to which identity theft occurs in NZ, but the DIA estimates it costs the NZ economy approximately $200 million each year.
It’s hard to prosecute – oftentimes the perpetrators are doing it overseas and/or online.
In the days of social media where everything and everyone is soooo public, it’s really easy to forget that what you’re saying and sharing online could be picked up by people with less than honourable intent, who could use it against you down the track.
There are some pretty basic steps you can put in place when it comes to protecting your identity.
For example, always shredding important documents – bank statements, letters from the IRD, ACC, your bank, your doctor, specialist, pharmacy.
Remember to take the labels off any medication bottles or packets before you throw them in the bin.
Check the security settings on all your social media accounts – what have you labelled as public and what’s protected?
I hope you’ve found this helpful – I’ll put links on episode 46 at pcwn.fm for you to refer to, if you’d like more info.
The biggest thing I can stress right now though is to stay updated with the latest software updates, get the professionals involved – this is too serious for you to DIY – and if in doubt, treat the link as “leaky” – assume it will just open up a whole bunch of infiltration holes.
Free wifi – use at your peril
And lastly – as attractive as free wifi is, please don’t use it for doing anything you wouldn’t want anyone else having access to because they’re not safe or secure.
How many times have you, say, stayed at a hotel and they’ve given you the password to the “guest” login to the free wifi – the exact same password they’re giving to everyone else.
You don’t know who’s lurking around inside the hotel’s free wifi network. You don’t know who’s been there before you and planted a virus that could infect your system. Or could copy your keystrokes. Or gain access to your personal information like your bank account, your clinic’s bank account, patient files.
Use free wifi to play games that require internet access. Use it to listen to podcasts or watch videos but please don’t use it to clear emails or to do confidential work on.
When you’re chatting with your IT professionals about shoring up your clinic’s security make sure it’s super selective about which wifi systems it’ll allow access to and from.
For example, maybe if you’re the clinic owner, or you’re the PM or HR manager who works from home sometimes, that it’s okay for you to have access from your secure wifi settings at home but it’s not okay for you to work from the café down the road using their free wifi.