Joseph Axne is the founder and owner of IT-Guru, a provider of information technology services to veterinary practices. He previously headed technology infrastructure for the nationwide 911 dispatch system of American Medical Response, a medical transport company.Read Articles Written by Joseph Axne
Veterinary practices have become more and more dependent on computers and computer networks as they go paperless or paper light. Because of this dependency, having an information technology security strategy is a must to ensure your hospital’s computer systems stay functional so that you can schedule appointments, provide medical treatments, and charge clients for your services.
A layered approach is necessary to protect hospitals from the many nasty threats in today’s world. The leading threat is ransomware, a virus that encrypts your data, holds it hostage and causes major downtime. I have seen malware infections shut down hospitals’ computers and networks for three to five days and in some cases two weeks.
In a 2017 survey of 1,700 IT professionals, 75 percent reported that ransomware had led to business-threating downtime and 57 percent stated that ransomware had caused the loss of data and even hardware.
Even if you think your computers and networks are secure, there is no 100 percent guarantee. However, you can take steps to provide your practice with reasonable security.
Here is what I do to virtually stop ransomware attacks at my clients’ places of business. Review these seven areas to see if your hospital has gaps that need filling.
This is by far the most important measure you must have in place to protect your hospital. Remember that backup systems have changed over time, so a simple data backup is not going to solve your issue. Consider:
- RPO (real-time protection option): In other words, how often do you back up your practice data? I recommend hourly throughout the business day. At least every 24 hours is a must.
- RTO (real-time objective): How quickly can you be up and running should your main server fail? I recommend solutions that can get hospitals back online in one hour. I often see RTO solutions of three to five days, so be sure to understand what you have in place before an issue occurs. You don’t want a long downtime when your clinic is dependent on technology.
2. Staff Training
Cybersecurity and phishing education is a must. Malware often gets into computers and networks because of a human mistake. Clicking a hyperlink in a false email can pave the way for malware. Spam protection doesn’t do enough to stop these simple threats, and virus protection can allow the threats to pass through.
I work with companies that offer ethical phishing services. These services can phish, or fool, your employees and look for vulnerabilities. These companies educate your team into the habit of identifying mistakes to avoid and can assist your practice in becoming more secure.
3. Operating System Patches
Ensure that the computer or device you use has been updated with critical patches. Software and device manufacturers often release patches monthly. One example is Microsoft and its Windows operating systems. Microsoft’s patches are released every second Tuesday of the month. Ask to see your patching report and make sure all workstations are at least up to date with critical patches. Patches plug security holes that can let malware in, and they help prevent malware from spreading should it get into your computers and networks.
Make sure you understand the patching level of every machine on your network. If you have any operating systems that are no longer supported or patched, like Windows XP, it’s time for an update. Also keep in mind that support for Windows 7 is set to end about a year from now — in January 2020 — so having a plan and a budget to retire those old operating systems by the end of 2019 is a must.
4. Third-Party Critical Software Patches
Your operating system probably has software installed that must be maintained as well. These are applications like Adobe Flash, Adobe Reader, Java, Silverlight, Firefox and Chrome. All these apps connect and touch the internet in some fashion, and they must be kept up to date. Otherwise, if you happen to be surfing the internet and a website is compromised by malware, sophisticated attackers can use your outdated software to slipstream malware into your computers and networks. This can happen through the simple act of browsing the internet.
Ask to see a report of all the different third-party applications installed on each computer at your hospital. Either uninstall what is not needed or make sure the apps are updated to protect against known threats.
5. Business-Class Firewall and Security Subscription
Ensuring that your hospital’s gateway — all inbound and outbound internet traffic — is protected by a business-class firewall is a great security practice. I am not talking about a device issued by your internet service provider or one you purchase from Best Buy or Office Depot. The firewall should have a built-in security subscription to protect your practice by inspecting each and every packet that goes in and out of your network.
These devices also can assist with providing secure Wi-Fi and allowing you to have two configured networks: public for your clients’ and staff’s personal devices and private for any approved devices like hospital laptops and tablets.
6. Web Protection
Security beyond the firewall helps protect against threats. DNS (domain name services) protection is a recent security layer that has stopped virtually all infections I have been seeing. Six years ago was the last time I had to clean up an environment from malware infection, and I can honestly say this one layer was crucial.
DNS is a simple service. Instead of remembering an IP address like 18.104.22.168, people remember names like Google.com or Yahoo.com. DNS takes the name and transcribes it into a number. Security services around DNS will help ensure that if you try to visit a website or IP that is compromised, your access will be stopped. If your computer becomes infected and the malware “phones home” to the attacker, the call won’t take place, preventing the machine from becoming fully infected.
Ask what type of protection outside the firewall is in place to protect DNS queries. If you don’t have anything, I recommend adding this layer as soon as possible.
7. Anti-virus and Anti-malware
Having a centralized anti-virus solution is a must, but it also should detect and fight malware. These solutions usually require a paid subscription. Free versions work but are often not centralized for management.
Ask to see a report of each and every machine in your hospital and make sure that centralized anti-virus or anti-malware software is installed and active. The software is good only if it is kept up to date and runs correctly.
Using a layered approach to computer security will protect your hospital from costly downtime caused by ransomware and other malware.
If you’re not especially tech-savvy, ask for help from the person responsible for your hospital’s IT operations.