How Healthy Is Your Cybersecurity?
Veterinary telemedicine providers aren’t doing enough to protect themselves and their clients from hackers.
Are you considering implementing or expanding veterinary telemedicine? Are you concerned about the security of the information transmitted back and forth? You should be. Cybercrime is on the rise in incidence, severity and sophistication. Stories about ransomware continuously dominate headlines.
Health care is increasingly at risk of cyberattacks that can cause significant losses, both operationally and financially, for anyone who is unprepared. An estimated 94% of human health care organizations have been cyberattack victims, according to one report. The more digital that medical and veterinary data become, the more vulnerable they are to cybercriminals.
Attacks on human health care institutions have interrupted essential services and shut down computers. Affected services include appointments, elective procedures, laboratory results, prescriptions, payroll and accounting. The potential also exists for taking over medical equipment, like surgery robots.
Many of these services are embedded in telemedicine and must be protected during in-person and virtual visits. As people work remotely, the endpoints requiring protection are amplified.
An Ever-Present Threat
Cyberattacks are not limited to large human hospitals but also extend to small businesses and individuals, all of which use the internet extensively. The internet has revolutionized how we exchange information and conduct business. Today’s world has already moved from the internet to the IoT (Internet of Things) to the IoE (Internet of Everything). Unfortunately, cybersecurity has lagged, such that breaches are no longer exceptions.
The most significant threat to veterinary medicine is the disruption that cybercrime could cause to small clinics. Considerable harm could come to veterinary clients’ personal and financial information. Health care data, considered more valuable than credit card information, is being used to create new identities.
Cybersecurity concerns must not deter enthusiasm for telemedicine despite the increased strain on those responsible for security, because the benefits of virtual care exceed the risks. In human health care, telemedicine is expanding meteorically to improve care, meet urgent needs, reach underserved populations and respond to patient preferences. Veterinary medicine is chasing the trend.
Additionally, human health care, to be followed closely by veterinary health care, is moving toward a system that is measured and quantified, continuous and proactive, technology-enhanced, data-based, artificial intelligence-enriched, integrated and connected. Virtual care is an important component of the trends toward the continuum of integrated health care.
As digital health, data storage and accessibility, artificial intelligence, and computing power advance, medical information will be increasingly digital, comprehensive and more accessible than ever. Before long, digital devices, such as wearables that monitor significant health parameters, will increase the veterinarian’s ability to maintain, if not exceed, current standards of care and do so remotely. Those standards likely will reside on a solid foundation of digital trust.
Prevent, Mitigate and React
What are general tips for addressing cybersecurity? The National Institute of Standards and Technology summarizes successful strategies as focused on prevention, mitigation and reaction, concentrating on people, processes and systems. All cybersecurity strategies depend on organizations and individuals. Each organization must safeguard against cybercriminals by developing appropriate strategies and policies.
For example, Texas A&M University has a robust information technology division that sets strict, relevant policies required of all university employees. Some might find the policies intrusive because they require extra steps and permissions. Still, in the complex labyrinth of interconnected computers and internet access, only one nonsecure computer or careless employee is needed for cybercriminals to hack the entire university system and hold valuable data for ransom.
One has only to imagine the consequences of cybercrime involving veterinary research at educational institutions, the hospital operations at veterinary medical teaching hospitals, or the personal information of faculty, staff and students.
A small veterinary practice would not have the resources or need for an elaborate IT system, but it can develop processes and information systems to mitigate security threats. Even small businesses must be aware of the risks associated with connections involving employees’ devices and computers.
Another risk is user passwords, which should not be shared, weak or kept in nonsecure physical or digital locations. Competent outside vendors should help develop a strategy.
Communication strategies to achieve a desired level of cybersecurity are essential but complicated. Cybersecurity is complex and hard to grasp by the untrained. People often see a cyberattack as something that might occur in the future rather than as an immediate threat or an occurrence that happens to someone else. They must be well-informed about the serious risks associated with cybersecurity and be motivated to understand and apply the information. This knowledge, understanding and commitment must become requirements of employment.
Layers of Protection
Many business leaders lack sufficient knowledge about cybersecurity, so it is reasonable to assume that most veterinarians lack expertise, too. As such, outsourcing security protection services to a reliable third party is an option. The good news is that while the volume of cybersecurity incidents has risen, the percentage of organizations reporting having achieved a high level of cyberresilience is increasing, too. Precautions matter and are largely effective.
Some organizations have turned to insurance coverage as an added protection against cybercrime. While insurance can help with the financial burden of a cyberattack, it cannot help with the reputational aspect of a data incident, nor can it retrieve lost data. Never use insurance as a substitute for good security.
Cybersecurity is a necessity today and must become a household word. Veterinary practices and all employees must take personal responsibility to protect against cybercriminals. There is no digital health without some risk of data security risk. Still, cybersecurity concerns must not retard progress in human or veterinary health care when it comes to telemedicine and digital health.
Innovation Station guest columnist Eleanor Green is the former dean of veterinary medicine at Texas A&M University and a senior adviser and consultant with Animal Policy Group. She is a founding board member and co-chair of the Veterinary Virtual Care Association. Guest columnist Ashby Green is the chief financial officer of Soma Global Inc. and the founder of Gazelle Capital. He has nearly 25 years of accounting, finance and leadership experience. Guest columnist Dave Summitt is the chief information security officer at H. Lee Moffitt Cancer Center and Research Institute in Tampa, Florida. Guest columnist Mark Cushing is a political strategist, lawyer and founding partner of the Animal Policy Group.
CRUNCHING THE NUMBERS
The 2020 Cyber Resilient Organization Report, produced by IBM and Ponemon Institute and available at ibm.co/2OyhkiS, found that:
- 51% of organizations reported a significant business disruption during the past two years due to a cybersecurity incident.
- Loss of skilled staff (41%) and a lack of budget (40%) were the top reasons organizations said they did not improve their security posture.
- 16% stated a lack of C-level buy-in and support for their lack of a healthy security posture.
- 45% of organizations had no plan for how they would respond to a ransomware attack.
WHAT YOU CAN DO
Consider taking these cybersecurity steps:
- Establish measures to detect, prevent, contain and respond to cybersecurity events.
- Create programs and processes to maintain email security. Passwords should be robust, secure and not shared.
- Educate employees about cybersecurity.
- Ensure that knowledge of and a commitment to cybersecurity are requirements of employment.
- Consult with or employ cybersecurity experts and managed service providers.
- Explore the feasibility and availability of cybersecurity insurance. Insurance protection should not be an excuse for not deploying a good cybersecurity program.