Considering cybersecurity: 9 ways to protect your hospital
Cyberattacks, ransomware, and data extortion attacks on businesses continue to make headlines, and veterinary hospitals have good reason to be concerned.
Sponsored content from HUB International
From having clients’ or employees’ personally identifiable information (PII) stolen to being locked out of the hospital’s practice management software or online appointment systems, the impacts of a cybersecurity incident can be devastating. Fortunately, with preparation and awareness, you can protect your hospital, your clients, and your reputation.
Why cybersecurity matters in veterinary medicine
It’s easy to assume that cybercriminals only target large organizations, but mid-sized and smaller businesses often fall victim as well. Attackers look for the easiest targets first, and a business with poor cybersecurity hygiene is exactly that. With artificial intelligence making attacks cheaper and easier to run, an organization of any size can be targeted.
A cyber incident can lead to serious legal consequences, and the cost of responding to an attack can be significant. Outside experts may need to be called in to investigate and clean up; threat actors with a foothold in the network may demand a ransom in exchange for restoring access to hospital software or stolen PII; and business can be lost to the operational disruption caused by the attack and the time needed to recover. Depending on the nature of the incident and the type of information that was stolen or exposed, an attack can also result in liability settlements and regulatory penalties.
What is PII?
Veterinary hospitals hold more sensitive data than many owners realize. Employee PII includes driver’s license and Social Security numbers collected for I-9 documentation. Hospitals also hold protected health information, such as medical documentation attached to an employee illness or workplace injury insurance claim; client payment card data; and proprietary business information or intellectual property. For hackers, protected health information is particularly valuable, fetching up to 10 times the price of credit card data on the black market.
Understanding cyber threats
Cyberattacks generally fall into two categories: internal and external. Internal threats come from current or former employees and can occur either by accident or with malicious intent. For example, a team member might unknowingly click on a phishing link or fall victim to a social engineering scam, while a disgruntled employee might deliberately install malware after a dispute. External threats typically involve hackers using phishing, ransomware, or vulnerabilities in your software, either to gain access to valuable information or to hold your systems hostage.
Regardless of the source, the path to a data breach often follows a familiar pattern:
- Step 1: Reconnaissance. The attacker gathers intel about your systems, including weaknesses like exposed services on open ports, unpatched software, and the names and email addresses of staff.
- Step 2: Initial Access. The attacker gets a foothold through a weakness such as a weak or reused password, a phishing email that an employee acts on, or an unpatched system found during reconnaissance.
- Step 3: Privilege Escalation. The attacker moves from user-level access to administrative control.
- Step 4: Maintaining Access. The attacker installs backdoors or other persistence tools in order to remain inside your systems undetected, even after the original weakness is fixed.
- Step 5: Covering Tracks. The attacker clears or tampers with logs and other evidence of the breach.
- Step 6: Extracting Data. The attacker steals your business’s data and, in a ransomware attack, also encrypts or corrupts it so that it can be held for ransom.
Some cyberattacks become apparent during one of the early steps. Sometimes, though, a business owner won’t know they’ve been hacked until they receive a ransom note, or worse, a client calls to say their credit card was stolen.
Human error: The ultimate cybersecurity vulnerability
Even with good technology in place, human error remains a significant source of cyber vulnerability. Social engineering tactics like phishing emails and phone scams are simple, cheap, and incredibly effective. In these attacks, criminals pose as vendors, banks, or even other staff members to trick an employee into clicking a malicious link or handing over login credentials. Phishing has become increasingly sophisticated, with tactics like:
- Spear phishing, which targets specific individuals using personalized messages.
- Clone phishing, where a legitimate email is duplicated with a malicious link.
- Whaling, which goes after senior leadership or individuals with financial access.
Training your team to recognize and report these tactics is your first and best line of defense.
Small changes, big returns: Nine ways to enhance your hospital’s cybersecurity
- Ensure that all new technology deployments are hardened according to industry configuration standards, such as the CIS Benchmarks, before they are connected to your network.
- Update your software regularly, including operating systems, browsers, practice management software, and antivirus programs. Cybercriminals exploit known vulnerabilities, and patches are your shield.
- Use a password manager and enable multi-factor authentication (MFA) wherever possible, especially for email, remote access, and your practice management and online appointment systems, which attackers target first.
- Ensure that your identity and access management practices enforce the least privilege and need-to-know principles. Restrict each user’s permissions to only what they need in order to do their job, and remove access promptly when a team member leaves.
- Back up your data consistently, both to the cloud and to a secure local drive that is disconnected when not in use. Make sure your backups are immutable, meaning they cannot be altered or deleted for a set retention period even with administrator credentials, so ransomware that reaches your systems cannot destroy them. Test a restore periodically; a backup you have never restored from is not a backup you can rely on.
- Vet third-party vendors before introducing new software or platforms to your network. Ask about their security protocols, how they handle your data, and their breach history.
- Educate your team through regular cybersecurity training. Encourage hospital staff to report suspicious activity without fear of blame; a report that arrives early is worth far more than a confession that arrives late.
- Create policies for internet use, device management, and remote work security, especially if you have team members who access systems from home or public networks.
- Conduct regular penetration testing and remediate the findings, starting with the most severe. This limits the ability of threat actors to infiltrate your organization.
How to know if you’ve been compromised
The signs of a cyberattack vary significantly. Some signs of an attempted or ongoing attack are obvious, like receiving a ransom note or a suspicious invoice that drains your account. Others are subtle: slow systems, logins at unusual times or from unfamiliar locations, repeated failed logins followed by a successful one, or reports of odd client account activity.
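The subtle signs above can be checked for without expensive tooling. The script below is an added example, not code from the article or from HUB International: it reads a small constructed authentication log (the log format, account names, addresses, clinic hours, and failure threshold are all hypothetical) and flags successful logins that happened outside business hours, came from an address never seen before for that account, or followed a run of failed attempts. The same three rules apply to exports from a practice management system, an email service, or a VPN, once the log lines are parsed into the same fields.

```python
"""Added example (not part of the original article): flag suspicious logins
in an authentication log. Log format, users, IPs, clinic hours and the
failure threshold below are constructed/hypothetical."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log, one event per line: "timestamp user source_ip result"
SAMPLE_LOG = """\
2024-03-04T08:02:11 drjones 10.0.0.15 SUCCESS
2024-03-04T08:05:40 frontdesk 10.0.0.21 SUCCESS
2024-03-04T12:31:05 drjones 10.0.0.15 SUCCESS
2024-03-04T21:15:33 drjones 10.0.0.15 SUCCESS
2024-03-05T02:47:19 frontdesk 203.0.113.77 FAILURE
2024-03-05T02:48:02 frontdesk 203.0.113.77 FAILURE
2024-03-05T02:48:30 frontdesk 203.0.113.77 SUCCESS
2024-03-05T08:10:00 frontdesk 10.0.0.21 SUCCESS
"""

# Assumed baseline: addresses each account normally logs in from.
KNOWN_SOURCES = {"drjones": {"10.0.0.15"}, "frontdesk": {"10.0.0.21"}}
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed clinic hours
FAILED_BEFORE_SUCCESS = 2                     # assumed threshold


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source_ip: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return events


def off_hours_logins(events, start=BUSINESS_HOURS[0], end=BUSINESS_HOURS[1]):
    """Successful logins whose time of day falls outside [start, end)."""
    return [e for e in events if e.success and not (start <= e.ts.time() < end)]


def new_source_logins(events, known_sources):
    """Successful logins from an address not in the account's known baseline."""
    return [e for e in events if e.success and e.source_ip not in known_sources.get(e.user, set())]


def failures_then_success(events, threshold=FAILED_BEFORE_SUCCESS):
    """Successful logins preceded by >= threshold consecutive failures
    for the same user and source address (a password-guessing pattern)."""
    alerts = []
    streak = {}  # (user, ip) -> consecutive failures so far
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.source_ip)
        if e.success:
            if streak.get(key, 0) >= threshold:
                alerts.append(e)
            streak[key] = 0
        else:
            streak[key] = streak.get(key, 0) + 1
    return alerts


def triage(text, known_sources, threshold=FAILED_BEFORE_SUCCESS):
    """Run all three rules and return one row per flagged login, oldest first:
    (timestamp, user, source_ip, (reasons...))."""
    events = parse_log(text)
    reasons = {}
    for e in off_hours_logins(events):
        reasons.setdefault(e, []).append("off-hours login")
    for e in new_source_logins(events, known_sources):
        reasons.setdefault(e, []).append("new source address")
    for e in failures_then_success(events, threshold):
        reasons.setdefault(e, []).append(f"success after {threshold}+ failures")
    return sorted((e.ts.isoformat(), e.user, e.source_ip, tuple(r)) for e, r in reasons.items())


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, KNOWN_SOURCES):
        print(row)
```

A login that trips all three rules at once, as the 2:48 a.m. front-desk login does in the sample, is the kind of event the response plan should be triggered for immediately; a single off-hours login from a known address is usually a question for the staff member rather than an incident. Tune the hours and baseline to your hospital, and keep the baseline in a place the attacker cannot edit.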
By the time you notice an attack is underway, the damage might already be done.
Your hospital’s data is valuable, and your clients’ trust is priceless. Being able to 1) quickly detect a cybersecurity event, 2) identify the event as potentially malicious, and 3) declare an incident and trigger the response plan* before things escalate is crucial to limiting the impact of a cybersecurity incident.
*The moments after a data breach are crucial, and a rapid response is essential to minimizing the fallout from an attack. HUB and the AAHA Recommended Insurance Program have prepared an incident response plan which hospital owners can use to prepare for cyberattacks. If you’re interested in receiving the cybersecurity response template, please reach out using the contact info below or contact your HUB International representative.
Bio: Jessica Molina is a Senior Risk Consultant for HUB International specializing in veterinary risk management. In her role, she collaborates with internal and external clients to reduce risk and improve operations for a national veterinary medical association and its membership. Jessica has over 20 years of vet med experience, having served as a hospital administrator, management services consultant, director of operations, and corporate regional operations advisor. These roles included safety oversight responsibility, including risk assessments, program development, and training. She is also an experienced Human Resources professional with extensive experience driving company programs from employee life cycle management to risk mitigation.
Contact: [email protected]