It is a day like any other in your veterinary practice. Clumsy puppies and hissy kitties are coming in for their vaccinations. Your associate is working hard in surgery. You can hear the chatter from the front desk team as they are taking calls and answering questions from clients as you are moving from exam room to exam room. Then there are some of the worst words spoken that can be heard in a veterinary hospital: “Um doctor, something is wrong with our computers…all of them.”
Interrogations ensue and not one person ever really knows “who done it” or “how it happened”. All that you know is that your team can no longer access your software or your most important files to help you serve your patients and clients. All of the PDF docs, Word docs, and photos have been locked down and encrypted. When you try to open any of them a message reads that you must pay $10,000.00 in bitcoin to get your files back and then it gives you payment instructions. What a great day! These types of viruses are called RANSOMWARE and they are a plague upon veterinary hospitals all over Texas and North America.
Most of the time this invasion is done with subtlety through an email. The email appears to be from either a co-worker or someone who is likely to email the hospital. The subject line may read: “Please help me open this” or “Please look at this” or some other subtle but firm command to help with opening or looking at something. The unsuspecting user opens the attachment. It is an executable file (these end in .exe) and now every computer in your entire network is infected and every file is encrypted. You have a choice. Pay the ransom and hope they are kind enough to remove the encryptions…or…you tear down your entire network and start over. Oh and there is a third choice, all of your data was backed up and secure…your IT consultant shows up and has your hospital back up and running within a few hours. That last one represents the vast minority of practices who are hit by these techno bandits.
This is a nightmare that I have witnessed several animal hospitals suffer through over the last few months. I am writing this to save all who read it a great deal of heartache, downtime, and money. This is America and you are free to ignore my advice, but I suggest you do what I am about to tell you if you haven’t done so already.
STOP! Do not open email attachments without VERIFICATION
Read the subject line. If the subject is not a common subject line that you see regularly, STOP. Do not open the email. Contact the person who is sending it in person (if possible). Delete it otherwise. I know many veterinary hospitals have a publicized email address for clients and vendors, this brings me to the next order of protection.
Overhaul and Change your email system…immediately.
Stop using any email addresses with your clinic’s domain name. Yeah I know you paid for it but your email addresses are not private if you did not select the privacy option when establishing your website and email hosting. Remove all email addresses from your web pages. These butthole hackers can also find your email addresses on your website and mimic it. So please, remove email addresses from your website pages. Now, you need to create two brand new email addresses. I suggest you only use Gmail because they have great filters.
- Create an email address for client communication only. Give this out in your ON HOLD message, give it out on your business cards. DO NOT PUT IT OUT ON YOUR WEBSITE. Your website should be equipped with a “contact us form” that is filled out by the client and then it automatically emails to your client communication email address.
- Create an email address for vendor communications only. Give this out to your lab services, your pharma suppliers, and other vendors you purchase services and products from.
- Forbid the staff from utilizing any personal email and all social media other than these two email addresses on your hospital’s network.
- Designate only 2 or 3 people on your team to handle emails and the practice social media pages.
Backup Your Data
Veterinary hospitals are data heavy businesses and this is why they are targeted more often than other businesses by ransomware pirates. There are patient medical records, inventory records, accounting records, HR records, and diagnostic imaging records. Often, these software systems that operate these records exist on the same network and server. There are some hospitals who do a great job of backing EVERYTHING up. There are others who only backup the patient medical records but they do not backup anything else…these are the ones who suffer the most in these virus attacks.
These are applications you should use to backup your data:
For all PDF docs, Word Docs, Excel Docs, and Photos
Dropbox – my favorite
Carbonite
Google Drive – my least favorite
For all Diagnostic Imaging Records (.DCM .TIF .JPG .PNG)
All of your images for x-ray, ultrasound, CT and MRI should be archived offsite. These are critical medical records for your patients that you are required to keep by law. Dropbox and carbonite are not a wise option for diagnostic images because they do not allow you to retrieve and review them easily. The most effective backup of your medical images is with a DICOM PACS (picture archival communication system). The old school PACS were a server that was setup in your hospital and they would cost anywhere from $50k to $100k. The new PACS are now cloud based and they much more affordable. Usually these services are based on a flat monthly fee or a per exam stored fee.
My Favorite PACS:
VitalPACS.com (by VitalRads.com) yes…shameless plug for me.
AccuVue (by Radmedix.com)
Keystone (by Asteris.com)
For Patient Medical Records
There are many Veterinary Patient Management systems, each will have their own way to backup your records. Some older versions of systems like Avimark or Cornerstone will ask you to backup to a server tape or to a separate hard drive that you must execute and take home each night. The modern cloud based records systems connect you to a cloud server where your records are always protected and backed up two and three times. My favorite way to backup our patient records is via the cloud. It is automatic and yes it costs less, much less. None of us are responsible for backing up the system and taking a hard drive home each evening. The system backs up on its own and we have peace of mind.
My Favorite Cloud Based Patient Records:
Accounting and HR Records
I believe that accounting and HR can be as complicated as patient management systems. They come in all shapes and sizes. I really like Quickbooks online for accounting. As far as HR is concerned, you can now hire a freelance HR consultant to help you with OSHA, State, and Federal employment compliance. Most of these folks will ask you to use their forms which are usually stored in Excel, PDF, and Word. These should be backed up on your Dropbox, Carbonite or Google Drive.
Hire a professional IT consultant – aka propeller head or computer nerd
If there is anything that you need to do, other than everything else I have written about…it is this. Please hire an IT Professional and keep him or her on retainer with your practice. Do not hire your technician’s husband or your associate’s cousin. Hire a real IT professional who has experience in working with law offices, health care clinics and other professional offices which are data heavy. A good IT consultant is often a quirky person and will demand that you do everything a certain way. Follow their instructions without argument, it could save your practice someday.
So, there you have it! You now know what it takes to protect yourself at a basic level from these a-hole ransomware invaders. There are some victims of this crime that have paid the ransom and luckily they got their data released back to them. There are others who paid and then nothing happened. They were double screwed. Do not take any chances with this serious threat. Act now to protect your hospital and your clients.
-RW