The Cybersecure Vet Practice
UVSA’s Cybersecurity “Best Practices” recommendations to promote the safe, efficient, and effective operation of business-critical eCommerce systems.
It can happen to any veterinary hospital, big or small. In the fall of 2019, the National Veterinary Associates was hit by a ransomware attack that affected more than half of its properties, according to a report by Brian Krebs. Last summer, the Maine-based Portsmouth Herald reported that a ransomware attack wiped out inventory data and patient records from York Animal Hospital, demanding $80,000 in bitcoin to recover the files. The practice refused.
To help veterinary clinics combat the rise in cyber threats, the United Veterinary Services Association (UVSA), a national trade association comprised of distributors, manufacturers, and suppliers of animal care products in the veterinary channel, has created Cybersecurity “Best Practices” recommendations to promote the safe, efficient, and effective operation of business-critical eCommerce systems.
According to a Cyber Edge 2020 Small Business report cited by Patterson Veterinary, 2.5 veterinary hospitals are affected by a cyberattack each week on average.
The UVSA-recommended best practices for partners and associates are:
End User License Agreements (EULA)
EULAs are now standard practice for those engaged in B2B e-commerce. EULAs should be in place for all users prior to allowing systems access. Each EULA should clearly articulate what is and is not considered acceptable use, the limits of that use, expected behaviors around access credential security, and acceptance of risk and/or loss of access should the user provide their credentials to third parties in violation of the EULA or in any way utilize the platform in ways not explicitly intended within the EULA.
Site Access and Utilization Logging
Logging customers' credentialed access to and use of the site is necessary for monitoring EULA compliance and for notifying users in the event of a EULA violation or a potential security breach.
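As an added illustration (not UVSA or IronNet code) of what such logging supports, the block below writes one structured record per credentialed request and then runs two compliance checks over a constructed sample log: accounts used from several networks inside a short window (a common sign that a credential has been handed to third parties, which the EULA forbids) and bursts of failed logins followed by a success (a possible breach that warrants user notification). The log format, user names, addresses and thresholds are all assumptions made for the example.

```python
# Added example (not UVSA or IronNet code): structured access/utilization
# logging plus two EULA-compliance / breach checks over the log.
# All log lines, account names, addresses and thresholds are constructed.
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per credentialed request with
# timestamp, account, source IP, action and whether the action succeeded.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:00", "user": "clinic42", "ip": "203.0.113.5", "action": "login", "ok": true}
{"ts": "2024-03-01T09:05:00", "user": "clinic42", "ip": "203.0.113.5", "action": "view_invoice", "ok": true}
{"ts": "2024-03-01T09:20:00", "user": "clinic42", "ip": "198.51.100.77", "action": "login", "ok": true}
{"ts": "2024-03-01T09:31:00", "user": "clinic42", "ip": "192.0.2.130", "action": "login", "ok": true}
{"ts": "2024-03-01T09:45:00", "user": "clinic42", "ip": "203.0.113.200", "action": "download_pricing", "ok": true}
{"ts": "2024-03-01T10:00:00", "user": "clinic07", "ip": "198.51.100.9", "action": "login", "ok": false}
{"ts": "2024-03-01T10:00:10", "user": "clinic07", "ip": "198.51.100.9", "action": "login", "ok": false}
{"ts": "2024-03-01T10:00:20", "user": "clinic07", "ip": "198.51.100.9", "action": "login", "ok": false}
{"ts": "2024-03-01T10:00:30", "user": "clinic07", "ip": "198.51.100.9", "action": "login", "ok": false}
{"ts": "2024-03-01T10:00:40", "user": "clinic07", "ip": "198.51.100.9", "action": "login", "ok": false}
{"ts": "2024-03-01T10:00:50", "user": "clinic07", "ip": "198.51.100.9", "action": "login", "ok": true}
"""


def log_record(user, ip, action, ok, ts):
    """Build the log line the platform should write for every credentialed request."""
    return json.dumps({"ts": ts.isoformat(), "user": user, "ip": ip, "action": action, "ok": ok})


def parse_log(text):
    """Parse log lines; add the source /24 network so nearby addresses count as one site."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["net"] = str(ipaddress.ip_network(rec["ip"] + "/24", strict=False))
        events.append(rec)
    return events


def shared_credential_alerts(events, window=timedelta(hours=1), max_networks=2):
    """Flag accounts active from more than `max_networks` distinct /24 networks
    inside any `window`. Returns {user: sorted networks seen}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            recent = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= window]
            nets = {e["net"] for e in recent}
            if len(nets) > max_networks:
                alerts[user] = sorted(nets)
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with `threshold` or more failed logins inside `window`, and
    record whether a successful login followed the burst (notify the user)."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            failures = [t for t in failures if e["ts"] - t <= window]
            if not e["ok"]:
                failures.append(e["ts"])
                if len(failures) >= threshold:
                    alerts[user] = {"failures": len(failures), "then_succeeded": False}
            elif user in alerts and failures:
                alerts[user]["then_succeeded"] = True
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible credential sharing:", shared_credential_alerts(evs))
    print("failed-login bursts:", failed_login_bursts(evs))
```

The /24 grouping and the thresholds are deliberately conservative defaults; in practice they are tuned per platform, and an alert should feed the EULA notification process rather than block the account automatically.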
Multi-Factor Authentication (MFA)
MFA is now a cybersecurity best practice for commercial and financial systems. Multi-factor authentication should be in place as a required component of platform access. MFA control procedures provide enhanced identity and access management control while limiting the risks associated with credential reuse and sharing. MFA provides added security controls for critical data.
- If full MFA implementation is not possible, consider requiring MFA for a subset of user actions focused on securing private party data (SSN, licensure information, etc.) and financial data (payment information, bank information, etc.).
- If full MFA implementation is not possible, consider using a CAPTCHA test to differentiate human vs. bot (machine) users for all access or to limit access to privacy/financial data (as described above).
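The first fallback above, MFA required only for the subset of actions that touch private-party or financial data, can be expressed as a small step-up policy. The block below is an added example, not UVSA or IronNet code: ordinary catalogue and order actions proceed on the session alone, while sensitive actions require a TOTP code (RFC 6238, standard library only) verified within the last ten minutes. The action names, the ten-minute freshness window and the return values are assumptions; the secret used in the test is the RFC 6238 reference test key. The CAPTCHA fallback from the second bullet is not shown.

```python
# Added example (not UVSA or IronNet code): step-up MFA for the subset of
# actions that read or change private-party or financial data.
# Action names, the freshness window and the demo secret are constructed.
import hashlib
import hmac
import struct
import time

# Actions that touch SSN, licensure, payment or bank data.
SENSITIVE_ACTIONS = {"view_ssn", "view_license", "view_bank_details", "update_payment_method"}
MFA_FRESHNESS_SECONDS = 600   # one MFA verification covers sensitive actions for this long


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, now=None, window=1):
    """Accept the current code or one step either side (clock skew); compare in constant time."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


class Session:
    def __init__(self, user):
        self.user = user
        self.mfa_verified_at = None   # epoch seconds of the last successful MFA, if any


def requires_mfa(action, session, now):
    """Sensitive actions need an MFA verification no older than MFA_FRESHNESS_SECONDS."""
    if action not in SENSITIVE_ACTIONS:
        return False
    if session.mfa_verified_at is None:
        return True
    return now - session.mfa_verified_at > MFA_FRESHNESS_SECONDS


def authorize(action, session, secret, now, code=None):
    """Return "allowed", "mfa_required" (client must prompt for a code) or "mfa_failed".
    `now` is epoch seconds, passed in so the policy is deterministic and testable."""
    if not requires_mfa(action, session, now):
        return "allowed"
    if code is None:
        return "mfa_required"
    if verify_totp(secret, code, now=now):
        session.mfa_verified_at = now
        return "allowed"
    return "mfa_failed"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key; real secrets are per user and random
    s = Session("clinic42")
    t = int(time.time())
    print(authorize("view_invoice", s, secret, t))                      # allowed
    print(authorize("view_bank_details", s, secret, t))                 # mfa_required
    print(authorize("view_bank_details", s, secret, t, totp(secret, t)))  # allowed
```

Failed codes should also be counted and rate-limited per session, which this policy leaves to the caller; the point here is that the sensitive-action set, not the whole platform, is the unit that MFA gates when full rollout is not yet possible.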
Third-Party Access EULA
In the event a third party requires access to provide an authorized business application, each third party should execute a EULA prior to receiving systems access. Such access should then be delivered only through an approved application programming interface (API).
- A third-party EULA should clearly define acceptable platform use, limitations on platform use, security expectations for connected systems, security expectations for retrieved data, data usage limitations, and rights to audit access and data security/utilization.
- The API should allow access via unique third-party credentials and limit that access only to the data required by the third party for legitimate business operations. Use of the API can be subject to rate limits and data limits to ensure the e-commerce platform is not unduly loaded.
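The controls in the two third-party bullets above (a credential per integrator, access limited to the data each one legitimately needs, and rate and data limits) fit together in one gateway policy. The block below is an added example, not UVSA or IronNet code: each third party authenticates with its own key (only a hash is stored), can see only the accounts it serves and the fields its EULA permits, and is held to a token-bucket rate limit and a per-day record cap. The client names, demo key, records, field lists and limits are all constructed for the example.

```python
# Added example (not UVSA or IronNet code): a minimal API gateway policy for
# third-party integrators. Client names, the demo key, records and limits are
# all constructed.
import hashlib
import hmac

# Constructed platform records. bank_account and license_no are private or
# financial data that an order-processing integrator does not need.
RECORDS = {
    "acct-100": {"account_id": "acct-100", "practice": "Oak St Animal Hospital",
                 "invoices_open": 3, "bank_account": "xxxx-4412", "license_no": "VET-55120"},
    "acct-200": {"account_id": "acct-200", "practice": "Riverside Vet Clinic",
                 "invoices_open": 0, "bank_account": "xxxx-9901", "license_no": "VET-77310"},
}

# Constructed demo credential for one integrator; only its hash is stored server-side.
DEMO_KEY = "demo-key-for-pms-vendor"

CLIENTS = {
    "pms-vendor": {
        "key_sha256": hashlib.sha256(DEMO_KEY.encode()).hexdigest(),
        "accounts": {"acct-100"},                               # customers it serves
        "fields": {"account_id", "practice", "invoices_open"},  # data its EULA permits
        "rate_per_minute": 2,                                   # token-bucket capacity
        "daily_record_cap": 3,                                  # records per UTC day
    },
}


class Gateway:
    def __init__(self, clients, records):
        self.clients = clients
        self.records = records
        self.buckets = {}   # client -> (tokens, last_refill_time)
        self.served = {}    # (client, day) -> records returned that day

    def _authenticate(self, api_key):
        """Map a presented key to a client name via constant-time hash comparison."""
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        for name, client in self.clients.items():
            if hmac.compare_digest(digest, client["key_sha256"]):
                return name
        return None

    def _take_token(self, name, now):
        """Token bucket: `rate_per_minute` requests per minute, refilled continuously."""
        cap = self.clients[name]["rate_per_minute"]
        tokens, last = self.buckets.get(name, (cap, now))
        tokens = min(cap, tokens + (now - last) * cap / 60.0)
        if tokens < 1:
            self.buckets[name] = (tokens, now)
            return False
        self.buckets[name] = (tokens - 1, now)
        return True

    def get_account(self, api_key, account_id, now):
        """Return (http_status, body). `now` is epoch seconds, passed in for determinism."""
        name = self._authenticate(api_key)
        if name is None:
            return 401, "unknown credential"
        if not self._take_token(name, now):
            return 429, "rate limit exceeded"
        client = self.clients[name]
        # Accounts outside the integrator's scope look identical to non-existent ones.
        if account_id not in client["accounts"] or account_id not in self.records:
            return 404, "not found"
        day = int(now // 86400)
        count = self.served.get((name, day), 0)
        if count >= client["daily_record_cap"]:
            return 429, "daily data cap exceeded"
        self.served[(name, day)] = count + 1
        record = self.records[account_id]
        # Field-level filtering: only EULA-permitted fields leave the platform.
        return 200, {k: v for k, v in record.items() if k in client["fields"]}


if __name__ == "__main__":
    gw = Gateway(CLIENTS, RECORDS)
    print(gw.get_account(DEMO_KEY, "acct-100", 0))   # (200, filtered record)
    print(gw.get_account(DEMO_KEY, "acct-200", 1))   # (404, 'not found')
```

Every decision the gateway makes (401, 404, 429, and which fields were returned) should also be written to the access log, since the third-party EULA's audit rights depend on being able to reconstruct exactly what data each integrator retrieved.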
The “Best Practices” recommendations were developed by IronNet, a cybersecurity company engaged by the UVSA as a subject matter expert, based on the work of the UVSA Distributor Working Group on Cybersecurity.