Please ensure Javascript is enabled for purposes of website accessibility

Report: Animal care companies need to heed cybersecurity calls too

Betsy Watkins, chairman of the United Veterinary Services Association Board of Directors. (Submitted photo)

The industry that provides supplies, pharmaceuticals, vaccines and other products for animals to veterinarians across the country is calling for increased cybersecurity to prevent data breeches, financial fraud, and economic losses.

The United Veterinary Services Association released four cybersecurity recommendations after a ransomware attack impacted more than 700 animal health care networks around the globe. The association represents distributors, manufacturers and suppliers of animal care products.

“When you think of a cyberattack or a ransomware that’s occurring, the big focus is on ransom, but really the implications of a company functioning, it can ripple all the way through the organization,” said Betsy Watkins, chairman of the UVSA Board of Directors.

The association is not aware if any companies in Maryland were impacted by the ransomware attack, but Watkins said that anytime the industry is hit, it could impact the national supply chain for animal needs on everything from gloves and sheets to needles and syringes.

“If it’s a wholesaler or distributor, it could be pet foods, it could be medications, pain medication or insulin for a diabetic pet that really could have implications to the overall wellbeing of the animal,” Watkins said.

The recommendations were put together by IronNet, a cybersecurity company engaged about two years ago. IronNet interviewed distributors to identify the business models and understand where there were potential security risks. The report was released in August, and Watkins said the association members have reacted positively so far. It’s also attracted publicity in trade and industry publications.

The best practices include end user license agreements that are in place for all users prior to allowing systems access; site access and utilization logging of site customer credentialed activity; implementation of multi-factor authentication protocols; and third-party access end user license agreements with access delivered only through an approved application programming interface (API).

Some of the companies that serve the veterinary industry overlap with the human health industry so they benefit from cybersecurity protocols developed in that space. But Watkins said veterinarians and their suppliers have a duty to protect the information of pet owners from breeches, even though animals themselves would not fall under federal patient privacy protections through HIPAA.

“It’s not the patient’s information that needs to be protected, being the dog or the cat, but we need to ensure that the pet owner’s information is protected,” she said.

At the practice level, many veterinarians are running online stores and have online deliveries that need to be safeguarded.

And the report identifies end-user agreements as particularly important because the industry has marketplace sites and places where multiple parties are accessing data in the interaction between the veterinarian practice, veterinary distributors and manufacturers. The report states that a third-party EULA should clearly define acceptable platform use, limitations on platform use, security expectations for connected systems and retrieved data, data usage limitations, rights to audit access, and data security.

Watkins said in her own organization, they emphasize continual training of employees to make sure everyone is playing their part in cybersecurity.

“Everyone has a responsibility for due diligence to protect our systems,” Watkins said.

Multi-factor authentication was highlighted as a cybersecurity best practice in the report because it is seen as achievable and fairly easy to implement. The report suggested that if full implementation is not possible, companies consider it for a subset of user actions focused on securing private party data like social security numbers and financial data. A CAPTCHA test to differentiate human vs. bot could also be used for all access or to limit access to privacy or financial data.

“The goal of the UVSA is to pass on the relevant information that will help the supply chain provide the best possible care to our patients, which are our pets,” Watkins said.