This Week on the Uncharted Podcast…
This week on the podcast, Stephanie is joined by Joe Axne of IT Guru to talk about some of the wacky things that clinics do when it comes to information security and technology. Information technology (IT) can be an area where veterinary medicine struggles to keep up to date. It's a good example of “you don't know what you don't know.” We talk through some of the things that practices should consider in terms of protecting themselves from the outside as well as the top practices for educating themselves and their teams about information security. Let's get into this…
Episode Transcript
This podcast transcript is made possible thanks to a generous gift from Banfield Pet Hospital, which is striving to increase accessibility and inclusivity across the veterinary profession.
Stephanie Goss:
Hey, everybody. I am Stephanie Goss, and this is another episode of the Uncharted Podcast. So, this week on the podcast, I am not joined by Dr. Andy Roark. But in fact, I am joined by another person who I really enjoy having conversations with, and that is my friend, Joe Axne, from I.T. Guru. Now, we are going to nerd out. We're going to get extra nerdy about information security and technology on this episode.
Stephanie Goss:
It's a little bit different than our normal format, but I promise that I have a reason for wanting to have this conversation with you guys. I recently was a part of a conversation on a management forum about something that had nothing to do with what we're talking about here. But in the course of talking to this manager, they revealed something that their team was doing that is a common mistake that I see practices making all the time.
Stephanie Goss:
And I thought, “Oh my gosh, this is a big, giant flaming red flag. And this is something that more people need to know is a big problem and talk about.” So, I sent Joe an email. And I said, “Hey, I know that you see this all the time. I would love to jump on and have a conversation with you about this issue and more. Things that we need to do to educate ourselves on how to keep our clinics, our clients' information, our team's information safe from the outside in. And from the inside out.” So, let's get into this one, shall we?
Meg:
And now the Uncharted Podcast.
Stephanie Goss:
Hey, everybody. It is Stephanie. And while I do not have my usual partner in crime, Andy Roark here with me this week, I am super excited to introduce you guys to one of my friends. I have been throwing around the idea of doing an episode like this with Joe for quite some time. And I'm super excited that Joe Axne from I.T. Guru is here with me today.
Stephanie Goss:
Now, Joe and I met, gosh, probably four or five years ago. I met you at VHMA. Joe was actually presenting at the Annual VHMA Conference. I think we might have been in New Orleans. I will tell you guys, I was still working in the practice. And Joe was talking about IT-related things. In his session, he had a picture of a clinic that he was working with. And he had before-and-after pictures of what their IT closet setup looked like.
Stephanie Goss:
I remember sitting in that session and I immediately was texting my practice owners from your session, Joe. And I was like, “We need to hire this guy. This is amazing. Our attic looks like the rat's-nest-before picture he showed. And now I want it to look like the after pictures.” I came up to you afterwards. And I remember telling you, “Hey, I would love to talk to you and pick your brain.” And I have really enjoyed our conversations ever since then. So, welcome to the podcast.
Joe Axne:
Yeah. I think I remember too. I think I was exposing that IDX123 was the password. Yeah, if you're still using that password, that's … I just have a clinic right now I'm working out of Houston. I'm like, “Let me guess, your password's this.” They're like, “How did you know?” I'm like, “Well, it's-“
Stephanie Goss:
Because that's everybody's password. Before we get into it a little bit, because I have a very specific question that I sent you an email about recently. Because I was talking to some fellow managers in a manager group I'm in. I saw a post and I was like, “Oh my gosh, I want to talk about this with Joe.” Tell us a little bit about you and I.T. Guru so that everybody gets to know you a little bit.
Joe Axne:
Oh, sure. So, I.T. Guru, we help clinics and hospitals with their computers and networks. So, think of us like a strategic partner. We help … There's all this technology out there and demands in the veterinary clinic, as we know, are higher with short staff and such. So, we're just helping clinics pick solutions that help them become more productive, more efficient, more effective, work smarter versus harder.
Joe Axne:
And then, just make sure that it's really riding on the proper platform. In this case, foundation. Like a foundation of a house, you got to have that foundation in place, proper foundation, before you just build anything on top of it. So, we're very foundational, very proactive. But we help them with all their IT needs and picking and selecting solutions that integrate well with veterinary practices.
Stephanie Goss:
I love it. You guys, one of the things that I love about talking to Joe is that from the very first time I heard you talking about IT stuff … IT stuff can be tricky. I have the computer-minded brain. I've always been the IT troubleshooter at my practice. But for a lot of people, it gets really complicated really fast.
Stephanie Goss:
And one of the things that I love about you and your team, Joe, is that you really make the complex themes seem not overwhelming. And I never walk away from a conversation with you guys feeling like I've done something wrong, which is not the case a lot of the time when it comes to IT. We're looking at it and we're like, “Oh gosh, I've been doing everything wrong for so long.”
Joe Axne:
Yeah. I always feel like everything. But the standards have changed, right?
Stephanie Goss:
Yeah.
Joe Axne:
So, as we go from year to year to year … There are new standards in 2022, which, in our opinion, everybody should be aligned to. But the reality is they're not. And we got to get them there. So, we're seeing … Even if you get to standards that are, say, 2018, 2020 standards, it's better than being on the 2014 to 2016 standards. So, it's just the move shift the mind frame of, “We get it.”
Joe Axne:
A little bit behind the times on the technology curve. COVID really drove us into that. And I think we're starting to up steam around that. But yeah, there are a lot of changes around these security standards. Stability standards that you want to really start getting an understanding around that maybe doesn't really fall in the lap of a practice manager anymore. Their main responsibility. It's hard for those practice …
Joe Axne:
They're doing so much today. And it was. Back in 2013, 2014, yeah, they could … I know some really, really sharp practice managers through VHMA. They're maintaining on their own. But for the majority, yeah, it's tough to do on your own for sure.
Stephanie Goss:
You need help.
Joe Axne:
You need help.
Stephanie Goss:
Well, I think you had a great point that COVID drove a lot of our practices to using technologies and using information in ways that we never had before. Both in terms of using it, but also accessing information from clients. So, that was actually why I reached out to you because I was in one of the manager forums. And having a conversation with a fellow manager. And they were asking for some help from the group.
Stephanie Goss:
They were like, “Hey, my team … ” They were an AVImark practice and they were talking about something else completely. But one of the things that caught my eye was that they said, “Well, in our client area, in AVImark, we are putting the client credit card and driver's license information. Because when I came to the practice, I found a set of note cards in the filing cabinet where they were literally handwriting client information.
Stephanie Goss:
“So, I want to get it into AVImark so that we don't have handwritten credit card information laying around.” And I was just like, “Oh, man.” And I remember immediately sending you an email because I was like, “Oh, it drives me crazy how few people understand the huge liability that we take on ourselves when we don't understand the risks when it comes to protecting our client information.” So, that was kind of what I wanted to talk to you a little bit about today.
Stephanie Goss:
That case specifically. But also just in general, you've seen a lot of crazy things. Your team sees things repeatedly when it comes to information security. So, I thought we could talk about that a little bit. So, tell me, you've got to have seen some crazy things in terms of bad information security, and practices that are happening regularly in the industry. What are some of the things that you guys see repeatedly that practices are doing that are really risky, that they may not realize are risky?
Joe Axne:
I think number one is the password on the monitor. I mean, it's right there on the monitor. So, there are crew and cleaning crews that come in. There can be people that can get into the environment and they can get physical access. Let's not give them that much ease of access. There are stories of cleaning crew logging in and using the credentials that are right on the monitor. They're getting into the system. So, we don't see that.
Joe Axne:
Everything you were referencing the very beginning there of confidential client information, let's just call it payment information. That all falls underneath what's called PCI. That's the Payment Card Industry Data Security Standard. So, an acronym for that is PCI DSS. So, every business is under this standard, okay?
Stephanie Goss:
Yeah.
Joe Axne:
If you take credit cards or you're getting any financial information, whether it be over the phone or whatnot, or online, et cetera, you fall underneath becoming PCI compliant. So, there's a compliance here that many folks don't understand. Sometimes there's even these questionnaires that go out. And you have to be able to answer, “Yes,” to those questions. If you answer, “Yes,” and you're not actually doing them, and then something happens, you're going to be held on the hook.
Joe Axne:
The credit card company is going to wash their hands like, “We didn't cause this. You caused it. You get to pay for this, not us.” So, it all falls underneath that PCI, which we just call it PCI. So, even the written, like you were saying. Even having a handwritten note still falls under PCI. I mean, it's just, you're not supposed to have that.
Stephanie Goss:
Right. I remember when I started in practice, we thought we were doing one better by starting to ask clients to sign a waiver like, “I'm okay with leaving you my credit card info.” Because we thought, “Well, at least that way we're getting permission versus just the Post-it Notes that had somebody's credit card information written on it.” But I think, to your point, it really is one of those cases where we don't always know what we don't know.
Stephanie Goss:
I remember finding out for the very first time about PCI compliance the hard way. Because we had had a client's card. And someone else had brought the pet in, and we had run some charges. And they reported a charge back to their credit card because they were like, “I didn't give permission for this.” And we thought, “Well, you had given us your credit card to have on file. And we thought this was an appropriate situation to use it.”
Stephanie Goss:
My team and I learned the hard way because the bank was like, “No, we're not responsible for this charge. This was hand processed. You didn't have permission. None of these boxes were checked.” So, we wound up not only having to pay for it and have it come out of our profit. But have to pay the fees associated with that charge back. So, I think practices learn about some of that stuff the hard way. But we really do, I think, are doing it with good intentions, right?
Joe Axne:
Right.
Stephanie Goss:
And some of us are even doing it like, “Oh, well, if I get their written permission or if I get them to sign off on it, it must meet the standards.” And I think that's what's so interesting. I would love for you to share a little bit more about some of those things that not only practices should think about in terms of getting some education to understand what their role is.
Stephanie Goss:
But also, the hard part is where do we find that kind of information? That's the part that often, as a manager, feels so overwhelming to me. A company like yours, that does IT services, it makes sense that you guys would know all of that kind of information. But if I'm a practice manager, where do I even start with trying to educate myself on stuff like that?
Joe Axne:
Yeah. You want to start with a payment processor. That's always the best route to go. They're going to educate you quite a bit around that because they themselves will even tell you that you have to become PCI-compliant. Or even though you're using, say, a credit card terminal that is tokenized, that had encrypts … What that means is it encrypts … So, PCI compliance really comes down to making sure everything that is stored and transmitted is done so in a secure fashion. So, encryption is key there.
Joe Axne:
So, back to, say, AVImark and you putting it into an open-text file, a field inside that database. That database is not encrypted. So, that field is not … Certain practice management systems nowadays, like the web-based ones that are coming out, the web-based PIMS. If they're storing credit card information in there, yeah, they know on the backend what it has to comply to from a PCI compliance aspect.
Joe Axne:
So, you can store that information with a provider that allows you to … We have an online payment portal as well. So, we never touch our clients' credit cards anymore. They have to put it all in there and it all stays within a completely PCI-compliant platform that they're maintaining. But I still have to go through the questionnaires. I still have to answer everything that goes with that outside of that network. Because there's quite a bit to it.
Joe Axne:
And it really comes down to there's certain PCI controls that you have to have in place. And the number one is building and maintaining a secure network. So, you have to have that in play. So, that's big. When we say that you have to have that proper firewall, which we don't typically see. This is that device that protects everything coming in and out. All your default system passwords for all your gear on your network have to be changed. I mean, that's a requirement. That's a requirement now.
Joe Axne:
I'm doing an assessment right now. I swear, I hopped on a server. There's a switch that's online. I go to the web interface and switch … It's just a web login that I can get to. And it's, in this case, a NETGEAR switch. So, all I do is I look up that model, default password, Google it, bam, there it is. Pasted it in. Bam, I'm in-
Stephanie Goss:
Sure enough.
Joe Axne:
I'm all the way in, and that's how the bad guys … That's how the bad actors are also doing this as well.
Stephanie Goss:
Sure. Well, that makes sense to me. When I think about it from the practice's perspective … One of the things that I love about how you approach IT, and in the conversations that I've had with you is, practice managers are … Again, and practice owners … they are busy. And this is usually an area where we acknowledge that we don't know what we don't know. So, we're like, “I don't understand how any of this works. I'm literally going to plug the thing in. And if I change the password and then I ask you to deal with it, that seems messier than just leaving the password the way that it is.”
Stephanie Goss:
So, it's coming from a place of good intention. And they're thinking, “This'll make it easier for somebody else to help me down the line.” But for your point and your perspective, the minute that, that gets plugged in, then the clinic becomes at risk just as much if they have the password written on the monitor or the bottom of the router. As if someone like you, who has some experience of knowledge, knows to just say, “Well, what model is this? Let me just Google it. And I have a hot chance of finding out the default password.”
Joe Axne:
Bam. So, it's really that there's a lot to that. And there's a lot going on in segmentation now that has to happen in clinics or hospitals. So, we see a lot of clinics and hospitals just … We call it just one big flat network. You have that thing in the back that all the cables are plugged into. That's your switch. So, everything can see everything.
Joe Axne:
So, your Amazon Alexa, and your Sonos, or your Sonos Music System, or your Voice over IP phones, or your IP-enabled cameras. Whatever it is, Google Smart whatever they call it, it's all connected to the same network, right?
Stephanie Goss:
Sure.
Joe Axne:
So, what we're promoting as new standards for 2022 is really … That all has to be segmented. So, we want our phones over here, over on this in this little segment and network that doesn't necessarily have to talk to anything else in the clinic. So, does Amazon Alexa really have to interact with your AVImark database? No, it doesn't. So, it's proper segmentation of these devices or these smart devices.
Joe Axne:
It's Internet of Things is what it's really called. That's what we're getting to. We're getting to this, everything you touch. And we're talking about it even from a worker's phone, a private … One of the staff's private personal phone. Should that be on the private network of the clinic? No, it should be on a public network. But that public network is completely … Everybody that attaches to that public network is completely isolated from each other. So, they can't see each other. You're in a bubble.
Joe Axne:
Or think of it like a swimming pool in a … If you envision a swimming pool, you don't get the whole pool to play in. You just get a lap lane. But think of it even more as you can't see what's going on in any other lap lanes besides what's in your lap lane. So, that's really what [inaudible 00:17:18] is getting to is that we have to really segment. It's really important. We are working with more and more clinics. Even printing, segmenting printing. So, printing on its own segment. Voice over IP on its own segment.
Joe Axne:
So, segmentation's key there so that we're allowing the only access that needs to be allowed between … Say, you do have an on-prem phone system and it's like, “Well, I need the access, because we get recordings.” Well, that's okay. But that's the only thing allowed over to that system is to get into the recording. And a lot of these camera systems are exposed to the internet as well? And they're sitting on the same network.
Stephanie Goss:
Right, yeah. Because you want to have access to it when you're not there. So, that the clinic is thinking about it from that perspective like, “I need it to connect because I need to be able to see it from my phone when I'm at home. Because otherwise, what good does it do if it's recording?”
Joe Axne:
Correct. Agreed. Agreed. But if somebody gets into that, and say, let's not quite … When somebody gets into that, what are they really going to have access to? Maybe they only have access to that system. But it can't bleed over into your other systems like, oh, now they have access to all your shares and all your information. And maybe even your AVImark database where they actually have access to the information inside that database. Now they have credit card numbers.
Stephanie Goss:
Yeah. Well, it's not a far reach when you think about it. If you have somebody who can get into your network and they can access your video cameras. To illustrate your point, if they're seeing your video cameras and your practice has … I will raise my hand. Guilty as charged. I'm picturing the monitor in my head at my front desk as someone new was training. And they were just like, “I cannot remember the password,” and wrote it.
Stephanie Goss:
And it was posted literally at the front of top of the monitor. And if someone can access your video cameras, and now they're looking at your front desk, they're seeing the password. And to your point, if everything is on that same network and they have access to the passwords, they could get in. And just type in the password and start accessing more and more information.
Stephanie Goss:
I think we think that something like that is far-fetched and it's not going to happen to us. But you and I both know that it happens to clinics constantly. Maybe not to that degree, that someone hacks in. Maybe it's more likely that someone within the clinic or someone who has access to the building accesses some of their information. But you and I connected a few years ago over … I was working in a clinic. And we actually did have some challenges with outside coming in.
Stephanie Goss:
And we got a virus that filtrated through a few practices that I was working with. Our servers went down, and we were down for weeks. We couldn't access any of our information. We had no access to AVImark. All of the systems were affected because it was virus-based. So, once it got in, it started spreading, and then other things were affected. And it was catastrophic in a lot of ways for a lot of the practices that were affected.
Stephanie Goss:
It's one of those things where I've always been comfortable with computers. I like technology and I like getting nerdy. So, it doesn't surprise me. And I have a lot of colleagues who don't like technology. And who are the ones who are like, “I got this email and I open this file.” And I'm just like, “Oh, please don't open … Who is it from? What is happening?”
Stephanie Goss:
So, I think that's the hard part about veterinary medicine is that we have a lot of practice owners and a lot of practice managers and people in general who are learning new technologies for the first time. I really believe that this is one of those times where we should be okay with not knowing what we don't know and play to our strengths. And say, if we don't understand the technology but we're using it, we have a duty to get somebody on our team to help us understand that technology. And make sure that we are playing it safe.
Stephanie Goss:
Because I will tell you, I mean, I think when it first happened, I have colleagues at another local practice who were affected by our server outage, who were still reconstructing files. And having challenges six months later. It took them six months to rebuild. They had to get a brand new server. Even then, there were challenges. I mean, we freak out if we lose power in the clinic for a couple hours on a stormy afternoon.
Stephanie Goss:
Imagine if you're faced with six months of not being able to access your AVImark files or your patient charts. Trying to remember, “Well, this pet was here six months ago. And I have no idea what their blood work was.” That's utter pandemonium.
Joe Axne:
It just wreaks havoc on your productivity. And we can't do that right now.
Stephanie Goss:
Hey, everybody, it's Stephanie. I want to jump in here for just one quick second and make sure that you know about a workshop that's coming up from the Uncharted community that you are not going to want to miss. Now, you might not be the person who's in charge of marketing for your practice. If not, write this down and pass it along, because we are being joined by none other than the Bill Schroeder from InTouch Practice Communications.
Stephanie Goss:
Bill is amazing. He is a wonderful, he is funny, he is kind, and down to earth. And he loves nothing more than working with veterinary practices and cheering them on about digital marketing. And Bill is joining us on Wednesday, June 8th, from 7:00 to 9:00 PM Eastern, which is 4:00 to 6:00 PM Pacific. He is talking about creating content that clients crave. He is going to teach us how to explore contents that are the most valuable and that have a huge impact.
Stephanie Goss:
And talk about proven methods for great content development. Bill did this workshop for us live in person previously. And I said, “Hey, Bill, I would love for you to bring this to the Uncharted community, but also to veterinary medicine and beyond.” And he is doing just that on Wednesday, June 8th. If you would like to find out about this and all of the upcoming events from Uncharted, head on over to the website at unchartedvet.com/events. And you'll be able to find all of the things that are coming, that you are not going to want to miss. Now back to the podcast.
Joe Axne:
We know the trends. We understand it's hard to find staff. We understand this new term out there is the Great Recession. The Great Resignation of everything that's happening. People getting burned out, changing careers, all this kind of stuff. So, every business is trying to do more with less right now, which is hard. So, we have to hold this thing together technology-wise, so that you're never in that down situation.
Joe Axne:
So, there's a whole prevent model that gets you there. And there's not one thing that will protect your practice. There's not just one thing that does it. So, these PCI compliance … And really, there's now more and more clinics are coming to us and saying, “Hey, we're thinking about cyber insurance. We're hearing about these clinics getting … ” The experience you went through called-
Stephanie Goss:
Ransomware.
Joe Axne:
… ransomware. So, it's malware. It's different than a virus. Virus is signature-based and it could be stopped by antivirus software. But that's not what we're blocking anymore. So, we're blocking malware, and rogue detection, and just bad actors. People that get a foothold. So, they get a foothold by phishing you with a link. Then, it installs a small piece of software on a computer that gives them backend controls.
Joe Axne:
Now they're in. Now they have a foothold. And now they're doing the traversal. Now they're looking. “Okay, how can I laterally move throughout this network? And then strategically position a complete attack, so it shuts everything down on you.” And you're held with a ransom bill that says, “Hey, pay us $8,000, $10,000. And we'll give your information back, or good luck.”
Joe Axne:
Number-one thing with that is you have to understand. You have to have visibility of what you have today. And make sure that you have the right prevention techniques in. That's a layered approach. So, that includes firewall, antivirus, web filtering, patching of the computers, like Microsoft Patching. Third-party application patching like a Java, Adobe Flash. All the third-party apps and such that go with that. So, that's that prevent.
Joe Axne:
When I say, “Antivirus,” it's really what we're considering, it's called Next-Gen AV. I'm going to get technical here, but it's called EDR solution, endpoint detection and response. So, the easiest way to think about this is that your clinic or hospital today, they lock their windows, lock the doors at least when they go home. Nobody's leaving the clinic unlocked that night, right?
Stephanie Goss:
Right. Yeah. Sure. Yeah.
Joe Axne:
Most clinics though, they have camera systems and even alarm systems that give them insight of what's happening in that practice, right?
Stephanie Goss:
Right.
Joe Axne:
So, the alarm system is there, say, through big, popular ones like ADP. ADT Alarm System, motion goes off. Somebody's walking through the clinic that should be walking through that clinic, it's going to set off an alarm. And get the authorities involved that need to get involved to go find out what's happening. That's what EDR is.
Joe Axne:
We got to have an understanding where you're at today. We got to make sure you have the prevention pieces that are in place. But now we have to have a way to detect and respond if that bad actor gets in. So, it's just that alarm system. So, the good EDR solutions are going to have things like, “Well, that's … ” And the ones that are being made are being obviously made by the ex-NSA folks. They're the ones that kind of put us in this situation, to be honest with you.
Joe Axne:
But we've got a great relationship with these folks about what are the methods really used to start doing that? So, then now it's not signature-based anymore, but it's strange behavior that's happening. Again, technically, it's like, “Well, it loaded the script. And it accessed and it's testing its rights. Then, it also downloaded this weird network scan tool. Why would a doctor want a network scan tool on their PC? They wouldn't. So, that's the alarm. Bam, something's wrong. Now we got something to do.”
Stephanie Goss:
So, instead of being like the motion-sensor alarm physically at the clinic. And you think about, if somebody walks into your building, it's going to trip the motion sensor. The EDR technology is looking for those things that would be like motion in your practice. But on an information-technology level like, “Has something out of the ordinary been installed? Is there some new script that's running in the background that just looks weird?” Then, when something like that does pop up, then it triggers that alarm, right?
Joe Axne:
Yeah.
Stephanie Goss:
So, that somebody who … Whether it's the program that you're using, or if you use a company. And you guys do something like this. You have the ability to help practices monitor that kind of stuff. But it triggers that alarm so that somebody says, “Hey, you should look at this because this is not normal.” Am I understanding that right?
Joe Axne:
Yeah. Well, it's just like how ADP goes to another alarm company. Same thing here, it goes to a SOC, we call it. A security operation center. They review it, look at it. If they really feel that something bad's happening, then at a click of a button, they can isolate that computer. So, it can't touch anything. It can't talk to anything else. It's just, now it's back into … Like with that lap lane we had talked about, it can check in and see what's happening.
Joe Axne:
So, we've seen things get caught like somebody opened up a Microsoft attachment. We're back to macros, believe it or not. I mean, macros were old-school ways to hack. But there's macros that can fire and prompt like it's trying to log into your Office 365 account. You put your credentials in. Bam, now they have your credentials. Now they have your email, you know?
Stephanie Goss:
Yeah.
Joe Axne:
Now in the meantime, it's running. But boom, we want to isolate that machine. So, it can talk back to the secure server, but that's it until we get it cleaned up. And first of all, understood. And that response is part of, understand what's really happened here. How did this initiate? How this happened. But stop it in its track before it becomes full-blown. So, 1 system down in the clinic is much better than 25 systems down in the clinic, right?
Stephanie Goss:
Yeah, absolutely. I would way rather have one piece of it out for a while than the whole thing. Because let me tell you guys, it was painful. It was so painful. Even prior to … That was probably the worst thing. But I remember a few years before that, my practice also, we were using AVImark. We actually had a system for making backups, which is another common source of challenge for practices, I think, from an IT perspective. There are a lot of …
Stephanie Goss:
We know that we probably should be backing up our data. I think a lot of us do. But there's a lot of people who don't know that, that is something that is your responsibility. I was in a practice where we did. We had a process. Every night, someone would literally sit there with the tape in the server and run the backup through AVImark. We came across a challenge.
Stephanie Goss:
We had a problem with our AVImark data, and the AVImark team was great. And were supporting us. They're like, “We need to go back to the previous version.” When we went to open, it didn't work, so we had to go back and as it turns out, we had been having problems and we didn't realize it, because we weren't testing the information regularly. And we wound up having to go back to two or three weeks before we found a version that could be restored.
Stephanie Goss:
And we had lost three weeks' worth of patient visits, and chart notes, and charges, and changes. I will tell you guys, it's one of those … It seemed so small, but I mean, again, it took us probably six months to catch up from being set back three weeks' worth of work. Because think about how many things that we do all day in the practice that involve our computer systems.
Stephanie Goss:
I mean, we're putting stuff into your PIMS all day long. Patient notes, schedule notes, chart notes, charges, all of those things. Now all of a sudden you have to recreate three weeks' worth of that while you're still trying to see patients all day long. And manage the workflow that's still coming in the door. I think a lot of us just don't think about those things because we love animals.
Stephanie Goss:
Our vets went to vet school to be vets, not to be computer people. So, I hear that and I hear it a lot. And one of the reasons I wanted to talk to you was because I think it's time for us to acknowledge, okay, we don't have to be computer people. But that doesn't give us the right to stick our heads in the sand. And just ignore it and pretend like it's not happening, because we have moved into the current millennia in terms of technology. And we're utilizing stuff left and right.
Stephanie Goss:
And it is our job to protect not only our businesses and ourselves, if we're practice owners or practice managers. But also, to protect the information that clients are sharing with us. That is legally and policy-wise … PCI is a great example of that … a duty that we have signed away when we accept credit cards at our practice, saying we are going to protect and uphold this information safety. And that responsibility gets taken seriously at some point, whether we want it to be or not.
Joe Axne:
So, yeah, so you got the awareness of what you have, the prevention, detection response. There's always recovery. So, we want to move away from the word backups. Backups is singularity and it typically means just you're backing up a subset of data. Okay, do you have backups of your pictures, right?
Stephanie Goss:
Sure.
Joe Axne:
Do you have backups … What we really want to-
Stephanie Goss:
Yeah, like my iPhone makes the backup to the cloud. I think that people get that.
Joe Axne:
Yeah. And it's automated. You know that. So, you have that iCloud. So, do I. I love it. I had to increase it because I'm using more and more space, whatever. But I want that, because I want to make sure I can always recover it. Because I have a lot of information on there. And I'd never want to go through a whole setup and redownload all my apps and stuff. It'd be a nightmare.
Joe Axne:
But yeah. It's called business continuity and disaster recovery. So, you need a business continuity plan, but you have to have disaster recovery. So, just like fire, flood, tornadoes, earthquakes, hurricanes, we can't prevent those. We're not going to prevent the natural catastrophe. It's literally impossible. It's extremely, extremely difficult. But you have to be prepared for that. You have to be prepared for the worst-case scenario.
Joe Axne:
And that includes today that a bad actor gets in. And then spreads its ransomware to every single machine and takes you down. How are you going to recover from that? So, really the question really comes down to two simple things that you need to be asking your IT folks, if you're working with folks, is, what's my RPO and RTO, we call it. So, a real-time protection option.
Joe Axne:
How often are we backing up throughout the day? That's a number you should know. So, we recommend hourly. That's where you should be. Hourly at least. We see mostly people every 24 hours. But that means, worst-case scenario, you're rolling back a full day's worth of work. Maybe two days or maybe three weeks if that backup wasn't running. So, yeah, RPL, real-time protection.
Joe Axne:
So, ask that question. How often are we backing up? And it needs to be periodically throughout the day, because more and more clinics are paper-light and utilize this technology. So, then number two is, how quickly can we get back up and running, should a failure occur? That's really important. And that's one that no one really asks until it hits. And that's not the time. It's not time to deal with fire when your house is on fire, right? We want to know before that.
Joe Axne:
And there's technology out there that does that. So, it backs up every hour and offsite replicates every hour. It can spin up every night a test to make sure it works properly. And it alerts you if it's not working properly. But it can also act as a lifeboat, we call it. So, say your server gets hit and it gets completely wiped out.
Joe Axne:
We actually have a clinic running on our lifeboat right now as we speak, on the East Coast, out of North Carolina. So, their server, in this particular case, wasn't a hack or anything. It was just servers … The age and equipment was old. We rebooted it. It didn't want to come back online, so we note the disaster-recovery plan. Hour later, bam. Less than hour, we had them up and running. Emergency gone. They're seeing patients. And they've been running for good 25 days on it. So, I think this week, yeah, it just was just [inaudible 00:37:18].
Stephanie Goss:
Wait, can we just stop for a second and think about that? Because I'm going to date myself here and tell you all how old I am. But when I started in veterinary medicine, it was literally like you ordered a server from Dell and it would take three weeks for it to show up in your clinic. Then, once it got there, you had to wait for your IT people locally to come out and plug everything back in. And set everything back up.
Stephanie Goss:
Then, you had to call AVImark and get everything reinstalled. You're talking about a four-to-six week process if your server goes down. But you just said that your server could go completely down and you have a practice back up and running within an hour. And not only that, but they can sustain that run?
Joe Axne:
Yeah. Yeah.
Stephanie Goss:
That's crazy.
Joe Axne:
We have to now because Dell servers now averaging more around 45 to 60 days to get it because of the whole change.
Stephanie Goss:
Sure, supply chain.
Joe Axne:
I had one, it took six months to do it. But yeah.
Stephanie Goss:
Oh my gosh.
Joe Axne:
You can run it and sustain it on a lifeboat. And it's an exact clone. Everything's there. It's the whole thing. It's just cloned so that there's no reinstallation of AVImark. Everything's exactly the same. So, server fails, it gets hacked, or whatever, you get put in place. And then you get back up. So, we just have this philosophy of never pay the ransom. With the right … And this technology is not cutting-edge, bleeding-edge. This is stuff that's been around for now 10 years. So, 10 years.
Joe Axne:
So, we've been riding this stuff ourselves for over eight years. So, this isn't cutting-edge, bleeding-edge type of stuff. It's affordable, but it's just one that many people don't know until they ask these questions. Because you really need to ask, “How quickly can we get back up and running should a major issue occur?” Know that number.
Stephanie Goss:
That was going to be my question, because this is super interesting to me. So, if the technology has now been around for some time, as you and I both know that it has. And it is not expensive, especially not when you consider the grand scheme of loss of work and the labor that has to go into doing it yourself if your server goes down. We're talking about weeks to months of work.
Stephanie Goss:
Like I said, it took us six months when you … And you factor in all my extra staff time. And we worked overtime at night, reentering all of the data. That is a huge cost for practices. Why do you think more practices aren't looking at this and investing in this kind of technology, in this kind of support on an IT level? What is the barrier there?
Joe Axne:
I think the barrier is they don't know. So, that's why it goes back to that first one. You have to know. So, maybe you're not in charge of it anymore of implementing it as a practice manager. Because maybe it's outside your skillset to be able to handle as a practice manager. But you have to be in charge of it. So, we have a philosophy that somebody has to be responsible for it. But you can ask or partner with folks that are responsible for implementing and ensuring that that's in place.
Joe Axne:
But the number-one reason is they don't really know the risk that they're in. So, you really have to understand that first. So, if no one's giving you insight of, say, your technology lifecycle management, like how old machines are. What do you have? Reports that are showing you a clean, concise, centralized report of all activity around your Next-Gen AV solution showing you everything that's been caught, was caught, was isolated from the web protection piece.
Joe Axne:
Because I mean, that's the number-one conversation we're having right now with folks is phishing. Phishing is on the rise. I mean, it's the number-one thing that we're seeing within security report. So, you need to be given reports, so it gives you insight. So, you can make the decisions. If you're not getting that information, you can't make that decision. I think that's the number-one reason. It's just, they don't know what they don't know.
Stephanie Goss:
So, if you're a practice manager or a practice owner who's listening to this. And going, “I don't even know where to start.” You talked about two things that every practice should be able to understand and know. And if they don't, they need to ask their IT person, which is the … Tell us again … the R … the response time.
Joe Axne:
Yeah, yeah. RPO, the real-time protection option, and the RTO. So, it just goes to how often are we backing up? Then, how quickly can we get back and running? Yeah. So, those are the two questions.
Stephanie Goss:
Okay. Besides those two things, yeah, what are some of the things that they should know?
Joe Axne:
Yeah. Well, they need to look at status reports. Security-level reports. Just things that are in place. So, whoever you're working with should be working with something that's centrally controlled. And be able to report to you what activity that is catching or preventing. So, all those reports help you. And then that regular backup … So, yeah, look at those reports. And understand, have there been any problems?
Joe Axne:
By asking for the reports, it's holding the people that are responsible for protecting you or assisting you, it holds them to that level of-
Stephanie Goss:
Sure. Accountable.
Joe Axne:
… making sure that they can provide it to you. But more importantly, can they explain it to you in an easily explained manner?
Stephanie Goss:
In English.
Joe Axne:
Right, in English instead of geek speak, right?
Stephanie Goss:
Yep. In simple English.
Joe Axne:
We'll let them see what we have. And be honest and say, “Whoa, whoa, whoa, I don't understand. Re-explain that.” So, there are many times that I have conversations. If I ever talk too technical, just let me know. And I'll try to bring it down to more of layman's terms because … But yeah, the regular assessments and reporting on the data backup strategy. Making sure those managed data … Offsite replication's occurring.
Joe Axne:
The security and what's in place. What's being caught? What are the trends? What's happening? Again, the number-one conversation we're having right now from our web security piece is that we're catching people clicking on something. But our web security's preventing it from getting the payload. Does that make sense? So, because [inaudible 00:43:29] email.
Stephanie Goss:
Yeah, sure. So, somebody's accidentally clicking and they're not realizing.
Joe Axne:
Right. So, then now we have a conversation around, we need to really look at your email controls here. And we need to really control that centrally. In this particular case, I'll be honest, this clinic that we were showing these reports to, everybody uses personal email still. Gmail, AOL, Hotmail, Yahoo. It's like, “Let's use a domain name. Let's get everything in. Let's put the proper spam protection, phishing protection.” Then, we're also going to be adding a little bit of another layer.
Joe Axne:
And that is ethical phishing here. It's like, “We'll try to you ourselves. And if somebody gets caught, we'll provide them training to why. So, that we can help you stop this so it doesn't become an issue.” Because we're preventing it. That's great. But there may be something that could slip through. But we have other layers to help from the slip throughs. But this is an area of concern. So, just again, getting the data. Getting it understood. Looking at those reports and making informed decisions now, you know?
Stephanie Goss:
Yeah.
Joe Axne:
You're making truly informed decisions around IT security in that case, because you now have the power of proper information. That's what's key here, the proper information. Insight.
Stephanie Goss:
Yeah. I love it. I think about it in terms of, I always ask our IT person, “Can you explain it to me like I'm a 10-year-old? Just talk to me at that level. I need to understand it.” I think that's one of the things that I always tell my manager friends is, “Don't be afraid … Don't worry about feeling dumb because people who speak a geek speak, who have that background, it's just like us when we start talking in veterinary terms.”
Stephanie Goss:
Sometimes we find ourselves talking with clients. And we start throwing around the jargon and the big words. And clients are looking at us and it's just going right over their head. That's the same for us when we work with IT people, because we didn't go to computer science school. We didn't take programming. We don't understand the language that's being used. You really truly are talking about two different languages.
Stephanie Goss:
So, I think I tell my colleagues all the time, “There's nothing wrong with saying, ‘This is not my job. I don't understand how to do this. I need you to translate and talk to me in basic layman's terms. Because I really do want to understand it.'” And I think that's one of the best things that we could do for ourselves is to just say, “It's okay to know what we don't know.” It doesn't absolve us from really the need to figure it out. Because ignorance will only carry us so far.
Stephanie Goss:
But when we get hacked and our server's down for four months, I don't want to be in the boat of feeling then really crappy that I didn't know what I didn't know, you know?
Joe Axne:
Yeah. That's not the time to … Time to have those conversations ahead of time. And then yeah, I agree. I just was at an IT conference, because we stay up on professional development, trends, and what we're seeing. And even some of these folks, my peers, they'll talk with everybody. I was like, “I don't understand what you're saying. You need to … ” I'll say the same thing.
Joe Axne:
Because literally, they'll sling some acronyms around. I'm like, “I don't know. Okay, you got to help me [inaudible 00:46:57].” But it's okay. And you're right. You can't … Then, once you understand that, “Okay. Okay. Oh yeah. Okay. That makes sense now.” But right. Making informed decisions on what you have, that's what's key. And assuring that you're aligning to some type of standards.
Joe Axne:
So, that's another big key that you really want to make sure that your IT folks you're working with, they have some type of standard that they're shooting at. So, that's, in our case, standard operating system, like Windows 10. That's what we want. We don't want to see Windows 7 or XP. And you can't see that Windows 7 bad, XP worse. 7's just as bad. But I mean, you want-
Stephanie Goss:
I'm laughing because my practice was the practice with the computers still on XP. It's that legacy system that you can't get them to retire.
Joe Axne:
Because they don't patch. Microsoft doesn't patch anymore. You know what? The hackers know that. They have the vulnerabilities there. So, all it takes is you going … Your endpoint into that endpoint. So, it's kind of strange. The new endpoint isn't the machine anymore. It's like, what's running on the machine? So, it's the browser is the … So, that browser's not even being updated.
Joe Axne:
So, these hackers know that. Then, so they know the vulnerabilities to get in. So, you're low-hanging fruit in that case. You're easily picked off. You don't want to be that low-hanging fruit. There is no 100% secure, but you just got to position yourself way up there. Again, there's no 100%. But the majority of people out there are going to pick off the low-hanging fruit ones, because it's a lot easier than having to go through hoops and ladder to get where they need to go. But yeah, I mean-
Stephanie Goss:
Sure. Well, it's the path of least resistance.
Joe Axne:
… what we talked about today is really 2022 type of standards. 2020 standards would be you have to understand what you have. You have to understand the trends or what's happening. And got to get insight and glean into that. That's going to help you make the informed decisions.
Stephanie Goss:
Well, the whole reason I wanted to have this conversation with you was because I'm hoping that there are a lot of our listeners out there who are listening and actually going, “I don't understand any of this. But I'm now a little nervous because I feel like my practice is … ” I don't know what I don't know. And I'm hoping that people are like, “Now I can educate.”
Stephanie Goss:
And I would love to see us as an industry, as a whole, investing more time and energy into having some basic conversations. Because we can't give ourselves technology and tools. And think about just how many things we've added technologies-wise into our systems, into our everyday lives, over the last two and a half years. If something goes wrong and all of that stops working overnight, think about how many of us would be in a panic.
Stephanie Goss:
It's scary to think about. But I think it's really important as a manager, as a leader, as a practice owner to think about, okay, this is a part where I raise my hand and say 1-800 phone a friend. Because I don't understand this, so where do I start? So, if we have people who are listening or who are feeling that panic. And want to reach out to you, or who have questions about, “Where can I educate myself? How do I get more information about this?” Where can people find you?
Joe Axne:
Sure. Just the web's easiest, itguru.vet. So, I-T-G-U-R-U.vet. We're an IT company. All we do is focus on vet clinics and hospitals. So, we have standards of care developed that when we align the standards of care, one, you're going to have less issues. Two, when you have issues, we'll fix them really quick. There's Schedule a Consult and Contact Us forms on our website.
Joe Axne:
The Schedule a Consult's the easiest way. It has a link directly to my calendar and allows you to book some time to just chat. Let's just take a 10-, 15-minute chat. Let's understand who you are. What type of practice you are. What your concerns are. Then, from there, if it makes sense, we can do an IT assessment or a security assessment. And yeah, take it from there. So, let's just chat.
Joe Axne:
See what's keeping you up at night around this. If there's a certain thing, or if there's a certain problem that you've been through that you never want to be through, again, we can help you through that. But we're helping clinics one at a time, just get them educated on what they have. That's the best thing.
Joe Axne:
Once you have that information, think about … It's like, diagnostic and labs. Now we can now give you the proper treatment plan. So, we got to do the diagnostic and labs.
Stephanie Goss:
That's one of the things that I love about chatting with you. I promise, you guys, it's painless to have a conversation with Joe. Your whole team is fantastic. But I think if you do nothing but get some more information out of the conversation. And figure out, where do you even start? Because I remember after you and I had the first conversation, I went back to my practice. And I was super fired up after that VHMA.
Stephanie Goss:
And I was like, “We need to look at overhauling our system.” And my practice owners were like, “No.” And I was like, “Okay. But really we should think about this.” They were like, “We can't deal with this right now. We don't have time to look at all of this.” But for me, it was eye-opening to just start to think about, where are we? And that initial conversation with you gave me that little bit of knowledge to say, “Okay, I need to educate myself more.” So, that when I did a little bit more digging and I understood, I could point out very specific things that were at risk.
Stephanie Goss:
And when I brought those to my practice owners and I said, “Hey, guys. We're storing the client's credit card information in the Notes section in AVImark. And this is not encrypted. It is not password secured. We are also using a credit card processor. We're bound by PCI compliance. If we don't start storing the numbers through that, and a client's information gets out, then this is what the potential penalties would be.”
Stephanie Goss:
And I just had a conversation like that in one of our one-on-ones with them. And they were just like, “We had no idea. Please sign us … Fix it. Do whatever needs to get done. Get it fixed.” And it became, again, a path of least resistance. But we're not going to know what we don't know until we start the conversation.
Stephanie Goss:
So, if you're listening, you're like, “I have no idea where to start, but I also am not sure that my practice owner is going to go all in on the idea of making radical changes.” Or if you're a practice owner who's like, “I can't possibly afford this,” I think it is worth having a conversation. And just starting to get some basic knowledge and having a starting point.
Joe Axne:
Yeah. Everybody that's listening to this, just mention this call. We'll do this free at no cost. No cost. No obligation to buy anything. It's our-
Stephanie Goss:
Joe is about educating.
Joe Axne:
It is. It's all about education. And we're doing it one practice at a time right now. It's a lot of them. Hundreds of them. But we're there to help you. And one thing that I always promise folks is I'm not going to be that pesky sales guy that just … I have those guys that call me every single week, that's trying to sell me something. And I always see the number come up. I'm like, “I'm not going to do that.”
Joe Axne:
So, it's, “Hey, here's what we found on the diagnostic and the labs. Here's a proper treatment plan. If it makes sense, let's do it. If it doesn't, you're not going to hurt our feelings.” But you're going to walk away knowing everything about your specific environment that you need to make informed decisions on. So, take advantage of that because it's well worth it.
Stephanie Goss:
I love it.
Joe Axne:
Well worth it.
Stephanie Goss:
Thank you so much for having this conversation with me today, Joe. This was so, so fun. I hope that it feels helpful to those of you who are listening. And we will drop the link to I.T. Guru in the show notes for all of you. Thank you so much for your time and for joining me today, Joe. I really had fun.
Joe Axne:
I appreciate it. Thank you for having me. Appreciate it. Thanks, Stephanie.
Stephanie Goss:
Take care, everybody. Have a great week. Well, everybody, that's a wrap on another episode of the podcast. Thanks so much for spending your time with us. We truly enjoy spending part of our week with you. As always, Andy and I enjoyed getting into this topic. I have a tiny, little favor to ask. Actually, two of them. One is if you can go to wherever you source your podcast from. And hit the Review button and leave us a review. We love hearing your feedback and knowing what you think of the podcast. And number two, if you haven't already, hit the Subscribe button. Thanks so much for listening, guys. We'll see you soon.