During episode #40, Clint Latham, the Founder of Lucca Vet, gives an overview of what cybersecurity in the industry currently looks like and sheds light on where consolidators’ vulnerabilities lie. Our conversation touches on what consolidators should do when they acquire a practice, how to keep data more secure, and the value of psychological safety in your workplace.
Welcome to Consolidate That. I’m really excited for the guest that we have today. Ivan, why don’t you go ahead and introduce Clint to us.
Hi. I’m Ivan Zak. Very excited to introduce my friend, Clint Latham. He is the founder of the company called Lucca and he owns two senior Yorkies. Clint understands the need to have a trusted veterinarian for his family members. Clint’s goal is to help veterinarians realize the value of their data and help them take steps to protect it so that they can focus on what is most important: quality care for our four-legged family members. While working with and speaking to veterinary hospitals all across the country, Clint saw a drastic increase in the number of cyber-attacks on the veterinary industry. Clint decided to build a solution to keep hospitals protected while simultaneously getting IT costs under control, providing veterinary hospitals the services they need and nothing they don’t.
Clint, welcome to the show. Thank you for joining.
Thank you. I guess I should probably update my bio listening to you say that, because yeah, the Yorkies unfortunately passed away this year. We’re now in full-on puppy mode. We waited like three months, I think, and then yeah, now we’re in new puppy mode. We have a Whoodle now, I should say.
What is that? Is it anything with poodle? So what is that? Whoodle?
Yeah, he’s a soft-coated Wheaten Terrier mixed with a Poodle.
Wow! I’m behind.
I don’t know what the first part was, but I know what a poodle is.
Yeah, Wheaten Terrier. I didn’t really know much about them either, but then they just kind of like – as far as like everything we’re kind of looking for in a dog, it just checked all the boxes. Yeah, that’s my bio –
You just like to say Whoodle. That would be so cool.
Clint, it’s been a while since we connected last time. I know you were just starting with Lucca, and I thought it was a really cool idea. We had just started with VIS and we were talking about helping consolidators from different angles. It seems like you progressed in that way more than we did. You’re working with multiple consolidators and you’re also working with individual hospitals. But I want to dive into what we started to share before the recording. You told us about the attacks that are happening in the hospitals and consolidators, and some figures associated with that. Why don’t we start with that?
Yeah. I guess what we are talking about is that, the veterinary industry as a whole is really interesting when it comes to cyber security. Because when you talk to a consolidator, like every time you have a meeting with like a CEO, a consolidator, they’re really worried about the data. But then on the flipside, they’re not really worried about it, right? I go, “Who really wants Fluffy’s medical records?”
What we were talking about earlier is that it’s interesting that VetMed a number of years ago was kind of caught up in cyber security incidents from a criminal standpoint, as these attackers were going after the medical industry as a whole. VetMed kind of got lumped into that as an ancillary. What we’ve seen over the last couple of years is actually targeted attacks towards the industry as a whole. Consolidators are in a really unique position because there’s a lot more money flowing through the consolidator. Once the cybercriminal realizes that the hospital they’ve crafted a fake resume for, or whatever, because we’re always hiring, is owned by a consolidator, they realize the pockets are much deeper.
We generally see claims... how deep do you want me to go here? Generally, it’s two stages, right? It used to just be, if they were going to deploy some sort of ransomware attack, they’d get in, lock you out of the data and it was done. These days, especially within the last 12 to 18 months, once they lock you out of the data, they’ve already been there for weeks. They have started pulling all sorts of data. They hide the traffic, making it look like it’s Adobe signatures that are coming through, so hopefully your firewalls and stuff like that don’t catch it. They look for other ways to try to mask massive amounts of data coming through, so it looks like normal traffic.
Maybe they might hide it as, like, you’re using one of these bet bolts. They may try to use the same signature so that you can’t see 200, 300 gigs worth of data coming off the network. But they steal all your data, then they tell you they have all of your client records and they’re going to sell it on the dark web unless you pay them. Then if you refuse, they lock you out of your data. It’s interesting, as they’re targeting, if they realize that you’re part of a consolidator, that claim usually goes – it will still usually stay below half a million dollars. Because half a million dollars is the FBI threshold. In order for the FBI in the United States to get involved, it has to be over half a million dollars before they’ll even look at the claim.
If they stay just below that – now, in these cases with consolidators moving hundreds of millions of dollars a quarter or a month – they know that if they request 400,000, 500,000, 449,000, they’re going to have the money to do it. They’re really sticklers about it. Whereas for the individual hospital that’s individually owned, they’re usually requesting about 135,000. I think the AVMA’s cyber security figure for 2019 – about $132,000 was their average claim for 2019. We can imagine that that’s gone up somewhat over the last year, especially since we’ve seen a 400% increase in cyber-attacks, especially since the start of COVID.
There’s so much interesting in what you said there. Essentially, there’s a business out there that attacks veterinary hospitals or consolidators and they have a price tag. Essentially, there’s also – the FBI has a price tag for when they would care about you. I assume if you have 15 hospitals attacked, each for 400,000, they will still say, “I don’t want to deal with it, because it’s only 400 each.” I don’t know how that works.
Yep. Another big thing that happens a lot is business email compromise; it happens a lot in the consolidator space. Again, because they know the amount of money that’s moving around, they try to get access to the email account to request wire transfers, all sorts of stuff. I mean, now we’re seeing SMS messages that are pretending to be the CEOs of these companies. We’ve seen wire transfers of $50,000, $60,000. We’ve seen them get upwards of like $90,000 where they start requesting these wire transfers. Then unfortunately, a lot of times, it’s the third or fourth wire transfer before somebody higher up is like, “Well, wait a minute. Where is this money going? It’s not coming to us.” But you’re right, it used to be $250,000, but then, I think it was in 2018, they raised it to $500,000 because they were so inundated with requests they couldn’t keep up. Rather than figuring out a way to stop it, they just raised the threshold.
They just said, “We’re not going to do it.” It sounds right.
That’s about right. That’s so interesting. Now you’ve got me worried on many levels. We have now something that nobody cared about. I was, again, with a certain degree of not being educated on the topic. I thought, “Okay. What can they steal from those hospitals? That Fluffy had diarrhea last week? What kind of data?” This is way more serious, especially locking down the data. I’m going to take a little turn into this whole situation that we’ve been dealing with for the last three years in VIS, which is the data merging, normalization and everything else. In order to operate the business, I mean, some consolidators do pull the Excel sheets from 80 hospitals together into one. But those that are more sophisticated, they pull the extraction agents, whether it’s ACT bit works or vet data, data point, whatever you’re using, or something proprietary. They put a data agent on the server-based applications and then pull the data into the central warehouse.
I assume that everything that’s gone to AWS or Google is very well protected once it’s there. How safe is it, and do you know anything about these extraction agents? Is that making a hole in the data and compromising the data? Is there anything that we can know better about using these extraction agents?
You’ve been there. It’s encrypted end to end.
Yeah, I know. Exactly. That’s the other thing. The other piece that we hear a lot in the vet space is, honestly, if a hospital came to me, a new person came to me and they’re like, “I’m really concerned about cyber security. I want to make sure that we’re protected.” I would still have them go server-based today. It’s far safer. Everybody says, “Well, why is that, when it’s in the cloud? There’s redundancy.” There isn’t a single cloud-based practice management system that has – like if you go to – it’s the federal agency. It’s the security and information security administration. One of those big acronyms like the NSA. They release bulletins and they also help – the White House released a letter in June of this year about their top five things that all businesses across the U.S. should do from a cyber security standpoint. That was after these $40 million ransomware hits to CNA and the beef plant.
But there isn’t a single cloud-based practice management system out there that takes some basic cyber security approaches to help not allow access to that data if my credentials are compromised. There’s nothing in there. Like, I’m talking very basic stuff: 2FA, a basic location lockdown. Like locking it to the IP. I think one of them will allow you to lock login to an IP address.
If you have a static IP, you can lock it there. But other than that, if I get on the network and the credentials are compromised, the basic stuff like 2FA isn’t there. What we see a lot in this business email compromise, especially cloud-based practices: once they get access to the clinic email – and how many clinics out there, even with consolidators, because they do the buy-and-hold, right? It’s buy the hospital, put them in the bucket, don’t change anything. That hospital is still running on that free Gmail account that they’ve been using for 20 years. It’s still the IDEXX123 password or whatever it is. That’s the same password that they’ve used for everything.
They get in, they get access to the email account, they’re able to recover a login credential for the cloud-based practice management system. They start pulling invoices because now they can basically log in to that practice management system from anywhere. They start pulling invoices from the hospital. Then they log in as the account and send invoices to all your customers saying, “Hey! You didn’t pay for this dental. You remember this $365.23 charge, and here are all the items,” and the customer is like, “Oh, yeah! We did do that, but I’m pretty sure we paid.” Or like, “Hey! Your credit card didn’t go through, can you repay this?” We’ll see hundreds of thousands of dollars being paid to some fake bank account that’s not going to the hospital, and then the hospital catches on, or people start calling like, “Now I see the charge on my account that I just paid you again. I need you to refund me.” Now the hospital is dealing with this whole customer management thing. You have people leaving because they’re like, “What the hell? You charged me twice.” Then it’s a huge mess.
I got on a soapbox here a little bit, but still today, because of some of those risks, it’s far easier for us to protect a server-based practice management system. We can really lock down the access controls. We can monitor who has access to the data, how it’s being pulled out. We can limit the data tools. We can do all of that. With the cloud, it’s kind of – it’s the Wild West and we have no idea (a) how they have it protected, assuming they have good IAM controls within AWS or the Google cloud, but we don’t know.
Clint, coming from a PIMS background and being a fan of the cloud-based PIMS as a user experience, the ease and sort of the software technology side of it, what do you think is a good happy medium there? I think that a lot of the industry understands the need to be cloud-based just for flexibility and growth, so that you’re not running extremely old, outdated software, and for financial reasons, minus getting attacked. It’s financially beneficial to not have a server in your own cloud. What sort of options are there?
I would challenge the question on the benefit of not having a server. There are two pieces there. If I put my CIO hat on, so if I was the chief information officer for a bunch of hospitals, if I take the cost of a good server – we’re talking SSDs, RAID 5 or RAID 10, however you want to configure it – that hardware is probably going to cost me $7,000 to $10,000 one time. It will probably cost me $3,000 to $4,000 in labor, depending on what the hourly rate is where I might have an IT professional set that up. If I amortize that over a seven-year period, the life of that server, and especially with some of the support costs, it’s still far cheaper than going to a cloud, especially with some of the big ones like ezyVet.
ezyVet is insanely expensive to switch to. It is not cheaper in any way to go to ezyVet. From a cost perspective, a local server still – you can’t beat it. I mean, you can’t beat that cost when you spread it out over the life of the server. It’s just far cheaper. You take $12,000 to $14,000, divide that over a seven-year period. What’s your monthly cost versus if you go to Cornerstone Cloud or if you go to ezyVet or if you go to – Rhapsody has a unique kind of billing model, which may allow you to save some money there. But that will be my first thing. The second piece though, if I also look at it from a reliability on the infrastructure side of things, the cloud is beneficial and that it helps reduce our dependency on the local infrastructure.
But again, we’re now heavily dependent on Internet and most hospitals aren’t ready to then put in a duplicate line, right? You also need a firewall to be able to handle the redundancy for that duplicate line. Now you add the cost of a second business-class line, a firewall and the yearly subscription, and it isn’t really cheaper. I don’t think so, with the hundreds of hospitals that we’ve looked at and had this conversation with. But to play devil’s advocate to myself, I do think it does help with the workflow and the overall hardware that you have to purchase. I mean, at that point, if you’re cloud-based, you could probably buy a couple of Chromebooks, throw them in the closet. If a machine dies, just throw that Chromebook in there, you’re up and running in a couple of minutes because you basically just need a web browser.
There are some benefits and it depends on where you want to spend your money and what’s important to you. I don’t know if that was the right answer. For me, I do think the cloud is the future once we as an industry can start thinking about cyber security as being important rather than an afterthought. It’s something that we kind of have to do, and one of these companies is going to get hit, right? I mean, we already saw NVA get hit, 400 hospitals that got hit because of some infrastructure that they use and how they access all their hospitals and how they set things up. With the Kaseya attack, it’s only going to be a matter of time before we see one of these other companies get hit with what we call a supply chain attack. Because now you have access to thousands of businesses and not just one or maybe a hundred.
Yep. I still have tons of questions. One is a very, very quick answer that you can provide. Which PIMS has that local IP login lock?
I think it’s ezyVet that will allow you to lock it by location. I think they’re the only one right now that will allow that. Nobody has 2FA, which is basic, right?
Can you expand because not everybody understands what that is?
Yeah. Two-factor authentication. Basically – and it can be done really nicely so that it’s not an interruption to the hospital – basically, I need some way to authenticate myself after I enter an email address and password, right? Because if we look at the history of cyber security, the idea that when software is being made, we would have to have user accounts to protect people from accessing it wasn’t even something we thought about. Cybercrime wasn’t there and so it was an afterthought. Like, how do we put a Band-Aid on this problem? Again, if we look at most hospitals, their passwords are on sticky notes everywhere. When we do an audit, if we do a physical audit, you’d be surprised at the amount of information I can get just by coming in, putting my elbows on the counter and asking for an appointment. The amount of information I get: bank accounts, you name it.
We know hospitals as a whole generally aren’t very data-protective or conscious when it comes to cyber threats. We have really bad username and password combinations that have likely been exposed hundreds of times. Then we don’t have this secondary piece where, if somebody then tries to log in as us, it alerts us. Where I think this can be done really nicely is that, especially with browsers, all browsers are fingerprinted unless you’re using the Brave browser, but I doubt anybody in the hospital is using Brave. I think 99.9% of hospitals use Google Chrome.
That browser is fingerprinted. Once you authenticate once with 2FA, it should hold that 2FA for 30 to 60 days before you have to re-authenticate. It’s not like every morning you have to come in, pick up the phone, hit yes to say, “Yes, it’s me,” or go into an email account and get a unique code to log you in, or use Authy or one of these easy 2FA applications. But if our credentials were compromised and somebody, say, in Bangladesh then tried to log in as us, it’s going to see a new location, it’s going to request that 2FA. You should then get immediately notified that somebody is trying to access your account from a new location. Then it immediately notifies you to change your passwords because you’ve been compromised. These are basic things that we can do to help keep this data safe that we just aren’t doing.
More questions. This is fascinating.
I’m moving into a faraday cage, that’s all I know. I’m just going to –
I’m going off the grid now, guys. This is my last podcast.
Don’t get me started on personal privacy either.
Here’s the scenario. Just to be practical for those that listen to this, because a lot of consolidators do. There are two things that, as a consolidator, I want to do as soon as I buy a hospital. I want to be able to get the data, and that’s why I started with that question. I kind of want to go back to it and ask it again. What we probably would do immediately when we buy a hospital is put in some sort of agent, and there are like five, six providers right now. Then we want to get the data. That’s part one of the question: how safe is that, and does it compromise anything in addition, or if you have other means than this particular gateway for the data, is it not that dangerous, or how can you protect it?
The second question kind of leads to – well, we’ll start with the first one. As soon as we’ve bought the hospital, let’s say our message is, we’re not changing anything, at least for now, and your PIMS is your PIMS. Let’s leave the cloud out of it, or a combination of the two, because we might have 20, 30 hospitals, cloud plus server-based. One of those things during an acquisition – this is where it’s a softball to you – how do we find you to help with the pre-assessment? But then after that, what do you do at minimum? Because early consolidators don’t have the finances to actually invest in the full infrastructure. What are those minimal things that, if I have a combination of server-based and cloud-based, I should do immediately post-acquisition?
Okay. The first thing, I mean, if I was a consolidator and let’s say I want stuff to be in AWS, because I want the development platform, I want all that, all the fancy stuff that comes with it. I mean, it’s pretty simple. You can do end-to-end VPN connections from – as long as the server – again, this is another problem, is that most hospitals don’t have a firewall, a basic business-class firewall, either, right? Like doing basic IDPS, which is an intrusion detection system. But if they do have a firewall, I mean, within AWS you can create as many end-to-end connections as you want. Once the data is encrypted, you’re fine, right?
Think about it: if you are using the Internet, like every time – there’s this whole idea that VPNs are the end-all be-all of security. You hear this a lot on the radio, “Oh! ExpressVPN.” You want to be safe. It’s like, “Well, if I go to a coffee shop, I won’t touch anything work-related unless I’m connected to a VPN, because at that point, it encrypts my communication.” What’s fun to do is, you can – I mean, there is free software. There are operating systems that I can install on a thumb drive. There’s one called Tails. I plug it in my computer, it will boot and there are a whole bunch of hacking tools. One thing I can do is buy a $20 Wi-Fi card off of Amazon, plug it in, put it in monitoring mode and it just sniffs every bit of traffic that’s coming through. Like, I’m not recommending this. I haven’t done this per se.
Sure, you do.
No one saw you wink. This is a podcast. I saw him wink. Did you?
If you want to get free Wi-Fi at a hotel, or you want to figure out what room somebody was staying in, you sit in a hotel lobby, because the way Wi-Fi works – this is another thing most people understand – is that when you’re on a Wi-Fi access point, until everybody switches to Wi-Fi 6, and then there are still some limitations there. But with Wi-Fi, when I sit down in that lobby and I go to log in and it asks me what room number and what’s your last name, as soon as I key that in, my computer tries to communicate to the access point. When the access point communicates back to me, it sends the request to every device connected to that access point. It’s then up to the device to say, “Nope, not me, not me, not me, not me, not me, not me,” and then your computer says, “Yeah, it’s me.”
If I have a cheap $20 Wi-Fi card that’s running on Tails in monitoring mode, I can sniff all that traffic and I can dump it to a massive log file. There’s a guy called Kim who used to go to small businesses, including veterinary hospitals. He would sit in the parking lot and he would use basically Wi-Fi sniffing, because the way credit card transactions used to work is that the computer used to have to hold it in raw text in memory. He knew once he could grab that kind of raw memory – and I’m making this really short, there’s a lot more technical stuff that he did – he could get credit cards, so he stole, I think it was like $50 million, just by accessing free Wi-Fi from small businesses.
Quick question. How exactly did you fund your initial startup?
Actually, a friend in the industry was the one who was like, “Dude, we need to do this.” I was like, “I’ve got some money to help keep myself alive. I need somebody to start investing in this,” and that’s how it all came about, yeah.
What should I do as a consolidator if I’m buying a hospital with a server or cloud? Are there measures that we can take? Can we call Clint and say, “Clint, can you help us?”
Yeah, even that. It’s free. If you go to our website, lucca.vet, you’ll see there’s a button at the top that says Five Simple Steps to Protect Your Hospital. Click on that. It’s an e-book. It gives you five things that you can do that are basically free. We do recommend a password manager. That’s pretty cheap, anywhere from five to ten bucks a month, depending on how many users and how complicated you want to get with it. But it’s got five things in there that you can do to really help step up your cyber security game that really don’t – you don’t have to involve us. Now, if you wanted to reduce the load, one thing that we talk about in the book is just backups. I can’t tell you, of all the audits we’ve done, consolidator or not.
Again, because most consolidators are buy-and-hold. They don’t really touch it. The IT guy stays in place. There hasn’t been a single hospital that we’ve audited where I’ve said, “If you got hit, you’d be able to recover.” I can’t tell you how many hospitals we’ve audited or looked at. I mean, I think to any consolidator out there, that should be the scariest thing, right? Because if I come to you, let’s say I own the hospital and I was like, “Hey, Ryan and Ivan. I want to sell you my hospital.” You’re like, “Okay. Cool. Let us tap into the PIMS.” I’m like, “Well, yeah. About that, my practice management system is empty. How much are you going to give me for the hospital?”
Yeah, that will drop in price.
That’s a new business now.
Exactly. Yeah. Right. Because you have no customer records. It’s this idea that, “Well, who wants Fluffy’s records?” With CCPA, GDPR that’s in the UK, and now CCPA being replicated, I think, amongst eight other states in the U.S. – and CCPA is the California Consumer Protection Act – there are some, and we’ve worked with some data attorneys on some audits with some consolidators as we’ve gone through this, because there are a bunch of legal requirements once they get access to that data. Then depending on what data they’ve accessed, you then have to provide privacy protection services, like LifeLock kind of stuff, for your customers. How much does that cost? How many customers do you have in that database? What does that cost?
There’s this idea that, “We don’t really have anything that’s of any value.” It’s like, “No, you do and you just don’t realize it.” Again, if we think about the Covetruses and these other big titans of the industry, there’s a reason that they want those data connectors in your hospital. Just like Martin. I love Martin, but Martin and I get into this conversation all the time. Martin is like, “Yeah. It’s not worth anything.” I’m like, “Martin, if it’s not worth anything, why do you want it? Why do you want that?” Because it is worth something, and it’s just, unfortunately, the veterinarian is told that it’s not worth anything and we shouldn’t have to worry about it.
Thank you. Thank you so much for joining us. Can you please tell us again where people can find you if they want to tap into this whole wisdom that you have and find help on cyber security? Where is the best place to find you?
Yeah. You can just go to our website. It’s www.lucca.vet and you can go to our free education resource button there. We put in a new article that’s cyber security and veterinary related every week. I think we have hundreds of articles there that touch on the industry specifically, if you want to learn about it that way. We also have the free eBook. Again, it’s called Five Simple Steps to Protect Your Hospital. You can download that and take a look at it and start implementing that sort of stuff. Hand it to your practice manager if you’re a consolidator. I know most of them sometimes have a director of IT, but that one person is trying to manage a hundred hospitals. I’m assuming they probably don’t have the bandwidth for it.
Again, another interesting job I probably wouldn’t want. So I think when we’re talking about the consolidator space, because yeah, they’re really overworked and there are a lot of problems for them to manage. You can hand it to them and then maybe they can get it to the practice managers, who can then kind of learn how to start implementing this stuff over a weekend, or spread it over a few days, to really start protecting the hospital. I also do a podcast, not anything cyber security related. It’s called The People of Veterinary Medicine. We just try to find amazing people doing amazing things in VetMed and tell their story. It really doesn’t have anything to do with cyber security, but we just love the people in the industry and try to tell their story.
Yeah, I’ll be speaking at Wild West Vets and Fetch this year, also the Independent Veterinary Practice Association, but that probably doesn’t matter to consolidators. So yeah.
Great, Clint. Well, thank you again so much for joining us. This was eye-opening and fantastic to hear. We hope to have you back again for another episode.
Yeah. Thanks for the time. I really appreciate it, guys.
Well, two more questions that we usually ask at the end. Is there a book, a video, or TED Talk or anything that inspired you recently that you would recommend to the listeners?
If you’re interested in just the overall impact that data has on you as an individual, which then definitely replicates to a business, it’s Edward Snowden’s Permanent Record. I think it’s probably one of the most important books that’s been written when it comes to technology and the impact that it plays. You’ll really be amazed at the stuff that’s going on that we don’t realize, and how much of our lives are really being tracked on a day-to-day basis, and how much of you is really out there that’s permanent, that you can never erase. I think that’s really important. Yeah, if I had to pick a book.
We also ask usually for someone else in the industry that you think would be a great guest for this podcast.
If you haven’t interviewed him yet, I think Josh Wiseman would be great. I think Josh would be amazing just because one thing that we talk a lot about in cyber security is the importance of what Josh calls psychological safety. What I mean by that is that we come into a lot of hospitals where the receptionist makes a mistake because these cyber criminals are professionals at tricking people. Then the manager’s first response is to chastise that person for making a mistake. It’s like, no, what you don’t realize is that these people are professionals and you have a receptionist that’s not a cyber security professional to understand that they’ve been tricked. We’re in an insanely empathetic industry, one reason that I love it.
We need to find a way to allow our staff the psychological safety to be like, “I think I made a mistake. I think somebody got me.” Because those minutes are incredibly, incredibly valuable. The sooner we can mitigate an incident and implement our incident response plan, the sooner it goes from a minor inconvenience to a major disaster, right? Allowing our staff to have the safety to come to us if they feel like they’ve made a mistake is insanely, insanely important. I think Josh is also writing a book for AHA about building culture in the hospital and stuff like that. I think he’d be the right guest. Especially –
I love Josh, yeah.
Yeah. Any consolidators that are looking to change things.
Up their game, yeah. Well Clint, thank you very much. I have a lot of questions that I will ask after the recording.
All right. Awesome. Thanks, guys. I appreciate it.