The Future of Independent Veterinary Practices: Episode 6, With Clint Latham JD

Name: Veterinary Care
Brand: GeniusVets

Welcome to the Future of Veterinary Practices - Episode 6, Featuring Clint Latham JD

We have a fantastic guest today, the founder of Lucca Veterinary Data Security, Clint Latham. As a pet parent of two senior Yorkies, Clint understands the need to have a trusted veterinarian to care for his family members. With Clint's guidance, Lucca Veterinary Data Security helps uncover the mystery of IT and data security for doctors of veterinary medicine across the country so that they can focus on what's most important—quality care of our four-legged family members.

While speaking with veterinary hospitals all across the country, Clint saw a drastic increase in the number of cyberattacks on private practices. So, Clint decided to build a solution to keep hospitals protected while simultaneously keeping IT costs under control, providing veterinary hospitals the services they need and nothing they don't. Clint is also a board member of the Rocky Mountain Veterinary Medical Reserve Corps, Vet Partners member, and Purdue Law School graduate. I tell you, he's a brilliant guy.

Clint, thank you so much for taking some time out of your super busy schedule to meet with us today, tackling some things that are mysterious to a lot of veterinary practice owners. We share the same clients, brilliant people; doctors, business owners are brilliant people, but no one is brilliant at the things that they didn't study or really put their efforts into. And many times, certainly when it comes to the data side of the business, the cyber side of the business, the technology isn't exactly the specialty of the practice owner. But more and more, our businesses rely on our computer systems, and there are threats, data leaks, and all sorts of things happening that practice owners need to know about.

We've got a lot of just great topics that we're going to tap into today. We'll bring some of these things to the forefront, peel back some of the mystery, and help people understand what they should be paying attention to when it comes to their IT and their data security.

But before we jump into that, Clint, I've got a couple of questions that we've been kicking off every one of these interviews with this season. First, what are you most looking forward to once COVID is completely over and we can all just go back to real business as usual? What are you missing?

Street photography. I love to create abstract art from street scenes, and so I shoot primarily in black and white. But what's tough is that a lot of times you use people as part of the scene, but they're not the main focus of the scene. And many times, it's all about finding the right shadow and light and the combination of those things that create these unique abstract images, but then people interact with them. If you took the image without a person, it would take some time to try to figure out, "Well, what is this?" But when you add a human element into it, it's like, "Oh, this is somewhere in the street and people are interacting with this light that we normally miss on a day-to-day basis."

So when I would travel and go to conferences, I always get up like at dawn, or generally, conferences will end a little bit before dinner, and so at sunrise and then at sunset, I would like to go out and walk and just try to keep my mind creative and shoot street photography. And it's hard when you're not traveling because you can't get to unique places and find unique lighting situations. And then also with everybody working for home, you can find a really amazing spot and you're like, "Okay, now I just need somebody to interact with this space," but there's nobody there, so that makes it tough. Middle of the day is also fun too, especially if you're in a big city because the light then will reflect off of building walls and windows and cast these crazy... It almost looks like water on the streets that people walk through and interact with.

So yeah, I'm waiting for that to be over where people are out interacting and moving again. And also I think being able to travel. That's my favorite part of the conferences, is being able to surround myself with people like you guys, like in Vegas, it was the last time we got to hang out.

Are you going to get back to events as soon as they're happening?

We'll see. Again, to me, it comes down to, who's going? I feel from a health perspective, I'm in a better position to handle a disease than, unfortunately, a lot of other people, so I'm not so much worried about it from my own personal health perspective. I don't know. So it depends on if people go. If other people aren't there, then there's no purpose in me being there because what I value the most is just being surrounded by so many amazing people in the vet space who are so much smarter than I, and just being able to learn. And so, if they're not there, then I miss out on that key element. So if people are going, then I'm there. It might also be a snowball effect because we're all thinking the same thing, "Well, if nobody's going, why would I go?" So hopefully.

Next season, we're going to be just meeting with all of the heads of all of the big event programs and to be covering stuff like, what are they doing to get people back live? What do they anticipate in terms of people showing up? And what are they doing to keep things safe? And all those sorts of issues. So those would be pretty interesting. The third season we'll be rolling out right before, all the way up to June. And June starts, events start happening, at least are on the calendar right now. So we'll see. Let me ask you another question related to all this what's been happening. Throughout the past year, all the craziness from COVID, political tensions, oh my gosh, the stresses, what have you been doing to protect your mental health?

I do a number of things. I don't know how to back this up. I don't know. When I first got into technology about 10 years ago, I was also studying at a local Buddhist temple, so I spent about five years, six years going through their teacher training program. So this idea of mindfulness practice and learning to release yourself from the attachments of the world has always been very important to me, an important aspect of my spiritual life. And so like a daily meditation routine has just been part of something that I've always done. And I think especially this year with the challenges that we face, a lot of times we can think about the reasons that we can't do something.

And I think having a good mindfulness practice where you can sit down... And a lot of times people will get it mixed up where they think your mind just goes blank and you have this DMT-like spiritual experience. But a lot of times mindfulness is just really being present with yourself, understanding your shortcomings, where you're really... When I start to get in those spaces where I start to doubt myself in this practice, I really sit with that and I understand every aspect of what that feels like. And so that when it arises when I'm conscious in the day-to-day world as soon as I start to notice those feelings and sensations, I can then recognize them, label them and then tell myself to change. So that's the first aspect of it.

And then the second piece is always exercise. I love to mountain bike. I love to backcountry ski. Like right now in the winter, the snow conditions have been terrible, so I haven't been in the backcountry a lot because it's just been really, really dangerous, but you can always backcountry ski, for lack of a better term, at the ski resorts where the snow's controlled. So I get up at like 4:30 and I'll climb to the top of the ski resort, have some coffee, changeover, and ski down. And so that hour and a half or something that does first thing in the morning to my mind and my overall wellbeing, I think I wouldn't change that for the world.

And I think there's also a lot of science to back up the fact that when they compared exercise to placebos like they gave people a drug saying, "Hey, this is going to make you feel better," exercise always won out over and over again. And I think it has like an 80% effective rate on depression and a lot of those things where we don't even see that with a lot of the heavier drugs. So I think exercise and mindful practice have been really important to me.

Let's change course a little bit. I want to dive right into this really unique area that combines your expertise with the veterinary industry. And I don't think it's stretching to say, you're one of the leading experts in this area, this niche of the industry. So we've been talking, we're asking a number of people this season about trends in the industry, particularly the trends of data tracking, aggregation of that data, and sharing the data. Data's become so much more important to businesses and empowering business owners in incredible ways if they have access to that data if they understand what they should be accessing and why, and all of that. And unfortunately, still not enough veterinarians really even understand that part of it let alone the other things we'll be getting into. So can you kick us off here and tell us a little bit from your perspective, how data helps practice owners streamline their operations and maximize their profits? What are those benefits? Where are they coming from?

I think it's with any business. If we just look at my business as a whole, one of my goals is to bring on more people than... I've always had this desire to create a really amazing workplace and give people a place that they're not just a number. And this is my personal goal outside the goals I want to achieve within the vet space. But in order to accomplish that, I need to look at, "Okay, well, what's my recurring revenue? What's project revenue? How do I understand that?" I think also some basic things, I think where you guys come in, where if I'm investing money in trying to communicate to potential clients, what is that return on investment? How many people am I bringing in?

Another interesting thing that I was talking to a doctor about in Dallas that I had never heard any other doctor talk about before is that he went in and figured out what his average spend per customer was, like what was his average yearly spend. And so he figured that each customer on average would spend roughly $5,000 with him over a three-year period treating their animal. And then he started to think about things like we were talking about, well, how can he start to look at tracking phone calls and understanding where he can improve on just general customer intake.

Because if our CSR picks up the phone and somebody's like, "Hey, my dog's got this problem, I'm just looking for a vet to get help." If she's like, "Oh, we're too busy," or however they handle that initial call could cost him $5,000 in the long run. Because on average, they live in that area for three years, so he figures that for him, they should be a client for at least a three-year period. So these are just some things that you can do and think about with data. And that's just barely scratching the surface.

When you start working with organizations that really focus on their members, understanding these aspects of the business like VMG and others, TVCs working with people on this, and there's a ton of great veterinary consultants that will help people dial these things in and financial companies. But many vets are out there just operating without this information. So that lifetime value, being able to calculate that, let's start there. But please keep going. What else do you see in ways that this data, where they can get it from, and how it's going to help?

This is actually an interesting thing for me to think about because I normally think about the other aspect of it and just trying to help veterinarians realize that the data they have is actually valuable, then, how do we protect it? Rather than helping them try to figure out how to use it more properly, which I think is an interesting question and as somebody who's involved in data should think about it more often. But I think another conversation that I think we've touched before is just this idea that most practice management systems have terrible reporting. So even in looking at your customer record database, there's a lot of data points in there that can help you understand what is really resonating with your community and your customer base, how do you better communicate to them to get them to come back?

I think even the fact of maybe looking at historical medical records as just a medical professional. Internally, we have a knowledge base of things that we commonly see that are problems or issues that arise with a lot of the different practice management systems and they're all documented and we review. And then anytime a support ticket comes in, we also document that data. So for us internally as IT health professionals, we review this data constantly to see if we see trends and if there's a way for us to mitigate that issue beforehand.

I think there's a reason that data is more valuable than oil because not only by looking at the data in a certain way or learning how to understand use what we actually have, not only can we make our business better, bring in you more customers, but if somebody else got ahold of that, they would understand everything that we're doing, our weak spots and then can use that data to exploit us to then move in next door and essentially shut us down. So I think there are a million different ways, for lack of a better term, especially in this industry, to skin a cat.

Data is just the starting point, and then understanding where that data comes in. We can track phone calls these days, we can track email, we can track all the data points in the practice management system. But I think one important thing to talk about that a former colleague of mine used to talk about a lot is garbage in is garbage out. So you also have to be smart about the data that you're collecting and how you properly use it in order for it to be effective. So I'm not sure I really answered the question there because it was very high level, but I think it really depends on looking at what problems you have and then actually being able to measure those problems by putting in KPIs and saying, "Okay, well, we're having a problem we're just not generating enough revenue on our gentles. Well, why?"

That's generally the thing that I start with is why. Gather, collect, and then analyze and then report. And so let's first gather the data points, let's analyze that data, and then let's report on it and figure out where we're at. So it's all about starting with the problem and seeing what data points you have to then make decisions off that data.

You can dive into data and just find all sorts of ways to improve your business in ways that maybe it's not super pain point, but sometimes just because you're not feeling pain doesn't mean that there isn't something wrong there that could just vastly be improved?

Yeah, and I think that's a really interesting point because you're preaching to the choir on that one, mostly because unfortunately, most hospitals... My goal again, just to bring back to my overarching goal in the industry is to help veterinarians realize the value of their data and then help them take the necessary steps to protect it, it doesn't mean they necessarily do business with me and my company. And unfortunately, for most veterinarians, they're like, "Oh, well, I went cloud-based, I got nothing to worry about." Or, "I'm just a small hospital in Iowa, why would anybody want to come after me?" And unfortunately, because you don't, back to your point, you don't have a current pain point, and then unfortunately you do become a pain point.

I think the FBI director said just this last year with the 400% increase in cyber attacks that we saw in 2020 is that there are businesses who have cyber-attacks and there are those who are just waiting in line to be attacked. And so it's just a matter of time before something happens, and you've got to figure out ways to mitigate that. So I think you're right. Again, a lot of times people are like, "Well, I don't have a problem, so why should I even look at this or even consider it?" When I think from any aspect, from your guys' perspective, maybe we do have good client acquisition, but maybe there's room for improvement, and areas to be better in our communication and our branding to our end customers.

From a cybersecurity perspective, I can tell you, the one reason I got into this industry is that it is so bad. And I love the industry so much because most practice owners are so empathetic and they're just the nicest people. Honestly, I just feel so bad for them because really, there's a big target on their back and they don't even realize it.

It's a great segue into talking about... So we talked about some of the benefits. I don't think we could possibly overstate the case for how important it is that they understand what data they can use and how that can help them, tons of benefits there. But let's talk about what cybersecurity issues are currently facing vet practices. Where are those vulnerabilities? What are the potential threats and dangers that they may not realize at this point that are threats and dangers to their current business?

What's interesting is over this last month and a half, maybe a couple of months, maybe since the first of the year, ransomware is always a big one. Ransomware is where essentially a hacker figures out a way to get into your network and encrypt all of your data, and then when they encrypt... Well, I take that back. It's far more complicated than that now because they realize that just encrypting it, that there's that maybe you're working with a professional like myself and that you'll get your data back, and so it's a little inconvenience, but it's not that big of a problem. So what they're doing now is they're figuring out a way to get on your network, they start pulling all of your data off your network first. And so if you don't have the right tools in place to monitor this kind of traffic, they may be there for a month maybe.

And then all of a sudden, then they'll drop a package down and then they encrypt the network. And so basically what happens is they encrypt everything so you can't access it. A good friend of mine, Brandon, always says, "Well, what's your practice management system worth if it's empty?" So at that point, if you can actually access your practice management system, it is technically empty, because you don't have any access to it... You don't even know what your client's phone number is at that point because you can't access it. So then what they do is they then say, "Hey, we've encrypted your data. If you want the key to unlocking it, it's going to cost $150,000 in Bitcoin."

Although I think we're seeing that go up because the FBI, again, saw a 400% increase this last year, and so they got so many claims because it was like anything, it was over 150 grand at that point became a federal offense. And so what did the FBI do to combat this? They just raised the limit. So they raised the limit to half a million dollars. And so now what you're seeing is there's a lot of these organizations that are requesting 350, $400,000 in Bitcoin to be able to unlock that account. Now, the interesting thing is there's no guarantee that they're actually going to unlock it because once they have your money, who cares. I can give you the key, but, A, it may not work, but it doesn't matter because I already got your money.

And then the worst part about it is, is that now there's a target on your back as you being a payer, as somebody who will pay. And so now you went from this being a small clinic in Iowa that you didn't think would ever get attacked to now actually having a direct target on your back to the rest of the hacking community knowing that you will pay. I think the ABMA, just released the cybersecurity PLIT insurance last year, it came out before that, but they started pushing it a lot last year. And talking with them, I think their average claim right now is around $150,000. It's like $133,000 and some change for most hospitals. So that's what ransomware is.

Do you happen to have stats on how much is this happening right now?

A business gets attacked every six seconds. Unfortunately, I don't have good numbers on the vet space attacks specifically. If we look at then how many small businesses are there in the US, I would say vet practices make up probably maybe a 10th of small businesses in the country, at 36,000 practices. So doing the numbers, my guess would be one practice gets it at least once a week, just doing the math on what the averages are. I wish I had a better way to track that. Another great data point. But what we see is a lot of just reporting that comes into the federal government and some of these other bigger cybersecurity companies that are working on tracking and analyzing this data.

And unfortunately, they don't segment it out into industries other than general health care, which is the biggest target generally, and veterinary then gets lumped in there because they use terms like hospital, medical, all these terms. And, the hackers are smart because they go after the medical industry, not because of the HIPAA regulations, but because they know that they're so slow to change and the bureaucracy is so high within a lot of these hospitals and stuff that it takes forever to make these big changes and implement changes, that they are just the easiest targets to get in because they're going to have the most holes in the fence for them to sneak through.

And I will tell you, the vet space is no different. I can't tell you how many practices, we're actually working on a bigger project right now where we're auditing a bunch of hospitals, and the owner's like, "Yeah, I think we're doing really well. I think this hospital is really our shining light. I'd like to start there." And when we started looking in, they've got an X-ray system that's still using Windows XP, so I'm like, "If this is what you consider as good, I can only imagine what the bad is."

You mentioned something there, the X-ray system. So like a lot of the people watching, a lot of practice owners across the country, if you ask them to list what they thought, their potential points of exploitation in their IT infrastructure might be, I bet very few of them would say their radiology equipment. I think you get people that understand, "Okay, there's the phishing email, and I'm not going to open an attachment that sends me from a prince from Nigeria or something." And unfortunately, not even everybody understands that, but can you bullet point out what are all these different points that maybe people aren't thinking about that are actually threat points?

I think this is a great example that we saw two years ago with The New York Times. How many people in the hospital, if your receptionist had a down minute in one to read an article in The New York Times, you would probably be okay with it. You'd be like, "Yes, that's fine. Whatever." So what happened is, The New York Times doesn't source their advertisements directly, they use these ad brokers. And essentially what these hackers have done is they knew that, "Okay, what we're going to do is we're going to craft an ad that's going to do what we call a drive-by download."

So really anything that touches the internet in the hospital is at risk. And so when we think about like the X-ray machine, that's just one point. And so the way this would work is if you got caught up in this situation, what may happen is you're on the front desk machine and maybe you're running Windows 10 that has been updated, so it's a relatively safe device for all aspects. You might have some basic antivirus and some stuff like that. You go to The New York Times, this ad then got injected. And I think the statistics on the ad were over 250,000 workstations were compromised in a 15 minute period before The New York Times even realized what was going on. So people were going to read this article, wherever this advertising popped up, it automatically scans your machine and looks for any vulnerability.

So your machine may be relatively safe, but they see that you're running a version of Adobe Reader that's six years old, you're using an Adobe Reader application that hasn't been updated in a long time. And they know that, "Oh, well, I can run across a SQL cross injection script into that application that will allow me to then communicate back to my servers and download a payload." So at that point, the ad then calls back home and says, "Hey, on this machine, we're going to use this vulnerability. And it may then dump something on the network. At that point, it's going to start worming across the network, and it's going to start calling home. So if that X-ray machine, sure, you may not really browse the internet that much, but it's so old that it's basically like a six-lane highway as far as the options we can use to get into your network and do whatever we want.

And so at that point, once it's in, it starts scanning across the network, it starts communicating with all your machines. It sees this X-ray machine, it calls home and it's like, "Hey, this is our Trojan horse right here, this is how we're getting through the gates." And at that point, it's just sending stuff in, all behind the scenes, you may not even notice. And then next thing you know, you're locked out of your data, key loggers could be happening, they could be stealing your bank account information. The options at that point as to the data that they can gather to then take advantage of you are unlimited.

Listen, a lot of practices are going to the cloud. Let's talk about it because I think it's almost a segue to get into some solutions. But before we do that, let's also help people understand, what does this even mean? What does it mean for managing their IT that they're going to go to the cloud?

I think this is the scarier thing that's happening in vet med is that, and I don't know if it's the communication that's happening or just the assumption like, "Oh, hey, our practice management system is in the cloud." And I think this is a great way to go. I think if I put my CIO hat on, chief information officer, and I'm looking at the technology in your hospital and how do we better leverage technology in our hospital, I think going to a cloud-based practice management system is a great choice. There are a number of benefits to doing that as opposed to having a server-based system.

With that being said, I think back to our original point when it comes to understanding the privacy of your data, having complete, exclusive rights to that data, there are some questions to be had, and I think some honest questions to be asked to your provider when you're looking at one. But those issues aside, I think most people are like, "Well, my practice management system's in the cloud," whatever, not a big deal. However, what we're seeing now, back to the original example where I talked about this idea of a keylogger. Keyloggers are really common in hacking scenarios. And what they do is, say I put a keylogger in - t's a program, it's actually going to track keystrokes and they're letting you use your computer. And there's an easy way to help mitigate the risks of a keylogger that we can talk about that's pretty easy to implement, but unfortunately, most practices don't use it. So I know it's a major problem. But again, if I get a keylogger, then what's going to happen is now not only I'm going to have your email address that you're using, especially if I set it up on the reception machine, think about what I'm going to be able to get, and the practice manager. I really need access to two machines in your hospital, and I'm going to have a wealth of data to be able to basically take you out at the knees.

And so if I run a keylogger, now I know that, "Okay, cool. I see that they're going to want to practice managementx.com, and they're logging in the practice manager, is logging in with this username and password. And because most practice management systems, the benefit of the cloud is that you can access it anywhere, So now I may be running some servers in Eastern Europe, maybe Pakistan, India, one of those locations, I create a simple VPN, I connect over to a server in the US so it looks like I'm US-based. I log in, now I have access to your entire client history and charges and everything.

And what we've seen happen is they log into your email account, they set up a whole bunch of rules, and then they start sent resending invoices that you would have normally gotten in your practice management system, except they're charging it to a fake bank account. It's not a fake bank account, it's just a separate bank account, it's the hacker's bank account. So they're sending these invoices that were legit at one point saying, "Hey, this is practice management, animal hospital Y. Hey, we forgot to charge you for this dental, so can you send us 350 bucks? Here's a quick payment link to make it easy. Sorry for the confusion."

Meanwhile, you have no idea that these emails are going out. You have no idea that they're logging into your cloud-based practice management system, and it's happening all behind the scenes. And this is probably one of the more common tactics that we see being deployed to vet hospitals is this whole process of essentially recreating their invoices and then sending them out through their email accounts.

I think you're really freaking these people out. Does a practice need to change their PM to something safer? Or can they just keep the same one?

Yeah. I think the idea of cloud-based versus local, there's a lot of question, honest questions to be asked there in determining who we feel comfortable having, what access to what data when it comes to a vendor standpoint. That's another conversation, but I think the solution to that is basically if you implement what we call a password manager, it creates really complicated passwords, but then if you're using a cloud-based one, you can then click into, there's like an addon in the browser and you just click auto flip, you just click on auto-fill. So you go to the website, you click autofill and it passes information in. So I'm actually not typing any keystrokes.

So at that point, I have a really complicated password that's only used one time, I'm not replicating that password anymore. And then I'm accessing that way, and there are no actual keystrokes involved other than actually clicking. So I'm never at any point actually typing that password out. So if there was a key logger on in my environment, they would just see mouse clicks, but they wouldn't see the information being passed. Now, that's not to say that they couldn't... That communication from the browser to the password manager should be secure, so you shouldn't also have to worry about third-party applications being able to sniff that traffic without some certificate or secure handshake involved.

So you should also be okay that way, but it also really depends on what password manager you're using and how that looks. So I wouldn't say you necessarily need to switch practice management systems from that standpoint, what I would love to see is for these web-based ones is for them to implement either an SSO option, which we can help out with. SSO just basically stands for Single Sign-On. Basically, the person logs in once, and then it passes all these really secure, encrypted passwords to the applications that they need.

That would be great, but I understand from a practice management system, they're not worried about if you're accessing QuickBooks or if you're accessing that source or some of these other IDEX online packs, that sort of stuff, they're not so much concerned about that, but it'd be great to see them at least implement what we call 2FA, where if a receptionist logs, whenever she logs into that practice management system, she has to answer the phone and just hit the button one and say, "Yep, that's me logging in."

So if that was ever compromised and they tried to log in from another location, all of a sudden they would start getting phone calls to that front desk and saying, "Whoa, somebody is trying to log in, we got to change the passwords, our passwords have been compromised." So those would be a couple of things I would love to see implemented in the industry, but I just haven't seen yet.

We took that step at GeniusVets a couple of years ago and implemented password managers just for everyone. I can say at first, they're a little disruptive, it's a little different path of doing things, they seem a little bit complicated to set up, but really not once you get in it. And then very quickly, it just becomes much easier than trying to remember passwords and keeping them in some spreadsheet or having some document of everything that you're doing or any of those sorts of things, just a much better approach to doing it. That's a basic thing that people can do, but again, I want people to get a sense of, there's just a lot. And frankly, this is an area where people even if they're fairly decent at IT, or if they have an IT guy, then that's great. If they already have an IT company that they're working with, can you give an example of some things they should be asking to test because a lot of IT guys, data security is not their bag?

Yeah. And this isn't to throw the local IT guy under the bus, and having been on that side of the aisle, I worked as a software developer, and then I worked in networking and the infrastructure and that sort of side, and then moved into security. It's unfortunate, when we look at the hospital side, we have our GP. So you're a general practitioner, but if a dog gets cancer, you're going to say, "Hey, let's go talk to this oncologist to see what we should do." Because it's a very specialized area. And unfortunately for most IT people, we assume that they know everything about everything, but the hard thing is they're so busy...

Look, knowing a number of people in the industry that do that work, they're getting upwards of 50 to 60 tickets a day for just basic stuff, and they may be a one or two-man operation. And so they're just trying to keep up on the administrative side of things. And so in any way, I'm not trying to throw your local IT guy under the bus, but I think a great example of where you think you have an IT company that's going to solve everything is MBA. MBA is this massive organization that has lots of money to be able to hire a complete IT team. And they have a number of people on staff, but yet, 400 of their hospitals were hit with ransomware.

Now think about your hospital, if you're doing really well and you're 20% profitable, you're doing better than most practices out there, do you have the budget I guess in your mind, you're thinking, do I have the budget to hire a security professional and an IT professional? And I think that was the problem I'm trying to solve because I realized that if we focus on a lot of... Their IT guys aren't going to want to hear this part because unfortunately, it takes money out of their pocket, but if we focus on the security issues, first, it shores up our stability of the infrastructure within the hospital, which has a downstream effect on our overall costs.

And a lot of times, some of these other issues that pop up that are just Band-Aids that we're putting on from an IT perspective to try to get things going through, so we can be smarter about how we manage that technology. I hope that answers the questions, I could go on.

You touched on something else too that I want to circle back around to a little bit, a few minutes ago. You started talking about some of these outside vendors that you need to give some level of access to your data for various reasons. So that's data sharing. One thing that I want to call attention to before we dive too deep into this question is, and I love how you framed it earlier, data's worth more than gold. I really want to make sure that anybody listening, I really want every veterinary practice owner in the country to understand how valuable their data is and how it's getting shared and understanding the value of that data, and that they actually do have some leverage in those relationships that they should be paying attention to that and asserting their weight a little bit. Can you maybe talk about a little bit, when does data sharing, vendors and things like that, when does this data sharing become a threat to independent practices?

I think it's a big threat right now. I think the light of it got brought to the forefront during Covetrus data breach, which we saw two years ago. I think I was asked to talk about it at the VHMA Conference in 2019, I think it was, turned the year that it came about, I guess, because 2020 was such a blur, it seems like it was last year, but I think this is a good example of how somebody is pulling your data and not realizing it. And I think actually this really sets up a great example because they're pulling this data, and a lot of times they may be pulling it through, I think it's their Guardian Service, which backs up the Avamar practice management system.

I think that's what they call it, the Guardian Service, which backs up the data. They're pulling all this data, they're dumping it onsite. And again, now they're taking, they're aggregating all this, but in this case, they were then using the pharmacy company that they just acquired, and I always get the names mixed up. And we talked about this before, so I can't remember which one it is, oh - Vets First Choice actually, but they combined and they became Covetrus. And so they started marketing directly to the independent vet. Now, this was such a sheisty move that when I was asked to present on it, I put my legal discovery hat on. And I started looking and I started seeing what information I could pull, and I couldn't really get anybody on the independent side to provide me any information. So I was a little bit skeptical that it actually happened. However, until I got to the presentation and I had a number of people in the room come up to me and show me branded emails from Vets First Choice that were sent on behalf of their hospital to their customer base to buy drugs from Vets First Choice.

Now, since then leadership in Covetrus and staff has changed., but I think this is just one example of where they're selling you a potential benefit service, this backup, and I have another story on that'll make your hair stand up on the back of your head, and then on the back end, they're using it to steal your customers right out from under you. I think another aspect would be okay, sure, they're aggregating all this data, and then they're dumping off to somebody else who's going to use that data, but maybe they're going to sell it to somebody, a small business, a consultant isn't going to buy this veterinary dataset for 1,000 bucks or whatever.

I'm going to get all the data I can for practices in Louisiana for 1,000 bucks, and then they're going to buy that data. And now they can basically look within like a 10-mile radius to know exactly what kind of revenue you're doing, what's popular. They get all this data set, so then they can help their customer move in right next door and start to build their own business and do it a little bit better because they have this dataset. I'm clutching at straws on the example because I have seen that in other industries. Again, I want to be clear, I don't know that Covetrus is doing that, but I think that this is just an example of how, when we're sharing our data with other organizations, that this is something that could happen.

Again, just to reiterate, that was just an example, I'm not saying that they're actually doing that just for the record. But I think this has put the potential for things to be set up in a way that could be a little bit dangerous. Back to this backup service, we're talking with a hospital right now, they got attacked in November of last year and they're still trying to get out of it. And they were using this backup service and they've still been working with Avamar to try to reimport all this old data. We're five months into this deal, and they're basically still without all of their data in their practice management system.

So you're paying for a service that's supposedly helping you protect your data and cover it up, but then on the other hand, when you go to pull that data, it's not coming in and there's a whole bunch of problems. And so I think this is just like the hospital, is just really getting stuck between a rock and a hard place because it's like, "Well, now you have all my data, you can do all this stuff with. And now when I try to get it back, I've been paying you for months, and I can't get it back, where's the win for the individual practice?"

What kind of steps would you take to mitigate some of these threats? Do you set up a local server that you can take on and offline just back up, obviously you should be doing backups, especially to the cloud quickly so that you're not getting much new data in between, but perhaps a hard backup on-premises that you can connect and not disconnect on more like a weekly basis or anything like that?

Yeah. I guess this is a little bit of shameless self-promotion time on the platform that I built that I'm really proud of. We built the Lucca Data Vault and what we do is essentially ship you out a little... Basically, what it looks like to you is a little computer. And we basically, once we configure it and get everything that we need for your specific hospital, we ship that out to you, plug it in and turn it on. At that point, then we can access it remotely. And what it does is, we look at all the data sets that are important in your hospital.

And this would be part of our initial assessment when we do a gap analysis and our IT health assessment to look at what's going on. We look at the different data sets that we need to protect within your hospital. And then we take that and then we back that data up to this little device every hour. So now we have an onsite device, so if we do. for example, we had a hospital that deleted their entire attachments folder the other day, and so we had to recover 40,000 items. And so we can recover that, it's a lot faster to recover that locally than it is from the cloud. However, if the hospital were to get hit with ransomware and it would completely take the server offline, that's great, or it's not great.

It's great that we have this local backup, but we need something to read and write and manage all that data and communicate it out to the rest of the machine. So what do we do? What we do is actually replicate your entire environment in our cloud. And so you essentially get a little German Shepherd icon, it's Lucca, it's our logo, she's our mascot, on some of your key machines, like reception, maybe a tech station, and maybe your practice manager's machine. And so if your server were to tank at like four o'clock, or you were to get hit with ransomware at four o'clock in the afternoon when you're about to be really busy, you double click an icon, it tells our cloud environment to turn your environment on.

So it takes probably about five minutes, 15 minutes at the most, maybe to fully spin up. And then at that point, you're up and running with a complete copy of your environment in our cloud. And so you can access customer records and you can continue to check customers out, move people through the hospital, and then after hours, we can take the time to either work with your local IT person to figure out what we need to do to recover that server, or if you're working with us in some capacity to manage a lot of that in-house IT work, we can figure out what we need to do to get another machine.

In some cases, it just makes more sense at that point, just to maybe move your entire environment to the cloud, and we're already there, so really, it's just a matter of just scaling the resources and turning some additional stuff on, or if you'd rather be back to the local environment, how do we get that server up? But the most important thing is that we can do it in a manner that we're not rushed. We don't want to just slam a solution in and cause a bunch of problems, we want to take our time to do it right. And so I think having a complete copy of your environment, that's yours, again, it's completely segregated, we're not aggregating any of that data, we're not mining any of that data.

It's completely isolated in what we call your own VPC. So your own Virtual Private Cloud within the Lucca Cloud infrastructure. So no other hospital touches your environment, it's all isolated to you. And so at that point, we can determine what's best. So it's really a layered approach you need, and then we can also do I guess this is also one important thing is that in our backups, in our cloud system, we also do versioning. So we keep 30-day versions of each file or 90-day versions of each file. So you could have a reception, she's just working on a checkout sheet and she made a bunch of terrible edits, it's really bad.

And you're like, "We just want to go back to the original version because we got way in over our heads, we need to think about this a little bit differently." We can go into our cloud, with a quick little command line, we can search with a specific date that we want and pull that file back down to your local infrastructure. So yeah, that's another thing. So it's really a layered approach to really protect your hospital.

There's another side of this too, there's another side of not just really making sure that your practice IT infrastructure is secure to avoid problems, but there's also when you really do have a super healthy IT infrastructure that actually adds value to your practice. And we're in this era of consolidation that's going on, we're at a time when a lot of practice owners are getting towards the end of their careers, they're cashing out, they're getting bought. Good for them, they've built their business, they've worked on for a very long time like anybody. Any business owner, if you are considering selling, and I just want to say, I hope that you consider alternative exit strategies, not just selling to the highest bidder necessarily because some of our previous interviews really brought to light, like our interview with Dr. John Tait last season. I know that you've been involved in some situations and some good stories about seeing practices that were exploring acquisition and that either had data insecurities blow up in their face and ruin their valuation, and conversely, they were really, really tight, and that actually made their prices worth more. Can you share a little bit about that?

Yeah. One thing that we're seeing that's become really popular is that we're having practices reach out to us because they're like, "Hey, we're trying to sell, but the bank won't finance this until they can realize what the risk of this asset is." And so the banks are getting smart knowing that technology is required to run most businesses and they want to know what the overall risk level you can take it out at the knees, not being able to run your business anymore and being shut down. And then now them trying to figure out how to recoup this cost of this loan that they just gave you.

I think one, I guess, we'll talk about the bad before the good, so there is a practice and I'll leave it very general because it's a really unfortunate situation, I don't want to call them out, but it was a really unfortunate situation in that it was a practice on the East Coast, they were getting ready to sell, unfortunately, we got involved afterward. So there wasn't really anything we could do at this point, but they had gotten hacked and the owner of the practice, again, because once they got hacked, they got access to all of his Facebook log-ins and all the other social media accounts.

And the hacker then realized that this owner was making some questionable ethical decisions within his personal life and some of his relationships. And so the hackers then made all this information public, it got out, the bank then found out about this personal information, and then you can combine it with this hack, and the bank was like, "We're not touching this. We're not going to be involved." And I think they had already set the closing date, everything was ready to go, and then it basically all got blown up, again, because they got hacked at the ninth hour or the 11th hour, I should say.

And it wasn't necessarily that they got hacked that did it, but it was that there was a bunch of personal information that was exposed about the current owner that was going to destroy the reputation of this practice, again, then removing potential clients from the new owner, which then would affect them being able to repay that loan. And so, it blew up. It was a really terrible situation, not only for the new potential owner because they're looking really excited about becoming a practice owner, but they needed the capital to be able to purchase it, and then also for this business owner who, probably call it a total of 15 minutes of decisions over maybe a month period that destroyed 30 years' worth of work.

But what we're seeing on the other side is that if you're a practice that thinks about this stuff more smartly, you think more like a CIO, you've got proper technology, lifecycle management in place, and A, not only is it saving you money because you can be smart about how the money is spent, you shouldn't have to be spending the money twice, but also the infrastructure is running really well, you don't have a lot of overall problems, there aren't a lot of gaps. And so at that point, the bank is going to come in and say, "Oh, this looks great." Like, "Okay, sure."

There are always areas for improvement because things are always changing, but from a lot of perspectives, they're like, "Look, this is great because we know that this owner isn't going to have to invest 20 to $50,000 to get this practice up into the 21st century. This is a great investment," assuming everything else fits in line. They're basing the entire valuation on the technology, but it is becoming a key aspect in acquiring practices. We're just about out of time here today, I know that you did have a hard stop that's going to be coming up. I also know that you've been working with Patterson Veterinary University on a class to teach practice managers how to think like a CIO, an information officer. Can you tell us a little bit about that?

Yeah. I guess it comes back to this idea of better technology lifecycle management. And I see the question, if it isn't broke, why should I fix it? But I think that is a great example. When we have proper technology life cycle management, and of course, we're trying to help teach you how to think about your technology properly. How many practice managers are like, "Okay. A, I'm buying business-class machines. And B, I should be replacing, especially the receptionist machine every five years." Because we as technology professionals know that hardware gets hot, it starts to burn out, so at that five-year period, it's starting to get questionable.

And so sure, we may be able to roll that machine, if it's Windows 10, we can still update it, we can still patch it. We may be able to roll it down to maybe the comfort room, where it's not really used that much, but you still need a machine in there. But you're going to be asking yourself, why didn't I replace that machine when you only have one receptionist machine. Again, it goes down at 3:30, four o'clock on a Tuesday when you're insanely busy and now you're like, "Okay, how are we checking people out?" You're having to change your entire business workflow when you're your busiest. And I can tell you right now, nobody has a disaster recovery plan.

So we're also including some information like that, like, what is your actual plan? How do you actually think about it? And we've created some great materials, I'm really excited about it. We're about 75% of the way through it, so it should hopefully be coming out the next month or so. And it really covers everything, how to think about your technology, cybersecurity, backups, the whole piece. And should help you think more like a C-level technology executive, and help you make smarter decisions and be smarter with the money that you have, and we're hoping to help a lot of practices.

When that comes out, how will people find it?

Patterson has PBU, which is Patterson University. And essentially, you go on and you sign up, and I'm not sure what the costs or pricing structure is, because we're still working on that, but you would go on and you could just search for IT or technology. We're putting three courses together, so you could either buy all three courses or you could just pick which one you think is maybe your weakest area. And then it's all online, and you'll get to hear my amazing voice walk you through all the slides. And hopefully, I help provide you some information.

Based on most of their courses, they're not terribly expensive to do. We're talking a few hundred bucks at the most, so it's generally not that expensive. But Patterson hasn't told us what the costs or anything yet, so I can't quite elaborate. We're getting on the final touches and I'm really excited to see that come out.

Talk about some great information that's not that expensive, you also have been generous enough to bring something here today. Go and check out the chat, we're going to drop a link in the chat to a fantastic download you should take advantage of that Clint has put together here, 5 Simple Steps to Protect Your Practice. Do you want to tell us really quickly about that?

Yeah. So it's a free ebook that we put together, and really it's things that you can implement over a weekend. And again, just back to my core value, helping veterinarians realize the value of their data and taking the necessary steps to protect it. And so it just walks you through five things that you can do over a weekend that has the biggest bang for your bucks. So what we were trying to think is, what can we give you that's simple enough that you don't have to be a technology professional to implement, but it has the greatest return as far as protecting your hospital?

And so that's really what the aim was, is to help better educate you about maybe some of the gaps you have that you don't realize, and then allowing you to DIY it if you want to implement those yourself.

…

Clint Latham, founder of Lucca Veterinary Data Security, again, thank you so much for spending some time and opening this world of IT to us and allowing us to hopefully help some practice owners and some practice managers open their eyes to some of the threats, some of the things that they can resolve, the value of this data, why they should be protecting it.

Listen, everyone whether you have an IT professional right now or not, you should definitely be going to check out Lucca.vet. That is the website, L-U-C-C-A.vet. And just reach out because you got somebody here who would do a fantastic job helping you out. And the reason why I wanted to bring you on, not only are you brilliant at what you do but really ethical, good person who will look out and put his clients first before his own business. And that's just so aligned with our philosophy here at GeniusVets.

And everybody, thanks for stopping by. You guys are all very busy, I hope that you got a lot out of this. Watch the newsletters, next week, we've got another fantastic interview lined up for you. So check the newsletter for information on that. And remember, if you are a veterinary practice owner or a manager, you already, right now, have a full-page profile for your practice on GeniusVets.com. It's true. We've put them up for you, and you can go, you can claim it.

We've got another link that we're sending out, so you can go claim your profile, check it out, at least make sure that the information is correct and you can take advantage of claiming it. It's totally free. It's an awesome thing that we just want to give to you. All right. Well, I'm David Hall, co-founder of GeniusVets, signing off.