Imagine coming into the office one day and getting word that all of your patients’ data, past records, tax documents, and financial statements had been stolen or, worse yet, erased. This may seem like a nightmare scenario of being infiltrated by malicious hackers, but it could actually be a case of ex-employee tech revenge.
Adam Parker, OD, president-elect of Virginia Optometric Association, says employers are vulnerable to these scenarios, and ODs are especially at risk considering the array of people they work with to make patient care possible.
Tech revenge, as Dr. Parker explains it, is a fired employee trying to inflict harm on you or your business through technology. As technology is streamlined, all of a practice’s data can fit onto a flash drive. That flash drive can easily fall into the wrong hands, especially if those wrong hands once used to be the “right” hands.
Tech revenge ranges from stolen devices (computers, hard drives, or equipment) to hacking of company files, and it can lead to reputation sabotage by way of posting negative online reviews on Yelp or other review sites.
In one case, a vengeful ex-employee replaced several slides on a sales PowerPoint presentation with inappropriate videos. In another, an employee hacked the manager's email to send out obscene messages to coworkers.
“It's becoming easier to fall victim to tech revenge,” Dr. Parker says. “People can now enact revenge from the comfort of their couches.”
An OD’s reputation is especially important in the local community, says Dr. Parker. A vengeful employee who doesn't have the know-how to execute a more technical form of tech revenge can easily target an OD’s reputation. This is especially worrisome because reputation attacks aren't necessarily illegal, yet they can be unfair and cause much harm, Dr. Parker says.
Tech revenge doesn't have to be limited to just office employees. A practice can be vulnerable to anyone who has access to technological components of the business:
• IT staff or contractors
• Business consultants
• Associate ODs
• Cleaning personnel
While Dr. Parker doesn’t presume everyone is out to get everyone else, he does say it’s important to protect vulnerabilities from acts of opportunity and the unknown. Many people may have access to privileged information without your realizing it.
There are many reasons why an employer might find herself on the receiving end of tech revenge. However, most can be grouped into one of several broad categories:
• Payback. Some people are vengeful by nature, and despite their seemingly friendly attitudes, the claws come out when they don’t get what they want.
• Robin Hood syndrome. There are people who take it upon themselves to teach employers lessons, especially when they think they were wronged or were treated unfairly. Often, this has a component of harming the employer while simultaneously attempting to do “justice” by former coworkers.
• Mental illness. Some people simply cross boundaries and may have psychological problems that can be triggered. Though this is not to be considered a common cause, it is a possibility that should be considered.
While the reasons are many, the loss to a business can similarly come in different ways.
• Data. Data is one of the most important modern-day business assets, and it’s the most common target for most employee revenge schemes. Data should be prioritized in terms of security.
• Money. Financial loss via missing cash or electronic funds is an obvious factor, but it can also come in the form of stolen property, bogus orders placed with vendors, or refunds given to clients.
• Reputation. A good reputation is vital for any OD wishing to do business in a community. Spiteful ex-employees could tarnish a reputation by writing negative reviews, sending obscene emails, calling clients, or souring contractor or vendor relationships.
• Staff. Vocal employees may sometimes attempt to convince others to leave the company, which could lead to a loss of important staff members. The Society for Human Resource Management (SHRM) estimates employee replacement costs to equal about 6–9 months’ salary for a given position.
Lastly, employee tech revenge costs the employer time. Reversing the damage takes time, and time is a commodity you can’t get back.
ODs wishing to protect themselves and their practices from such malicious acts first need to isolate possible damage as much as possible.
It begins within the office with something as simple as locks on doors to rooms with sensitive or valuable assets, Dr. Parker says. Some areas should also be off limits to employees and vendors, such as the primary office that has the checks and primary data servers.
“I put one of those button locks on my door, and all my staff thought I was crazy,” he says. “It's my office. It's where I keep the checkbook, all the employee files, and it’s where I keep all my contracts.”
Data protection involves a similar concept:
• Restrict access for each account you create. Nobody should have administrative-level access or be able to access the business’s full database. Not only is this playing with fire, it may also lead to a Health Insurance Portability and Accountability Act (HIPAA) violation. If a virus gets installed while a user is logged on as an administrator, that virus now has administrative access.
• Define user roles in your electronic health records (EHR) to customize access for each user, giving them only what they need.
• Do not share user logins because this is another potential HIPAA violation. Each user should have his or her own login and should use only that when accessing data. This allows potential violations to be tracked to the person committing them.
• Passwords should be changed every three to four months, and administrative passwords should never be shared.
• Have different passwords for different network systems. This ensures that knowing one password doesn’t mean knowing all other passwords.
• When hiring new employees, create new passwords for that person rather than revealing existing passwords.
Some of this may seem burdensome, but anything less can lead to major risk exposure from not only ex-employees but hackers as well. Dr. Parker recommends having a separate file on each employee that lists all passwords and accounts to which an employee has access. It’s then a simple matter of opening the file to see which accounts need to be deleted or have their passwords changed if an employee is let go.
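The access rules listed above and the per-employee access file can be checked mechanically. The following is an added example, not something from Dr. Parker or the original article; the field names, roles, people, and dates are constructed, and it assumes the file records accounts and password-change dates rather than the passwords themselves.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 120    # upper end of "every three to four months"
AUDIT_DATE = date(2024, 6, 1)  # constructed audit date

# Constructed inventory: one row per (system, login). Field names are hypothetical.
INVENTORY = [
    {"system": "EHR", "login": "jsmith", "users": ["J. Smith"],
     "role": "front-desk", "pw_changed": date(2024, 5, 1)},
    {"system": "EHR", "login": "frontdesk", "users": ["J. Smith", "A. Lee"],
     "role": "front-desk", "pw_changed": date(2024, 1, 10)},
    {"system": "Accounting", "login": "alee", "users": ["A. Lee"],
     "role": "admin", "pw_changed": date(2024, 4, 20)},
    {"system": "Social media", "login": "practice-page",
     "users": ["J. Smith", "Practice owner"],
     "role": "editor", "pw_changed": date(2023, 11, 2)},
]

def audit(inventory, today):
    """Return (system, login, finding) for every rule from the list that a row breaks."""
    findings = []
    for row in inventory:
        key = (row["system"], row["login"])
        if len(row["users"]) > 1:
            findings.append(key + ("shared login",))
        if row["role"] == "admin":
            findings.append(key + ("administrative access",))
        if (today - row["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(key + ("password older than 4 months",))
    return findings

def offboard(inventory, person):
    """Checklist for a departing person: delete their own logins, rotate shared ones."""
    actions = []
    for row in inventory:
        if person not in row["users"]:
            continue
        verb = "rotate password" if len(row["users"]) > 1 else "delete account"
        actions.append((row["system"], row["login"], verb))
    return actions

if __name__ == "__main__":
    for finding in audit(INVENTORY, AUDIT_DATE):
        print("FINDING ", *finding, sep=" | ")
    for action in offboard(INVENTORY, "J. Smith"):
        print("OFFBOARD", *action, sep=" | ")
```
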
Protecting social media accounts relies more on reaction than prevention. Apart from deleting employee access to company social media accounts, Dr. Parker also says ODs should monitor social media accounts for odd activity after any firing.
Google also provides an option to set up email notifications for whenever key phrases or words show up on news stories, articles, or new reviews. Lastly, Dr. Parker recommends not befriending employees on social media networks.
Ultimately, the best preventative measure lies in treating employees well. Content employees don’t typically seek to enact nefarious plans on unsuspecting bosses, apart from those seeking to defraud them.
Be fair with employees, and be clear with your expectations. When an employee is not meeting those expectations, make it clear what an employee is doing wrong before disciplinary action is taken. This helps to prevent situations in which employees don’t understand why they were fired, which is a common precursor to ex-employees feeling like they were treated unfairly.
Not all situations can be prevented, Dr. Parker says. If you suspect you’re the victim of employee tech revenge, don’t take it on yourself to confront the employee. Contact the police, an attorney, and your IT specialists if you think you’ve been compromised.