Here are the resources and transcript from episode 106 of our podcast Oral Surgery Admin’s Time Out Podcast: Practice Management Success Tips, which you can listen to below or find wherever you listen to podcasts. If you enjoy it, please subscribe, leave a 5-star review, and share it with your oral surgery colleagues.
Gary Salman and Black Talon Security have shared a very thorough emergency planning kit with listeners of this podcast. Get it below.
Join host Jill Dunnam and co-host Gary Salman (Black Talon) as they talk all things cybersecurity. They cover the latest trends in cybersecurity; how long hackers scan networks and steal data before encryption and ransoming for it; what they’re doing with your patient data on the dark web, why a cybersecurity is best equipped to fully protect your practice; and practical, proactive steps you can take today to defend your network.
Join host Jill Dunnam and co-host Gary Salman (Black Talon) as they talk all things cybersecurity. They cover the latest trends in cybersecurity, how long hackers scan networks and steal data before encrypting and ransoming it, what they’re doing with your patient data on the dark web, why a cybersecurity is best equipped to fully protect your practice, and practical, proactive steps you can take today to defend your network.
Jill Dunnam 0:04 : Hello, everyone, and thank you for joining our podcast. Welcome to the Society of OMS Administrators Practice Admins Timeout for Practice Management Success Tips.
Today we’re here with Gary Salman, CEO at Black Talon Security. Welcome, Gary, and thank you for joining us today to discuss this important topic. First, please tell us about yourself and Black Talon.
Gary Salman 0:25 : Thanks so much, Jill, for having me today. I truly appreciate it, and I’m looking forward to helping educate all your members.
Gary Salman: So in terms a little bit of background on myself: I have been in the dental technology space since the early 90s. I actually started my career as a programmer. My dad’s a recently retired oral and maxillofacial surgeon, and my freshman year of college, he came to me and said, “Hey, I need some software for my office, and there doesn’t seem to be really any specialty software out there, why don’t you help write it?”
Gary Salman 0:56 : So long, long story short, we built out a very sizable company servicing hundreds of OMS practices across the country. I built out one of the very first cloud-based health care platforms right out of a data center here in New York, where I still live. In 2002, we actually had about 2,500 OMS users running our cloud technology, you know, from all over the United States. So you know, that was my background from a OMS perspective.
Gary Salman 1:24 : I started getting into security when we deployed our cloud technology. Even back then, you know, talking 19 years ago, the Hackers were out there. I mean, they weren’t doing the type of damage they’re doing now, but, you know, systems were getting attacked. So I kind of, quote unquote, cut my teeth in security back then, trying to understand how Hackers breached these networks and the types of technologies and software that are available to prevent these breaches.
Gary Salman 1:50 : After that, I sold the company, worked for that company for many years doing OMS, practice management software and imaging. And then about, you know, five years ago, I was starting to get phone calls: “Hey, our practice got hit with ransomware. We’re down. What can you do to help us?” You know, “We need help. We can’t function.” And you know, the position I was in, I really couldn’t do much. And then those calls started to become a little bit more frequent. And I said, “Alright, there’s something going on here, I haven’t really experienced this before. Now, these practices are in a state of panic, you know, maybe there’s something I can do.” So we got a whole bunch of really smart people together, and some investors—mostly oral surgeons—and we started Black Talon. You know, we pulled some pretty significant talent into the organization, folks that worked for Fortune 100 companies, folks that worked on Wall Street that did data security, etc. And we said, “You know, what, we can do a really good job at helping this dental community prevent these types of ransomware and cyber-attacks.” And that’s basically how we started the organization.
Gary Salman 2:59 : I also have about 17 years of law enforcement experience, so I think what that does is it helps me understand the criminal element, right? I’m very technical, I understand programming. I’ve literally written millions of lines of code throughout my career. And this law enforcement background allows me to kind of think like the criminals and understand the criminal mind. And by combining those two traits, you know, we’re able to do a lot of really good things to help protect practices just like yours.
Jill Dunnam 3:27 : Wow, impressive. You’ve been doing this a long time, along with some influential players in the cybersecurity industry. Plus, it really sounds like Black Talon is a specialist in this field, much like OMS practices are a specialist in the dental field. So can you tell me what are some latest trends you’ve been seeing in cyber-attacks?
Gary Salman 3:44 : Yeah, you know, the game is constantly changing, right? We come up with measures to block these attacks, the criminals come up with counter measures. And over the last couple of years, we’ve really seen an evolution of cyber threats. If you go back three years ago, typically the average OMS practice that got hit would have maybe a server encrypted with ransomware, maybe a couple workstations. And the ransom demand might have been $5,000, $10,000. Right? Not a huge amount of money in today’s standards.
Gary Salman: Then we started seeing more widespread hits where you know, the entire practice was impacted literally every workstation and server was encrypted with ransomware. And the ransom demand started creeping up: $30,000, $40,000, sometimes more if you’re a larger practice, and the impact was greater. The amount of downtime increased from a couple days to maybe a week.
Gary Salman: And then about two years ago, at this point, I started warning that the intelligence community was basically, you know, picking up this intel that the threat actors were going to start stealing data and doing what’s called a “double extortion,” which basically means they not only encrypt all of your data with ransomware, but they steal all of your patient data first. And the reason they started using this methodology was because they could almost guarantee a payment from the business or the health care entity. Because if, say your practice has a viable backup, and you can get your system back online, and they just encrypted your data, you’re not going to pay, right?
Gary Salman 5:21 : However, let’s just say you do have a viable backup. But the threat actors, right, the Hackers, stole your data, and they’re telling you, “Hey, if you don’t pay us the ransom demand, we’re gonna publish and release all of your patient records.” That puts you and your doctors in a very precarious situation, right? Because what decision are you going to make? Are you really not going to pay them and have all of your patient records published and sold? I will tell you that close to 100% of OMS practices that have been put in that position opt to pay, because they don’t want all of the data exposed.
Gary Salman: So that’s the trend that we saw recently. But what are we seeing today? So what we’re seeing today is actually a triple extortion.
1. So the first one was the encryption of the data.
2. The second extortion methodology was the theft of all the data and the encryption.
3. And now what we’re seeing is the contacting of the data.
Gary Salman 6:14 : So what do I mean by that, Jill? What we’re really talking about is if the practice refuses to pay, they will extract the data out of all of the information they stole. So they’ll go into the databases, they’ll pull the patient’s names, their email addresses, their phone numbers, and they will literally contact them directly saying, “Hey, we hacked, you know, North OMS. The business owners and bosses are refusing to pay. We have all this data on you. We’re going to sell data and extort you directly if you don’t pay us $5,000, or tell the practice to pay us the money we’re asking for.” And they will literally send out emails—-
Gary Salman: Case in point, we just finished up a GP practice, not an OMS practice, but a GP practice in Arizona, where they actually didn’t contact the patients. But they got a list of all of the employees and their date of birth, their social security numbers, their home addresses, their cell phone numbers—and you can guess probably where: from an Excel spreadsheet in the HR file on a server—and literally started emailing all of the employees and doctors in the practice saying, “We’ve stolen all of your information, right, your identities are at risk. You tell the boss to pay us, or we’re going to perform identity theft on you personally, right?” So this practice was already facing a million dollar, a $1.1 million ransom demand that they refuse to pay, because they didn’t have enough insurance. And now they’re going after the employees directly.
Gary Salman 7:43 : So talk about turning a practice upside down and creating utter chaos. That’s what they try and do. So you have to understand, obviously, they’re criminals, and they will do whatever they can in order to get paid, because they’ve invested time at this point to get into your system, take this data, encrypt it. They want to make sure they get paid.
Gary Salman: So these are the types of trends that we’re seeing is they keep ratcheting up the threat level. And eventually, you know, the business breaks, right, they either have to make a decision to pay or they’re just going to, you know, walk away and deal with all the consequences from a, you know, a compliance standpoint, an HR perspective. So it’s definitely rough out there right now, and I think a lot of practices and you know, administrators don’t understand what’s really happening. They’re all betting the farm, that they have a cloud backup, or their data’s on the cloud, or they have a valid backup. And if they get hit with ransomware, they’re just going to press you know, the magic pink button on the backup system, and everything’s just gonna turn back to normal and they’ll, you know, have business, conduct business as usual the next day, and that just doesn’t happen. Most practices will be down for about two solid weeks, right? That’s the big issue. That’s also part of the trend, now. It’s gone from a couple days to a week to really a minimum of two weeks of complete outage before you’re restored.
Jill Dunnam 8:59 : Another trend I’ve been hearing about is that cyber criminals are not only stealing that information, but selling it on the dark web. Can you talk about that a little bit?
Gary Salman 9:07 : Right. So this is our personal data, and you can do some research, and you’ll see that other cyber firms are reporting about the same percentages. But in all the cases we deal with because our business is not only about prevention, but we get calls from practices all over the country saying, “Hey, we got your name. We got hit with ransomware. Can you help?” But about 75% of victims of ransomware attacks are also victims of data theft. So what the Hackers do, as I started to talk about before, is once they break into the system, they will do what’s called data exfiltration, which means they steal every piece of data they can get their hands on, which is usually close to 100%. And once they steal this data, if the practice refuses to pay the ransom demand, what they will do is they will publish between 1 and 10% of your data. And it’s on the dark web, so as long as you have a browser and your computer set up properly, and you know what you’re doing, you can actually go and look at your own data. And it’ll have the patient’s name, click on it, for instance, it’ll have their x-rays, it’ll have their lab reports, health history forms, everything, right there for public view.
Gary Salman: And the reason they do this is basically to get a little jab in, right? They basically say, like, “Hey, you don’t believe us? Alright, we’ll prove it to you, here’s a link, go to it, and you’ll see your patient data being published.” So what often happens then is the practice has to now make a decision, they’re like, “Okay, this is real. They really did steal our data. It’s not, you know, an idle threat. We may have a different decision tree, right? Now, we may actually have to pay because the ramifications of all of this data leak is huge.”
Gary Salman 10:39 : If you look at some of the OMS practices that are out there, especially the multi-office ones, or the very large single location ones, the amount of patients you have in your databases is huge. There are OMS practices out there that have way more data than a lot of hospital systems have. Why? They’ve been in business for a long time, they have many locations, many doctors, you know, obviously, there’s a large number of patients flowing through. So they’re OMS practices that have, you know, close to a million patients in there. Imagine that data being dumped on the dark web.
Gary Salman: So why did they dump it? Well, first is this threat, right, to kind of just almost guarantee that the practice is now going to pay them because you don’t want that data out there. Then there’s value to the data. Hackers and criminals know that health care records are really accurate in terms of identity, you know, first name, last name, address, date of birth, social, driver’s licenses, insurance cards, sometimes credit cards, if the practices isn’t securing those properly, and they know that the data is going to be accurate. So if they want to do identity theft, etc, there’s tremendous value there for them.
Gary Salman 11:44 : And a lot of these databases, as much as people want to believe that they’re secure, and, “Oh, I talked to them, they’re encrypted, right? My data is safe.” The reality is, many of these databases are old technologies, many of the passwords are weak, right? There’s public information out there on how to exploit these databases. So, you know, I think a lot of practices hang their hat on the fact that “Oh, my database gets taken, it’s all encrypted, it’s protected.” I would challenge you to think differently about that. Because if you look at these big data breaches, or some of these Fortune 100 companies, do you really believe their data wasn’t encrypted? You know, of course, it was, right? But the Hackers figure out a way to get into these databases and extract the data. So that’s why this data is so valuable. And that’s why we’re seeing it stolen in three quarters of the cases.
Jill Dunnam 12:32 : That’s horrifying. So what happens once the data is sold on the dark web, somebody buys it? And also kind of along that, what are the implications for oral surgery practices with HIPAA?
Gary Salman 12:43 : Right? So that’s the problem, right? You have compliance issues, you have state issues. And I want a lot of your members to think about this, because I know many of your practices have patients from bordering states, right? So, think about northeast. You could have a practice in the New York area that has patients from New Jersey, from Connecticut, obviously, you know, from New York. So now you have three state regulatory bodies that are going to be knocking on your door asking about this. And then obviously, you have HIPAA.
Gary Salman: So we work with a lot of attorneys on these cases. Pretty much every practice that has a ransomware attack typically retains counsel, so we work directly with counsel. So we have some really good insight in terms of actually what’s happening here, not, you know, theoretical, or I read an article about it per se, firsthand knowledge. And typically what happens is, if it can be proven in a couple of different ways that the data’s actually been stolen, the attorney is going to tell the practice, “You have a reportable event. You’re going to have to file with the Office for Civil Rights. And there’s a portion of the HIPAA law related to patient notification that will be enacted, and you will have to send a letter to every single patient, you know, indicating that their data was, you know, potentially compromised, you know, they have the option to get identity theft monitoring, you know, through the practice, you’d have to set up a call center, so patients can call and ask questions; typically, the attorneys will set that up for you so you’re not fielding those calls at your practice. But I mean, that’s typically what happens.
Gary Salman 14:16 : Your information will be 100% public. There is a website that is literally called “The Wall of Shame” that is hosted by the Office for Civil Rights. And the second you file, your name will be posted to this public website and database, and it will indicate the type of event. So it’ll say like North OMS, hacking incident, and then the date, and then the number of patients impacted. And the problem with that, Jill, is that becomes, quote unquote, you know, a Google search. So someone searches North OMS, and Google will return a listing to that on The Wall of Shame. Right? So now you have a PR issue.
Gary Salman: So yes, there’s tremendous HIPAA issues related to this. I did a podcast just the other day with an attorney who’s represented a whole bunch of OMS practices in these ransomware cases. And one of the things he’s starting to now talk about, and he discussed it on this podcast/webinar the other day, was the fact that attorneys, right, are starting to mine this data, and starting to establish class action lawsuits against these practices.
Gary Salman 15:23 : So now you have a whole litany of issues. You have, “I gotta pay this ransom, my practice is down. My data has been released, I’m filing with the Office for Civil Rights. And now I have potentially law firms coming after me for class action suits.” Right? So it’s not as simplistic as people think it is. Because I hear a lot of technology, people go out there and say, “Well, you have a good backup, Jill, right? You’re backing up well, so if you have a ransomware attack, you’re fine. Don’t worry about it, you just restore your data.” They’re really missing 90% of the issue, right? They’re really missing all the ramifications of the actual attack, not just the restoration of data. Of course, I’m a huge proponent of having good backups. And we’ll talk about that as well. But you can’t bet the farm, per se, on just having a good, viable backup.
Jill Dunnam 16:09 : So many aspects of that scenario that we would all prefer to avoid. I would like to back up just a little bit and want to talk about when the cyber criminals really get into the network. So is it true that a lot of times they’re already in there undetected? You know, on average, I want to say, how long would you think Hackers have been there? And what are they really looking for?
Gary Salman 16:30 : Right. So as part of our investigations into these cyber events, we perform what’s called a forensics investigation. This is where we take basically a mirror image of the impacted machines. And we have certified forensics analysts that, you know, work for us. And they analyze every, conceptually, bit and byte on the machine. And what they’re able to do is determine what the entry point was, right? The date and time that they got onto the system, what files they accessed, what files they took, the types of malicious tools—known pretty much as like hacking tools—that they deployed on the network, when they disabled, you know, the antivirus software, etc. And as part of this investigation, we’ll have, quote unquote, you know, ground zero, right, or patient zero, depending on what terminology you want to use.
Gary Salman: So let’s say patient zero is the workstation at the front desk, someone clicked on a phishing email, or it was a hacking incident. We’ll know literally to the second when that person gained access to that machine. And then we can also say, “All right, they gained access on, you know, 9/2/2021 and on 9/22/2021, the ransomware code was executed.” Okay, so you have about a 3-week period, that they were actually in the system. And we know because of high-speed internet, and you know, the ability to move data around really fast, couple hours in almost any one system is plenty of time to download your entire patient database, right? Maybe not all your cone beams and your x-rays, because those are pretty big, but a couple hours in a system is usually more than enough to offload all of your data.
Gary Salman 18:04 : So our average to answer your question is about three weeks. The threat actors will go undetected in your network for three weeks now. So many practices, when I talked to them about this, say, “Oh, well, our IT company will pick up on this, and they’re going to know.” And I said, “What tools do they have in place to know this?” And typically, I get the million-mile stare, and they have no idea. And I say, “Look, I’ve never once, in four years, had a dental practice—we’ve had some businesses that are an exception—but I’ve never once had a call from a dental practice saying, “Hey, our IT company thinks we’re under attack. We need some help.” When they actually call is when they have a note on the screen indicating that their system has been encrypted by a threat group, and they’ve you know, all the files are unaccessible, because they have ransomware. That’s the endpoint, right? That’s when they know that they’ve been compromised. Not some alarm going off on their computer, where their IT company’s system is warning that this system is under attack.
Gary Salman: We have dealt with those types of events and been able to block ransomware attacks because there were some indicators going off that network is under attack, but I’ve never seen it in the OMS space. But many practice administrators and doctors kind of have this feeling that some alarm bell’s gonna go off and alerts gonna go out and they’re gonna take some type of proactive measure to block it. I haven’t seen it.
Gary Salman 19:27 : So many larger businesses—I’ll use larger meaning relative to an OMS practice—they have what’s called a SIEM in a SOC. It’s basically a Security Incident and Event Management.
Gary Salman: So for instance, if a Hacker gets into your system and creates a new account on your computer, without a SIEM, an event logger, telling someone that this is happening, you would have no idea, like if I log into your computer right now, there’s no alarm bells going off anywhere. But if a business has this SIEM, that information is transferred to a SOC, which is a security operations center, someone sitting in front of a monitor literally sees a computer has a new account. Why? Why did that just happen? And then they can literally take human action from there. The problem is the cost, right? Most OMS practices probably can’t afford something like that, because the SIEM in SOC solutions sometimes run $5,000 a month. So that’s where typically, you know, these medium sized and larger companies have this. I will tell you that this XDR software that I recommended earlier is getting closer and closer to that. And you know, it’s not a true SIEM in a SOC solution, but it is an autonomous solution that, I think I forgot to say this, an artificial intelligence system that will basically operate on its own and, you know, fend off an attack.
Jill Dunnam 20:45: Wow. So you previously mentioned to me that a threat actor had not only encrypted a client’s data and ransomed it, but because they had access to the company’s network long before they were detected, they were able to threaten the executives directly. Want to share more about that event?
Gary Salman 21:00 : Yeah, sure. So full disclosure, this was not an OMS practice. This was a business, you know, about $7 million a year in annual revenue. They contacted us through an insurance company, and said, “Hey, we got hit with ransomware. And you know, we’re struggling to get our systems back online.” So when we got onto the system, we started asking some questions. And the IT person said, “Well, I’ve already emailed the threat actor my information, and I’ve been emailing back and forth with him.” And we said, “Alright, well, what email address did you use?” He said, “Well, I’ve been using my personal.” And we say, “Can we look at that?” And we looked at his personal communications with this threat actor, and unfortunately, it had the employee’s real name, and their cell phone number. So we advise them that you’ve now given the criminal information about who you are personally, right? So that’s an issue, they could come after him, family, things like that target them, you know, from electronic standpoint, obviously. They also have your phone number.
Gary Salman: So about a day later, he started receiving phone calls through, you know, people can get these anonymous Google phone numbers. And he started receiving these numbers he didn’t recognize, and he picked it up. And it was actually the threat actor, calling him, basically demanding the ransomware payment be made immediately. So he had a very quick conversation with them ended up hanging up the phone. We advised him to no longer take calls from them, for obvious reasons. So a couple of days later, when the ransom still hadn’t been paid yet, because there’s still some evaluation going on in the network and backups and other things, we get a frantic phone call from the chief financial officer saying that he is now receiving these voicemails on his phone and the rest of his executive team—CEOs, vice presidents of the
company—are also receiving very threatening messages. And they were escalating: it went from let’s play a little nice with our victims to, you know, full on threats.
Gary Salman 23:00 : So you know, from a psychological standpoint, this is very damaging to the organization, because it was at first a business transaction, right, their businesses isn’t functioning, but now it’s turned personal. And this is when things really started to escalate. And frankly, what basically started happening is the executive team was like, “Alright, we probably need to pay more than we think we need to pay, because this has to stop.” So in a sad kind of way, the criminals won by doing that. And that’s not what we want, right? But that was the outcome.
Gary Salman: It turns out that the Hackers were able to exploit a file containing the entire executive team’s information right out of their email system. So they had everyone’s personal information. So this was not going to go away. This wasn’t “Hey, they did a little research and came across someone’s phone number.” They had everything, right. And that’s typical in these cases, like I described before. So then they started, like I said, with the voicemails and the, you know, harassment via phone. It’s horrible, because every time their phone rings, the CFO would say, “If I don’t recognize the number, I’m in fear that it’s, you know, him calling me again.” That’s something we don’t think about. Right? We talked a little bit, Jill, about them contacting employees through email, but now this is really personal, right? Someone actually calling your cell phone and making these threats, you know, ratchets it up quite a bit.
Jill Dunnam 24:23 : It sounds like you guys have a recording of one of those voicemails, are you able to share that with us today?
Gary Salman 24:27 : We do. And I think this is something that I’ll say it’s tough to listen to. But it’s important, right? Because I think your members need to understand what is actually happening right now. So I’m going to play it for you here. We did bleep out some stuff. There was a tremendous amount of profanity, and some threats, and the dropping of people’s names and hometowns. So we did cut that out of the recording to protect them. And I do want to reiterate: this is our client. This is not something we just grabbed off the internet for show and tell. So I’m going to go ahead and play this now.
Hacker 25:01 : Hi is Josh from [REDACTED] restore. Hello, why are you insulting us with this hilarious offer? Twenty-five thousand is nothing to us. We have seen your contracts, invoices, and renumeration. You know that you have money… so stop [REDACTED] us and let get down to business, shall we?
Hacker 25:22 : We would consider anything from a thousand hundred, a thousand, uh, I have to check our offer for you. Yes, we would consider anything from a hundred thousand and upward.
Hacker 25:38 : If you continue to waste our time like that, we will start leaking your information. We will send it to your clients so they can see how secure their information is in your hands. We will send it to your competitors, and also the local news, the local New Jersey media. The press just loves this kind of stuff, especially lately.
Hacker 25:02 : And I do believe we can divorce your side. And we can auction your files from our document platform for anyone to buy. It wouldn’t be much money, but if you don’t pay, this is what we are going to do.
Hacker 26:13 Do you really hate your company that much, Mr. [REDACTED]? We have already proved to you that our decryptors work. After the payment, we will also delete all your files from our cloud server. It’s not too difficult for us to do that. Don’t… Don’t be so greedy. A hundred thousand is not that much for you, so stop [REDACTED] with our patience and why don’t you send this amount.
Jill Dunnam 26:44 : Wow, so for any of our listeners who couldn’t understand some of that, we will have the transcript loaded in the show notes if you want to review that on what they were actually saying some of it was a little hard to understand.
Jill Dunnam: Definitely, in reality, this is very eye opening. It’s just so beneficial to be able to learn from other people’s experiences, we can take steps to avoid finding ourselves in a similar situation.
Jill Dunnam 27:05 : Being prepared really helps to shed paranoia and fear. Can you, Gary, provide us with some preventative measures that our colleagues could take now to help them avoid becoming a victim?
Gary Salman 27:15 : Absolutely. And I think that’s the key here, Jill, right. As crazy as this stuff is, I will tell you that if practices implement sound security measures, above and beyond probably what they’re currently doing, this stuff’s actually preventable. And that’s got to be a big takeaway: as horrifying and sad as this stuff, is you can win this battle. And that’s the message that, you know, I want to come across to all of your members is, hey, you just got to step it up a little bit, right, you got to be willing to invest. This is kind of a cost of doing business now, right, is securing your business, you know, and your patients and the livelihood of your doctors.
Gary Salman: So let’s go through some things that practices should be doing in order to protect themselves. So let’s start with backups. Right? backups are critical. We know it’s not the end all to be all. But it can often change the path you may have to go down when you’re the victim of an attack. Now, keep in mind backups are also good for non-cyber events: floods, fires, you know, server meltdowns, civil unrest, right? There are practices out there that were in some major cities that had their windows smashed, and all their computers stolen, right? They may have wished that they had a plan in place to try and prevent the loss of their data. So backups are critical.
Gary Salman 28:36 : Most practices nowadays seem to have migrated strictly to cloud technology. Now, that’s good, but there’s also a problem there. Anything that’s connected is vulnerable. We’ve had numerous cases where the practice has called us and said, “Hey, I got your name from this person. We got hit with ransomware. But we have a cloud backup.” And you know, in the back of our head, we’re like, “Alright, this may still be really bad for them.” And we’ll log into their cloud technology, and there’s no backups there. The threat actors have figured out how to get into it, and how to wipe the cloud backups. But I do believe that cloud backups is a good technology, but everyone’s got to understand that it’s not the end all to be all.
Gary Salman: We are recommending something called an air-gapped backup. Now this is a very old school approach. And if you’ve been in your practice for—call it more than seven-ish years—you probably remember the days of having to hook up some type of backup device to your server, running a backup, and then hopefully disconnecting it, and popping in a new backup solution. Right? Cloud came, and the IT companies were like, “Aw, that’s ridiculous. That’s old school. Who the heck does that anymore, right? You just need to back up to the cloud.” Well, let’s go back to my first statement where the cloud gets wiped and now you have an encrypted server with no viable data, and your cloud backups are gone. So what do you have? Nothing. So this concept of air gapping has come back, and I will tell you that most of the Fortune 500 companies, right, these multi-billion dollar companies are now doing this. They will literally run their backups and disconnect them from all network access. Why? Because if it’s disconnected, quote unquote, air-gapped, no one can touch it. So we’re recommending now that practices go to this air-gapped technique, you know, having some external backup solution that is rotated every day, and literally leaves the office, you know, the kind of the old school where a doctor used to throw it in her backpack, for instance, or her bag and bring it home with her, and the next day, bring it back. So something happened, like, “Hey, that’s horrible. We lost a day, but we haven’t lost 20 years.” So backups are critical.
Gary Salman 30:39 : Now, the next part of that, Jill, is validating your backups. So I will challenge every one of your members here. How many of you have actually asked your IT company to restore all of your data, and then point your practice management software and your imaging software at that restored data and open the data?
Gary Salman: So the other thing we see is practices get hit with ransomware attack, they have what they consider a viable backup, we start pulling the data off the backup, and we’re like, “Hey, guys, where are all of your x-rays?” And the IT companies like, “Whoa, hold on. Yeah, there’s a problem here. Someone forgot to flag that folder or drive. We don’t have that data.” Or worse your practice management software and all your EHR.
Gary Salman 31:24 : So this type of technique, right, having them restore and validate is critical, right? You should invest, say, a Saturday of your time to do this, right? And you can’t take their word, right? The IT company. You want to put eyes on it. And what I’ll say is randomly pick 10 patients over the last couple months. And then once they restore it, open up those patient records and make sure everything is there, all the attachments, the 2-D images, the 3-D images, you know, EOBs, insurance claims, everything is there. And then you can say, “Hey, we did our due diligence, right? We did a good deed for this practice. We know our data is being backed up.”
Gary Salman: What is your course of action, when the data is not there. You can’t make the IT company produce it if they screwed up and didn’t back it up properly. So backups are critical.
Gary Salman 32:13 : Hackers break into systems in two ways, for the most part. One is through social engineering, where they trick a doctor or an employee into clicking on a link or opening an attachment. And then that action results in the delivery of the ransomware code directly into the computer, and then it spreads throughout the network. And the other way is a hacking incident where Hackers literally kind of do this spray and pray thing where it will scan the internet for, you know, hundreds of millions of IP addresses. And if they happen to come across your practice, because your IP address is exposing a vulnerability, they’ll then sit there and pick their way into your system. So vulnerability management is critical. Vulnerability management is not patching computers per se. Vulnerability management involves typically a cybersecurity company analyzing all of your computers every couple of hours looking for vulnerabilities on at least a monthly basis. Analyzing your firewall to make sure it’s configured properly, making sure it’s not exposing things.
Gary Salman: We see this all the time. We’ll run tests on a firewall today for a client. And then in four weeks from now, we’ll run another test and firewall’s all of a sudden exposed. Well, how the heck did that happen? Someone made a mistake at the IT company. They left something open. The software on the firewall was out of date. Another vendor came in and made changes without notifying the IT company, and they’re leaving the practice exposed.
Gary Salman 33:38 : So having this on-going vulnerability management handled by a third party to validate? You gotta do this, because the Hackers are scanning your network, probably one of the best quotes I’ve heard—I sit on a lot of different panels with federal law enforcement—and one of the agents said, “That there’s two ways to get a pen test, penetration test: you can either pay a cybersecurity company to do it. It’s going to cost you a chunk of money. Or you can have the Hackers do it. They’re not going to charge you anything, but it’s going to cost way more than that penetration test would have cost.” And as funny as it sounds, that agent nailed it. Right? He was dead on and he made that comment and it’s just like you’re gonna do it or the Hacker is gonna do it for you. And that’s why businesses are getting breached.
Gary Salman: So right, training your staff, so they don’t click on these things. Doing this vulnerability management and penetration testing to make sure that your devices and your firewalls aren’t exposed is critical. Assessments, like a security risk assessment, a risk analysis, these are critical components, because practices—it doesn’t matter what size you are, whether you have six computers or you know, 160—you have exposure. And most of the time, practices have no concept of where they’re exposed, because they don’t know the correct questions to ask.
Gary Salman 34:55 : So these risk assessments basically walk you through potential exposures, right? So, you know, one of our security guys, for instance, will get on the phone with the practice administrator and the IT vendor and say, “Hey, we’re going to spend about an hour and a half on a call. We’re going to go through approximately 125 questions, and we’re going to help understand where you have risk. And then we’re going to make really good suggestions on how you can minimize that risk.”
Gary Salman: And the interesting thing, Jill, is that a lot of times the recommendations that our security folks make, they don’t cost the practice anything, right? Hey, it’s like, “Do this, instead of that. Use this piece of software, instead of that. Turn this feature on because you’re not using it, it’ll help secure.” And you’re like, “Wow, I never even really thought about that. I didn’t realize that could be a breach point for us.” So assessments are really important.
Gary Salman 35:45 : There is some new technology out there called extended detection and response. The best way I can describe this is think of it as antivirus on steroids. The big problem right now is antivirus software doesn’t typically stop really any form of ransomware. It’s highly ineffective. And just think of it logically: if a $7 piece of software, right meaning this anti-virus software can stop ransomware, everyone would have it, okay.
Gary Salman: There is some newer technology called XDR, which is extended detection and response, which uses artificial intelligence. It’s an agent that sits on all of the computers in the practice, and it looks for the fingerprints of an attack, it looks for the types of tools that Hackers would deploy in your network to launch an attack. It has the ability to analyze code that’s coming into your system, and instantly determining if it’s malicious or not, and killing it. So the concept here is that this XDR software sits on all of your computers, it then communicates back to basically a supercomputer in the cloud, and it’s saying, “Hey, here are all the things going on in the network. Oh, on computer one, there’s a little something that looks weird here. Computer five, whoa, this looks like a hacking tool. Computer seven, whoa, this is malicious code.” And then within a fraction of a second, it launches basically a counter strike: it’ll kill the malicious code, it’ll isolate those three computers, and then it instantly alerts a company like ours, saying, “Hey, this network’s under attack. These are the things I’ve done, you know, you may need to get involved as well.”
Gary Salman 37:22 : Very effective technology. This is the type of technology that practices should have. This technology should be deployed by a cyber firm; this is pretty advanced technology, we’ve had IT companies that have tried to deploy this, and they’ve literally shut the networks down for the practice for days, because they didn’t understand how to use it properly. So: very, very effective. And I will tell you that, starting now, but definitely in 2022, when you start renewing your cyber policies, they’re going to ask you if you’re using this technology, and I’d be willing to bet that in 2022 to 2023, this is going to be a requirement, right? This isn’t going to be optional anymore. I mean, if you want cyber coverage, you better have this type of technology along with some of the other things that I’ve just described in place, otherwise, they won’t bind coverage.
Gary Salman: So those are some of the things that can be done from a cyber preventative perspective. The other thing, Jill, that I think a lot of practices, forget about, it’s like, “Hey, let’s prevent the fire on this side of the office. But on the other side, we’ve completely forgotten about something.” That’s email, right, we get a lot of phone calls from practices all over the country saying our email got hacked. And way too many practices, put basically zero focus on their email. But I want everyone on this podcast to sit back and think a minute, and be honest with yourselves and say, “What’s in my email that shouldn’t be there right now?” And then think about someone having access to every single email account in your practice, including your doctors, administrators, financial people; if all that information was accessed, what would that mean for your organization? That’s what’s going on, right?
Gary Salman 38:57 : So what happens is a lot of these IT companies will say, “Oh, you need email? no problem. We’ll turn on Office 365. We’ll turn on Microsoft 365. We’ll get you all set up. You’re good.” There’s 600 controls within those platforms that have to be checked in order to ensure proper security. Do you really believe the IT companies are doing that? Zero chance, right? So then these email systems get breached. And it puts the practice in a very precarious situation, because even though we told the doctors not to send patient information through the email, we all know they do, right? The referral’ll send it to you. And then you’re gonna say, well, the referral sent it to us, it’s not our problem. Oh, no? Your email just got breached, and you just exposed that patient’s data; that’s not your problem? So it doesn’t quite work that way. Right?
Gary Salman: So we need to think about all the possible places that you have exposure and deal with it. And this is really where, you know, specialists like us come in: we can help identify where you have risk and then put things in place to protect them. So that’s a very high level, Jill, those are what I would call the basics that need to be in place from a cyber perspective.
Jill Dunnam 40:04 : Couple things in there I wanted to note: you mentioned IT companies and cybersecurity companies. I want to hear your thoughts on the difference between the two.
Gary Salman 40:13 : Right. I think this is the biggest problem in the industry right now. Mostly in health care. We don’t see it as much in the business world. But in the health care space—dental and medical—what’s happening is the practices and these health care orgs are saying, “Ah, my IT company can do security for me, I’m fine.” And to most administrators, to most doctors, that’s the only answer. They need to hear. “Oh, my IT does security? Fine, good, we’re protected, we’re good. High five, everyone, we’re doing the right thing.”
Gary Salman: So let me ask you this. Everyone works in the OMS space. Your child needs orthognathic surgery; where are they going? You sending them to the orthodontist? Are you sending them to the GP? Or are you saying, “Heck no, they’re going to an OMS.” But the orthodontist, the GP and the oral surgeon: are they all doctors? Of course they are. But they have very different roles in the health care space. So what we see now is because cyber is so hot, the IT companies are running around, they’re posting all this stuff on their website saying, “Oh, we have technology that will stop ransomware and protect you.”
Gary Salman 41:19 : But they have no one in their organization that has any credentials or training to be able to do that. They’re literally buying a piece of software off the internet and dropping it on your network and saying, “See that little icon on your computer. That’s the new anti-ransomware software, Jill. You’re good. Don’t worry about it. have I taken care of you for the last 10 years? Have you ever had a problem before? Don’t worry about it. This is all hyped up.”
Gary Salman: That’s what we’re seeing going on right now. It’s no different than a doctor saying that he or she is a doctor and has no DDS, DMD, or MD behind their name. Anyone in the IT space can hang a shingle on their website and say they do cybersecurity. There is no regulatory body that says you have to have certain credentials to do this. To get cybersecurity credentials, like legit credentials, you got to be in this space for a long time, you have to take a very complex tests and classes in order to get you know certified. But people think that, “Oh, Dave has built my home network. He knows how to build servers. He fixes any problem we have. So by default, he must know cybersecurity.” It’s a totally different animal. Okay. It’s kind of like saying, “My dentist can perform a colonoscopy on me, right?” It’s a harsh example. But that’s literally the analogy that, you know, I came up with, because that’s what’s going on right now.
Gary Salman 42:44 : So everyone’s trusting their IT folks to do security. And then they turn around. I think probably the saddest story I have is client now, but she was a client of mine with my very first company back in the early 90s, a great friend of mine, husband’s the OMS, they came to my wedding, you know, met my kids, everything. And she got the letter from OMSNIC, and OMSNIC was advising all of their OMS practices to engage with a cybersecurity company to mitigate risk. And they recommended us, so she calls me up. She’s like, “Hey,” this is, you know, three years ago. “Hey, I just got this letter from OMSNIC, What’s going on?” So I explained everything to her. And I said, “Marie, listen, you know, you have to do in the end what you think is right for your husband in your practice. But I’m telling you this stuff is real, because we see it all the time.” She’s like, “Alright, let me get talk to my husband. I’ll get back to you.” So she calls me back two days later, she’s like, “Listen, Joe is the head of IT at the local hospital. He knows what he’s doing. He’s promised me that he knows how to, you know, protect my practice. So I think we’re just gonna stay with Joe.” I said, “Okay, Marie, no problem. If you need anything from me, let me know.”
Gary Salman: Fast forward, you know, about two weeks later, on a Saturday night, I get a phone call from her. And I’m like, “Whoa, what is going on here? Why is she calling me this late.” And I pick up the phone and she’s literally crying hysterically. She’s like, “You were right. You warned us. We got hit. Every machine is encrypted with ransomware. There’s a note they stole all of our patient data. We’re one of the busiest practices out here. You know, we have 100,000 patient records. We’re going to lose our business, you know, my husband’s going to lose his livelihood.”
Gary Salman 44:16 : Right, but this is exactly my point: as an OMS, right, or an administrator for an OMS, you understand the concept of specialization. And the concept of specialization 100% applies in the IT space as well, right? We’re not an IT company. We don’t sell computers, we don’t sell firewalls. We don’t really sell anything. We conduct highly sophisticated tests using very sophisticated software and highly trained individuals to help you protect your practice, versus a generalist who is going to throw a piece of software on your computers and tell you you’re fine and you’re good to go. So long winded answer, Jill, but I think that’s the best way I can describe it, right? The concept of specialization is so critical in any aspect of business or health care.
Jill Dunnam 45:01 : It definitely makes sense. I feel bad for any of our listeners who have an IT guy named Dave or Joe.
Gary Salman 45:07 : Yeah, exactly.
Jill Dunnam 45:09 : Gary, if somebody’s listening really needs to get your help. What’s the best way for them to get in touch with you?
Gary Salman 45:16 : Sure, couple ways you can always visit BlackTalonSecurity.com. You can also email sales at Black Talon Security dot com. I’m happy to give out my direct line as well. That’s no problem. I always say that I want to be a resource and I want to educate even if you’re not a client, call me ask me a question about something. This is a community. But my direct line is 914-600-1256.
Jill Dunnam 45:43 : Great, thank you for that. Also, it sounds like you have some helpful resources you want to share with our listeners today. Please tell us about the emergency planning kit you’re making available to everyone in the show notes.
Gary Salman 45:53 : Sure, one of the things we see in any type of incident, whether it’s a flood or fire or cyber event, is these types of events cause a lot of chaos and panic. And often there’s a lot of disorganization, misinformation, or better yet, lack of information.
Gary Salman: So what we’ve done is we put together a document which SOMSA will distribute it to everyone, which basically helps you put together what we call an emergency kit, kind of “Hey, pull here in case of fire.” And what this kit does is it allows you to consolidate a lot of critical information in a single place. And what we see in a lot of practices is, “Oh, the doctor only knows that. Oh, the practice administrator only knows that. Well, I can’t get a hold of the doctor, she’s on vacation, and we need this data. Who’s gonna figure out how to get it?” And in these emergency situations, many times, hours are critical, days are critical in terms of being able to get back online. So what this emergency kit will do is it will help you understand all of the important information that you need to consolidate. And I’ll just give you an example: critical phone numbers, license numbers, account numbers, discs, right? CDs to reinstall software, policy, numbers, etc. so that in the event you have an issue, you can say, “Okay, this box is located here, let’s get the box so we have all this information, because we’re going to need to start disseminating this, we’re gonna need to start contacting people.”
Gary Salman 47:20 : And in many cases, this can shave off a day to maybe two or three days of recovery time, because you’re all organized. Sometimes these events happen on the weekend, can’t get a hold of the people you need to get ahold of, but you pull out your emergency kit, you’re like, “Yep, I’m prepared for this. I’ve, you know, put things in place to prepare. And here it is, let’s go.” And then you know, it’s a great, from a leadership perspective that’s strong, to be able to show that you’re really organized, and you’ve thought through these scenarios, it’s no different Jill, then practices preparing for some type of medical emergency, right? You basically run through the whole scenario, maybe minus dialing 911. So conceptually, the same thing.
Gary Salman: The only other thing that I would want to add, Jill, to this is, and we’re seeing this now, is your cyber policy, right? What the Hackers will do, is actually search for a copy of your cyber liability policy. And then they’re going to read it and be like, “Oh, North OMS has a million dollar policy. No problem, we can ask for a million dollars now.”
Gary Salman 48:24 : I highly recommend you never store your cyber policy in your email, or on any computer. Print it out, right. Keep it on some type of removable device, which I don’t love, but that’s another option. But it needs to be somewhere pretty much hard copy because the second they get a digital version of that, it’s going to be kind of game over for the practice. And typically they’re going to max out the policy for you, so you’re going to be left paying all the additional fees, like legal fees and compliance fees because the Hackers know that they’ll get the million dollars, and you’ll have no policy left to pay for the attorneys and everything else. So anyway, just a really good piece of advice.
Jill Dunnam 49:03 : Great. It’s crazy how criminals get so creative about that.
Gary Salman 49:06 : No doubt.
Jill Dunnam 49:08 : So now that emergency kit is such a fantastic resource. Thank you so much, Gary.
Jill Dunnam: And I also want to say thank you all for listening to this episode of Practice Admins Timeout. We love bringing you practice management success tips and information on great companies that are striving every day to support what we do.
Jill Dunnam: If you enjoyed this episode, please be sure to rate the podcast. sharing it and following us on Facebook, Twitter and LinkedIn also helps other people find our content. Bye for now.