Episode length: 1h 14m | Published: 2021-08-23
Dental practices hold an enormous amount of sensitive data — patient records, financial information, insurance details — making them high-value targets for cybercriminals. Prosperident's David Harris, Wendy Askins, and Amber Weber welcome Gary Salman, CEO of Black Talon Security, for an urgent and practical discussion on cybersecurity breaches and ransomware attacks.
Topics covered include:
About Gary Salman: Gary Salman is the CEO of Black Talon Security, a cybersecurity firm specializing in the protection of dental and healthcare organizations.
Employee theft increasingly involves digital access — practice management software, billing systems, and patient payment portals. Prosperident investigates financial crime wherever it occurs in your practice.
You are listening to the Dental Practice Owner's Podcast, brought to you by Prosperident. From our unique perspective as dentistry's embezzlement experts, Prosperident's team can bring you the information that is important to practice owners. The Dental Practice Owner's Podcast brings you strategies, tools, and tips that you can use, and dentistry's thought leaders as guests. So sit back, relax, and listen to Prosperident's Amber Weber, Wendy Askins, and David Harris talk about the issues that matter to you. It's the Dental Family.
Welcome this evening to our Prosperident Power Hour. I'm Wendy Askins, one of your hosts from Texas. We also have Amber Weber, a co-host from Texas, and David Harris, Prosperident CEO, from Halifax, Canada. And we are so honored to have Gary Salman here with us this evening from Black Talon Security.
Cybersecurity is like way over my head, but it's something I'm very interested in and I'm very afraid of it, honestly. And Gary's going to lay it all out for us in an easy, simple manner to understand so we can learn how to protect ourselves. We also have Sheila O'Driscoll on our chat with us this evening. So if you want to chat us up and make comments that are relevant to
the subject matter, please feel free to do that. If you want to submit a question, we ask that you use the Q&A button at the bottom of your screen so that question comes directly to us and we can get Gary to answer that for you. Now, we're ready to start. All right, well, thank you so much and honor to be here.
Let's go ahead and get our presentation going. Just one second, Gary, you're one slide ahead of us, buddy. All right, no problem, go for it. It's good to be enthusiastic, but we're not there yet, man. Well, we are excited that our audience is joining us again. We're getting ready for our final curtain call.
While we've enjoyed spending time with you every month during the Prosperident Power Hour, we're going to be ending our webinar series next month, and we're going to talk about everything important about embezzlement in one hour. So it's going to be jam-packed full of information. We hope you invite your friends.
Get your popcorn ready so we can all have fun on that finale. Don't worry, you're already registered. So if you know somebody who isn't, please let them know that this will be our final curtain call next week. One thing we don't want you to forget. You mean next month, right?
All right, next month. Sorry. You give me a ride together. I'm so excited to see everybody. What would I say? I did. I'm ready. You want to know why we love spending time with you.
But one of the main things is we want to start seeing people face to face again. So you're going to be seeing members of our Prosperident team. We're going to be speaking at live events again. So please join us and come meet us in person. We would really welcome that opportunity.
Follow our website and see where we're going to be appearing. Maybe it's in a city near you. And if you're attending as usual, please don't forget, we're going to send you the link for the C.E. credits. And we want to give a big thank you to Alterra Pario for supporting us during our Prosperident Power Hour for the last, it has been over a year, year and a half, Dave. This is episode 19, number 20 next month. So we're glad you're with us. And join us next month for the final curtain call. Yeah, indeed. And I'm off tomorrow to Kentucky to speak to a group of oral surgeons
and really looking forward to having a live audience. As much as I like being able to reach you guys through the screen, there's just nothing like seeing you face to face. Now, it's a tremendous pleasure to introduce our guest. And his name is Gary Salman. He's the chief executive officer of Black Talon Security.
Gary and I have been friends for probably 10 years. Originally, he was with Carestream. About four years ago, he left Carestream and started his own security company. A lot of things I like about Gary, but the most relevant one probably for this is that we're a bit alike in the sense that his company and Prosperident are both hyper-specialized
on a really narrow problem. And if you've been a long time watcher of ours, one of the things you've heard us say is that your accountant is a generalist and probably is a little bit out of his or her depth when it comes to embezzlement. And I think the message you're going to get from Gary
about your IT person is very similar. You know, they're great at getting your network set up, but when it comes to protecting you against ransomware, and I'm sure Gary will have a lot more specific things to say, but, you know, the IT person who looks after your other needs may be out of their depth.
Gary and his company exist really for one narrow mission. One more thing I'll mention about Gary is he comes from a dental family. His dad's an oral surgeon, you know, he grew up around dentistry, like all of us at Prosperident, and it lives and breathes it. So it is my tremendous pleasure to welcome Gary Salman to our presentation.
And with that, Gary, let's see if we can let you take it away. All right. All right. You have a screen share icon there for us. Yeah, we will do it. Do it. Let's see. It's there we go.
Yeah, screen looks good. Take it. We're good. Yeah. All right. Well, now is my proper start. Sorry for jumping the gun on everyone, but here we go. So welcome, everyone. Completely honored to be presenting to this extremely large crowd tonight.
So thank you, Prosperident, for this opportunity. I'm going to make this real, right? So all the information that I may be presenting to you is our information. This is based on cases we've worked, not things we found on the Internet or rumors or things that sound good, right? These are real world situations.
So the goal here is I don't want this to be scary, right? A lot of times I'll lecture and doctors will pull me aside and be like, wow, you really scared me. That's not the goal here. The goal here is to provide you with enough information. So as a practice administrator, right, as the owner of the practice,
you can make good business decisions. Because so many of your colleagues that have been victimized by ransomware, they say pretty much the exact same thing to us. If I had only known, I would have done something different. So I'm going to go through kind of the real world problems and our goal here is to help you with solutions, right?
So that's what we're going to talk about. We're going to talk about problems and solutions. I'm also going to give you a good idea of what these criminals are actually doing. All right, so I'm going to talk about a couple of really interesting cases today. We're going to talk about a takeover of an orthodontic practice's cameras and music system. Now, this was not a ransomware attack, but if you talk to the orthodontist that was the victim of this, she feels like she was completely violated because they watched everything she did in her practice and they messed with her, and I'll go through that case. I'm going to talk to you about a ransomware attack against a GP practice, a single location, that initiated in the practitioner's home and moved to the practice, and then a couple of others. We are currently working a ransomware case right now by a threat group called Conti, C-O-N-T-I. Conti is a very, very active threat group that targets health care, right? They target other industries as well, but they're going after health care hard.
This is a GP practice and they got hit a couple of weeks ago and the ransom demand, $550,000. GP practice, OK? So this is no joke what's going on right now. Now, full disclosure, not every single dental practice that gets hit has a ransom demand that high, but they're averaging around 50 grand
for a GP practice and closer to 100,000 for a specialty practice. And that's based on the amount of data. So what's ransomware? Ransomware is a form of malicious code that is delivered to your network in typically one of two ways. First is through a phishing expedition or spear phishing
where someone in your practice could be a doctor, could be someone sitting at your front desk, opens an email and they think the email is legit. It's coming from my colleague right down the street. It's got to be legit, says her name. They click on a link.
They open an attachment and the ransomware code downloads into the system. And then it starts encrypting or locking all the files. And once it's done, a ransom demand will pop up on the screen telling you, hey, you've been hit by a Conti ransomware, right? Or whatever ransomware group and they'll tell you how to contact them. And then sometimes they'll tell you right on the screen how much they want.
Other times you have to go to the dark web to find out how much to pay them. All right, the second way that ransomware ends up on your system. And we see a lot of this is through a direct hacking event where the hackers find vulnerabilities on the doctor's network through their firewall, through devices. They exploit them using their hacking tools.
They get on to the network. They exploit other machines. And then they actually just install the ransomware code, right? Just like your IT person was installing a piece of software for you. And the ransomware code will execute in a couple of seconds and start encrypting right away.
And sometimes in many of these attacks, it'll encrypt every machine on your network and servers in a matter of seconds, right? And so much data. Sometimes it might take longer. Sometimes it could take a couple of hours. But typically they're going to do this at night, typically on a Friday,
you know, Friday night into Saturday morning. They'll do it before a big holiday. And then you walk in and find skull and crossbones all over your network. All right. So one thing I want you to understand is that a data breach is a problem, right?
I think that's obvious. But here's an issue that the HIPAA rules clearly state that a ransomware attack is a data breach. So many practitioners have been hit by ransomware and their IT company comes in and just makes it all disappear and restores the data from a backup.
But here's the problem in 75 percent of the cases. And this is you can look this up as public information. And this is also our statistics. 75 percent of ransomware attacks result in the theft of your patient data. We see this over and over again. So what happens here is your IT company is like,
oh, don't worry about this, doctor, I got you covered. They don't realize that all your patient data has been stolen and is going to be auctioned off on the dark web. That puts you in a very, very bad place from a HIPAA compliance standpoint. So there's something which we're going to talk a little bit about
some more, which is called basically triple or even quadruple extortion, which basically means this: when the hackers break into your network, they steal all your patient data, and they will do this without you knowing. Your IT company in most cases will have absolutely no idea that it's going on. And there's no alarm bells that can typically go off to tell you that this is occurring. Then they encrypt your data with ransomware.
Then if you refuse to contact them, they will then take one to 10 percent of all your patient data and put it on the dark web and they'll even send you an email like, hey, you don't believe me, hit this URL and go to my dark web website and you'll see your patient records, photographs, x-rays, health history forms for sale. So the last thing they're doing, and we saw this for the first time
a couple of weeks ago by Conti, they start contacting your patients. So if you refuse to pay the ransom because your IT company just restored from a backup, they will start contacting patients. They will start contacting your employees. We saw this in a GP practice. So let's talk about supply chain attacks.
I think most people six months ago, if you said, hey, you know what a supply chain attack is? Most people are like, I don't know. I don't know. They disrupt the supply of toilet paper because of COVID, right? That's the first kind of supply chain attack anyone really heard of. However, ransomware and these threat groups,
they have an incredible ability to disrupt our supply chains. So I think the one that was the biggest wake-up for our country was the Colonial Pipeline. Then we had the meat distribution, which ended up not being as bad as a lot of people predicted. But here's something to think about. Look at these two threat groups, DarkSide ransomware and REvil. I will tell you for a fact that REvil has hit thousands of dental practices. They also are notorious for attacking I.T. companies. When we first started working with REvil, for obviously the wrong reasons, trying to get people's data recovered, almost every single attack that they executed was against an I.T. company. And they took the I.T.
company's computers and then attack all their clients. You heard that if you joined a little early, you heard that news broadcast, right? Where they were talking about an I.T. company being hit. So you have a Denver, Colorado event. You have the Wisconsin event. You have one down in the Maryland, Virginia area, down in Texas,
where they all targeted these dental I.T. companies and took them out. And typically they hit every single dental practice like the one in Denver. They hit over 100 dental practices and thousands of computers and servers were all encrypted with ransomware. These hackers, they don't care if you are a single mom and pop practice with six computers or a Fortune 500 company generating
billions of dollars, they take everyone out. All right, so that's what's going on and they don't care if you're health care. There are some threat groups that say they won't target health care. I will tell you for a fact, I've seen them hit dental practices. Paul Farillo is one of the top attorneys in the country on cyber threats. I did a whole podcast and video with him the other day.
And he talks a lot about what I'm talking about now, not as technical, but more from the legal perspective. But this is a post he put up on LinkedIn just recently and he talks about this. Business leaders have a responsibility to strengthen their cybersecurity defenses to protect the American public and our economy. No company, large or small, is safe from ransomware.
This is a huge, huge problem that we see in the dental space. The I.T. companies as great as they are and we work with hundreds of them across the country. They'll tell practices, oh, you're fine. You don't have to worry about this. We have your back.
Have you ever had a problem before, right? And you're like, oh, OK, that sounds good. I'm fine. You can't think that way anymore. So I'll pose a question to you. How confident at this exact moment are you that your anti-virus software stops ransomware?
If you have a notepad, start writing this stuff down. How confident are you that your data is backed up properly? This is a huge problem right now and I'll explain why. And how do you know your system is not currently compromised? We go into some situations where clients sign up for preventative services.
We get our tools on there and right away we know we have a problem. OK, their system's already been compromised. So here's kind of the little secret that you probably don't know. Most anti-virus software is ineffective against ransomware. OK, here's the second crazy secret. When the hackers get into your system, in almost every case,
you know what they do, they shut your anti-virus software off. Why? Because they know that's a defensive mechanism that the computer has to potentially try and stop what they're doing. We do forensic investigations and in a majority of these cases, when we do the investigation, we'll see to the exact fraction of a second the moment that the hackers turned off the anti-virus system
software on these systems. Another big problem, we get calls all over the country. Hey, we got ransomware, we need your help, but we have a backup. We're like, OK, great. But in the back of our mind, we know one of three things are going to happen. One, they have a valid backup.
Two, they only have a partial backup that someone made a mistake. Or three, which we're seeing a lot of right now, the hackers destroy the backups. I am talking about cloud and local backups. I've had heated discussions with IT companies like that's not even possible. OK, it absolutely is.
There are tools that these hackers can deploy on your networks that steal usernames, passwords, and they understand how you backup, where you backup, and guess what they want? They want you to pay. So what do you think they're going to do? They're going to sit on your network and destroy all your backups,
then hit you with ransomware. Why? Because it's going to force you to pay. Now, not every case goes that way, full disclosure, but a high percentage of these cases that we're dealing with now. Right in the last couple of months, this wasn't really prevalent last year, the backups are gone.
So one of the things that I really want to reiterate here is that this is a team effort in order to secure your practice, your livelihood and your patients. It is a combination of your IT company and your practice and a cybersecurity firm working together to secure your environment. And we'll explain why that's the case in a few minutes.
But this is how businesses run nowadays. When you look outside the dental space in medical and financials, right? And, you know, many small and medium businesses, it's a team effort. So here is literally the biggest problem we see. We talk to practitioners that haven't been victims. And then obviously we deal with hundreds of ransomware cases.
And a majority of these ransomware cases, the doctors say, I really thought my IT company had me. I even had a conversation, right? We've had scenarios where the practitioners have brought in the CEO of their IT company, sat them down and be like, hey, we just got a letter from our malpractice company saying
we got to step up our game and engage with a cybersecurity company. And the owner of the IT company is like, I got you covered. We're good. I'm an engineer. I've been building computers for 20 years. I know this stuff. Oh, doctor, have you ever had a problem before? No, no, we've been OK. All right, you're fine.
And then weeks later, they turn around and they're a victim and they call the guy back and are like, how did this happen? You just literally told me this wasn't going to happen. So everyone has what I like to call Mike, their IT guy. And like I said, IT companies are fabulous, right? They play a very, very important role with keeping a practice
up and running, providing you with equipment. But they are generalists. Just like in health care, there are general practitioners and there are specialists. There are cardiologists and cardiothoracic surgeons. There are general dentists and there are orthodontists, oral surgeons, perios, pediatrics, right? You get it. And each of those specialties plays a very, very different role. Just because you know computers and build computers and set up networks doesn't mean you're a security expert, right? And typically what we see is the IT company say, oh, no, we have guys and women that understand how to do security, you're covered. And as a doctor, you don't know to ask a question, which is, OK, what are their certifications? Do they have a CISSP, right? What is a CISSP, what do they have? Can you be a dentist without going to dental school? Can you be a physician without going to medical school? No.
But any IT company can hang a shingle on their website and say, we do cybersecurity and you as the practice owners, like, I got that. OK, so here's kind of a typical statement that I see. This is posted on a very popular Facebook website. And it basically is talking about a doctor who posted a note saying, hey, I'm concerned about security.
Can you help me out? So one of the CEOs of an IT company wrote, we have plans of all sizes to address the ransomware issue. They line up with the HIPAA requirements. You want to see managed firewall, anti-ransomware software, backup and disaster recovery, and encrypted email. OK, I don't really know what anti-ransomware software is. I'm in the security business. All right, that doesn't really make any sense. But in theory, it sounds good, right? I'm not really sure what encrypted email has to do with protecting you from a ransomware attack. I can't see a correlation there. But to the untrained person or the owner or administrator of a practice,
you're like, that sounds great. I'm good. Sign me up. All right, we'll talk about why that's a failure. So I want you to understand that outages last a long time. OK, on average, in a dental practice, you will literally shutter your doors for 10 days because typically the hackers will take out every single computer on the network.
And in many cases, you have to rebuild every workstation. If your IT company just comes in and kind of erases some stuff and puts your computers back online, ultimately, the hackers are probably still in the system and will come back and potentially hit you again. But most practices are down for 10 days.
Yes, we have some cases that they're down for two or three days. We have cases where they're down for three weeks because of the complexity and the nature of the attack. This is just a rough estimate based on our numbers and our dealings with these ransomware cases. A single provider, single office GP practice
is looking at just under one hundred and seventy thousand dollars to deal with a ransomware attack. That's what it costs right now. Obviously, if you don't have to pay an extortion fee or if you're able to recover your data, it could be less. But there's a lot involved here.
You can't forget about the compliance issues you have both at the state and federal level. These have to be investigated by a forensics firm, right? Just having your IT company say, oh, you'll be fine. I'll restore your data. That's the wrong answer, right?
When your data shows up on the dark web and you're like, whoa, if I had known my data was stolen, I would have paid, but it's too late at that point. So what did all these breaches have in common? Well, these are the commonalities between almost every attack we see.
They have an IT person, they have antivirus software, they have firewalls, and they have backups, but they're still hit. Do you honestly believe that these Fortune 500 companies don't have firewalls? But this is a problem.
So many practitioners are like, I have a firewall. I spent a lot of money on it. I was told it's going to stop ransomware. It's not. It may stop certain strains on rare occasions, but it is not effective in terms of stopping ransomware.
It looks cool, it blinks, it plays a really important role from a security perspective. I'm not downplaying it, but too many people are relying on antivirus and firewalls. So I want to take a minute here, and I want you to kind of jot down,
based on this list, what you know or what you think you have in your practice. And this is a really important exercise. There's a lot of people, owners of practices, partners, administrators, they're responsible in the end for the confidentiality of the patient records,
and you should know what security is in place at your practice. All right, so you have a firewall, and guess what guys and ladies, just because you have a modem from your internet provider doesn't mean you have a firewall.
Some cases, the doctor's like, oh, well, we have a firewall. We get in there, take a look like, no, you don't have a firewall, you have a modem. Some modems have firewall capabilities and some don't. But you need to have a dedicated firewall.
Talk to your IT company if you don't. Antivirus software, secure email, cloud backups, local backups, multi-factor authentication, things like that. All right, so here's typically the security layers and who provides what.
Your IT company is gonna provide your firewall, antivirus, your secure backups, and secure email. There's some possible overlap. There's some new technology out there called Endpoint Detection and Response, which we don't have a lot of time to talk about tonight,
so I'm not gonna get into it. They will also potentially provide multi-factor authentication, but these are technologies that a cyber firm can also provide. G through K, that's what cybersecurity companies specialize in, and these are must haves.
If you wanna secure a network and you're missing G through K, if you don't have all these components, you're eventually gonna get hit. I sit on panels with some of the top security folks from the largest hospital systems across the US, panels that are often monitored by government agencies, and we discuss this all the time, right, about how important it is to have G through K, and the reality is if you don't have some of these things
like penetration testing, which we'll talk about, the hackers will do it for you and you'll be on the wrong end of that equation. So let's talk about some of the facts. After an attack, a hundred percent recovery may not be possible in the short term.
What do we mean by that? Think about for a second all the systems you have. It's no longer just practice management software and digital radiography. Now we're adding in 3D, intraoral scanners, text messaging, appointment and reminders,
time card systems, voice over IP telephones, cameras, remote access. A lot of these things are kind of band-aided together, and all of a sudden all the systems have to be rebuilt, software's got to be reinstalled, and you're like, oh my gosh, we're two weeks into it
and we still can't do appointment confirmations, right? We still can't get our electronic claims out. So downtime's really your biggest financial impact. Think about this, if you have to shut your doors for two weeks, because that's what happens, none of your computers work.
And in fact, most of the time they're actually damaged, right? Not physically, but the operating systems are damaged. They have to be rebuilt. You can't schedule, can't reschedule. Sometimes the phone systems don't work. What do you do?
And then you haven't collected any money for two weeks. You haven't filed claims. You haven't sent bills out. All of a sudden that two weeks becomes four weeks and you haven't collected a penny. So the hits keep coming.
And understand that there's a huge difference between an IT company and a cyber company in terms of what they do and what they provide. That's the mindset that we have to kind of change. So how do we fight back? Well, as crazy and scary as all of this is,
you absolutely can fight back. You have to be willing to do something. You have to step up and say, you know what? I don't want to be that doctor that was just on the news. If you saw the news story before the webinar started, you got to build strong resilient systems, right?
The firewall and antivirus model, it doesn't work anymore. It doesn't cut it, right? You have to be able to understand the threats and address it. Cyber firms do this 24 seven. They're constantly working to battle these threat groups.
They see the damage and the capabilities of these operations and understand this. You're up against threat groups from China, from Russia, especially Russia. Some of these threat groups will generate half a billion dollars a year in ransom.
You don't think they have some of the best technology out there. Do you really believe that the IT, right? And your firewall and your antivirus is going to protect you? No.
You got to step up the game here. You got to do something above and beyond the typical protocols that are out there. All right, so I talked to you about Conti. Conti is an extremely active threat group, right? I constantly go to these dark websites and I found a practice. This is real world and guess what? They didn't put the nice little black rectangles to cover up the name of the practice, right? But you can see, my apologies, you can see here, they released some of the data.
There are pictures, there are bank statements, there are HR files, patient records. That's what these threat groups publish. We did an ortho breach out in Utah. The threat group said that they stole all of the doctor's data.
The doctor didn't believe it. We asked for proof that the criminal stole the data. They sent us a one gigabyte file of all the data they stole. They stole approximately three terabytes. And when we opened up these files in front of the doctor,
he was horrified. This is an actual image that the hacker sent back to us from this ortho practice. Children involved, thousands of them. All right, so David, I think it'd be a great opportunity for your team and myself to kind of start talking
about these real world cases. So I'm gonna go through some postmortems here and share with you what is actually going on. So if you guys wanna pop back on, we can do that. So as they're joining, I'll kind of kick this off. So one of the problems that we often see
is practices don't understand where they're vulnerable. That is also known as their attack surface. Where can hackers get into the network? It's not always what you think. It's not always right through your firewall or directly to a computer that's potentially exposed
or has a vulnerability. Could be from someone's home. It could be from a consultant. Could be from a third party, software vendor, imaging, IT company. So one of the things, David, just like you do
with some of the services you offer, you have to help your client understand where they have risk. So one of the big things here is how many practices have standard operating procedures in terms of how to deal with certain things
like backups, passwords, things like that. So a cybersecurity assessment is critical. This is where a cyber firm is gonna come in, ask about a hundred questions and help you understand where you have risk. How do you backup?
Where do you backup? Is your data encrypted? How do you remote into this network, and are you using multi-factor authentication? About a hundred questions similar to those. And then recommendations can be made
to harden your network and reduce that attack surface. So in David's world, I'm sure he does things like that to help practitioners mitigate their chances of being a victim of financial fraud. So David, anything you wanna talk about regarding that? Well, I will start by saying
I think this is unquestionably the most frightening presentation I've ever watched. Sorry, Gary, I didn't mean to catch you with your mouth full. No, no problem. But wow, you know, if you are in the audience and this doesn't have your undivided attention,
you know, there's something wrong with the way you're wired emotionally. This is just beyond frightening. And what I'm glad, Gary, is that you have said to people, you know, you don't have to sit there passively and wait for this to roll over you
and write your $170,000 in checks to the ransom company and your attorney and all those things, you know, there are things you can do about it. So, Gary, you've mentioned early on that ransomware has targeted these healthcare companies
or companies in the healthcare world. I think I know the answer, but in case I don't, can you tell me why that is? Yeah, because it's pretty straightforward. The reason is they know the doctors or the healthcare entity,
there's a high probability that they're gonna pay, right? Because if they steal their patient data, in most cases, what doctor is gonna say, I don't care, publish all the patient data for my practice, all the health history forms, the X-rays, the pre, the post-op images, who cares?
Right, I even met a doctor that said that, right? And we do a ton of these cases. So the hackers know the value of this data. They steal a bunch of spreadsheets from a corporation, maybe some HR files, eh, that's not great. That's a heck of a lot different
than stealing people's health history forms, you know, lab reports, things like that. So I will tell you that in a majority of the cases we deal with, the doctor either opts or has no choice but to make the ransomware payment, right, we never ever want that to happen.
But the reality is, David, it's a business decision, right? The business decision is, can't afford to have, you know, if you're a GP, a couple of thousand records posted, if you're a specialist, tens of thousands, I mean, we have practices that literally have 750,000 to a million patient records
as part of their dental practice, because they're a large group. Could you imagine the damage that's done? Probably can't even get enough, you know, we could, but the insurance premiums to protect from something like that is astronomical, you know?
So, I mean, that's why they're going after these healthcare groups. What the hackers do is they'll go on their dark web forums and they'll talk about it. Oh, I just knocked over this dental practice, this dental practice, they just paid me 100,000.
I got 50,000, it took me two hours worth of work. You know, I'm driving a Ferrari now, literally, right? I mean, that's the crazy part. If you look at some of these takedowns and these threat groups, they have $100, $200,000 cars sitting outside the front of their houses.
That's how much money they're generating. So that's the reason they're targeting healthcare. They know the risk. They read literally in this Conti group that we just are finishing up, they literally told us in a chat session
that if you don't pay us, we know the United States laws and you will have the Office for Civil Rights investigating you because we're gonna publish your data. I mean, they're not stupid people, right? They know how to generate the money. So, Gary, I have a question.
I've heard some IT people say do not pay the ransom because you don't get your data back and if you get it back, the data is scrambled so it's not readable or usable within your system. Number one, is that true? And then number two, if you do pay the ransom,
do you specialize in embezzlement? I can't believe I'm asking this question. Do you have any assurance that they won't keep a copy of that data and publish it at a different time? So all great questions. So our experience has been to date and I will knock on wood.
We've never had a scenario where we couldn't get all the doctor's data back. We had one case where some cone beam images were damaged as part of the encryption process during the attack but every case we've worked, we've been able to get all the data back.
Now, sometimes it's a tremendous amount of work, right? It's not this magic, hey, pay them and press a button and all the data just reappears. There's sometimes a lot of putting the data back together but luckily knock on wood, we haven't had that issue.
We've also never had an issue where we paid and we didn't get the data back. We've had some scares where we paid on a Friday and who knows what they were doing on Saturday and Sunday. They went radio silent and then Monday at 10 o'clock at night we would get the keys to unlock the data.
That's rough. The doctors would literally wrote $100,000, $70,000, $50,000 check out of their personal account. And they're like, where's my money? Where's my return, right? Where are my keys to unlock this data?
It's a rough exercise and extremely, extremely stressful. So was there a third question that I missed? Just the second part of that question is how can you ever be assured that they don't keep a copy of it? They're criminals, right?
And I think you were laughing because you knew the answer. They're criminals, right? There's no, there is no guarantees. It is a little weird because they, I will say a majority of them are,
what I will say, honorable criminals, if that's even real. But conceptually, they know that they have a reputation. They know that everyone talks about this. So if they start ripping people off, they know that there's a less of a likelihood
that they will get paid in the future. So typically if they say they're going to do something, they will do it. And the most ridiculous statement that I could probably make is that most of these threat groups
literally have some of the best customer service. If we buy the keys and something doesn't work, we will message them on the dark web and sometimes within a couple of minutes, they will pop on, be like, fixed it for you, try this. They're like, wow, that was impressive, right?
They're criminals though. I don't care about them, right? They're horrible people. But this is the world that they operate in, right? It's what I like to say, it's a legitimate, legitimate business, right?
They are literally running a criminal business and they know that customer service is part of what they have to do in order to be successful. It makes no logical sense, right? I work law enforcement. And one of the things that I always say is,
imagine me responding to a break-in at someone's house and I pull up and I see a tractor trailer getting filled up with all the belongings of this family. The family walks down to me and they're like, hey officer, you gotta arrest those people. And I'm like, yeah, I can't do that.
How much cash do you have? And they're like, what do you mean how much cash do I have? Well, let me go talk to the criminals and see what they want. And then I go talk to the criminals loading up all of their belongings like, hey, give us 50 grand,
we'll move all their stuff back into their house. I have to go back to the homeowners, be like, you got $50,000 in your safe that you can give these people, they will move everything back in. Literally that's what's going on right now, right?
And they're very difficult to track and very difficult to catch. So that's another issue. Okay. I have a question for you, Gary. Sure.
So, they hack everything, they get access, they have the control. Where typically, how do you typically pay the ransom? Like how do you see practice owners settling the score, I guess you could say? Because they're not gonna meet these people in person,
like think about kidnapping ransom, okay, let's do cash exchange. What's the most common exchange and how does that happen? Yeah. Well, conceptually to your point,
it's almost like that, you take the money, you drop it somewhere, they pick it up and then they give you something back which are the decryption codes or the keys really. Wow. Yeah.
So one of the ways that this works is through cryptocurrency, right? So the process is this, the practice agrees to pay them whatever it is. Let's just say for argument's sake, $75,000. The practice will transfer us through a wire, $75,000.
We will convert it to cryptocurrency. It could be Bitcoin, right? There are other different cryptos that hackers are using but most of them are using Bitcoin. And then we have to transfer it to the criminals but here's the catch, that could be illegal, okay?
So I've come across many IT companies and many doctors who have just made the payment themselves I'm like, who'd you send that money to? Are they on a watch list? Are they considered a nation state? Did you literally just pay terrorists?
And the doctors like, I had no idea I'm a dentist. I just had to get my data back, right? Or they say, well, my IT guy didn't talk to me about that. So there are very, very special background checks that have to be done on these digital wallets, right? These crypto wallets prior to sending them money.
All of a sudden you're like, I'm just trying to get my patient data back and now you're in the middle of a federal investigation as you transferred money to Iran, right? Or another nation state. So that's why I'm saying you gotta understand
this is a very specialized science that's going on right now. And the compliance, both at the state and federal levels are huge. And there's a lot to lose here. The problem that we see Amber in many of these cases
practices are the second they get hit all they care about is I need to treat patients again and I'm not downplaying that. That's our number one focus. We know we need to get your practice back up and running but if it is not done properly
the long-term consequences financially from a compliance standpoint and leave, I'm sorry, financially and then from a compliance standpoint are pretty significant, right? So it has to be done properly. So I have another question.
How many of the hackers do you see that are not based in the US? I mean, I know that's a hard estimate but do you see a lot of them are from other countries or what demographics do you see them typically based out of? So we've never come across a hacking group
that is US based, they're not. The last case that I can think of was I think the Twitter hacks where the FBI locked up someone from Florida and from England where they got into some very high profile people's Twitter accounts.
That's not really a ransomware case that's more of a cyber event. I don't know based on all my intelligence I don't know of any hacking group that operates inside of the US borders but to answer your question directly
it's mostly coming from Russia. Those are just the facts, China as well. What we typically see is Russia is involved heavily in the ransomware business generating billions of dollars. China seems to be mostly involved in data theft the theft of intellectual property
from businesses and corporations. They operate differently. In the end, do they share some information maybe? So that's typically, I mean, Iran's there and North Korea but typically it's coming out of Russia. Okay, I'm really enjoying this discussion.
Just a couple of reminders to the audience. First of all, if you have a question please use the Q&A not the chat to ask a question. The people who are bringing their questions forward to Gary can't see the chat, they can only see the Q&A and if you have stuck a question in chat
just copy and paste it back into Q&A and we'll make sure that we get an answer. So just don't forget that the chat and Q&A are there for different purposes. The other thing that I wanna talk about and I'd love to hear Gary's feedback on this.
Traditionally people have relied on a good backup. In other words, there was a time I think evolutionarily Gary when what ransomware did was encrypt your data. And if you were prepared to walk away from that encrypted data
you really didn't feel a need to pay the ransomware. So if you had a good backup you just kind of thumbed your nose at these people and said screw you, I'll just restore from backup. And it sounds like the folks doing the ransomware on that basis have kind of elevated their game
and now they're going a step or two further and a good backup is no longer the cure-all for this. Right, yeah. Look backups to your point backups are critical. I tell every client have a good cloud backup have a good local backup.
Now I'm talking about a disconnected backup. And this is a heated discussion I get into with a lot of IT companies because I'll tell our clients listen I need you to think old school, right? You remember the days doctor
where you would unplug a little hard drive or a backup disk or even a tape if you've been around for a while you take that tape or backup device throw it in your backpack or your bag and walk home with it every night.
That was your entire livelihood in your bag, right? Then the cloud came and everyone's like, ah, who needs local backups anymore? Let's just push all your data to the cloud. Everyone's like, hey, let's go to the cloud. Sounds great, easy.
I don't have to worry about bringing home this horrible hard drive every day. Then guess what started happening, right? The hackers started gaining access to these cloud technologies. The other problem David
which we haven't talked about is this how many practices have actually tried to download their cloud data? Yeah. Have you asked your IT company to download all of your patient records,
your practice management software, your attachments and all of your 2D and 3D images and show you that your system functions? Because a lot of times the IT company is like, oh well, the 3D images were too big so we didn't back them up.
Well, guess what? All your 3D images are encrypted to ransomware you're probably gonna pay now, right? Here's the next catch to that problem. How long does it take to download your data? If you have 3D imaging, right?
Cone beam imaging, intraoral 3D imaging through, you know, an intraoral scanner that takes STL files. Those data sets, David are huge, huge. Terabytes and terabytes of data if you've had them for a couple of years.
How long do you think that's gonna take to download from the cloud? We, yeah, absolutely. So what do you do? Often you can't do anything until all your data comes back.
So, you know, that's another challenge. And I get it, there's some technologies that can assist with certain things like this but you gotta have this disconnected backup, right? It's called cold storage. So now we're bringing back this concept
and that's where I started with, hey, go out and get a high-speed solid state drive, right, not the old school spinning ones, you know, they're all chip-based, get a couple of those, have your IT company, encrypt them to protect them, right?
We've talked about this, but the theft of those devices is a breach also. Encrypt them, so only you have the password being the doctor administrator. And then each night, back up all your data, right? Now, some practices may have so much data,
they may not be able to back up all the 3D images, at least do that once a week. So when the worst, worst case scenario, your systems hit, right? Your cloud's data is taken out, you can literally go to your dining room table
and take that hard drive off and be like, this is what may save me, right? The catch still is, if they stole your data, what are you gonna do? Are you not going to pay or are you going to pay? That's a decision tree that your attorney
and your practice is gonna have to make, right? Because there's ramifications for either decision, legal compliance issues, and then the other side is financial, right? So, yeah, this cold storage is hot, you know, even large Fortune 500 companies,
they're going to cold storage, literally a backup that's disconnected from the network. Yeah, so. But where I was going with this was, again, I think some people think and some people have heard from their IT company
that, you know, as long as you have backup perfection, you're safe against ransomware. You know, if you have a backup that's 100% perfect, you're safe. And what I've seen lately, and you reinforced it tonight with something you said,
is that the companies doing this have upped their game and the way that they do that is they put your information online or they, you know, they convince you that your information is compromised. In other words, having the perfect backup
gets your systems functioning again, but it doesn't deal with the fact that some adversarial party has pretty valuable data. And in one of our sessions that we did last month, in fact, one of the things I was talking about was the value of data.
And a working credit card number, you know, if somebody has your credit card number, the street value, that's about $5. If they have a sort of a patient's healthcare record with insurance information, date of birth, social security number, that kind of stuff,
the value of that record is about $50. Exactly, yep, that's the number we see. Yeah, so, you know, this has evolved past, we're just gonna lock up your data and you're gonna pay us so that you can access it again to we're gonna take your data
and if you don't wanna pay us, we're gonna do something with it that's gonna hurt you. Yeah, and that's the challenge. No matter what your primary focus should be, I never want a threat actor to get into my system. Yeah, okay, that's rule number one.
You need to up your defenses. Let me give you a couple of examples, some real-world stories here. So everyone can really understand what's going on here. We recently finished up a case about three months ago. This was a pediatric and ortho practice,
two locations in Southern California. The practice called us, they had heard about us, they said, hey, both of our locations are fully encrypted with ransomware, they hit our servers, every workstation has a skull and crossbones on it. So we get in there, we immediately recognize
the threat group, we explain to the doctor right away that there's a very, very high likelihood that all of this data has been stolen for both locations. And he's like, yeah, I don't really think that happens. And we said, all right, we'll go down that road when the time is right.
When my security guys got in there, we immediately called a time out, because guess what we found? On almost every single computer, they had installed three different types of screen sharing applications.
You know, like those GoToMyPC, LogMeIn, Splashtop. Now, I will say that's the first time we've seen them install three different types. But when we started really critically thinking about it, our security team were like, this is almost genius because an untrained person, regular IT company,
they're like, oh wait, this isn't our screen sharing application delete. And they may have, they may miss the secondary or tertiary screen sharing applications. What's wrong with screen sharing applications? Well, there's a lot wrong.
First, the firewalls and antivirus software, they don't typically block them. Why? They're legit programs, right? That your computer looks at it as legitimate. It's just been installed by a criminal.
The second thing is it goes right through your firewall. It opens up a port. It allows in traffic to come in, traffic to go out. So you know what the hackers do? They sit there from their desktop. They click an icon.
They just logged into Dr. Mary Smith's computer, right? Her laptop. In this case, they had access to every single computer. We're talking about about 40 computers. And when I explained this to the doctor, he's like, well, what about my laptop?
I said, yeah, we found it on yours also. So he said, they were watching me read my emails in every website I went to. I said, unfortunately, yes. You know, and that's when the panic started to set in. Because he knows, he's like, I send emails with my referrals.
So let me ask you this. Does encrypted email protect you from that type of environment? No, I mean, from that type of attack, I should say no. Because the data's on your screen decrypted. So they're just watching your screen.
They sit back and watch. Guess what else do they do? They figure out online banking. Online banking, so that was a huge problem. One of the files that these criminals took was an HR file with every one of their employees,
name, date of birth, social security number, home address. So now the doctor had to go out and get identity theft, which is not super expensive, I get that. And you're talking 25, 30 employees, but the stress for those employees, he said it was off the wall.
They were upset for days, because they felt like they were violated. And they're mad at the doctor because they really thought that he or she had the duty to protect his information and they didn't. Yeah, they feel almost let down, betrayed.
And it's tough. This is a very, very emotional thing. Why? It's a personal attack. You feel victimized. You feel like you can't control it.
And I tell them, as you said, from a family of doctors on type A, like you wanna control everything, right? And you're that way too, David. I know for a fact, right? You wanna control everything.
And now you're like, someone has just controlled every aspect of my life. And it's horrible. I mean, this dental practice, we just finished up in Connecticut, they broke into her home machine.
They encrypted her home computer with all of her photographs from her children. She had to pay about $7,000 to get all of her photographs from when her children were born to about age eight because she didn't have a backup, okay? Not pointing fingers,
but she's like, I can't lose those pictures. They're gone forever, right? And they used her computer to attack her office. So not only did she get hit personally, she got hit professionally. So now she had an answer to her partner,
like, I'm gonna have to own up to this and admit that this was my mistake, right? They were down for two weeks, David. They couldn't treat patients. They went out and they bought laptops. They started with a blank database.
They hooked up a periapical sensor, but then the patient's like, you just took an X-ray on me two weeks ago and you can't take another X-ray on me. Where's my previous X-ray? You know the path that, you know,
people will go down in these types of events. She literally called me on a Sunday night and says, I think, you know, early 40s, she said, I think I have to go to the emergency room. I feel like I'm having a heart attack over this. You know, and my heart bled.
I'm like, I'll stay on the phone with you. I'll talk to you through the whole thing. You know, it's not gonna be as bad as you think. We'll get you through this, you know? But this is how close, you know, and emotional these types of things,
you know, get to business owners. So, yeah. Gary, we have a ton of questions under Q and A. Do you wanna start knocking this out and answering some questions for me? Absolutely.
Just before we do, indulge me for one second, I just wanna draw a couple of parallels here between what happens to people in a cyber attack and what happens to people when they get the financial equivalent, which is embezzlement. And, you know, that feeling of violation
that Gary mentioned, Wendy and Amber know this really well. That's, you know, that's something that people feel from embezzlement. And they, you know, they equally feel it from cyber attack. And the other thing is, and Gary, I think you framed this nicely.
You know, when you're at the point where you see the skull and crossbones on your computer, what you have to do then is make the best of a series of bad choices. And by far and away, everybody's best place they can be is to organize their lives and their businesses
so that they never get to that point. You know, and it's just like we say about embezzlement. You know, if you can set up your systems properly and Amber works extensively with clients in that area so that you don't get stolen from, that's a lot less painful than dealing with it
after the fact. So, you know, when I introduced Gary at the beginning I said, we have a lot in common and as this conversation goes on I'm seeing even more of it. Sorry, Wendy, let's get to those questions
but I just wanted to make those observations before we did. Okay, great. Yeah, I love that you made those parallels. Here's a good one. What is the number one task a practice owner
should look at when back in the office tomorrow? It's like, number one, top on your list, what should they do? I think they have to evaluate their attack surface, right? Because it's hard to say what the number one risk for practice A could be very different for practice B
but we can break it down to a couple of things. One of the ways practices get hit is through phishing emails, right? As I described, employees receive an email. It looks like the orthodontist down the street looks like an x-ray, they click on it
or it looks like it's from Amazon, they click and next thing they know, skull and crossbones. So, you can beat phishing emails by training your staff, right? So, cybersecurity awareness training is critical. It is required under federal law
for your healthcare provider. Every doctor probably knows they have to train on OSHA, right? Can't have an assistant get stuck with a needle and be like, oh, OSHA what? I don't even, I've never heard of OSHA.
That doesn't fly, right? From a compliance standpoint. But a majority of practices, I'll probably say 80% of practices have no idea that they're required to train. So, if you wanna help reduce your risk,
search out training platforms, right? Cyber firms offer it, where they can access learning management systems to learn how they can identify these types of threats. What I hear doctors often say is, you know what? I'm gonna go back and just tell my staff
not to click on anything. Yeah, that's, I mean, that's useless. First, just shut your practice down because you won't get x-rays, can't take your referrals, you can't send stuff back to your specialist. Like that doesn't work, but you gotta educate,
you gotta empower your team, right? So, that's something that they can really do. The second thing is, talk to your IT company, right? Understand, hey, what are you guys doing for me? And you remember that long list that I showed you before? I would be willing to bet I nailed it, right?
The very first four items is what a majority of practices are being provided with. And it's not enough, it doesn't work anymore, you know? You gotta think, this isn't 2016 anymore, right? This is 2021, those are important aspects of security, but that's not the end-all, be-all.
So, have an understanding of what security is in place, then search out specialists to harden your security. Okay, someone also asked, how can I protect from incoming attacks or is there any preventative measures I can execute or use?
You just answered that, correct? The phishing and training staff on email? So, I think there's two parts to this, right? There's the email-based attacks, but there's the direct hacking events where hackers will scan the firewall,
they'll look for vulnerabilities on computers and devices, right? That requires a whole different set of software and skills to look for those vulnerabilities. That's typically what's provided by a cyber firm, right? They will launch cyber attacks against the firewalls,
they will have ethical hackers attack the firewalls, software attack the computers on the inside of the network, looking for these vulnerabilities that hackers will exploit. I think the best analogy, Wendy, probably the easiest way to explain this,
and David, you know, and you did it on the previous presentation, it's kind of the analysis of your own home, right? You're like, you can say to yourself, oh, my home's like Fort Knox, right? I got the best deadbolt on here,
my windows are secure, and then an expert comes by and like, oh, you think that windows secure? Watch this, right? They come with a little bar pop, the windows open, and 10 seconds later, they're in the first floor of your house.
You're like, well, how did that happen? I just, you know, upgraded my security. So conceptually, that's what cyber firms do. They've looked for these holes in the networks that hackers exploit, and then they work with the IT company
to patch those holes, right? We're not talking about just patching software, it's a much more complex task than that, but you have to look at all the devices on your network, right? Use sophisticated software and human intellect
to determine where they're vulnerable and then harden those devices. That's how you protect from these inbound attacks. So training, vulnerability management, penetration testing by certified ethical hackers, that's how you do this.
So I know you had mentioned that they can access the system from other vulnerable devices that aren't directly software related. Can you give some examples of that? Would that be, you know, like, I know you talked about the video cameras,
but what are some other devices? One person wants to know like, guests, patients can get on like guest Wi-Fi, is that a vulnerability? Okay, so good question. So let's talk about that,
because I think that's a really, really good question. It's something that practices can kind of do on their own or their help with their IT company. If you have a wireless network within your practice, right, understand that that wireless network is an extension of your wired network, okay?
So if a patient comes in and pops open a laptop, for instance, and connects to your business Wi-Fi, they are literally connected to the same network that all your office computers are running on. Now, if they set up guest Wi-Fi and create what's called network segmentation,
where the practice runs on this part of the network, and the patients run on this part of the network and there's no way for the traffic to cross, that's relatively good security for Wi-Fi, because you don't ever want them to have access to any devices.
Keep in mind, if you have Wi-Fi, most Wi-Fi devices nowadays can be cracked. That's the reality of it, unless it's running the brand new protocol. Literally, a person can sit in a car or in an office next to you, pick up your Wi-Fi signal,
and potentially gain access to your network. Now, they have to have some skills, right? This isn't typically, you know, average Joe doing this to be fully transparent. You got to have this, you also have to have this network segmentation.
So have a separate guest Wi-Fi that has no ability to transact to the business network, right? Send information back and forth. So you talk to your IT company and say, hey, I want you to segment my guest Wi-Fi
from my business Wi-Fi. And they should know how to do that. Many firewalls will allow you to do that. Okay, someone asked actually twice. Okay. This is very important to someone.
What do you think of white listing software that stops executable code from ever running without your permission? I think that's gonna be a pretty technical answer. So, fasten your seat belts, ladies. Yeah, I'm not sure I want to dig deep into that,
to be honest on this call, but look, white listing, I'll talk generally because I think this will help. White listing is a powerful technique. So let me give you an example of white listing. Your firewall, right?
If you have someone connecting from the outside world, let's say you have a practice manager at home, right? And he or she wants to connect to the office or a doctor. What you can do is you can take the IP address of that doctor's home or that practice administrator's home, right?
Their modem. You can load it in the firewall and you can white list it, right? So only people coming from those IP addresses can technically get into the firewall. That's an effective tool, right?
You can also then specify certain software applications that can only run on the network. So there are some capabilities, but what I struggle with, with a lot of businesses and practices, is they hang their hat on one thing. Like my IT company is just gonna white list
these software applications and anything else, that's not gonna run. What happens if the hackers get in and gain administrative access to that machine and shut that off, you're done. It's no different than a burglar coming in
and potentially clipping the phone line, shutting your power off on your house and they kick the front door and there's no cameras, there's no alarm, all right? So we have to think layered security, right? And this is everything David kind of talks about,
both from an embezzlement perspective, right? And even your last presentation talked about from a physical perspective, you gotta think multi-layers. If you're gonna rely on one or two layers for security, you're ultimately gonna fail.
It's no different than you going out and having your IT company sell you the best piece of anti ransomware technology, throwing it on your network and be like, hands are clean, I've washed my hands of this whole problem, I'm good to go
and finding out it wasn't quite as good as you thought it was, right? So yes, look, whitelisting's an effective methodology, but it is not the end-all-be-all. It is part of a security defense. So very good question.
So whoever asked that is pretty knowledgeable. I know what they're talking about. Okay, what would you estimate a cybersecurity budget to be for cybersecurity insurance, IT, cold backups and associated maintenance, updates, et cetera, for best practices for a single-location practice?
So that's a really hard question to answer because there are so many variables there, how many computers, how much data, things like that. So I can give you some rough ideas from a cybersecurity perspective. If you budgeted $6,000 to $7,000 a year on the high end,
I'm talking like an average practice for say 12 to 14 computers, average GP practice, right? That number would provide you with very significant security. Okay, vulnerability management, pen testing, training, assessments, things like that,
pretty much the core of what you need. Backups, they can be all over the map. There are backup solutions that you can buy yourself for 40 bucks a month, which I don't really recommend. I really recommend you talk to your IT vendor and get a good quality backup solution from them.
It depends on the amount of data. Do you have a cone beam machine? Do you have an intraoral camera that generates STL files, right? Those file sets become huge, and with many of these backup solutions
you pay per gigabyte or terabyte of data. Those backups from your IT vendor can run from $50 to hundreds of dollars or more per month, depending on how much data you have. Patch management, patch management is important. That's where your IT company
tries to keep your computers up to date. That should be part of your plan from your IT company, right? That's not an option. You have to make sure that your computers are getting patched. That's typically part of some type of level
of service that your IT company is gonna offer. I would say at an absolute minimum you wanna have a level of service from your IT company that offers patch management. But look, that could be a couple of hundred bucks a month and up, depending on how many computers you have.
So all in, maybe just rough math, $10,000 to $12,000 a year for that. Obviously it's variable based on some of the things that I've said. Okay, and this is kind of a tricky question. How can I secure the devices that my staff carry
from external attacks that potentially could have access to my network? Ah, great question. So remember the first question I answered about guest Wi-Fi? That's how you do it. Your staff and really even the doctors,
their phones, their mobile devices, their tablets, their laptops, their watches, smart devices in your practice like a smart TV, a thermostat, anything that is internet accessible should connect to the guest Wi-Fi on a segmented network, also called a VLAN.
They should connect to that. They should not connect to the business network. So that's how you beat that. Can hackers access your data through a copy machine, fax machine, thermostat, or other devices like that that have IP addresses in your office?
Can they get that through that? So great question. So we're really talking about IoT, which is a phrase that's been around for a while now, internet of things. We're talking, just like you said,
a smart television, an IP-based multifunction printer, copier or scanner, you name it, cameras, Voice over IP telephone systems. So what I'll say is that many of these devices are internet facing, meaning you can gain access directly
from the outside world. And what happens is without segmentation, this network segmentation we've been talking a lot about, they can potentially gain access to a device and use that device as a launching pad against other devices on the network.
Probably the two most famous hacking stories: one was in Vegas, four or five years ago, you can Google this, you'll find it, where hackers gained access to a thermostat in a fish tank at a casino and used the operating system
that controlled that thermostat to attack the network, right? Public information, right? So perfect example. The other one is Target, the department store chain. You know how they hacked that system?
They accessed the HVAC, the heating and ventilation control system, and who the heck would think that that's gonna be the methodology to attack servers storing billions of dollars of information and data. So these devices are vulnerable.
The best way to do it once again is really to do the segmentation. Keep these devices off, keep them patched. When you see on your television, your smart TV, hey, we have a new piece of software, would you like to run the update?
The answer is absolutely, right? Many companies come out with patches for their devices, not only to add new functionality and features, but to patch security vulnerabilities, right? So that's why going back to the previous question, that's why it's important to engage with your IT company
on a patch management process. It is not, once again, the end-all-be-all; just patching your computers will not secure you, but it helps as a security strategy. It's part of your security strategy. Here's another one.
We've been using ThreatLocker for the past few months with our clients, our dentists, and haven't had any malware attacks. Any opinions on that system used with software like Intercept X and a Sophos firewall? Right.
So just out of respect for the companies, I don't typically talk about specific products, but I'll speak in general terms. Some of these technologies that were just referenced are designed to potentially intercept ransomware, stop ransomware, detect ransomware if it's executed.
They're used as once again, a multi-layered defense to harden the network. These are good technologies, right? But once again, the most important part is this multi-layered approach, which is don't let anyone get in the network to begin with
right, through this vulnerability management, pen testing, training. But if they do, let's hope you have additional layers of security to potentially block this, right? So some of these technologies that are out there are called EDR, endpoint detection and response,
which is starting to become a little old school. The next generation is called XDR, extended detection and response. This type of technology uses artificial intelligence to detect hackers on your network, right? To potentially stop ransomware.
But even the most advanced artificial intelligence software, it will not stop everything, right? So that's the failure point, right? Because what happens is, we forget about all the other security measures in place. We let the criminals come into our house
and we hope our dog's gonna wake up and bite them and chase them out of the house. But criminals are smart. They will buy the same software that the IT companies are throwing on these networks and try and defeat it, right?
But look, we are proponents of this software. We do believe that EDR, XDR software is an important part of a security posture, as well as some of these next generation firewalls and some of the technologies that they provide. But you gotta think critically about this stuff.
You think these multi-billion dollar companies don't have this stuff on their networks too? They do, right? So everything can be defeated, right? It's just, what does your attack surface look like? How are you minimizing that attack surface
to keep them out? And look, hackers are typically opportunists. If they feel like they're gonna have to spend too much time getting into patient data, they will move on to the next system, right? And that's a fact.
So, point number one, and I keep saying the same thing over because a lot of people miss this, is do things to prevent them from getting into your network to begin with, right? And then layer on these additional security measures.
So that's how I'll generalize that statement without giving my personal opinion, a professional opinion, on specific products. All right. Well, Gary, thank you. We're out of time here
and questions are still coming in and I'm sorry that we didn't get to them all. What I'll invite you to do though with your questions is reach out to Gary and contact information is there on the screen. So if we didn't answer your question
and I do see that we have a little bit of a backlog of questions, Gary, I'm sure would be happy to answer them for you and have a conversation about how you can not be a victim of this. Gary, I wanna thank you very much.
This was just, just terrific information. You know, it's a subject I've always had some interest in and I still learned a heck of a lot tonight. So very tremendous presentation and everything that I thought it would be. I'd also like to thank my three co-hosts,
Wendy and Amber on camera. And we've been together on these for a whole lot of time. And I can't ever say too much about how terrific they are to work with. And also our third camera shy team member
whose name is Sheila O'Driscoll and Sheila runs the chat for us. We should bring her on next month, I think. Let's do. Yeah, we should. Okay, we voted and it's gonna happen.
And speaking of next month, September 23rd is our final session in this series. So this will be webinar number 20 for us. And, oh my gosh, there's Sheila. There she is. Hi, Sheila.
It will be our wrap-up webinar. We're gonna have lots of new things. We'll have some giveaways. We'll likely have some Prosperident team members join us. So I'd like to thank everybody for joining us and we look forward to seeing you in just over a month.
Thanks everybody and we'll talk to you soon. Bye. Thanks, Gary. You're welcome. My pleasure. Thank you.
Thank you, Gary. Bye. Thanks for listening to the Dental Practice Owners Podcast brought to you by Prosperident. You can contact Prosperident through its website, www.prosperident.com,
or by calling 888-398-2327. If you have questions about this podcast, if you would like to discuss your practice or there is a topic you would like to see in a future podcast, we would love to hear from you. Amber, Wendy and David will be back soon
with another episode.
[0:41] Hello. Oh, is it done? Hello, dental family. Welcome this evening to our Prosperident Power Hour. I'm Wendy Askins, one of your hosts from Texas. We also have Amber Weber, a co-host from Texas, David Harris, Prosperident CEO from Halifax, Canada, and we are so honored to have Gary Salman here with us this evening from Black Talon Security. Cybersecurity is like way
[1:13] over my head, but it's something I'm very interested in and I'm very afraid of it, honestly, and Gary's going to lay it all out for us in an easy, simple manner to understand so we can learn how to protect ourselves. We also have Sheila O'Driscoll on our chat with us this evening. So if you want to chat us up and make comments that are relevant to the subject matter, please feel free to do that.
[1:40] If you want to submit a question, we ask that you use the Q and A button at the bottom of your screen so that question comes directly to us and we can get Gary to answer that for you. Yeah, we're ready to start. All right, well, thank you so much and honor to be here. Let's go ahead and get our presentation going.
[2:00] Just one second, Gary, you're one slide ahead of us, buddy. All right, no problem. It's good to be enthusiastic, but we're not there yet, man. Well, we are excited that our audience is joining us again. We're getting ready for our final curtain call while we've enjoyed spending time with you every month during the
[2:20] Prosperident Power Hour. We're going to be ending our webinar series next month and we're going to talk about everything important about embezzlement in one hour. So it's going to be jam-packed full of information. We hope you invite your friends. Get your popcorn ready so we can all have fun on that finale.
[2:40] Don't worry, you're already registered. So if you know somebody who isn't, please let them know that this will be our final curtain call next week. One thing we don't want you to forget. You mean next month, right? All right, next month.
[2:53] Sorry. You gave me a written answer. I'm sorry to see everybody. What would I say? I'm good. I'm ready.
[3:02] You want to know why we love spending time with you. But one of the main things is we want to start seeing people face to face again. So you're going to be seeing members of our Prosperident team. We're going to be speaking at live events again. So please join us and come meet us in person. We would really welcome that opportunity.
[3:19] Follow our website and see where we're going to be appearing. Maybe it's in a city near you. And if you're attending as usual, please don't forget, we're going to send you the link for the CE credits. And we want to give a big thank you to Altura Perio for supporting us during our Prosperident Power Hour for the last, it's been over a year,
[3:40] year and a half, Dave. This is episode 19, number 20 next month. So we're glad you're with us and join us next month for the final curtain call. Yeah, indeed. And I'm off tomorrow to Kentucky to speak to a group of oral surgeons and really looking forward to having a live audience as much as I like
[4:03] being able to reach you guys through the screen. There's just nothing like seeing you face to face. Now, it's a tremendous pleasure to introduce our guest. And his name is Gary Salman. He's the chief executive officer of Black Talon Security. Gary and I have been friends for probably 10 years.
[4:22] Originally, he was with Carestream. About four years ago, he left Carestream and started his own security company. A lot of things I like about Gary, but the most relevant one probably for this is that we're a bit alike in the sense that his company and Prosperident are both hyper-specialized on a really narrow problem. And if you've been a long-time watcher of ours,
[4:49] one of the things you've heard us say is that your accountant is a generalist and probably is a little bit out of his or her depth when it comes to embezzlement. And I think the message you're going to get from Gary about your IT person is very similar. You know, they're great at getting your network set up. But when it comes to protecting you against ransomware,
[5:10] and I'm sure Gary will have a lot more specific things to say. But, you know, the IT person who looks after your other needs may be out of their depth. Gary and his company exist really for one narrow mission. One more thing I'll mention about Gary is he comes from a dental family; his dad's an oral surgeon, you know, grew up around dentistry.
[5:33] Like all of us at Prosperident, he lives and breathes it. So it is my tremendous pleasure to welcome Gary Salman to our presentation. And with that, Gary, let's see if we can let you take it away. All right. All right, you have a screen share icon there for us. Yeah, we will do it. Do it. Let's see. It's.
[6:00] Here we go.
[6:04] All right. Yeah, screen looks good. All right, we're good. Yeah. All right. Well, now is my proper start. Sorry for jumping the gun on everyone. But here we go.
[6:16] So welcome, everyone. Completely honored to be presenting to this extremely large crowd tonight. So thank you, Prosperident, for this opportunity. I'm going to make this real, right? So all the information that I may be presenting to you is our information. This is based on cases we've worked,
[6:33] not things we found on the Internet or rumors or things that sound good, right? These are these are real world situations. So the goal here is I don't want this to be scary, right? A lot of times I'll lecture and doctors will blow me aside and like, wow, you really scared me. That's not the goal here.
[6:53] The goal here is to provide you with enough information. So as a practice administrator, right? As the owner of the practice, you can make good business decisions because so many of your colleagues that have been victimized by ransomware, they say pretty much the exact same thing to us. If I had only known, I would have done something different.
[7:14] So I'm going to go through kind of the real world problems and our goal here is to help you with solutions, right? So that's that's what we're going to talk about. We're going to talk about problems and solutions. I'm also going to give you a good idea of what these criminals are actually doing. All right, so I'm going to talk about a couple of really interesting cases today.
[7:36] We're going to talk about a takeover of an orthodontic practices, cameras and music system. Now, this was not a ransomware attack, but if you talk to the orthodontist, that was the victim of this, she feels like she was completely violated because they watched everything she did in her practice and they messed with her. And I'll go through that case.
[7:57] I'm going to talk to you about a ransomware attack against a GP practice, single provider, single location, that initiated in the practitioner's home and moved to the practice, and then a couple of others. We are currently working a ransomware case right now by a threat group called Conti, C-O-N-T-I. Conti is a very, very active threat group that targets health care, right?
[8:23] They target other industries as well, but they're going after health care hard. This is a GP practice and they got hit a couple of weeks ago and the ransom demand, $550,000. GP practice, OK? So this is no joke what's going on right now. Now, full disclosure, not every single dental practice that gets hit
[8:44] has a ransom demand that high, but they're averaging around 50 grand for a GP practice and closer to 100,000 for a specialty practice. And that's based on the amount of data. So what's ransomware? Ransomware is a form of malicious code that is delivered to your network in typically one of two ways.
[9:02] First is through a phishing expedition or spear phishing where someone in your practice could be a doctor, could be someone sitting at your front desk, opens an email and they think the email is legit. It's coming from my colleague right down the street. It's got to be legit, says her name.
[9:18] They click on a link, they open an attachment and the ransomware code downloads into the system and then it starts encrypting or locking all the files. And once it's done, a ransom demand will pop up on the screen telling you, hey, you've been hit by a Conti ransomware or whatever ransomware group and they'll tell you how to contact them.
[9:39] And then sometimes they'll tell you right on the screen how much they want. Other times you have to go to the dark web to find out how much to pay them. Right. The second way that ransomware ends up on your system. And we see a lot of this is through a direct hacking event where the hackers find vulnerabilities on the doctor's network
[9:55] through their firewall, through devices. They exploit them using their hacking tools. They get on to the network. They exploit other machines. And then they actually just install the ransomware code, right? Just like your IT person was installing a piece of software for you.
[10:09] And the ransomware code will execute in a couple of seconds and start encrypting right away. And sometimes in many of these attacks, it'll encrypt every machine on your network and servers in a matter of seconds, right? And so much data.
[10:24] Sometimes it might take longer. Sometimes it could take a couple of hours. But typically they're going to do this at night. Typically on a Friday, you know, Friday night into Saturday morning, they'll do it before a big holiday. And then you walk in and find skull and crossbones all over your network.
[10:40] All right. So one thing I want you to understand is that a data breach is a problem, right? I think that's obvious. But here's an issue: the HIPAA rules clearly state that a ransomware attack is a data breach.
[10:58] So many practitioners have been hit by ransomware and their IT company comes in and just makes it all disappear and restores the data from a backup. But here's the problem in 75 percent of the cases. And this is you can look this up as public information. And this is also our statistics.
[11:16] 75 percent of ransomware attacks result in the theft of your patient data. We see this over and over again. So what happens here is your IT company is like, Oh, don't worry about this doctor. I got you covered. They don't realize that all your patient data has been stolen
[11:31] and is going to be auctioned off on the dark web. That puts you in a very, very bad place from a HIPAA compliance standpoint. So there's something which we're going to talk a little bit about some more, which is called basically triple or even quadruple extortion, which basically means this when the hackers break into your network, they steal all your patient data and they will do this without you knowing.
[11:55] Your IT company, in most cases, will have absolutely no idea that it's going on. And there's no alarm bells that can typically go off to tell you that this is occurring. Then they encrypt your data with ransomware. Then if you refuse to contact them, they will then take one to 10 percent of all your patient data and put it on the dark web.
[12:14] And they'll even send you an email like, hey, you don't believe me? Ah, hit this URL and go to my dark web website and you'll see your patient records, photographs, x-rays, health history forms for sale. Right. So the last thing they're doing, and we saw this for the first time a couple of weeks ago by Conti, they start contacting your patients.
[12:34] So if you refuse to pay the ransom because your IT company just restored from a backup, they will start contacting patients. They will start contacting your employees. We saw this in a GP practice. So let's talk about supply chain attacks. I think most people six months ago, if you said, hey,
[12:53] you know what a supply chain attack is? Most people are like, I don't know. I don't know. They disrupt the supply of toilet paper because of COVID, right? That's the first kind of supply chain attack anyone really heard of. However, ransomware and these threat groups, they have an incredible ability to disrupt our supply chains.
[13:13] So I think the one that was the biggest wake-up for our country was the Colonial Pipeline. Then we had the meat distribution, which ended up not being as bad as a lot of people predicted. But here's something to think about. Look at these two threat groups, DarkSide ransomware and REvil. I will tell you for a fact that REvil has hit thousands of dental practices. They also are notorious for attacking IT companies.
[13:38] When we first started working with REvil, for obviously the wrong reasons, trying to get people's data recovered, almost every single attack that they executed was against an IT company. And they took the IT company's computers and then attacked all their clients. You heard that if you joined a little early, you heard that news broadcast, right? Where they were talking about an IT company being hit.
[13:59] So you have a Denver, Colorado event. You have the Wisconsin event. You have one down in the Maryland, Virginia area, down in Texas, where they all targeted these dental IT companies and took them out. And typically they hit every single dental practice, like the one in Denver. They hit over a hundred dental practices and thousands of computers
[14:17] and servers were all encrypted with ransomware. These hackers, they don't care if you are a single mom-and-pop practice with six computers or a Fortune 500 company generating billions of dollars. They take everyone out, right? So that's what's going on and they don't care if you're healthcare. There are some threat groups that say they won't target healthcare.
[14:39] I will tell you for a fact, I've seen them hit dental practices. Paul Farillo is one of the top attorneys in the country on cyber threats. I did a whole podcast and video with him the other day. And he talks a lot about what I'm talking about now, not as technical, but more from the legal perspective. But this is a post he put up on LinkedIn just recently and he talks about this.
[15:07] Business leaders have a responsibility to strengthen their cyber security defenses to protect the American public and our economy. No company, large or small, is safe from ransomware. This is a huge, huge problem that we see in the dental space. The IT companies, as great as they are, and we work with hundreds of them across the country, they'll tell practices, oh, you're fine.
[15:26] You don't have to worry about this. We have your back. Have you ever had a problem before? Right? And you're like, oh, okay, that sounds good. I'm fine.
[15:34] You can't think that way anymore. So I'll pose a question to you. How confident at this exact moment are you that your antivirus software stops ransomware? If you have a notepad, start writing this stuff down. How confident are you that your data is backed up properly?
[15:54] This is a huge problem right now and I'll explain why. And how do you know your system's not currently compromised? We go into some situations where clients sign up for preventative services. We get our tools on there and right away we know we have a problem. Okay, their systems have already been compromised. So here's kind of the little secret that you probably don't know.
[16:13] Most antivirus software is ineffective against ransomware. Okay, here's the second crazy secret. When the hackers get into your system in almost every case, you know what they do? They shut your antivirus software off. Why?
[16:28] Because they know that's a defensive mechanism that the computer has to potentially try and stop what they're doing. We do forensic investigations and in the majority of these cases, when we do the investigation, we'll see to the exact fraction of a second the moment that the hackers turned off the antivirus system software on these systems.
[16:47] Another big problem, we get calls all over the country. Hey, we got hit with ransomware. We need your help, but we have a backup. We're like, okay, great. But in the back of our mind, we know one of three things are going to happen. One, they have a valid backup.
[17:01] Two, they only have a partial backup because someone made a mistake. Or three, which we're seeing a lot of right now, the hackers destroy the backups. I am talking about cloud and local backups. I've had heated discussions with IT companies. They're like, that's not even possible. Okay, it absolutely is.
[17:18] There are tools that these hackers can deploy on your networks that steal usernames, passwords. And they understand how you back up, where you back up, and guess what they want? They want you to pay. So what do you think they're going to do? They're going to sit on your network and destroy all your backups,
[17:32] then hit you with ransomware. Why? Because it's going to force you to pay. Now, not every case goes that way, full disclosure, but a high percentage of these cases that we're dealing with now. Right in the last couple of months, this wasn't really prevalent last year. The backups are gone.
[17:48] So one of the things that I really want to reiterate here is that this is a team effort. In order to secure your practice, your livelihood and your patients, it is a combination of your IT company and your practice and a cybersecurity firm working together to secure your environment. And we'll explain why that's the case in a few minutes.
[18:10] But this is how businesses run nowadays. When you look outside the dental space in medical and financials, right, in many small and medium businesses, it's a team effort. So here is literally the biggest problem we see. We talk to practitioners that haven't been victims. And then obviously we deal with hundreds of ransomware cases.
[18:34] And in a majority of these ransomware cases, the doctors say, I really thought my IT company had me. I even had a conversation, right? We've had scenarios where the practitioners have brought in the CEO of their IT company, sat them down and been like, hey, we just got a letter from our malpractice company saying,
[18:53] we got to step up our game, engage with a cybersecurity company. And the owner of the IT company is like, I got you covered. We're good. I'm an engineer. I've been building computers for 20 years. I know this stuff. Oh, Doctor, have you ever had a problem before? No, no, we've been OK. All right, you're fine.
[19:08] And then weeks later, they turn around and they're a victim and they call the guy back and like, how did this happen? You just literally told me this wasn't going to happen. So everyone has what I like to call Mike, their IT guy. And like I said, IT companies are fabulous, right? They play a very, very important role with keeping your practice
[19:25] up and running, providing you with equipment, but they are generalists. Just like in health care, there are general practitioners and there are specialists. There are cardiologists and cardiothoracic surgeons. There are general dentists and there are orthodontists, oral surgeons, perios, pediatrics, right? You get it.
[19:46] And each of those specialties plays a very, very different role. Just because you know computers and build computers and set up networks doesn't mean you're a security expert, right? And typically what we see is the IT company say, oh no, we have guys and women that understand how to do security, you're covered. And as a doctor, you don't know to ask the question,
[20:07] which is, OK, what are their certifications? Do they have a CISSP, right? What does each of them have? Can you be a dentist without going to dental school? Can you be a physician without going to medical school?
[20:23] No, but any IT company can hang a shingle on their website and say, we do cybersecurity and you as the practice owners, like, I got that. OK, so here's kind of a typical statement that I see. This is posted on a very popular Facebook website. And it basically is talking about a doctor who posted a note saying, hey, I'm concerned about security.
[20:46] Can you help me out? So one of the CEOs of an IT company wrote, we have plans of all sizes to address the ransomware issue. They line up with the HIPAA requirements: you want to see managed firewall, anti-ransomware software, backup and disaster recovery, encrypted email.
[21:01] OK, I don't really know what anti ransomware software is. I'm in the security business. All right, that doesn't make really any sense. But in theory, it sounds good, right? I'm not really sure what encrypted email has to do with protecting you from a ransomware attack.
[21:16] I can't see a correlation there, but to the untrained person or the owner or administrator of a practice, you're like, that sounds great. I'm good. Sign me up, right? We'll talk about why that's a failure. So I want you to understand that outages last a long time, OK? On average, in a dental practice, you will literally shutter your doors
[21:37] for 10 days because typically the hackers will take out every single computer on the network and in many cases, you have to rebuild every workstation. If your IT company just comes in and kind of erases some stuff and puts your computers back online, ultimately the hackers are probably still in the system and will come back and potentially hit you again. But most practices are down for 10 days.
[22:00] Yes, we have some cases where they're down for two or three days. We have cases where they're down for three weeks because of the complexity and the nature of the attack. This is just a rough estimate based on our numbers and our dealings with these ransomware cases: a single provider, single office GP practice is looking at just under one hundred and seventy thousand dollars
[22:20] to deal with a ransomware attack. That's what it costs right now. Obviously, if you don't have to pay an extortion fee or if you're able to recover your data, it could be less. But there's a lot involved here. You can't forget about the compliance issues
[22:35] you have, both at the state and federal level. These have to be investigated by a forensics firm, right? Just having your IT company say, oh, you'll be fine, I'll restore your data. That's the wrong answer, right? When your data shows up on the dark web and you're like, whoa,
[22:47] if I had known my data was stolen, I would have paid, it's too late at that point. So what did all these breaches have in common? Well, these are the commonalities between almost every attack we see. They have an IT person, they have anti-virus software.
[23:01] They have firewalls and they have backups. But they're still hit. Do you honestly believe that these Fortune 500 companies don't have firewalls? But this is the problem. So many practitioners are like, I've got a firewall.
[23:13] I spent a lot of money on it. I was told it's going to stop ransomware. It's not. It may stop certain strains on rare occasions, but it is not effective in terms of stopping ransomware. It looks cool.
[23:27] It blinks. It plays a really important role from a security perspective, I'm not downplaying it, but too many people are relying on anti-virus and firewalls. So I want to take a minute here
[23:37] and I want you to kind of jot down, based on this list, what you know or what you think you have in your practice. This is a really important exercise, because a lot of people, owners of practices, partners, administrators, they're responsible in the end
[23:55] for the confidentiality of the patient records. You should know what security is in place at your practice. All right, so do you have a firewall? And guess what, guys and ladies, just because you have a modem from your internet provider doesn't mean you have a firewall.
[24:11] In some cases, the doctor's like, oh, well, we have a firewall. We get in there, take a look, and say, no, you don't have a firewall, you have a modem. Some modems have firewall capabilities and some don't. But you need to have a dedicated firewall. Talk to your IT company if you don't.
[24:25] Anti-virus software, secure email, cloud backups, local backups, multi-factor authentication, things like that. All right, so here are typically the security layers and who provides what. Your IT company is gonna provide your firewall,
[24:39] anti-virus, your secure backups and secure email. There's some possible overlap. There's some new technology out there called endpoint detection and response, which we don't have a lot of time to talk about tonight, so I'm not gonna get into it.
[24:55] They will also potentially provide multi-factor authentication, but these are technologies that a cyber firm can also provide. G through K, that's what cybersecurity companies specialize in, and these are must-haves, right? If you want to secure a network
[25:08] and you're missing G through K, right? If you don't have all these components, you're eventually gonna get hit. I sit on panels with some of the top security folks
[25:19] from the largest hospital systems across the U.S., which are often monitored by government agencies, and we discuss this all the time, right? About how important it is to have G through K, and the reality is, if you don't have some of these things
[25:36] like penetration testing, which we'll talk about, the hackers will do it for you, and you'll be on the wrong end of that equation. So let's talk about some of the facts. After an attack, 100% recovery may not be possible in the short term.
[25:49] What do we mean by that? Think for a second about all the systems you have. It's no longer just practice management software and digital radiography. Now we're adding in 3D, intraoral scanners, text messaging,
[26:03] appointments and reminders, time card systems, voice over IP telephones, cameras, remote access. A lot of these things are kind of band-aided together. And all of a sudden all the systems have to be rebuilt. Software's got to be reinstalled
[26:21] and you're like, oh my gosh, we're two weeks into it and we still can't do appointment confirmations, right? We still can't get our electronic claims out. So downtime's really your biggest financial impact. Think about this: if you have to shut your doors for two weeks, because that's what happens,
[26:36] none of your computers work. And in fact, most of the time they're actually damaged, right? Not physically, but the operating systems are damaged. They have to be rebuilt. You can't schedule, can't reschedule.
[26:47] Sometimes the phone systems don't work. What do you do? And then you haven't collected any money for two weeks. You haven't filed claims, you haven't sent bills out. All of a sudden that two weeks becomes four weeks and you haven't collected a penny.
[26:59] So the hits keep coming. And understand that there's a huge difference between an IT company and a cyber company in terms of what they do and what they provide. That's the mindset that we have to kind of change. So how do we fight back?
[27:12] Well, as crazy and scary as all of this is, you absolutely can fight back. You have to be willing to do something. You have to step up and say, you know what? I don't wanna be that doctor that was just on the news. If you saw the news story before the webinar started,
[27:28] you gotta build strong, resilient systems, right? The firewall and antivirus model, it doesn't work anymore, doesn't cut it, right? You have to be able to understand the threats and address them. Cyber firms do this 24/7.
[27:40] They're constantly working to battle these threat groups. They see the damage and the capabilities of these operations, and understand this: you're up against threat groups from China, from Russia, especially Russia. Some of these threat groups will generate
[27:56] half a billion dollars a year in ransom. You don't think they have some of the best technology out there? You really believe that the IT, right, your firewall and your antivirus, is gonna protect you?
[28:08] No, you gotta step up the game here. You gotta do something above and beyond the typical protocols that are out there. All right, so I talked to you about Conti. Conti is an extremely active threat group, right? I constantly go to these dark websites
[28:28] and I found a demo practice. This is real world, and guess what? They didn't put the nice little black rectangles on to cover up the name of the practice, right? But you can see, my apologies, you can see here, they released some of the data.
[28:39] There are pictures, there are bank statements, there are HR files, patient records. That's what these threat groups publish. We did an ortho breach out in Utah. The threat group said that they stole all of the doctor's data.
[28:55] The doctor didn't believe it. We asked for proof that the criminals stole the data. They sent us a one gigabyte file of all the data they stole. They stole approximately three terabytes. And when we opened up this file,
[29:07] or these files, in front of the doctor, he was horrified. This is an actual image that the hacker sent back to us from this ortho practice, with a child involved, thousands of them. All right, so David, I think it'd be a great opportunity
[29:23] for your team and myself to kind of start talking about these real world cases. So I'm gonna go through some postmortems here and share with you what is actually going on. So if you guys wanna pop back on, we can do that.
[29:38] So as they're joining, I'll kind of kick this off. So one of the problems that we often see is practices don't understand where they're vulnerable. That is also known as their attack surface. Where can hackers get into the network? It's not always what you think.
[30:03] It's not always right through your firewall or directly to a computer that's potentially exposed or has a vulnerability. It could be from someone's home. It could be from a consultant. It could be from a third party:
[30:16] software vendor, imaging, IT company. So one of the things, David, just like you do with some of the services you offer, you have to help your client understand where they have risk. So one of the big things here is
[30:32] how many practices have standard operating procedures in terms of how to deal with certain things like backups, passwords, things like that? So a cybersecurity assessment is critical. This is where a cyber firm is gonna come in, ask about a hundred questions
[30:54] and help you understand where you have risk. How do you back up? Where do you back up? Is your data encrypted? How do you remote into this network, and are you using multi-factor authentication?
[31:04] About a hundred questions similar to those. And then recommendations can be made to harden your network and reduce that attack surface. So in David's world, I'm sure he does things like that to help practitioners mitigate their chances of being a victim of financial fraud.
[31:24] So David, anything you wanna talk about regarding that? Well, I will start by saying, I think this is unquestionably the most frightening presentation I've ever watched. Sorry, Gary, I didn't mean to catch you with your mouth full. No, no problem.
[31:38] But wow, you know, if you are in the audience and this doesn't have your undivided attention, you know, there's something wrong with the way you're wired emotionally. This is just beyond frightening. And what I'm glad, Gary,
[31:56] is that you have said to people, you know, you don't have to sit there passively and wait for this to roll over you and write your $170,000 in checks to the ransom company and your attorney and all those things, you know,
[32:10] there are things you can do about it. So Gary, you've mentioned early on that ransomware entities targeted healthcare companies or companies in the healthcare world. I think I know the answer, but in case I don't,
[32:30] can you tell me why that is? Yeah, it's pretty straightforward. The reason is they know that with the doctors or the healthcare entity, there's a high probability that they're gonna pay, right? Because if they steal their patient data,
[32:45] in most cases, what doctor is gonna say, I don't care, publish all the patient data for my practice, all the health history forms, the X-rays, the pre- and post-op images, who cares? Right, I haven't met a doctor that's said that, right? And we do a ton of these cases.
[33:00] So the hackers know the value of this data. They steal a bunch of spreadsheets from a corporation, maybe some HR files, eh, that's not great. That's a heck of a lot different than stealing people's health history forms, you know, lab reports, things like that.
[33:16] So I will tell you that in a majority of the cases we deal with, the doctor either opts or has no choice but to make the ransomware payment, right? We never, ever want that to happen. But the reality is, David, it's a business decision, right? The business decision is, you can't afford to have,
[33:36] you know, if you're a GP, a couple thousand records posted, if you're a specialist, tens of thousands, I mean, we have practices that literally have 750 to a million patient records as part of their dental practice because they're a large group.
[33:48] Could you imagine the damage that's done? You probably can't even get enough, you know, well, you could, but the insurance premiums to protect from something like that are astronomical, you know? So I mean, that's why they're going after these healthcare groups.
[33:59] What the hackers do is they'll go on their dark web forums and they'll talk about it. Oh, I just knocked over this dental practice, this dental practice, they just paid me 100,000. I got 50,000, it took me two hours' worth of work. You know, I'm driving a Ferrari now, literally, right?
[34:11] I mean, that's the crazy part. If you look at some of these takedowns of these threat groups, they have hundred, $200,000 cars sitting outside the front of their houses. That's how much money they're generating. So that's the reason they're targeting healthcare.
[34:22] They know the risk. Literally, in this Conti case that we are just finishing up, they told us in a chat session that if you don't pay us, we know the United States laws and you will have the Office for Civil Rights
[34:39] investigating you, because we're gonna publish your data. I mean, they're not stupid people, right? They know how to generate the money. So Gary, I have a question. I've heard some IT people say do not pay the ransom because you don't get your data back.
[34:59] And if you get it back, the data is scrambled so it's not readable or usable within your system. Number one, is that true? And then number two, if you do pay the ransom, do you, I specialize in embezzlement, I can't believe I'm asking this question,
[35:16] do you have any assurance that they won't keep a copy of that data and publish it at a different time? So, all great questions. So our experience has been, to date, and I will knock on wood,
[35:30] we've never had a scenario where we couldn't get all the doctor's data back. We had one case where some cone beam images were damaged as part of the encryption process during the attack. But every case we've worked, we've been able to get all the data back.
[35:44] Now, sometimes it's a tremendous amount of work, right? It's not this magic, hey, pay them and press a button and all the data just reappears. There's sometimes a lot of putting the data back together, but luckily, knock on wood, we haven't had that issue.
[35:57] We've also never had an issue where we paid and we didn't get the data back. We've had some, you know, scares where we paid on a Friday and who knows what they were doing on Saturday and Sunday. They went radio silent, and then Monday at 10 o'clock
[36:13] at night, we would get the keys to unlock the data. That's rough, you know, the doctors literally wrote a $100,000, $70,000, $50,000 check out of their personal accounts and they're like, where's my money? Where's my return, right?
[36:26] Where are my keys to unlock this data? It's a rough exercise and extremely, extremely stressful. So was there a third question that I missed? Just the second part of that question is, how can you ever be assured that they don't keep a copy of it?
[36:43] They're criminals, right? And I think you were laughing because you knew the answer. They're criminals, right? There are no guarantees. It is a little weird, because, I will say, a majority of them are what I will call
[37:00] honorable criminals, if that's even real. But conceptually, they know that they have a reputation. They know that everyone talks about this. So if they start ripping people off, they know that there's less of a likelihood that they will get paid in the future.
[37:16] So typically, if they say they're going to do something, they will do it. And the most ridiculous statement that I could probably make is that most of these threat groups literally have some of the best customer service. If we buy the keys and something doesn't work,
[37:32] we will message them on the dark web. And sometimes within a couple of minutes, they will pop on and be like, fixed it for you, try this. We're like, wow, that was impressive, right? They're criminals though, like, I don't care about them, right? They're horrible people.
[37:46] But this is the world that they operate in, right? It's, as I like to say, a legitimate business, right? They are literally running a criminal business, and they know that customer service is part of what they have to do in order to be successful. It makes no logical sense, right?
[38:03] I work in law enforcement. And one of the things that I always say is, imagine me responding to a break-in at someone's house. And I pull up and I see a tractor trailer getting filled up with all the belongings of this family. The family walks down to me and they're like,
[38:19] hey, oh, sir, you gotta, you gotta arrest those people. And I'm like, yeah, I can't do that. How much cash do you have? And they're like, what do you mean how much cash do I have? Well, let me go talk to the criminals and see what they want. And then I go talk to the criminals
[38:31] loading up all of their belongings, like, hey, give us 50 grand, we'll move all their stuff back into their house. I have to go back to the homeowners, be like, you got $50,000 in your safe that you can give these people,
[38:40] they will move everything back in. Literally that's what's going on right now, right? And they're very difficult to track and very difficult to catch. So that's another issue. Okay.
[38:50] I have a question for you, Gary. Sure. So they hack everything, they get access, they have the control. How do you typically pay the ransom? Like, how do you see practice owners
[39:04] settling the score, I guess you could say? Because they're not gonna meet these people in person. Think about a kidnapping or ransom, okay, let's do a cash exchange. What's the most common exchange and how does that happen?
[39:18] Well, conceptually, to your point, it's almost like that: you take the money, you drop it somewhere, they pick it up, and then they give you something back, which are the decryption codes, or the keys, really. Wow.
[39:31] Yeah, so one of the ways that this works is through cryptocurrency, right? So the process is this: the practice agrees to pay them whatever it is, let's just say for argument's sake, $75,000. The practice will transfer to us, through a wire, $75,000.
[39:53] We will convert it to cryptocurrency. It could be Bitcoin, right? There are other different cryptos that the hackers are using, but most of them are using Bitcoin. And then we have to transfer it to the criminals, but here's the catch: that could be illegal, okay?
[40:07] So I've come across many IT companies and many doctors who have just made the payment themselves. I'm like, who'd you just send that money to? Are they on a watch list? Are they considered a nation state? Did you literally just pay terrorists?
[40:23] And the doctor's like, I have no idea, I'm a dentist, I just had to get my data back, right? Or they say, well, my IT guy didn't talk to me about that. So there are very, very special background checks that have to be done on these digital wallets, these crypto wallets, prior to sending them money.
[40:40] All of a sudden you're like, I'm just trying to get my patient data back, and now you're in the middle of a federal investigation because you transferred money to Iran, right? Or another nation state. So that's why I'm saying you gotta understand
[40:52] this is a very specialized science that's going on right now. And the compliance, both at the state and federal levels, is huge. And there's a lot to lose here. The problem that we see, Amber, in many of these cases,
[41:05] is that the second practices get hit, all they care about is, I need to treat patients again. And I'm not downplaying that. That's our number one focus. We know we need to get your practice back up and running, but if it is not done properly,
[41:17] the long-term consequences, financially and then from a compliance standpoint, are pretty significant, right? So it has to be done properly. So I have another question.
[41:30] How many of the hackers that you see are not based in the US? I mean, I know that's a hard estimate, but do you see a lot of them are from other countries, or what demographics do you see them typically based out of? So we've never come across a hacking group
[41:50] that is US-based. They're not. The last case that I can think of was, I think, the Twitter hacks, where the FBI locked up someone from Florida and from England
[42:01] where they got into some very high profile people's Twitter accounts. That's not really a ransomware case. That's more of a cyber event. I don't know, based on all my intelligence, I don't know of any hacking group
[42:13] that operates inside of the US borders, but to answer your question directly, it's mostly coming from Russia. Those are just the facts. China as well. What we typically see is Russia is involved heavily in the ransomware business, generating billions of dollars.
[42:30] China seems to be mostly involved in data theft, the theft of intellectual property from businesses and corporations. They operate differently. In the end, do they share some information? Maybe.
[42:44] So that's typically it. Iran and North Korea too, but typically it's coming out of Russia. Okay, I'm really enjoying this discussion. Just a couple of reminders to the audience. First of all, if you have a question, please use the Q&A, not the chat, to ask a question.
[43:01] The people who are bringing their questions forward to Gary can't see the chat. They can only see the Q&A. And if you have stuck a question in chat, just copy and paste it back into Q&A and we'll make sure that we get an answer.
[43:16] So just don't forget that the chat and Q&A are for different purposes. The other thing that I wanna talk about, and I'd love to hear Gary's feedback on this: traditionally, people have relied on a good backup. In other words, there was a time, I think,
[43:33] evolutionarily, Gary, when what ransomware did was encrypt your data. And if you were prepared to walk away from that encrypted data, you really didn't feel a need to pay the ransom. So if you had a good backup,
[43:47] you just kind of thumbed your nose at these people and said, screw you, I'll just restore from backup. And it sounds like the folks doing the ransomware, on that basis, have kind of elevated their game and now they're going a step or two further. And that a good backup is no longer the cure-all for this.
[44:06] Right, yeah. Look, backups, to your point, backups are critical. I tell every client, have a good cloud backup, have a good local backup. Now I'm talking about a disconnected backup. And this is a heated discussion I get into
[44:19] with a lot of IT companies, because I'll tell our clients, listen, I need you to think old school, right? You remember the days, doctor, where you would unplug a little hard drive or a backup disk, or even a tape
[44:30] if you've been around for a while. You take that tape or backup device, throw it in your backpack or your bag and walk home with it every night. That was your entire livelihood in your bag, right? Then the cloud came and everyone's like,
[44:43] ah, who needs local backups anymore? Let's just push all your data to the cloud. And everyone's like, hey, let's go to the cloud. Sounds great, easy. I don't have to worry about bringing home this horrible hard drive every day.
[44:55] Then guess what started happening, right? The hackers started gaining access to these cloud technologies. The other problem, David, which we haven't talked about, is this: how many practices have actually tried
[45:06] to download their cloud data? Yeah. Have you asked your IT company to download all of your patient records, your practice management software, your attachments and all of your 2D and 3D images
[45:17] and show you that your system functions? Because a lot of times the IT company's like, oh, well, the 3D images were too big, so we didn't back them up. Well, guess what? All your 3D images are encrypted by ransomware.
[45:30] You're probably gonna pay now, right? Here's the next catch to that problem. How long does it take to download your data? If you have 3D imaging, right? Cone beam imaging, intraoral 3D imaging through an intraoral scanner that takes STL files.
[45:46] Those data sets, David, are huge, huge. Terabytes and terabytes of data if you've had them for a couple of years. How long do you think that's gonna take to download from the cloud? Yeah, absolutely.
[46:00] So what do you do? Often you can't do anything until all your data comes back. So that's another challenge. And I get it, there are some technologies that can assist with certain things like this, but you gotta have this disconnected backup, right?
[46:14] It's called cold storage. So now we're bringing back this concept, and that's where I started with, hey, go out and get a high speed solid state drive, not the old school spinning ones, the ones that are all chip based, get a couple of those.
[46:27] Have your IT company encrypt them to protect them, right? We've talked about this, but the theft of those devices is a breach also, so encrypt them. So only you, the doctor or administrator, have the password, and then each night, back up all your data, right? Now, some practices may have so much data
[46:44] they may not be able to back up all the 3D images, but at least do that once a week. So in the worst, worst case scenario, your systems are hit, right? Your cloud data is taken out. You can literally go to your dining room table
[46:55] and take that hard drive and be like, this is what may save me, right? But the catch still is, if they stole your data, what are you gonna do? Are you not going to pay, or are you going to pay? That's a decision tree that your attorney
[47:07] and your practice are gonna have to work through, right? Because there are ramifications for either decision: legal, compliance issues, and then the other side is financial, right? So yeah, this cold storage is hot. Even large Fortune 500 companies,
[47:21] they're going to cold storage. Literally a backup that's disconnected from the network. Yeah, but where I was going with this was, again, I think some people think, and some people have heard from their IT company, that as long as you have backup perfection,
[47:37] you're safe against ransomware. If you have a backup that's 100% perfect, you're safe. And what I've seen lately, and you reinforced it tonight with something you said, is that the companies doing this have upped their game, and the way that they do that is
[47:54] they put your information online, or they convince you that your information is compromised. In other words, having the perfect backup gets your systems functioning again, but it doesn't deal with the fact that some adversarial party has pretty valuable data.
[48:09] And in one of our sessions that we did last month, in fact, one of the things I was talking about was the value of data and a working credit card number. If somebody has your credit card number, the street value, that's about $5. If they have a sort of patient's healthcare record
[48:31] with insurance information, date of birth, social security number, that kind of stuff, the value of that record is about $50. Exactly, yep, that's the number we see. Yeah, so this has evolved past, we're just gonna lock up your data
[48:45] and you're gonna pay us so that you can access it again, to, we're gonna take your data and if you don't wanna pay, we're gonna do something with it that's gonna hurt you. Yeah, and that's the challenge. No matter what, your primary focus should be,
[49:02] I never want a threat actor to get into my system. Yeah, okay, that's rule number one, you need to up your defenses. Let me give you a couple of examples, some real-world stories here, so everyone can really understand what's going on.
[49:17] We recently finished up a case about three months ago. This was a pediatric and ortho practice, two locations in Southern California. The practice called us, they had heard about us, they said, hey, both our locations are fully encrypted with ransomware, they hit our servers,
[49:32] every workstation has a skull and crossbones on it. So we get in there, we immediately recognize the threat group, we explain to the doctor right away that there's a very, very high likelihood that all of this data has been stolen for both locations.
[49:46] And he's like, yeah, I don't really think that happens. And we said, all right, we'll go down that road when the time is right. When my security guys got in there, we immediately called a time out, because guess what we found?
[49:59] On almost every single computer, they had installed three different types of screen sharing applications, like GoToMyPC, LogMeIn, Splashtop. Now, I will say that's the first time we've seen them install three different types,
[50:14] but when we started really critically thinking about it, our security team was like, this is almost genius, because an untrained person, a regular IT company, would be like, oh wait, this is a screen sharing application, delete. And they may miss the second, right? The secondary or tertiary screen sharing application.
[50:32] What's wrong with screen sharing applications? Well, there's a lot wrong. First, the firewalls and antivirus software don't typically block them. Why? They're legit programs, right? Your computer looks at it as legitimate,
[50:46] it's just been installed by a criminal. The second thing is, it goes right through your firewall, right? It opens up a port, it allows traffic to come in, traffic to go out. So you know what the hackers do? They sit there at their desktop, they click an icon,
[50:59] and they've just logged into Dr. Mary Smith's computer, right? Her laptop. In this case, they had access to every single computer. We're talking about 40 computers. And when I explained this to the doctor, he's like, well, what about my laptop?
[51:11] I said, yeah, we found it on yours also. So he said, they were watching me read my emails and every website I went to. I said, unfortunately, yes. And that's when the panic started to set in. Because he knows, he's like, I send emails with my referrals.
[51:26] So let me ask you this: does encrypted email protect you from that type of environment? No, I mean, from that type of attack, I should say, no. Because the data's on your screen, decrypted. So they're just watching your screen. They sit back and watch.
[51:38] Guess what else they do? They figure out. Yeah, online banking. Online banking. So that was a huge problem. One of the files that these criminals took was an HR file
[51:48] with every one of their employees' names, dates of birth, social security numbers, home addresses. So now the doctor had to go out and get identity theft protection. Which is not super expensive, I get that. And you're talking 25, 30 employees. But the stress, right?
[52:04] For those employees, he said it was off the wall. They were upset. Because they felt like they were violated. And they're mad at the doctor, because they really thought that he or she had the duty to protect this information and they didn't.
[52:18] Yeah, they feel almost let down, betrayed. And it's tough. This is a very, very emotional thing. Why? It's a personal attack. You feel victimized.
[52:28] You feel like you can't control it. And I come, as you said, from a family of doctors, I'm type A, like, you want to control everything, right? And you're that way too, David. I know for a fact, right? You want to control everything.
[52:38] And now you're like, someone has just controlled every aspect of my life. And it's horrible. I mean, this dental practice we just finished up in Connecticut, they broke into her home machine. They encrypted her home computer with all of her photographs
[52:51] from her children. She had to pay about $7,000 to get all of her photographs from when her children were born to about age eight because she didn't have a backup, right? Not pointing fingers. But she's like, I can't lose those pictures.
[53:05] They're gone forever, right? And they used her computer to attack her office. So not only did she get hit personally, she got hit professionally. So now she had to answer to her partner, like, I'm gonna have to own up to this
[53:16] and admit that this was my mistake, right? They were down for two weeks, David. They couldn't treat patients. They went out and they bought laptops. They started with a blank database. They hooked up a periapical sensor.
[53:29] But then the patient's like, you just took an X-ray on me two weeks ago and you can't take another X-ray on me. Where's my previous X-ray, right? You know the path that people will go down in these types of events.
[53:38] She literally called me on a Sunday night and says, I think early 40s, she said, I think I have to go to the emergency room. I feel like I'm having a heart attack over this. And my heart bled. I'm like, I'll stay on the phone with you.
[53:50] I'll talk to you through the whole thing. It's not gonna be as bad as you think. We'll get you through this. But this is how close and emotional these types of things get to business owners. So, yeah.
[54:02] We have a ton of questions under Q&A. Do you wanna start knocking this out and answering some questions for me? Absolutely. Just before we do any, for one second, I just wanna draw a couple of parallels here
[54:15] between what happens to people in cyber attack and what happens to people when they get the financial equivalent, which is embezzlement. And that feeling of violation that Gary mentioned Wendy and Amber know this really well.
[54:30] That's something that people feel from embezzlement and they equally feel it from cyber attack. And the other thing is, and Gary, I think you framed this nicely. When you're at the point where you see the skull and crossbones on your computer,
[54:45] what you have to do then is make the best of a series of bad choices. And by far and away, everybody's best place they can be is to organize their lives and their businesses so that they never get to that point.
[54:59] But it's just like we say about embezzlement. If you can set up your systems properly and Amber works extensively with clients in that area so that you don't get stolen from, that's a lot less painful than dealing with it after the fact.
[55:15] So when I introduced Gary at the beginning, I said, we have a lot in common and as this conversation goes on, I'm seeing even more of it. Sorry, Wendy, let's get to those questions, but I just wanted to make those observations
[55:27] before we did. Okay, great. I love that you made those parallels. Here's a good one. What is the number one task a practice owner should look at when back in the office tomorrow?
[55:41] Besides, number one, top on your list, what should they do? I think they have to evaluate their attack surface, right? Because it's hard to say what the number one risk for practice A could be very different for practice B, but we can break it down to a couple of things. One of the ways practices get hit
[56:01] is through phishing emails, right? As I described, employees receive an email, it looks like the orthodontist down the street, looks like an X-ray, they click on it, or it looks like it's from Amazon, they click, and next thing they know, skull and crossbones.
[56:16] So you can beat phishing emails by training your staff, right? So cybersecurity awareness training is critical. It is required under federal law if you're a healthcare provider. Every doctor probably knows they have to train on OSHA, right?
[56:33] Can't have an assistant get stuck with the needle and be like, oh, OSHA, what? I don't even, I've never heard of OSHA. That doesn't fly, right, from a compliance standpoint. But a majority of practices, I'll probably say 80% of practices have no idea
[56:45] that they're required to train. So if you want to help reduce your risk, search out training platforms, right? Cyber firms offer it, you know, where they can access learning management systems to learn, how they can identify these types of threats.
[57:00] What I hear doctors often say is, you know what? I'm gonna go back and just tell my staff not to click on anything. Yeah, that's, I mean, that's useless. First, just shut your practice down because you won't get X-rays, can't take your referrals,
[57:12] you can't send stuff back to your specialists. Like that doesn't work, but you gotta educate, you gotta empower your team, right? So that's something that they can really do. The second thing is talk to your IT company, right? Understand, hey, what are you guys doing for me?
[57:27] And you remember that long list that I showed you before? I would be willing to bet I nailed it, right? The very first four items are what a majority of practices are being provided with. And it's not enough. It doesn't work anymore, you know?
[57:39] You gotta think, this isn't, right? This isn't 2016 anymore, right? This is 2021, those are important aspects of security, but that's not the end-all, be-all. So, you know, have an understanding of what security is in place,
[57:51] then search out specialists to harden your security. Okay, someone also asked, how can I protect from incoming attacks or is there any preventative measures I can execute or use? You just answered that, correct? Training staff with the email?
[58:07] So there's two, I think there's two parts to this, right? There's the email-based attacks, but there's the direct hacking events where hackers will scan the firewall, they'll look for vulnerabilities on computers and devices, right?
[58:20] That requires a whole different set of software and skills to look for those vulnerabilities. That's typically what's provided by a cyber firm, right? They will launch cyber attacks against the firewalls, they will have ethical hackers attack the firewalls, software attack the computers on the inside of the network,
[58:36] looking for these vulnerabilities that hackers will exploit. I think the best analogy, Wendy, it's probably the easiest way to explain this and David, you know, and you did it on the previous presentation.
[58:47] It's kind of the analysis of your own home, right? You're like, you can say to yourself, oh, my home's like Fort Knox, right? I got the best deadbolt on here, my windows are secure, and then an expert comes by and like, oh, you think that windows secure?
[59:00] Watch this, right? They come with a little bar pop, the windows open, and 10 seconds later, they're in the first floor of your house. You're like, well, how did that happen? I just, you know, upgraded my security.
[59:10] So conceptually, that's what cyber firms do. They look for these holes in the networks that hackers exploit, and then they work with the IT company to patch those holes, right? We're not talking about just patching software,
[59:23] it's a much more complex task than that, but you have to look at all the devices on your network, right, use sophisticated software and human intellect to determine where they're vulnerable and then harden those devices. That's how you protect from these inbound attacks.
[59:36] So training, vulnerability management, penetration testing by, you know, certified ethical hackers, that's how you do this. So I know you had mentioned that they can access the system from other vulnerable devices that aren't directly, you know, software related.
[59:53] Can you give some examples of that? Would that be, you know, like, I know you talked about the video cameras, but what are some other devices? One person wants to know like, guests, patients can get on like guest wifi,
[1:00:06] is that a vulnerability? Okay, so good question. So let's talk about that, because I think that's a really, really good question. It's something that practices can kind of do on their own or their help with their IT company.
[1:00:15] If you have a wireless network within your practice, right, understand that that wireless network is an extension of your wired network, okay? So if a patient comes in and pops open a laptop, for instance, and connects to your business wifi, they are literally connected to the same network
[1:00:34] that all your office computers are running on. Now, if they set up guest wifi and create what's called network segmentation where the practice runs on this part of the network and the patients run on this part of the network and there's no way for the traffic to cross,
[1:00:51] that's relatively good security for wifi because you don't ever want them to have access to any devices. Keep in mind, if you have wifi, most wifi devices nowadays can be cracked. That's the reality of it,
[1:01:04] unless it's running a brand new protocol. Literally a person can sit in a car or in an office next to you, pick up your wifi signal and potentially gain access to your network. Now, they have to have some skills, right?
[1:01:15] This isn't typically average Joe doing this to be fully transparent. You gotta have this also, you also have to have this network segmentation. So have a separate guest wifi that has no ability to transact
[1:01:29] to the business network, right? Send information back to work. So you talk to your IT company and say, hey, I want you to segment my guest wifi from my business wifi and they should know how to do that.
[1:01:41] Many firewalls will allow you to do that. Okay, someone asked actually twice, this is very important to someone. What do you think of whitelisting software that stops executable code from ever running without your permission?
[1:02:02] I think that's gonna be a pretty technical answer. So fasten your seat belts, ladies. Yeah, I'm not sure I wanna dig deep into that to be honest on this call, but look whitelisting, I'll talk generally because I think this will help.
[1:02:17] Whitelisting is a powerful technique. So let me give you an example of whitelisting. Your firewall, right? If you have someone connecting from the outside world, let's say you have a practice manager at home, right? And he or she wants to connect to the office or a doctor.
[1:02:32] What you can do is you can take the IP address of that doctor's home or that practice administrator's home, right? Their modem. You can load it in the firewall and you can whitelist it, right? So only people coming from those IP addresses
[1:02:45] can technically get into the firewall. That's an effective tool, right? You can also then specify certain software applications that can only run on the network. So there are some capabilities, but what I struggle with
[1:03:01] with a lot of businesses and practices is they hang their hat on one thing. Like my IT company is just gonna whitelist these software applications and anything else, that's not gonna run. What happens if the hackers get in
[1:03:16] and gain administrative access to that machine and shut that off? You're done. It's no different than a burglar coming in and potentially clipping the phone line, shutting your power off on your house
[1:03:25] and they kick the front door and there's no cameras, there's no alarm, all right? So we have to think layered security, right? And this is everything David kind of talks about, both from an embezzlement perspective, right? And your last presentation talked about
[1:03:38] from a physical perspective, you gotta think multi-layers. If you're gonna rely on one or two layers for security, you're ultimately gonna fail. It's no different than you going out and having your IT company sell you the best piece
[1:03:52] of anti ransomware technology, throwing it on your network and be like, hands are clean, I've washed my hands of this whole problem, I'm good to go and finding out it wasn't quite as good as you thought it was, right?
[1:04:03] So yes, look, whitelisting is an effective methodology but it is not the end-all, be-all. It is part of a security defense. So very good question. So someone, whoever asked that, is pretty effective. They know what they're talking about.
[1:04:15] Okay, what would you estimate a cybersecurity budget to be for cybersecurity insurance, IT, cold backups and associated maintenance updates, et cetera for best practices for a single location practice? So that's a really hard question to answer
[1:04:37] because there are so many variables there, how many computers, how much data, things like that. So from, I can give you some rough ideas from a cybersecurity perspective, if you budgeted $6,000, $7,000 a year on the high end, I'm talking like an average practice
[1:04:56] for say 12 to 14 computers, average GP practice, right? That number would provide you with very significant security, okay? Vulnerability management, pen testing, training, assessments, things like that. Pretty much the core of what you need.
[1:05:12] Backups, they can be all over the map. There are backup solutions that you can buy yourself for 40 bucks a month, which I don't really recommend. I really recommend you talk to your IT vendor and get a good quality backup solution from them. It depends on the amount of data.
[1:05:26] Do you have a cone beam machine? Do you have an STL, an intraoral camera that generates STL files, right? Those file sets become huge and many of these backup solutions you pay per gigabyte or terabyte of data.
[1:05:39] Those backups can run from your IT vendor, 50 to hundreds or more per month, depending on how much data you have. Patch management, patch management is important. That's where your IT company tries to keep your computers up to date.
[1:05:52] That should be part of your plan from your IT company. That's not an option. You have to make sure that your computers are getting patched. That's typically part of some type of level of service that your IT company is gonna offer.
[1:06:05] I would say at an absolute minimum, you wanna have a level of service from your IT company that offers patch management. So, but you know, look, that could be a couple of hundred bucks a month and up depending on how many computers you have.
[1:06:17] So, you know, all in maybe just rough math, 10, $12,000 a year for that. Depending obviously it's variable based on some of the things that I've said. So. Okay, and this is kind of a tricky question.
[1:06:33] How can I secure the devices that my staff carry from external attacks that potentially could have access to my network? Ah, great question. So, remember the first question I answered about guest Wi-Fi?
[1:06:48] That's how you do it. Your staff and really even the doctors, their phones, their mobile devices, their tablets, their laptops, their watches, smart devices in your practice like a smart TV, a thermostat, anything that is internet accessible
[1:07:03] should connect to the guest Wi-Fi on a segmented network, or it's also called a VLAN. They should connect to that. They should not connect to the business network. So, that's how you beat that. Can hackers access your data
[1:07:17] through a copy machine, fax machine, thermostat or other devices like that that have IP addresses in your office? Can they get that through that? So, great question. So, we're really talking about IoT,
[1:07:31] which is a phrase that's been around for a while now, internet of things. We're talking just like you said, a smart television, an IP based multifunctional printer, copier or scanner, you name it. Cameras, voice over IP, telephone systems.
[1:07:46] So, what I'll say is that many of these devices are internet facing, meaning you can gain access directly from the outside world. And what happens is without segmentation, this network segmentation we've been talking a lot about, they can potentially gain access to a device
[1:08:03] and use that device as a launching pad against other devices on the network. Probably one of the two most famous hacking stories are in Vegas four or five years ago, you can Google this, you'll find it, where hackers gained access to a thermostat
[1:08:18] in a fish tank at a casino and use that operating system that controlled that thermostat to attack the network, right? Public information, right? So perfect example. The other one is the target, right?
[1:08:32] The Target department stores, you know how they hacked that system? They accessed the HVAC, the heating and ventilation control system, and who the heck would think that that's gonna be the methodology to attack servers
[1:08:43] storing billions of dollars of information and data. But so these devices are vulnerable. The best way to do it once again is really to do this segmentation. Keep these devices off, keep them patched. When you see on your television, your smart TV,
[1:08:57] hey, we have a new piece of software, would you like to run the update? The answer is absolutely, right? Many companies come out with patches for their devices, not only to add new functionality and features, but to patch security vulnerabilities, right?
[1:09:12] So that's why going back to the previous question, that's why it's important to engage with your IT company on a patch management process. It is not once again the end-all, be-all, just patching your computers will not secure you, but it helps as a security strategy,
[1:09:27] it's part of your security strategy. Okay. Here's another one. We've been using Threat Locker for the past few months with our clients, with your dentist and haven't had any malware attacks.
[1:09:41] Any opinions on that system used with software like Intercept X and a Sophos firewall? Right. So I won't, just out of respect for the companies, I don't typically talk about specific products, but I'll speak in general terms.
[1:09:59] Some of these technologies that were just referenced are designed to potentially intercept ransomware, stop ransomware, detect ransomware if it's executed, they're used as once again, a multi-layered defense to harden the network. These are good technologies, right?
[1:10:17] But once again, the most important part is this multi-layered approach, which is don't let anyone get in the network to begin with, right, through this vulnerability management, pen testing, training, but if they do, let's hope you have additional layers of security
[1:10:30] to potentially block this, right? So some of these technologies that are out there are called EDR, endpoint detection and response, which is starting to become a little old school. The next generation is called XDR, extended detection and response.
[1:10:44] This type of technology uses artificial intelligence to detect hackers on your network, to potentially stop ransomware, but even the most advanced artificial intelligence software, it will not stop everything, right?
[1:10:57] So that's the failure point, right? Because what happens is, we forget about all the other security measures in place, we let the criminals come into our house and we hope our dog's gonna wake up and bite them and chase them out of the house,
[1:11:09] but criminals are smart, they will buy the same software that the IT companies were throwing on these networks and try and defeat them, right? But look, we are proponents of this software. We do believe that EDR XDR software
[1:11:22] is an important part of a security posture, as well as some of these next generation firewalls and some of the technologies that they provide, but you gotta think critically about this stuff. You think these multi-billion dollar companies don't have this stuff on their networks too, they do,
[1:11:36] right? So everything can be defeated, right? It's just, what does your attack surface look like? How are you minimizing that attack surface to keep them out? And look, hackers are typically opportunists.
[1:11:48] If they feel like they're gonna have to spend too much time to get into patient data, they will move on to the next system, right? And that's a fact. So the key point, point number one, and I keep saying the same thing over
[1:11:58] because a lot of people miss this is, do things to prevent them from getting into your network to begin with, right? And then layer on these additional security measures. So that's how I'll generalize that statement without giving my personal opinion on it,
[1:12:12] professional opinion on specific products. All right, well, Gary, thank you. We're at time here and questions are still coming in and I'm sorry that we didn't get to them all. What I'll invite you to do though with your questions is reach out to Gary and contact information
[1:12:27] is there on the screen. So if we didn't answer your question and I do see that we have a little bit of a backlog of questions, Gary, I'm sure would be happy to answer them for you and have a conversation about how you can
[1:12:42] not be a victim of this. Gary, I want to thank you very much. This was just terrific information. It's a subject I've always had some interest in and I still learned a heck of a lot tonight. So very tremendous presentation
[1:12:59] and everything that I thought it would be. I'd also like to thank my three co-hosts, Wendy and Amber on camera. And we've been together on these for a whole lot of time and I can't ever say too much about how terrific they are to work with.
[1:13:19] And also our third camera shy team member whose name is Sheila O'Driscoll and Sheila runs the chat for us. We should bring her on next month, I think. Let's do, let's do. Yeah, we should.
[1:13:32] Okay, we voted and it's gonna happen. And speaking of next month, September 23rd is our final session in this series. So this will be webinar number 20 for us. And oh my gosh, there's Sheila. There she is, there's Sheila.
[1:13:48] It will be our wrap up webinar. We're gonna have lots of new things. We'll have some giveaways. We'll likely have some Prosperident team members join us. So I'd like to thank everybody for joining us and we look forward to seeing you in just over a month.
[1:14:03] Thanks everybody and we'll talk to you soon. Bye, bye, thanks Gary. You're welcome, my pleasure, thank you. Thank you Gary. Bye. Thanks for listening to the Dental Practice Owners Podcast
[1:14:18] brought to you by Prosperident. You can contact Prosperident through its website, www.prosperident.com or by calling 888-398-2327. If you have questions about this podcast, if you would like to discuss your practice
[1:14:35] or there is a topic you would like to see in a future podcast, we would love to hear from you. Amber, Wendy and David will be back soon with another episode.