By Paul Murphy, VP, Sales at Black Talon Security
It’s no secret that cyberattacks launched against healthcare providers are at an all-time high. According to statistics provided by the FBI, healthcare has become the #1 target for criminal hacking groups. These attacks, however, are not just limited to providers. Companies in the healthcare space and those who sell products and services into the dental community have become major targets for criminal organizations.
Attacks against companies like Change Healthcare and Delta Dental of California were major events and the ripple effects of these attacks were felt by most. Were any healthcare providers not affected in some way by the Change attack? Someone else’s data breach quickly became “Your” problem. Many providers had to quickly pivot to alternative sources or completely lost the ability to submit insurance claims, causing a lot of fear, uncertainty and financial hardship. What does this mean for DSO organizations and the staff who are responsible for making purchasing decisions or who are involved in the vetting process for companies they engage with?
It’s time to add some layers to your vetting process. Don’t be afraid to ask questions about what security an organization has in place. Ask for proof and validation of robust security from any organization that you are considering welcoming into your environment. A “HIPAA Certified” seal or emblem on a website is not a good example of proof. Do not allow someone else’s data breach to become your data breach!
JW Oliver is the Co-Founder and Visionary for SupportDDS / ZimWorX, a dental outsourcing company that assists practices all over the world with RCM, appointment confirmation, hygiene re-care and a long list of other services. The company specializes in helping practice owners find the best possible employees for their businesses while improving productivity and efficiency and removing the hassle of recruiting, onboarding, HR, payroll and benefits.
Excerpts from a conversation with JW Oliver, CEO of SupportDDS / ZimWorX:
Paul: JW, we first connected in 2021 when you contacted Black Talon Security about wanting to investigate 3rd party cybersecurity companies to add an effective layer of cybersecurity at SupportDDS. What led you to that investigation?
JW: As someone who has been in the dental business for 35+ years, I found it eye opening, when I started SupportDDS, how much emphasis and importance was being put on HIPAA Compliance and cybersecurity when it came to patient records. As founder of a company that is operating call centers overseas, I felt that it was even more important for us to have a robust preventative security solution in place, and I wanted someone who was not only an expert in cybersecurity but someone who knows the dental industry or at least one who specializes in protecting healthcare organizations.
Paul: You employ a high number of talented IT professionals in your call centers in Zimbabwe, Costa Rica and Zambia. What led to you wanting to work with a 3rd party instead of relying on your existing technical team members?
JW: I don’t believe in unicorns—or I don’t think that you can have a unicorn who is great at traditional IT work like managing and maintaining networks and ensuring systems stay up and running while implementing and managing a robust cybersecurity plan. Cybersecurity specialists have a different skill set, and I wanted to work with someone who was completely immersed and focused on security. We chose to work with Black Talon because of their reputation in the dental community. If a prospective client is concerned about our call centers being overseas, I like being able to tell them that our centers are protected by Black Talon.
Paul: It feels like we’re reading news stories almost every day about healthcare organizations or companies who support the healthcare industry being hit by devastating attacks. As the CEO of a company in this space, do these stories keep you up at night?
JW: Of course. It is crazy what is happening to some of these companies and facilities. As someone who runs a company that serves and supports such a niche market, I know we cannot afford to be hit by one of these attacks, and we certainly can’t be the access point or the delivery source of anything malicious. Separate from that, our clients depend on us to be available to them. Over 3,000 practices depend on us and rely heavily on their SupportDDS team members to help keep their offices running smoothly. We cannot be taken down by a cyberattack.
Paul: Are you and/or other members of the SupportDDS C-Suite utilizing our EAGLEi dashboard to track how your organization is trending overall from a cybersecurity standpoint?
JW: Every day. We regularly put eyes on the dashboard every morning. We want to see the work that our overseas IT teams are doing and—no offense—but I want to track the work that Black Talon is putting in to improve our security position. I do like that, as a non-technical person, I can understand whether we’re in a more secure position today than we were yesterday because of how the data is fed to us via the dashboard. If we see us trending in the wrong direction, we want a fast answer as to why that’s occurring and what needs to be done to improve our posture.
Our HR and IT teams love having the ability to track the staff’s cybersecurity training progress and track the phishing attempts that you’re targeting our people with to help us identify if any of our team members need more training. I trust our team and I trust Black Talon, but I still want to verify since so much is at stake. A favorite saying of mine is “delegation without investigation is simply relegation.”
Paul: That’s a great quote, JW! We’re happy to be working with such a dedicated company who is filling such a tremendous need in the dental community, and of course we love how passionate you are about cybersecurity.
🚨Recent notable healthcare cyber incidents:
Dental Specialists of Minnesota, PLLC, which does business as The Dental Specialists, recently experienced a data breach that may have compromised the security of some patients’ information. The breach was detected on January 23, 2024, when the Minnesota dental practice became aware of unauthorized activity in several employee email accounts. The company specified in an online data breach notice that only its Microsoft 365 cloud environment was affected, not its internal network or patient records database.
An investigation revealed that the potentially exposed information included names, demographic details, medical information, health insurance data, dates of birth, and, for some individuals, Social Security numbers, driver’s license numbers, and financial account information. A total of 38,442 individuals were affected by the Dental Specialists data breach, according to a report submitted to the U.S. Department of Health and Human Services. After a review completed on June 10, 2024, notifications were sent to the impacted patients.
Gramercy Surgery Center data breach affects over 50,000 patients. On August 9, 2024, Gramercy Surgery Center, Inc. filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after discovering that it was the target of a recent cyberattack. In this notice, Gramercy Surgery Center explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, addresses, Social Security numbers, dates of birth, driver’s license or state identification card numbers, medical record numbers, treatment information, and health insurance information. The Gramercy Surgery Center data breach was only recently announced, and more information is expected in the near future.
Kinsler Family Dentistry has learned of a data security incident that may have impacted data belonging to current and former patients. On or around June 6, 2024, Kinsler became aware of unusual activity that disrupted access to certain systems. Upon discovering this activity, Kinsler immediately took steps to secure its network and launched an investigation with the assistance of independent cybersecurity experts. The investigation determined that on or about June 6, 2024 an unauthorized actor accessed and acquired certain files stored in its network, some of which contained personal information and personal health information.
After a thorough review of those files, on July 19, 2024, Kinsler determined that current and former patient information may have been impacted. Based on the investigation, the personal and protected health information involved in the incident varied by individual but may have included patient name, Social Security number, date of birth, insurance number, and dental treatment and/or medical history information.
Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.