Written by Gary Salman, CEO of Black Talon Security.
Would your DSO pass a cyber due diligence audit for an acquisition or additional funding? In the event of a breach, can your executives articulate that they were doing everything possible to prevent an attack from happening? Is your Board confident that you have a real cybersecurity compliance solution in place?
Over the past two years, we have seen a significant increase in ransomware attacks launched against DSOs. In almost every case, these attacks have forced the organization to close most—if not all—of its office locations for an average of 10–14 business days. These practices are forced to shut down temporarily because they cannot access patient records, take radiographs, file insurance claims, etc. The cost of the loss of business continuity alone is staggering. In 2022 we saw the first-ever class-action lawsuits brought against DSOs (costing millions of dollars to resolve) following the disclosure to patients that their valuable data had potentially been compromised. The bottom line is that these attacks are completely debilitating and extremely expensive. Ask any executive who has been through a cyberattack what the experience was like, and they will always say the same thing: “It was the worst experience of my entire career.”
Now let’s discuss where DSOs are most vulnerable and how all organizations can better protect themselves. Black Talon is excited to share a glimpse into a new “first of its kind Compliance and Security Tool” designed specifically for DSOs. This new tool is intended for the C-suite, IT resources (internal or external), HR, and practice-level management.
Better protection starts with a change in mindset and a change of approach. Cybersecurity can no longer be viewed as an IT issue—it must be viewed as a compliance and operational issue. DSOs need to focus their attention on compliance, accountability, effective tools and technologies, and human assets that can help defend the entire organization from an attack. I have had the pleasure of working with DSOs ranging in size from six to hundreds of locations. Regardless of size, the cybersecurity and compliance needs of DSOs are often similar in nature. As you scale your DSO, your security and compliance requirements and your attack surface will increase dramatically. Building the correct foundation in the early stages of your DSO is paramount to helping ensure future success.
Let’s start by identifying where you have risk and the methodologies and technologies available to address it. The two primary methods hackers use to breach any network are social engineering (e.g., phishing) and technical vulnerabilities within your environment. First, social engineering. Cybersecurity awareness training is a critical component of a strong cybersecurity plan. By properly training and empowering your doctors and both clinical and non-clinical team members to make smart decisions and identify the various forms of social engineering, you may be able to reduce your risk profile by 60%. This training must be formalized, properly documented, and enforced. In fact, it should be part of your new-employee onboarding process at both the corporate and practice level. An effective cybersecurity training program empowers people to make educated decisions, and it must be an ongoing process. As a side note, cybersecurity awareness training is also a requirement for HIPAA compliance.
Next, let’s address one of the most overlooked aspects of cybersecurity for DSOs of all sizes — technical vulnerabilities. Any device connected to a network is a potential access point for hackers and is part of your attack surface. These devices include your firewalls, laptops, servers, workstations, image acquisition computers, printers, phone systems, IoT devices, etc. Almost every device on your network has, or will have, vulnerabilities that hackers can exploit. Also understand that anti-virus software does not identify vulnerabilities. By scanning computers and servers every few hours, you can identify high-risk devices that are susceptible to exploitation and then remediate them. In fact, new software is now available that can identify vulnerabilities and autonomously fix them before hackers find them. Your firewalls should be tested daily to identify potential vulnerabilities. We have seen numerous attacks launched against DSOs at the practice level due to improperly configured firewalls. These attacks resulted in the theft and publishing of all of the DSO’s patient data, along with ransomware payments exceeding $1 million.
Two other highly effective preventative strategies are:
(1) a complete third-party security assessment performed by a dedicated cybersecurity company on an annual basis and
(2) a network penetration test performed by a human ethical hacker (not a piece of software).
With many of our DSO clients, the managers and executives often believed that their networks were secure because they “trusted” what they were told or assumed that they had effective protection in place. Trust is a great value, but with trust comes verification. It is a best practice to have your network assessed by a third party so that you, as the executive team, owner, or manager of the DSO, can make an educated decision about what you consider to be acceptable risk. Ask yourself this question: “Have I ever been shown a report outlining all the devices on our network that currently have vulnerabilities that put us at risk?” If the answer is “No,” you probably don’t have the tools in place that you think you have. Vulnerability management, autonomous vulnerability remediation, artificial intelligence-powered Extended Detection and Response (XDR), cybersecurity awareness training, security risk assessments, and penetration testing are all required components of a true cybersecurity solution. That’s a long list of services that, on paper, may seem overwhelming and both difficult and expensive to implement. Nothing could be further from the truth.
Black Talon’s EAGLEi® platform is a first-of-its-kind security tool designed specifically for DSOs. EAGLEi is a single-pane-of-glass view into your DSO’s entire security posture. It provides instant visibility into your cyber risk so you can make informed decisions about risk and compliance. Your entire executive, HR, and IT teams will have the precise visibility they need to identify and mitigate risk within your organization, all delivered by a cybersecurity firm that specializes in healthcare data security. Imagine being able to see which offices are at the highest risk of a breach, which software systems need to be patched, which devices and firewalls are vulnerable to a cyberattack, which employees have completed cybersecurity and HIPAA training, and whether there are any obsolete operating systems that are not HIPAA compliant. This is the power of the unified cybersecurity platform, EAGLEi. Achieve your compliance and security goals with less manpower and have instant visibility into your security posture. Be confident that you can pass a cyber due-diligence audit and know that your entire organization is better secured, all from a single pane of glass.