The Group Dentistry Now Show: The Voice Of The DSO Industry – Episode 49

Gary Salman, CEO of Black Talon Security, talks cyber security for DSOs and dental group practices. In just the past 12 months, hackers have successfully attacked thousands of private practice medical and dental providers. Being proactive is the only way to handle your DSO’s cybersecurity going forward. If you want to learn actionable solutions for your DSO, how to avoid becoming a victim, and how to remove the target from your group’s back, this podcast is for you!

After you listen to the podcast, ask your questions or continue the discussion with Gary at 1.800.683.3797.

Our podcast series brings you dental support and emerging dental group practice analysis, conversation, trends, news and events. Listen to leaders in the DSO and emerging dental group space talk about their challenges, successes, and the future of group dentistry.

The Group Dentistry Now Show: The Voice of the DSO Industry has listeners across North & South America, Africa, Australia, Europe, and Asia. If you like our show, click here to leave a ⭐⭐⭐⭐⭐ 5-star review on iTunes!

Choose your favorite listening app below and subscribe today so you don’t miss an episode! Full transcript is also provided below.

Full Transcript:

Bill Neumann:

Hey, I’d like to welcome everybody back to the Group Dentistry Now Show. I am Bill Neumann, and we’re going to talk all things cybersecurity in the DSO and dental space. We have an expert in cybersecurity. His name is Gary Salman. Gary, welcome to the Group Dentistry Now Show.

Gary Salman:

Pleasure. Thank you.

Bill Neumann:

Yeah. Thanks for being here. Sounds like, looking at your bio here, you do quite a bit of speaking. You sound like you were on a podcast last night talking about cybersecurity to orthodontists.

Gary Salman:

I was, for almost an hour and a half. It was very eye-opening for a lot of people.

Bill Neumann:

There you go. Well, I’m sure this will be eye-opening, as well, for the DSO space. So, Gary is the Chief Executive Officer at Black Talon Security. He actually has his BA in business administration from Muhlenberg College. Also, the co-founder. Gary is dedicated to data security and understanding the latest trends in the dental industry. He has a proven executive management track record and over 30 years of experience in software development and computer IT, and development of one of the first cloud-based healthcare systems. Gary and I were talking a little bit off-camera about how he has been around for 30 years, like I have been, and talked a little bit about computers, like the Commodore 64 and some of the older models that maybe a lot of people don’t know of. Anyway. I thought that was interesting.

Bill Neumann:

Gary is a sought-after speaker and writer. He’s lectured nationally on cybersecurity threats to over 8,000 individuals, and has trained thousands of practices across the US on how to maintain their best practices in cybersecurity, and has been featured in over 30 national publications and news stories. Gary has over 15 years as an instructor at West Point, and he’s involved in law enforcement. Black Talon has been called in to assist in some of the largest distributed ransomware attacks in US history. Gary is an expert in both preventative measures, as well as breach recovery. So, again, thanks, Gary, for being here today.

Gary Salman:

Absolutely. It’s a pleasure. Thank you.

Bill Neumann:

So, tell us a little bit about Black Talon Security and the cybersecurity that you do there, specifically for the dental industry.

Gary Salman:

Yeah. Absolutely. So, we founded Black Talon Security a little over three years ago, based on demand. The role that I played at a previous company opened my eyes. I was starting to get phone calls and said, “Hey, I’m a group. Our network got hit with ransomware. We’ve been down for five days. What can you do to help us?” I’m like, “That’s not really what we do. I can’t really help you.” I think I started connecting the dots. I’m like, “Wow. I wasn’t really receiving these phone calls before, and now, more than ever, these larger practices are getting hit.”

Gary Salman:

We founded Black Talon, and I think the best way to think about what we do is we’re not a piece of software. We’re a full cybersecurity solution. That’s the differential. Right? Anyone can go out and buy a piece of software, drop it on the network, feel good about what that piece of software does. But that’s a very, very small piece of the puzzle from a cybersecurity perspective. What we do for DSOs and large groups is look at their organization holistically, understand where they have risk by identifying the risk. Right? Running different types of tools, techniques, interviews with their IT departments, and then basically crafting custom security solutions that are effective.

Gary Salman:

So, we do everything from vulnerability management, which analyzes every device on the network to try and figure out how hackers can breach a specific device or devices. We do what’s called penetration testing. So, our ethical hackers will literally hit the DSO’s infrastructure by assuming the role of a criminal, seeing if they can break in, and if we can break in, then we sit down with the IT resource and say, “Hey, here’s how we broke in. Here’s what you need to do to harden your network.” We’re a huge proponent of training. Right? So, if you’re not training your staff, which by the way, is required under HIPAA … You have to do it. If you’re not training your staff on cybersecurity threats, if you don’t have an ongoing program that’s not part of your education, you’re eventually going to get hit.

Gary Salman:

Why? Because you have team members and doctors that are sitting there going click, click, click on everything that comes through on their email, and all it takes is one wrong click, and you turn around and the entire office or your entire infrastructure is encrypted with ransomware. That’s how quickly this stuff can spread. So, we do that. Then we do cybersecurity assessments. Some people call it an audit. What we do there is we really try and understand what’s called your attack surface. There are so many entry points into networks nowadays. A lot of times, you grow quickly as a DSO, and you don’t even comprehend where you can get hit. You’re focusing on that server or the workstation, but you forgot about all of these remote employees, and this third-party software that’s sitting on these computers, and the IT vendors that are gaining access to your systems.

Gary Salman:

What if any of those third parties become a victim? Then the hackers use their systems to attack your DSO. These are the things you have to think about. If you’re not, you’re presenting your organization with a tremendous amount of risk. So, ultimately, what are we doing? We’re helping you mitigate risk. We’re helping to try and keep your doors open. Right? And patients flowing through the doors versus having to shut your doors for two to three weeks to recover from these attacks.

Bill Neumann:

Hm. So, you touched on ransomware. Let’s talk about trends that you’re seeing when it comes to cyber attacks against any size practice, whether I’ve got three or four locations all the way up to some of the larger DSOs. We’ve seen in the news, some of them actually have been hit.

Gary Salman:

Yeah. Lately there’s been quite a few that have been public, and then you have all the other ones that have kept it quiet.

Bill Neumann:

Right.

Gary Salman:

So, what are the trends? I think this is probably one of the most important things for this podcast, which is it’s not like it was a couple years ago, where the hackers would take out a server or a couple workstations, and then you try and recover. What we’re seeing now is a couple things. First, about 70% of ransomware victims are also victims of data theft. We are actively working multiple cases right now in the dental space where the hackers first breached the network. They remained on the network undetected for at least three weeks. They offloaded all of the data. Literally downloaded their entire patient database, X-rays, HR files, financials, every piece of data on the network. Then they hit them with ransomware.

Gary Salman:

When they hit you with ransomware nowadays, it’s typically 100% strike, meaning every device is encrypted, and as part of their initial surveillance on the network, guess what they do? They figure out where you’re backing up, how you back up, and they take out that infrastructure. The reason they do this is it basically guarantees that you’re going to pay them. Right? If you have no recoverable data, and they’ve stolen your data, if you are an executive of a DSO, what would you do? You’re probably going to pay. Over 90% of our clients are forced to pay the ransom because there is no other option. So, this trend of the data theft, the surveillance, is pretty much almost 100%.

Gary Salman:

The other thing that we see is the installation of screensharing software by the hackers. So, when we get into these systems, what we see is literally products like ScreenConnect, and some other ones, installed on every single computer. We’ll talk to the IT company or in-house IT and say, “Hey, do you guys use this product?” They’re like, “No.” We’re like, “All right. It’s on every single one of your computers.” So, what does that translate to? They were sitting there and literally watching every single thing they did, every patient record you opened, every email you sent, every insurance company you logged into. That’s a problem.

Gary Salman:

We’re dealing with a smaller DSO data breach right now out on the West Coast. When we got in there and started analyzing some of the malicious code that was installed by the hackers, our security engineer said, “Hey, you’ve got to look at this.” This piece of malicious code not only installed a screensharing application, it also installed two others. One was a keylogger. Right? So, as Mary logs into their insurance company to look at claims, it stole her credentials. The other one was a password cracking tool. So, any stored passwords on the network were potentially vulnerable. This is no joke, what’s going on right now. Right? The level of sophistication is unbelievable.

Gary Salman:

You have to understand who you’re up against. You’re up against criminal operations, typically from Russia or China, that are generating hundreds of millions of dollars. One of the organizations that typically targets the dental space is a group called Sodinokibi out of Russia. They’ve publicly come out and said last year, they generated 500 million dollars in ransomware payments. Okay? So, think about that. They can afford to hire the best programmers. Right? They have literally tech support when their tool to unlock the files doesn’t work properly. They run what I call a legitimate illegitimate operation. Right? It’s a criminal operation, but they have customer service, they follow through when stuff doesn’t work. You just can’t make this stuff up.

Gary Salman:

So, that’s a primary trend. The other thing that you have to be cognizant of is the data theft. So, after they steal the data, they will publish it to a dark website called a shaming website. These are publicly accessible. If you know how to get to the dark web, you can get on these sites. They will show you every single business, company, healthcare entity that they’ve hit, and they will present you with one to 10% of all the data they stole. So, you can do this right now. You can find dental practice data on these shaming websites. I lecture on this. You click on the name of the practice. Then it’ll show you hundreds of files. You click on the file. Up pops a photograph of the patient. Up pops a health history form, an EOB, a driver’s license, a scanned insurance card. It’s all there for the public to view.

Gary Salman:

They do this for a primary reason. The reason is that they want to prove to the practice, “You want to mess with us? Go for it. You don’t want to pay the ransom, pay the extortion fee? Come look at this website, and then you can make a decision of what you want to do. Because if you opt not to pay, we’ll auction off 100% of your data.” That’s what happens. We’re dealing right now with a practice that had their data stolen, and they were asking $150,000 not to auction off their data, which is a lot of money for most sized organizations, on top of all the other fees. So, you figure this group’s a quarter million dollars into it. That doesn’t even include any type of compliance or legal issues that they’re going to have.

Bill Neumann:

You talked a little bit about entry points. There are multiple entry points, and there’s also multiple types of cybersecurity risks. Maybe you can touch on a little bit, how do they get in, potentially?

Gary Salman:

Right.

Bill Neumann:

What are the types of risks? It’s just not ransomware. It’s just not like, “Hey, pay us $10,000 or $150,000, and it goes away.” They already have that data. Right?

Gary Salman:

Right.

Bill Neumann:

So, even if they open things back up, the data’s still out there.

Gary Salman:

So, the data’s out there. You’ve got to understand that when these networks get hit, you pretty much have to destroy your whole network. Right? You’ve got to wipe the whole network out, rebuild every computer by reinstalling the operating systems, your practice management software, your imaging. Because the computers are infected. They’ve been compromised. If you don’t do that, you could turn the network back on and two weeks later, it starts all over again. So, you’ve got to think from a business operational standpoint. What would that mean to your business? If you literally had to close your DSO for two to three weeks to rebuild your network, maybe even longer?

Gary Salman:

Then ask yourself, “Could we even do that? If I have thousands of computers in our environment, could I rebuild all those computers and servers in short order?” It’s a situation, an exercise, you have to start thinking about. So, that’s a problem. You’ve got to have a plan. I think a lot of organizations think they have a plan, which is, “Hey, we’ll recover from backups. We’re in the cloud,” or, “We have multiple backups, and we back up into the cloud.” But when you find out all your local backups are destroyed, and then they erased your cloud data, which we see all the time, what are you going to do? So, I think that’s a challenge. I think you had another question?

Bill Neumann:

Well, yeah. You talked a little bit about entry points.

Gary Salman:

Entry points.

Bill Neumann:

So, we hear about phishing attacks through email. So, that’s something that I think most people are familiar with, whether they still do it or not.

Gary Salman:

They do.

Bill Neumann:

But also, you talked about network breaches. So, that’s really something a bit different.

Gary Salman:

Yeah. So, let’s cover those. Let’s talk about the entry points. So, you nailed it. Phishing is a huge problem, phishing and spear phishing, also known as social engineering, where they’re trying to trick individuals within the organization to give something up. It could be the giving up of their username and password. It could be the transfer of funds. So, we can talk about that in some of the stories that we’ve seen firsthand. It could be the enticement of a click. Right? Clicking on a link that results in the downloading of malicious code. That ultimately results in the execution of a ransomware attack.

Gary Salman:

Click risk is a big issue. Right? What I hear a lot of the executives say at DSOs is, “Well, we’ve talked to our staff about that. Our IT guys have sent emails out warning about phishing emails.” That’s not cybersecurity awareness training. That’s like, “Hey, a little bit of a heads up here. Eh, just be aware, and don’t start clicking on stuff.” That doesn’t work. Right? That’s not training. That’s not education. The team’s like, “Eh, whatever. I’m fine. I’m smart. I’m good.” Then all of a sudden, you turn around and you’re down for two or three weeks, and the financial impact is unbelievable. Do the back of the napkin math, how much each one of your practices generates per day. Multiply it by 15 days, and the math is ugly.

Gary Salman:

So, training your staff and testing them, that’s critical. Right? So, one of the things that our organization does is launch simulated phishing attacks against every single employee, and doctor, and executive to see if they’re clicking on things they shouldn’t. Then what we do is we use it for positive reinforcement, not negative, and we say, “Hey, listen. Unfortunately, you clicked on this link. Here’s a little training video you should watch, and acknowledge that you’ve watched it.” It’s very, very effective to do that. The other entry point is a hacking incident. Right? I think most individuals who are not very tech savvy, and we see this a lot in the C-suite, except for maybe a CIO, CTO, or CSO. They don’t understand that hacking is a very significant problem right now, in terms of direct attacks against the network versus phishing.

Gary Salman:

Most people are like, “Well, they’re going to phish us, and that’s how they get in.” I will tell you that a lot of the breaches that we’ve been called into, it wasn’t a phishing attack. Sure. Those exist. But it was a direct hack on the firewall, on a server, on a device in the group. That type of risk had never been identified. So, what we often see is that these IT vendors will install firewalls and technology, but they’re not tested for vulnerabilities. Right? Basically the best way to explain a vulnerability is to compare it to your home. Right? So, at your house, you have doors, you have windows. Some people have a little lock on their door that they turn on the handle. It’s a $15 Home Depot lock. A criminal comes by and gives it a little kick, and the door flies open. Or, they just leave their windows open, and the criminals come by and lift the windows up and crawl into your window.

Gary Salman:

Conceptually, the same thing applies to all the technology in your office. What I tell everyone is this. Everything connected to your network is either vulnerable, has been vulnerable, or will be vulnerable. The reason for this is they have an operating system, that Smart TV, that thermostat, your security cameras, your voice over IP telephones, and then, obviously, your laptops and tablets and servers. These are all targets. If you’re not implementing a stringent vulnerability management solution, where you’re using very sophisticated software to analyze these devices, you’re going to get hit. Do you know what? Because the hackers are going to do it. Right? They’re going to scan your network. If you ever pulled your firewall logs, you will see your network is constantly getting pounded. Every couple minutes, someone’s hitting it. Right?

Gary Salman:

The firewall is doing what it’s supposed to be doing, if it’s configured properly. But at some point, an exposure occurs to a device inside the office, or more likely, the firewall is not configured, or an IT person made a mistake and opened up a port on the firewall and forgot to close it, and you get hit. So, a vulnerability management solution scans these devices in real time and says, “Hey, Black Talon. I’ve got a problem here. I got a vulnerability on my machine. It’s a high risk it can be exploited. What do you want to do?” Right? Our security guys will analyze it and then reach out to the DSO, either directly if they have internal IT, or if they have external IT, reach out to them, be like, “Hey, I need you to log in to office 15, workstation number seven. You’ve got to apply this technique to eliminate that vulnerability.”

Gary Salman:

So, if you’re an executive, an owner of a DSO, and you’re not getting monthly vulnerability reports from a cybersecurity firm, if you’re not getting real-time alerts, eventually you’re going to have a problem. Right? What we see, Bill, is when we do these breach responses … It’s really called incident response. We start scouring the network for hacking tools. You know what we find? Vulnerability management scanners. Right? So, the hackers will deploy the same technology that we use on these networks, and within minutes, expose all the devices that they can exploit. So, that’s a huge problem. What vulnerability management does is A, tries to prevent someone from getting in. So, we make sure all the windows and doors are locked. Then B, if they do manage to get into a device, a computer, for instance, we box them in. Right?

Gary Salman:

We limit their ability to move around the network, because what the hackers do is when they get on that machine, they’re going to deploy software, hacking tools, that try and figure out what the network looks like, what devices are on it, what other tools they can run to exploit it. If we basically lock the network down in a way, it’s like every door they try and hit, they just get blocked. It’s very effective. It’s not the end all to be all, but it is a very effective layer of security. I will tell you very few DSOs that we’ve ever come across have any type of vulnerability management plan in place. They simply think, “Hey, let’s patch these computers, and we’re good.” It just doesn’t work that way, because so many computers miss patches, team members decline the patches, as you know. “I don’t need that update. I don’t need this update. I haven’t updated in four weeks. I’m going to ignore that.” That’s just how it works. Right?

Gary Salman:

I was on this podcast last night, and one of the doctors admitted it. He’s like, “Yeah. I see that. I just hit ignore.” After I explained this to him, he’s like, “Yeah. I guess I’ll never hit ignore again.” So, this is a way that the hackers get in, exploit these vulnerabilities. The other big one is third party risk. I would say most of you have now heard of a company called SolarWinds. Right? SolarWinds was part of this massive breach back in Q4 of last year, where, supposedly, hackers from Russia gained access to the SolarWinds software, created what’s called basically a poison pill, which means they modified their code, and then the SolarWinds software connected to 18,000 businesses and 40 government agencies downloaded their malicious code into all of these machines.

Gary Salman:

Why? Because this is what’s called a remote management tool. I will be willing to bet close to 100% of everyone that’s listening to this podcast has a remote management tool in their office. That’s how their internal or external IT resources support them. It allows them to push patches, to connect to these computers. So, what happens here is a lot of these IT companies, which is a third party, they have no true cybersecurity in place themselves. They take the position of, “Oh! We’re an IT company. We’re good. We can protect ourselves. We do this all day long for 20 years.” But they’re not being independently checked by another third party, i.e. an independent cybersecurity firm.

Gary Salman:

So, what happens is this IT company becomes the entry point. Right? So, there are threat groups … Sodinokibi is one of them … that target IT companies in the US. They break into the IT company, then use their remote management tool to attack every single one of their clients. So, it’s like a hand grenade. They gain access to 300 of their clients. They pull the pin on the hand grenade. They throw it. It strikes every single computer and server in their environment. Then they walk away. They just wait for the millions of dollars to pour in. The problem here is … Think about this. If you’re using external IT, when that type of strike occurs, they’re not showing up at your offices. Right? Because they literally have 300, 500 clients calling them saying, “Hey, we’re encrypted with ransomware.” Then do the math. The average practice has about a dozen computers. So, you’re talking 3,000 to 4,000 computers that are fully destroyed with ransomware. How are they going to rebuild those? It’s not possible.

Gary Salman:

Some of these IT companies literally go out of business. They can’t recover from that. So, understanding third party risk. So, if you’re a DSO, one of the things you have to do is go back to any of these vendors that have access to your system and say, “I need a document from you showing that you’re being audited on a monthly basis by a third party cybersecurity firm.” They can provide an executive summary, just saying, “Hey, I’m ABC Cybersecurity Firm. I audit ABC IT. Here’s what we do for them, and they’re passing.” Ask for that. If your IT vendor is not willing to produce that document, you really need to consider potentially moving to a different IT company. Because what that IT company is telling you is they don’t care. They don’t understand what’s really going on in the world right now, and how they are a target. Versus an IT company that’s like, “Yeah, look. We know what’s going on here. We have an audit done every month. Here, Mr./Mrs. Executive. Here, Doctor. Here’s proof that we’re doing this.”

Gary Salman:

You have to understand third party risk, and you have to mitigate it. Because here’s the deal. This is your patient data. Even if that IT company, that cloud provider, whatever it might be, is the reason why your patient data was compromised, you still own the breach. That’s how the law is written. They’re your patients. They’re your records. Right? Then the question is did you ever analyze your third party risk? Did you do anything to try and prevent this? You know how lawyers get with this type of stuff. They’re going to start pointing fingers really quickly and say, “Hey, you’re a big operation. How did you not know about this? You didn’t ask your IT vendor for proof they have cybersecurity in place?” Things spiral out of control really quick.

Gary Salman:

Those are the primary risks. Phishing, a direct hacking event, and third party. There’s some other ones that we could talk about, like insider attacks. We don’t see that too often in the dental space, where employees are specifically hired by that organization in order to steal information. We see that more at hospitals and things like that.

Bill Neumann:

It’s probably important to touch on, since you mentioned third party. Let’s just highlight, again, what you were talking about, because there is a big difference between an IT company and a cybersecurity company. Right?

Gary Salman:

Right.

Bill Neumann:

So, a DSO may say, “Well, we have IT covered already.”

Gary Salman:

Right.

Bill Neumann:

But it’s not cybersecurity.

Gary Salman:

Huge differential. Huge differential. It’s just like in medicine. Right? The best analogy I have for you, Bill, is this. You go to your internist for your annual physical exam. Doctor sits you on the table, listens to your heart, and she says, “Hey, listen. I think you’ve got a problem with your heart valve here. Guess what? I just built a new operatory right next door. I’m going to walk you over there, we’re going to put some general anesthesia, hook you up, and I’ll just do the valve replacement today, right here.” You’re like, “Whoa! Don’t I need to go to a cardiothoracic surgeon for that?” “Nah. I’ve got you covered. We’re good. I watched a video.” Right?

Gary Salman:

Believe it or not, this is what’s going on in the IT space. You have IT companies now that literally hang a shingle on their door, “We do cybersecurity.” I’m dealing with this with a DSO up in New England right now, because their IT vendor is like, “Hey, we do security.” So, I told one of the executives, I said, “Go back to them and ask them for credentials. Ask them for the certifications of these individuals that are providing security to your group.” He came back. He’s like, “You were right.” He was like, “They don’t have any.” I said, “That’s the problem.” Right? They go out and buy a piece of software, and they resell it to you and say, “Hey, John. I’ve got you covered. See that piece of software? That’s the most advanced software out there.” It doesn’t typically work. But you don’t know what questions to ask. You trust their response.

Gary Salman:

So, really, the differential is this. IT companies play a very important role. We work with hundreds across the country, and there are some really, really strong, good ones out there. But their job is to provide IT support. They configure your network. They keep it up and running. They bring in new technology, and they support you when devices are down. They provide basic security through firewalls and antivirus software. A cybersecurity company will basically come in, first, analyze where you have risk in your operations, and ask very important questions like, “Hey, what’s the most important part of your organization? What needs to be protected the most,” so we understand their mindset, and then we start having conversations like, “Okay, well, here’s what we can do to protect you.” Because as the size of the organization grows, the types of security measures that have to be put in place are proportional. Right?

Gary Salman:

We’re not going to take a DSO with 100 locations and provide the same security to them as we would with a DSO that has, say, half a dozen, because we can’t do that. It doesn’t work financially. So, the cyber firms will come in, analyze all this, and then use highly credentialed individuals. Right? So, we have individuals in our organization that have what are called a CISSP, C-I-S-S-P. We have others that are HCISPP. These are legit board certifications given by nonprofit organizations. Many of these certifications require you to be in security for 10 years before you can even sit to take the exam. It’s a very, very difficult test to pass. Literally the book is like this. Right? I think it’s 600 pages long that you have to go through and understand.

Gary Salman:

That’s the big differential. Right? You have to understand that there’s a big difference between people who pretend to do security and people who do it 24/7 and have credentials behind their names, just like doctors who go and get board certified, and go through dental school, and medical school, versus, “Hey, I watched a video and I have a scalpel. I can do surgery. I’m good.” Right? That’s the issue right now that we see in this space. The big problem is you can’t have your IT company checking their own security. Right? It’s like you saying to your bookkeeper, “Hey, I need you to audit this and make sure everything’s okay.” Who would do that? You would go to your accountant and be like, “Hey, we have a bookkeeper. I need you to make sure that he or she is doing the right thing, and make sure we don’t have a problem here.” You probably know what I’m talking about. Right? Any type of theft or impropriety things going on.

Gary Salman:

So, that’s really, really important because you can’t have … The expression we use is, “You can’t have the fox guarding the henhouse.” Many of these IT companies are building the same networks today as they did years ago. Same technology, same pieces of software, telling clients, “Hey, you’re fine.” I think one of the most eye-opening statements I have ever heard, I was on a briefing with a government agency. We were doing a round table discussion. There were executives from the largest hospital systems across the US on this call. There were about 30 of us on this call. One of the agents said this. He said, “Here’s the problem in our world right now. You have vendors who don’t understand the capabilities of their software.” Right? Meaning off-the-shelf security or backup solutions. “Improperly advising their clients on the technology, and making promises that they can’t deliver on.”

Gary Salman:

So, you have executives who are like, “Oh, we just bought a $10,000 backup solution. It’s ransomware-proof.” Okay. That might be the case. Does that mean that a hacker can’t gain access and erase it? “Well, I never thought about that.” This is what’s happening right now. Right? You have vendors who are supplying this technology, over-promising and under-delivering, and then the owners of these organizations and DSOs, they feel good. They’re like, “Hey, we’re doing the right thing here.” But in the end, you have to have an overall solution. You have to have a strategy for cyber. You can’t take off-the-shelf software, throw it on your network, and pretend everything’s going to be fine. I will tell you that in almost all of the cases we investigate and do a forensics analysis of the attack, you know what the hackers do? They shut down all the computers’ defenses.

Gary Salman:

They shut down the antivirus software. Right? They shut down other technologies that these computers have in place to try and prevent the installation of this malicious code. Sometimes you’ll see them attempt it 50, 75 times, and eventually, the hackers get it, and the computer’s defenseless. Then the ransomware code gets installed, and it’s all over. So, I think that’s something that everyone needs to think about is, “Hey, I can’t have the fox guarding the henhouse. I need an independent third party analyzing this network, constantly hitting it to make sure I’m keeping my windows locked and my doors locked.” That’s what you need to do. That’s part of running a business nowadays. If you look at the medical space, Bill, this is the norm. Right? There are many large physicians’ groups, medium-sized physicians’ groups, almost all the hospitals. They’ll have in-house IT, but they almost always have external cyber. Right?

Bill Neumann:

Okay.

Gary Salman:

That’s how it works in the dental space. We don’t see that that much. But that’s what has to happen.

Bill Neumann:

So, that’s a great lead-in to this next question. So, from a sophistication level standpoint, the dental industry, emerging groups, DSOs of all sizes, you’re really seeing that maybe the industry is lagging a little bit behind other healthcare verticals, on the cybersecurity side of things.

Gary Salman:

Absolutely. To put it into perspective, think of it this way. In the medical space, if you’re a vendor, and you go to a medium or large physicians’ group or a hospital, and you’re like, “Hey, we have these great new med pumps, these vital monitors, this imaging equipment. You guys interested?” “Sure.” “Okay, well, before you can come to our facility, I need to see the reports on the cybersecurity audit of these devices, because I’m not hooking one of those things up to my network.” So, what I’ll say to every DSO right now is have you ever done that? Can any of your vendors actually provide that type of information?

Gary Salman:

I have deep roots into imaging and software in the dental space. I don’t know of any vendors that are doing that right now in the dental space. These are the things that have to happen. So, to your point, lagging behind, sure. We’re years behind in the dental space, from a security perspective. We’re too trusting. That’s ultimately a problem. Right? Because when things go sideways, as I alluded to before, you own it. Regardless of who caused it, you own it. You’re going to have to deal with the breach. It’s your patient records.

Bill Neumann:

So, I probably know the answer to this question now, but would you say that most DSOs are more reactive than proactive? There’s a breach, and then what do we do now? I mean, what are you seeing?

Gary Salman:

Yeah. I mean, I think that’s exactly what’s going on in the dental space as a whole. I think what happens is people look at it and say, “We just can’t spend any more money on technology.” Right? Then if you compare the small amount of money you have to spend on cyber versus the unbelievable amount of money you’re going to spend on a breach, it doesn’t equate. Right? You can’t even put that in a spreadsheet and pretend that’s going to make sense. That’s a problem. Until you are actually a victim of this, and realize the short, medium, and long-term damage this does to your organization, it often doesn’t compute. Right? Or, you’re not digging in deep enough and you’re trusting, I should say, what you’re being told. Right?

Gary Salman:

So, if you’re an executive of one of these organizations, and you’re being told, “Hey, our IT company does this. We have some security in place,” and you turn your back and be like, “We’re fine,” it’s not going to work. As an executive of the organization, you need to know exactly what is being done from a security perspective. I’m not saying you have to know from a technical perspective, but you have to know what’s going on. Because when it goes sideways, you’re going to have to answer those questions, especially if you’re owned, or there’s investors in your organization. You’re going to have to answer to a board. You’re going to have to answer to the owners, to the partners, and explain why you didn’t know that you didn’t have security in place, or why you thought you had security in place, but you actually didn’t.

Gary Salman:

So, those are the types of things that you can take away from this presentation and say, “All right. I’m going to spend hours digging into this, and I want people to answer these questions.” They are reactive. To answer your initial question, almost everything we see in our incident response part of our business, it’s all reactive. There was basically nothing in place, or more likely, they thought there was something in place that was going to protect them. There was a small group, a couple offices, out in Denver, Colorado, specialists. Their malpractice carrier had sent them a letter about two weeks prior to their attack. It said to them, “You need to sit down with your IT vendor and understand what they’re doing to protect their infrastructure, and what they’re doing to protect you.”

Gary Salman:

They called the owner of the company in. He sat down with them. He literally said, “I’m an engineer. I know how to do all this stuff. You guys are totally fine. You have state-of-the-art security.” Fast forward two weeks, they got hit. Right? I remember sitting down. There were six doctors in the office, multiple administrators for this practice, and they were literally in tears. They’re like, “We tried to do the right thing. We assumed we were fine. We trusted this individual. Now our offices are closed.” They were down for two full weeks recovering, and then it took weeks to get back up. It’s a huge problem. Right?

Gary Salman:

So, there’s your perfect example of being reactive and not truly understanding what was in place, not understanding the landscape, and saying, “All right. That’s cool. You’re doing our technology. You’re great.” They said he was a really good IT company. Right? He and his company were really good. But when it came to security, it was lapsed. It was lagging. When we did our tests on the network, we’re like, “Whoa. This is not a good situation. You guys had major holes in your network, and that’s one of the reasons you got hit.” So, I think you have to move from a reactive phase to a proactive, preventative phase in your organization. You speak to anyone in law enforcement that specializes in cyber, they all say the same thing. “You’re going to get hit.” All right? It’s just a matter of time, whether it’s this year or next year, you’re absolutely going to get hit, unless you’re implementing advanced security in your operation.

Bill Neumann:

Yeah. So, Gary, here’s a couple other things. I have all these questions come to mind. Right?

Gary Salman:

Sure.

Bill Neumann:

You start to peel back the onion and you go, “My goodness.” We talked a little bit off camera earlier about a lot of these DSOs, whether they’re large or whether they’re emerging, they’re acquiring practices. So, as you acquire these practices, they’re using different practice management software. So, there’s vulnerability, potentially, at the practice level, and it might be different because of the systems that they’re using.

Gary Salman:

So, it’s a huge problem. Right? So, we’re working with a couple DSOs, and most are in growth mode. Right? They’re acquiring, acquiring, acquiring, gobbling up practices left and right. Then you realize, “Oh, well, they have five different practice management softwares. They have five different IT vendors. They’re using different imaging equipment. Some of the equipment is old, antiquated. They have outdated operating systems. They’re bringing this into their environment.” Depending on how their network’s configured, that one practice could present risk to all of the other offices. Right? How do you know, when you acquire a practice, that there’s not an active attack going on right now?

Gary Salman:

So, one of the things that is very prevalent in the mergers and acquisitions in the business world is due diligence from a cyber perspective. Right? A cyber company comes in, does analysis of the network, provides the PE, venture capital company, and says, “Hey, here’s what we uncovered. Here’s the potential risk. Here’s a risk score. We ran tools to determine whether or not there’s been a potential breach.” Now you can make good decisions on that acquisition. But going back to your original question, it’s a big problem. Right? Because you bring these networks in and introduce them into these bigger environments. If you don’t immediately analyze that office, understand where they have risk, that one office could impact your entire organization overnight.

Gary Salman:

So, it’s definitely an issue that I don’t see a lot of DSOs addressing, and I think they should. Because what happens is all of a sudden, “Hey! We’ve got 20 new offices we have to onboard,” and they’re dealing with HR, and financials, and marketing, and onboarding, and processes and procedures, and endless spreadsheets on how to make sure we optimize our investment. The last thing is technology. That’s a problem.

Bill Neumann:

Yeah. Yeah. Absolutely. They’re focused on the next 20 that they’re going to acquire.

Gary Salman:

Exactly.

Bill Neumann:

I would almost venture to say … You mentioned it earlier. From an investment standpoint, if you’re looking to eventually have a private equity investor, or you have one already, I mean, I would say that you increase the value of the business by being more secure with cybersecurity. Right?

Gary Salman:

Yeah.

Bill Neumann:

I mean, it just makes sense that an investor, especially one that maybe has investments in other healthcare verticals, that are more knowledgeable, that are less reactive and more proactive when it comes to cybersecurity, is already expecting this to be in place.

Gary Salman:

Yeah. Absolutely. We did a huge test on a DSO. They had 200 locations. They had internal IT folks. They’re like, “No. We’re secure. We’re good.” They did hire us, so they did the right thing, and we did testing on the network. Then when the reports came back, they were like, “Wow. This is not what we had expected. This is a lot worse. We thought we were doing a really good job at locking down our network.” That’s the difference. Right? They were relying on hardware and software to secure their environment, but they hadn’t done a penetration test on all their offices. That’s what the hackers do. They’re pen testing your networks, whether or not you want to believe it.

Gary Salman:

Until you equal or try and get one step above them, you’re not going to win the game. That’s why this stuff is so important nowadays. The other thing we see with DSOs that are in quick acquisition mode is their vendors can’t keep up. So, they have one or two IT companies, and all of a sudden, you’re like, “Hey, here’s 200, 300 more computers you have to support.” They’re like, “We don’t even have enough people. We can’t hire people fast enough to keep up with your growth.” Guess what happens? Mistakes get made. Networks aren’t configured properly. Firewall settings are missed. Then you become a victim. You know it happens in your organization when you are maxing out your team members, your employees. Mistakes start getting made.

Gary Salman:

The same thing happens with these vendors. Right? This stuff’s not getting configured properly. They leave gaping holes in these networks. Then you turn around and you’re like, “How the heck did this happen?” When you do a root cause analysis, you realize, “Okay, well, this vendor could not keep up with our group.” It’s an issue.

Bill Neumann:

Well, Gary, I think we’ve probably made some people rather nervous with this podcast, but that’s not necessarily a bad thing.

Gary Salman:

Yep.

Bill Neumann:

This will be the last question.

Gary Salman:

Sure.

Bill Neumann:

If somebody, the DSOs, the emerging groups that are listening, “Hey, we really need to figure out where we want. We thought maybe IT was doing something right. We thought cybersecurity was … we were secure, and maybe we’re not,” is there some type of audit process that you all do first? What would be a next logical step for somebody that goes, “Ugh, I’m not sure where we stand?”

Gary Salman:

Right. So, absolutely. One of the things that can be done is basically an initial assessment. Think of it as an initial exam on a patient, where we come in, we’ll do a risk analysis, a risk assessment. We can apply some of our technology to the network to try and figure out where you are from a security perspective. So, we can give them a risk score and tell them, “Hey, look. You’re doing really well,” or, “You’re not doing great. Here are the reasons why.” Then based on that analysis, you can make good, educated decisions. Because the reality is you can throw a lot of money at this problem. It may or may not solve the solution. No one wants to throw good money after bad. I see that happening sometimes as people start throwing all this technology at a problem. Guess what? They don’t know what the real problem is.

Gary Salman:

So, we typically say, for these types of organizations, DSOs, it’s good to do this initial assessment, and then sit down with the decision makers and say, “Hey, here are our findings. Here are our recommendations. This is what you need to do if you really want to implement a security solution, versus throwing some off-the-shelf software on your computers and pretending it’s going to work.”

That’s what we recommend. It’s highly effective. If you go into the business world, and you deal with corporations, that’s exactly what they do. Right? That’s where they start.

Bill Neumann:

That’s great. Well, this has been an eye-opening conversation, for sure, Gary.

Gary Salman:

Sure.

Bill Neumann:

We really appreciate it. We have Gary’s contact information at the end of this podcast, if you want to reach out to him and his team, and find out where you all stand from a cybersecurity perspective. Gary Salman, really appreciate it. He’s the CEO and the founder of Black Talon Security. Thanks for joining us today.

Gary Salman:

Got it.

Bill Neumann:

Really appreciate it.

Gary Salman:

Perfect. Thank you so much. Great talking to you.

Bill Neumann:

Yep. Good talking to you, as well. Thanks, everybody, for listening and watching the Group Dentistry Now Show. Until next time, I’m Bill Neumann.