Cybersecurity for OMS Practices

Preventive measures are necessary to protect against ransomware attacks. Cybersecurity awareness and training can prepare OMS practices against potential threats. Gary Salman, Black Talon Security CEO, discusses current trends in cyberattacks and how OMSs can keep their businesses and patient data safe.
Featured Speaker:
Gary Salman
As the CEO and co-founder of Black Talon Security, Gary Salman is dedicated to data security and understanding the latest industry trends, particularly as they relate to dentistry. He has decades of experience in software development and computer IT and developed one of the first cloud-based healthcare systems. As a sought-after speaker and writer, Gary also lectures nationally on cybersecurity and its impact on healthcare. He has lectured and trained tens of thousands of practices across the U.S. on cybersecurity best practices and has been featured in numerous national and B2B news stories in the medical, dental, legal and financial press. 

Transcription:

Bill Klaproth (Host): This is an AAOMS On the Go podcast. I'm Bill Klaproth. With me is Gary Salman. He is the CEO of Black Talon Security, LLC. Gary is a frequent AAOMS annual meeting speaker and webinar presenter. He has also contributed to the Practice Management Notes column in the AAOMS Today member magazine. Gary most recently presented the AAOMS webinar, Cybersecurity: What's the Cost of Doing Nothing. And on this podcast, we'll be talking about cybersecurity for OMS practices. Gary, welcome.

Gary Salman (Guest): Oh, pleasure to be here. Thanks for including me.

Host: Absolutely. This is such a big topic and I'm so happy to talk to you about this. So first off, let's get into it. How do cyber attacks occur at OMS practices?

Guest: Great question. So we see two primary attack methodologies that these threat actors or hackers are using. The first is known as social engineering. This is where the hackers will send an email to the practice. It could be Mary or Steve at the front desk, or the doctor, and it's requesting them to do something or give up something. So in terms of doing something, it might be a link to a malicious website. It could be an attachment that contains malicious code, and the action of clicking on those links or opening those attachments, results in the downloading of malicious code into the network. And from that point forward, the hackers often gain access to the environment, and that's when they start stealing patient data.

They start deploying their hacking tools to gain access to the machines and then ultimately they deploy their ransomware code, which, you know, encrypts or locks all of the computers and data on those machines. They are then presented with some type of ransom note. And after they see the ransom note, the event's kind of over, meaning the attack's over. And then from that point forward, they go into a recovery. So that's the social engineering component.

There is also the direct hacking component, which basically means the hackers scan the network. They find vulnerable firewalls, vulnerable devices, software, and just like you see in the movies, they sit there and they chip away on those types of devices until they breach.

And once they're in, they typically gain a foothold into the environment, just like the social engineering component that I just described. They will then deploy their malicious code and malicious tools and start once again with stealing the data, encrypting the data, and then holding you hostage, through a ransom payment.

Host: So it comes over as something simple and innocuous, click here looking for something. And if you're not really looking for that or thinking about it, you click, they're in. Is that right?

Guest: Exactly. So a good example of that is we've dealt with numerous OMS practices who have received emails from their referring dentist, and the referring dentist had their email system compromised, and the hackers saw that in previous email communications the GP was sending an email to the oral surgeon, maybe, Hey, I'm referring a new patient to you, or here's some x-rays. And what happens is the OMS practice sees this email. It's from an individual or a practice that they recognize. They lower their guard because they assume, why would the general practice attack my practice? And they see an attachment that looks like something that's very familiar to the practice, like an X-ray or a PDF file. And hackers will often change the name of that document to mimic what they would normally send as a safe attachment.

So Stacy at the front desk looks at this and it says Smith, John Panorex.exe instead of Panorex.jpg, which is an image file, and she quickly clicks on that EXE file, and 10 minutes later everyone's under a ransomware attack. It's literally that simplistic. And what we often see is the hackers will in fact leverage email attacks to attack other victims, just because when we see an email address and we know or trust that person, inherently, we lower our guard, right? We don't say that person, my friend, my referral, my colleague is gonna attack me, so I'm not so worried about this.

Host: So when we think of hacking, we think of financial. They're looking for something, they're trying to extract money from us. But there's different types of damage, right, that a cyber attack causes. It's not just financial. It can be reputational or personal or really psychological, right. It can really affect how a business runs. Oh my God, we got attacked, we got hacked. Is that right? Can you talk about that?

Guest: All of the above. For most of these attacks that involve ransomware, it's an operational issue. What I want the doctors to think about is if they walk into their office and all of their machines are encrypted with ransomware, they basically don't have a network anymore. Every computer is done, right. It's been compromised. The hackers distributed their malicious code to all these machines. Often the computers don't even function properly. The hackers have put back doors into the machines. They've installed screen sharing apps, so they're watching everything everyone's doing. And the computers just don't really work. So they can't take x-rays. They can't take 3D images. They can't access their patient records. They often can't even get on the internet to look at their cloud technology.

This process from a recovery standpoint, is going to result in the practice being down for about 10 business days. It doesn't matter if you're a small OMS practice with 8-10 computers or a large group with hundreds. It is the same process to get those practices back online. And it's typically about a 10 day turnaround period. But also understand, prior to that period of time, the hackers most likely stole most or all of the practice's data. So what's going to now happen is the practice is going to be forced into a situation where they have to negotiate with the hackers in order to prevent the hackers from publicizing or releasing all of the patient data they stole.

So even for an OMS practice that has viable backups that the hackers didn't destroy, the attorneys, in most cases, will advise the OMS practice to pay the ransom demand, this extortion fee in order to mitigate risk, or at least reduce risk. Because they will say, Hey, listen, what are you going to do if 10,000 patient records are published on the dark web? We all know it's a disaster, right? Now we have class action lawsuits, we have compliance issues, we have all these other things related to that release of the patient data. So I think the big misunderstanding that a lot of OMS practices have is they are relying on some type of backup to save them from a ransomware event. And because 75% of these ransomware cases result in the theft of the patient data, you're still going to have to pay their ransom in order to prevent the release. And I think that's the big issue that I see when I talk to a lot of oral surgeons, like, oh, we have backups all over the place, so if we get hit, I don't need to really worry about paying the ransom.

I'm like, well, what are you going to do, doctor, when they steal all your data? Your legal counsel's going to tell you, you probably have to pay to prevent the release. So I think that's a mindset issue that we're trying to change here. Then you have the stress, to your point, right? You have this emotional impact. My office is down. I can't access patient records. Am I going to be able to ever recover from this? What is the community? I'm operating in a small or medium size community here. This is going to spread like wildfire throughout the community that my system, you know, was hacked and my patient data was exposed. It's not a great place to be from a reputational standpoint. And then you have the issue of emergencies and dealing with patients who are supposed to be coming into your practice for treatment and you can't treat them, can't access their medical records. You can't take x-rays. So you're basically down and out, because of these types of events. So you have the financial impact, which can be huge.

You have a reputational impact, and then you have the legal issues associated with these breaches, which can be pretty significant depending on what state you're in, the state regulations and laws. And then you obviously have HIPAA laws that you have to deal with. So those are the three things that we typically see practices struggling with. And then from an emotional standpoint, doctors will often say to us, am I ever going to get out of this, right? Am I going to be dealing with this for years? And sometimes the answer's yes. You know, if you're in a nasty compliance situation because your data was compromised, an investigation by the federal government could take 18 months or two years.

So you're going to live with that every day, dealing with investigators and documents and attorneys that are going to need information from you, request you do things, et cetera. And it's a burden on many doctors that go through these types of events.

Host: Yeah. Wow. That's a lot. That's scary just hearing you talk about that, Gary. Oh my gosh. And it affects all areas of the practice, including mentally thinking about this as well. Oh my God, you feel like I've been violated, like somebody just robbed you on the street. It covers so many different areas. And as you talk about this, I think there's probably a lot of common misconceptions OMS practices may have about cybersecurity. A common myth might be, it's not going to happen to me. That happens to everybody else. Doesn't happen to me. Right. Can you talk about common misconceptions like that, that an OMS practice may have about cybersecurity?

Guest: Right. So I think you nailed one of the biggest ones. Doctors will often say, well man, I'm just a small OMS practice in Boca Raton, Florida. How are the hackers from Russia ever going to target me? And it's a logical thought. I get it. I don't believe that hackers are Google searching OMS practice in Boca Raton and targeting them directly. But I do believe that a lot of these practices are hit by accident. Meaning, the hackers scan the internet looking for these vulnerable firewalls, looking for these exposed devices. They happen to be associated with an OMS practice. The hacker systems light up, oh, target found, an IP address in Boca Raton. Then they start hammering at that firewall and they get in and they're realizing, Hey, I hit the pot of gold, I hit a healthcare entity, right? Because they know almost all healthcare entities pay the ransom.

So many of these victims, OMS practices, are victims by accident, right. Kind of like a spray and pray concept, where they were just in the wrong place at the wrong time. Their technology wasn't configured properly. And then there's targeted attacks. We talked about these email breaches where a GP practice gets hit and there's 30 or 40 other doctors in the area that they refer back and forth to. And now this hacker targets those 30 or 40 practices through email campaigns and five practices fall victim. So that definitely does occur.

I think the other big misperception is my IT guy can take care of this and has me protected. I've even had conversations with them and they assure me we have the right technology in place. Just like in the medical space, there are generalists and there are specialists, right? The oral surgeons are not going out and doing cosmetics per se. They're not doing fillings in caries and things like that. The GPs aren't doing orthognathic surgery, these complex surgeries, right? Everyone kind of knows, for the most part, their swim lane. And what happens in the IT space is you have doctors who are very smart individuals starting to ask good questions of the IT company, and because they're a trusted entity, the doctor will say something like, Hey, I just listened to this podcast through AAOMS and I was told that I need to have my security game increased because I don't want to get hit by ransomware and they're like, oh, doctor, don't worry. We have antivirus software on your computers and you have a state-of-the-art firewall. You're fine. Now to most surgeons, they're going to be like, all right, sounds good. I asked the question, I got the answer I wanted to hear, so I'm good.

The issue here though is there's a big difference between folks that do IT work and folks that do cybersecurity; a different level of credentialing, a different level of tool sets and knowledge. And the big mistake that we are seeing in the security world right now is practices, small businesses are relying specifically on tools to detect these attacks and then report back to the IT vendor. So all these tools that these IT companies are deploying are designed to notify the IT company and the practice after something happened, a piece of malware has entered the network. Hackers are deploying malicious code or hacking tools. So hopefully these antivirus software applications, this artificial intelligence is alerting someone. And then you have to take action.

However, this is like saying, you know what, I'm going to leave the front door of my house open, and if an intruder comes in, my golden retriever is going to bite them, right? My security cameras are going to pick them up. Or my spouse is going to call 9-1-1 and the police are going to show up. But this person's already entered your house. And I think that's a huge mistake.

What cybersecurity companies do is they specialize in helping the business lock their doors and windows so that intruder doesn't get in. But if that fails because nothing's a hundred percent, then yes, there's some very, very powerful technologies out there that can detect the intrusion and potentially autonomously fight back. But the other thing practices need to think about is, this true third party or transparency concept, which is, you can have a conversation with your IT company and they say, Hey, yeah, we got you secured. You're fine. Don't worry about it. But how do you validate that? Right?

What types of reports is the IT company providing back to the practice saying, here are all the things that are not secure and here are the ways we can secure them. Here are your vulnerabilities. Here are the technologies we recommend. We just don't see that in the OMS space. I've never, ever had an oral surgeon tell me, oh yes, my IT company on a monthly basis tells me all of my security risks and all of my security vulnerabilities. It's just not something we see in this size healthcare space.

So what cyber companies come in and do is they say, all right, listen. That's great. Your IT company is telling you that. Here's the proof. Here's the data. Yes, your firewall is secure. Or guess what? Maybe you believed your firewall is secure, but here's the data proving that it's not. That's great you have a hundred computers on your network, or 10 computers on your network, whatever size OMS practice you are. But here are the computers that are susceptible to a ransomware attack or a cyber event, and here's how it gets fixed.

So we really push this concept of trust but verify. Because we understand that the practices do in fact have really good working relationships with their IT folks, but they need to start understanding you need a third party to come in and validate whether that security is functional, is in place, and the types of tools that we have from a technology perspective and the ability to find these vulnerabilities typically far exceed what the IT company has in place.

Host: So having that third party come in and validate your internal security is very important. That's basically what you're saying, is you need that third set of eyes on there, if you will, making sure that you are protected from potential hackers.

Guest: That's exactly right.

Host: So when it comes to that, I mean that totally makes sense; what are the new tactics that are being used by hackers then, or current trends in cyber attacks that you are seeing? Cause they probably know this as well, so they're always trying to come up with ways to backdoor in, is that right?

Guest: Absolutely. This is the cat and mouse game, right? The best analogy I can come up with is the United States builds a state-of-the-art stealth fighter. Right. Russia, China can't detect these planes flying over their airspace and they go in undetected and out undetected. Great, cool technology. Two years from now, Russia's like, Hmm. I think I have a way of detecting the stealth fighter. They build a new radar system. They can detect our fighters. Now the US has to go back and change the paint on their planes. So, this is exactly the way the hacking community works. We look at events and we're like, oh, I cannot believe that they figured out this way to get into the system, genius.

So now what we're going to do is we're going to re-engineer some of our security protocols to try and prevent that type of intrusion. So, we deploy that and now these systems are right and tight, everything's locked down. And then in six months we're like, oh, they figured out a way to get around that security. So it is in fact a very significant cat and mouse game that we play, and it is an evolution. Every week, you know, we're changing our protocols, per se, to try and prevent these intrusions. But to answer your question, the end of Q4, so let's call it November, December of 2022, we received a call from an OMS practice that was hit with ransomware. And when we got onto the network, we saw that there were some very sophisticated tools using artificial intelligence in this environment. And our security guys were like, wait, that's interesting. How did they get around these tools? Because they deployed ransomware. And this AI should have at least triggered, maybe a little late or maybe on time, but triggered an alert to the IT company or someone that this event was going on.

So when we started talking to the IT company, we're like, Hey, can we see the log files and can we understand why you guys didn't get alerted to this ransomware attack? Because this piece of software you have on it is actually pretty decent. So we look at it and there were no indicators that the software detected this attack. So when the security guys started digging in a little bit more detail, they realized that unfortunately, the hackers had devised a methodology of ripping out the AI technology, and once the AI threat detection technology was removed, the hackers launched the ransomware code.

So in concept, they disabled the video cameras and the alarm system on the house and then went and burglarized the house, and there was nothing to trigger an alert to the police indicating that this event had occurred. So, a very unfortunate type of event, because this type of technology was supposed to prevent that from actually occurring. Like you technically couldn't remove the software without a specific tool and password to do it, but they unfortunately figured out a way to bypass that. And just a couple days later, FBI, Homeland Security came out with a bulletin warning that it appears hackers are able to bypass some of the security technology and disable the computer's defenses and then deploy their ransomware.

So that's a trend that we're starting to see more and more of, where these computers are having some of this technology removed, stripped out, and then the attacks occur. But let's understand how that's occurring. That's occurring because there are vulnerabilities in the firewalls or the computers that were undetected by the IT company and allowed the intruders to gain access to the machines, analyze the types of security that were in place on the machines, and then systematically rip it out.

So the thought here goes back to what you and I talked about, which was how do we prevent someone from getting in to begin with? And that is so important, and that's where I would say probably 99% of OMS practices are not focusing. How do I keep my doors locked so someone doesn't break in to begin with? Versus reactive systems that trigger in the event that someone does break in.

Host: So let's talk about that and cat and mouse indeed, as you described. And someone might be thinking, well, why? Why are these hackers so persistent? This is big money, and they don't care if they ruin you or not. Is that right?

Guest: They don't. Absolutely.

Host: And they will do what they have to do to try to rip you off. So, let's talk about some things that an OMS can do to build a ransomware resilient practice.

Guest: So, let's address that one point in terms of cost. Some of these ransom demands for OMS practices are now starting at a quarter of a million dollars for a small OMS practice and ratcheting up to millions. We have to throw that out there. The days of it being like $5,000 are long gone.

What can we do to build a ransomware resilient practice? So let's look at a couple key components to that. The first is training. You have to train all of your doctors and all of your team members on how to identify threats that present through phone calls, but more importantly, emails. So how do you prevent someone from clicking on a malicious link, clicking on or opening a malicious attachment? Now, if they're not trained, they're going to do it. That's just how it is. But through training platforms like learning management software systems, cloud-based training platforms, you can educate your doctors and team members on these types of threats. So it'll show them, Hey, this is an email that tries to get you to enter your username and password to your VPN, to your computer.

You know, it's your email system, right? These are the things that you would do to try and identify it, and then obviously not fall victim to it. So I think training is so important and what most OMSs don't realize, it's actually required under federal law. It's part of being HIPAA compliant. You have to train everyone in your practice on cyber threats. That can be followed up with simulated phishing. So cyber companies can send emails that look legit, but are designed to try and trick people into clicking on things. And then through that type of testing, like real world testing, the individuals can then be tracked.

This is great. Mary at the front desk has identified 10 phishing emails and she's never clicked on it, but Dave at the front desk has clicked on the last three. He needs some more training. So it's a good methodology for looking at your training program and determining how effective it is or isolating individuals that are just high risk for the practice.

The next thing you need to do for a ransomware resilient practice is identify these open doors and windows that we've been talking about, these software vulnerabilities, these hardware vulnerabilities that hackers are actively exploiting. The only way you can do that is through an active vulnerability management program. This is very, very specific software. It is not antivirus software; it is software that is able to look at all the computers in your network and say, here are all the problems with these computers, what the risk is related to each vulnerability, and then fix them.

For instance, a company like ours has access to some very powerful software that can now identify what's wrong with the computer and almost instantly fix it. Versus just saying to someone, hey, you have a vulnerability on your computer, go fix it. So this is really enterprise level software that started in, say, the Fortune 500 world and now it is available to help small businesses just like an OMS practice, resolve their issues. So identifying the vulnerabilities and then autonomously fixing them. That's where we're at in 2023.

The next thing that they need to do is invest in artificial intelligence technology. So, AI antivirus software is where it's at. In fact, for most OMS practices, if they purchase cyber coverage, additional coverage that pays out in the event of a cyber event, these insurance carriers are specifically asking for technology called extended detection and response or endpoint detection and response.

These types of technologies use artificial intelligence to detect malicious code, behaviors of hackers in the environment, and then can use AI to autonomously fight back and alert security engineers like us that the network is under attack. In fact, most practices will not be able to get cyber coverage without this AI technology in their environment. So it does replace your current antivirus, but you have to be here. This is the type of technology that has to go on your network. Common forms of this technology are products like SentinelOne, CrowdStrike, Carbon Black. These are the products that the insurance carriers are typically either asking or requiring practices to have.

Multifactor authentication. That's where the website or the application you go to log into sends you a five or six digit SMS text message. Or an app pops up on your phone and says, are you trying to log into Chase Bank from New York, New York? And you're like, yeah, I just entered my username, password. Go ahead and authenticate me. These types of technologies will block many forms of attacks where they're attacking websites or applications or VPNs.

Obviously, nothing is a hundred percent. But insurance carriers are also requiring this technology. So turn on MFA wherever you can. Every financial institution. You should never, ever be running email in your OMS practice that does not have MFA turned on, because believe it or not, sometimes breaches in email systems are worse than breaches of a local area network.

The next thing you should do is work with a password management tool, right? These are tools that create unique passwords for every website and every application you use, and what it does is it creates a really long, strong password and manages them for you, and it stores them in a vault. And this vault is then protected by a unique password that you create. So when you go to visit a website, Chase Bank, American Express, or email, whatever it might be, the vault will open up, you'll punch in your password, and then it'll insert the username and password into that website for you.

It's also a very powerful tool for managing employees' access to systems. So Stacy at the front desk accesses Blue Cross Blue Shield, Delta Dental, Oxford, and she has all those usernames and passwords to those websites. You terminate her or she quits. How do you get those passwords back from her? Bad situation. Those are some of the things that practices should be implementing at the most basic level.

And there's a reason why Bill, these insurance carriers are asking you to implement these because they look at previous claims, ransomware events, and they say, wow, if this practice had just turned on MFA, we wouldn't have just paid out a million dollars. Right. Or if they had vulnerability scanning and they knew that their firewall was not properly configured, we wouldn't have just paid out $600,000. So they're not willing to take these risks anymore for a thousand dollars cyber premium.

Host: Right. And you said this is kind of at the most basic, practices should be doing this, right?

Guest: Yeah. Many of these things are basic. And then you look at some more advanced things like penetration testing, where an ethical hacker attempts to break into the network using the same tools and techniques that cyber criminals are using. It's a very effective methodology to determine the security of your environment. And practices really have to be doing this now, in order to maintain basic security standards.

Host: Gary, as we wrap up, anything else you want to add when we are talking about cybersecurity for OMS practices?

Guest: I think the biggest thing that I want to communicate is that practices need to take a stance. This is your livelihood. This is your business, these are your patients, and you can't just be passive or submissive about security anymore. And, for lack of a better phrase or word, hope for the best. You have to actively search for the risks associated with these computers, i.e., the vulnerabilities, the people, and address them. You talk to OMSs that have had breaches and most of them will say something like this: this is the worst thing I've ever gone through in my life. I actually didn't know if I was going to have a practice after this. So, as much as this conversation has been scary per se, the reality is, just like the insurance carriers, when they look at this data, we look at this data, and I will say almost every single ransomware attack we've dealt with in the OMS space, and we've done a lot of them, they were preventable. And I think that's the key. Just like for many healthcare issues, diseases, et cetera, many of these diseases are preventable with taking care of your body, et cetera. Eating, exercising. The same thing applies with the cyber world. Look at some of these technologies that are available to protect your practice. And the reality is a lot of this stuff is not expensive anymore. It is something that every OMS practice should be able to implement in their business.

Host: It's just a part of keeping yourself protected, and that peace of mind as well, knowing that you are protected instead of, eh, that's not gonna happen to me. And if it does, like you said, you have had OMSs wondering, am I gonna get my practice back? This is the worst thing I've ever gone through. So to give yourself peace of mind, make sure you're doing these basic things that Gary talked about, and then, you know, having that third party in there as well, making sure everything is up and running.

And then a third party then also would be a company that would say, Hey, we're seeing the hackers do this. We gotta do this now. Right. That's the benefit of a third party company coming in and evaluating your security processes.

Guest: Absolutely. Right. If you look at what we do, we're actively engaged with hacking events so we can take that knowledge, that experience, and apply it, moving forward. Most IT companies don't get involved with that, so they don't often know how these networks are actually being breached and they're using the same technology they've been using for years. And everyone's like, all right, we're fine. We'll be okay. Don't worry about it. Just unfortunately, we need to think differently.

Host: Right. That is the key. Think differently. But as you said, most of these attacks can be prevented, so if you do your due diligence right up front, you can protect yourself. So Gary, thank you so much for your time. This has really been fascinating and eye-opening, so thank you again.

Guest: Absolutely. It's my pleasure. Thank you very much.

Host: And once again, that's Gary Salman. For more information, visit aaoms.org, and to listen to the AAOMS webinar on the topic of cybersecurity, visit aaoms.org/ceonline, that's aaoms.org/ceonline. And if you enjoyed this podcast, please share it on your social media and make sure you subscribe so you don't miss an episode. Thanks for listening.