Cybersecurity for OMS Practices: A Focus on Social Engineering

Cyber attackers use social engineering to manipulate and trick their targets into providing sensitive information. Gary Salman, Black Talon Security CEO, discusses the current and credible cybersecurity threats to oral and maxillofacial surgery practices. 

Featured Speaker:
Gary Salman

As the CEO and co-founder of Black Talon Security, Gary Salman is dedicated to data security and understanding the latest industry trends, particularly as they relate to dentistry. He has decades of experience in software development and computer IT and developed one of the first cloud-based healthcare systems. As a sought-after speaker and writer, Gary also lectures nationally on cybersecurity and its impact on healthcare. He has lectured and trained tens of thousands of practices across the U.S. on cybersecurity best practices and has been featured in numerous national and B2B news stories in the medical, dental, legal and financial press.

Transcription:
Cybersecurity for OMS Practices: A Focus on Social Engineering

Bill Klaproth (Host): This is an AAOMS On the Go podcast. I'm Bill Klaproth, and I'm pleased to welcome with me today Gary Salman, the CEO of Black Talon Security, LLC. Gary is a frequent AAOMS speaker and webinar presenter, and Gary was a guest on a past episode of this podcast series. Make sure you check it out. And Gary is here with us again today to provide an update on the current cybersecurity threats to oral and maxillofacial surgery practices with a focus on social engineering. Gary, welcome.


Gary Salman: Thank you so much. Honored to be here today.


Host: Yeah, great to have you. I love talking with you. So first off, can you tell us what is social engineering and how are cyber attackers using it against oral and maxillofacial surgery practices?


Gary Salman: Right. Social engineering has been around forever. You think back in the days of the magazine salesman coming to your door, you write him a check for 25 bucks and you never get your magazines, right? So in concept, it's morphed into the technical landscape, and it's conducted typically through email, through phone calls, through text messaging, a multitude of modalities.


But typically, what happens is it starts with an email, right? And the email comes in and it appears to be coming maybe from the GP down the street, your orthodontic friend, a national association, asking you to do something, such as like clicking on a link, opening an attachment, or giving up something. So when we talk about giving up something, we're typically talking about giving up information like your username and password. And in many of these social engineering attacks, when the email appears to originate from someone you know or trust, what do we naturally do?


Host: Open it.


Gary Salman: Yeah, we open it, right? We lower our guard. We're like, "Oh, this is Dr. Michelle down the street. Like, she's not going to send me a malicious attachment." Like I literally got a call from a good friend, an oral surgeon, the other day. She's like, "I did it." And I was like, "Well, what do you mean you did it?" She's like, "I fell for it." And luckily, it ended up being not a bad situation. They were trying to get her username and password. But the GP practice right down the street from her got hit, and the hackers used her email account to attack the oral surgeon.


So, this is real stuff. So in a nutshell, social engineering is trickery, right? You have a threat actor, a bad actor that is sending you an email, sending you a text message, trying to get you to do something. And often what we're seeing now is what is actually called spear phishing, right? Because regular phishing is like an email from Best Buy or Amazon or American Express. And a lot of people are cognizant of that. They're like, "Oh, this is just another stupid best buy scam." But when it comes from someone you know or trust, and they're targeting specific individuals within your practice, that's typically known as spear phishing, right? They're going after a specific individual.


So, spear phishing attacks, unfortunately, are often successful. Because it goes back to what I said before, you lower your guard when you know that person versus some random name and some random email address. And the way these occur is the hackers actually break into these email accounts. So if you're being spear-phished, you're the receiver of this spear phishing attack, you're looking at the email from the real person's email account. It's not a fake Gmail account or fake email. It'll say like drmarysmith at smiledentalsofconnecticut dot com.


Host: And that's the real deal.


Gary Salman: It's the real deal, right? And then, once again, people are trained like, "Oh, that's really her email address." So, they lower their guard again and they're like, "Okay, I'll open this attachment," and that deploys the payload, and hits them with ransomware or it harvests their usernames and passwords, things like that.


Host: So, the cybercriminals will pretend to be someone from the OMS practice trying to get something from a consumer? Is that right?


Gary Salman: So, it can go in a multitude of ways. I think the way that I see it most frequently is they're coming from the outside in. So, for instance, the oral surgeon is working with a vendor, an attorney, an accountant, a referral. Those email accounts are compromised. Then, the hackers send emails from those compromised email accounts to the oral surgeon, and the oral surgeon's like, "Oh, that's my accountant. So, of course I'm going to open that end-of-the-year tax statement." And boom, they get hit. They download a payload, or they give up information.


Host: And then, they're in.


Gary Salman: They're in. It's that simple. And typically, what happens is once they're in, they deploy a screen sharing application, right? So, many oral surgeons use screen sharing apps to remote into their system, to look at health history forms, to write prescriptions, et cetera. So, the hackers use the exact same technology. They'll deploy a remote screen sharing session on your computer. And then, sitting over in Russia, they'll click on that little icon and then, boom, they're remoted into your practice, and now they have full control over your computer. And unfortunately, a lot of doctors have what's called administrative access, which means once I'm logged into that machine, I can do whatever I want on the network. I can install programs, I can access data, I can steal data, and there's no alarm bells that are going to go off.


Host: Oh boy. So, is this what makes healthcare practices, especially OMS surgery offices, a prime target for cybercriminals? Because once they're in, then they can also access the patient database too?


Gary Salman: That's right. And that's the core problem, right? Regulated industries, you know – obviously OMS being regulated by HIPAA and financial sectors and other heavily regulated industries – you have major compliance and regulatory issues that you have to consider. So, the second an unauthorized person gains access to a healthcare network, i.e., an OMS office, it's a breach. The network's been breached by definition. And once they're in, then typically, kind of to your point, what they often do, I'll say in a high 90% of the cases, the hackers will find the data on the network, so the patient database, right? The imaging, the attachments, financials, everything...


Host: Social Security numbers, payment information from the patients...


Gary Salman: Right. And then, they'll just download it. And then, they go and they extort the doctor like, "Hey, I got into your network and here's a sample of what I stole from you." And almost every law firm will now say, "Listen, maybe you have backups, maybe you don't. But you're going to have to pay the ransom demand because we can't risk the hackers selling this data on the dark web," right? And now, you have bigger issues where all of a sudden your data's out there.


Now if you look at OMS practices, their databases are huge, right? Compared to like general dentists and some other types of practices. Some of the multi-location OMS practices, they have more patients in their database than regional hospitals, right? Hundreds of thousands of records. I mean, we have OMS practices that have over a million patients in their database, so that's the problem with these types of attacks and they're easily executed. But getting back to your original point, healthcare is in fact the number one targeted sector.


If you look at the FBI's Internet Crime Report, you can Google this from 2023, the number one targeted sector by threat actors is healthcare, right? Everyone's like, "Oh, it's got to be the financial sector" or the, you know, government or weapons manufacturers, banking, things like that. It's not anymore, because the hackers know that this is the pot of gold.


Host: So, what are some of the most common cybersecurity mistakes that an OMS practice would do that would leave them vulnerable to an attack?


Gary Salman: Yeah. So, well, specific to social engineering, the lack of training, right? There are two primary ways you protect your OMS practice from social engineering-based cyber attacks. The first is cybersecurity awareness training. Now, a lot of OMS practices don't realize this is required under federal law. Just like you have to train on OSHA, you have to train on cyber. And if you have a breach and the Office for Civil Rights comes and investigates and you can't prove you trained, you have a compliance issue now, right? Regulatory issues.


So, what are we talking about training? It has to be a formalized program, right? Typically, cyber companies – there's other resources out there – put together content to educate and empower the doctors, team members about the various forms of social engineering, right? Phishing, spear phishing, vishing (which is voice calls), smishing, which is SMS text messages, right? Almost everyone's received what looks like Chase Bank text message. There should be little quizzes incorporated. You know, the employee watching it should interact with it so they don't just press play, go out to lunch, and come back and take a quiz. So, training is still the number one way of detecting and preventing social engineering-based attacks, and I'll give you an example in a minute of how effective this is.


The second way is technology. We're leveraging some amazing – and everyone is using the word AI, I get it – but there are some amazing AI-based email security tools out there where every email that comes into your inbox is read by the AI. It analyzes the attachments, it analyzes the links, and it says, "Whoa, whoa, whoa, we know maybe from an event that occurred two minutes ago that this is in fact a spear phishing email happening to another practice, or this is a malicious link, or this is pointing to a malicious website," and it will literally rip the email out of your inbox. It will then search all of the other employees' and doctors' email boxes looking for the same email and rip them out. So within a fraction of a second, it can stop this type of event. And it does work globally per se. So, you know, with hundreds of thousands of email boxes out there, unless you're just unlucky and happen to be the first one, it usually will find it somewhere else and rip it out of everyone's email box. So, very impressive technology. You have to have what's called a domain email, so you can't have like oralsurgeryassociatesoftexas at gmail dot com. I'm sorry if that's a real practice name. But in concept, you have to have Dr. Smith at the real domain name. So, it's Microsoft 365 or Google Workspace. Those are the two best ways to defend against social engineering.


Host: Wow, that's really interesting. We are learning a lot here. There's spear phishing, phishing, vishing, and smishing.


Gary Salman: Yes.


Host: This is crazy.


Gary Salman: Yeah, and there's other things like catfishing, we're not going to get into, but...


Host: Oh, my gosh. So what are some immediate steps that practices can take to protect themselves from social engineering attacks?


Gary Salman: So, definitely training. That's number one. Creating an awareness around that. The leaders of the practice – the doctors, the practice administrator – they have to be hyperfocused on this as well. Because if you think about it, your team follows what you do, right? If you tell them, "Hey, don't open this stuff," you know, don't go on non-work-related websites, and they walk by your computer, and you're doing this, what do you think your employees are going to do? I tell all the doctors the same thing, like, you have to lead accordingly. So, I think that's really important. So, implement a formalized training program. It has to be documented, right? Implement this AI technology. That's how you beat almost all of this.


Host: Okay. And what about things like multifactor authentication that we hear in our own personal lives and changing passwords regularly. That kind of stuff, does that help too?


Gary Salman: So, MFA is probably the number one deterrent for account takeovers, right? That's where I send you, Bill, for instance, an email and I pretend to be Microsoft saying, "Hey, can you reset your username and reset your password really?" And you're like, "Oh, I guess it's that 60-day timeframe. Let me reset my password." You enter your current password. You give it to me as the hacker. Now, I get into your account. Now, here's the catch to your point. If you had MFA enabled, you would see a little note pop up on your screen. You're like, "What the heck? I'm not trying to access my email from China right now."


Host: Right.


Gary Salman: And you would lock it. Unfortunately, so many practitioners are not enabling MFA because, you know, as they say, it's inconvenient. But you know what? It's really inconvenient when 20,000 emails get compromised. And here's what I tell every doctor. I said, "Take five seconds, 10 seconds, think about every email in your email box. Would you want someone to read them?"


Host: Okay. Give me that multifactor authentication right now.


Gary Salman: Yeah, turn that on right now. Exactly. And look, there are apps now that pop up on your cell phone and, within one second, you press a button and you're in. Like, it's that simple. And I would argue that you could probably block 98% of the attacks.


Host: So, the little annoyance is worth it.


Gary Salman: Oh yeah.


Host: Compared to the $500,000 ransom that you have to pay, right? Or whatever it is, I don't know what the number is, Gary. It probably or it could be hundreds of thousands.


Gary Salman: Hundreds of thousands often, right? Because they know what they have. They know they have what I call the pot of gold, which is all these patient records. And emails sometimes are more damaging than patient records.


Host: I mean, that can stop a practice in its tracks, right?


Gary Salman: For sure. We had a victim contact us, an OMS practice in the Northeast, just recently, to your point. Been in practice for almost 20 years, used the same email account. His email account got compromised. They started sending emails to the employees in the practice, asking them for information. Then, emails started going out to referrals and then to patients. And when we got into the email account to start the investigation, ready? There's over 100,000 emails in the email account, because they didn't purge anything, they retained all of it. So then, legal counsel is now involved, insurance carrier is involved. You have hundreds, a hundred thousand-ish patients that have to be notified by mail that their electronic protected health information was potentially compromised – all over an email account, right?


So, sometimes, we're always focusing on, "Hey, it's our server, it's our network, it's our cloud system." But I think you know, you bring up a really good topic here, let's talk about what's in our email and how we protect it, because that's often unguarded, and people are like, "Oh, no one's ever going to guess my password," right? Ugh. You know how many times I've seen accounts breached, and it's like a really long password? But they got caught, they gave the hacker their password, or they authenticated someone in.


Host: Wow. That's amazing. Amazing. So from you, the cybersecurity expert to an OMS, what are the key takeaways or lessons to be learned?


Gary Salman: Okay. So, a couple key things. One, ongoing training, right? Hyperfocus on training and awareness.


Two, you nailed it, MFA has to be enabled on every single account, right? I hear some doctors say, "Well, we don't allow cell phones in the office." Okay, there's other technologies you can use, or you set up a device that just is enabled for MFA that sits next to that person. There are really cool little security keys. They look like a USB. You pop it in the computer. And when you log into your email, it asks you to authenticate, and you touch the key, and it logs you in. So, there is a lot of technology. This is used throughout healthcare. We understand like it's not always convenient. So, I think that's absolutely critical.


You must have domain email accounts. Please stop using free email accounts. It's a huge problem. And I also say, do you want your personal lives and your practice lives intertwined? You don't, right? Because if that account is compromised, now regulators start requesting documentation from those emails, you start getting involved with class action lawsuits against your practice, all of that stuff is going to become discoverable. You don't want that. So, separate business life from personal life. Be smart, right? I say this all the time, most of these cases, the doctors are always saying like, "Oh my God, I'm so attentive to this. But I was like so late to leave the office and I had to run to get my kid and I didn't pay attention and I clicked on something." That's typically what happens, right? You have folks that are trained and have good intentions, but it's that split-second poor decision that results in hundreds of thousands of dollars of losses and a lot of pain for a year or so.


Host: So, I can see when you say training, just as simple as for office staff, do not click on an attachment.


Gary Salman: Yeah. So, the process really should be a formalized training program. So, just like you can watch videos for sexual harassment training, OSHA, things like that, there are dedicated training modules for cyber training. And they'll cover some of the topics we discussed, the phishing and the spear phishing. And they'll show real examples. And then they'll engage the trainees, say, "Hey. How do you know that this is a phishing or spear phishing email? A, B, C, or D, pick one. What is it?" And it gets them thinking. And most importantly, it creates a process, right? Because just like for surgery, the doctors go through a process. Every time they do a specific type of surgery, they're going through all these steps to execute on the surgery. You have to do the same thing when you're interacting with email or a person on the phone, like you can't just go from A to Z and expect not to have a problem.


Host: Right. Well, this has been fascinating and very eye-opening. Before we wrap up, anything else you want to add, Gary?


Gary Salman: I would say that one of the biggest mistakes that I see from a security perspective, and I know we talked a little bit about this, is that there should be a very clear separation between IT and cybersecurity, right? So, IT companies should be doing IT work, and cybersecurity companies should be doing the cyber. So, there's checks and balances, right? So if you said to your IT company right now, "Hey, are we secure? Are we doing well?" You know what their response is? "Of course we are, doctor. Everything's great." How many IT companies have gone to the oral surgeon and said, "Oh, listen, here are all the problems with our network. Here are all of our security holes. This is the poor job we're doing from a security perspective"? We just don't see that. And what you're starting to actually see now is a lot of the top law firms in the country that specialize in healthcare and data security, they are now pushing this concept, right? Separation of duties, right? IT fixes stuff, sets up computers, keeps the practice running. Security comes in and does the checks and balances and implements the more advanced, because what they're seeing is they're realizing that these practices are getting hit. And in the end, you know who's accountable? The practice, right? The government doesn't care that the IT company didn't set the network up properly or configure it. The class action lawsuits don't care. They're going to go after the practice, not the IT company.


So anyway, what I always say, the phrase that I coined is like: You can't work off of feelings anymore. Right? And that's what a lot of doctors do. They'll be dismissive and they'll be like, "No, I'm fine. I'm being told I'm fine." I'm like, where's the data to support that? Can you tell me if your firewalls are configured? "Hey doctor, how many vulnerabilities do you have on your computers? Do you know that number?" I'm not asking you to know the technical aspect of it, but do you know that number? And the answer a majority of time is, "I don't." Right? So now, I said, "You're working off of feelings now." Like, you need KPIs – key performance indicators – to show you how you're doing from a security perspective, right? And security companies and folks that specialize in this provide that type of data. So, it is good to have like these swim lanes or this division of labor.


Host: That's really good insight. Don't necessarily depend on your IT department for your security. Absolutely. Well, Gary, this has been great. Thank you so much for your time.


Gary Salman: It’s an honor as always. Thank you.


Host: Yeah, thanks for stopping by. Once again, that is Gary Salman, the CEO of Black Talon Security, LLC. And AAOMS members can visit AAOMS.org/Cybersecurity for more information. And to listen to the AAOMS webinar on the topic of cybersecurity that Gary did, visit AAOMS.org/CEonline. That's AAOMS.org/CEonline.


And as always, if you enjoyed this podcast, please share it. There's valuable information on this podcast, so please share it on your social media and make sure you subscribe so you don't miss an episode. Thanks for listening.