Black Talon CEO Gary Salman on why you aren’t doing enough to safeguard your orthodontic practice’s data from ransomware
In far too many situations, orthodontists learn about the importance of cybersecurity after a cyber/ransomware attack. Lessons on the intricacies of the occlusion are not typically accompanied by tales of bad actors demanding $50K in exchange for the release of “kidnapped” financial information.
Unfortunately, these nightmare scenarios are all too real, and Gary Salman, CEO of Black Talon Security, is increasingly working with orthodontic practices. Black Talon Security, which received the American Association of Orthodontists (AAO) endorsement last year, counsels people who thought they were doing enough to safeguard their data, only to find out that a dedicated IT division was not enough. Orthodontic Products sat down with Salman to get a cold dose of knowledge about the diabolical world of hacking, ransomware, and outright theft of data.
Orthodontic Products: How did you come to work with the AAO?
Gary Salman: That came about because of mutual clients. We were starting to see more and more orthodontic practices hit by cyber attacks and ransomware attacks. The clients asked; Why aren’t we learning about this? Why isn’t someone educating us? Why are we finding out the hard way?
I reached out to the AAO and said, ‘This is a hot issue, and a lot of your members are being impacted by cyber attacks, and some of them are being impacted pretty significantly.’ We had a discussion about how both organizations could work together and help to educate members, but also provide solutions to protect practices from cyber attacks.
OP: How prevalent are cyber attacks and ransomware attacks becoming?
Salman: Billions of dollars are being siphoned from health care systems and other entities—because the criminals literally hold you hostage. They say, ‘We have all your data, so pay us $50,000 or $100,000 and we will give you the keys to unlock your data—or have a good day, and you’re done.”
OP: Can the encryption installed by the criminals be defeated and/or broken?
Salman: A lot of practices need to understand that the encryption mechanisms are algorithms that these criminals are using, and they are unbreakable. Even a supercomputer owned by the government can’t crack the encryption. Practitioners can’t just call up someone and ask, ‘Can we get our data back?’ If it’s a more recent strain of ransomware, the answer is no, and you’re going to have to pay.
OP: How do these ransom payments get made?
Salman: A cyber company can facilitate that and help you. You’re going to have to acquire dollars and it has to get converted into a crypto currency, like Bitcoin, and that gets transferred to the hackers. The hackers accept that money, and then send you an unlock code to unlock your files—and then you run this unlock tool, and it basically starts bringing your files back online. It’s pretty crazy.
We call this ransomware 2.0. Years ago, they would steal your data, or they would just hit you with ransomware. Most of the major threat groups that are targeting healthcare are now stealing the data first, and then encrypting all of the files. So you’re often presented with two ransom notes. The first one says, ‘If you want your data back, pay us $50,000.’ The second note says, ‘Oh by the way, here’s a picture of all the data we took from you, here are some of your x-rays, here are some of your photographs, your payroll documents, your bank statements. We have it all and we need another $50,000.’
OP: What if you don’t pay?
Salman: If you don’t pay, they’re going to start auctioning this data off on the dark web. There is literally dental practice data out on the dark web for sale right now. They’ve now realized that there is value also in the data. If you’re an orthodontist and all your data is out there, what are you going to do? You’re most likely going to pay. You don’t want that data released.
OP: Is it safe to say this could happen to all kinds of healthcare providers?
Salman: Healthcare is the number one targeted sector right now out of any industry. So yes, whether you’re an orthodontist, oral surgeon, cardiologist, physician group, hospital—everyone’s getting targeted right now.
OP: Why is the healthcare sector the number one target?
Salman: There’s a tremendous amount of valuable information in these databases—patient demographics such as first, middle, and last name, address, city, state, zip, date of birth, phone number, social security number, driver’s license, insurance—all things that are important for identity theft. Hackers who are using this information for identity theft look at it as the perfect database. It has all the information. The other reason is the value of the data. Even if they don’t take it when the hackers hit your system, with ransomware they encrypt an ortho practice, and then what is the practice going to do?
OP: In the case of hackers who encrypt data, thus making it impossible for orthodontists to access, why can’t providers simply rely on backups?
Salman: Typically the hackers destroy the backups. They potentially gain access to the cloud systems, and when a practice realizes that they have no data available, they’re going to pay the ransom. That’s what the criminals are realizing as well. If you’re an average business, and your computers are encrypted, maybe you can continue to run your business another way. But when you hit an ortho practice, and all of the records are encrypted—x-rays, photographs, scheduler, accounts receivable—everything is encrypted with ransomware; and you can’t recover it from a backup, you have no choice. You’re going to pay.
OP: Do hackers see orthodontists, and other medical professionals as easy targets?
Salman: What hackers are realizing now is that this is a target-rich environment, and typically the practitioners will make the payment, or if they have insurance, the insurance companies will pay.
OP: What are the HIPAA ramifications of these attacks?
Salman: HIPAA requires your records to be available. So if at any point a patient comes back and says, ‘I need a copy of my cat scan, my x-ray, my treatment plan’ and you say, ‘We don’t have that anymore because our files were encrypted with ransomware 3 years ago, and we weren’t able to recover it,” you now have a major HIPAA issue at stake because records have to be available for patients at any point. So that’s another challenge, and an attorney would tell the client in most cases you have to have availability of your records. And if you want availability of records, the only way to have them is to pay the ransom, and you’re going to have to pay the ransom.
OP: How aware are orthodontists about this threat?
Salman: What do most practitioners say when asked, ‘What are you doing for cybersecurity?’ They will say, ‘My IT vendor takes care of that. I have a firewall and I have antivirus and I’m told I’m protected.’
OP: How accurate is that?
Salman: That’s basically totally false. If that were the case, there’d be no breaches. Almost every business has a firewall and antivirus software. Fortune 100 companies have the best firewalls and antivirus software. You think they’re not getting hit? Of course they are.
OP: What should orthodontists be doing to protect themselves?
Salman: You must implement a multi-layered approach, which is a firewall, antivirus, and then the types of solutions that a cyber security company can offer to really have a hardened network. In the end, hackers are usually opportunists. Whether or not you want to believe it, they’re scanning your network. They can scan millions of IP addresses on the internet in hours.
If they scan your network and come across a vulnerability, they’re going to start picking away, and they’re going to try and get in. You need a network that has mitigated high-risk vulnerabilities. To use the analogy of a house, you don’t want the door wide open, the window wide open, and the alarm system off. If you’ve locked it down, they’re going to move on to the next network because there’s too many victims out there. They know they’re going to find someone, so instead of spending days trying to get into your network to take your data, they’re going to find another network, find the vulnerabilities, and attack them.
I see that all the time when I work with victims of cyber attacks. They almost always ask, ‘Why me? Why did they come after my practice when there’s a hospital down the street and physicians’ group with 90 doctors?’ They came after you because you didn’t have proper security in place, and you’re an easy target. They know they could take out five or six easy targets and have a bigger reward than taking out one large one. It’s a matter of time and money. OP