Summary: In this Orthodontic Products podcast episode, cybersecurity expert Gary Salman explains how dental practices are increasingly becoming targets for cyberattacks like ransomware. He shares essential strategies for protecting sensitive data, from implementing multi-factor authentication to performing regular vulnerability scans.
Key Takeaways:
- Dental Practices are Prime Targets for Ransomware: Smaller practices are vulnerable because they often lack the strong defenses of larger institutions, making them easy targets for hackers. Ransom demands can reach six figures, creating significant financial risks.
- Vulnerability Scans and Multi-Factor Authentication are Critical: Regular scans identify weak points, while multi-factor authentication provides an extra layer of protection, making it harder for hackers to breach systems and steal sensitive data.
In the latest episode of the Orthodontic Products podcast, host Alison Werner sits down with Gary Salman, CEO and co-founder of Black Talon Security, to discuss the growing cybersecurity threats facing the dental industry. As ransomware and other forms of cyberattacks continue to rise, private dental practices are increasingly becoming targets. Salman offers an eye-opening assessment of the current threat landscape and shares practical strategies for practices to protect sensitive patient data.
The Rising Threat to Dental Practices
Salman explains that small healthcare entities, such as dental and orthodontic practices, are now frequently targeted by cybercriminals who exploit vulnerabilities in technology. These practices often lack the sophisticated cybersecurity measures in place at larger healthcare institutions, making them “easy pickings” for hackers. Salman highlights that ransomware attacks are no longer small-scale events, with ransom demands often reaching six figures. For example, a two-location orthodontic practice recently faced a staggering $750,000 ransom.
Common Vulnerabilities in Practices
During the conversation, Salman outlines common entry points for cyberattacks, including email phishing and software vulnerabilities. He emphasizes that practices must adopt comprehensive cybersecurity measures, such as advanced firewalls, regular vulnerability scans, and employee cybersecurity training. He also stresses the importance of multi-factor authentication and separate cybersecurity oversight, distinct from general IT support.
Actionable Cybersecurity Measures
Salman offers actionable steps for dental professionals to enhance their security posture, from utilizing email security software to conducting regular penetration tests. He also warns that even if a practice pays a ransom, they may still face legal and reputational risks if patient data is compromised.
Building a Robust Cybersecurity Plan
This episode serves as a resource for dental professionals looking to safeguard their practices from cyber threats. Listeners can tune in to learn how to build a robust cybersecurity strategy and stay ahead of evolving threats.
Podcast Transcript
Alison Werner (00:10)
Hello and welcome to the Orthodontic Products podcast. I’m your host, Alison Werner. On today’s episode, I’m joined by Gary Salman, CEO and co-founder of Black Talon Security, to talk about cybersecurity in the dental space. Cyberattacks like ransomware attacks are more common than ever. Not only are large hospital systems getting hit, but so are small private dental practices.
So I wanted to talk to Gary to get some perspective on where the threat level is today and more importantly, what you can do in your practice to protect your business and your patients’ data if you’re not already doing so. Gary, thanks for joining me.
Gary Salman, CEO (00:41)
Pleasure to be here. Thank you, Alison.
Alison Werner (00:43)
So to get started, can you give our audience kind of the current threat assessment for the dental space, especially for private practices?
Gary Salman, CEO (00:50)
Yeah, look, I think you nailed it. I think a lot of practitioners say, this is only happening to the hospitals, the large DSOs. But the more and more you talk to people, you realize, you know, they have friends, colleagues, you know, practice right down the street that have been hit. And it is a systemic issue. And one of the things that I tell all doctors is the hackers don’t care what size organization you are. In fact, they often know that these smaller health care entities like dental practices, small medical groups, plastic surgeons, you name it.
Alison Werner (00:55)
Mm-hmm.
Gary Salman, CEO (01:19)
they’re kind of easy pickings, right? Because they’re not gonna have the same types of defensive technologies as a larger medical group or large healthcare system. So unfortunately, we do see hundreds of dental practices of all sizes and specialties being hit in a multitude of ways, ransomware, email intrusions, various forms of extortion. And I think typically what happens is they get hit in one of two ways. They either are the victim of social engineering,
Alison Werner (01:21)
Hmm.
Mm-hmm.
Gary Salman, CEO (01:48)
where Mary at the front desk clicks on a link that she thinks is from the referral down the street, or hackers exploit vulnerabilities on the computers like the servers, the workstations, the firewalls, and literally hack their way in. So this is a real problem. In terms of the extent, the big problem right now is the ransom demands. The days of a $5,000 or $10,000 ransom demand are way gone. We haven’t seen that in years. I will tell you for most,
Alison Werner (01:51)
Yeah.
Okay.
Mm-hmm.
Okay.
Gary Salman, CEO (02:17)
Dental practices, orthodontic practices, the ransom demands are typically six figures and up. Yeah, no, it’s no joke. We just did one for an orthodontic group a couple months ago and their ransom demand was $750,000 for a two-location orthodontic group.
Alison Werner (02:22)
Wow.
Okay.
Mm-hmm.
Okay, so what does that look like for a practice that gets hit? What are they seeing that tells them they’re a victim?
Gary Salman, CEO (02:44)
Yeah, so typically there’s one or two tells that they’re going to see. One, it’s very obvious. There’s a ransom note on the screen. It’s got a skull and crossbones like we’ve hit you with ransomware, pay us or else. And then sometimes it’s not so obvious. There may be like a little text file on a desktop. And typically the first indication is their software doesn’t work or they can’t access the cloud.
Alison Werner (02:55)
Okay.
Mmm.
Gary Salman, CEO (03:07)
you know, or imaging doesn’t load. And then the IT company will log in and be like, it looks like you got hit with ransomware. We’re seeing encrypted or locked files all across your environment. And then that’s usually a clear indication that it’s game over per se and game on for the hackers.
Alison Werner (03:18)
Mm-hmm.
Okay. And is that being caused by someone opening an email and clicking on a link or going to a site and clicking on a link? Is that how that’s typically happening?
Gary Salman, CEO (03:34)
So the data that we have and a lot of companies that do incident response, which are like breach companies like ours that specialize in these investigations, as well as the law firms and the insurance carriers, they’ll tell you between 60 and 70 percent of all ransomware cases are employee initiated, right? To your point, they’re Google searching something and they click on a malicious download for an update to QuickBooks, for instance, or they get an email that is coming from maybe someone they know, someone they trust.
Alison Werner (03:53)
Mmm.
okay.
Gary Salman, CEO (04:04)
an accountant, attorney, referring practice, like that, and Mary at the front desk clicks on that link, it downloads a malicious payload, and two weeks later they have a ransomware event. So let’s just say 65%, we’ll split the difference. The other 30ish% is through what’s called vulnerability exploitation. And what a vulnerability is, very simply, it’s a defect in a piece of software or hardware.
Alison Werner (04:20)
Okay, okay.
Gary Salman, CEO (04:31)
that hackers have created and hackers have created a hacking tool that exploits that vulnerability. So for instance, a vulnerability on a firewall, right? Your firewall has software on it. The software was coded by a human. Humans make coding mistakes. So hackers find these coding mistakes and then they build a tool and they run this tool against the firewall and the firewall is like, come on in, I don’t need a username and password. And next thing you know, five minutes later, the hackers are on your server.
Alison Werner (04:37)
Mm-hmm.
Mm-hmm.
Okay.
Gary Salman, CEO (04:59)
And it sounds so simplistic, but unfortunately, this is actually what’s happening. The same thing can happen with computers. You can have a vulnerability in Adobe, in Chrome, in Microsoft Word, in Windows 11, or server operating system. And hackers will get on those devices, exploit those vulnerabilities, and gain access to the environment. Or you visit a website, say, through Google Chrome, and that website has been infected with a piece of malicious code.
Alison Werner (05:00)
Okay.
Okay.
Yeah.
Mm-hmm.
Gary Salman, CEO (05:27)
that looks for the defect in Google Chrome. And when you visit that website, that server attacks your computer and you’re hit. And it goes right through your firewall. A lot of people are like, I have a firewall, it’ll stop it. And then I just say, we have to think logically here, because if firewalls stopped all these attacks, we wouldn’t even be having these conversations. And I think a lot of doctors have this really significant false sense of security.
Alison Werner (05:30)
Okay.
Mm-hmm.
Mm-hmm.
Right, right.
Gary Salman, CEO (05:53)
that hey, I have a firewall, my IT company just sold me this latest generation of them, I just spent $700 on it, I have anti-virus software, so I’m good. The reality is everyone has that, and the hackers still get through.
Alison Werner (06:07)
Okay, so once the hacker has gotten through, then what are they looking at? What is that communication? And if they pay the ransom, do they get their data back? Or is there a way around that? What happens?
Gary Salman, CEO (06:14)
Mm.
Yeah, so great questions. So typically the way it works is when a hacker gets into your network, they will persist on the network for typically two to four weeks, which means they sit there, they observe everything you’re doing in your practice, they’re watching the screens, they’re watching everything all of your employees are doing. And during that timeframe, they are siphoning off all of your data. And antivirus software is not designed to detect these types of things.
Right, the hacker deploys like a screen sharing application, like a lot of people know things like Splashtop or Log Me In or Go To My PC. Anti-virus software is typically not going to stop that. And when these hackers move around the network, they’ll gather all of your data and then, you know, at two o’clock in the morning, they’ll just, you know, download your practice management software, your imaging software, your HR files, your QuickBooks. And once they’ve taken all the data and they verify that they have your data,
Alison Werner (07:06)
Okay. Great.
Gary Salman, CEO (07:12)
then they launch the ransomware attack, right? Because they know once they press that button to launch the attack, it’s game over because you’re going to walk in and know you’ve been attacked. But they leverage that time, that two week time to go undetected to do a lot of damage. Some of the other things they’ll do is they will look for your backups. So I hear a lot of doctors like, we have all these backups. We’ve done incident response cases where the hackers have found their way into the backups and also destroyed the backups. You know, they want to win.
Alison Werner (07:14)
Okay.
Mm.
Wow.
Yeah.
Gary Salman, CEO (07:41)
They want to get paid. They want their $750,000. So you have that. You also have email intrusions. So we now see plenty of cases where they get into the doctor’s email. And I want you to kind of think of this logically. Think about when you log into your email, say Gmail, whatever it might be. After you enter your username and password on your computer, let’s say you do that today, in a week from now,
Alison Werner (07:51)
Huh.
Gary Salman, CEO (08:08)
Does your email system typically ask you to reenter your username and password? Often it doesn’t. It drops a token on your computer, says, I trust Alison’s computer. We don’t need to ask Alison for her password again. Amazon is another great example. We all know that. Log in to Amazon today and in 30 days, you don’t need to put your password in again. It’s trusted on your computer. So when the hackers get these screen sharing apps on your computers, they’ll just go to your browser, type in gmail.com or they’ll look at your browsing history to see what email you use and
Alison Werner (08:13)
right now.
Mm-hmm
Right.
Gary Salman, CEO (08:37)
your email just opens. So now they have full access to your email. Then what they start doing is they’ll email that oral surgeon down the street, that accountant, that supplier, and they’ll socially engineer them and get them to give up something or click on a link. And now you have another victim because of your attack. But it makes sense, right? In a sick kind of way. But from a criminal’s mindset, it’s the perfect thing. I’m going to assume the role of Alison. Everyone trusts Alison. when
Alison Werner (09:04)
Right.
Gary Salman, CEO (09:05)
Alison’s friends and colleagues open an email from her, they’re going to click on the link from her. And that’s what happens here. And then you have bank intrusions. They’re gaining access to people’s bank accounts because now think about this, right? I’m not trying to make everyone sick here. But here’s the concept. If I’m in Alison’s email, right, and I go to the bank and I say, forgot my password, where does the banking software typically send you your password? Your email. And then you just log in.
Alison Werner (09:21)
He went, I’m getting nervous.
huh.
to the email. Great.
Gary Salman, CEO (09:34)
and then they execute wire transfers. So we’ve seen the full scope of this. And the same thing applies for a cloud practice management, especially in the ortho space with a heavy adoption of cloud. What do a lot of doctors and staff do with their usernames and passwords in their browser?
Alison Werner (09:45)
Yeah.
They just save it and have it default open. Yeah.
Gary Salman, CEO (09:54)
Exactly. Yep. So you open abccloudsoftware.com and Google Chrome’s like, boop, pops your username and password right into the browser and they log into your software. So, you know, a lot of practices are like, my God, I never thought of that happening, but it’s the most simplistic thing. And we’ve seen it over and over again. You know, we’ll call, right, on behalf of the practice that’s been a victim, we’ll call the cloud provider, the EMR, the practice manager, like, no, no, no.
Alison Werner (10:13)
Man.
Mm-hmm.
Gary Salman, CEO (10:21)
It’s fine. We haven’t had any intrusions. And then we’re like, look at the log files. And then like, all right, someone logged in Saturday morning at 2 a.m. Right. And the doctor’s like, yeah, that’s not us. You know, but it came from Mary’s computer. So what I always tell doctors is you have to think differently. It’s not so straightforward anymore. It’s not like, you know, well, I’m never going to give up my username and password and I have a firewall and I have antivirus or
Alison Werner (10:33)
Right.
Right.
Gary Salman, CEO (10:48)
I’m done with all this and I move all my data to the cloud and that’s that company’s problem. It’s not though. So you asked another interesting question, is assuming we have to pay the ransom, right? And what most doctors have to understand is that over 90% of all intrusions into these dental practices result in the theft of their data, whether it’s cloud or their own server, right? It’s a hard pill to swallow, but it’s the truth. And what happens is
Alison Werner (10:52)
Right.
Yeah.
Gary Salman, CEO (11:17)
The threat actors will say, you have to pay us because we stole your data. And the doctor’s like, I don’t really think they stole the data. I talked to my IT company. They don’t see any movement in the firewall. And then I’ll say, listen, if I watch a two hour YouTube video, it’s going to use more data than me stealing your practice management software. That’s the reality of it. You can’t just look at your firewall and say they didn’t get my data. But a lot of people want to convince the doctors, right, as an IT company, like we protected you, you’re fine.
Then what happens is the threat actors will be like, you don’t believe me that I stole your data? You know what? I’m going to publish 10% of your records and I’ll put photographs of your children, your health history forms, panoramic, cephs photographs, all up on the dark web. Here’s a link. Go look for yourself if you don’t believe me. And we’ll navigate to that website with the doctors. And they’re like, my god, those are my patients. And it’s viewable by anyone that knows how to access these sites, these auction sites.
So typically what happens from that point forward is the law firm that is working with the victim will recommend to the doctor in many cases, listen, we got a problem here. Even if you have a viable backup or even if your system is still functioning in the cloud, if we don’t get this data removed, you’re gonna have class action lawsuits. You’re gonna have all these people saying, wait, you have the option to pay the ransom?
You had the option of paying the ransom, you didn’t do it, and now my children’s identities are stolen because you didn’t make that decision. And it’s a really tough position to be in. No one wants to pay these criminals. I have 20 years of law enforcement experience. Do you think I want to empower these criminals? No. But sometimes for the business, for the practice, it’s the only option. And I will tell you that most of the time, I’ve only ever seen it once in my career, when you pay, the hackers do what they say.
Alison Werner (12:53)
Yeah.
Right, right, yeah, I’ve heard that.
Gary Salman, CEO (13:06)
quote unquote honor amongst thieves. If you pay to get the key or to unlock your files, they’ll give it to you. If you pay for them to destroy the data and not publish it on the dark web, they will destroy it. And they know that if they don’t do that, then they get like a one-star Google review per se and no one’s going to pay them. It’s ridiculous. The world is just ridiculous. Like people all the time, they look at me like I have five eyes. So it, it,
Alison Werner (13:22)
Right, yeah. Yeah.
Gary Salman, CEO (13:32)
most law firms that operate in the healthcare space, the data privacy space, they will advise the client, like, probably don’t have an option except to pay.
Alison Werner (13:41)
All right, so then, because I’ve heard a lot about how the cloud is safer. What does a practice do to protect themselves in this situation? Because it seems like there’s so many vulnerabilities. So what are best practices at this point?
Gary Salman, CEO (13:58)
So you said something that’s interesting. You assume the cloud is safer. And I think that is a good assumption. The challenge with the cloud and what a lot of people don’t realize is the cloud is a data center that has servers that you just connect to these servers. So the assumption is that company that you put your trust in is doing the correct thing to secure those servers. Look what happened to Change Healthcare. They’re a hundred percent cloud. That’s a good example, and a lot of others.
Alison Werner (14:03)
Mm-hmm.
Mm-hmm.
Right, yes. Yeah.
Gary Salman, CEO (14:25)
You know, I’ve seen quite a few dental cloud systems breached. I’m a huge proponent of the cloud. I think it’s great technology. I’m not against it. But I think doctors who just say I’m in the cloud, I’m good, that’s a mistake. A couple of things to think about to answer your question. One, you have to address the risk within your own practices. And I think what happens in the dental space, and I come from a long line of family members who have been in the dental space, dentists and doctors by nature
Alison Werner (14:32)
Yeah.
Mm-hmm.
Gary Salman, CEO (14:55)
are very trusting. So what happens is they listen to a podcast like this and they run back to their IT company and they’re like, my God, I can’t get ransomware. And the IT company’s like, you’re fine, don’t worry about it. And they go back to treating their patients. You can’t run a practice like that. It’s just like, I think the best analogy is if the doctor went to their practice administrator and be like, hey, how are we doing in 2024 over 2023? And the practice administrator is like, we’re better.
Alison Werner (14:56)
Yeah.
Okay.
Gary Salman, CEO (15:24)
Where the doctors say, what does that mean? Are we up like 5% or are we up 20%? Like, where are we? But when it comes to security, because it’s more of like, it’s a more complex animal, most doctors, when they hear you’re okay from a security perspective, that’s good enough. They’re hearing what they want to hear. So one of the things that I say is you no longer can do security through feelings. You have to do it through data. And one of the most important things, and this is a systemic,
Alison Werner (15:24)
Right. Yeah. Mm-hmm. Yeah.
you
Okay.
Gary Salman, CEO (15:54)
change in the medical space, in the financial sector, and for most businesses, most organizations outside of dental have shifted to dedicated firms. So they have their IT resources doing IT, and then you have cybersecurity companies doing cybersecurity because they specialize in this, just like an orthodontist is a specialist, same concept, right? Because what we’ve found is that most IT companies
Alison Werner (15:59)
Mm-hmm.
Okay. Yeah.
Gary Salman, CEO (16:22)
focus 90% of their time on making sure the computers work. That’s what they focus on. And they don’t typically have the individuals inside of those organizations that specialize in security. So what they do is they just throw tools. They’re like, we bought this tool. We bought this tool. The tools aren’t configured properly. They’re not managed properly. They set the wrong expectations with the doctor in terms of what they’re capable of doing.
Alison Werner (16:26)
Mm-hmm. Yeah.
Right.
Mm-hmm.
Okay.
Gary Salman, CEO (16:45)
To kind of validate what I’m saying here is I lecture with a lot of the largest law firms in the country that specialize in healthcare. And they’re all saying the same thing, guys, stop. You have to separate security from IT because the IT company is not going to come to you and say, doctor, we suck at security. Right? Here are all the problems that we created with your network. Right? You need a third party to say, hey, here are problems with the network. Here’s how to fix them. Right? And it’s got to be monitored by a third party. It’s the whole audit concept. You can’t audit yourself on this stuff.
Alison Werner (16:51)
Mm-hmm. Mm-hmm.
Yeah, okay. Right.
Mm-hmm. Mm-hmm.
Yeah. Okay.
Gary Salman, CEO (17:15)
So I think that’s a systemic problem right now that in the DSO space, the DSOs are starting to realize, whoa, whoa, whoa, we’ve made a mistake here. We’re starting to separate security and IT because they are two very different animals. It’s like I always say in the dental space, if you needed orthognathic surgery, would the general dentist do the orthognathic surgery or the oral surgeon do it? And anyone in this space will say, of course, the oral surgeon is going to do that. Or if you’re a cardiologist,
Alison Werner (17:41)
Mm-hmm, right.
Gary Salman, CEO (17:43)
Would you go to the cardiologist for open heart surgery or would you go to the cardiothoracic surgeon? They’re both heart doctors, but they do very different things. Same thing in the tech space. So I think this is the first challenge that dentists have to overcome. And then in terms of actual defensive and offensive technologies that everyone should be utilizing, I think it’s very straightforward. There’s a recipe for this now. First of all, security is not a single solution.
Alison Werner (17:48)
Mm-hmm.
Right.
Gary Salman, CEO (18:11)
And I see that a lot of times. The doctors are sold this new firewall and told, hey, you won’t have a ransomware attack. I’m not sure there are really many firewalls that are going to stop every ransomware attack. It doesn’t exist. It’s not that I’m not sure, it doesn’t even exist, right? Because a multi-billion dollar company would buy it and we wouldn’t hear about multi-billion dollar companies being taken down. So let’s talk about defensive technologies, right? Defensive technologies are reacting when something bad is happening.
Alison Werner (18:17)
Mm-hmm.
Yeah. Yeah.
Right, yeah. Yeah.
Gary Salman, CEO (18:38)
So the typical defensive technology is your antivirus software. Something has landed on your computer. It’s a piece of malicious code. Someone clicked on a link. Someone’s doing something malicious on your computer, trying to install something. And now you’re relying on that antivirus software to hopefully detect it, which we know there’s no 100% viable solution that finds everything. And then is it going to stop it in time or is the hacker going to be able to execute their attack before the software can even react and fight back?
Defensive technology, so they have to be AI based. The two leaders in the industry right now that are really what I would call like top shelf or tier one are CrowdStrike, which I think most people know because they had that issue and they brought down Delta Airlines and all these other companies. And then the other is a product called SentinelOne. SentinelOne is a product we use. These guys are like Mercedes and BMW, like really, really strong products. These products should be in your environment.
Alison Werner (19:18)
Mm-hmm.
that’s right, okay. Okay.
Gary Salman, CEO (19:37)
The problem that I see with a lot of the managed service providers and IT companies is they don’t configure them properly or there’s too much noise. They turn back the capabilities of the software and the hackers then take advantage of it. Yeah, they dialed it back. They turned off the capabilities of some of the features and hackers got in. The other issue is for most ortho practices and dental practices, your IT company does not work 24-7.
Alison Werner (19:50)
exploit that. Okay, yeah.
Gary Salman, CEO (20:07)
So the hackers almost always hit at night, after midnight, or most likely on the weekends. So these software applications may be alerting, hey, I’m under attack, and people are just not in the office, you know, or they’re not at home in front of their computers, meaning the IT folks, and the network gets hit. So it needs to be what’s called managed detection response where people are gonna, humans are gonna respond 24/7. So SentinelOne, CrowdStrike, and managed by a company that watches it 24/7. Another good.
Alison Werner (20:10)
Okay. Okay.
Right.
Gary Salman, CEO (20:36)
Defensive technology is the firewall, right? You need to make sure your firewall is up to date with the latest generation. So talk to your IT company. Like any technology, these become obsolete after four or five years. And if you’re not replacing that technology, you’re just leaving holes in your environment. So that’s a good technology. Email security is something that I’m really pushing lately. This is software that sits in your email.
Alison Werner (20:39)
Mm-hmm.
Mm-hmm.
Okay.
Okay.
Yeah.
Gary Salman, CEO (21:04)
It has to be corporate email. It can’t be like, @gmail. It needs to be like, @smileortho.com. And what it does is it uses AI to read your emails, to look at the links, and it determines whether this email is malicious. So email security is really important. And what it’ll do is if it determines that the email is malicious, it rips it out of the inbox so Mary can’t click on something. It’s not even there for her to act on.
Alison Werner (21:07)
Okay. Yeah. Okay.
Mm-hmm.
Okay.
Gary Salman, CEO (21:28)
Then you have offensive technologies. And I will tell you probably 95% of all dental practices, ortho, et cetera, do not have this technology. The first is vulnerability management. So there are some very powerful tools that cyber companies use that scan the computers and firewalls looking for vulnerabilities. And once it detects them, it can fix them automatically. So if it finds like, Google Chrome is out of date on your computer, the software can detect the problem.
and say, I have a patch for that and actually fix the computer automatically so that way Mary doesn’t go to a website that’s infected and she gets hit. You have to scan your computers every four hours for vulnerabilities. You have to scan your firewalls daily. What I see a lot of doctors like, we had our IT company do a vulnerability scan. I’m like, okay, when did they do that? They’re like, they do that once a year. I’m like, just take that money, put it in the fireplace and put a match to it, whatever you spent on that, because it’s useless. It’s out of date a day later.
Alison Werner (22:04)
Okay. Okay.
okay.
Gary Salman, CEO (22:25)
Vulnerability scans. But look, this was the standard six or seven years ago, right? You know, that businesses could have a scan done once a quarter, you know, typically once a year was even back then wasn’t quite enough, but now it’s daily. Like that’s how quickly the threats have evolved. Vulnerability scans are really important. And another thing that you really need to do is what’s called a penetration test. This is where an outside firm that employs ethical hackers
Alison Werner (22:34)
Okay. Yeah.
Okay. Okay.
Gary Salman, CEO (22:52)
will assume the role of a cyber criminal and actually try and break into your practice. And if they’re successful, then a meeting would be held between the three parties, the IT company, the practice, and the cyber company explaining, hey, here are the results of the pen test. Here’s what we could have done from a data theft perspective or ransomware perspective, and here’s how to fix it. You should be doing this twice per year. That’s really becoming the quote unquote standard of care now. And especially on the firewalls, it’s not very expensive anymore.
Alison Werner (22:56)
Mm, okay.
Mm-hmm.
wow. Okay.
Okay.
Gary Salman, CEO (23:21)
So, you know, that’s, and look, from a regulatory and compliance perspective, if you’re a million dollar a year practice and you don’t spend some money on security to do stuff like this and you have an event, you know, Office for Civil Rights may come to you and be like, you’ve got to be kidding me. Like you generate all this money and you have all these patients, patient records, and you didn’t even use, you know, what’s considered best practices to protect the data. It’s not going to look good in their eyes, right? Because they’re going to look at your revenue.
Alison Werner (23:46)
Yeah, right.
Gary Salman, CEO (23:47)
Right. They’re like, you’re a $300,000 a year practice. I get it. This may be a little expensive. You’re a million dollar specialty practice, a $5 million specialty practice. You didn’t do this. Like shame on you. Training, right, is important. So as we said, around 30 to 40% of all, sorry, I misspoke, around 60 to 70% of all attacks are the result of people.
Alison Werner (23:52)
Yeah.
Yeah.
Uh-huh.
Yeah.
Gary Salman, CEO (24:14)
So cybersecurity awareness training is very powerful. It educates you, right? It teaches your doctors and your staff on all the different types of scams that are out there. And that way your staff reads that email, they’re like, whoa, this is definitely a scam. I learned about this. I’m not clicking on that link, right? Or they’re gonna question it. They’re gonna call that practice. Hey, did you really send this to me? This looks weird. And then you’re like, yeah, I don’t know what you’re talking about. I haven’t sent you an email in three days, right? So they’re impersonating them or have broken into their email.
Alison Werner (24:23)
Mm-hmm.
Yeah. Yeah.
Mm-hmm.
Right.
Right.
Gary Salman, CEO (24:43)
Training is required under federal law for ortho practices, dental practices.
It has to be documented. It can’t be like, we sat and had pizza one day and I told my team not to click on things, right? So there are training platforms that cybersecurity companies have, compliance companies have, that actually teach the doctors and staff about these scams, and it documents when they took the training, what they got on their quiz, and it does simulated phishing, so it actually sends
the practice and their employees simulated emails to see if they’re clicking on things that they shouldn’t. So that’s another offensive technology that is highly effective, very cost effective also, and it’s productive. It works really well.
Alison Werner (25:25)
So it seems like a practice almost needs to have like a schedule for the year of a checklist of the things they’re going through to make sure they’re doing this on a daily, on a monthly, on a quarterly, on a yearly level. Yeah, okay.
Gary Salman, CEO (25:39)
For sure, absolutely. And onboarding, right? You hire a new employee. Hey, before you use a computer, you’re doing your sexual harassment training, right? You’re doing your patient engagement training. You’re doing your cyber and HIPAA training. I mean, that’s how most of our clients work.
Alison Werner (25:44)
Right.
Mm-hmm.
Mm-hmm.
Just a really general question, because you mentioned there that for a lot of this stuff, the software, the offensive, you need it attached to a corporate email account. What if someone is going into their Gmail account or Yahoo account in a browser while on their work computer? What can happen there? Is there a vulnerability?
Gary Salman, CEO (26:15)
Yeah, great question. There is, right? So one of the things that our clients do is they have policies and procedures. So for healthcare, you’re really required under law to have a policy that says you cannot use a work computer for anything but work, right? Opening personal email, going banking, online banking, shopping, Google searching, like that’s all off limits.
Alison Werner (26:38)
Mm-hmm.
Gary Salman, CEO (26:42)
And employees are technically supposed to sign that policy and acknowledge that they’re not allowed to do that. That’s really important from a regulatory perspective, because if an employee does that and it causes a breach and you don’t have a policy and procedure, when the government investigates you, it’s going to be a huge problem. The flip side is, right, Mary signed that policy and procedure that she understood she wouldn’t do that. She does it and causes a breach.
Alison Werner (26:42)
Okay.
Mm-hmm.
Gary Salman, CEO (27:11)
The government’s gonna say, doctor, look, you tried to do the right thing. You had the procedure in place. You can’t control, ultimately, what a person does. We’re probably not gonna have a problem. We’re not even gonna have a discussion anymore. Dramatic difference between those two types of events. So, one of the things I’ve said for a year, seven years, is like, look, the government, for the most part, is not fining dental practices for breaches.
Alison Werner (27:16)
Right.
Okay.
Mm-hmm.
Gary Salman, CEO (27:39)
And unfortunately, two weeks ago, we saw a perio group with just a couple doctors get fined a quarter of a million dollars because they didn’t have this HIPAA risk assessment and policies and procedures in place. And the government went back six years prior to the event and was like, you can’t produce a single document for six years. Boom. The lawyers negotiated it down. It started at a range from 250,000 to 750,000 and then they negotiated down.
Alison Werner (28:00)
Mm-hmm.
Mm-hmm.
Gary Salman, CEO (28:06)
So here’s a small little group. Like if they got hit with 750 grand, like that could have been, you know, game changing for them, unfortunately. So we have, you know, not only to deal with criminals, but we have to comply with federal and state regulations too, which I think a lot of doctors don’t think about.
Alison Werner (28:08)
Yeah.
Yeah.
Okay, so, right, so because they’re probably assuming they pay the ransom, they’re done, but potentially they’re looking at an investigation as well. Okay. Okay.
Gary Salman, CEO (28:29)
They absolutely will have an investigation. Yeah, yeah. I mean, when you have a ransomware attack, under federal law, a ransomware attack is a breach, right? Now, if you can prove that they didn’t access your patient records or steal your records, you may not have a reportable event. But if your records were compromised, you have to notify the federal government, OCR, Office for Civil Rights, and they will post your name to a public website, letting everyone that looks at that website know you’ve been breached.
Alison Werner (28:35)
Mm-hmm.
Mm-hmm. Mm-hmm.
Yeah.
Yeah, okay.
Gary Salman, CEO (28:57)
And look, the class action attorneys look at those sites. And then the next thing you know, if you are a patient of Smile Whatever of Orlando, Florida, right, you could be part of a class action lawsuit, contact the lawyers at this number. And then they start finding all these patients that want to join the class action. It’s really, really unfortunate because now you’re punishing the victims and that’s just not right. Yeah.
Alison Werner (29:01)
Yeah.
Right.
Yikes. Yeah.
Right, yeah, exactly. Okay. Well, before we wrap up, so we’ve talked a lot about ransomware. You mentioned earlier there’s some other things that are out there that are a threat. Can you talk a little bit about what you see as maybe the top three under ransomware?
Gary Salman, CEO (29:35)
Okay, top three, great question. Email intrusion. Email intrusion is greater than ransomware in terms of the number of cases that we do. This is where an employee’s email account is compromised or a doctor’s email account is compromised. It can be the result of clicking on a link and it is often the result of credential harvesting, where they get an email, you know, that looks like it’s from Google or Microsoft. You’ve got to reset your password, and the doctor just
punches his or her username in and gives the hackers their access information. Now, here’s what I say to every doctor. I’m sure we’ve all written an email that we don’t want exposed. Oh, this patient was the biggest pain in the a. I don’t even want them. How did you refer them to me, or how could you? And we say stupid things. We all do it as humans. And now hackers have access to all this email and all of a sudden you’re like, uh-oh, we got a problem here. Not only do I have a compliance issue,
Alison Werner (30:08)
Okay.
Yeah.
Yeah, yeah, yeah.
Gary Salman, CEO (30:33)
I got a huge reputational issue if this email gets published. What I tell every doctor is don’t ever send an email that you don’t want published on the front of the New York Times. It’s that simple, right? And the other challenge is, especially doctors who have been in practice for a long time and are specialists, the sheer volume of emails regarding patients from the referrals is unbelievable, right? So we did an email breach for an oral surgeon.
Alison Werner (30:35)
Right.
okay.
Gary Salman, CEO (31:02)
And over a 15 year period, there were over 100,000 emails related to patient care. And the hackers got them all. And he’s got a major, major problem right now. And I said to one of my colleagues, I’m like, you know what? He would have been better off if he had a ransomware attack in this case because, you know, and he admitted it. And he said things about his employees to a consultant that was trying to help with employees. That’s not a good situation. So I think everyone gets that.
Alison Werner (31:07)
wow.
Right. Right.
Gary Salman, CEO (31:29)
The way you can protect that is A, you have to turn on multi-factor authentication. Never ever use email without MFA turned on. B, always separate your personal emails from your work emails. And unfortunately, a lot of doctors have had that AOL account or that Gmail account for 15, 20 years and they have family emails coming in, they have friends sending them stuff, and then they have communications with patients and doctors. That all gets out. That’s a bad situation. So email intrusion.
Alison Werner (31:29)
Okay.
Yeah.
Okay.
Gary Salman, CEO (31:58)
Really, really important also to defend against. There’s the email security. We already talked about that. So I think that, and then the other thing people have to understand is when you sign up for like Microsoft 365 email and your IT company turns that on like, hey Dr. Mary, you’ve got email now. You know what? There’s hundreds of security controls in the Microsoft environment that have to be configured properly. And a lot of times the IT companies don’t know that and they just turn this stuff on and then
Alison Werner (31:59)
Mm-hmm.
Yeah. Yeah.
Yeah.
Gary Salman, CEO (32:25)
a month, a year, two years later, there was a breach and it was 100 % preventable. You know, we got to, right. This is the problem with any of this technology. Everyone thinks it’s like take it out of the box and use it and it’s cheap. Like that just doesn’t work. It’s like, hey, I just bought a hundred thousand dollar car, right. Someone gets in the car, slams the gas and they spin out and crash. Like, you don’t know how to drive the car. Like it doesn’t work that way. The next thing is payroll fraud. This is another biggie.
Alison Werner (32:33)
Right.
Yeah.
Right.
Yeah, exactly.
Gary Salman, CEO (32:53)
So the way this attack works is the threat actor will do research on your practice. They’ll go to your website, they’ll look at the names of the doctors, they’ll find the name of the practice administrator, and then they’ll make some assumptions. Like most practices use like ADP or Paychex or QuickBooks, and then they’ll find the name of a doctor or an employee, they’ll send that practice administrator or doctor an email saying, hey, you know, I just wanted to let you know, let me backtrack. They assume the role of a,
Alison Werner (32:54)
Okay.
Right. Mm-hmm.
Gary Salman, CEO (33:21)
of an employee, right, they’ll create an email address that says Mary Stein, who is a front desk person. They’ll send the doctor, the administrator an email and the email says Mary Stein. It says, hey, I want to let you know, doctor, I’ve changed my bank account information and here’s my new direct deposit info. And they’ll actually fill out the ADP form, right? Scan it in and send it. And then the person who’s in charge of payroll will go into ADP or Paychex or QuickBooks, make the changes for direct deposit, run payroll, and then
Alison Werner (33:27)
Yeah.
Gary Salman, CEO (33:50)
that employee comes in like, doctor, I didn’t get paid on Friday. What’s going on? The doctor’s like, no, I ran payroll. Here’s the verification. And I got your email and I even changed your ACH. Maybe you gave me the wrong info. She’s like, what are you talking about? I haven’t changed my bank account. I never sent that email. And some employees will go a month before they look at their bank statements and that money’s gone, you’re not getting that back. Right. And so that’s a big issue. Easily, that’s one of the most easy things to defend against.
Alison Werner (34:09)
Mm-hmm. Right, right.
Gary Salman, CEO (34:18)
You go to that employee and be like, hey, I got this email. That’s it. Did you send it or didn’t you? And is this right? You have to have a human conversation. I mean, I know everyone wants to do everything electronically, but have a conversation. The last one is wire fraud. I wouldn’t say that this is as prevalent as ransomware and emails, but the dollars can be massive. So we had a case where an oral surgeon sold their practice to a DSO and
Alison Werner (34:19)
Ask. Yeah. Right. Absolutely. Yeah.
Okay.
Gary Salman, CEO (34:48)
Right before the wire was sent by the DSO to the oral surgeon, the DSO received an email that purported to be from the surgeon saying, hey, I just spoke to my accountant and he wants me to set up a new bank account just for this transaction.
So the DSO, instead of calling the doctor and being like, hey, did you send this email? They wire $2 million. And look, I don’t quite understand the story here, but the doctor expected the money on Monday and by Friday, she’s like, I never got it. And at that point, it was too late. The money was gone to a foreign country. Couldn’t recoup it. Now you have the law firm involved. You have the seller. You have the buyer. Who’s at fault? Where did the email, whose email got hacked?
Alison Werner (35:11)
You
Yeah. Mm-hmm.
Gary Salman, CEO (35:34)
And the hackers were following this transaction. Believe it or not, this is more common than people realize. So it’s so simple. Whether you’re real estate, buying real estate, paying large bills, call the person that sent you that wiring information and be like, hey, I’m going to the bank now or I’m going online. Tell me the ABA, which is the routing number, and confirm the account number over the phone, person to person. And then you can do this, which is interesting for larger transactions, send $1.
Alison Werner (35:41)
Uh-huh.
Mm-hmm. Yeah.
Right.
Mm-hmm. Mm-hmm.
Gary Salman, CEO (36:04)
Send $1, yeah, test transaction, I’m gonna send you $1. When you verify that’s in your bank account, call me back and let’s talk. And then, right, while we’re on the phone, I’ll send the remaining $500,000. So little things like this make a huge difference because a lot of the cyber coverage doesn’t offer high limits on this stuff. It’s very often that it’ll max at 250. And we’ve seen…
Alison Werner (36:04)
to test it, yeah. Right.
Great.
Yeah.
Mm-hmm.
Gary Salman, CEO (36:31)
ortho practices lose a lot of money. They went to go buy a building and they lost all their money because someone intercepted email communications and changed the wiring information. You’re not getting it back unless you can get a hold of the FBI within 24 hours, then you could get it back.
Alison Werner (36:40)
Okay. Okay.
Okay, okay, okay. And so that stuff, somebody’s been sitting in your email for a while probably at that point. Okay, okay.
Gary Salman, CEO (36:53)
For sure. Yeah, yeah. So watching the transaction, watching your email, things like that, or it could be on the receiver’s end you’re working with, a real estate agent, for instance, an attorney for the closing, sale of a practice, purchase of a building, things like that. And they’ll strike just at the right time. It could be at four o’clock in the afternoon on a Friday. They’re like, great. Everyone’s going to be out. The attorneys aren’t going to look at this. I’m going to send this. They’re going to wire it. No one’s going to know until Monday or Tuesday.
Alison Werner (36:58)
Mm-hmm.
Mm Yeah. Right.
Yeah.
Mm-hmm. Mm-hmm.
Gary Salman, CEO (37:20)
And Monday is going to come and they’re just going to say, it’s over the weekend. The banks don’t do anything. So let’s just give it until Tuesday, and then it’s too late. It’s gone.
Alison Werner (37:27)
Yeah. Yeah. Okay. Okay. So the thing to keep in mind is these people are patient. They will wait and find a moment, whether it’s the ransomware or it’s this.
Gary Salman, CEO (37:35)
Oh yeah. They always have time. Yeah, no, you’re 100 % right. They always have time on their hands.
Alison Werner (37:45)
Okay, well, Gary, it has been an absolute pleasure, although a little scary, a little overwhelming, but we will talk to you again soon to maybe go a little bit further or answer some questions as we get them. But yeah, I think so. Yeah. I, yeah. Mm-hmm. Yeah.
Gary Salman, CEO (37:49)
So good.
But you can do something. I think that’s the statement here. That’s a positive takeaway. And a lot of doctors don’t know that this is out there, so they don’t even know how to address it. They become a victim and then they find out how to fix and prevent it. That’s not right either.
Alison Werner (38:13)
Right. Well, and I think what you said there, everything you kind of outlined during this conversation, is as long as they have a plan and know the things they have to check off, whether it’s daily, weekly, quarterly, yearly, to make sure they’re following those best practices and their staff are following those best practices, then it is doable. You know, OK, great. Well, thank you so much, Gary. If anybody wants to reach out to you at Black Talon, how should they do that?
Gary Salman, CEO (38:32)
Exactly. Yep. You got it. You got it.
Sure, blacktalontsecurity.com. Check us out there. You can hit me on email, gary at blacktalontsecurity.com, and then find me on LinkedIn. I have thousands of doctors that follow me on LinkedIn. We are constantly posting really good content there. Many things you can do yourself to protect yourself, and it’s cybersecurity month right now, so we’re posting lots of content. But whatever works for your listeners.
Alison Werner (39:04)
All right, well, great. Thank you so much, Gary. I really appreciate it. Take care.
Gary Salman, CEO (39:06)
Got it. Later.