With cybersecurity attacks now more common than malpractice claims in the orthodontic industry, the question is no longer if a practice might be targeted, but what to do when it happens. In this episode of the Orthodontic Products Podcast, host Alison Werner talks with Gary Salman, CEO of Black Talon Security, to recap a panel from the recent AAO Annual Session in Orlando focused on cybercrime. Moving beyond standard prevention advice, the conversation delves into the harsh reality of navigating a data breach. Salman shares insights from his fellow panelists, including a specialized FBI agent and a healthcare data privacy attorney, to outline the severe law enforcement and legal realities that follow a cyber event.

Central to the episode is the real-world experience of Dr Kenneth Webb, an orthodontist whose multi-location practice was compromised by a ransomware cyberattack. Salman explains how hackers typically exploit random network vulnerabilities rather than targeting specific doctors, and why relying solely on cloud-based systems does not absolve a practice of HIPAA liability. He also breaks down the critical, immediate steps a practice must take upon discovering a breach—such as disconnecting from the internet to preserve forensic evidence and immediately contacting a cyber insurance carrier. For orthodontists looking to protect their livelihoods, this episode offers an essential look at why specialized cybersecurity is necessary to prevent a manageable incident from becoming a catastrophic class action lawsuit.

What You Will Learn From This Episode

  • The realities of a ransomware attack, highlighted by a real-world orthodontic case study

  • Why cloud-based practice management software does not guarantee immunity from data breaches

  • The critical first steps to take immediately after discovering a network intrusion

  • How mishandling the initial response can trigger mandatory HIPAA reporting and legal action

  • The crucial difference between standard IT support and specialized cybersecurity experts

Chapters

01:33 – Recap of the AAO Cybercrime Panel

03:01 – Case Study: Dr Webb’s Ransomware Attack

05:14 – How Hackers Target Orthodontic Practices

09:39 – The First Steps to Take During a Cyberattack

12:28 – Why Hackers Search for Your Cyber Insurance Policy

14:35 – Treating Your Network Like a Crime Scene (HIPAA Reporting)

18:20 – The Threat of Immediate Class Action Lawsuits

20:23 – The Cloud Software Misconception

27:31 – How to Build an Incident Response Plan

30:49 – Why Your IT Company Isn’t Enough

Guest Bio:

Gary Salman is CEO and co-founder of Black Talon Security. A leader in the cybersecurity field, Salman has a 25+ year background in law enforcement and healthcare technology. His firm monitors and secures approximately 65K computers and networks worldwide and has trained tens of thousands of healthcare professionals.

Podcast Transcript

Alison Werner (00:06)
Hello.

And welcome to the Orthodontic Products Podcast. I’m your host, Alison Werner. In this episode, Gary Salman, CEO of Black Talon Security, is back with us. At the recent AAO annual session in Orlando, I caught a panel Gary participated in that was focused on cybercrime in orthodontic practices. And we’re taking some time today to recap that discussion. We so often talk about how to prevent a cyber attack, but today we are looking at what happens when you actually experience a breach. We discussed the reality of ransomware attacks, including the of Dr. Kenneth Webb, an orthodontist whose practice was compromised several years ago. Gary also shares insights from his fellow panelists, FBI agent Timothy Callinan and healthcare attorney Brittany Cambre, touching on both the law enforcement and legal realities of a data breach. We also get into why cloud-based systems aren’t a foolproof solution and the practical steps you need to take immediately if your network is ever targeted. With cybersecurity attacks now more common than malpractice claims in the orthodontic industry, it’s a very relevant topic for the moment. Here’s our conversation.

Alison Werner (01:14)
Gary, thank you so much for joining me.

Gary Salman (01:15)
Yeah,

it’s my pleasure. Thanks for having me.

Alison Werner (01:19)
Yeah, so at the AAO annual session, I was able to catch your panel. And for those who didn’t attend, why was it important for the four of you to be on that panel to offer your different perspectives?

Gary Salman (01:33)
Yeah, look, I think it was an amazing panel. You had Dr. Ken Webb, orthodontist, multi-location group, who was the victim of a ransomware attack a couple of years ago. You had a supervisory special agent, Tim Callinan from the FBI’s field office in Florida, who specialized in cybersecurity. So you got to see and kind of hear the real world, what’s actually happening out there, who’s attacking us, why are they attacking us.

Alison Werner (01:43)
Mm-hmm.

Gary Salman (02:02)
what’s the FBI doing? So you got to hear his perspective. I thought he was awesome. And then we had Brittany Cambre, who is an attorney who specializes in data breaches in healthcare. So she’s a data privacy counsel. So she brought a really interesting perspective from a legal compliance and regulatory perspective that I think most healthcare providers have never even

Alison Werner (02:07)
Yeah.

Gary Salman (02:32)
begin to fathom, right? They don’t realize how bad it actually can be. It’s not just about pressing a button and recovering backups. It’s all of the aftermath of the event.

Alison Werner (02:32)
Mm-hmm.

Yeah, no, definitely. You and I have talked before, and you’ve written for us before, and often we really focus on how to prevent the attack. So it was really interesting to hear Dr. Webb’s story of his attack. Can you kind of talk about his story? Because you do know it, because you were part of the recovery.

Gary Salman (03:01)
Yeah, so it was a couple of years ago. And basically he walked into his office on a Saturday morning and discovered that his computers were not functional. In fact, it turns out that every single computer except for one had a ransom note on it and that the hackers had gained access to all of their locations. Some of the practices were running traditional what’s called on-prem practice management software.

You have your own server and your own orthodontic software on it. And he had another office that was running cloud that he had recently migrated to, but all the systems were taken down in this ransomware event. So the computers weren’t even really functional. And plus they were infected with malware and the hackers had remote access to them. So it was a big problem. And he basically reached out to an IT friend of his.

who said, hey, you know, reach out to Black Talon Security, you know, because this is a significant event that has to be handled properly. It’s not really an IT issue anymore. It’s a compliance and legal issue that has to be dealt with appropriately. So he had actually reached out to us, got in contact with me on a Saturday, and we started the investigation into his ransomware attack, which when we got in there, we realized, you know, it was bad. You know, he basically

didn’t have a single machine that wasn’t impacted. Like all the files were locked or encrypted and he couldn’t get at any of his existing data. So you’re talking practice management software, two dimensional images, three dimensional images. Everything was completely locked by the hackers and you know, they were demanding a significant amount of money to provide the decryption codes to unlock all of his data. So that’s basically what we walked into.

Alison Werner (04:50)
Yeah.

Okay. And it’s not necessarily that Dr. Webb was targeted specifically because he’s an orthodontist. I think it was the FBI agent who was saying that, you know, these hackers aren’t looking for orthodontists. It’s just you sometimes get caught up because of your location or your IP address. Can you talk a little bit about that?

Gary Salman (05:14)
Yeah, so we’ve investigated hundreds of cases, ransomware and other types of intrusions, doing digital forensics and things like that. You’re pretty much spot on. What we find a lot of times is what the hackers will do is they’ll scan the internet. They’ll scan millions of IP addresses. And your IP address is like your phone number, right? It’s a unique internet number associated with the modem at your office. Or if you have multiple locations, each office will have a unique IP address.

Alison Werner (05:19)
Mm-hmm.

Gary Salman (05:43)
And what happens is the hackers will scan all of these IP addresses and they’ll run basically hacking tools against these IP addresses and they’ll just sit back and wait. So if they want to target Boston or New York or some rural community in the middle of Kansas, they can often do that by looking at blocks of IP addresses. And they just sit back and wait for their tools to say, hey, I found something. I found an open door at this IP address. And basically an alert goes off on the hacker system.

Alison Werner (05:52)
Mm-hmm.

Gary Salman (06:13)
And then they start digging in. They’re like, OK, I got an IP address. What’s behind this IP address? Look at this modem or look at this firewall. OK, let me take a tool out of my toolkit and see if I can break into that modem or that firewall. Look at this. They have a version of the firewall software that has a vulnerability. If I run this tool against that vulnerability, that firewall is now going to say to me, come on in. I don’t need a username and password. They’ve exploited the weakness on that device.

Alison Werner (06:38)
Mm-hmm.

Gary Salman (06:41)
And then they typically land inside the network and they start gathering information off the computers. And they’re like, my God, look at this. We hit a healthcare entity. Look at all these patient records. Look at these, you know, pieces of information that obviously are very valuable to this business. And then typically what they do is they start stealing all the data, right? And no alarm bells are going off. This is almost every single victim that we deal with. The hackers have walked away with some or all of their patient data.

including many practices that were 100% cloud-based. And you and I can talk about that. And no alarm bells went off. The IT company was never notified that, hey, a hacker’s stealing all of the data. And then after they steal the data, sometimes they just drop the ransom note and say, hey, I stole all your data. Contact me on the dark web here. I want $3 million. Or you may walk into what Dr. Webb had, which is all the computers are encrypted and your computers just don’t work anymore.

Alison Werner (07:14)
Yeah.

Mm-hmm.

Yeah.

Gary Salman (07:38)
So yes, you are absolutely right. Sometimes we see practices that are in the vicinity of military installations, defense contractors, government agencies, things like that. And the hackers know that, hey, IP addresses in this area of Maryland or Virginia or New York, or Rhode Island where there’s a lot of defense contractors, like we’re going to scan those. Maybe we’ll hit a government agency or a contractor and boom.

Alison Werner (08:00)
Yeah.

Right.

Gary Salman (08:08)
You just happen to be an orthodontic practice stuck in the middle. So I truly believe, based on our analysis, that that often happens. But sure, there are targeted attacks. We’ve seen it in most of the health care spaces where hackers will get mailing lists of groups of orthodontists or oral surgeons and send out phishing emails trying to target some of those individuals. Or the attack starts at a GP’s office.

Alison Werner (08:09)
Thank you.

Yeah.

Nothing.

Gary Salman (08:38)
through their email system and then propagates to all the other dentists in the area that they communicate with. And that malicious code is delivered from one email account to another. So sure, yeah, look, I mean, there’s lots of ways that this stuff happens, but I believe for most ortho practices, it’s a random unfortunate event.

Alison Werner (08:46)
Yeah.

Yeah, yeah. Okay, so back to what do you do after you walk in and see that message like Dr. Webb’s associate did and then he came in and saw it himself. What do you, let’s start with, he made a phone call and the reason he knew who at least had an idea who to call is because he had served on a task force with someone who he knew was kind of in this field and who was able to lead him to you. But for someone who doesn’t have that background, let’s start with,

Who do you call, but then also physically what do you do? Because there was something that you said you advised Dr. Webb to do, and that was to get off the internet.

Gary Salman (09:39)
Yeah, look, first thing you really want to do if you really suspect that your network is under attack and look, a lot of times it’s very obvious. There’s a ransom note on the screen and it says you’ve been hacked by, you know, killing ransomware, for instance, that’s just one hacking group. OK, there’s a bad situation going on in your practice. So what I always advise is the first thing you do is don’t turn your computers off because if you turn them off, you can actually lose some evidence like digital forensics type evidence.

Alison Werner (09:56)
Mm-hmm.

Mm-hmm.

Gary Salman (10:08)
The best course of action is to pull the internet connection. So unplug your modem or power off the modem or power off your firewall. Then what you want to do is from a couple of computers, open up your browser and try and go to a website like Google or CNN.com or Fox News.com and kind of see if you can connect to the internet. And if you get an error message that you can’t connect, OK, you’re off the internet. Like that’s a good indication.

If you have multiple locations and those offices are connected together through like a VPN over the Internet, there’s a high likelihood that the threat actors may have gained access to your other locations as well. And I’d also recommend that you may want to do that. That’s like emergency. The other thing you can do is you can also contact your IT company and say, can you block all Internet traffic coming in and out of my firewall?

Alison Werner (10:40)
Mm.

Gary Salman (10:59)
So instead of actually like physically unplugging it, they’re shutting off all the internet connections at the firewall. And usually they can still gain access to the firewall and manage it. So that’s kind of option two, but a lot of times these attacks happen over the weekend and you can’t get a hold of your IT company. So pulling the plug is definitely step one. Step two would definitely be to reach out to your IT company and let them know, hey, you know, assuming they’re available and it’s during normal hours, hey, we have an event here. This is what’s going on.

Alison Werner (11:13)
Right. Yeah.

Yeah.

Gary Salman (11:29)
and give them a heads up. They may have some tools available to do a little bit more research and they may be able to look into their antivirus software and see some things as well. And then the next thing I always say to do is call like a tactical timeout or tactical pause. Like understand that this is kind of ground zero and the actions you take or don’t take from this point forward.

can often dictate whether you have a significant event or a catastrophic event. And the next thing you want to do is once you kind of take that pause, you want to start engaging experts in this field. Hence the reason we kind of had that panel. And I hope most orthodontists at this point have cyber insurance. So the next call you’re going to want to make is to your cyber insurance carrier. So pro tip, don’t leave your insurance policy on your network.

Alison Werner (12:14)
Mm-hmm.

Yeah.

Yeah.

Gary Salman (12:28)
Right, hackers will literally search for your insurance policies. And if they find that you have a million dollar cyber liability policy, guess how much the ransom demand is going to start at? A million dollars.

Alison Werner (12:36)
Uh huh.

Yeah, that was

a really fascinating tip or just thing that you guys were talking about that they would actually go search for it on the files.

Gary Salman (12:47)
Yeah,

they have what are called scripts that run on the network looking for keywords like cyber policy, insurance policy, financials, HR, all these things that they consider to be high value grabs, meaning they take them and pull them off your network. The other problem that we’ve seen quite a few times is they encrypt all the files and the doctor’s like, man, my…

Alison Werner (12:55)

Gary Salman (13:12)
My insurance policy is on my network, but it’s encrypted and I can’t open it. I don’t even know who my carrier is. Now, where do you even start? You know, especially if it’s on the weekend and you can’t look at who your policy is, like there’s hundreds of insurance carriers out there. So I always say have a hard copy at your house, right? At the office, right? Make sure if you’re going on vacation, your practice manager administrator knows where that document is. So God forbid there’s an event while you’re away.

Alison Werner (13:21)
Yeah.

Yeah, right.

Gary Salman (13:40)
that person can run with it. That’s definitely kind of a good pro tip there. So make contact with the carrier, let them know that you believe you have a cyber event at your practice and this is what they see. And typically the agent will start a claim or the agent may give you an 800 number directly to that carrier. A lot of the bigger carriers have basically 24/7 cyber response. So you’ll get

you know, someone from the carrier that can provide some basic guidance. They will also then reach out to a law firm. They’ll reach out to an incident response company like us to build the team to help you recover. Don’t touch your network. Don’t do anything. I always say something that’s really critical here, which is the IT companies want to just help the doctor recover. But if you make that mistake and they erase all the forensics data,

Alison Werner (14:25)
Mm-hmm.

Mm-hmm.

Gary Salman (14:35)
you, the doctor, and the practice will be forced into a mandatory reporting under HIPAA because they can’t prove that data was or wasn’t taken. So yes, everyone wants to get back up and running as quickly as possible. And we understand that your practice is hard down and you can’t do anything. But if you make a mistake now and you compromise the integrity of the investigation, what could have been a couple hundred thousand dollar event will turn into a multi-million dollar event in class action lawsuits.

Alison Werner (14:42)
Right. Right.

Mm-hmm.

Mm-hmm.

Yeah,

you guys specifically used the words treated as a crime scene. So don’t touch the evidence. And then you guys did talk about how that can determine whether you do have to do federal reporting for HIPAA violations. Can you talk a little bit about that?

Gary Salman (15:08)
Absolutely.

Yeah, so under HIPAA, when you have a ransomware attack or probably just about any type of cyber event, it is considered a breach until you can prove that it wasn’t. So in the case of Dr. Webb’s event, he was down for multiple weeks, because he had every computer impacted and we had to recover the data and things like that. But often the hackers, I’ll say over 90% of the time, the hackers will

steal some or all of your data. And the second that data is either opened and looked at by a hacker, or they steal your patient records from your server or from your cloud practice management solution, you basically are forced into a reportable event. But if it’s unknown, like, hey, the hackers aren’t saying that they stole the data, we’re just not quite sure, a digital forensics investigation can then help determine: did the hackers open data?

What was the extent of the data they looked at? Or did they grab files off the network and exfiltrate them or steal them? And based on the investigation, sometimes you can get to a place where the attorneys and the client and the incident response company have a high confidence that no patient records were accessed or stolen. And other times, like, look, guys, we found a file that the hackers created that has your entire practice management software in it.

And all of your patient records are there, and they took it. You have no choice. You’re forced into a mandatory reporting. Or the hackers send us a link, and we can see all the data they stole on their servers, on the hackers’ dark web website. So a lot of times, that’s what they do, because they know if they steal your data, you’re going to most likely pay them. It’s not the right answer, and no one’s ever suggesting you pay criminals. But unfortunately, sometimes there’s no choice.

So yeah, if that investigation is not conducted properly, then by default, the law says you have a mandatory reporting requirement, both often at the state and federal level, depending on where you live in the country.

Alison Werner (17:21)
Okay.

Yeah. I want to go back to the insurance, calling your insurance first, because what came up in the panel was the fact that sometimes your insurance company isn’t available on the weekend.

And so if this does happen, I think it was the attorney that was on the panel, she said it was OK to call your personal attorney because then at least everything is under privilege for anything that happens next. And sometimes they can direct you to somebody else to call if you’re looking for who to call at this point.

Gary Salman (17:53)
Great.

Yeah, so it’s really important that everything is done under privilege and understand this. And I think she mentioned it. Any conversations that the practice has with their IT vendor, whether it’s an email or potential text messages, guess what? That becomes discoverable in a class action lawsuit. So it is a huge problem and this is why…

Alison Werner (18:07)
Mm-hmm.

Gary Salman (18:20)
The insurance carriers bring in a law firm and they bring in a separate entity to do the investigation. They pretty much never allow the IT company, whether it’s internal or external to the organization, to conduct the investigation because, as you heard Brittany say, almost every ransomware attack that’s occurring in healthcare right now, the practice, regardless of size, whether you’re a single doctor, mom and pop ortho practice or a large group, you will be served with a class action lawsuit.

Period. I see it all the time. I mean, it’s typically, depending on the hacking group and how much data they’ve made public, we’ve seen dental groups that have been served with a lawsuit three days after their initial attack was executed. So they have law firms now that all they do is they mine the dark web and various data leak sites. And the second they see a health care entity, they will.

Alison Werner (18:53)
Yeah.

Gary Salman (19:16)
immediately try and find one patient from that practice and then serve them with a class action lawsuit. So I think practices don’t realize this and orthodontists are always saying, well, I just have a CEPH or I have a photograph. Like what the heck are the hackers going to do with that? Government doesn’t care. The state doesn’t care. It’s all protected confidential information. And the criminals know this and the class action attorneys know this. So

You know, a lot of practices are like, well, we’ll just recover our data from backups, you know, or we’re in the cloud. Who cares? I’ll just rebuild my computers. And then five days later, they’re served with a class action lawsuit for $5 million. And I’m like, what the heck is this about? It’s very, very sad, right? And, you know, you never want to be on the receiving end of that, obviously, but this is just where we are right now.

Alison Werner (19:50)
Yeah.

Yeah. Yeah.

Mm-hmm. Mm-hmm.

Yeah. Let’s talk about the cloud, because I think there’s a lot of thought that like, I’m safe if I’m on the cloud, or I have a backup on the cloud. Can you talk about how you’re not necessarily safe, or that’s not always the solution?

Gary Salman (20:23)
Yeah.

So it’s a great discussion, right? I’m a huge advocate of the cloud. I built one of the very first cloud technologies in the late 90s for the healthcare and dental space. So we all have to understand that there’s pros and cons with any technology that’s out there. Unfortunately, what I see too often in the dental space

Alison Werner (20:29)
Right.

Gary Salman (20:45)
this type of conversation. Okay, so I’ll be Dr. Jones, the

Alison Werner (20:48)
Thank

Gary Salman (20:50)
and I meet with a cloud ortho software and I’m like, hey,

So I’m really worried about cybersecurity. I want to move all my orthodontic data off of my server and put it in your cloud. And then the sales rep is like, yeah, no problem. We do all the security for you. You don’t even have to worry about security on your computers anymore. You may not even need an IT company anymore, doctor. Doesn’t that sound great? Just think about how much money you’re going to save.

Alison Werner (21:04)
Thank

Mm-hmm.

Yeah.

Gary Salman (21:18)
So that opens a massive can of worms instantly. So you heard Brittany say it, even if you move your data into the cloud on someone else’s servers, if there’s a breach, the doctor is still responsible. That’s how the HIPAA laws are written. Now there may be some contracts that address who’s responsible and what the potential limitation of liability may be.

Alison Werner (21:29)
Mm-hmm.

Right.

Okay.

Gary Salman (21:42)
all another discussion. But I think a lot of practices, if you told them that, they’d be like,

What do you mean? If that company that I hire gets breached, it’s still my fault? Well, under HIPAA, pretty much so. That’s how the law is written. So what happens here is a multitude of failures. The practice all of a sudden is like, get that data out of here. OK, now it’s in someone else’s hands. I don’t have to worry about it. Maybe I don’t need an IT company anymore, or maybe I back down on services from them and I don’t have to worry about security. And here’s what I’ve seen over and over again.

Alison Werner (21:53)
Yeah.

Gary Salman (22:18)
The hackers gain access to the orthodontic practice. They install screen sharing applications on all the computers. So basically they remote into the machines at will. So they sit in Russia, they click on an icon and five seconds later they’re connected to, you know, Smile Orthodontics and Sally’s computer at the front desk. And when Sally walks away, they take full control of that machine as if the hacker from Russia is sitting at Sally’s desk. It’s that simple.

Alison Werner (22:22)
Mm-hmm.

Mm-hmm

Gary Salman (22:47)
Then they open the browser. They look at the browsing history. Look at this: abcorthocloud.com. They click on that link as the hacker. ABC OrthoCloud opens up. Maybe Sally just walked away from her computer a few minutes ago and conceptually the software allows her to automatically log in or she’s using the password manager in the browser and the browser inserts the username and password. And now as the hacker, they’ve gained access to your cloud software.

Alison Werner (22:57)
Mm-hmm.

Bye.

Gary Salman (23:17)
Odds are they’re probably not too familiar with it, but it’s not too hard to figure out menu systems and patient exports and data exports. My experience shows that typically within about 30 minutes, they’re able to find how to export all of your patient records and their treatment history out of your software into a PDF file, save it on the desktop, and then the hacker just grabs that PDF file off the desktop. And now they took 10,000 patients from your orthodontic cloud software.

I mean, it’s literally that simple. Like if I was a bad guy and I got a screen sharing app on a practice’s computer, I would have fun all day long, you know, gaining access to that stuff. Look, it’s a huge misunderstanding. It’s a lot of, I think it’s on both sides. I think you have sales reps that don’t understand security, right? And then you have doctors on the same side.

Alison Werner (23:55)
Yeah.

Mm-hmm.

Yeah.

Gary Salman (24:14)
They hear what they want to hear. The rep’s telling me it’s secure. It must be secure. They’re HIPAA compliant. Like I hear that every day. Well, I’m buying the software. They said it’s HIPAA compliant. Okay, Doc, what does that actually mean to you? I don’t know. I’m just the orthodontist. Okay, look, I hear you, right? I’m not an orthodontist and I know basics about orthodontics, but I’m a security expert, right? So we all have different roles.

Alison Werner (24:33)
Yeah.

Gary Salman (24:38)
But we have to get to a point where we learn how to ask the right questions or hire people who can ask the right questions for you. Because my experience, just like Dr. Webb had and hundreds of other ortho practices I’ve experienced, when this thing goes boom, it’s really bad. I mean, we have seen practices literally go out of business because they can’t survive the financial fallout. It is so heartbreaking to see these dentists and specialists lose everything they work with. And this isn’t scare tactics in any way. This is the reality.

Alison Werner (24:59)
Okay.

Gary Salman (25:07)
you know, some practices don’t have enough insurance and they get served with class actions. They don’t have enough coverage to pay for the attorneys and, God forbid they lose the class action. You know, the practice is done, you know, it’s really, really sad. And that, you know, that’s why I think you getting this message out, you know, orthodontists have to realize like, I’m not immune to this just because I’m an ortho versus, you know, cardiothoracic, you know, surgery practice.

Alison Werner (25:17)
Right. Yeah. Yeah.

Yeah,

no, listening to you guys just talk about how just random it is really made it, you know, that much more unsettling to realize that there’s, if you’re not already doing something to at least protect yourself. If you’re not, then this could be, there’s nothing to, nothing that makes you special. Basically. Yeah, you’re just as much at risk as everywhere.

Gary Salman (25:55)
Nothing that makes you special. You know, if a group of hackers…

I’m sorry, go ahead.

Alison Werner (26:01)
You’re just as much risk as anybody else.

Gary Salman (26:06)
Absolutely. Look, the hackers communicate in dark web chat rooms, and they talk about, I just hit an oral surgery practice. I just hit an orthodontic practice. They paid out a million dollars. OK, so where do you think a hacker may go next? Well, let me go on to ChatGPT and ask it for a list of orthodontists in the Atlanta area that I could potentially target. OK, here are the.

Alison Werner (26:11)
Mm-hmm.

Gary Salman (26:34)
the list of the practices with links. Let me click on their link to their website. Look at this. There’s an info at abcorthodontics.com. Let me send a phishing email there and see if someone at the practice clicks on it. Look, the information nowadays is so readily available that anyone that has malicious intent and has half an hour can easily research targets and get a whole list of them. You can ask these

large language models, give me every orthodontic practice within 50 miles of Atlanta, Georgia. And it’s going to come back with a list. So yes, going back to what we said, sometimes it’s random, but also if they want to target, it’s very easily done nowadays.

Alison Werner (27:09)
Yeah.

Yeah. Well, are there any tips you would want to leave with the audience for just, you would call it, I think, a breach plan? How should they start preparing that breach plan for if this does happen?

Gary Salman (27:31)
Yeah, so under HIPAA, you have to have an incident response plan, a breach plan, right? And basically what it’s saying is if this happens, then do this. Look, in all honesty, you can go to Gemini or you can go to ChatGPT and say, hey, can you help me build an incident response plan for my practice? And it can ask you a bunch of questions. You can fill in some information and it can generate a plan.

Alison Werner (27:41)
Mm-hmm.

Mm-hmm.

Mm-hmm.

Gary Salman (28:00)
I would highly advise you don’t put anything confidential in there, but it can help generate a plan for your practice. And then you can tweak things and kind of make it your own. I think that’s really important. But to be a little more specific, like some of the things we even talked about, like, pull the plug, right? Everyone in the practice has to know that. The staff has to know certain things like, hey, if I see the mouse moving and the screen’s changing and it’s not me,

Alison Werner (28:20)
Mm-hmm.

Gary Salman (28:30)
there’s a high likelihood the network’s under attack and then I must do this. So that’s part of an incident response plan, have something in there. So I think that that’s really important. Have the name of a cyber company that does incident response like ours or another one that specializes in healthcare. To your point, you may not be able to get ahold of anyone on the weekend. So if you reach out to a company like ours, we can recommend legal counsel that can represent you over the weekend and maybe…

Alison Werner (28:35)
Yeah.

Yeah.

Gary Salman (28:57)
You know, even if it’s passed off to another law firm from your insurance carrier on Monday or Tuesday. But you heard Dr. Webb’s story. It took days, even during the weekdays. What did you say? It was like Saturday until Thursday, if I remember correctly, before. Yeah.

Alison Werner (29:00)
Thank you.

Yeah.

And it was a holiday weekend. It was

Martin Luther King weekend. So he was hit on a Saturday, couldn’t talk to his insurance until Tuesday, they, no, left a message on Tuesday, didn’t get a response till like Thursday or Friday.

Gary Salman (29:20)
Yep. Exactly.

So he was really smart and his partner was really smart. They’re like, we can’t wait anymore. We’re going to lose so much money by being down for four or five days that we’ll pay whatever we need to pay right now to get back up and running. And their insurance carrier was awesome. They let us continue. And they agreed to use the attorney that we recommended. So that worked out perfect for him.

Alison Werner (29:26)
Okay.

Mm-hmm.

Gary Salman (29:45)
That’s not

always the case to be totally transparent. Sometimes the insurance carriers will boot the lawyer out, will boot the incident response company out and bring their own people in. But at least you’re a couple days ahead. And we explain that to all victims, hey, this is a possibility. You have to just make a business decision. Are we going to jump on this right now and work all day Saturday and Sunday to try and get 48 hours ahead of this thing? Or are we going to wait until the insurance carrier calls you back and you’re going to be hard down during that period of time?

Look, some practices are like, well, I just want my carrier to get involved first. And others like, we’re too busy to be down an extra two days. So I think that’s really important. Look, and I think that the biggest advice that I can give anyone is not only having an incident response plan, but understand that regardless of how good you feel your IT resources are, they are not specialists in cybersecurity. And I think

The mindset for most health care providers, I see this in dental and we do a ton in medical also, is, well, my IT guys are awesome. They really do a good job at keeping my network up and running and fixing broken things. So if they’re good at that, they have to understand cybersecurity as well. That’s not the case, right? It’s a very different specialized discipline. And I think the best example I have, especially in the healthcare spaces, and I said this on stage, so I’ll say it again.

Alison Werner (30:49)
Mm-hmm.

Yeah, right.

Mm-hmm.

Gary Salman (31:12)
Is

a cardiologist the same thing as a cardiothoracic surgeon? No, they’re not. They do very different things, but they’re both in health care and they both treat the heart. You know, one’s going to crack your chest and one’s going to detect, you know, a problem with your valve. So, you know, I see the same thing in the healthcare space, and the interesting part is that every single ransomware attack we’ve done, and as I alluded to, we’ve done hundreds of these cyber events. Everyone’s had an IT company. Everyone’s had, for the most part, what they deem to be.

Alison Werner (31:21)
Yeah.

Great.

Yeah.

Gary Salman (31:42)
a good IT company that’s just not what they do. And most of them don’t support the network 24-7. These things go boom after hours and over the weekend, right? Because the hackers know that most businesses, especially in healthcare, dental, you’re not doing orthodontics at 3 a.m. in the morning. There’s no one there that’s gonna be looking at computers seeing that they’re under attack. And then the other thing, if you wanna do a gut check,

Alison Werner (32:02)
Right.

Gary Salman (32:10)
you know, of yourself and your practice. I ask a very simple question of everyone I lecture to, which is, Doctor, have you ever sat down with your IT company and the IT company pushed a piece of paper in front of you and said, Hey, Dr. Mary, these are all the security holes in the network that we built and secure for you.

And of the tens of thousands of people that I’ve lectured to over the years, I’ve only got a couple of hand raises where I’ve asked people like, hey, raise your hand if this is the case. And if you’re an orthodontist and your IT company has never showed you where you have all of your security vulnerabilities, then by default, they don’t have the visibility into the security of your network and where you have holes. But most importantly, you’re responsible for knowing that. Right. I’ve had.

Ransomware attacks where the IT vendor literally said to us, well, I know Dr. Smith. He’s super cheap. He would never buy a new firewall. And then you tell Dr. Smith that and he’s like, what the heck did he say? Are you kidding me? You think I wouldn’t have spent $500 on a new firewall to prevent an event like this? So you have these IT resources that are making these business decisions for doctors and it never ends well. If the doctor’s like, you know what? I don’t want to buy a new firewall. I have insurance. I don’t care. Okay.

Alison Werner (33:22)
Yeah.

Gary Salman (33:26)
You knew and you made a of this decision. You either were on the right side or the wrong side of that decision. So every orthodontist has to start taking cyber seriously because this will destroy your practice. And there are way more cyber events in orthodontics than there are malpractice claims. That’s the reality of it. So everyone’s trying to defend against

Alison Werner (33:27)
Yeah.

Mm.

Gary Salman (33:53)
you know, malpractice and prevent an event like that. But how many people are taking cyber seriously where that’s what’s going to happen, you know, especially with the advent of AI moving so quickly. Everyone in the medical world right now and the business world is scrambling to figure out how are we going to defend against these AI based attacks. And just because you’re an ortho practice or a general dentist or, you know, pediatric dentist, it doesn’t mean you’re immune from these attacks. And look, the reality is there.

Alison Werner (33:55)
Right.

Right.

Mm-hmm.

Yeah.

Mm-hmm. Yeah. Yeah.

Gary Salman (34:23)
The IT companies are trying to defend the same way they did last year against modern threats. It’s not working.

Alison Werner (34:27)
Right.

Yeah. Well, Gary, I really appreciate you taking the time to kind of recap what you all have said on the panel. It was really informative. And I think, like you said, there are more cybersecurity attacks now than there are malpractice claims in the ortho industry. So this is very relevant for the moment. So thank you so much. I appreciate it. Thanks.

Gary Salman (34:48)
Of course, it’s my pleasure. Thank you.