The Group Dentistry Now Show: The Voice of the DSO Industry – Episode 132

Gary Salman, CEO of Black Talon Security joins the Group Dentistry Now Show with attorneys, Virgil Ochoa & Sean Buckley of Dykema to discuss dental group practice and DSO cybersecurity in 2023.

The panel handles topics such as:

  • The recent rise in DSO cyber attacks
  • Overlooked cybersecurity elements in a dental group
  • What events lead to a cyber attack?
  • Potential consequences
  • Compliance issues
  • Cybersecurity due diligence before acquisitions
  • Much more

To schedule a demo with Black Talon Security visit – https://bit.ly/46D0qTs
You can also visit their website – https://www.blacktalonsecurity.com/

To attend the 10th annual Dykema DSO in Denver, CO July 19th – 21st visit – https://bit.ly/44EoZxI and use code GDNOW_23 to save $150.

If you like our podcast, please give us a ⭐⭐⭐⭐⭐ review on iTunes https://apple.co/2Nejsfa and a Thumbs Up on YouTube.

Our podcast series brings you dental support organization and emerging dental group practice analysis, conversation, trends, news and events. Listen to leaders in the DSO and emerging dental group space talk about their challenges, successes, and the future of group dentistry. The Group Dentistry Now Show: The Voice of the DSO Industry has listeners across North & South America, Australia, Europe, and Asia. If you like our show, tell a friend or a colleague.

Choose your favorite listening app below and subscribe today so you don’t miss an episode! Full transcript is also provided below. 

Full Transcript:

Bill Neumann:

Welcome everyone to the Group Dentistry Now show. I’m Bill Neumann, and as always, we appreciate you listening in, whether it’s on Google, Spotify, or Apple, thanks for listening in. We’re excited to have, we actually have three guests on today. One who has come back to the podcast, I think this is his second time on the podcast, and he’s also done some webinars in the past with us. So first off, thanks to Black Talon Security for sponsoring this podcast and thank you to the CEO, Gary Salman for coming back on the podcast.

Gary Salman:

My pleasure.

Bill Neumann:

Good to see you, Gary.

Gary Salman:

Honor to be here.

Bill Neumann:

Yeah, glad to have you back. And we have two guests that are new to the podcast, but if you’ve gone to the Dykema’s DSO conference in the past you probably have seen them, either in the audience or up on stage or both. But we have Virgil Ochoa, and we have Sean Buckley, both members of Dykema. So Virgil and Sean, thanks for being here.

Virgil Ochoa:

Thank you. I appreciate it.

Bill Neumann:

Great to have you here. We’re going to get a lot of great insight from all three guests on what’s going on in the DSO space specific to cybersecurity. There’s a lot of news out there, I’d say. Recently it seems to have ramped up quite a bit and we’ll talk about maybe the reasons why and then how DSOs and emerging groups can address that. And some of the ramifications to some of these cyber attacks that have been pretty profound and widespread.

So first off, Gary, why don’t you, for the folks that have not listened into the podcast, don’t know much about Black Talon Security, a little bit about you and then also Black Talon.

Gary Salman:

Sure. So I’m Gary Salman. I’m the CEO and co-founder of Black Talon Security. I’ve been in the dental technology space for about 30 years. Actually built one of the very first practice management systems for the oral surgery space. And then the late ’90s, I actually built the first cloud technology, dental, before anyone even knew what the word cloud was. So I had 1000s of users running practice management system off of servers here in New York where our corporate office is. And that was kind of my first segue into the real cyber world where there was no ransomware and there weren’t the sophisticated attacks we see today, but there were still intrusions into environments. And that was my first wake up call to cyber when our system was attacked. But the attack was stopped before any patient data was accessed.

It was an attacker out of actually Fort Lauderdale, Florida. The FBI got involved and actually made an arrest. That was kind of, I alluded to, a big wake-up call for us. We realized we had millions of patient records in the system and if that had been compromised, it could have been a major issue for our organization. And I’ve been interested in cyber ever since.

We spot up Black Talon in 2017, out of what I perceived to be a need. I was receiving lots and lots of phone calls from victims in the dental industry saying, “Hey, my practice got hit with ransomware, can you help me?” The company I was at wasn’t really positioned to do much, and I just said, you know what? Based on my experience in the cyber world and technology and working with all these practices, maybe we could actually do something to prevent these events from occurring. And that’s basically how Black Talon was formed.

Currently we support about 1100 dental practices and DSOs across the US. We also support industries other than dental, legal, financial, manufacturing. We have random businesses. We do security for a very large power grid up in Alaska, things like that. And we really focus on preventative services. How do we identify the risks associated with a network or within a network and implement preventative measures to try and prevent an intrusion into the network? Often results in ransomware. But the biggest issue we see, and we’re going to really get into this today, is the theft of the patient data. In almost all these breaches, the data is stolen and that’s a big problem.

Black Talon also does incident response. So we’ve worked 100s of ransomware and cyber events where the networks have been hit, compromised, data’s been stolen, these practices are typically down for a couple of weeks and we help those businesses and practices recover from these types of cyber events. So that’s kind of our background. So thank you.

Bill Neumann:

Thanks Gary. Virgil, little bit about your background and maybe talk about Dykema and their role in the DSO industry.

Virgil Ochoa:

So Dykema is one of these large law firms that kind of covers all aspects of the legal field, whether it’s insurance or litigation or real estate, employee benefits, any sort of area, the law firm covers it. But what’s unique about our group is we specialize in working with professionals, buying, selling practices and working with the groups that are PD backed. So our group spends a lot of time working with dentists, doctors, vets, ophthalmologists, and other professionals.

What I do, is I work primarily on the M&A side. So doctors, dentists who are selling their practice are affiliating with PE groups and that’s pretty much what I do all of my time. We also have a regulatory team, so if there’s issues relating to board complaints or any sort of other issues, we can address them. But what’s really neat about our group is, like I said, we have all the practice areas within Dykema, but all the specialists work within the dental group.

So any dentist that has a unique issue, we have somebody that’s probably seen it before. Dykema represents clients in all the states and a bunch of PE groups, a bunch of DSOs. I’m hesitant to ever say the number because it changes day to day, but it’s a lot.

Bill Neumann:

Thanks Virgil and Sean, talk about your role at Dykema.

Sean Buckley:

Yeah, so your partner here at Dykema, I am in our corporate group and focus largely on data security, privacy and healthcare space. So to reiterate what Virgil said, 400 plus attorneys, kind of really you need something, somewhere in a state, we’re going to have it. But the complexity of some of the deals and the novelty of some of the things that some of these DSO clients bring to us, whether they’re actual DSOs or platforms or new ways for delivery of provision of healthcare, are really exciting to work on and to see what those are. And one, to help mitigate risks, both to them, but also to some of the healthcare clients as well.

Bill Neumann:

Thanks, Sean. So let’s get into some of the questions here, and I brought it up earlier, but it does seem that recently, the past four or five months, there’s been a rise in breaches, cyber breaches specifically in the dental industry, some DSO, some maybe individual practices. Gary, is there, first off, am I explaining that right? Is there a rise and then if so, why is this occurring?

Gary Salman:

Yeah, look, I think a lot of these breaches over the last few months have made national news. It started off as post in dental group saying, “Hey, our practice is down. The rumors we got hit by a cyber event.” And the next thing you see, it’s on national news and spreading like wildfire. I think there’s a couple items that are contributing to the rise. The first is the rapid growth of the DSs. We see it all the time. We work with DSOs with 10 locations and just shy of 300. And what happens with a lot of these DSOs, is they’re moving so quickly, they’re acquiring practices, they’re often bringing in technology, some of it may be antiquated. They’re working with lots of different managed service providers who are all doing security different ways.

And then the big thing right now is there’s no visibility into that. So I talk with a lot of DSO executives and I say, “What are you doing for cybersecurity?” And most of the time I get a smirk, like, “I don’t really know. I’m not a technical person.” And I get that. But the challenge here is at an executive level, you have to know what you’re doing from a security perspective because when these things go sideways on you, they go really bad. You look at some of these DSOs that have been hit over the last few months. Some of them have been reported being down for four weeks. These are some really, really big organizations.

So you have this issue with rapid growth and the inability to gain control of the security of the environment. A lack of standardization is another big issue with, let’s say a DSO has 30 locations and there’s 30 different types of cyber solutions involved in those solutions. Some are good, some might be extremely poor. So that’s an issue.

I also believe that the hacking community has a concept of the size of these organizations and are starting to target them because they know the value of taking down a DSO, that generates millions of dollars, some of them per month. Some of them obviously generate hundreds of millions of dollars per year. They know that they’re going to pay the ransom because they don’t typically have a choice.

So sure, we would’ve said a year or two ago, I don’t actually believe these organizations are being targeted, but as this stuff hits mainstream media, you know for a fact that the hackers are looking at these publications, it’s all over the internet. Any IT related website or security website is talking about the attack in the healthcare space, the attacks I should say. So they’re following the money. And the hackers also know that most of these DSOs have pretty significant insurance policies and with insurance policies are typically, big dollars. So the hackers know if they hit some of these entities, they could be looking at multi-million dollar ransom payments.

So I think you have to look at it from multiple angles, and I truly believe that the hackers are doing it the same way. They’re saying, “Hey, where’s the dollars? How do I get to them?” And a lot of them are finding pretty easy entry points into these networks.

Bill Neumann:

So it sounds like, and my next question you may have already answered, which is, are DSOs sitting targets? So it almost sounds like in some cases they are, just because of the hackers are aware of the insurance policies, the fact that these are big organizations, they have a lot of data and they know that they’re probably going to pay the ransom. What are some elements that DSOs aren’t addressing when it comes to cybersecurity? I mean, it’s a really interesting question and I think a point in time because I know Gary, when we had you on probably a couple of years ago, you felt like it was very reactive. Everybody was very reactive, there wasn’t many proactive measures in place. Do you see that changing or do you still see this reactiveness to things?

Gary Salman:

I think it’s all over the map, to be frank. I’m still talking with DSOs that have no cybersecurity awareness program in place. DSOs with 500 plus employees, who don’t educate their employees, their doctors, on the various forms of cyber threats, like phishing and spear phishing and all these different social engineering scams. And this is a major problem because when an employee gives up their credentials to the VPN, to the network, to their cloud technology, to HR and payroll systems, you don’t have to be an overly… It doesn’t have to be a very complex attack in order to get into these networks. When you’ve given a hacker your username and password, they just log in as you, right? We’re not talking a highly sophisticated event.

So the lack of just basic security measures like training, is disheartening. And I think that a lot of times this is overlooked by the DSOs because just either at an executive level, they assume it’s being done by the managed service providers that are servicing their practices. Or they’re just, for lack of a better word, busy and focusing on acquisitions and growing their EBITDA and things like that.

So I do believe that that is definitely a big problem right now, a lack of training. And then, the other issue is visibility into their risk. So another question that I typically ask when meeting with DSOs is, “What visibility you have into your, what’s called a attack surface?” Which basically is kind of a fancy phrase for, “Where are you going to get hit? Do you know you’re going to get hit there? And what mitigating controls do you have in place to try and prevent that?” And what I typically hear is, “Well, we have firewalls, we have some antivirus software, we’re using some AI technology to identify if someone does breach the network or if malicious code somehow gets into our environment.” And I said, “Okay, that’s all good, but what do you have for offensive capabilities?” And then I kind of get that look like, well, what do you mean offense? [inaudible 00:14:45].

So I think DSOs are focusing on how do I react to an event? What alarm bells are going to go off if someone breaks into my network? And I argue that you’re missing a majority of strong cybersecurity posture, which is, how do we prevent those tools from even having to trigger? So offensive capabilities are things like cyber training, which helps people identify these types of social engineering scams. And then other technologies like penetration testing, where ethical hackers, good people, try and break into the network to expose the weaknesses in the environment. Even just vulnerability management. I would say most DSOs have no visibility into vulnerabilities on their firewalls, on their workstations, on their servers. And vulnerabilities are basically defects in a piece of software or defect in a piece of hardware that a hacker can exploit to break in. And this is all kind of your attack surface. And if you don’t have visibility into that, how do you defend against it? And that’s a huge challenge right now.

And then you also have remote workers and you have third party vendors and the attack surface just grows and grows and grows. And now everyone’s running around trying to figure out what’s my AI play and how do I integrate AI? And now we’re exposing our data to even more vendors. And that’s okay, right? AI plays a really important role in the dental space and its future growth, but we have to be really careful when it comes to linking all these systems together and giving companies and people access to these environments.

So attack surface analysis is something that I would argue that a majority of DSOs have no visibility into. They don’t actually know where they have risk, and then the executives can’t make risk based decisions to address it. They’re simply relying on someone telling them that they’re secure and we have advanced firewalls and we have advanced antivirus software, so we have nothing to worry about. And then the DSO turns around and they’re a victim.

So I think we have to start looking at cyber using a more holistic approach with not just these defensive technologies, but also these offensive.

Bill Neumann:

Thanks, Gary. Sean and Virgil, what do you advise your clients and what are you seeing out there right now?

Virgil Ochoa:

Yeah, so advising the clients is kind of a broad thing, but before we get to that, I wanted to follow up on a couple of things that Gary just said. One of them was on training and on growth and M&A. And we see this a lot. As a DSO is growing and they’re integrating in new practices, do they take the time to look at the old equipment that they’re buying? Because if you’re buying a dental office that’s been around a while and it’s got a 10 or 15 year old computer or old servers and such like that, they may not be ready to be protected.

And what’s the plan to integrate that in? Even if you have three or six months to replace that equipment, you’ve got a big vulnerability period there. Training is also a huge, huge factor there, when their folks are integrated in and the new practice comes on board the DSO, have they taken steps to make sure that everybody is trained in these security measures?

I mean, we still have groups that have the passwords written down right by the computer. I was in a dental office where I looked over where the receptionist was and they had the passwords written right next to the computer. Well, that’s really great. But those type of things are still big factors and everybody in the M&A process, there’s so many factors that they have to look into, reps and warranties and making sure that you’ve got a team ready to bring them on board. But I think equipment and training are a couple of the items that frequently could be missed.

Bill Neumann:

Thanks, Virgil. Sean?

Sean Buckley:

To reiterate kind of what Virgil said, especially on these DSOs that are taking down practices every single week. There was a big DSO a few years ago that got taken offline for a few weeks because one of the practice groups that they acquired had a vendor software that, once they connected it into their network, allowed some hackers to take down the entire organization, which is quite costly there. So when we go in, whether it’s on the M&A front or whether we’re on proactive counseling and saying, “How do you analyze your risks?” So is it internal risk, external risks?

We talked about employees being negligent, bad fingered, writing their password right there on the screen. But also think about disgruntled employees and insider threats and someone who might be trained to get back at the company, in addition to things such as your network vulnerability.

So one of the easy things to do because outside of a lot of these all have a human component to them, but managing your vendor and supply chain risk. Having a policy of when we’re going to engage a new vendor, what are the things we need to check with that vendor? What are their data security practices? Managing your risks through contract terms and templates and playbooks. Do we have a standard BAA that has certain provisions in it? Do we need an indemnity for certain data security breaches? Because a lot of your vendor contracts are going to be drafted in the favor of the vendor and they’re not going to put a whole lot of obligations or a whole lot of, open themselves to liability.

And so that vendor may not even have insurance, and that’s something you need to check, depending on the size of that vendor. We have a lot of startups in this space and the technology realm, that are doing cool things, but is their house in order? Because their house isn’t in order, it’ll affect yours.

So yeah, engaging with them proactively. Once you have your vendors in there, if you have audit clauses to do a security audit, this vendor has highly sensitive or protected health information, engage a vendor to do an audit [inaudible 00:21:25], “Hey, we’re going to send you a data of security questionnaire, make sure no red flags are going to come up.” And then suggest implementing the incident response plan and procedures in the event a vendor breach happens.

So if you get a call at 3:00 AM, it’s like, “What do we do?” It’s, “Okay. We planned this out, we know what the steps are, we know how we’re going to cut things off from the system. We know who we’re going to call.” And so it’s a playbook that everyone can turn to at the time of that crisis.

Bill Neumann:

Next question, Gary, it’d be interesting and to hear when an event unfolds, can you take us through maybe typical steps? What happens, how does it happen, and then how do you resolve it? And so again, I think the whole idea would be to be proactive versus reactive, but let’s say something happens, take us through those steps.

Gary Salman:

And to Sean’s point, having the playbook to deal with an event like this, an incident response plan is really important. The challenge that we’ve seen is, I don’t think we’ve ever walked into a ransomware case where anyone had a playbook. Everyone was kind of deer in headlights and just relying on us to guide them. And sometimes having a playbook can shorten the event dramatically. But let’s walk through typically what an event looks like.

So hackers will breach the network in one of two primary ways. One is through the social engineering that we talked about, tricking an employee to click on a link, to open an attachment, and that either gives up their credentials or initiates the download of a payload, a piece of malicious code. In either event, the payload or the access to the network gives the hacker a foothold into the environment. So it might be Mary’s front desk computer at Office 37. Now that they have access to that machine, what the hackers will typically do, is they’ll start analyzing the machine. What kind of defensive measures are in place? What antivirus software is on it? What other technologies are on this machine, that may alert someone that I now have a foothold on this machine?

Once they start conducting this analysis, they will then typically run a network map, which will show them every device on that network. And if you have a DSO with an environment where all your offices are connected, sometimes within an hour or two, they’re going to have a full network map of every single computer, server, switch, wifi, you get the idea in that environment. And then typically what they’re going to do is they’re going to run vulnerability scans. Just like a cyber company would, they’re going to run these vulnerability scans to try and figure out their next move. What devices can they exploit through a vulnerability to basically leapfrog through the network? They ultimately want to get to what I like to call the golden ticket, which is the data.

So they’re going to run these vulnerability scans, they’re going to find the machines they can exploit, they’re going to start cracking passwords, they’re potentially going to trick other people into giving up access to their devices. And they may do this for about a two-week period, all while trying to evade detection. And I will tell you, in almost all cases, they are successful.

Once they have this full network map and they’ve exploited the vulnerabilities, they’ve got administrative credentials to the server, the next thing they’ll do is they’ll start downloading the entire data set. They will take gigabytes and terabytes of data off of these networks. And depending on the speed of your internet connection, it sometimes could be hours, it sometimes could be a day. Once they’ve successfully exploited all of that data, that’s when typically they’re going to launch their final phase of the attack, which is the ransomware.

The ransomware attack will typically start encrypting the servers. That’s usually where they start. They pick these high value targets, which are the servers that are either what’s called the domain controller, which kind of manages the whole network, and/or the servers that house patient records, images, 3D, 2D images, et cetera. And once they launch their ransomware attack, the ransomware code starts encrypting or locking all of these files. So within sometimes seconds, that’s how fast these attacks can execute now, within seconds, the server gets hit. Then additional servers get hit, and then it starts spreading out through the environment and all of a sudden, the workstations get hit.

And typically they’re going to execute these attacks early in the morning. We normally see them execute about 1:00 AM when they know no one’s in the office. Why? Because they’ve already analyzed people’s behaviors and understand, hey, this is a dental group, no one’s treating patients or in the office at that hour. Typically, they know managed service providers aren’t monitoring the network. And they’re going to launch this ransomware attack and in minutes, all these machines are going to get taken down.

And the problem here is even though there may be alerting mechanisms in place to let someone know that this is occurring, typically by the time the alert goes out, by the time someone puts hands on keyboards to try and fend off the attack, it’s just over. It’s very similar to a criminal, pulling a pin on a hand grenade and throwing it in and just walking away. That’s what we see. Yes, there is AI technology and some other intrusion detection solutions that can potentially fight back autonomously within fractions of a second. But the biggest risk is really the theft of this patient date, which I’m sure we’re going to talk about in some more detail.

But the challenge here is the aftermath of these events. And you said it Bill, right? These events often shut these DSOs down for weeks, and that’s hit the mainstream news, is some big DSOs were down for two, three, or even four weeks with the inability to do anything, treat patients, schedule, patients run financials, take x-rays. So these attacks are really, really debilitating. And now everyone’s kind of running around like chicken, with their head cut off, trying to figure out, how do we get back up and running? And because of the size of these networks and these environments, it’s not that simple.

We’ve dealt with attacks that have hit 1000s of computers and in a healthcare entity and they, they’re down for a week or two, minimum. Because it’s such a heavy lift in order to get these systems back up and the network’s been completely compromised, you can’t just flip switches and start turning this stuff back on because you run the risk of exposing more patient data, allowing for additional attacks, allowing for the hackers to gain a stronger foothold into the environment if they’re thinking that they’re going to get booted out of this event.

So we have to deal with that. Then you obviously have all the legal and compliance issues that you have to start dealing with on day one. Because of the potential exposure of this data, you have to negotiate with the hackers. Most of the time you have to pay the hackers because they steal the data and they will publish it on the dark web. They have these dark web websites, they call them data leak sites, where they will post the name of the victim that they hit, type of entity they are, the amount they stole. And they’ll often publish a small percentage of the data just to prove that they actually have the data that they claim to have.

So in order to prevent the publishing of the complete data set that they stole, pretty much have to pay them. There’s not an option there. So most law firms, I’m not speaking for Dykema specifically, but most law firms will advise their clients that unfortunately, even if you have viable backups and your servers are back up and running, you still have to pay otherwise, you face future issues from a compliance and legal standpoint, which I’m sure we’re going to cover.

After the payment is made to the hackers, usually in the form of Bitcoin, the hackers then typically follow through.They provide “proof.” I’ll do the air quotes because they’re criminals obviously, but they provide proof that they’ve destroyed all of the stolen data. They will then turn the keys over and the keys are basically the decryption codes to unlock all of the data that’s been encrypted on the victim’s network. And then, from that point forward, it’s recovery and forensics. How do we get these systems back up online? Let’s start looking at this from a forensic standpoint.

Sometimes it’s very obvious, the hackers will literally show us every single file that they stole and they’ll say, “pick any file on this list and we’ll provide it to you.” And you ask them for five files and they provide it. Pretty straightforward. They got all your data, unfortunately. Other times, a full-blown forensics will have to be performed to try to determine, was data stolen? how much data was stolen? Et cetera.

But most of the hacking groups actually now realize that the thefts of the data causes more damage to the victim than the encryption of the data. So some of these hacking groups are actually limiting the amount of machines that they encrypt. And you’re starting to see a transition to heavy data theft and less encryption. And one of the primary reasons for that is hackers know that companies are deploying more sophisticated tools to detect this ransomware code and it will trigger, in some cases, and alert the client and they know that, hey, if we just walk away with all the data, they’re still going to pay anyway. So we’re starting to see big environments that are getting hit. The hackers will only take down the servers and leave the workstations alone, where a year ago, if you had a 1000 computers and you got hit with a ransomware, a 1000 computers would be hit with ransomware. So it’s very interesting to see what they’re doing.

And then the final stages are meetings with law firms like Dykema, going through the forensics, trying to determine is it a reportable event? There’s state issues related to compliance, there’s federal issues related to compliance. And then obviously, there’s medium and long-term consequences of these breaches. So it’s a very, very debilitating process for everyone, from the person sitting at the front desk, all the way up to the CEO and board, because for about a two-week period, no one knows really what the outcome’s going to be, right? You’re being controlled by criminals and you can’t take the control away from them, per se. They’re going to do what they want to do on their terms. And during that period of time, everyone’s wondering, hey, are we going to get through this? How bad is it really going to be? How many millions of dollars is this going to cost us short term? And then, what are the long term ramifications of these issues? Which I’m sure we’re going to talk about. Because the potential of a class action lawsuit is significant.

So I mean, that’s typically what we see. I would say that most victims in the healthcare space are down anywhere from seven days to about 30 days. So that’s very typical, regardless of the size of the network, regardless of what type of technology you have in place to think you’re going to get back up and running quickly, it’s just the norm. You talk to almost anyone that does this, they’ll all tell you it’s a minimum of two weeks to get back up.

I think there’s some other things too. Those debilitating breaches that are bringing your organization down. But there’s some blind spots out there too, for these organizations, that maybe they’ve handed some reigns off to their marketing teams or their website teams or app integration teams and kind of came to a head in December 2022, when HHS, Office of Civil Rights issued that bulletin saying, “Hey, if you are a healthcare organization, you’re using pixels and tracking technologies on your website, you’re potentially collecting protected health information, violating HIIPAA.”

So that was followed up a few months later with the FTC enforcement action against Better Health, [inaudible 00:33:49] that online counseling services saying, “Hey, you have been transferring certain data that you collected online to Facebook for targeting of advertising, without getting consents. You were targeting people based on certain things.” And then the GoodRx action. So it was kind of like bam, bam, bam. And we saw a lot of healthcare entities saying, “Oh, we didn’t realize.” A lot of times we think about a data breach or a reportable event being that hacker, the anonymous with the dark background and everything else. But sometimes it’s like, “Oh, I didn’t realize that our Facebook pixel was tracking when the patient was signing up for an appointment on this and was pulling those fields and we were using that for some other manner, or that certain call tracking technology, did we have appropriate agreements in place?” And so that, in my opinion, kind of a blind spot for a lot of healthcare organizations right now as well.

Bill Neumann:

Really interesting. Well, that leads into the next question, which are really, what are these consequences? So something like this happens and on the legal side of things, talk about the different, how exposed are these organizations? In what different ways?

Gary Salman:

Few different areas here. So HIPAA enforcement. OCR investigates, they can refer a complaint to the DOJ for investigation. Evidence shows non-compliance, they will work to get voluntary compliance, but HIPAA permits OCR to impose a fine for each HIPAA provision that’s violated. So those can range from a $100 to $50,000, depending on the culpability, right? Were you sitting on your hands, you didn’t have really good data protection practices, or were you pretty buttoned up as an organization? Did everything, but still got hit there. So state attorney generals can enforce certain HIPAA violations. But then outside of HIPAA, because everyone in [inaudible 00:36:07], “Oh HIPAA.” But there’s FTC enforcement, that can seek an order to CC from performing any of those kind of allegedly unlawful acts. They could seek civil penalties from 42,000 per offense. And then, a typical FTC consent decree, it can be more onerous than the actual fine itself.

You look at the GoodRx and that FTC order from them and frankly, their business model from what they’re doing, I don’t know if that’s long-term viable anymore because of that FTC consent order. There’s sort of state enforcement actions that can happen, but then you have the liability from potential plaintiffs and those can come. What we see typically is a plaintiff alleging that the breached organization didn’t have an appropriate cybersecurity program in place. So negligence or breach of contract. Or that that organization misrepresented the nature and effectiveness of its cybersecurity program or practices. So if you said in your privacy statement and your policies and your public basing documentation, that you guys are the Fort Knox of data security, but there’s actually a backdoor that you guys just knew about and didn’t close, that’s going to probably cost some claims.

Bill Neumann:

Virgil and Sean, do you see class action lawsuits with DSOs? Is this something that is becoming more common? Do you see it at all?

Sean Buckley:

We do in the industry. We have a cybersecurity response team that also defends these class actions and not only just class action, plaintiff wise, whether or not they have merit, but also we have a regulatory and litigation team that also helps with actions and state enforcement and federal enforcement. And you’re called up in front of the authorities to help there.

Virgil Ochoa:

I think it’s some-

Bill Neumann:

Go ahead, Virgil.

Virgil Ochoa:

Yeah, I was going to say, I hate to say it and it say that you shouldn’t want to use lawyers, but you never want to get here. I mean, you never want to get to these response teams and everything. That’s the biggest thing to remember is a little bit of prevention stops you from ever needing these responses. If you’re calling our response team or our legal team, things have gone horribly wrong. It’s much better to focus on the upfront preventative measures than to rely on us. We’re here, we’ll help you, but you don’t want to be there.

Bill Neumann:

And I think that’s important to go through a couple of things here, and Gary mentioned it earlier, which is it’s not just a potential class action lawsuit or some type of situation where the practices or the entire across all locations could be down for three or four weeks. So sometimes the focus goes to, okay, well there’s been a breach, the exposure there and what’s my potential liability? But then what’s just the cost of being down for two or three or four weeks across multiple locations, that could outweigh the liability risk?

Gary Salman:

The impact against EBITDA is huge. Yeah, I get it. Some of those patients will come back, but there will be patients who opt not to come back and just the closures and all the bills keep coming in. You can’t bill patients, you can’t bill insurance, you can’t process payments, things like that. And all those bills keep coming in and it’s a massive cashflow nightmare, is typically what we see. And Virgil, I know your team’s on the buy side, when you’re have a selling practice that may have experienced a data breach or a potential reportable event, that probably raises some concerns. And I know there’s some, on that M&A side, some considerations that buyers will extract out of the sellers just to make themselves comfortable, that I think are important. And you were touching on.

Virgil Ochoa:

Yeah, that that’s one of the things to consider also is not only do you have the short-term disruption, the long-term reputational harm, but if you are looking at doing the transaction, if you’re looking at selling to somebody, that’s going to come up. And what the buyer’s going to do is say, “Okay, well maybe you fixed it, maybe you didn’t, but regardless, I’m going to knock something off the purchase price because I can. And I’m also going to require you to take some remedial measures because again, I can because of the big impact here.” And one of the other reasons that the buyer may be doing that is the prior breach by an acquired party can affect the buyer’s ability to get cybersecurity insurance and their system.

So I jokingly say they do it because they can, but there’re real concerns there. We’ve had some groups, big groups, giant groups, that were looking at doing it in a big event, selling off their company. And what happened was when the insurance rep, a warranty insurance provider got in there and started looking at it and they said, “Well, do you guys have cybersecurity?” And they said, “Oh, we’re in the process of getting it.” But then they couldn’t get it because of some of the practices that they had affiliated with weren’t up to standards for the whole. So we’ve had entire deals, giant deals, get on hold where now you got to go back and integrate your practice, upgrade everything, get it all in place. So it’s just another disruption.

Gary Salman:

And we often say you don’t want to buy a breach. I mean, because of the long term consequences like we just mentioned, class action lawsuits, there could be ramifications a year or two from now, potentially. I don’t want to speak for you guys, but I guess class action lawsuits could come up at any point if people can claim harm, et cetera. To your point, we did a really interesting case a little less than a year ago, where a PE company acquired a healthcare entity, similar to a dental practice. It wasn’t a dental practice, but they acquired them. The new managed service provider came in, started putting some tools on the network. Their tools started popping hot on some very big, some malicious code. And when we got in there, it was way bigger than that. We were able to prove through forensics, the network was compromised in 2019, so almost four years prior.

And the worst part was that the hackers were selling access to this server and then some of the hackers are using that server to attack other healthcare entities. One of the healthcare entities that was attacked through this doctor’s practice was a hospital. So all of a sudden, that multi-million dollar acquisition of this practice, ended up costing that PE company millions in legal fees and compliance issues.

Now there’s lawsuits starting between all the entities and the hospital because it was never disclosed, that hospital that was hit was shut down for a couple of days because of that attack. Who would think that a little practice sitting in Arizona could be the conduit for an attack against a hospital system? And that’s what it turned out to be. So to your point, gentlemen, this is often way bigger than you think of it being just that outage for a couple of weeks. And cyber due diligence during the acquisition phase is a really important thing to do. Now, how do you know you’re not in breach? And it could have happened a week before you go to close and the malwares on it.

So conducting the cyber due diligence where you put specialized tools on the network to look for these intrusions, conducting a security risk assessment, evaluating their policies and procedures, which I’m sure Dykema’s big on, make sure that those policies and procedures are in place. And all these things that help an organization provide really sound security measures need to be in place during the acquisition phase, or you have to assess the risk and then make a business decision. Are you going to take it on and address it right away. Virgil, you said something really interesting and we see it all the time with these DSOs, they onboard these new acquisitions. It takes weeks or months to get all the security tools in place and during that period of time, they’re on the network. There’s a big exposure for the organization.

Virgil Ochoa:

And another point on the diligence side, whenever you’re going through diligence, if a company, a buyer, isn’t seeing anything, then they’re just going to kind of keep going along. But once they see one problem, they’re going to start looking for other problems, right? Because like Gary was saying, you don’t want to buy a breach, you don’t want to buy a lawsuit. And I think of it like buying a house. If I go in and I buy and I’m looking at buying a house, it looks good. I don’t see anything wrong, okay, fine. But if I start seeing a couple problems, I think to myself, “Well, those weren’t maintained. What else is going on here?” And a DSO acquisition is exactly the same, where we’ve seen it time and time again, they see one little red flag and then they really start digging in and it’s because they’re more suspicious now, and now the diligence process is hyped up.

That’s probably a good thing for the DSO side, but it’s going to be additional costs and additional time for the seller. So again, I’ll harp on it, I’ll keep saying it. Preventative measures, being ready, being all set ahead of time, makes life much easier.

Gary Salman:

Good point.

Bill Neumann:

Wanted to give Gary a chance to talk a little bit about using somebody like Black Talon Security versus maybe, “Hey, we’ve got an internal IT team that that’s handling everything.” Or they think maybe he’s handling everything. So tell us a little bit about the difference between having an external resource like yourself versus that internal team that they may currently have and may think they’re okay.

Gary Salman:

I mean, I think the best analogy is an audit. If you want to do it with a due diligence process, if you want to ferret out the issues related to security in that environment, the internal people probably aren’t going to be as open or even as knowledgeable to provide all that information to, in this case, say the leadership team, the C-suite, or. So when a third party comes in and does all the security testing and analysis and review of the policies and procedures, et cetera, they’re going to provide a true picture of that environment.

What we often see in these DSOs is any of the internal resources may not be capable of providing this type of information, these types of assessments because they don’t have qualified people, credentialed people, et cetera. Then you have people who are in positions, that were hired to do security and what are they going to tell their executives? “Oh, I’m doing a bad job at my job. Here are all the problems with our network.” So I think that’s an issue that we see quite a bit where the CEO of the company says like, “Hey, I talked to my director of IT and he says we’re all bited up.” How many times I hear that? And then we’ll go in there, after some conversations with the C-suite, go in there and then provide valuable data back to the C-suite showing them, “Hey, look, yes, these are things you’re doing really well, but here are all of the deficiencies and areas that are leaving you exposed that you haven’t addressed.” So I think that’s really important as well.

And then it’s this concept of trust but verify. I think we’ve talked about this on previous webinars and when we’ve been on stage together. The trust but verify is really important. Because in the end, it doesn’t matter what your IT teams are telling you from a security perspective, whether they’re internal or external, if there’s a breach, you own it. Even if your MSP comes and tells you, “Hey, we have you completely locked down, you’re totally secure.” And you get a ransomware and this costs you millions of dollars, the MSP’s not going to pay a penny. They’re going to say, “Hey, we did the best job we could.” And the executive teams were basing their security and compliance decisions based on someone that is kind of providing these IT services versus having a third party come in and actually analyze it.

So what does a third party company like us do? Well, we’re going to have a full-time presence on the network. Our security engineers are going to be monitoring the machines for vulnerabilities. These are these entry points into the environment. We’re going to deploy AI technology to look for potential intrusions. We’re going to make sure your policies, your procedures, your business continuity plans, incident response plans are in place. We’re going to do all this third party testing, right? Because there’s no skin in the game. We’re going to tell you exactly what your security posture looks like, whether it’s good, medium or poor. And then obviously, we make recommendations back to the executive team on how to improve things.

And then ultimately, that’s up to them. They get to now make business decisions based on data. And I think that’s a huge issue right now, is a lot of execs are making decisions on feel good answers. And I keep saying the same thing over and over again because I see it firsthand. When these DSOs get breached, they almost always say, “Oh, we were told we were secure.” But they had no data to back it up. And because they had no data, they couldn’t make decisions, purchasing decisions, et cetera, because without the data, they often make poor decisions. And that’s a challenge that we see.

So we come in and prevent these intrusions, and it’s been said multiple times, but in our experience, I would say everyone, except for maybe a couple, all of these intrusions, these ransomware attacks, these data theft, they’re all preventable. And sometimes it’s the stupidest little thing that allowed for the intrusion. An employee had administrative access to the entire environment and they got phished and they gave up their username and password and the hackers had the keys to the kingdom in a few minutes.

So adjusting things like that, or the firewalls weren’t configured properly and the MSP wasn’t checking the firewalls to make sure that they are configured properly, it wasn’t being done by a third party. So you add these exposures, right? Hackers will scan the DSOs firewalls 100s of times per day, and if the hackers find a vulnerability in those firewalls, they’ll sit there and start exploiting them until they get into the environment.

They may have no idea that it’s a Dell group or a DSO, but once they get in and they see healthcare data, they know it’s game on. The hackers have actually said to us in communications, “We know the US laws, we know the HIPAA laws. You have to pay, or we’ll release all the data.” I think a lot of these preventative measures are extremely effective at preventing these breaches, but they do really need to be audited and assessed by a third party in order for the C-suite to have actionable data in order to make business decisions. I think that’s what it’s all about. In the end, I think most of us are on this call are kind of in the risk management business. And by providing this actionable data back to the executive teams, they can then make decisions based on finance, their risk tolerance, things like that.

Bill Neumann:

Thanks Gary. As we wrap this up, I want to give everybody a chance to give us contact information. So Virgil and Sean, well first off, coming up very, very shortly, we’re going to have your 10th annual, I can’t believe it’s 10 years, Dykema DSO conference. And that’s going to be in Denver, July 19th through the 21st. So I know the address. So it’s www.dykemadso.com. If you go there, and if you haven’t registered, you can do that. I have a code for you. You can save $150. It’s GDNNOW. So like group dentistry now, GDNNOW_23, you put that in, you save 150.

But Virgil, if somebody wants to reach out to you specifically, to find out how maybe they can leverage your experience on the ,&A due diligence process specific to the cyber side of things, how can they do that?

Virgil Ochoa:

Yeah, easiest way, give me a call or an email. You can reach me through that Dykema DSO website. Email is Vochoa@dykema.com, and I’m on the Dykema website. Do want to reiterate, 10th conference, DSO conference going on in Denver, Aurora, Colorado. It’s going to be big, folks. It’s going to be a lot of fun. We’ve had drone shows in the past. We’ve got multiple bands, we’ve got some parties going on. We’ve got some great content from some wonderful speakers. We’ve got some great opportunities to connect with PE groups, with other professionals, with other service providers, such as Black Talon. So hope to see you all there.

Bill Neumann:

And Sean, how can they contact you? And I’m sure they’ll see you at the DYMA conference as well?

Sean Buckley:

Potentially. Potentially. Yeah. So Dykema.com, right? It’s our firm’s website. You type it in there, type my name into Google, Sean Buckley, right? You’ll probably find me. But email address is S B-U-C-K-L-E-Y@dykema D-Y-K-E-M-A.com. Yeah, happy to help any way we can.

Bill Neumann:

Thanks Sean. And finally, Gary, tell the audience how they can contact you and find out more about Black Talon Security. You’ll be at the conference as well.

Gary Salman:

I will be, for sure. Blacktalonsecurity.com. Hit is up on the website there. Gary@blacktalonsecurity.com. If you want to email me, I’m an open book, right? I say that on all these conferences. Reach out to me if you have questions, concerns, if you think something is just, doesn’t sound right, look right. This is all about education, taking care of people, so happy to have a conversation as well. But thank you. Appreciate it.

Bill Neumann:

That’s great. And thank you all for being here, Virgil, Sean, and Gary, and thanks everybody for listening in or if you again, happen to be watching us. Thanks for joining the Group Dentistry Now Show. Until next time, I’m Bill Neumann.


Facebooktwitterlinkedinmail