The Group Dentistry Now Show: The Voice of the DSO Industry – Episode 183

DSO cybersecurity

Scott Checkoway, CIO of DentalXChange & Gary Salman, CEO of Black Talon Security join the GDN Show. They discuss:

➡Cyber security concerns in the industry

➡Preparation and prevention of a cyber attack

➡Important considerations

➡Best practices for client communication

➡Creating awareness and tools that can help

To learn more about DentalXChange visit – https://www.dentalxchange.com/

To learn more about Black Talon Security visit – https://www.blacktalonsecurity.com/

If you like our podcast, please give us a ⭐⭐⭐⭐⭐ review on iTunes https://apple.co/2Nejsfa and a Thumbs Up on YouTube

Choose your favorite listening app below and subscribe today so you don’t miss an episode! Full transcript is also provided below. See all of our podcasts HERE.


DentalXChange & Black Talon Security Discuss Cybersecurity in 2024. Full Group Dentistry Now DSO Podcast Transcript:

Bill Neumann: Welcome everyone to the Group Dentistry Now Show. I’m Bill Neumann, and we appreciate you watching us today. As always, we have some great guests, great topics, and we have a regular on the show now, Gary Salman, the CEO of Black Talon Security. Gary’s going to keep us up to date on what’s going on with cybersecurity in late 2024, any of the changes, and some strategies. And for the first time, we have Scott Checkoway. He is the chief information officer at DentalXChange. So Scott, thanks for being a first-timer on here. And Gary, thanks for the return visit.

Bill Neumann: Yeah. Thank you. Thank you, Scott. Scott, why don’t we start with you, since maybe a lot of people might not be familiar with you. I had the opportunity at a meeting about a month ago to listen to you present when you were on a panel. But for the folks that don’t know your background or what you do at DentalXChange, can you fill in those blanks a little bit? What’s your background, and talk a little bit about your role at DentalXChange.

Scott Checkoway: Sure. My background is I’m 30-plus years in the IT industry, the last 25 in IT leadership, the last 20 in healthcare IT, the last six-plus as a CIO at some great firms such as MediAnalytics and One Home in Humana. And now I have the privilege of being here at DentalXChange, really just loving the opportunity to provide insight and guidance, operationally and in IT and security, to DentalXChange and to the DSOs and individuals out there who rely on us for all of their revenue care management needs.

Bill Neumann: Thanks, Scott. Gary, for the two people that might be watching this that don’t know who you are, could you give folks a little bit of background on you and Black Talon Security?

Gary Salman: Yeah, sure. So I’ve been in the dental IT and security space for about 32 years now. I spun up Black Talon Security with a bunch of really smart folks from Wall Street and Fortune 500 companies back in 2017. Fast forward to today, we secure about 50,000 devices in the dental space. We also have clients in the medical, legal, and financial sectors as well. You know, one of the things that we do is not only prevent, you know, intrusions into networks like ransomware, email-based attacks, etc., but we are a full incident response company. So we’ve worked hundreds of ransomware cases and other types of intrusions and truly understand what’s actually happening in these types of events, for kind of the theoretical stuff that a lot of people are talking about. So we have the ability to do full digital forensics and analyze and negotiate with the hackers, pay the hackers, and, fortunately or unfortunately, help the victims recover from these types of events. So we see the full scope of these things. And then we take some of the new tactics and techniques that these hackers are using to break into networks and apply them to the preventative side of our business as well.

Bill Neumann: Thanks, Gary. I want to ask you, I’m making a note here about these new tactics and techniques that the hackers are using. I want to find out what those are later. I’m just going to hold that off for now, but that’s going to be very interesting. Scott, cybersecurity concerns that you’re seeing in the dental industry currently, can you talk a little bit about those? I just received yesterday my Change Healthcare notification that some of my personal information has been exposed. We know that happened a while back, but it’s just interesting. Now people are starting to get those official notifications. But, you know, as far as concerns in the industry, Scott, what are you hearing from your DSO customers?

Scott Checkoway: Well, in the industry, really, and I touched upon it, Bill, as you know, from the DSO conference we were at, ransomware as a service is a real thing now, where you can have just the layman tech person connect with somebody on the dark web and be able to obtain ransomware and have it spread out to an organization. In the past, it used to require somebody with a high level of expertise and knowledge and understanding. And now on the dark web, they have call centers and they have people that you can just call in and say, I want to do ransomware on this company. And then they do the profit sharing among thieves, so to speak, where they actually have a group of people behind the scenes create this stuff and send it out there. And with that, the aspect of ransomware now has really, unfortunately, blossomed out there in a way that we really don’t want it to. So it’s requiring all of these companies like Black Talon, like us, to all really amp up our game to make sure we’re not the next Change Healthcare. And so our intent is continued due diligence every minute of every day. You know, they don’t let up. We can’t let up. We won’t let up. So it’s really just a matter of making sure that we have the best tools, the best abilities, the best people. And it really does take all of that. It takes that village, along with partners like Black Talon, to make sure that we are moving forward in a way that protects us and protects the industry from ever having this type of event happen again.

Bill Neumann: Gary, any thoughts on this?

Gary Salman: Right, these hacking groups, there’s numerous, 20, 30 big-name ones. They have their own branding, their colors, their logos, right, their attack methodologies, but Chris is spot on, right? Years ago, if you weren’t skilled, you weren’t breaking into networks. And now, if you’re trusted by the bad guys, you pay them, call it $10,000 in Bitcoin, and they’ll give you the most advanced hacking tools in the world. And if you attack a company and you get a hit, the parent company that sold you the tools gets, say, 40%, and you get to keep 60%. So it is a major, major problem. And the challenge here is that government agencies within the United States and other foreign agencies often find it difficult to track these people down and bring them to justice. So it is an ever-evolving problem. And we also have to keep in mind, Chris said it really well, it is a 24-7 operation. These hackers are attacking these networks relentlessly. They are just pounding on anything and everything. Sometimes they don’t even pick specific targets. They just kind of spray and pray against firewalls and modems to see what they can hit and get into. Then all of a sudden, when they do get in, they discover, oh, this is a healthcare system. This is a medical group. This is a dental group. It’s a company that services those industries. And it’s a major problem. And they also adapt, right? So, you know, we’ll talk a little bit more about tactics and techniques of these criminals towards the end of the presentation, but one of the big problems I see, especially with internal IT resources at companies and IT companies that service healthcare orgs, is they’re often not adapting quickly enough to address or combat these high-level threats. We’re seeing more and more victims coming to fruition, unfortunately, because these attacks are successful.
So I would love to talk a little bit about some of the tools and kind of the human intellect that’s needed to defend against these types of advanced threats.

Bill Neumann: Well, let’s talk about maybe how you can prepare for something like this, if there really is a way. Scott, can you talk a little bit about what DentalXChange is working on?

Scott Checkoway: Very much like what Gary was talking about there. It’s an aspect of technology and humans. It’s both, in that sense. You have to have good technology. You know, we utilize some of the best tools that are out there in the industry, but you also have to have that diligence amongst your own staff. And so at DentalXChange, for instance, I talked about it where it’s, you know, diligence every day. We of course do phishing tests, we do education and knowledge sharing and information daily with our staff. And it all starts at the beginning, when somebody’s even onboarded, where we talk about how security is paramount in the organization. And if you’re not serious about security, then it’s not the place for you here, because we have to be diligent every day. And so we look at all of these aspects of the tests that we do, we look at the aspect of the technology we utilize, and we make sure that we’re not just looking at prevention as an aspect of being defensive. It’s really an aspect of making sure that we are doing everything we can to be ahead of the curve. Again, it’s a 24-7 aspect to make sure that everything we do is hardened. And so, you know, the typical areas that you look at, like penetration tests and various types of pen tests and how often you’re doing them, those are all key. You can’t look at it now as an annual exercise. You have to look at this as continual exercises. And it’s almost like muscle memory, making sure that you’re stretching yourself every day to make sure that you’re looking at everything that you have in your ecosystem. And it can’t just be from the outside in anymore. You have to look from the inside as well and make sure that you have everything that you can possibly have to protect yourself in various different ways.
And so when you look at this from a security aspect, you look at it as well from there. There are DR-style tabletop tests and real tests that get performed in the industry. You have to look at the same thing in the security realm now. You have to perform these types of tests against yourself, as well as utilizing good vendor partners to have those tests performed against you as well. So it’s really just a culmination of all of that to make sure that you’re really as well protected as you can be.

Bill Neumann: So maybe, Gary, you can talk a little bit about this. We’re talking about preparation and being prepared for whatever might happen. What does the partnership look like between Black Talon and DentalXChange? Can you talk a little bit about how you work together?

Scott Checkoway: Yeah, so we’ve partnered with Black Talon in regards to all the things I just mentioned, doing pen testing and looking at our operation and making sure that it’s not just the security team we have within DentalXChange looking at this. We look at a trusted partner to make sure that they’re looking at us from both the inside and the outside. And we have had various styles of tests done. We’re looking at various opportunities for them to do different types of tests that aren’t maybe normal. Look at social engineering, look at technology. It’s looking at the whole holistic aspect of our entire organization, and what’s the way that somebody could get in that maybe we’re not thinking about? And so, you know, Black Talon does this for all of these types of groups all day, every day. And so we looked at a partner like that to say, tell us what we might not be looking at and help us get to that point to make sure we’re paying attention to all of the other areas that maybe aren’t the normal areas. So we’ve been partnering with them to do exactly that, make sure that every facet that we’re looking at is identified and protected, and so we feel very, very confident in our approach moving forward.

Gary Salman: I think Scott brings up a really good point here about security. And one of the mistakes that I see in all industries, forget just dental or healthcare, right? It is that organizations often approach security from a single perspective. So I often hear executive teams say, oh, well, we’ve got security covered. We are training all of our employees, right, and we’re reducing the chances of an employee causing a breach. I’m like, OK, that’s great. But, you know, Scott just mentioned, what about testing the security of your firewalls and devices through penetration testing? And then they’re like, oh, well, we did that, too. OK, that’s great. When did you guys do that? I think that was back in, like, 2021. You know, so all of these preventative measures have to be implemented. So training, simulated phishing, you know, where we’re sending emails out to the employees and executive teams to see if they’re clicking on things, downloading things, giving up critical information. That has to be done on an ongoing basis. Penetration testing, where ethical hackers working for a cyber company kind of assume the role of a cyber criminal and try and break into the organization. That’s one form of penetration testing. Another form of penetration testing is when, you know, a threat actor, a hacker, lands inside the network somehow, and they want to try and exploit the network from the inside, gain access to as much information as possible. And then there’s something called vulnerabilities, which is like a defect in a piece of software or hardware that a hacker will try and exploit to gain access. So, for instance, if the firewall has a defect in its software, a hacker can run a tool against it and the firewall is like, oh, come on in, Dave. You don’t even need a username and a password. And that’s a huge, huge problem right now.
And I find a lot of healthcare organizations, DSOs specifically, don’t actually have any programs in place to address a large percentage of these risks. So it is kind of a systemic problem. And I also think for executive teams, and Scott’s been on these teams himself, and that has probably set the record straight for many of the organizations he worked at, the executive teams typically don’t understand the true risk, and they hear things like, oh, well, we just upgraded our firewalls. And you know what, we just implemented some new antivirus software, and we are now backing up daily instead of weekly. And a lot of these things sound good in theory, and some of them are important, but overall, what we’re really looking for is a solution. All right, something that looks at every single aspect of where a threat actor can gain a foothold into your network, commonly called the attack surface, like where are you going to get hit? Are the front doors to your office, in concept, right open? Do you have people working from home that aren’t sitting behind firewalls? Do you have developers that are working on your code in a foreign country and they don’t have their devices properly secured, right? So a threat actor gains access to their laptop, poisons the code or uses their laptop to gain access into your servers and production environment. And kind of to Scott’s point, you have to look at every single one of these intrusion spaces, right? These areas that they can actually get into, decide, hey, how much of a risk is this? And then how many resources do we want to put towards those risks to protect them? And now we’re seeing third-party risk and fourth-party risk with the advent of AI and data sharing, where all of a sudden your data is not in one place anymore. It’s on seven, eight, nine different servers. So you draw kind of this data map of where your data is for your patients or your products, and you realize, whoa, look at our exposure.
It’s six or seven times what it used to be. And now we need to think about doing third-party assessments on anyone that touches our data or stores our data. And I find for most DSOs, they have no visibility into that, regardless of size, whether they’re 10 locations or hundreds. They’re not really understanding who has their data, where it is stored, how it is retained, who has access to it. And maybe your DSO avoids a breach, but a third party that stores all your data does have the breach. Obviously, we started off talking about Change Healthcare as the perfect example. So I think there’s a lot that needs to be done here. And there are a lot of wide-open doors on these networks, from either a technology perspective or an operational perspective, that need to be addressed. And I think Scott’s concept of looking at all of these possible entry points and addressing them is really spot on. That’s where security is right now. Look back a couple of years ago, maybe 12 months ago, a lot of orgs weren’t even thinking about this.

Bill Neumann: Yeah, that actually leads to a great question. And Scott, I’ll ask you about this. The awareness, and I know you wanted to mention something as well, but these DSOs have to be more aware than they were 12 months ago. So what kind of questions are they asking you, and how do you make them feel more comfortable as you continue to work with them? And then again, Change Healthcare really, I think, you know, has changed the way people look at things, and I think what occurred with Henry Schein as well. I mean, two really large organizations, for sure. Go ahead, Scott.

Scott Checkoway: Yeah. So sorry about that. So one of the things I wanted to add to what Gary was saying is you can’t look at this as a once-a-year exercise anymore. You know, a couple of years ago, really in the last five years plus, this whole thing has been blossoming, and you can’t just look at this as a check-mark-and-done exercise anymore. You can’t just say, oh, I looked at this and, you know, we’ve checked the box and we’re good for the next year. You’ve got to look at this as constant diligence now moving forward. So with that, you know, you’ve got to look at doing these exercises, not even twice a year. You’ve got to look at this, in my opinion, often, whether that’s monthly, quarterly at minimum, to make sure that you constantly have all of your abilities focused on protection. So, you know, in regards to what companies are asking us, everybody’s got a form of PTSD who was part of the Change Healthcare type situation. And so we’ve made it clear, we don’t want to be the next Change Healthcare. And so we’re committed to that in the sense of putting the tools, the technologies, the structure, the processes, the procedures, and the personnel in place, making sure that it’s that village, that we have all of the capabilities at hand, that we are constantly diligent about what we click on. We talk about it in our all-hands within DentalXChange every month. We go through phishing test exercises, and we make sure that we’re being diligent in teaching people. We go through Lunch and Learns, and we’re making sure that people are aware of what they should and should not be clicking on. We send out newsletters about it.
So it’s really just constant information, diligence, and making sure that people are aware. Not just, Gary kind of touched upon it too, it’s not just even at the office, it’s at home. You’ve got to make sure that your home networks are in a good spot. You need to make sure that what you’re providing as tools for the machinery that a work or a company would be sending out has all of the tools necessary so that you can make sure that you are safe and secure. It’s this whole ecosystem of making sure. It’s really a knowledge thing. I really feel like there’s this large gap, because you’ve got people whose core competencies, dental or otherwise, you know, they’re focused on helping a patient. They’re not focused on, you know, the technology. That’s where we have to all make sure that we bring a knowledge level to everybody about how to be diligent on your computer, how to be diligent at home, how to be diligent in your electronic life, whether it’s a mobile phone or a tablet or whatever it might be. It’s that single point that could occur that could then spread like wildfire. And so it’s really about constant diligence. And really what we’re seeing in a lot of the information back to us is, how are we making sure we’re checking ourselves? How are we making sure we’re being compliant? How are we making sure that we’re taking all of the necessary steps to not just check a box anymore, but to make sure that we’re keeping our dental data safe, secure, and reliable?

Bill Neumann: Thanks, Scott. That’s actually a great segue into something I wanted to ask Gary, which is, you know, you talked about dedicating more resources and time and also personnel. On the DSO and group side of things, let’s talk about the division of labor. You’ve got IT people, and in a lot of cases, a group may say, well, that’s enough. We have somebody that does this, versus somebody that’s focused on cybersecurity. So, Gary, what are you seeing with groups? Do they realize that they need more resources? What are you kind of seeing out there?

Gary Salman: So, interesting question. What I typically see is, as information is passed up the chain, right, so you maybe have a manager of IT, director of IT, CIO, CTO, you know, up to the CEO and even the board and private equity companies, what I see typically happening is, as that communication moves up the chain, it goes from, hey, we’ve got a major security problem. You know, we’re lacking here, here, and here. And by the time it reaches the C-suite and the board, they’re like, we’re covered. We’ve got this all taken care of. I’m hearing from everyone. We’re in a good place. And I think the challenge for most DSOs is the resources. And if you think about what internal IT teams are doing, or what external IT teams do, like managed service providers, they are typically fighting fires all day long. This doesn’t work. This cone beam is down. This practice management system isn’t working. I can’t get into my email. And these folks are typically dealing with this all day long. And unfortunately, security becomes secondary. And that’s when we start having problems, right? As Scott and I have been talking about, if you’re not watching this technology 24-7 from a security perspective, performing the tests daily, training your people, looking for weaknesses in software or hardware called vulnerabilities, if this isn’t being done and managed literally on a daily basis, unfortunately the hackers will find you, right? And find your technology, and they’ll either breach or attempt. So I wouldn’t say it’s the fault of the folks that are working in these roles. The challenge is finding the credentialed security engineers that are 100% focused on this. And you said it really well. There is this concept now called division of labor, and you hear a lot of the top law firms in healthcare talking about the importance of splitting the organizations up, right? Saying, like, hey, that’s great you have an IT team, but IT can’t be doing security. Your security team shouldn’t be doing IT.
Frankly, these should be separate entities so you have true checks and balances, because how often is an IT team going to report up the chain that, I’ll just say it for lack of a better word, they suck or they’re not doing a good job? It’s just human nature not to do that. And this is why companies like DentalXChange and most corporations now are looking for outside resources to actually do the testing. So they can get, you know, clear transparency into their actual security risk versus, you know, feelings, which unfortunately, a lot of executive teams in the DSO space are making very risky decisions based on feelings versus looking at, you know, actual data, KPIs that help them better understand where they have risk. So I think that’s the challenge that I’m seeing in the DSO space right now. And it’s not just the DSOs. We do a lot in medical. I see that there. I see it in law firms and other verticals as well. So as more and more executive teams become familiar with the types of risks that they’re going to have to deal with and the ramifications, you said it best, Change Healthcare woke a lot of people up, and it absolutely did. That’s what I would say. You’ve got to think about this stuff differently.

Bill Neumann: What about communication with clients? So I’ll kind of ask this to both of you. Do you communicate with your clients, whether the clients are your patients or the DSOs themselves? How are you communicating to them, maybe, the strategies that you’re putting in place? And then if there is a problem, what does that process look like?

Scott Checkoway: Yeah, absolutely. So one of the things we’ve employed is kind of a status page ability, where you can see real-time status of our systems, and the ability for us to communicate to DSOs and dental clients alike regarding any sort of issue, outage, or concern. On top of that, we have our customer service teams, and they also provide communication through our other portals. So it’s really just about how much communication do you want versus anything else. We’re now in the aspect of going more towards real-time, live communication through these technology mediums. And so we have everything interlaced and tied back into our systems, so that way you can know in real time what’s actually happening. If something is down, then we have our own incident management process and procedure, and we’re really making sure that that communication gets out through these mediums, whether it’s through the technological medium, or even through a phone call, either, if people are calling in, making sure we’re having automated messages, or being able to call the bigger DSOs and let them know, hey, we’re having this situation, we need to let you know about it. So again, it comes back to technology and human, making sure that there’s a way to provide that communication back. And like I said, I’m very excited about the whole aspect of the more real-time aspects of what we can provide in regards to statuses, and making sure people really realize, here are our systems, here’s how everything looks, and you can see that right through a dashboard.

Bill Neumann: Yeah, that’s so important, that real-time. You know, we all run into issues, technology issues. To be kind of guessing what’s going on, or waiting for an email, or trying to reach somebody live. So that’s key. Gary, on the DSO side of things, what are your recommendations, and how do you see groups and DSOs communicating to patients? Do they share any of these insights, that they’re prepared if something happens? And then if there is a breach, I know there are protocols, but maybe just talk about that a little bit.

Gary Salman: So I haven’t seen really any formalized processes where a DSO would communicate to a patient, hey, these are the things we have from a security perspective. I just don’t think a lot of patients are actually asking that question. Sure, there are people who, you know, probably like Scott and I, operate in this environment and may want to ask that question, like, hey, what are you doing to protect my data? I think the bigger question, and you raised it, is what does a DSO do in the event that they have a potential cyber event? And the way these things often unfold is, in the first couple of hours or the first day, depending on the size of the DSO and the type of technology they’re using, they may not even be 100% sure what’s wrong. Because all of a sudden, servers become unavailable. Data is unavailable. Things aren’t working properly. It’s kind of like, hey, I smell smoke. I see smoke, but I don’t quite see the fire yet. And the systems are down. Maybe it’s a technology issue. Maybe it’s a cyber event. And then typically, you know, within about 24 hours, it starts to become pretty evident that, hey, we have a cyber event. You see encrypted files on the network, which basically means the hackers have locked the files. We see a ransom note. We’ve been receiving phone calls from the hackers, emails. You’ve had a government agency walk into your corporate headquarters saying, hey, you know, I’m from this agency. And by the way, we’ve determined that your network has been compromised, because this is what we’re seeing. And then typically what happens from there is the message is going to be very tightly controlled, right? The law firms, whether they’re internal counsel or external counsel, are going to be very careful with what is said or not said in order to help mitigate future litigation, compliance, and regulatory issues. So often, and you can pick any case, right?
Any big company, healthcare organization, typically it’s a slow roll of information from, hey, our network’s down, we’re experiencing issues, you know, we’re not sure when we’re going to get back up. Maybe a day or two later, hey, we’re experiencing some type of cyber event. You know, we believe we have it under control. And then, you know, from that point forward, there’s more and more investigation being done by incident response companies to try and determine how bad the event is, how systemic it is. So all of our servers, all of our workstations, is it localized to, you know, one location, all of our locations, some systems, all systems? And the larger the organization you are, right, Scott can probably attest to this. I don’t know if he’s actually gone through an event, but he knows from dealing with these from other parties, the larger the organization, the bigger the problem, right? Because you could be dealing with an organization with 100 computers, you could be dealing with an organization that has 50, 60,000 computers, and in both those cases, some or all of the computers could be impacted. Unfortunately, information, and we saw this with some recent breaches, is slow to roll out. And I would say it’s not always because the company doesn’t want to share it. There may be factors that the general public just can’t know at this point for various reasons. So I would say one of the most important things is to have a plan. You can’t excel in these types of events if you don’t have a plan in place. And I know, Bill, you kind of said that at the beginning. What’s the plan if we have a cyber event at our DSO or at our organization? How do we handle it? Who do we contact? What are the standard operating procedures? Who do we bring in in the event that this occurred? What insurance carriers do we contact? And we could spend a whole presentation, hours, on this topic.
But what I find, unfortunately, is most DSOs, I’m talking more like the smaller ones, say, you know, one to 100 locations, most of them actually don’t have any plans. Right. Their plan is to open a claim with the insurance carrier and have the insurance carrier kind of guide them through it. I’d love to hear Scott’s opinion as well. One of the challenges here is you could lose, you know, hours and days because you don’t have a plan. Now you’re waiting for someone to either make up a plan for you or kind of guide you through the process. So like any type of an emergency, you have to have a plan. If you’re an oral surgery, you know, group and you have an anesthesia emergency, I would be willing to bet your doctors and your team members have planned for that emergency. But if you’re, you know, an organization and you don’t have a plan for a cyber event, it’s going to be a challenge. No doubt. I see it all the time. Very few organizations that come to us or, you know, law firms that hire us have a plan. These organizations do not have a plan. And it makes it even more difficult. So have that. It doesn’t just have to be for a cyber event. It could be for a natural disaster. It could be for civil unrest. Remember all the riots in major metropolitan cities? We had practices calling us basically saying, hey, they’re destroying offices right next to us. It looks like we’re going to be next. What do we do to save our patient data and network? And they didn’t have any plans in place. Just simple little things are often the difference between an event that might cost you hundreds of thousands of dollars versus... So have a plan, a disaster and incident response plan, so that you can literally pull that plan out and start executing as a leadership team.

Bill Neumann: What about some tools that can help, right? We’ve talked about a lot of the situations, things that can happen. What are some solutions out there, tools that really can assist?

Scott Checkoway: So from our aspect at DentalXChange, you know, we’re a user of CrowdStrike. And I realize that, you know, that has some connotations nowadays, considering what happened. And I’ll state for the record, I’m still a fan. I still think that they are one of the Cadillacs of the industry. And I realize that, you know, I saw some recent reports where people are moving away from them. And I realize that, you know, there’s no aspect of perfection in security. We’d love for it to be, but, unfortunately, issues do happen. I still believe that they’re one of the best out there. There’s certainly a lot of good vendors out there for antivirus. I still think that they do one of the best, and I’m still a believer in them. That’s one aspect of what you have to do. And then, for instance, we have also obtained technology called ExtraHop that does NDR, XDR, detection and prevention. And so it’s really a matter of looking at every packet that goes around your network. And whether it’s coming in from the outside or floating around within the inside, you have to look at all of that. That kind of goes back to what we talked about at the beginning. And so it’s really about looking at the holistic aspect of everything that you have. And again, it’s that due diligence. You know, Gary brought up some great points. It’s about having the plan. I’m a big fan of checklists. I could talk for a long time about those aspects. You know, it’s no longer just about having... you can have an incident response plan. You can have a DR plan. Everybody’s had those for years. You now have to have a cybersecurity response plan as well. You have to make sure that you pull out the checklist that’s specific to that type of event. You want to have your incident response prepared and you want to have your DR ready. But what’s your actual cybersecurity plan? You know, think about that. And I say that to the audiences.
Think about having some sort of... you don’t have to have it in tremendous, insane detail. But you need to have a cybersecurity plan. What happens in the event of? So the Change Healthcare thing definitely woke everybody up in regards to this can happen to big or small, but you want to make sure that you’re ready to respond. Just like having a plan at home for that natural disaster, what would you do? Or if you’re in the office and something occurs, what would you do? We all go through that training. So think about the same thing from a cybersecurity response. Gary had talked about or asked me about cybersecurity response from ransomware. I unfortunately have gone through one of these events. So I have that PTSD of going through this many years ago. And, you know, I swore to myself, I never want to have that happen again. So I take all the due diligence and the planning and the aspects of that very seriously to make sure that we’re looking at this from every angle, and that’s why we partner with people. You know, the individual company, you can have the best tools, the best people, but you still need to have a village of people helping you around making sure that all of this is protected. So going with a company like Black Talon and other good vendor partners, it really does take that village. It’s a group of people and companies to help you make sure that you’re well protected.

Bill Neumann: Thanks, Scott. Yeah, go ahead. I was just going to say, what are your thoughts on tools and things like that that you’re recommending that you’re providing for these DSOs and group practices and how’s that working?

Gary Salman: Yeah. There are numerous tool sets that I would classify as enterprise tools, right? That you’re seeing in, say, Fortune 100 companies now that actually have come down in price that should, and I will say really must, be used by DSOs. So Scott mentioned CrowdStrike. CrowdStrike’s a great technology, right? They’re, you know, one of the leaders. There’s technologies like SentinelOne, you know, which is CrowdStrike’s big competitor. So, you know, Lexus, Cadillac, BMW, Mercedes, you pick the flavor of the cars, right? But conceptually, that’s how it’s working. I’m seeing a lot of DSOs running antiquated antivirus software. And keep in mind with antivirus software like CrowdStrike, SentinelOne, any of them, anything can be beat, right? Nothing’s 100%, because if there was 100% effective technology, we wouldn’t even be having this discussion. I try and let everyone think about that and process that. Because I think so many organizations are like, hey, we bought SentinelOne, we bought CrowdStrike, we bought Trend Micro, we’re good now. But anything can be deactivated with enough time, resources, knowledge, right? They can disable this technology, they can bypass it. We’re all hoping, we all drink the Kool-Aid, that it can’t be, but we know in some circumstances it can. So that’s one level. And understand that some of these technologies are reacting once an intrusion has been detected, meaning someone’s already in your building, right? Someone’s got through your window, got through your door, they’re walking around your office in concept, right? Try to draw a parallel here. So these tools are warning, hey, I’m detecting someone in the network, I’m detecting malicious activity, malicious code, things like that. So the thought process is, how do we even try and minimize the chances of that? And another tool set, which we’ve said a couple times, is training. I am not going to get into any more detail on that, because I think you have a clear understanding of that.
Vulnerability scanning, right? Do I have open doors and windows that a threat actor can leverage to gain access to my network? So think of it as hardening the external perimeter of your building. If you make the external perimeter of the building so difficult to breach, maybe no one’s going to get inside to do damage. Same thing with these vulnerability scanners that are going to check your firewalls, check your computers, your servers, your printers, that smart TV hanging on the wall, and warn you, hey, this device is exposed, this device has a known vulnerability, you know, this device can be potentially compromised by a threat actor to gain access to the rest of your network. So vulnerability scanning is very important. Penetration testing, you know, we talked about security risk assessments, right? You know, how many healthcare organizations say they’re HIPAA compliant, you know, want to comply with the regulations, that haven’t even done a security risk assessment. So this is not really a technology, more of a process and a procedure, right, that you go through to understand what you’re doing well from a security perspective, where you have some weaknesses, and where you just have some flat-out major problems. And that way, the executive teams can make decisions on that. Security operations center. That’s another really important thing. That’s where an outside organization is watching your network 24/7, 365 days a year, looking for these intrusions. Because what I find with a lot of these antivirus applications is they’re picking up indicators that something’s wrong, but because a human doesn’t know how to use the tools properly or isn’t watching them on Saturday morning at 4 a.m., it’s helpless, right? It’s like saying, hey, someone’s in my house, and you’re dialing 911 and 911 doesn’t... And so a security operations center can really help with that.
And another huge risk that we’re living almost every single day right now is email intrusions. We’re seeing so many DSOs having their email systems compromised. And one of the things that I see there is sometimes these email intrusions are worse than, like, an intrusion into a server. Because if you think about it, and I want everyone to kind of process this, what’s in your email right now, and what would happen if a threat actor is able to download your entire inbox and sent box? Think about the data that’s in there, the confidential information, potentially the patient data, depending on the role within your organization, financial data, data on, if you’re a private equity company or a DSO yourself, you know, if you’re potentially going to sell to someone else, how that can impact your organization, other organizations, if those emails are compromised. And unfortunately, it’s a cascading or snowball effect when these email systems get compromised. Because what happens is, you know, Mary, the CEO of a DSO, has her account hacked, hackers download all of the data, and then they start analyzing and then start sending emails out to people she’s communicated with from her actual email account. And then all of a sudden, the damage is not just internal to that DSO. That DSO’s compromised email account is causing damage to other external organizations as well. You can imagine the consequences of those types of things. So I think implementing very strong email security is very important. And I do see quite a few DSOs that have nothing really in place. They don’t even have multi-factor enabled and enforced on email accounts because people are complaining. I see often the email systems are not configured properly, so threat actors break in and they bolt on these applications and extract all of the emails out of the email system.
But there are some really cool technologies out there that can read your emails before you get them, determine if they’re potentially malicious, look at the links, look at the attachments, and try and mitigate the likelihood of an intrusion into your email. But it also comes back to training and not giving up your username, giving up your password, or, you know, having your phone light up with multi-factor authentication and someone just pressing, oh, I think that’s me trying to get in, I’ll just authenticate them in, and they authenticated the hacker in. So, you know, at a pretty basic level, I think those are the things that need to be in place. And obviously different size organizations have different levels of risk. And as your organization gets bigger, your risk level, your risk profile, increases, and the amount of security and technologies that you have to put in place increases proportionally as well.

Bill Neumann: Thanks, Gary. That’s some great insight. As we start to wrap things up here, I’d just like to get final thoughts from both of you. And also, if you wouldn’t mind dropping your email address and best way to get in touch with you in case anybody is interested. I’ll say this before we get to these final thoughts. We’ve got some great content on our website from both Gary’s team at Black Talon, they do a CyberWatch article every single month, so we’ll drop a link to that. DentalXChange has some great content as well that they’ve shared with us. And so we’re going to drop those links. But Gary, why don’t we start with you, and then Scott, you can kind of finish things up. People want to get in touch with you, find out more about Black Talon. How do they do so? And any final thoughts?

Gary Salman: Sure. blacktalonsecurity.com. You can hit us up on the website there. My email is gary@blacktalonsecurity.com. So happy to answer any questions, concerns you may have, or run something past me. I’m an open book. I love to share and chat with people about what they’re doing from a security perspective. So please take me up on that. One thing that I say to everyone is you have to start looking at security the same way you look at your financials. Do we make business decisions based on someone saying, hey, we’re doing good this year. We’re up. I’m not quite sure how much we’re up or how much better we’re doing, but guess what, CEO, we’re doing fine. Does anyone run a business that way? I kind of hope not. But I do find, unfortunately, a lot of DSOs are kind of using that concept when they’re making security decisions. So there’s amazing technology available right now. We leverage it. It actually analyzes your security, gives you a security risk score, gives you very valuable KPIs, so you understand where you’re secure, where you’re not secure. You know, what does your technology debt, your tech debt, look like? You know, how are your people doing from a training perspective? Are your firewalls secure? And then as an executive team, you don’t need to be technical, but you can look at that data and say, wow, look at us benchmarked across, you know, all the other DSOs. We’re doing a great job, or we’ve got some major problems, right? Only 80% of our people are training. I have huge risk and huge exposure from that 20%, you know, presenting us with click risk and clicking on links and attachments. So you’ve got to be data focused with security nowadays. A couple of years ago, it wasn’t really even possible, but because of the ability to analyze, you know, so many aspects of your network, you know, using telemetry and analysis, you get a really good, clear picture of how you’re doing. This should be done by a third party, right?
Not your internal or external IT. I just want to say thank you. It’s always a pleasure and honor to work with you guys. So thanks for including me on your podcast.

Bill Neumann: Yeah. Thank you, Scott, and to DentalXChange for bringing Gary on. Scott, if people want to find out more about DentalXChange or they want to reach out to you, how do they do so? And then final thoughts from you.

Scott Checkoway: Sure. To reach out to DentalXChange, just www.dentalxchange.com. And to reach me, it’s scheckoway@dentalxchange.com. Happy to talk about any sort of technology security topics with anybody who wants to email me. Gary put it really well. It’s really about that partnership. Whether you’re a small DSO, a large DSO, it doesn’t even matter. Whether you’re a DentalXChange, whether you’re any sort of company out there, you need to have your village of people, your trusted partners, your advisors. Everybody should be looking out for your best interests. And so you want to make sure that you have brought in all of the expertise. It’s not just about that internal expertise anymore. So, you know, companies like Black Talon do this every day. And so you want to be looking at them and having them be part of your team in that sense. And so we partner with folks like Black Talon to make sure that we are well protected. We have great people, great teams inside, but it’s also those trusted vendor partner relationships, too, that are helping us make sure that we are constantly and consistently being secure, being protected, and making sure that we’re employing the best technologies out there to protect you. I call it, I’ve talked about it before, a healthy dose of fear and anxiety. It’s not meant to scare you. It’s not meant to keep you up at night. It’s meant to make sure that you are looking at your security just like you would at home, just like you would lock your car or lock your house. You need to make sure that you have all of the security measures at your office, whether you’re at home, whether you’re in a physical office, whether you’re traveling, whether you’re using your mobile phone, whether you’re using a tablet, doesn’t matter. You have to think about it every time you pick up any sort of device or use any sort of device and make sure that you’re really being diligent.
That one click could cause a world of problems within your organization. So one of the best pieces of advice I can give people to close this out is take a breath, take a step back before you make any sort of click on anything. Think about what you’re doing and make sure it’s the right thing that you’re doing for your organization. And if you have a question, connect with people like Black Talon, connect with people like myself, or connect with whoever your trusted vendor partner is. It’s never a bad thing to take that step back and ask the question before making a click if you’re uncertain. And so Bill, just wanted to say thank you as well. Really appreciate the time and the opportunity to be able to be on this podcast and talk with everybody.

Bill Neumann: Great, great way to finish things off. Great final thoughts. Yeah, take a step back before you click, right? That should be a slogan. All right, well, hey, thank you both. And we will drop the URLs and your email addresses in the show notes, and also a link to those articles that we talked about, CyberWatch and the DentalXChange articles that have been up on our website. Thanks everybody for watching us today. And until next time, this is the Group Dentistry Now Show.

The Group Dentistry Now Show has listeners across North and South America, Europe, Asia, and Australia. If you like our show, subscribe today and please tell your colleagues about us.