EDR Cybersecurity Technology: The Good, the Bad and the Limitation


As more and more DSOs look to upgrade their cybersecurity posture, we have been fielding many questions around Endpoint Detection & Response (EDR) technology. Upgrading your traditional antivirus technology to an EDR solution is always a great step in the right direction, but as with most newer technologies, there is too much misinformation and unrealistic expectations about what an effective EDR solution actually does and what its role should be in any security stack.

The Good

Let’s get the technical speak out of the way first and highlight some of the reasons why every organization should already have an upgrade plan to an EDR solution in place. EDR is a powerful cybersecurity tool that continuously monitors and analyzes network activities to detect, investigate, and respond to cyber threats. Unlike traditional antivirus software, which relies on a “dictionary” of known threats to determine what is potentially malicious, EDR uses advanced analytics and machine-learning algorithms to detect both known and unknown risks. This capability is crucial because it allows EDR to identify previously unknown malware and ransomware.

EDR solutions provide real-time visibility into network behavior, helping to enable faster incident response and remediation. They can isolate infected endpoints, block traffic to and from malicious IP addresses, and roll back to a previous uninfected state when necessary. Additionally, EDR tools offer forensic data about endpoint activities, network connections, and user actions, which helps in conducting root cause analysis and improving future response strategies. With the rise of remote and hybrid work forces, EDR has become increasingly important as it helps security teams defend larger attack surfaces and protect against sophisticated cyber threats.

The Bad?

Too many organizations are being sold on EDR as the “ultimate” preventative cybersecurity tool. These organizations are being lulled into a false sense of security around the effectiveness of EDR and the role it’s designed to play in any security stack. So where does EDR fall short? Offense. Simply put, EDR is 100% designed to perform only after a hacking group has gained access to your network. Total prevention should always be the goal of any organization or practice.

Prevention is identifying the technical devices across your network that have vulnerabilities and training your team to reduce the risk of a human vulnerability becoming the access point for an attack. Think of EDR as an alarm system on your home. Do you leave your doors/windows unlocked or wide open because you have an alarm system in place? Probably not. An effective preventative security strategy starts with knowing which of your doors and windows are open and closing and locking them.

  • Undetected / un-remediated technical vulnerabilities are responsible for approximately 40% of all ransomware attacks. Every organization should have a robust vulnerability management program in place to prevent cybercriminals from exploiting the open doors and windows that are present on firewalls, computers, and IoT devices. This is one example of a smart and effective offense.
  • The successful exploitation of human vulnerabilities is responsible for approximately 60% of all ransomware attacks. Threat actors are now using AI technology to socially engineer team members and trick them into granting access to systems. An effective cybersecurity training program that includes ongoing simulated phishing attempts is another great example of effective offense that reduces the risk of your human vulnerabilities being the access point of an attack.

The Limitation of EDR

Let’s stay with the EDR / home security system analogy for a little longer. As the popularity of home alarm systems increased, the response time to these systems decreased. Many police agencies no longer dispatch officers to respond to burglary alarms without any evidence to support that an actual burglary is in process. In these cases, is this home security alarm system still considered to be an effective preventative security measure or are people paying for a false sense of security?

If your organization has deployed EDR and no one is monitoring or responding to alerts from that EDR after-hours, is it effective or is it just providing you with a false sense of security that your data is protected? There’s no definitive answer to that question. Most EDR software is designed to autonomously kill malicious code, and most have the ability to quarantine devices to prevent the spread of malware, but the issue is that they’re not always successful. Through the use of AI, hackers are starting to figure out how to beat some of these defense systems.

The best preventative security tools available today still require the assistance of trained security professionals. A trained human should always be available to immediately respond to all alerts from an EDR tool. An actual person should always be available to determine whether an alert was tied to anything malicious or whether it’s a false alarm. Hackers don’t operate on a 9–5 schedule. When that EDR alerts at 3:00 AM on a Saturday morning, who within your organization is responding to that call for help?
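One way to answer the “who is responding at 3:00 AM on a Saturday?” question with data rather than assumptions is to measure time-to-acknowledge on the alerts your EDR actually raised. The script below is an added example, not code from the article or from any EDR vendor: it takes alert records of the kind an EDR console exports (alert id, severity, when the alert fired, when a human first acknowledged it), applies an assumed 15-minute acknowledgement target and an assumed 08:00–18:00 weekday business window, and reports the SLA breach rate separately for business-hours and after-hours alerts. The alert records and timestamps are constructed for illustration.

```python
"""Check whether EDR alerts are actually getting a human response.

Added example (not from the original article or any vendor SDK). The
ACK_SLA and business-hours window are assumptions; the alert records at
the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed response-time target; use whatever your runbook commits to.
ACK_SLA = timedelta(minutes=15)
BUSINESS_START, BUSINESS_END = 8, 18   # 08:00-18:00 local, Monday-Friday (assumed)


@dataclass
class Alert:
    alert_id: str
    severity: str                     # "high" / "medium" / "low"
    created: datetime                 # when the EDR raised the alert
    acknowledged: Optional[datetime]  # when a human first looked at it, or None if nobody has


def is_business_hours(ts: datetime) -> bool:
    """True for weekday timestamps inside the configured working window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def time_to_ack(alert: Alert, now: datetime) -> timedelta:
    """Elapsed time until acknowledgement; still-open alerts keep counting up to `now`."""
    end = alert.acknowledged if alert.acknowledged else now
    return end - alert.created


def unattended(alerts, now, sla=ACK_SLA):
    """Alerts whose time-to-acknowledge exceeds the SLA."""
    return [a for a in alerts if time_to_ack(a, now) > sla]


def coverage_report(alerts, now, sla=ACK_SLA):
    """Share of alerts that breached the SLA, split by when they fired.

    A high after-hours breach rate next to a low business-hours rate is the
    signature of a tool that is deployed but not actually monitored.
    """
    buckets = {"business_hours": [], "after_hours": []}
    for a in alerts:
        key = "business_hours" if is_business_hours(a.created) else "after_hours"
        buckets[key].append(a)

    report = {}
    for key, group in buckets.items():
        breached = unattended(group, now, sla)
        worst = max(group, key=lambda a: time_to_ack(a, now)).alert_id if group else None
        report[key] = {
            "alerts": len(group),
            "sla_breaches": len(breached),
            "breach_rate": round(len(breached) / len(group), 2) if group else 0.0,
            "worst_alert": worst,
        }
    return report


# Constructed sample: 2024-01-12 is a Friday, 2024-01-13 a Saturday, 2024-01-15 a Monday.
NOW = datetime(2024, 1, 15, 9, 0)   # Monday morning, when someone finally opens the console
SAMPLE_ALERTS = [
    Alert("A-1", "high",   datetime(2024, 1, 12, 10, 5),  datetime(2024, 1, 12, 10, 12)),
    Alert("A-2", "medium", datetime(2024, 1, 12, 14, 30), datetime(2024, 1, 12, 14, 40)),
    Alert("A-3", "high",   datetime(2024, 1, 13, 3, 0),   None),   # the 3 AM Saturday alert, still untouched
    Alert("A-4", "high",   datetime(2024, 1, 13, 22, 15), datetime(2024, 1, 15, 8, 45)),
    Alert("A-5", "low",    datetime(2024, 1, 12, 19, 10), datetime(2024, 1, 12, 19, 20)),  # after-hours, handled in 10 min
]

if __name__ == "__main__":
    for bucket, stats in coverage_report(SAMPLE_ALERTS, NOW).items():
        print(bucket, stats)
```

On the sample data the business-hours bucket shows no breaches while two of the three after-hours alerts sat unattended for more than a day, which is exactly the gap the article warns about: the tool fired, and nobody answered. Run the same calculation over a real export before deciding whether in-house after-hours coverage or an MDR service is the right fix.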

MDR Is Better

MDR (Managed Detection & Response) is an EDR solution that is monitored 24/7/365 by security professionals. EDR on its own is a powerful security tool, but it is one that requires 24/7/365 human alert response to fully function as it should.

Don’t make the mistake of deploying yet another security tool across your network without having humans available to assist at all times. And, of course, lock those doors and windows and train your household not to open the door to strangers, so that you don’t have to rely on an EDR/MDR security alarm system to hopefully do its job.



🚨Recent notable healthcare cyber incidents:

Westend Dental, a six-clinic practice in Indiana, has agreed to pay $350,000 and strengthen its cybersecurity and privacy practices following a ransomware attack in October 2020. The attack exposed protected patient information, including treatment plans, dental charts, and insurance details, and left the practice unable to recover the encrypted files. Key allegations include:

  • Failing to notify authorities within the HIPAA-required 60-day window (reporting occurred two years later in 2022).
  • Not conducting a forensic investigation to determine the breach’s full impact.
  • Lacking systems to track access to patient information and failing to recover encrypted data post-attack.

The Indiana Attorney General’s investigation revealed additional HIPAA violations, such as disclosing patient information in response to online reviews. Westend Dental will pay $350,000, improve its data protection protocols, and enhance staff training.

While the practice denies wrongdoing, the settlement awaits judicial approval. This case underscores the importance of robust cybersecurity and timely breach reporting in the dental industry.


Attorneys are investigating a potential class action lawsuit against DAP Health after a data breach exposed sensitive personal and medical information. The breach, detected in July 2024, involved unauthorized access to DAP Health’s email system. Impacted individuals were notified in November 2024. A successful lawsuit could mandate stricter data protection measures at DAP Health. Key Details:

  • Compromised Information: Names, Social Security numbers, health and medical data, financial details, and more were exposed.
  • Affected Population: Patients, employees, and clients of DAP Health and its subsidiary, Borrego Health.
  • Scope of Services: DAP Health, based in Palm Springs, CA, offers a range of healthcare services, including dental, behavioral, and gender-affirming care.

Medusind cybersecurity breach exposes sensitive patient data

On December 29, 2023, US-based dental and medical billing firm Medusind detected a cyberattack, which exposed sensitive personal, financial, and medical data of over 360,000 customers. Compromised Information:

  • Health insurance details (policy numbers, claims, benefits)
  • Payment data (credit/debit card numbers, bank account details)
  • Medical information (history, prescriptions, record numbers)
  • Government IDs (Social Security numbers, driver’s licenses, passports)
  • Personal data (names, dates of birth, addresses, emails, phone numbers)

The breach highlights a growing trend of cyberattacks targeting US healthcare providers, following significant incidents like the Change Healthcare and Ascension ransomware attacks in 2024. The US Department of Health and Human Services plans updates to HIPAA regulations, emphasizing stronger protections for patients’ protected health information (PHI).


Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.



Have a cybersecurity question or concern that you would like addressed in future Dental Cyber Watch articles? Please email it to info@groupdentistrynow.com

