DSOPro

Managing Cyber Security for 380 Dental Care Alliance Practices in 22 States

Written by Chris Scott | Aug 5, 2022 1:07:38 PM

DSOPro: Describe your background and what brought you into dentistry.

I have had a long IT career. I started in 1990 as an independent contractor, doing mostly networking and hardware. I did that until 1999 when I was fortunate to be picked up by General Electric, at GE Appliances. I was their LAN team leader. We supported 350 servers, internationally, for GE Appliances at that point. Then I transitioned into a role at GE Aircraft Engines, which was a Six Sigma Black Belt position. That is their “lean Six Sigma approach,” which is a quality program that they put everybody through who is on track to be an executive leader.

After that I had several manager roles, some in software development, some in data quality, etc. In 2008, I left GE after working in four different divisions to join Humana. As you know, Humana is one of the largest health insurance companies and is an overall wellness company as well, because they are involved in pharmacy and clinical, too. They also have a care delivery arm, which is primary care clinics.

I started in the office-based or distributed-office space support. In 2012, Humana began investing heavily in primary care clinics. I was the IT executive in charge of most of the acquisitions they were involved in back then.

We grew from 7 primary care practices to about 85 within just a few years. In 2018, most of the primary care practices spun off into a separate company, called Conviva Care Solutions, and I became the chief information officer (CIO) for that independent organization. We supported more than 100 primary care clinics across 2 states, Florida and Texas. We did so well that in 2021, Humana bought the company back 100%.

I wanted to remain an independent CIO and chief information security officer (CISO) so I began looking for my next opportunity and found a position with Dental Care Alliance (DCA). It was interesting how many similarities there were between the medical and the dental fields, particularly regarding working with doctors, front office personnel, and other staff members. So, I thought it was a perfect fit.

DSOPro: Tell us about the organization and your role. 

We are growing rapidly through affiliation. We have 380 offices in 22 states. When I started, we had 330, so we’ve added 50 in just a little over a year. I am the CIO as well as the CISO. One is more of a traditional CIO role, where you look at the whole of IT and where we’re going from a strategy perspective. A lot of that includes assessing what platforms we are on, what kind of capabilities we need, what kind of support the IT team has for running the business, and things like that. 

The chief information security officer position is more tactical. It focuses on how well patient information and our associates are protected whenever they’re online. We also address how to continue to implement tools and processes to make sure we’re safe. It’s very important because DCA has over 5,000 employees and serves over a million patients per year.


DSOPro: How big of a concern is IT security? Are CIOs and CISOs more common now because everything is digital and stored on computers and clouds?

It’s becoming more common. In big companies, like Fortune 50 companies, the CIO and CISO roles are separate. That’s usually by design, because the organizations are so large and the goals are a bit different between the two.

In private companies or small-to-medium-size enterprises, you see a lot of dual roles, where we’re tasked to do both things. If a person has that capability and experience, it makes a lot of sense.

DSOPro: Describe your responsibilities and your team.

At DCA, the IT team is about 50 people. I have four direct reports. One of them is solely focused on technical services: system administration, help desk functions, or level one and level two technicians to fix problems like that.

Another person is responsible for data. That includes any type of analytics or data warehouse functions that we need in order to provide data to the business. We procure that data and put it in a usable format so the analytics team on the business side can build dashboards. 

The third person we call an IT “conversion manager.” She is in charge of converting legacy practice management platforms to our preferred practice management platforms. Acquisitions likely have one of the mainstream practice management systems, such as Open Dental, Eaglesoft, SoftDent, Dentrix, or Dentrix Ascend. There’s a whole bunch of them out there.

Today, we have 15 different platforms and a strategy to get down to 3. My team’s job is to go to new practices across the United States and convert them from legacy platforms to our preferred platform. It will be a year before we’re done with just the existing offices, which doesn’t include the affiliations.

The fourth person on my team is in charge of new affiliations. At DCA, when we have an agreement with an office or a group to join the DCA family, we don’t just throw them into our regular processes. We have a dedicated group of people that eases them into the DSO structure and how we operate. For the first 90 to 120 days or so, that group acts as their single point of contact for all things IT, so that they don’t have to deal with the larger corporate environment.

Currently, 270 of our offices are on the Denticon practice management platform, which we prefer for several reasons. One is that we have a direct API connection into their environment so that every night we can get all the data we need to produce our daily production reports. Another reason is that it has more capabilities than legacy platforms.

DSOPro: What are some examples of the types of data you are gathering?

When you think about the way a dental office runs, you’re mostly concerned with how many patients there are. How many hygiene appointments do you have? What’s the average time for those appointments? How much money are you making in the office? All that data is easily gathered from Denticon because we have a direct connection to them. Denticon is cloud-based and has a regular web-screen interface. The offices have what we call a “treatment card” within Denticon so they can input all the information about a patient and any kind of dental treatment that patient receives.

The other reason we chose to standardize on Denticon is that the company that owns it also bought a cloud imaging provider. So, now those two things are being integrated together. 

DSOPro: Tell us about the strategy you put together and how it benefits DCA. 

I used this approach at GE as well because they would move you from business to business every couple of years, and you would start fresh every time. I got good at interviewing the business partners to really understand what their needs were.

At DCA, the first thing I did was get in front of all the VPs and senior executives to ask them: what are your pain points? What do you want to see out of IT? What can we do better? And those types of questions. Then I formulated three strategies for the organization. 

The first strategy bullet was system consolidation. How do we get to a smaller number of technologies, so that we can support them better? We talked about going from 15 practice management platforms down to 3 and what to do about the various imaging and telephone platforms. We’re currently going through the process of reducing 20 telephone platforms to 1.

The second strategy was to accelerate our IT security posture. In the past, DCA had struggled with some security policies, procedures, and tools so we just started fresh. I put together a roadmap for the next 2 or 3 years to get us to where we need to go. Ultimately, we want to be “HITRUST certified,” which is the gold standard of IT security.

The last thing was to build our IT team to better support the business. I noticed several positions were absent, so we’ve hired an IT security analyst, several people for the help desk, and a telephone engineer. Now we’ve gone from over 850 open tickets on average to about 190. So, the people working in the businesses can certainly feel the impact.

DSOPro: How are you dealing with vendors, credit card companies, and banks when it comes to security? 

Many of the technologies we have in place today have already been vetted. I’ve instituted a process whereby anyone within the organization who wants to evaluate a software product or potentially do a pilot with a product has to come to us first so that we can vet not only the IT security pieces, but also the architecture.

We evaluate things like how do we connect to the platform? When they transfer data, is it encrypted? When it’s stored, is it encrypted? We ask a ton of questions to make sure that no matter who we contract with, DCA is protected. We’ve probably evaluated 20 different types of software. We get requests every day to evaluate software from an architecture and security standpoint. 

Sometimes we add an affiliate that has been using a software that we need to vet to ensure that everything meets our standards. Or sometimes it’s something new to the market. For example, we just vetted a company called Sunbit, which does finance for dental offices. 

We also were recently approached by an online reputation vendor that helps get patients in the door and asks them to do evaluations for them. These things happen kind of organically. Division vice presidents and C-level people often want to investigate new products and we’re always right there to help them.

DSOPro: What kind of security threats and data breaches have you had to deal with?

Today, anybody in healthcare is a target. I’m in a PhD program on cybersecurity through Nova Southeastern University in Fort Lauderdale, and I’m doing my dissertation on phishing prevention methods.

The biggest threat across the globe is phishing. More than 3 billion phishing emails are sent around the world each day. When you think about that magnitude, you must have cybersecurity products and processes in place to ensure you’re protected from phishing emails and phishing texts, or any way that a “bad actor” could get into your network.

We have an application called Mimecast, which is an email security software. It lets us know if there’s anything strange within emails that come in from external entities so we can block them and put them in quarantine.

We also employ different tools to look inside our network to see what’s going on. We have a data-loss prevention software called CoSoSys Endpoint Protector that shows us if anything strange is happening on the network. If someone is copying gigs of data to an external source or a cloud drive or something like that, the software flags it and stops it until we can investigate. 

Lastly, we’ve deployed what’s called an “endpoint detection and response” (EDR) software called CrowdStrike. It’s an agent that sits on every endpoint. An “endpoint” is any piece of network equipment, any computer or laptop. It basically tells us what’s going on in that computer and acts as an antivirus and anti-malware product. It also is monitored 24/7 by a security operations center from CrowdStrike. It helps us sleep better at night, knowing that we have a lot of eyes on the network.

DSOPro: Is that all in anticipation of or as a result of having had threats and breaches?

I’ve been in cyber for many, many years and have seen the best-in-class deployments of a lot of these different software products. When I got here, DCA didn’t have many of them. So, we immediately got approval to buy the data loss prevention (DLP) system, the EDR system, a privileged access management system, and an identity and access management system. All of those things are critical to make sure you’re secure and your employees’ and patients’ data is secure as well.

I think it’s also very important to have a very strong, complex password policy. We had a six-character password. Now we have a 14-character complex password, which is almost impossible to guess.

Recently, we bought a security education training and awareness program that constantly goes out each month and does phishing tests to see how our organization is able to identify and respond to phishing email.

Ransomware has also been one of the biggest threats in the last 5 years. It’s hit every industry. Not just healthcare, I mean everywhere. That’s when someone, “a bad actor” they call them, gets into your network, pulls all of your sensitive data out somewhere, and encrypts it. Then they call and say, “I’ve got the keys to your data. Give me $10 million, or I’ll delete all of it or sell it.” Some very high-profile companies have gotten hit by ransomware in the last several years, including the American Dental Association. So, that is always in the back of our minds and why we put all these tools in place, to make sure that doesn’t happen here.

DSOPro: What kinds of interesting new or emerging technologies are you seeing in the DSO arena? 

In the security space, a lot of it is just knowing which tools to deploy and having enough people on your team to be able to look at all that data and all the logs to make sure everything’s secure. 

Outside of security, all the artificial intelligence platforms being introduced are interesting. We’re doing a pilot in 100 offices with Overjet, which is a fantastic software that may actually catch some things that the naked eye can’t. It is another tool in your tool belt for providing better treatment to patients.

A lot of the DSO vendors are trying to capture as much of the office operations functions as possible. Like the telephone system that we’re implementing, Weave. It’s much more than a telephone system—it does patient reminders, text to pay, missed call texts, and all kinds of other things. I think platform consolidation and functionality consolidation will continue to happen as well.

The reporting and analytic space is also very hot and will continue to be.

We are currently implementing guided biofilm therapy in 50 practices so far, which is a better, easier process for doing hygiene. The overall patient experience is better because it takes much less time than the traditional methods. 

Equipment and technology just continue to get better and better.

About Chris Scott 

Chris Scott is a seasoned IT Senior Executive with experience in top Fortune 50 companies as well as small to mid-sized private organizations across multiple industries (DSOs, health insurance, care delivery/primary care practices, retail, manufacturing/supply chain, government, financial). Chris is a strategic partner focused on building IT and IT Security strategies and solutions that are aligned with industry and business goals. He uses his 30+ years of career experience to improve the organizations’ IT and IT Security posture by designing a technology roadmap/strategy and implementation plan to bring positive change to all organizations. Chris can lead any size team and quickly build a game plan to assert positive technology changes in any environment. He has an MBA and is currently working on a PhD.

About Dental Care Alliance

Established in 1991, Dental Care Alliance is a national leader in the dentistry industry, serving as a Dental Service Organization to over 380+ dental practices across 22 states. DCA supports dental providers with a team of nearly 5,000 associates to support more than 3 million annual visits.