Why cyber security is no longer just an IT issue—it’s a compliance and operational issue.
Recovery and Protection from Cyberattacks - What You Need to Know: Part 2
Gary Salman, CEO and co-founder of Black Talon Security, explains what recovering from cyberattacks entails and the steps required to ensure prevention.
You can read Part 1 of this article here, which was published August 2023 in DSOPro.
DSOPro: How long does it typically take for a practice to recover and reopen after a cyberattack?
It’s all over the map in terms of the downtime. In the typical ransomware attack, where the hackers have breached the network, destroyed backups, and deployed their ransomware code across all the computers and servers, those machines are no longer functioning properly. Usually, they become unstable, but more importantly, they’ve been compromised. Hackers now have access and are potentially watching everything going on in those computers. So, the DSO can’t use them anymore because everything they pull up on their screen could potentially be monitored.
Once the ransomware is deployed, a ransom note appears on the screen saying, “We’re the ABC ransomware gang. We’ve hacked your system. Go to this dark web website to chat with us and we’ll tell you how to get your system back online.” It takes about 3 days for a cybersecurity company to scour the network and figure out how bad the event was. They determine if it was localized to a couple machines and a couple servers, or if it’s systemic and 100% of all computers and servers are impacted.
For some of the DSOs hit recently, every location, either regionally or nationally, was taken down. Some DSOs do not have connected networks, but the mid-size to large DSOs typically do.
So, for the first couple of days, we’re collecting forensics data to determine if the attack is a reportable event, meaning that the State Attorneys General of the states involved, or the Office for Civil Rights, which is the enforcement branch of Health & Human Services that oversees HIPAA, must be notified.
We put together a corrective action plan, which is telling the government the problem and all the things we’re doing to prevent this from happening again. The DSO will then undergo a full investigation, which can take a few months or up to a year and a half. The government will determine whether the DSO was doing what is necessary to comply with the laws to protect patient data or if they were negligent. From a compliance perspective, the ransomware attack is bad enough, but the aftermath from a legal perspective could be a total nightmare.
Meanwhile, the cyber company initiates negotiations with the hackers. They tell us their demands, how much they want, and how they will return the “keys” to unlock your encrypted data. Then a crypto payment must be made; most hackers are paid in Bitcoin. Either the DSO or the insurance company pays the cyber company the ransom, which is then transmitted to the hackers. When the hackers receive it, that triggers the destruction of the data and the release of the keys to unlock the data on the network.
Then, we start rebuilding the network and servers, reinstalling software, and getting systems back online. The bigger you are, the bigger the pain. A small dental group with 10 computers might take a couple of days. For a large DSO with hundreds or thousands of computers that need to be rebuilt, it’s a daunting task. Some DSOs are down for 3 or 4 weeks, because the number of resources required to rebuild these networks and the infrastructure is overwhelming. On average, most healthcare entities are down for a minimum of 10 days—and literally unable to do anything. They can’t access x-rays, do billing or scheduling, or run reports. Many of them can’t even do payroll. Sometimes their phone systems are down. These strikes can be very systemic—think about how interconnected all these systems are.
One of the worst things is that patients keep flowing through the doors because you can’t access your appointment book to see who to cancel. You may have 60 or 70 patients scheduled per day, or thousands, if you’re larger. You also can’t schedule patients who are calling because the system is down. Imagine thousands of patients every day trying to come in for treatment and nothing works.
DSOPro: What can be done to protect a DSO from this happening?
Most of our work is on the prevention side—but it’s not as simple as just installing some software tools and hoping it catches any hacking attempts. Black Talon secures about 34,000 devices in the dental space. We focus on two primary areas, which we define as offensive and defensive capabilities. Hackers typically break into networks by tricking people into giving them access. It’s known as “social engineering,” using phishing, spear phishing, phone calls, and text messages to get people to give up information. Team members may click on links that download malicious code right into the system that executes a ransomware attack. Staff may fall for an email telling them to punch in their username and password to authenticate access to their email or reset their password. And of course, the first question is, what is your current password? Responding to a phishing email may give complete access to the computer or to their email account, and now the hacker masquerades as them and has access to the PMS, digital imaging, email, accounting, payroll, finance, etc. They can cause a tremendous amount of damage in a short amount of time because they have full access to whatever that person had access to.
We address the social engineering component through cybersecurity awareness training, which is actually required under HIPAA. You must train your doctors and teams on various cyberthreats so they can identify phishing and spear phishing emails.
Spear phishing is a targeted attack against individuals. Often hackers go to social media platforms and look up the key individuals within the DSO organization and go after the CEO, CFO, or CTO. They craft and send very creative emails and hope they’re going to click on a malicious link to download a payload or fall for the “give me your username and password” trick. The hackers know these individuals have access to highly valuable information or administrative access to the network. Once a hacker gets administrative access to a network, it’s game over. They’re going to get everything.
Spear phishing can also appear to have come through internally. A hacker could gain access to the CEO’s email and send an email to the CFO saying, “I need you to wire $2.5 million for this new acquisition. Here’s the routing number, the bank name, and the bank account number.” Then the CFO thinks it came from the CEO, has heard they are closing on a big deal, and executes a $2.5 million wire to the hackers. Or they target the CTO—who they know probably has access to all the systems—to gain access to his or her account, which then provides them with a conduit to the entire environment. These types of attacks are extremely common and relatively easy to execute.
Phishing is kind of “spray and pray,” meaning hackers get thousands or even millions of email addresses and send out a more general type of message. But people are becoming smart about that, and hackers realize it’s not as effective as it used to be. However, threat actors are now using AI to quickly craft phishing attempts that are worded more as a native English speaker would write and with a higher sophistication in the aesthetics of the email, making it more believable for targets to think it’s legitimate.
It is important to send out simulated phishing emails that test the employees’ resilience, to see if they are still clicking on things they shouldn’t be. Simulated phishing emails appear to be legit. The cyber company can detect whether an employee clicked on a link or did something they’re not supposed to. If they did, they get retrained on the mistake they made.
Our training platform is a learning management system. The employees and doctors watch training videos and take tests afterward. The platform periodically sends them reminders to redo their training. We’re also constantly sending out security bulletins and alerts. The DSO has the ability to self-monitor as well. The HR compliance department will want to ensure all employees have done everything they need to do for compliance.
DSOPro: Explain why cyber security can no longer be viewed as just an IT issue, but as a compliance and operational issue.
The cybercrime industry is a $1.5 trillion industry. Unfortunately, the level of software development, strategy, and organization that exists is astounding and promises to evolve rapidly. Just as restorative dentists require the expertise of a dental specialist to treat patients, IT resources require the expertise of a cybersecurity specialist to protect the DSO against modern cyberthreats.
I think that’s a big challenge for DSOs, especially the small and medium ones. When DSOs are hit with ransomware or their email accounts are compromised, their executives often thought their IT resources had this under control. It is a mistake to solely rely on either internal or external IT resources to provide cybersecurity. Often, they don’t understand the regulations around compliance or the advanced types of cyberthreats that DSOs are being impacted with.
Part of a multi-layered security approach is knowing where you’re vulnerable. Adding antivirus software or AI threat detection into your network is a defensive measure, meaning hopefully it’s going to react when something bad is happening. But some hackers can definitely bypass that technology.
A security risk assessment is part of being HIPAA-compliant. It’s required under the law. Offense is simulating attacks against the network through penetration testing and scanning the computers every 4 hours looking for vulnerabilities or a defect hackers can find, exploit, and use to gain access to the network and data.
The technology we’re now using in DSOs tells us what the problem is, what the impact is, and then we fix it for you. Our technology can go to Google, pull down the fix for that vulnerability, and repair that vulnerability autonomously. Think of it as a self-healing network.
We are one of the few companies in the world doing this autonomous remediation and can go from vulnerability identification to fix within minutes or hours. Hackers are taking, on average, 10 days to exploit a vulnerability and break in. So being able to do this in near real-time is extremely powerful and should be part of every DSO’s strategy. I think the very large DSOs get it—and they likely have a cybersecurity strategy in place. I’d argue that a lot of small to mid-level DSOs either don’t have a strategy or they think they do but it will likely fail to protect them when it matters most.
It is critical to consider executive and board-level accountability. When a DSO is breached, the CEO, C-suite, and/or the board are ultimately responsible. The executive team needs clear visibility into what their security risk is to make business decisions on how to address it. Not being cybersecurity aware is a big problem across all industries, not just in the dental space.
DSOPro: Does a cyberattack impact the dental team as well?
In almost every ransomware attack, the doctors and the team are also personally impacted because the HR files, which include banking information, are on the network. Dealing with the fallout of that as well is a huge stressor for the practice owners. Now they must tell their employees their personally identifiable information is completely compromised, and they could be the victim of identity theft.
DSOPro: Any additional advice or trends?
I’m seeing more DSOs adopt the concept of “trust but verify” and the true importance of having an independent cyber company monitor security across their networks. If your IT department set up its own security and is the only one testing it, they can’t self-audit. In most industries, especially the medical space, this doesn’t fly anymore. Many healthcare groups have their own internal IT folks and maybe some internal cyber folks, but all testing and validation is done by an independent, outside firm that will give them a true picture that is not biased.
Another big thing is “cyber due diligence.” DSOs should be doing cyber due diligence when buying a practice because if its systems were breached prior to closing, you own that breach after you close. That could cost you thousands or millions of dollars in the future. Patient records, accounting, and dental equipment and technology are all components of a practice that are evaluated and assessed prior to purchase. We offer the ability to assess the cybersecurity posture and cyber event history of a practice prior to purchase.
Cyber due diligence conducted by a cyber company identifies whether it will be a risky acquisition, or the systems look clean and good to go. Today, private equity companies conduct very rigorous cyber due diligence before acquiring DSOs. If they feel that a DSO does not have proper cyber technology and solutions in place, it may delay the deal, lower the acquisition price, or even cancel the deal altogether because it’s a higher risk.
About Gary Salman
Gary Salman is Chief Executive Officer and co-founder of Black Talon Security, LLC. He is dedicated to data security and understanding the latest trends—particularly as they relate to the dental and healthcare industries. He has decades of experience in software development and computer IT, and he also developed one of the very first cloud-based healthcare systems.
Gary lectures nationally on cybersecurity threats and their impact on the healthcare industry. He has trained thousands of dental practices on how to maintain “best practices” in cybersecurity.
Gary also has over 19 years of experience as an instructor at West Point and in law enforcement. He is also a member of InfraGard, a partnership between the FBI and the private sector to share information and intelligence.
Black Talon Security has been called upon to assist with some of the largest distributed ransomware attacks in U.S. history, resulting in millions in ransom payments and tens of millions in damages to the victims. In every instance, all data was recovered and successfully decrypted. Black Talon Security is an expert in preventative measures as well as incident response, ensuring their clients are well-protected against cyberthreats.
Black Talon Security
Black Talon Security is a dedicated cybersecurity company that goes beyond traditional IT measures to protect your DSO against cyberthreats. Simply deploying threat detection and network monitoring tools is not enough to ensure robust security. Making informed, compliance-based security decisions requires more than just technical solutions. Our highly credentialed security engineers lend their expertise to properly assess and address the ongoing risk levels within your business—lessening the potential of a ransomware attack or data breach.