Group Dentistry Now Show: The Voice of the DSO Industry

Gary Salman, CEO of Black Talon Security & Jill Dunnam, Director of Operations of Allied OMS share cybersecurity updates & strategies.

Duration: 46m
Broadcast on: 05 Jul 2024
Audio Format: mp3

Gary Salman, CEO of Black Talon Security and Jill Dunnam, Director of Operations of Allied OMS share their thoughts on the state of cybersecurity in the dental industry through Q2 of 2024. 

Gary and Jill discuss:

  • Cyberattack trends in healthcare in 2024
  • The sharp increase in attacks targeting the dental community
  • New key security strategies & technology 
  • Recent FBI warnings regarding OMS targeted attacks
  • Much more 

To contact Gary Salman email Gary at gary@blacktalonsecurity.com 

To contact Jill Dunnam email Jill at jdunnam@alliedoms.com 

Visit Black Talon Security - https://www.blacktalonsecurity.com/

Visit Allied OMS - https://alliedoms.com/

Follow Black Talon Security's monthly Cyber Watch column here - https://www.groupdentistrynow.com/?s=cyber+watch

If you like our podcast, please give us a ⭐⭐⭐⭐⭐ review on iTunes https://apple.co/2Nejsfa and a Thumbs Up on YouTube.

Welcome to the Group Dentistry Now show, The Voice of the DSO Industry. Kim Larson and Bill Newman talk to industry leaders about their challenges, successes and the future of Group Dentistry. Visit groupdentistrynow.com for more DSO analysis, news and events. Looking for a job or have a job to fill? Visit jointdso.com. We hope you enjoy today's show.

Welcome everyone to the Group Dentistry Now show. I'm Bill Newman and as always we appreciate you listening in or watching us on YouTube. As I always say, without a great audience like you, we wouldn't be able to get great guests on our show like the two we have today. Gary Salman, who is the co-founder and CEO of Black Talon Security. You may have seen him on the show a couple of times. I think this is his third time on our show, so welcome back Gary. Appreciate you being here today.

Thank you.

And we have, for the first time on our show, we have Jill Dunnam. She is the director of operations at Allied OMS. Jill, thanks for being here today to talk about this important topic, cybersecurity.

Hi. Glad to be here. Thank you.

Awesome. So, Jill, if you wouldn't mind a little bit about your background and tell the audience a little bit about Allied OMS.

Great. Sure. I've been with one of our founding practices for 19 years and helped to start Allied OMS. We started in 2020 and really grew quickly. We now have, I believe, 42 locations. And it was really started by doctors who had like-minded ideas and wanted to protect the legacy of their practices and really came together to say we wanted to do something different, and so I think what people realize this isn't too good to be true, and a lot of the doctors really knew each other from residency or somehow in school or just got to know each other. It's really almost been grassroots growth, and so it's grown quickly, and so it's been really special to me. I really believe in it, and so I love my job and operations.
I was served as a practice administrator for one of the founding practices, like I mentioned, and so I really feel like I have a heart for the operations of the practices, and love to be a resource for them, and so I really worry about cybersecurity. This is a topic that's near and dear to me, and so I'm excited to talk about this. Yeah, Allied's a really great group, I believe in it, so.

Thanks, Jill. Yeah, we're really excited to get your input on how you and Allied are handling cybersecurity. Gary Salman, for the couple of people, the two people in the audience that haven't met you before or seen the podcast, a little bit about your background, and then tell them about Black Talon Security.

Sure, thanks Bill, it's a pleasure to be here, by the way. So I've been in the dental technology space for over 30 years. I actually started my career in college writing practice management software for the OMS space, so that's how Jill and I got to know one another many years ago. And during that time, I actually built one of the very first cloud-based healthcare systems in the late '90s. That was my real wake-up call to cybersecurity. Back then, there wasn't ransomware, and we weren't experiencing the types of cyber events we experience today, but cyber intrusions were happening back in the late '90s and early 2000s, and we actually had an attempted intrusion in 2002, and our system was able to stop it. I had it from that point forward, I'd always been interested/obsessed with security, how do we protect this data, how to protect people and their businesses. So fast forward to 2017, I said, "You know what?
The healthcare space is hurting really bad from a cyber perspective, you know, practices of all sizes, dental, medical, small groups, large groups are just getting crushed with the ransomware attacks, so I decided to spin out Black Talon alongside with a couple of folks that I've known for many years, one of our head security engineers came from Wall Street, another one came from Fortune 100 type companies doing security compliance there, and we decided, hey, we need to help small and medium-sized healthcare entities protect themselves from these types of devastating attacks, ransomware, data theft, things like that. So today, fast forward to 2024, we secure about 1700 healthcare entities across the world. We also secure lots of businesses outside of healthcare, banks, financial institutions, accountants, lawyers, manufacturing companies, other software companies, actually quite a few companies that service the dental space. So in our purview, we are responsible for about 46,000 devices in the healthcare space, so we have a very significant footprint, and we service DSOs of all sizes. We have very small DSOs with a couple locations, and we have quite a few of some of the largest DSOs in the United States that are utilizing all of our services.

Thanks, Gary. So as we get into the discussion portion of the podcast, and we're halfway through 2024 already, what do things look like in the healthcare space and maybe specifically dental? When it comes to cybersecurity, and maybe how does that differ than 2023, Jill, I don't know if you want to kick it off from your experience and what you're seeing on the OMS side of things.

Gosh, I feel like the stakes are higher. We've seen so much on such a big scale, I think with the Change Healthcare thing that's happened, which I feel like everyone knows about, the volume of attacks are much greater, and I think awareness is increasing as well. I just feel like no one is immune. I just think the volume is huge.

Gary, how about you?
You're looking kind of in a really high level across the dental industry and in other healthcare verticals. What are you seeing?

We're seeing some interesting shifts. The first is a huge increase in email intrusions, so we are now actively seeing the executive teams of DSOs being targeted, and their email accounts being taken over. That's caused interference with deals, that's caused significant wire fraud and other types of fraud within those environments because the hackers actually get into, say, the CEO or the CFO or the CEO's email account, start firing off emails, saying do this, do that, send this, wire this, name this, and all of a sudden it sends the organization to a state of chaos. The other problem is a lot of times the multi-factor authentication codes are being sent to these email accounts, so what happens is it's not just the email account that's being breached. Now they get into bank accounts, and they start wiring money out of the DSO's bank accounts because they set up multi-factor authentication. The code's going to the email, which the hacker has access to, and then they go in and execute hundreds of thousands of dollars or millions of dollars in wires, which we've now seen. Email intrusions are a huge problem right now. I would say they are 10 times more prevalent than ransomware, and ransomware is obviously growing. The severity of ransomware, I say it every single year, just gets worse, right? It's not going away. It's not decreasing. The only time we saw a drop in ransomware attacks was when the war with Ukraine and Russia kicked off, and they kind of dropped off a cliff, really didn't exist for a few months, but they're back in full force. The government's doing as much as they can to try and take these organizations down, but I say it's very much like terrorism and the drug war, they just come back. They either come back as a new brand, they change their name because their code survives, and they come back and they hit us with a vengeance.
The sophistication of the code is very significant, and the other big problem that I'm seeing, Bill, is that a lot of this malware and ransomware is evading antivirus software. A lot of DSOs have what they think to be kind of the cream of the crop or tier one antivirus solutions. Unfortunately, we've seen it firsthand, this is it, on the Internet story, we've seen the hackers evade this antivirus software and encrypt the entire DSO's environment. I think that's one of the things we really need to dig in because the problem that I see right now is most DSOs are playing defense, and they don't have an offensive strategy, and Bill and I will kind of dig into that in a little while and explain really why DSOs need to have an offensive measure. I would say the last thing that we've seen, and I would hope most DSOs are aware of this by now, it's a whole new form of social engineering, fancy word for trickery, scam. And now the hackers are actually calling practices and getting the staff members to do things, right? So, the briefing that I was on a little over a month ago with the FBI, the American Dental Association and the American Association of Oral and Maxillofacial Surgeons basically talked about a scam that impacted the plastic surgery market that is now moving into the dental market where hackers actually call a practice, they pretend to be a patient, they convince the staff member to send the hacker an email that contains online patient registration forms, the patient fills them out by hand, and then emails them back to a team member at the practice, the team member opens them, he or she clicks on two links and that executes the attack against the DSO or practice. So really, really significant change in their attack methodology, and Jill would probably back me up on this, but we know most of the staff members that are answering the phones and scheduling patients, they are helpers, right?
They want to be helpful, they want to please the administrators, they want to please the doctors as well as the patients, so often it's kind of, they're kind of an easy target for the hackers to go after, because most staff members, if they're not familiar with this type of scam, they're just going to do it and that's very important.

Absolutely.

It almost sounds, so it sounds like things have really ramped up and these email attacks are really interesting, so the one thing I think I learned from just that first point is don't have your authentication come to your email, right, that for sure, definitely don't do that. We have, we've been working together since the beginning of the year, we've been Black Talon Security and Group Dentistry Now, so we've been kind of highlighting the things that are going on in dental and in the healthcare space in general. So we have a column called Cyber Watch monthly column and we'll drop links to the past couple of issues of that to make sure that you stay on top of things and it's just amazing the activity that we see as we kind of track some of the news stories and they always lag behind, so there are things and eventually they have to disclose them, so we feel like we're always a little bit behind, but the activity is really ramped up. So Cyber Watch, we'll make sure we drop those in the show notes. So sharp increase, but it feels like it's targeting the dental community and, Jill, do you have any thoughts on maybe why that is?

Yeah, I do.
I really feel like, and this kind of goes on what Gary was saying about the team members wanting to be helpers, I feel like the dental industry is really a trusting industry all the way across, you know, general dentists, oral surgeons, all the specialties who are built on relationships with people and not necessarily advanced in certain technologies in some of the general dentists that a lot of our oral surgery offices work with, they still are slow to come to encrypting emails, and our oral surgery practices have to really work hard with our referring offices to say, "Hey, let's get some encryption on those referrals you're sending over," and so, you know, it's sometimes slow to change and, you know, some other industries, they're already a lot more advanced in some of those areas than the dental world, and so, again, it's built on relationships and trust, and also trusting IT providers. They have an IT person that, you know, they're friends with, or it might be their neighbor, and so, I think we have to say, we want to make sure that there's somebody watching those things rather than trusting the IT person and say, "Oh, I've got it, your IT is good, I've got it safe, I've got all these things covered," and so, we want to make sure that it's based on real data and not just a feeling of trust that everything's just good, and another thing that I was thinking about is, you know, doctors are really trained about risk management from a clinical perspective, and that's really ground into them from, you know, we want to avoid lawsuits, we want to make sure that we're taking good care of patients, and I think also in oral surgery, there's another element, you know, in Allied OMS, we have training that's extremely robust, we have such great practices, our teams are excellent at taking care of patients from a sedation standpoint, making sure that they're all really trained on all of our sedation practices, recovery, and emergency protocols, that's something we're really
proud of, and so, again, from a risk management standpoint, are we really ready for whatever scenario could happen, but that's, again, a clinical perspective, but I think we need to switch our mindset to what are some of the other risks that we have, and we don't have a risk management mindset from a technical perspective, again, I think we go back to this really trusting mentality of, here's my specialty, I'm going to trust my IT guy on all the IT things, and we're not verifying some of those things, and so, I want to talk about, you know, third party audits, I think we could talk about that, you know, further down in our conversation, but I think we need to think about risk management from all the angles.

Yeah, thanks, Jill, and, I mean, obviously, there's a lot of value in those patient records, right, Gary? So, I mean, that would be one obvious reason they would target the industry, and I forget what, I mean, I'm sure you have the value of each patient record, I remember you on a previous podcast, Gary, kind of talking about what, you know, what the value is of each one of those records, but talk a little bit about that and maybe some other reasons.

Yeah, look, I think the hacking community is well aware that when they attack a health care entity, they're going to get paid, right, if you look at what most of the leading law firms that specialize in compliance, especially related to health care, when we get on the phone calls with these law firms and we're, you know, in the middle of a ransomware event or theft of patient data, most of the time, what the law firm will advise, not always, they'll say, listen, even if you have a backup, the fact that the hackers have stolen all your data, you need to pay them to make sure that this data is not sold on the dark web, released on the dark web, used for nefarious purposes. Doesn't mean that the hackers won't do it, but usually if you pay them, they will honor their word, right, kind of like that honor amongst thieves.
So the big problem that I see is really what's called the double extortion methodology, which basically means that not only do they encrypt or lock all of the data on your servers and workstations and cloud technology, they also steal it, right? And now they know, hey, we got you, right? We now know this DSO is going to pay us the $3 million in ransom because we walked away with a million patient records. So that's a huge problem. And then the other thing that we are seeing firsthand is the triple extortion methodology. And basically what happens here is not only do they encrypt your data, steal your data, but now they start contacting your data. Just wrapped up a ransomware event recently where the hackers literally got all the doctor's cell phone numbers, the accountant's phone number, the CEO of the DSO and created an anonymous Google phone number, and every hour on the hour for days, would call those folks demanding that they pay the ransom. And then they started calling the individual practice locations, and then an attack just prior to that, they're actually calling patients. So I think a lot of DSOs and executive teams don't realize how significant of an event these attacks are and how the hackers will always continue to ramp up their methodologies and in order to ensure that they need. So that's a big problem right now. And I hear a lot of executive teams say, well, we're in the cloud or we have multiple backups, so we'll be okay. And I always say that's not the problem. The problem is they're going to get your data. They will persist on your network for weeks until they figure out how to get the data. Whether it's in the cloud, in a cloud EMR system, on your own servers, in Amazon Web Services, in Microsoft Azure, right, all the places that DSOs are kind of, I'll do air quotes, kind of like securing or hiding their data, hackers. I see it almost every time, because they know they're not going to get paid most likely if they don't steal your data.
So that's a significant challenge right now.

Okay, so got this increase in attacks, the attacks are much different, right? We talked about the email intrusions as well this year. So let's talk about some key items that DSOs really of any size, because you talked about it before, Gary. This isn't just for the large groups out there. This is happening to solo practitioners, smaller doctor-owned and doctor-led groups as well. So what should they be aware of when it comes to security in 2024 and, you know, either Jill or Gary, whichever, who wants to start the conversation there?

I think you can often fill in, you know, I think Jill actually said already, I mean, she nailed it. You have to be data-driven. You run your practice, your group, your DSO, utilizing data for almost everything you do. But when it comes to security, what I often come across, when I talk to executive teams or owners or groups is this statement, we're fine. I trust my IT folks. They told me we're secure. And then what I always say is where's the data to back that up, right? How do you know you're secure? How do you know how you're doing over time? Are you more secure today than you were six months ago? Are you less secure? If I said to you right now, are your firewalls properly configured? Are there any open vulnerabilities on those computers, servers, laptops, firewalls, devices? These are all questions that you have to have because, you know, an individual like Jill, she has to make data-driven decisions. And by just having an IT resource, whether it's internal or external to the DSO, just tell you that we're good. It doesn't work anymore. Because in the end, the executive teams, right, you know, for instance, Jill and her executive team, they're the ones that are going to have to answer to state and government agencies when there is a breach. So yeah, so Jill, if you want to talk a little bit about, you know, some of the things that you see from your perspective, I think that'd be great.
Yeah, I think, you know, to be able to get buy-in from our financial team, even on expenses or risk, before we had, which Allied OMS uses Black Talon just for background, but before we had that, you know, we really didn't have insight into what our gaps were. And I think it's so much better to be doing something than, you know, just guessing. And I think you're never going to have an airtight system where everything's perfect. But, you know, I think how do they say it? I think someone at Black Talon, Josh, would use an example of a parking garage. Somebody wants to come in and steal something from the cars there. First, they're going to start trying all the doors to see what's unlocked. And I love that example because they may not start breaking windows. First, they're just going to try all the doors and if they find something unlocked, they're going to find something they came for and leave. And so at least lock your car, you know, do something. And I think, you know, we can start with the things that are the worst. And then, and once we resolve that, then do the next thing and the next thing. And then Microsoft may have an update and some things are going to break. And then we started addressing those, you know, that's always a moving target. But with the dashboards that Black Talon has, we have visibility into the things that need correction or computers that need to be upgraded. And then all of a sudden, you know, another operating system starts approaching end of life. And we see that and we can start planning for replacement and things like that. So having visibility allows me to create buy-in with our financial team and start budgeting. And things like that. So we need to have then also training awareness, you know, training is something so important that, you know, the human element to what's happening with ransomware.
You can have some really great offensive and defensive software, but when you have people that don't know what they're doing, just like the example that Gary shared about, you know, somebody calling saying, "Hey, can you help me with this and do this or can you remote me into the system because I'm part of your IT company or whatever?" You know, things that happen, you really have to have that training element. And if you don't have your IT company so overwhelmed and they're busy trying to, you know, manage your IT and they're not staying aware of the things out there like a company like Black Talon where they're up to date with what's going on with the FBI and aware of the news and really staying, you know, ear to the ground on what's coming. They can, you know, there was one incident that happened. They within 24 hours had recorded a video of what was happening and kind of gave the scenario. It was a really short clip. They sent it to me and we sent it to all of our practices to say, "Hey, this is a new thing that's coming. Be aware of it so that you know what people might try to do." And it was, you know, something unique. And I would be exhausted trying to think of the different ways that the bad guys would try to, you know, attack us. That's exhausting to think that way. They get so creative. We were able to send it to our practices so they could be on alert. And a bunch of our practices said, "Oh my goodness, this is great." And so it just brought awareness. But anyway, so that dashboard gives us visibility and so we're able to do something and continue having that moving forward progress.

So yeah, that's great, Jill. Do you feel that because we've had this turnover in the industry, right? I mean, we talk about this HR crunch. I mean, is that a big issue because you have new people coming in that need to be trained and things are changing so rapidly with cybersecurity? So you kind of focus on training.
Like, what does that look like, Black Talon providing training for you? Do you have your own internal training? Is it a combination of the two?

I'll speak to that. So it is a combination we like to do internal training and also when there's news that comes out, again, like the one I mentioned, the video that they recorded, or also if there's an event that happens, we leverage that anytime we can to bring awareness. And clinically, I mentioned risk management. We use those closed claim summaries with OMS National Insurance Company or with General Dentistry if Fortress is another big insurance company. If there's a case that happens, share that with the team so they can be aware of something that happened, it's kind of interesting, but you know, you wouldn't know how risk could happen. And so if they're thinking that way, it helps them to be aware. Same thing for cybersecurity. So when something happens, you can leverage those scenarios as a teaching moment to say, hey, guys, there's a big attack coming around. Let's use this to double down. And I think when you have a manager at a location, they're like, oh my gosh, yes. And we just hired somebody and I forgot, we didn't add them to the list to get that training out for them. So I think it's really good to use those newsworthy moments to send out an alert to everyone across your organization. And then it kind of is a good reminder and it gets attention because otherwise, if you just have like a monthly, hey, don't forget to check your dashboard or something. I think it just makes it a little more exciting, I hate to say, but and it also teaches people in that way. Also, I've had really good feedback and this is good for you to hear Gary. I've had good feedback from our team when they're like, the training's not boring.
So that's good to hear, but you know, it's nice to be able to see the dashboard on who has completed it and who hasn't and but it's federally required that people in healthcare take the cybersecurity training and they have proof of it. So it's good. We appreciate it.

Yeah, and Black Talon always tries to have some fun with the training and you know, the whole, you know, superhero, the honor they kind of have is really cool. We enjoy it. We enjoy it. You're right. You make cybersecurity fun and entertaining, which is good. You were talking about news, Jill. And so a couple of weeks back there was that big FBI warning and they mentioned this focus on OMS. So talk a little bit about that and kind of how you, I'm sure you shared that with your team. But what have you really done, has Allied done, to really kind of focus on that?

Yeah. So and I probably jumped the gun in sharing about that. That was the one that when OMS had a big focus, that was when Black Talon recorded the video. And so we quickly got that out to our teams to make sure that they were aware of what was going on. And so we sent that out to every practice and we said, share this with your teams. And so that was very short time period from when the announcement happened, Black Talon recorded the video and made awareness. And from that, we got it out to our teams and we had amazing response across our organization. So I was, I was pretty impressed with the turnaround on that. And so we haven't had any issues at our practices just because they were alerted to it right away.

So Gary, what was in this video? Can you talk a little bit about it?

Yeah.
So that was kind of what I alluded to at the beginning, but that's where a hacker calls up the practice pretending to be a patient and wanting to fill out online patient registration forms and they claim like, hey, your website's not working properly or I'm not computer literate, can you just email me the forms so I can fill out my health history and all that. And then the hacker basically waits a couple of hours, pretends to fill out the forms, calls the practice back, asks for the same person that they spoke to a few hours ago, emails them the file back that is supposed to contain, you know, their health history and new patient registration forms. And then gets that person to click on a link in the email that they just sent. It directs them to a website that looks like a legitimate file download site called like Dropbox or ShareFile. And then the employee clicks on that second link. And then when they click on that second link, the hacker's payload downloads into their system and executes the attack. So basically what you have is you have an employee within the practice executing the attack for the hacker and the hacker does that. Just had to convince that person on the phone to do things or really three things, send them the forms, receive the forms, then click on links. That's how quickly that attack can be executed. And unfortunately this type of attack often evades email filters, email security as well as antivirus.

So we talked a lot about training. What specific technologies and tools should a DSO or solo practitioner have really to combat these intrusions, Gary, if you want to kind of kick that off like yeah, what's what's out there? I mean, you obviously can offer support and services, but what should they be doing?

Yeah. So I think you really need to think about this from a defensive and offensive perspective. So most practices and DSOs have been running defense for years, right?
They have the firewall, they have antivirus software, but how do the gut punch that I think hits most executive teams is every ransomware case we do, guess what they have? They have firewalls. They have antivirus software and all of a sudden like, how did we get ransomware? We have, you know, state-of-the-art firewalls. We were told we have the best antivirus software. We still got it. The hackers can defeat these technologies sometimes extremely easily. Often they are bypassed because they are misconfigured by the IT resources. So from a defensive perspective, you have obviously firewalls, you have antivirus software from an offensive perspective, which you really need to add, and I find that probably 90% of all DSOs, regardless of size, do not have an offensive game. They just have defense. From an offensive perspective, what you need to be doing is first of all, be data-driven. So just like Jill talked about, data doesn't lie. You can't argue with it, right? Your firewall is or isn't configured properly. You have vulnerabilities on your firewalls or you don't have vulnerabilities on your firewalls. Now there's different severities of firewall vulnerabilities, but a vulnerability on a firewall is a defect in your outer perimeter, which means that defect could result in a breach. So in order to have a strong offense, you need to test your technologies. So every single day, your firewalls need to be tested by a third party, where they're basically launching cyber attacks against these firewalls to see if they're going to withstand an attack from a hacker. Like, if someone opened ports, if someone misconfigured the firewall, is the software on the firewall vulnerable? Even some of the best firewall companies in the world constantly push patches to their firewall software because hackers figure out a defect in their software. So test your firewalls every single day. The next thing is penetration testing.
So I recommend at least twice per year your entire external perimeter, right? All of your firewalls or anything internet facing, there should be an external penetration test conducted against those firewalls, right? That's done by an ethical hacking team where the ethical hackers assume the role of a cyber criminal and use the same techniques and tactics that a hacker would use, and they try and break into your office. And if they're successful, then a meeting is called with your IT resources, internal, external resources, and changes are made to try and prevent that intrusion. So that's the next strategy. The next tool that I rarely see being used in DSOs is what's called a vulnerability scanner. Think of this as a tool that detects weaknesses in a computer, such as a server, a workstation, a laptop, a tablet, or a printer, a fax machine, IoT devices like that, smart TV hanging on the wall. And what these vulnerability scanners do is they wake up every four hours, they scan the devices for known vulnerabilities, and they report that back to, for instance, our dashboard. Our dashboard would instantly analyze it, warn you of the risk, give it a risk score, and then either automatically fix it, right? So we have technology now that not only identifies the risk, but can fix it, or if you're not utilizing the autonomous remediation, it tells your IT team how to fix it. So the big challenge we're seeing right now is in a seven-day period, hackers can identify vulnerabilities and they can build toolkits to exploit the vulnerability. Typically what happens with these toolkits is the device is like, "Oh, I don't need a password. Come on in." Right? They build a tool that allows the computer to give up access because it has a vulnerability in a piece of hardware or software. So real-time vulnerability scanning is a must-have. I've heard some executives say, "Oh, well, our IT resource scans our machines once per year."
What I say is you're literally burning that money, whatever you spent on that, put it in a fireplace and just light the dollars up, because every day there are tens and sometimes hundreds of new vulnerabilities that come out, so if you're not doing this real-time vulnerability scanning, you're failing. The next thing that you really need to do, and Jill talked about this a lot, is training. You have to do cybersecurity awareness training. It has to be a comprehensive process and training program. You can't be like, "Hey, let's buy pizza and talk about not clicking on things." Required under federal law, as part of being HIPAA compliant. Another good technology, which is a little more of the defensive technology, is you need to leverage AI-based antivirus and threat detection software. Two best products out there right now are SentinelOne and CrowdStrike, but most importantly, these need to be monitored 24/7, and they need to be monitored by security engineers. These people should be in the United States. The big challenge that I see with a lot of DSOs is they do go out and buy these types of products. They put them on their network. They're not configured properly. They're not monitored 24/7. The hackers figure out the misconfiguration or are able to get around the AI technology and still hit your network. Before the AI starts screaming at 2 o'clock in the morning and your IT team, either internal and/or external, is sound asleep. Those are some of the things that really, really need to be in place. All of this information has to be passed to a dashboard so that a CEO, a CFO, or even board members can take a look at this data and say, "Okay, we're doing really well," or, "We got some problems." One of the other things is benchmarking yourself. Our platform will actually show you from a security perspective how you compare to thousands of other DSO locations across the U.S., so you can say, "Oh, great, we're below the line. 
We're doing a really good job," or, "Uh-oh, we're way above the line. Why do we have twice the amount of risk as every other DSO?" Literally, we're doing something wrong here. That's typically the types of technologies that I want to see and cybersecurity experts want to see in these environments. Strong offense, strong defense. Most importantly, you have to separate IT from cybersecurity. The folks doing IT shouldn't be doing cyber, the guys doing and women doing cyber shouldn't be doing IT. It should be done by two different entities, so you get that true transparency. That's what I say to everyone is, "If you're an executive or the one over group, has anyone sat down with you and handed you a piece of paper and just said, 'Here's where we suck'?" Here are all the problems we have with our security. You know what? I'll ask that to a hundred people, and one person will raise their hand, and I even question, like, "Did you have to stay the one I asked or not?" Anyway, I think this is a big, big problem right now, and Bill, I mean, you know some of these attorneys, and you probably heard them speak as well. Most of them are starting to really advise their clients that you have to have a separate company for security because you have to be held accountable by someone else versus your internal people or your managed service providers. That leads into a question for Jill about separating IT from cybersecurity because I think you're right, Gary. You mentioned this in past podcasts where, "Hey, we've got an IT department, so we're good. We've got that handled," but Jill, you've separated out IT from cybersecurity. When did you do that, and how's that working out for you? What kind of take us through that process? Yeah, pretty early on, we engaged Black Talon, and we have Allied OMS. 
We have several different managed service providers for individual practices because we have X-ray machines that require boots on the ground, support, and long-term relationships there, but Black Talon allows us to have visibility into the status of how those are doing. I mentioned that dashboard is really helpful, but in the financial world, people who are serious about their money have third-party audits. Same thing goes for your IT and your computer security, and I think an IT provider might say that they're good, that they're fine, but you don't know what you don't know. If you're serious about it, then you would open your doors to say, "Hey, let's check and see." I feel like those IT providers that are genuinely open and are sincere about wanting to find out where their vulnerabilities are, they welcome the relationship there. It's a partnership towards excellence, and there's accountability in that. We feel like we have some really great IT groups who have said, "Yes," and so when their vulnerability is found by Black Talon, then they work together to resolve it, and sometimes those IT groups say, "Hey, we weren't aware of this," and the team at Black Talon is great about supporting the IT provider and saying, "Yeah, here's some fixes that we're aware of." They're wonderful being hand-in-hand on those things, but just like Gary said, how often is it that somebody would tell you exactly how they suck? That's uncomfortable. As well as a conflict of interest, people aren't going to tell you their shortcomings very comfortably, and we'd like to think that people would do that, but I think it's also a very difficult thing to do. 
It would be easier for them to just try to fix it, and we hope and trust that they would do that, but I think a third party audit in that way is good, and I think another way to say that is we really do need somebody to watch the watcher when it's something so vitally important to our business and our ability to continue doing business successfully, so it's pretty vital. Thanks for that, Jill. As we start to wrap up this podcast here, and I've got to ask this question, and you can both answer it. I'm sure, Jill, you see women work with other peers, other DSOs, and kind of have an idea of what they're doing, and Gary, again, has a little bit higher level across some other healthcare verticals as well, but we talked about this for years. It's always been a reactive, so something happens, and then, "Oh, we've got to scramble and do something," and at that point, it's almost too late. Are we seeing DSOs become more proactive when it comes to cybersecurity? Something that's happened in the past six months, even nine months back, if you kind of go back to some other incidents, do you think we were seeing a change from reactive to proactive? Jill, what do you think? I don't know, I can't speak for other DSOs specifically, but I think I'm part of an organization of other oral surgery groups that are primarily private practices that I'm connected to other administrators that I've known for years, and I do feel like, as we talked about at the beginning of this podcast, awareness is definitely heightened because of just all the things going on, so I do feel like the trend has been, "How can we be more aware with our teams and training?" So I do feel like that's escalated. Gary works with so many DSOs, he could probably answer that on the DSO level. What do you say, Gary? So I agree with you 100%, whether it's a small practice or a large DSO, the level of attention that cyber is getting right now is unprecedented. Change Healthcare flipped our entire world upside down. 
And Jill, you probably have colleagues that still aren't processing electronic claims to this day with certain platforms, so I think that created awareness. I also think that what tends to happen is sometimes you make some small incremental changes, and then it's out of sight, out of mind, back to growing EBITDA, back to treating patients, acquisitions, and things like that, and then all of a sudden something happens, and I'm like, "Oh my God, we got to go deal with this again." Until it happens to the DSO, God forbid, and then all of a sudden, as Bill said, then it's a reaction. So I say that almost every cyber event that we've seen and we've done hundreds of cyber events have all been prevented. And there are some really, really strong methodologies and tool sets out there and technologies that can prevent the intrusion, and if that fails, at least minimize the damage. I feel that one of the big problems that I see is the Kool-Aid drinking of tools. And this is propagated directly from the firewall companies and the anti-virus companies. They basically pour the Kool-Aid down the IT companies' and the IT resources' throats and be like, "This will stop ransomware, this will prevent intrusions, this will get you back up and running in 15 minutes," and everyone kind of just bets the farm on that, and then all of a sudden, they get hit with ransomware and a company like ours, an incident response company, a law firm will say, "Listen, you guys are going to be down for 2-4 weeks." And then they're like, "Whoa, hold on, we just bought the latest tools. How did this happen?" So one of the things and the best recommendation that I give, it's not just about the tools, it's about the humans behind the tools and making sure that they're managed and configured properly. 
So I do say that with proper proactive prevention, you can put your DSO in a really good place from a protection standpoint, but you have to think bigger and you have to understand and Jill said this, the attack methodologies change constantly, right? And you have to stay on top of this stuff. And if you're not staying on top of it, you will think you're protecting your office and your group and your DSO and your front doors and your back doors locked, the hackers are going to come in and smash the side window and get in. So think differently, be absolutely proactive about security, have this third party come in and make sure on a daily basis, you're right and tight and your doors and windows are all locked and your people are trained, et cetera. So that's really the best advice that I can give. That is a great way to wrap things up. Gary, if people want to find out more about Black Talon Security or they want to contact you, how do they do so? Sure. Yeah, you can visit us at blacktalonsecurity.com. I also suggest find me on LinkedIn. I have thousands of followers there and we're constantly posting some really great content, not only about dental and medical and general security, but personal security as well. And you can also call us at 800-683-3797, which I'll do us that way. Thanks, Bill. I really appreciate the time. Thank you, Jill. You did great as always. Oh, thanks. Yeah, thanks. And Jill, if people want to contact you, can they find you on LinkedIn? And how do they find out more about Allied OMS? Yep, our website is alliedoms.com and feel free to reach out to me on LinkedIn as well. That'd be great. Excellent. We'll put all that contact information and the URL for Black Talon and Allied in the show notes. We had a great conversation. It's amazing how things have changed in the past six months. We appreciate the update. And also, make sure you are following the Cyber Watch column. It's out every month on Group Dentistry Now. 
We appreciate Black Talon's support educating the industry on these ongoing changes with cyber security. So until next time, this is the Group Dentistry Now show, and I am Bill Newman. We appreciate you watching and listening in today. The Group Dentistry Now show has listeners across North and South America, Europe, Asia, and Australia. If you like our show, subscribe today, and please tell your colleagues about us.