1
00:00:00,140 --> 00:00:03,730
Hello everyone. I am Ryan Mohammed
with Becker's Hospital Review.

2
00:00:03,940 --> 00:00:07,010
Thank you so much for tuning into the
Becker's Healthcare podcast series.

3
00:00:07,430 --> 00:00:10,490
In today's conversation, we
are joined by Gary Soloman,

4
00:00:10,690 --> 00:00:14,890
CEO of Black Talent Security.
And Gary, how are you?

5
00:00:14,890 --> 00:00:16,090
Thank you so much for coming on here.

6
00:00:16,660 --> 00:00:18,930
Thank you so much. Great
to be here. Yeah, of.

7
00:00:18,930 --> 00:00:20,210
Course. Yes. Um,

8
00:00:20,270 --> 00:00:24,370
so glad to talk with you today and we
can jump right into our conversation,

9
00:00:25,110 --> 00:00:27,570
um, as the expert on security,

10
00:00:28,270 --> 00:00:30,290
the first question that
I wanted to ask you is,

11
00:00:30,560 --> 00:00:34,730
what value can be realized from having
an independent cybersecurity company

12
00:00:34,990 --> 00:00:37,130
assess a DSO risk?

13
00:00:39,120 --> 00:00:43,370
Yeah, so I think one of the biggest
challenges we see in the DSO space is

14
00:00:44,680 --> 00:00:48,330
DSOs believe that their
cybersecurity posture is strong.

15
00:00:48,950 --> 00:00:53,370
And often what I see happen is when
you start digging into the security

16
00:00:53,990 --> 00:00:55,410
in these environments,

17
00:00:56,230 --> 00:00:59,210
you quickly unravel quite a few problems.

18
00:00:59,470 --> 00:01:02,130
It usually starts at the executive level,

19
00:01:02,780 --> 00:01:06,290
where when you ask the executives,
Hey, you know, Mrs. CEO,

20
00:01:06,290 --> 00:01:10,210
what are you doing for cybersecurity?
She's like, you know, I think, uh,

21
00:01:10,370 --> 00:01:12,450
I think we have that covered.
And then I'll say, well,

22
00:01:12,450 --> 00:01:14,370
what does that actually mean?
You have it covered? Well,

23
00:01:14,370 --> 00:01:17,930
I have an IT manager and they do
cybersecurity, and we have a couple folks,

24
00:01:18,390 --> 00:01:22,480
you know, that handle cyber. And
then I'll often say, well, you know,

25
00:01:22,480 --> 00:01:26,160
one of the most important things
to, to realize is that in the end,

26
00:01:26,380 --> 00:01:29,800
if things go sideways, you have a
cyber event, a ransomware attack,

27
00:01:29,820 --> 00:01:31,920
an email intrusion, a
theft of patient data,

28
00:01:32,800 --> 00:01:36,280
ultimately you're gonna be responsible
and you're gonna need to have all the

29
00:01:36,280 --> 00:01:39,080
correct answers for a
state attorney general,

30
00:01:39,460 --> 00:01:44,360
for the Office for Civil Rights.
And you really need to have a,

31
00:01:44,520 --> 00:01:49,320
a clear understanding of
what it means to have proper

32
00:01:49,460 --> 00:01:53,760
cybersecurity measures in place.
So typically what we find is,

33
00:01:54,460 --> 00:01:56,640
you know, really regardless
of the size of the DSO,

34
00:01:56,640 --> 00:01:58,600
so I'm talking like small
to medium, you know,

35
00:01:58,950 --> 00:02:01,720
DSOs with say 10 locations
up to a couple hundred,

36
00:02:02,470 --> 00:02:05,760
they often just have very
basic security in place.

37
00:02:05,790 --> 00:02:08,680
They have firewalls and they
have antivirus software,

38
00:02:08,680 --> 00:02:09,920
and they have some backups,

39
00:02:11,000 --> 00:02:15,620
but they're missing a lot of the
core elements of a true cybersecurity

40
00:02:16,060 --> 00:02:18,940
solution. And as we know
in many organizations,

41
00:02:19,760 --> 00:02:22,980
as the information is passed up the chain,

42
00:02:23,680 --> 00:02:27,380
it is kind of changed, right? Because
you don't want your bosses to know, Hey,

43
00:02:27,380 --> 00:02:30,380
maybe we're not doing a good job
from a cybersecurity perspective.

44
00:02:31,160 --> 00:02:33,340
So to answer your question, you know,

45
00:02:33,340 --> 00:02:37,340
what cybersecurity companies like ours
can do is we can come in and do a true

46
00:02:37,390 --> 00:02:39,140
third party evaluation.

47
00:02:39,680 --> 00:02:44,500
We can help everyone that
touches compliance and

48
00:02:44,600 --> 00:02:49,470
and security to have a clear
understanding of how well they're

49
00:02:49,630 --> 00:02:53,710
actually doing from a
security perspective. And
that's done in two ways. One,

50
00:02:53,890 --> 00:02:54,990
actual tests, right?

51
00:02:54,990 --> 00:02:59,110
We can conduct very sophisticated
tests against all the computers,

52
00:02:59,160 --> 00:03:03,080
like the workstations, the servers,
the laptops, the firewalls,

53
00:03:03,180 --> 00:03:06,360
and give the business a really good
understanding of how secure they actually

54
00:03:06,360 --> 00:03:07,240
are. Um,

55
00:03:07,260 --> 00:03:12,040
we can also evaluate the
DSO's policies and procedures,

56
00:03:12,170 --> 00:03:14,160
right? The, a lot of times what we see,

57
00:03:14,280 --> 00:03:16,240
'cause we do a lot of
incident response cases.

58
00:03:16,370 --> 00:03:20,600
We've done quite a few ransomware
attacks in, in the, uh, dental space and,

59
00:03:20,600 --> 00:03:21,720
and DSO space.

60
00:03:21,820 --> 00:03:26,680
And what we often see is the executives
believe they have all these protocols

61
00:03:26,700 --> 00:03:28,520
and policies and procedures in place,

62
00:03:28,620 --> 00:03:31,840
and backups and protections
against these types of events.

63
00:03:32,220 --> 00:03:34,880
And then all of a sudden they turn
around and a ransomware attack hits,

64
00:03:35,180 --> 00:03:38,840
and everyone kind of has the deer in
the headlight syndrome and the finger

65
00:03:38,840 --> 00:03:41,640
pointing starts, and the, I
thought you were doing this,

66
00:03:41,660 --> 00:03:44,000
and I thought we had this,
and how did this happen?

67
00:03:44,280 --> 00:03:47,480
I thought we had these discussions
start occurring. So, you know,

68
00:03:47,480 --> 00:03:51,490
cyber company can come
in and really do a deep

69
00:03:51,900 --> 00:03:54,810
evaluation of how well, you know,

70
00:03:54,950 --> 00:03:58,890
the DSO is doing from a
preventative perspective, you know,

71
00:03:58,890 --> 00:04:01,410
preventing a ransomware attack
or theft of patient data,

72
00:04:01,790 --> 00:04:05,410
and then help them implement
strong solutions to actually, uh,

73
00:04:05,410 --> 00:04:09,010
further harden their, their
cybersecurity posture, uh,

74
00:04:09,010 --> 00:04:13,010
versus what we typically see in most
organizations, which is, you know,

75
00:04:13,170 --> 00:04:16,570
I think we're fine. And, and
unfortunately that's all too common.

76
00:04:19,090 --> 00:04:23,860
Yeah, definitely. You made some excellent
points in there, um, especially about,

77
00:04:23,860 --> 00:04:27,020
you know, the finger pointing and, you
know, I thought you were doing that,

78
00:04:27,020 --> 00:04:29,340
that I feel like that
often happens a lot. Um,

79
00:04:29,480 --> 00:04:34,340
can you go more into detail on why
it is so crucial for DSO leaders to

80
00:04:34,340 --> 00:04:38,060
understand why cyber threats are a major
concern for the overall health of the

81
00:04:38,220 --> 00:04:39,053
business.

82
00:04:39,740 --> 00:04:43,110
Sure. Look, I think, I think it can
be broken down into a couple buckets.

83
00:04:43,690 --> 00:04:45,550
One is the legal issue.

84
00:04:46,060 --> 00:04:50,350
What we're starting to see now is
when ransomware attacks hit DSOs,

85
00:04:51,090 --> 00:04:54,550
almost all DSOs are suffering
from the data theft.

86
00:04:54,930 --> 00:04:59,070
So most of these hacking groups not
only hit the D S O with ransomware,

87
00:04:59,070 --> 00:05:02,750
which basically locks up
all of the computers and
servers for a two week period,

88
00:05:03,370 --> 00:05:08,310
but most ransomware groups are
stealing as much or all of the patient

89
00:05:08,460 --> 00:05:09,200
data,

90
00:05:09,200 --> 00:05:14,110
which puts the DSO in a very precarious
situation from a compliance and legal

91
00:05:14,110 --> 00:05:17,790
perspective. And now what we're seeing
is, and it's public information,

92
00:05:17,790 --> 00:05:22,590
there are now multiple DSOs that
are not only under investigation by

93
00:05:22,590 --> 00:05:25,790
state attorney generals, um,
by the federal government,

94
00:05:25,790 --> 00:05:30,790
the Office of Civil Rights, but now
the victims, right? The patients,

95
00:05:30,790 --> 00:05:33,070
unfortunately, in these types of
attacks, there are multiple victims.

96
00:05:33,100 --> 00:05:35,110
There's the DSO
themself that's a victim.

97
00:05:35,180 --> 00:05:39,430
Then you have the patients that are
victims. The patient victims, um,

98
00:05:39,580 --> 00:05:43,510
through class action
lawsuits are actually, uh,

99
00:05:43,510 --> 00:05:48,390
winning claims against the DSOs because
the attorneys are claiming that the DSO

100
00:05:48,450 --> 00:05:52,670
did not have adequate cyber protections
in place to protect these patients.

101
00:05:53,460 --> 00:05:57,360
This is relatively new, you know,
within the last 12 ish months or so,

102
00:05:57,740 --> 00:06:01,120
and we're starting to see more and
more of these class action, uh,

103
00:06:01,210 --> 00:06:05,400
suits against the DSOs because the
attorneys have figured out how to get it

104
00:06:05,400 --> 00:06:07,120
through the court systems. Previously,

105
00:06:07,800 --> 00:06:11,920
a lot of the judges were throwing
these lawsuits out because the patients

106
00:06:11,920 --> 00:06:16,640
couldn't prove harm. Right? Now,
some of the judges are saying, well,

107
00:06:16,660 --> 00:06:19,360
we know what happens when
patient data gets stolen and I,

108
00:06:19,420 --> 00:06:21,920
and how it relates to
identity theft, et cetera.

109
00:06:21,920 --> 00:06:26,640
So we're gonna allow the court systems
to hear the cases. So that's one issue.

110
00:06:27,310 --> 00:06:29,840
Then you have the compliance
component of it. Um,

111
00:06:30,020 --> 00:06:34,760
so what happens typically is the
state and federal government will

112
00:06:35,400 --> 00:06:39,720
investigate a ransomware attack, you
know, an intrusion into an email system,

113
00:06:39,980 --> 00:06:44,560
et cetera, and they're gonna dig really,
really deep into that organization.

114
00:06:44,560 --> 00:06:46,480
They're not gonna just say, well, okay,

115
00:06:46,480 --> 00:06:48,560
this just impacted one
or two of your locations,

116
00:06:48,620 --> 00:06:51,080
or maybe it did impact
all of your locations,

117
00:06:51,500 --> 00:06:55,240
but they're gonna want the DSO to be
able to answer some really difficult

118
00:06:55,520 --> 00:07:00,320
questions on how they are implementing
cybersecurity solutions to

119
00:07:00,320 --> 00:07:01,360
prevent these intrusions.

120
00:07:02,180 --> 00:07:07,060
And the investigator or
investigators from Office of Civil

121
00:07:07,060 --> 00:07:08,380
Rights may deem, well,

122
00:07:08,380 --> 00:07:12,820
you had nothing in place and you weren't
doing what's considered best practices

123
00:07:12,820 --> 00:07:15,020
from a security perspective, um,

124
00:07:15,480 --> 00:07:20,420
and potentially levy fines or require
the DSO to start implementing

125
00:07:20,450 --> 00:07:22,500
much more stringent security solutions.

126
00:07:23,260 --> 00:07:26,300
Probably things that they should
have had in place to, uh, begin with.

127
00:07:27,040 --> 00:07:29,940
So you have, you know, to deal
with that. I will tell you,

128
00:07:30,060 --> 00:07:33,500
many of these federal investigations
can take 12 plus months,

129
00:07:34,280 --> 00:07:39,220
and they will request a tremendous
amount of documentation and proof

130
00:07:39,690 --> 00:07:43,100
from the DSOs. So they kind of turn
them upside down and inside out.

131
00:07:44,480 --> 00:07:48,010
Then really the last part of, uh,

132
00:07:48,790 --> 00:07:53,690
the investigation really
revolves around, um,

133
00:07:54,200 --> 00:07:55,690
what the, uh,

134
00:07:56,050 --> 00:08:00,770
DSO is going to feel from a
pain perspective related to the

135
00:08:00,770 --> 00:08:01,770
financial impact.

136
00:08:02,670 --> 00:08:06,610
So what most DSOs don't realize is
when you get hit with ransomware,

137
00:08:07,350 --> 00:08:09,760
if it's systemic throughout
your environment,

138
00:08:09,760 --> 00:08:12,920
like we've seen recently with some
of the larger DSOs where, you know,

139
00:08:12,920 --> 00:08:17,150
almost every location gets hit, you're
gonna be down for two to four weeks.

140
00:08:17,850 --> 00:08:20,390
And I believe seeing it firsthand,

141
00:08:20,940 --> 00:08:24,790
many of these DSOs don't really realize
the potential impact from a financial

142
00:08:24,790 --> 00:08:27,750
perspective. Could you imagine
a DSO with, you know,

143
00:08:27,750 --> 00:08:31,350
50 to a hundred locations or
more, or even one with 10? It,

144
00:08:31,420 --> 00:08:35,110
it's all proportional, right? Literally
having to close their doors for,

145
00:08:35,410 --> 00:08:39,290
for two plus weeks. And typically, Mariah,

146
00:08:39,290 --> 00:08:42,410
what what we hear executives
say is, well, I've,

147
00:08:42,410 --> 00:08:46,650
I've been told that we have backups
and, you know, we're in the cloud,

148
00:08:46,910 --> 00:08:50,690
so you know, we, we can't be
impacted by a ransomware event.

149
00:08:51,270 --> 00:08:56,080
And then when you realize how damaging
and destructive these ransomware

150
00:08:56,080 --> 00:09:00,960
events are, you then realize and actually
see some of these news broadcasts,

151
00:09:00,960 --> 00:09:03,760
right? Well, you know,
XYZ DSO, you know,

152
00:09:03,900 --> 00:09:06,760
has all of their facilities
closed and you know,

153
00:09:06,860 --> 00:09:10,280
ha have been closed for two weeks.
You quickly realize, wow, that's,

154
00:09:10,300 --> 00:09:14,760
that's devastating for the organization
from a financial perspective.

155
00:09:14,940 --> 00:09:18,640
So what I tell every board that
I talk to, or C-suite, I say,

156
00:09:19,320 --> 00:09:22,920
I want you to play this out in your
head. Do back of the napkin math.

157
00:09:23,380 --> 00:09:27,250
How much do you generate every day
right now, multiply that by 10,

158
00:09:27,390 --> 00:09:28,810
and that's gonna be your minimum loss.

159
00:09:28,810 --> 00:09:33,450
That's just strictly production
from treating patients gone. Now,

160
00:09:33,450 --> 00:09:38,450
think about the impact over
the next three to eight weeks

161
00:09:38,910 --> 00:09:41,530
as these systems slowly come back online,

162
00:09:41,530 --> 00:09:44,450
because even with really
good incident response,

163
00:09:44,810 --> 00:09:49,700
companies that help recover from the
ransomware attack and good IT resources,

164
00:09:50,540 --> 00:09:52,930
I rarely see, uh,

165
00:09:52,930 --> 00:09:57,490
dental practices and DSOs come back
online in less than two weeks. And,

166
00:09:57,510 --> 00:10:01,010
and they, they suffer kind of the
pain and anguish for weeks after,

167
00:10:01,010 --> 00:10:05,250
because you forget how many
interconnected systems you have.

168
00:10:05,310 --> 00:10:09,130
You not only have, um, uh,
scheduling and billing,

169
00:10:09,190 --> 00:10:12,650
you have two dimensional x-rays,
you have three dimensional x-rays,

170
00:10:12,650 --> 00:10:15,770
you have text messaging, you have, uh,

171
00:10:15,770 --> 00:10:19,890
connectors that gather all of
this data and mine the data and,

172
00:10:19,890 --> 00:10:21,250
and generate forecasts,

173
00:10:21,590 --> 00:10:26,570
and you have payroll and phone systems
and appointment reminders. So yeah,

174
00:10:26,600 --> 00:10:27,320
look, it's,

175
00:10:27,320 --> 00:10:31,810
it's often way bigger
than what people perceive.

176
00:10:32,390 --> 00:10:37,250
And until an executive
has actually gone through

177
00:10:37,530 --> 00:10:39,050
a ransomware event firsthand,

178
00:10:39,560 --> 00:10:44,290
it's often very difficult to communicate
that to them because they just don't

179
00:10:44,290 --> 00:10:48,610
understand the, the gravity of these
types of situations. And then obviously,

180
00:10:48,610 --> 00:10:51,850
like we just described, the
long-term consequences and impact,

181
00:10:52,550 --> 00:10:57,020
and then you have to think about maybe
you're getting ready to sell your DSO

182
00:10:57,800 --> 00:11:00,780
now with all the class
action lawsuits occurring,

183
00:11:01,830 --> 00:11:06,050
is another DSO gonna wanna buy you with
the potential of dealing with millions

184
00:11:06,050 --> 00:11:11,010
of dollars of class action lawsuit
payouts in the future? Like, it, it's,

185
00:11:11,010 --> 00:11:13,650
it's a big question on a lot
of people's radar right now.

186
00:11:14,150 --> 00:11:15,930
Why would you take that
risk? You know, your,

187
00:11:15,930 --> 00:11:18,690
your investment in that
organization could be, you know,

188
00:11:18,930 --> 00:11:21,690
diminished dramatically if in a year
from now you get hit with multiple class

189
00:11:21,690 --> 00:11:25,890
action lawsuits. So I think,
I think we really need to, uh,

190
00:11:26,240 --> 00:11:30,210
address all of these concerns
holistically and, and,

191
00:11:30,230 --> 00:11:33,690
and look into solutions to try and
prevent these types of intrusions.

192
00:11:35,980 --> 00:11:39,790
Yeah, absolutely. Thank you so much
for giving us that rundown. Um,

193
00:11:39,910 --> 00:11:42,150
I certainly do not know all
of that about what happens.

194
00:11:42,450 --> 00:11:46,870
So thank you for sharing. Um,
and I know at Becker's we report,

195
00:11:47,130 --> 00:11:50,990
we have been reporting on these
cyber attacks very frequently. Um,

196
00:11:51,890 --> 00:11:54,880
why are healthcare organizations
including those in dentals,

197
00:11:54,880 --> 00:11:58,680
seeing such a rise in cyber attacks
in these, you know, recent months?

198
00:12:00,370 --> 00:12:02,740
Yeah, it's, it's been dramatic. Um,

199
00:12:03,220 --> 00:12:07,970
I would say if you go back
to the beginning of the war
with Russia and Ukraine,

200
00:12:08,030 --> 00:12:12,490
the cyber attacks kind of dropped
off, literally, like fell off a ledge.

201
00:12:13,150 --> 00:12:18,010
And ransomware, uh, for lack of a better
word, almost died for, for months. Um,

202
00:12:18,030 --> 00:12:22,460
and then earlier this
year, they, you know,

203
00:12:23,280 --> 00:12:26,780
became systemic, right? We
were seeing them hit, uh,

204
00:12:26,780 --> 00:12:30,180
we were seeing the threat actors hit
all different sized dental groups with,

205
00:12:30,180 --> 00:12:33,780
with ransomware, literally like someone
turned the switch on again and boom,

206
00:12:33,780 --> 00:12:38,340
they started. So that the question
really is why. So I think there's,

207
00:12:38,340 --> 00:12:41,260
there's a, there's a couple
reasons here that we see, right?

208
00:12:41,320 --> 00:12:44,380
We deal with ransomware attacks
firsthand, not, you know,

209
00:12:44,380 --> 00:12:47,420
second secondhand or third
hand by, by reading articles.

210
00:12:47,420 --> 00:12:49,340
We actually deal with
these DSOs that get hit.

211
00:12:49,840 --> 00:12:51,580
And I think there are a
couple reasons. First,

212
00:12:52,620 --> 00:12:55,520
the hackers know where
the money is, right? And,

213
00:12:55,540 --> 00:12:59,000
and if you are a hacker and you know that

214
00:13:00,270 --> 00:13:04,200
DSOs and medical groups have a ton
of patient records in their system,

215
00:13:04,590 --> 00:13:07,720
they also have a clear
understanding of our HIPAA laws.

216
00:13:08,180 --> 00:13:11,360
And believe it or not,
hackers have, you know,

217
00:13:11,430 --> 00:13:15,520
sent communications to me saying, we
know the HIPAA laws you have to pay,

218
00:13:15,780 --> 00:13:18,520
you'll face, you know, serious
fines from your government.

219
00:13:19,230 --> 00:13:23,840
They understand that most healthcare
entities do in fact pay the ransom demand

220
00:13:23,840 --> 00:13:26,720
because when the hackers steal this data,

221
00:13:27,460 --> 00:13:30,000
if the victim like a DSO doesn't pay,

222
00:13:30,420 --> 00:13:34,880
the hackers will publish and sell all of
those patient records on the dark web.

223
00:13:35,580 --> 00:13:37,240
And you can imagine, once again,

224
00:13:37,240 --> 00:13:41,600
the legal and compliance issues related
to that. So kind of follow the money.

225
00:13:42,220 --> 00:13:42,510
Um,

226
00:13:42,510 --> 00:13:47,160
they also know that most DSOs have pretty
substantial insurance policies related

227
00:13:47,220 --> 00:13:49,600
to paying out on cyber events. You know,

228
00:13:49,600 --> 00:13:53,800
many DSOs have multimillion
dollar policies, um, and,

229
00:13:54,380 --> 00:13:54,680
you know,

230
00:13:54,680 --> 00:13:57,760
the insurance carriers do in fact pay
because that's what they're insuring,

231
00:13:57,760 --> 00:13:59,240
right? They're, they're
trying to, you know,

232
00:13:59,240 --> 00:14:03,600
provide insurance to these DSOs and help
them recover from these types of events

233
00:14:03,600 --> 00:14:08,080
so that that hacking community
understands that concept as well. In fact,

234
00:14:09,210 --> 00:14:13,550
one of the methodologies that hackers
use is they will actively search

235
00:14:14,090 --> 00:14:14,923
the network,

236
00:14:15,010 --> 00:14:19,630
the server workstation storage
devices for copies of the

237
00:14:20,060 --> 00:14:23,070
DSO's insurance policy,
and they'll say, oh,

238
00:14:23,230 --> 00:14:25,270
you're claiming you can
only pay us half a million.

239
00:14:25,850 --> 00:14:28,990
We found your insurance policy and
you have $3 million in coverage,

240
00:14:29,290 --> 00:14:32,870
pay us $3 million. You know, so
it's crazy to even think that,

241
00:14:32,870 --> 00:14:37,270
but those are some of the, the tactics
that they're using. Um, the attack,

242
00:14:37,890 --> 00:14:41,750
the attack surface is
another big issue for DSOs.

243
00:14:42,330 --> 00:14:46,520
We see so many DSOs with, um,

244
00:14:47,360 --> 00:14:49,960
a lack of standardization
in their technology, right?

245
00:14:49,960 --> 00:14:54,720
They'll have five to 10 different
brands of firewalls, you know,

246
00:14:54,860 --> 00:14:59,200
10 different flavors of antivirus
and intrusion detection software.

247
00:14:59,860 --> 00:15:04,520
Um, lots of different practice
management systems, both cloud-based, um,

248
00:15:04,780 --> 00:15:06,000
and on-premise based,

249
00:15:06,900 --> 00:15:11,840
and they have no real
visibility into their attack

250
00:15:11,840 --> 00:15:15,520
surface. And what an attack
surface is, is basically every,

251
00:15:16,750 --> 00:15:20,330
uh, component of your network
that presents cyber risk.

252
00:15:20,790 --> 00:15:24,770
So examples of attack surface
are your firewalls. Um,

253
00:15:24,870 --> 00:15:29,450
so a lot of DSOs have
work from home employees.

254
00:15:30,160 --> 00:15:33,370
They have third parties who
remote into their systems.

255
00:15:34,670 --> 00:15:37,040
They have firewalls that
actually have vulnerabilities,

256
00:15:37,290 --> 00:15:41,520
which can be caused by a piece
of software on the firewall,

257
00:15:42,340 --> 00:15:45,880
uh, that has in fact some type of, um,

258
00:15:47,430 --> 00:15:48,640
problem with it, right?

259
00:15:48,830 --> 00:15:52,720
Some type of defect within the software
that the hackers can scan and find,

260
00:15:53,140 --> 00:15:56,920
and then they exploit that firewall and
they get into the practice or into the,

261
00:15:57,060 --> 00:16:01,320
you know, central, uh, management
console of, of a DSO and,

262
00:16:01,320 --> 00:16:05,440
and then potentially gain access to all
of the locations. Um, so you have that,

263
00:16:06,060 --> 00:16:10,840
you have vulnerabilities on computers
that hackers can exploit vulnerabilities

264
00:16:11,060 --> 00:16:15,000
in pieces of software vulnerabilities
in pieces of hardware,

265
00:16:15,220 --> 00:16:19,200
and the hackers will basically build
hacking toolkits to exploit these

266
00:16:19,200 --> 00:16:21,640
vulnerabilities. So this is also
part of your attack surface.

267
00:16:22,460 --> 00:16:27,120
And what we find for most DSOs is they

268
00:16:27,210 --> 00:16:31,940
don't have any tools that identify this

269
00:16:32,160 --> 00:16:36,660
attack surface issue, right? They're
focusing on what I like to call defense,

270
00:16:37,070 --> 00:16:40,340
which basically means, hey, if
someone gets into our environment,

271
00:16:41,030 --> 00:16:45,860
we're going to hope that some piece
of software we have on our network

272
00:16:46,000 --> 00:16:50,060
is going to alert us, and then
someone can potentially take action.

273
00:16:50,600 --> 00:16:54,820
But what I say to everyone is, once
that tool's going off and alerting,

274
00:16:54,880 --> 00:16:55,780
if it actually does,

275
00:16:55,980 --> 00:16:59,340
'cause nothing's a hundred percent
someone's already in your network, right?

276
00:16:59,440 --> 00:17:01,620
Or malicious code is already
in your network. Now,

277
00:17:01,620 --> 00:17:04,020
you're just hoping that
this tool is gonna stop it.

278
00:17:05,200 --> 00:17:08,250
What I find is through
attack surface management,

279
00:17:08,270 --> 00:17:11,930
by analyzing your firewalls daily,
by scanning your computers daily,

280
00:17:12,030 --> 00:17:15,410
by running penetration tests
through ethical hackers,

281
00:17:15,870 --> 00:17:20,810
you get a clear picture of
your attack surface and you can

282
00:17:20,830 --> 00:17:24,690
now play offense. So
offense basically says, Hey,

283
00:17:24,790 --> 00:17:26,450
how do we harden our computers?

284
00:17:26,590 --> 00:17:29,650
How do we harden our firewalls
and all this other technology?

285
00:17:30,110 --> 00:17:31,530
So when hackers scan them,

286
00:17:32,280 --> 00:17:35,170
they actually don't see any
vulnerabilities that they can exploit.

287
00:17:35,870 --> 00:17:40,290
So offense is very important.
Um, that's done with these,

288
00:17:40,290 --> 00:17:44,490
these daily scans of the firewalls
and computers and pen testing. Um,

289
00:17:44,710 --> 00:17:46,970
and that's kind of your
outer defense, right? If we,

290
00:17:47,030 --> 00:17:51,800
if we don't give the, uh, threat actors,

291
00:17:51,810 --> 00:17:54,840
these hackers an opportunity to break in,

292
00:17:55,230 --> 00:17:58,200
then the chance of them
breaking in is lower, right?

293
00:17:58,580 --> 00:18:03,220
The other part of an attack
surface is your people. Now,

294
00:18:03,220 --> 00:18:07,660
federal law says you have to train
every single person in a DSO, uh,

295
00:18:07,960 --> 00:18:08,940
on cyber threats.

296
00:18:09,040 --> 00:18:13,140
So how to detect phishing and spear
phishing and other forms of social

297
00:18:13,500 --> 00:18:14,333
engineering.

298
00:18:14,360 --> 00:18:19,060
And what we find is a lot of
DSOs don't have a thorough,

299
00:18:19,920 --> 00:18:22,940
uh, cybersecurity awareness training
program. Some will be like, oh, well,

300
00:18:22,940 --> 00:18:27,260
we just send out reminders to our doctors
and staff and tell 'em not to click on

301
00:18:27,260 --> 00:18:29,580
things. And then I'll ask, Hey,

302
00:18:29,580 --> 00:18:33,140
do you actually test them by sending
out simulated phishing or spear phishing

303
00:18:33,140 --> 00:18:36,500
emails? Like, nah, you know, we've
talked about that. We don't really do it.

304
00:18:37,010 --> 00:18:41,700
Like that's a huge problem. You
know, the human element of cyber is,

305
00:18:41,800 --> 00:18:44,620
is an issue. You know, depending
on what study you look at,

306
00:18:44,620 --> 00:18:49,500
somewhere between 60 and 90% of all
cyber events are the result of a

307
00:18:49,500 --> 00:18:53,340
human making a mistake, right? Clicking
on a link, opening an attachment,

308
00:18:53,440 --> 00:18:57,260
giving up usernames and passwords
and, and things like that,

309
00:18:57,530 --> 00:19:01,980
causing the downloading of
malicious code into the system like

310
00:19:02,030 --> 00:19:06,540
ransomware. So if you can take a
look at your entire attack surface,

311
00:19:06,770 --> 00:19:10,900
both from a technical perspective
as well as a human perspective,

312
00:19:11,980 --> 00:19:16,040
you're going to set yourself
up for success. And this
is one of the things that,

313
00:19:16,260 --> 00:19:19,600
you know, OCR, Office of Civil
Rights is looking for. You know,

314
00:19:19,820 --> 00:19:24,280
did you as a DSO do what was
necessary to try and prevent this event?

315
00:19:24,300 --> 00:19:27,560
And if you did, okay, we understand
nothing's a hundred percent,

316
00:19:27,940 --> 00:19:31,040
but if you can't start
providing concrete, uh,

317
00:19:31,150 --> 00:19:35,240
data showing how you're managing risk by
addressing vulnerabilities and training

318
00:19:35,240 --> 00:19:38,120
your people and using more advanced, um,

319
00:19:38,620 --> 00:19:43,300
AI-based antivirus software
and, and good firewalls,

320
00:19:43,720 --> 00:19:47,420
you know, these DSOs are
gonna have a big problem. And,

321
00:19:47,480 --> 00:19:49,140
and that's what we're seeing here. Um,

322
00:19:49,140 --> 00:19:54,140
so the technology exists to be able to
really help minimize the chances of an

323
00:19:54,140 --> 00:19:58,060
intrusion, but what we're finding is
many DSOs in fact aren't, you know,

324
00:19:58,060 --> 00:20:01,500
leveraging them or they're leveraging
the wrong partner, you know,

325
00:20:01,500 --> 00:20:03,380
that doesn't truly
understand the threat matrix.

326
00:20:05,670 --> 00:20:07,850
Got it. Thank you so much
for all of that insight.

327
00:20:08,110 --> 00:20:12,610
And if you could make something
clear, should IT resources,

328
00:20:12,610 --> 00:20:16,130
whether internal or external be
providing some type of protection?

329
00:20:19,000 --> 00:20:22,620
So yes, um, they should, but I, I,

330
00:20:23,160 --> 00:20:27,840
the challenge that I see is most IT

331
00:20:27,990 --> 00:20:31,280
departments in DSOs, and this
is regardless of size, we have,

332
00:20:31,300 --> 00:20:34,640
we have clients that have 10 locations
and clients that have hundreds,

333
00:20:35,150 --> 00:20:40,120
most of the time the IT resources
are focusing on what I like

334
00:20:40,120 --> 00:20:43,520
to call firefighting,
right? Practice, you know,

335
00:20:43,840 --> 00:20:47,840
A has a problem with their server
and they can't take X-rays, right?

336
00:20:47,840 --> 00:20:50,680
And they're on the phone with
the IT tech support department,

337
00:20:50,680 --> 00:20:52,400
and they're trying to get
that practice up online.

338
00:20:53,220 --> 00:20:57,040
And because of resources
and often the lack of, um,

339
00:20:58,320 --> 00:21:00,970
certified individuals, uh, in security,

340
00:21:01,620 --> 00:21:05,330
those organizations are
mostly doing IT work, right?

341
00:21:05,340 --> 00:21:10,170
Which is keeping those practices up and
running, you know, diagnosing problems,

342
00:21:10,200 --> 00:21:11,970
answering questions, things like that.

343
00:21:12,590 --> 00:21:17,210
And often they don't have the correct
tool set or, uh, the correct, uh,

344
00:21:17,690 --> 00:21:20,170
training in order to
really leverage, you know,

345
00:21:20,170 --> 00:21:24,650
some of these higher end security
tools, security applications. Um,

346
00:21:24,870 --> 00:21:25,703
and then frankly,

347
00:21:26,270 --> 00:21:31,250
you really need individuals that
truly understand cybersecurity

348
00:21:31,250 --> 00:21:35,420
and the cyber threat landscape.
Um, because if you don't,

349
00:21:35,880 --> 00:21:38,380
and you, and you don't understand
how hackers are breaking in,

350
00:21:38,480 --> 00:21:40,500
it becomes very difficult
to defend against it.

351
00:21:41,120 --> 00:21:45,900
And what I typically
see is the IT resources

352
00:21:45,970 --> 00:21:50,220
believe they know how hackers break in
and are trying to defend against it,

353
00:21:50,320 --> 00:21:52,500
and they're putting their
resources, you know,

354
00:21:52,800 --> 00:21:55,500
for argument's sake on the left
side of the building, right?

355
00:21:55,500 --> 00:21:56,580
And the hackers are like, oh,

356
00:21:56,580 --> 00:21:59,020
look, there's exposure on the right side
of the building, and they walk right in.

357
00:21:59,980 --> 00:22:04,160
Um, so having kind of a third
party company that comes in and,

358
00:22:04,160 --> 00:22:08,600
and can help identify where the cyber
risk exists and helping implement

359
00:22:09,440 --> 00:22:13,160
security tools along with human
intellect, is, is really where the, um,

360
00:22:13,540 --> 00:22:15,000
the cyber world is at right now.

361
00:22:17,180 --> 00:22:21,200
Got it. Thank you so much for
all of that information. Um,

362
00:22:21,500 --> 00:22:25,880
if we could get some solutions, the
next question I wanted to ask you is,

363
00:22:26,270 --> 00:22:31,080
what should the private equity firms and
fast-growing DSO groups do to protect

364
00:22:31,080 --> 00:22:33,600
themselves when acquiring
emerging locations?

365
00:22:34,590 --> 00:22:35,423
Right?

366
00:22:35,960 --> 00:22:40,830
So one of the challenges that exists
right now is are you gonna buy a

367
00:22:40,830 --> 00:22:42,950
breach, right? So you're,
you're, you're about to,

368
00:22:43,010 --> 00:22:46,790
you issue a letter of intent
an LOI for a practice,

369
00:22:47,730 --> 00:22:52,680
and maybe that practice had a cyber
event that they weren't aware of.

370
00:22:53,460 --> 00:22:57,560
Or what I hear a lot of time, uh, being
said to me is, oh, well, you know,

371
00:22:57,560 --> 00:23:01,040
we had this thing like
two years ago, you know,

372
00:23:01,040 --> 00:23:05,440
our IT resources called it a
crypto virus. I'm like, well,

373
00:23:05,700 --> 00:23:08,760
what's a crypto virus?
Right? That's, that's a, uh,

374
00:23:09,100 --> 00:23:13,120
that's a phrase that
often IT people use, uh,

375
00:23:13,150 --> 00:23:15,760
instead of ransomware,
right? Because it's not as

376
00:23:17,570 --> 00:23:22,010
horrible sounding. Um, and the IT resource
would be like, oh, no, well, we just,

377
00:23:22,010 --> 00:23:24,810
we got rid of that crypto
virus. And then I'll say, well,

378
00:23:24,950 --> 00:23:28,090
did the hackers steal your patient
data? And they're like, well, I've,

379
00:23:28,130 --> 00:23:30,290
I have no idea. My IT company
said they took care of it.

380
00:23:31,030 --> 00:23:35,430
So what now happens is a
private equity company,

381
00:23:35,490 --> 00:23:38,750
larger DSO goes to
acquire that practice.

382
00:23:39,040 --> 00:23:43,390
Maybe they had a cyber
event in the past and

383
00:23:44,000 --> 00:23:46,020
three months after they close on the deal,

384
00:23:46,640 --> 00:23:50,810
there's a disclosure maybe
through a government agency
that finds the data, Hey,

385
00:23:50,950 --> 00:23:54,890
uh, you have 10,000 patient records
being sold on the dark web. You know,

386
00:23:54,950 --> 00:23:58,780
are you aware of this? And, you know,

387
00:23:58,780 --> 00:24:00,260
typically when the government finds it,

388
00:24:00,260 --> 00:24:05,100
it's not very much longer
thereafter that private entities,

389
00:24:05,460 --> 00:24:08,580
researchers start finding that data.
Law firms start finding that data.

390
00:24:09,000 --> 00:24:13,250
And that's kind of the escalation
to these class action lawsuits or

391
00:24:14,210 --> 00:24:17,650
attorney general, right? Of
the state or states or OCR.

392
00:24:18,430 --> 00:24:23,170
So what PE companies and other DSOs

393
00:24:23,290 --> 00:24:25,770
can do is they can conduct
cyber due diligence.

394
00:24:25,870 --> 00:24:28,770
So typically cyber companies
that specialize in this,

395
00:24:28,770 --> 00:24:32,810
this is one of the things we
do. We will conduct a, um,

396
00:24:33,160 --> 00:24:38,050
comprehensive assessment against the
practice or DSO that's going to

397
00:24:38,050 --> 00:24:42,290
be acquired. Uh, we'll deploy
some very sophisticated tools, um,

398
00:24:42,290 --> 00:24:46,410
both artificial intelligence based
as well as some tools that look for

399
00:24:46,840 --> 00:24:48,890
potential entry points
into the environment.

400
00:24:49,420 --> 00:24:53,410
We'll ask the practice and the IT
company a whole bunch of questions, uh,

401
00:24:53,410 --> 00:24:57,210
related to how they do things. And then
we go back to the DSO and say, Hey,

402
00:24:57,640 --> 00:24:59,930
here are the things that
we've identified as high risk.

403
00:25:00,320 --> 00:25:02,970
Here are some of the things that
we've identified as moderate,

404
00:25:03,350 --> 00:25:07,130
and here's a list of kind of low risk
things that you probably don't need to be

405
00:25:07,130 --> 00:25:10,890
concerned about. Um, we can also
provide information on the technology,

406
00:25:10,890 --> 00:25:13,450
whether or not it's kind of
outta date and antiquated,

407
00:25:13,450 --> 00:25:15,810
and they're gonna need to make
some big financial investments.

408
00:25:16,270 --> 00:25:19,210
But most importantly, we come
back with a risk score. You know,

409
00:25:19,210 --> 00:25:21,970
we'll tell the DSO, Hey, on this scale,

410
00:25:22,400 --> 00:25:26,530
this acquisition is low,
medium, or high risk.

411
00:25:26,790 --> 00:25:29,330
And then the DSO gets to make
some decisions what they wanna do.

412
00:25:29,330 --> 00:25:30,850
They may walk away, they're like, wow,

413
00:25:30,850 --> 00:25:32,930
they had a ransomware attack
that they didn't disclose.

414
00:25:32,930 --> 00:25:36,450
You guys found the code and the
executables, that's not good, right?

415
00:25:36,450 --> 00:25:38,610
What else didn't they disclose? Um,

416
00:25:38,750 --> 00:25:41,770
or it's something they can go back and
say to the, you know, the seller, Hey,

417
00:25:41,830 --> 00:25:45,310
are you, are you aware you had
this event? And see what they say.

418
00:25:45,770 --> 00:25:50,110
So cyber due diligence has been
very popular in other sectors. Um,

419
00:25:50,330 --> 00:25:52,470
but it's starting to become
more and more popular in,

420
00:25:52,470 --> 00:25:54,910
in the healthcare sector now.
'cause like I said at the beginning,

421
00:25:54,970 --> 00:25:56,350
no one wants to buy a breach.

422
00:25:58,650 --> 00:25:59,390
Yeah, yeah.

423
00:25:59,390 --> 00:26:04,180
Thank you for giving us all of that
information that's very important to right

424
00:26:04,200 --> 00:26:07,540
now. Specifically, um,
Gary, before I let you go,

425
00:26:07,560 --> 00:26:09,260
the last thing I wanted to ask you is,

426
00:26:09,690 --> 00:26:14,260
what are the key things these DSOs need
to assess within their attack surface

427
00:26:14,800 --> 00:26:15,633
as they grow?

428
00:26:16,430 --> 00:26:20,870
Right. So I think, I think attack
surface management is critical. Um,

429
00:26:20,930 --> 00:26:25,870
you need to understand where you're
vulnerable and vulnerabilities

430
00:26:26,410 --> 00:26:29,110
are broken down kind of into those
two buckets that I described before,

431
00:26:29,170 --> 00:26:33,630
the human vulnerability and then the
technical vulnerability. So DSOs,

432
00:26:34,090 --> 00:26:34,460
you know,

433
00:26:34,460 --> 00:26:39,230
need to be leveraging cyber companies
to look at the technical vulnerabilities

434
00:26:39,230 --> 00:26:43,360
through vulnerability scanning and
penetration testing and security risk

435
00:26:43,360 --> 00:26:45,720
assessments. And really, you know,

436
00:26:45,720 --> 00:26:48,920
kind of like virtual chief information
security officer roles, you know,

437
00:26:49,120 --> 00:26:53,240
engaging with folks that are
credentialed in the cyber world,

438
00:26:53,240 --> 00:26:56,720
like a CISSP, or HCISPP.

439
00:26:56,720 --> 00:27:01,440
These are individuals that have
legitimate cyber certifications. Um,

440
00:27:01,460 --> 00:27:05,080
so they need to be looking at that.
And most importantly, Mariah's,

441
00:27:05,080 --> 00:27:07,560
they have to be doing this ongoing, right?

442
00:27:07,560 --> 00:27:11,680
Having an assessment done today and not
doing it again for a quarter or half a

443
00:27:11,680 --> 00:27:11,840
year,

444
00:27:11,840 --> 00:27:15,960
or even worse a year is almost useless
because the cyber world is moving so

445
00:27:15,960 --> 00:27:20,640
quickly. These te these types
of tests, like I just described,

446
00:27:20,740 --> 00:27:23,320
really need to be done
almost on a daily basis now.

447
00:27:23,980 --> 00:27:26,120
So they need to look at that. Um,

448
00:27:26,120 --> 00:27:28,320
they need to look at their
policies and procedures.

449
00:27:28,380 --> 00:27:32,640
Do they have a disaster plan? Do they
have an incident response plan, right?

450
00:27:32,780 --> 00:27:35,600
So do they have a plan for a
ransomware attack, a fire, a theft,

451
00:27:35,760 --> 00:27:39,280
a natural disaster, and how do they
address it? But more importantly,

452
00:27:39,280 --> 00:27:42,720
have actually tested the plan.
That's another big issue that we see.

453
00:27:43,140 --> 00:27:44,280
Backup solutions,

454
00:27:44,520 --> 00:27:49,320
a lot of DSOs do not have a
formalized backup solution. Um,

455
00:27:49,500 --> 00:27:52,800
or they have some type of solution,
they've never once again tested it.

456
00:27:53,100 --> 00:27:54,760
So I think that's,
that's really important.

457
00:27:55,060 --> 00:27:57,840
But for the executives that
are probably listening to this,

458
00:27:58,620 --> 00:28:02,800
the most important message that I can get
out to you is you have to do the trust

459
00:28:02,800 --> 00:28:07,440
but verify, right? You have to
leverage third parties to come in,

460
00:28:08,190 --> 00:28:11,240
analyze your environment, see
what your people are doing,

461
00:28:11,340 --> 00:28:14,920
and then present that data back to you
so you can make educated decisions.

462
00:28:15,660 --> 00:28:19,680
You know, I I, I've been around for a
long time in this IT and cyber world,

463
00:28:19,700 --> 00:28:22,430
and often what I hear, you know,

464
00:28:22,430 --> 00:28:26,910
folks who are in decision
making roles is, well,

465
00:28:27,450 --> 00:28:31,710
if I had known that we had all this risk,
I would've done something differently.

466
00:28:32,330 --> 00:28:36,590
But instead, people, you know, at a
level, a level lower or two levels lower,

467
00:28:36,730 --> 00:28:40,630
say, oh, you know what? Our executives
are never gonna pay for this technology,

468
00:28:40,690 --> 00:28:42,310
so I'm not even gonna bother and ask them,

469
00:28:42,370 --> 00:28:44,990
or I'm not even gonna warn 'em
that we have risk because they're,

470
00:28:44,990 --> 00:28:47,710
they're against, you know,
investing in new, uh,

471
00:28:47,710 --> 00:28:50,750
technology or security
features. So, in the end,

472
00:28:51,720 --> 00:28:56,690
when these things go sideways and a
ransomware or, you know, intrusion occurs,

473
00:28:57,370 --> 00:29:00,470
the ones that are gonna be
held responsible are the
executives and the board.

474
00:29:00,890 --> 00:29:05,230
And my suggestion to
everyone is you need clear

475
00:29:05,240 --> 00:29:07,630
visibility, right? You're,
you're gonna be responsible.

476
00:29:07,630 --> 00:29:12,270
And without visibility into where your
security risk is, you can't address it,

477
00:29:12,640 --> 00:29:15,350
right? You may say, okay, you know
what? I'm gonna accept that risk.

478
00:29:15,450 --> 00:29:19,510
I'm okay with this risk. Or you may
say, as an executive, I'm not, okay,

479
00:29:19,940 --> 00:29:23,710
what do we need to do, you know,
to lock down our environment, uh,

480
00:29:23,740 --> 00:29:28,480
more so we're not at risk for some
type of cyber event. The last thing,

481
00:29:29,070 --> 00:29:32,880
there's some really amazing artificial
intelligence technology out there.

482
00:29:33,820 --> 00:29:37,310
It's known as XDR, extended
detection response. Um,

483
00:29:37,340 --> 00:29:40,910
this is a technology typically, you know,
cyber companies are gonna deploy and,

484
00:29:40,990 --> 00:29:44,000
and monitor. It is a defensive mechanism,

485
00:29:44,140 --> 00:29:47,600
so it's triggering when something is
happening in your environment. Um,

486
00:29:47,700 --> 00:29:51,120
but it is, it is powerful. It is
nowhere near a hundred percent.

487
00:29:51,340 --> 00:29:54,960
So everyone knows, right? There is no
technology that stops all cyber events,

488
00:29:55,340 --> 00:29:59,920
but it is a good tool that you
need to evaluate and have in your

489
00:29:59,920 --> 00:30:01,080
environment, right?

490
00:30:01,160 --> 00:30:05,280
A lot of DSOs are still running kind
of antiquated antivirus software.

491
00:30:05,390 --> 00:30:10,160
This XDR, um, software is, is a
platform you need to be investing in.

492
00:30:11,900 --> 00:30:13,240
Wow. Thank you Gary,

493
00:30:13,500 --> 00:30:17,200
so much for your time and thought
provoking responses today. Uh,

494
00:30:17,200 --> 00:30:20,320
we really do appreciate, appreciate
you coming on the podcast.

495
00:30:21,100 --> 00:30:24,520
And we also wanna thank our podcast
sponsor Black Talent Security.

496
00:30:25,020 --> 00:30:28,640
You can tune into more podcasts
from Becker's Healthcare
by visiting our podcast

497
00:30:28,870 --> 00:30:31,920
page at becker's podcast.com.
Thank you again, Gary.

498
00:30:32,340 --> 00:30:33,600
You're very welcome. It's my pleasure.

