Is cybersecurity one of your top concerns as a dental practice owner? If not, today's episode will likely change your mind. Join me in this important conversation with IT expert Reuben Kamp, where we delve deep into the chilling event of the recent cybersecurity attack on UnitedHealthcare. UnitedHealthcare was manipulated into transferring a shocking $22 million in Bitcoin to a hacker group known as "Black Cat" and this incident will serve as a firm reality-check and wake up call for everyone in the healthcare industry.
In our discussion, Reuben unwraps the tangled mess of this cyber-crisis, explaining how these ransomware attacks are affecting dental practices just like yours. Are you aware that a disturbing 6% of dental offices have already faced such debilitating attacks in 2022 alone? Our conversation pivots around the critical importance of stringent cybersecurity measures, such as HIPAA compliance, robust firewalls, ongoing risk evaluations, and how these can be your safeguard against such threats. Stick around as we close with vital insights on the gaping vulnerabilities that led to the UnitedHealthcare breach and how Reuben and his team, at Darkhorse Tech, take proactive steps to ensure that their clients remain secure and HIPAA compliant.
What You'll Learn in This Episode:
Remember, investing in reliable cybersecurity measures is the first step in protecting your valuable assets. Make sure to tune into this crucial episode and equip yourself with a robust defense arsenal against the rising tide of ransomware attacks!
For DSO integrations, startup solutions, and all your dental IT needs, let our sponsors, Darkhorse Tech, help out so you can focus on providing the amazing care that you do. For 1 month of FREE service, visit their link today! https://thedentalmarketer.lpages.co/darkhorse-deal/
You can reach out to Reuben Kamp here:
Website: https://www.darkhorsetech.com/
Email: admin@darkhorsetech.com
Phone: 800-868-4504
Facebook: https://www.facebook.com/DarkhorseTech
Mentions and Links:
Businesses/Services:
Other Mentions:
If you want your questions answered on Monday Morning Episodes, ask me on these platforms:
My Newsletter: https://thedentalmarketer.lpages.co/newsletter/
The Dental Marketer Society Facebook Group: https://www.facebook.com/groups/2031814726927041
Michael: Hey, Ruben. So talk to us. What's one piece of advice you can give us this Monday morning?
Reuben: Wow. Well, we're going to talk about cybersecurity. just recently we had United healthcare. I think you've heard of them before. Uh, they just wired 22 million in Bitcoin to a hacker group called black cat.
that name is familiar. It's cause they hit Henry shine three times last year. So. This Monday morning broadcast is about cybersecurity and how you can protect your dental practice.
Michael: Interesting. Yeah. You sent me that the literally right before we're about to record right now, the link to it and it happened, it says on March 1st, a Bitcoin address connected to, and then it 350 So then they basically United healthcare paid them, right?
Reuben: So the full story is. Last week, uh, they noticed something was wrong with their system. this is Change Healthcare. They're owned by United Healthcare. their role in a, in a dental practice is they are the middle man. They process claims.
They are also involved on e prescribe, right? narcotics, you know, you're clicking your button in your practice management software, that's getting sent to the local pharmacy. That is actually still down by the way. so we're, we're 10 days with so far. and the E prescribed modules that are powered by that are down.
What just happened? Um, but you were referring to that article I was talking about is I was going to ask you how, how many Bitcoin do you think 22 million is? But I think I already told you, it's not that much, it's like, 22 millions, about 350 ish Bitcoin. and you can see how devastating the attack was because they actually paid it.
which is insane. I think, uh, you know, when you, when you think about organization, a business that gets. Hit by ransomware. Why don't they have backups? why do we have to pay this ransom? You should have backups. Well, they either didn't have backups Which again just absolutely insane for an organization this size the backups were also encrypted which again is just mind boggling For a company of this size that they didn't take their internal IT Uh, seriously.
Michael: Interesting. So then let me ask you, because this has happened with UnitedHealthcare, oh, huge organization, right? So how could this be prevented and can something like this happen on a smaller scale, like a practice, single practice, single doc practice?
Reuben: Yeah, I mean, the stats last year. So we, um, I should say 2022 because we don't have clean data yet for 2023.
That's still being compiled. So the big kind of flashing yellow banner here is 6 percent of all dental offices had an issue with ransomware. In the year 2022. So I mean, quick math, 250 practice locations, uh, 6%. So that means 15, 000 dental offices dealt with ransomware last year. It's not a small number, the problem is getting, you know, even data further than that. Basically, once this happens and there's a breach and patient health care information is involved. we're talking about radio silence, right? The, the OCM, these government organizations try to keep it unless it's a giant thing.
They, they try to keep it relatively under wraps. Right. So this is something that a large percentage of the industry is dealing with, I mean, think about like. If 6 percent of all the drivers on the road got into accidents, that would be a monstrous number. so to answer your question, small dental practices, small DSOs, emerging DSOs, midsize DSOs, large DSOs, like Aspen Dental that got hacked last year, they're all dealing with this same problem.
But UnitedHealthcare is a larger target. Right, so they're going to attract black cat is like the creme de la creme of the hackers out there. they were the ones that did shine, as I mentioned before. were not involved in the Aspen Dental, but you know, those are three big, splashy events, that happened and are breaches because patient health information, in this case, six terabytes of patient health information, claims data, social security numbers, treatment performed, that's why they paid 22 million.
Michael: Okay, so you mentioned two things. Their backups, they probably didn't have a backup or their backups were not encrypted or encrypted or something like that, right? You said
Reuben: so how you're supposed to do backups is you're supposed to have two copies. One can be connected to your server and the other one needs to be what we call air gapped, basically one step removed.
And the reason is. What we're talking about right here. You get hit that one that's actually connected to your system directly is also going to get compromised. So that's why you need to have an air gap. You know, sometimes that's a cloud backup. that's probably the easiest way to explain it to the audience here is like you have a local backup, you have a cloud backup backup should be set up to be air gapped so that I mean, we can talk about ransomware with the building burns down, you want your backups not in all in one, not have all your eggs in one basket.
So backup. if anyone ever pays the ransom, you know that their backups are not working properly here's what happens when you have a backup hacker comes in, they encrypt your data. You say, Oh man, that sucks. And then you kick them out of the system, clean it all up and you restore from your backup.
You do not have to pay. The ransom, the ransom is there because they are saying, Hey, you want your data back? You have to pay to get it. Well, you should be like, no, I have, I have backups. I'm not going to pay you go away. so it's just like, if you ever see an article about someone making a ransomware payment to hackers, it's because their backups didn't work.
Now there's a lot that goes into protecting a dental practice. Backup is just one part of that, but it's a hundred percent of the time that if they're paying the ransom, it's because they don't have backups.
Michael: Interesting. Okay. So then this can be prevented. How besides having backups, like you just tell your it company, like, Hey, make sure everything's backed up.
That's it.
Reuben: Yeah. I'll just, uh, for the sake of ease, assume everyone works with a competent it professional. So yeah, you should say, Hey, it company, am I HIPAA compliant? Are all my systems HIPAA compliant, right? Cause that should really answer the question, uh, questions, you know, one through 100 that follow after that firewall anti ransomware antivirus software, or you're keeping your computers up to date, you know, all this boring stuff, dentists just want to practice dentistry.
And then we, you know, keeps us up at night over here on this side of the world, um, and backups. Which are the last line of defense, right? You get hacked. It's because something got through your firewall. Something got through your email filter. Something got past your antivirus software. The only reason we're talking about backups is because everything else failed.
Michael: Hmm. Okay. So this is the last resort kind of thing is if
Reuben: you're using backups, let's say outside of, I guess let's just continue to focus on ransomware, right? Because if your server fails, Hey, I've got a backup. No problem. We're going to get a new server. We're going to, but again, when we're talking about, if you're down because of ransomware and you're making a payment to this company, it's because you don't have backups.
You would just tell them, hey, thanks for, uh, that headache, go away, cause you wouldn't have to worry about it.
Michael: how common is this Ruben? Honestly, like within practices, have you seen this? Like, Oh my God, ransomware has happened.
Reuben: Yeah, we don't have to deal with it as an IT company. We work for currently 1077 distinct practice locations, right?
That's a lot of patient health information. A lot of different networks. We're not dealing with ransomware. Okay, and it's because it's not rocket science. It does take. Someone who's devoted and pays attention to the market, you do what HIPAA says you get a firewall in there, you get anti ransomware, you make sure the network is set up properly, you make sure, you know, Wi Fi is secured, backups, and this is not something you deal with.
So, you know, the fact that it's affecting 15, 000 dental offices and, you know, it's crazy. It's affecting the small, the medium, and the large, right? No one is being spared by this. You know, uh, people continue to hire professionals that are, are saying, Hey, yeah, we got you covered doc. But what's actually happening is, is not that, so, you know, it's, it's a really hard.
Position for the doctors in, right. You get, let's say you get a referral from buddy who's not in healthcare that doesn't, you know, Hey, I got a great it guy. Well, it's really important that he knows what it takes to protect your practice. Right. And again, yeah, backups is one part of that. I would argue it's the most important part, right?
Backups equals downtime. They're not set up properly downtime. Patients are walking in the door, your systems are down, you can't take x rays, they're looking at you in the face, it's embarrassing that your technology doesn't work, let's just skip that and just do it right the first time.
Michael: Mmm, gotcha. Okay, so it's more like the HIPAA compliance type of deal.
You gotta ask them, hey, are you HIPAA compliant? And if they're like, yeah, sure. Like, yeah, sure.
Reuben: Well, uh, yeah. And then I guess the, the, the follow up question, the magic words you could say is at, you know, where's your risk assessment, ask them for a risk assessment. And that's basically they have to give you a report.
And this is the first thing. If you ever get audited by OCR office of civil rights, who's in charge of enforcing HIPAA and the fines and all that, that's the first thing they asked for, where's your risk assessment, right? It is. your self evaluation, It is, Oh yeah, we have this old CBCT that only works with a Windows seven PC.
Okay. That's an identified vulnerability in your system. That should be in your risk. So that's just one example. It's basically an analysis of your practices, security profile.
Michael: Gotcha. Okay. So in a nutshell, United healthcare, were they not HIPAA compliant?
Reuben: We know they're not HIPAA compliant because they paid the fine.
Michael: We can
Reuben: skip right to the conclusion, which is, again, you're paying the fine, you didn't do your backups properly. We know that six terabytes of patient health information have been compromised. Names, date of birth, social security number, treatment provided. We're talking about, you know, claims. So prescriptions, I mean, this is a monumental event, uh, in the industry.
Michael: Yeah. And it just happened because of an email.
Reuben: So I'm glad we got to the why right? So we look at Aspen Dental. We look at Shine last year. Exactly what you just said is true. It happened just because of a single email, right? We can talk about fishing. Fishing is Someone pretends to be someone else.
Could be UPS, it could be your boss, they want you to click on a malicious link. So someone from, let's say Shine, clicked on the link, it encrypted their information, all of a sudden, you can't order supplies from Henry Shine's ordering website or for your rep, and, uh, they got hacked a couple times just because of some hubris that happened.
But, this changed healthcare, UnitedHealthcare situation is actually a different attack vector. All right. So we learned the lessons from that one. It was a great reminder, train your staff, have good email filters. Okay. This one, you want to guess how they got, you're never going to guess because it's so stupid.
All right, Michael, you know what remote access software is?
Michael: Yeah. Where you can access it from like a, another location, right?
Reuben: Yeah. All right. Well, United healthcare. Wanted to save some money, so they bought a program and hosted it themselves, I'm a small business owner like many people listening here.
I do the real thing It's a cloud product. It gets updated in real time. They bought a old product to use called connect wise And they hosted it in their own facility. Okay. And didn't update it. So black cat found the vulnerability cause it hadn't been updated in years, got into the system and the rest is history.
So lessons are, I mean, this, this is applicable to windows security updates, right? There's a reason that Microsoft releases them. call it patch Tuesday, right? There's that Tuesday they it's because people like black cat are getting into the system, right? Researchers as well are identifying and windows is releasing, patches to fix those holes in the system.
All right, well, imagine if, you know, you wait a couple of weeks, probably not that big of a deal, right? For your system to be out of date by a couple of weeks, take it back a month, still probably not six months. That's getting to be a little worrisome, right? That vulnerability has been known for six months.
Okay. Oh, now we're talking about four times that amount of time. And I keep going back to the size of these companies and it's the hubris. It won't happen to me. is just, again, it's one of those things you don't think about. I call it roads and bridges, right? You don't think about it until you haven't paid enough attention or spend enough money on it, and then something like this happens.
Michael: Interesting. All righty, Ruby, man, and your company dark horse tech covers this, right? So if I were to sign up with you guys. Immediately and ask you, Hey, make sure you do the HIPAA compliance. Everything it's already cut.
Reuben: We do not enter into client engagements without this being in place, this protection being in place.
So yes. And, uh, you know, to further accentuate presence in the industry. Um, if something ever did happen, right, I started this 12 years ago. This is not something we've dealt with at all. If something were to happen, that is going to be on our cyber liability insurance, not the clients, because that would be a failure of a service that we're providing to them.
So it's, it's probably a topic for another day, but, uh, I will leave you with, please have your it company sign business associates agreements.
MME Reuben Kamp Ransomware DRAFT: Nice. Okay. Awesome. Ruben, I appreciate your time. And if anyone has further questions, where can they find you?
Reuben: CEO of Dark Horse Tech, dark horse tech.com. I am admin A DMI n@darkhorsetech.com.
Um, email, call me numbers everywhere. You know how to reach me on Facebook, I'm around.
Michael: Awesome. And that's gonna be in the show notes below. So if you wanna ask Ruben any more questions or concerns or look into Dark Horse Tech at the same time, going to channel Notes below. Look for Reuben's name and look at those links there.
And Reuben, thank you so much for being with me on this Monday morning episode.
Reuben: Thanks Michael.