Are you investing enough into cybersecurity? In this eye-opening episode, I'm sitting down with Amy Wood, a renowned cybersecurity and data breach prevention specialist, to uncover the critical importance of spending wisely to protect patient information. Amy reveals why dental practices are prime targets for cybercriminals and lays out essential security measures that can provide robust protection. From business-grade antivirus systems to the significance of encrypted emails, she leaves no stone unturned in exploring the landscape of cybersecurity for dental practices.
Amy dives deep into the cost structure of effective cybersecurity, offering a detailed breakdown of what practices should expect to spend. We explore common pitfalls that can compromise a practice's security and provide practical advice on vetting IT providers to ensure they meet HIPAA compliance and other security standards. With insights into managing costs without sacrificing security, Amy's expert guidance is crucial for any dental practice looking to fortify its defenses against cyber threats.
What You'll Learn in This Episode:
Tune in to fortify your dental practice against cyber threats and safeguard your patient information with, Amy Wood!
Sponsors:
For DSO integrations, startup solutions, and all your dental IT needs, let our sponsors, Darkhorse Tech, help out so you can focus on providing the amazing care that you do. For 1 month of FREE service, visit their link today! https://thedentalmarketer.lpages.co/darkhorse-deal/
You can reach out to Amy Wood here:
Website: http://copperpennyconsulting.com
Instagram: https://www.instagram.com/copperpennyconsulting
Mentions and Links:
Businesses/Services:
Organizations:
If you want your questions answered on Monday Morning Episodes, ask me on these platforms:
My Newsletter: https://thedentalmarketer.lpages.co/newsletter/
The Dental Marketer Society Facebook Group: https://www.facebook.com/groups/2031814726927041
Michael: Hey, Amy. So talk to us. What's one piece of advice you can give us this Monday morning?
Amy: So it's actually a very unpopular opinion and piece of advice. It's that you need to spend an appropriate amount of money in order to protect patient information.
Michael: Interesting. So we need to spend or we don't have to.
Amy: talk to us about that then.
so what I do is cybersecurity and data breach prevention. I used to be an IT provider mostly in the dental space for almost 20 years, so I know what it's like to have to. Be set up in a way to try to prevent things like ransomware, computer downtime, not planning ahead for your failures, things like that.
what I've realized is that mainstream medical has a lot more resources, both financially and just time and people to actually address all things for HIPAA or cyber security, things like that. But dental generally doesn't. It's a much smaller market. The bad news is that a lot of cyber criminals are targeting dental practices because they also know that dental offices don't have the resources.
Interesting. Okay. So then when it comes to that ransomware, and I guess spending the right amount of money, how do we know what is the right amount of money and what are we spending it on specifically?
on average, I would say if you're spending roughly 150 a month per computer in your You're about on trackand that's just for basic security prevention.
That's going to overlap with some cybersecurity. It's going to overlap with HIPAA regulations and just basic business best practices. For having computers in a business. So that's the rough price range on that. Some places are more expensive. So if you're in a major metropolitan area, you might be paying more.
You might be paying less if you're more rural or if you try to cut some corners. Which I do not recommend. As far as what things you need to have uh, let's start with the big four. You've got business grade antivirus patches and updates. So running your Windows updates, making sure all your apps are up to date, kind of like we do on our phones, where we run all the Mac updates and then the app updates.
It's the same thing for computers. Then we have business grade firewall. I'm not talking about what the internet provider gives to you. And, or Windows Firewall, that's not appropriate either, business grade firewall. And then the last one is probably the most important, it's backups. Right now the FBI is recommending a 3 2 1 approach, three kinds of backups in two different formats, with one of them being completely off site and or offline.
know that's a lot.
No,
Michael: no, no. But it's interesting. So you did mention cutting corners. Do you see this a lot? And where specifically are the most common corners that are cut in a dental practice?
Amy: So I see people not having a business grade firewall, not having encrypted email. And I'm also seeing a lot of computers right now that people did a whole bunch of upgrades from Windows 7 to Windows 10, but they didn't actually replace the computer.
They just put a new operating system on an old computer. And now we're a few years into that, and these practices want to do things like, Add Conebeam or add 3D Invisalign or anything like that. And they can't do it because these computers, while they might have a current operating system on them, they're really, really old and they just can't handle it.
So that's a very common corner that I see cut.
Michael: Okay. So do we have to. Always upgrade our computers. Like all right, we all have to buy new computers every five years. Kind of thing. Whenever you're gonna do an upgrade like this.
Amy: Yeah, I think it really depends on I'm gonna put my former IT provider hat on for a minute.
Uh, I think it really depends on how you purchased it. Did you overbuild it when you purchased it or did you buy the cheapest thing you could at the time? So if you bought the cheapest thing you're looking at maybe three years before it really starts giving you problems. And if you overbuilt it to start with, you're still looking at five years.
You might be able to stretch it just a little bit longer than that, but three to five years is the current standard of care. Kind of That expectation for end of life.
Michael: Now, what are the really big problems it could get? Let's just say the three or one and you're like, Maybe some people are listening like, Amy, it's been five years and mine's just doing pretty well.
It's slow, but what are the really big problems we need to look out for?
Amy: So it's things that won't work with older computers, let's say your printer fails. hopefully you have more than one printer in your office, but you have a printer fail and you get a new one. It might not work on that older computer.
Or if you have an older operating system on it, you might find that if you're doing anything electronically with your bank, they might not work with that. It's not compatible. So there's this whole interoperability engineering process that has to happen with computers. And it's a lot less important than it was.
10, 15 years ago, but dental is about 10, 15 years behind technology wise. So It's a little more complicated than the rest of general business and even mainstream medical. So depend on your IT guys to actually know how to engineer a solution, not just a product. Kind of Like dentists do. It's not what kind of implant you use.
Yes, everyone has a preference, but it's more about how you the professional are actually implementing this as a solution for your patient. Yeah.
Michael: Interesting. And now one 50 a month, roughly to be on track per computer.
Amy: I'll be honest. I charged a lot more. I lived in the San Francisco Bay area.
we had much higher cost of living.
Michael: Interesting. Okay. So then depending on where you live and you're at one 50 a month per computer, this is how much we're looking at to when it comes to just protect our data from like any ransomware attacks. Okay. Disasters or anything like that. That's the basic.
Okay. Because I see a lot in specific groups and specific places, Facebook groups, right? Where they're like, I need a lower quote. I need something different. And so if people are finding a lower quote.
Amy: Refurbished computers, which basically means they're new to you, but they're not new computers. I have seen where the I.
T. provider is not installing all the programs on the computer. They push that back onto you as the practice to do that work. I kind of look at it as, It costs a certain amount to do a certain job for any specialist any, contractor, you contact a plumber and electrician. It costs a certain amount to do the job if they're charging you less.
Something isn't happening. And it's the same way with computers and with security. Something isn't being done because there, there are metrics out there. We know what it costs.
Michael: Commonly, what's not being done that you've seen by like agencies, like it.
Amy: I have seen not the right kinds of backups. I have seen not having a properly encrypted email.
I have seen the wrong kind of patches and updates being done where people think it's being done, but it's not. I've also seen a lot of IT providers use the this will make you HIPAA compliant. Um, I've also seen a buzzwords of, uh, this will make you HIPAA compliant.
And the reality is HIPAA compliance is thousands and thousands of pages of regulation and recommendations and tech information. And in terms of HIPAA, the technology portion of it really only represents about 20 percent of HIPAA as a whole. So it's the most expensive and the most fast paced and changing aspect of HIPAA.
But it's also the smallest portion of that regulation. So if an IT provider is saying, Hey, we're doing your HIPAA for you. They're doing 20 percent of So I'm seeing a lot of things like that.
Michael: Yeah. So can they ever do 100 percent of it or no? Or it's just like, no, it's not in their wheelhouse. Interesting. So they're just doing the 20 percent of it. Now, what questions should we ask them when it comes to like, Hey, are you doing a proper backup? And they're like, yeah, you know, how would you even know? thank you. I can tell you're doing it. So what questions should we ask when it comes to these type of scenarios?
Amy: Obviously that so one of the cool things about HIPAA and know I'm the weirdo, I like. regulation. I like being a rule follower. I am the weirdo that loves HIPAA. Part of HIPAA actually requires that you as a healthcare provider and professional do something called due diligence review on any of your subcontractors and business associates, which basically means all your vendors that touch practice management data and patient information.
And. Part of that is asking really intrusive questions. So things like, how do you log into our, computer systems? Do you yourself do HIPAA training for your team members? Do you have cyber insurance? So if you screw up we don't have to foot the bill as a practice. And I think the most important one is, do you offshore any of your services?
So HIPAA is a U. S. law and doesn't always follow companies out of our borders. And so that's when contracts become really important. That's when having, black and white in writing evidence from them that can hold up in court. Companies like Change Healthcare right now is dealing with a massive data breach for a second time in the last month.
And they're having some issues because some of it is due to their lack of security internally. so these are a lot of questions that you can ask, not just IT providers, but all vendors.
Michael: Yeah, I know. I feel like with those data breaches Like United Healthcare right, and all them, when it happens, you're kind of thinking like, well, if it got them, we're a small practice, right?
Or maybe a multiple practice location, but you're kind of wondering how well is our IT company doing? Or, on the flip side, Amy, let me ask you, how often is this overlooked? How often do you see people kind of just say, it's just IT?
Amy: They think it's a commodity in general. Those dental practices look at IT as it's interchangeable.
And I adore my father in law dearly, but he comes from a generation where he thinks that all things are equal. The only difference is price. And I see a lot of that in the dental industry. And unfortunately, when it comes to this, that's not true at all.
Michael: So is there anything we can do to, I guess, I guess, lack of a better word, like negotiate or if we're like really counting our pennies here and we're saying, Hey, I just can't foot that bill.
150 per computer. Is there anything we can do or you got to swallow it?
Amy: I think it really depends. That, that pricing is really for kind of a full service. Dental is fraught with all kinds of technology problems. Things just don't always work well. It's antiquated software. Even if you're on cloud, there's still problems.
It's just, Finicky and persnickety in general, just dental software is fraught with problems. So if you need someone to just take care of all the problems for you, that would be more of that price point. I know there are a lot of it providers. my own former business was the same way we would do just the security suite.
So just the security products. And if you needed. Traditional IT support, as in my printer isn't printing, I put an x ray in the wrong patient's chart, my email isn't sending, I don't know what's going on, the sensor won't fire, things like that. That's what we would consider traditional IT support. a lot of IT companies can bill those hours separately.
So that's one way without cutting corners on at least the basics of security. I will tell you that from an IT perspective, if you have those basic business best practices in place and there's some situational awareness on part of the IT provider, then when something happens, it's going to generally be a five to 15 minute problem.
Instead of hours of billable time. So we did the calculations for years and we found that most people came out ahead financially by going on the all you can eat option, and they would call us more frequently, but we both had the financial incentive of getting them back up and running as quickly as possible.
So we were both losing money if they were down. Whereas in that break fix model, if you're down, the it guy makes a lot of money. So every contractor is believed to just be milking it for the hours flip that model on its head. It's entirely different. And then guess what? best part is now you're not low hanging fruit for cyber criminals.
Because you've got at least baseline of security in place. And the reality is most of these hackers, you've got two different categories. You've got people that are going after MGM Shine and Change Healthcare. And you're not stopping someone who's a determined threat actor that's going to get into one of those organizations.
They'll find a way into those big companies. But for the most part Small dental practices, the ones that are getting hacked, they're easy targets because they don't have even the basics in place.
Michael: Okay. Interesting. Awesome. Amy, I appreciate your time. And if anyone has further questions or concerns, where can they find you?
Amy: Copperpennyconsulting. com. I'm all over social media too. I do lots of fun videos, even though HIPAA and cybersecurity isn't always known to be fun or happy.
Michael: That's awesome, Amy. I appreciate that. We all appreciate it. And that's going to be found in the show notes below too, if you want to reach out to Amy.
So thank you, Amy, for being with us on this Monday morning episode.
Amy: Thank you.