Cybersecurity is becoming more of a priority for company executives as risks and attacks increase worldwide.
U.S. Oral Surgery Management's CIO Chad Ehmke and his team recently prevented a data breach from taking place at the company. USOSM is an Irving, Texas-based management services organization supporting practices in 26 states.
Mr. Ehmke recently spoke with Becker's about the averted attack and what other companies can do to protect themselves.
Note: Responses were lightly edited for length and clarity.
Question: How have cybersecurity threats increased in the dental industry?
Chad Ehmke: Well, I don't think the dental industry is unique. Year over year, global cybersecurity attacks have increased. There's an increase in ransomware attempts. There's an increase in phishing … These attacks can very frequently be targeted towards specific people. For instance, they might go onto LinkedIn and see somebody new has joined U.S. Oral Surgery Management. Next thing you know, that person's getting emails from people [and] it looks like they might be legitimate emails, but they're not. They're getting smarter about how they're doing it. They're learning, and it's turning into an entire industry.
Q: What can you tell me about the attack that was prevented at USOSM?
CE: We have a partner we work with called Cytek and they are our security monitoring company. They have software that runs on all of our servers and PCs that helps us detect when there might have been some malicious activity. Anytime any of these detect malicious activity, they send an alert out. On a Sunday at about six o'clock in the morning, an alarm went off that somebody was trying to do something on one of the servers. Our team jumped into it right away and isolated the machine. Because we had good backups in place, we didn't even have to worry about whether or not they had infected that machine. We made sure they hadn't gotten any further on the network than that one machine, and then we just restored it from backup.
There's also a forensic process you go through to try and figure out how the attackers got there in the first place, which is ongoing. But it was scary at first. We're not exactly sure about what the initial entry point was, but we felt pretty good about the fact that we were able to respond to it as quickly as we did. If you think about what that would've been like if we weren't working with a security partner and we didn't have the monitoring software, what would've happened is everybody would've shown up for work on Monday. There would've been a message on one of their machines that says, basically, "We've got all your files, call this number and pay us money or you can't have your files back." Then it turns into a negotiation for how much you're going to pay them. Even if you do pay them, you're never sure if they took data and that they're going to later on extort you for "If you don't give me more money, I'm going to put all this customer data out on the web," which is a HIPAA violation. The next thing you know, you're getting fines because customers who did business at your location, their data was exposed and it happened through you.
Q: What is the first thing that goes through your mind as a CIO when an event like this happens?
CE: It's scary at first. It doesn't matter how many times you've been through this because you don't really know at first what's happened. You just know there's an alert. It's a crime scene essentially, so you're always peeling back layers of what happened and trying to figure out how did they get in, where did they go, what did they do? That takes some time to try and figure that out. At the same time, you're trying to make sure the practice isn't impacted and that they can still do business the next day. As the CIO, you just want to make sure the practice is ready to go and their data is safe, which is the same thing you were trying to do before this happened.
I'm amazed at the number of people who think they're safe with just antivirus, and they really aren't safe with just antivirus. You need layers of protection. The metaphor used for me was to think of a castle. If you're trying to protect the most important things, you put them in the middle of a castle and they have to get past the moat, the drawbridge and the portcullis, and then they have to get into the keep. We try to do the same thing with layers of security. You have passwords and multifactor authentication, you have network monitoring, firewalls and all those things. It can sound kind of boring, but at the end of the day, it is essential to have those layers there because if they really want to focus and get in, they're going to get in. All it takes is one person. The lady [at Cytek] who works with us said something to me the other day that was really interesting. She said, "When you're working in the security world and you're defending, you have to be right every time. They only have to be right one time. Once they're in, that's when they do the damage." It's a really interesting way to look at it, but it's scary because you're like, "Oh God, how bad is this really?" and you don't really know until you get in there and you start peeling back the layers.
Q: Who in the dental industry is most at risk for data breaches?
CE: I think it varies. If you're a hacker and you're trying to decide where you're going to spend your time and effort, you're probably going to go after the biggest payload. If you could rob two different houses and one of them had $1 million and one of them had $100, you might spend more time on the house that has $1 million and try to get in there. Hackers are the same way. The bigger targets that have unfortunately gone through one of these situations — it is unfortunate no matter who it is — have more resources to pay. If you contact a local dentist and you breach them and then you say, "Give us $5 million," you're probably not going to get it there. Larger companies make bigger targets, so you really have to know your stuff. That doesn't mean small companies are not targets as well because there's a whole ecosystem of hackers out there. They all specialize in different things. But I would say if you're a larger company and you don't have a good security program in place, you're just asking for trouble.
The other thing I wanted to mention is that people focus a lot on prevention. Prevention is important because we don't want anything to happen, but it's just as important to focus on, what do you do when it happens? The statistics will show you that it is going to happen to you at some point and the question is, what do you do if it does? That means you really have to have good disaster recovery plans [and] business continuity plans in place and make sure you are resilient and that you can operate. If something goes down and you have patients show up at your door and you don't have computers, what do you do? People need to focus as much on that as they do on preventing it.
Q: How can dental companies and practices protect themselves? What are the best ways to respond to these incidents?
CE: The first thing I would say right now is to get help. Have someone else look at your environment. Don't be afraid to have another opinion on your environment and your risk level. It'll cost you some money to do that, but it's just like buying insurance. Don't just assume you're good. The other thing is to have insurance. There's cyber insurance that's available out there. Before they'll approve you for insurance, they're going to give you a list of things they want you to do and have in place. That's a pretty good list to start from to say, "Here are things I need to do in order to be more secure." The third one is to be resilient. Know what you're going to do if it happens. Then, I'm a big believer in having a security partner. You can do it in-house or you can do it with a third party. Have somebody that can do continuous monitoring, training and penetration testing so you're always testing the environment because the security landscape changes very fast.
What it all amounts to is about what your risk appetite is. Security is a risk management discussion. It's how much time and energy do you want to spend on it versus how good do you feel about the fact that you may or may not get hit by some kind of security incident? … The people who are at risk for data breaches are people who don't think it's a real thing and the people who won't take the extra steps to be secure. It's like living in a neighborhood where the crime rate is going up and refusing to lock your door. You have to do the basic things.