Episode #344: Cyber Security, with Debi Carr

You wouldn't give your keys, wallet, and phone to strangers — but you're giving personal information to strangers online! And you may be doing it unawares. Phishing emails, security questions, and even that game on Facebook could all compromise personal information. And to help you be proactive in protecting yourself, your patients, and your practice, Debi Carr is here to educate you on how to develop a culture of security, both in and out of the office. For expert advice and best practices for cyber security, listen to Episode 344 of The Best Practices Show!

Main Takeaways:

• We are giving away more personal information than we realize.
• Always investigate when hit with ransomware.
• When buying supplies online, buy from reputable and known sites.
• If buying from lesser-known companies, investigate before giving your information.
• Be wary of links and be aware of what you are downloading and clicking on.
• Every practice should have a security manual, and a record of the training you’ve done.
• Always use two-factor authentication whenever it is available.
• Have an IT partner that fully understands security.
• For patients and employees, have guest Wi-Fi that is off your network.
• Be proactive and create a plan. Without a plan, it will take longer to recover.
• Security doesn't begin and end in the office. Practice this everywhere.

Quotes:

• “While we’ve been living in fear, there is one group of people that have actually been thriving. This is their dream environment, because any time a hacker can create fear, can create chaos, they are going to profit. And they have done that. As we become desperate, they thrive.” (00:52—01:17)
• “In February alone, there were over 300,000 malicious websites that were listed with ICANN and WHOIS. And this is where you claim your website domain — 300,000 of them. The FBI has identified, or actually, Google, has identified over 500,000 phishing emails, daily, being sent out. And over 200,000 of those have got malicious attachments with them. It’s crazy, because they know that if they can create panic, if they can create fear, that we won't think. We’ll just click, and we’ll go with it.” (01:28—02:20)
• “We hear a lot about ransomware, but what we don't hear a lot about is the other viruses that can affect and infect a computer or a network system. And they are actually, as far as I'm concerned, do more damage. Because a ransomware attack, it’s bad. I'm not going to lie to you. That can be a devastating attack. They get into your system with a ransomware, they encrypt your system, you know they're there.” (02:36—03:04)
• “Whenever you get hit with ransomware, you should always investigate, especially now. We’ve seen more sophistication in the attacks where not only are they attacking and encrypting the data, but they are actually exfiltrating the data now. So, it’s really important that you have a forensic investigation and do the response to a ransomware attack in a methodical manner.” (03:08—03:37)
• “To me, the infection that is worse is infections such as keyloggers that sit in your system. We’ve seen LokiBot. That is a keylogger that sits in the system. And we know that it’s coming from emails. There's a lot of talk and conversation out there about contact tracing. And so, the hackers have jumped on that bandwagon and they're sending emails out from the World Health Organization saying, ‘You’ve been around somebody who has been verified with COVID-19. Click here. Download this so you know what to do.’” (03:38—04:25)
• “What they're doing is they're allowing a keylogger, which is a type of virus that sits in your network, and it basically mimics everything and traces every time you hit a key on the keyboard. So, you go to your bank, you put in your password, you're putting in your username, you put in your password. You're giving that information away to the hacker that's sitting in your system watching everything you do.” (04:26—05:00)
• “LokiBot can also happen on your Android phone as well. So, it’s really important that we watch, when we’re downloading, while we’re getting these emails, to stop and think, and take a step back and realize that these are phishing emails.” (05:03—05:22)
• “How they get your information is we give so much information. We have to in order to market, so we have it on our websites. We have it in our Facebook pages, in our Instagram, on our LinkedIn, how to contact me. Well, the hackers are going in and finding that information.” (05:30—05:46)
• “Doctors are desperate to find gowns and to find N95 masks. So, they're getting emails from people that they normally would not buy from. I know several doctors that have bought N95 masks from a source that they normally would not buy from. They got an email saying, ‘Buy here.’ They bought it, and their credit card was compromised.” (05:52—06:23)
• “There's another type of keylogger that we’re seeing called HawKeye. And what it does is it goes into your subject line. We’re so worried about information that we’ll click on anything that talks about COVID-19 or a riot happening in our neighborhood. We’re going to click. And hackers know that. And again, they're getting our information because we’re publicizing it. So, we need to be very, very cautious about what we’re reading and how we get our PPE. We want to make sure that we are getting them from a legitimate source.” (06:56—07:43)
• “It’s always best to order, even if they're on backorder, from a reliable, known site. I would even, at this point, caution on ordering from some of the places such as online suppliers where the online supplier is the main, you can order from that organization, but it’s other people actually doing the selling, because that other organization is not necessarily able to keep up until complaints start coming in. So, just be very wise and try to order your supplies from reputable websites if you're going to order online, or pick up the phone and call your Schein or Patterson rep.” (07:53—08:40)
• “As we’re coming back from home, it’s really important that we remind our patients or remind our employees about our security policies . . . Every practice should have a security manual. Every practice should have a record of the training that they’ve done on their security manual. But as your team is coming back, remind them, do a short training on opening emails, making sure that we’re not clicking on links, that you're not using the computers at work for your home computer or for your personal use anymore.” (09:33—10:24)
• “Consider changing all your passwords as you come in, just in case there is anything sitting there. And also, you've been working remotely. Consider terminating that remote access. So, making sure that we’re not having everybody having access.” (10:30—10:48)
• “To get rid of a keylogger would actually depend on exactly what the nature is, what the type of it is. It does require someone that has some technical skill because you have to go into registries. So, I would work with an IT vendor or partner that can go in, because you need to run scans on it, but you also need to be able to go in and change registry and hotkeys and those kinds of things. So, it’s not always easy to detect.” (10:53—11:24)
• “We have the antivirus on our computers, but how often are we running scans of our systems with that antivirus? A lot of times, the antivirus will pick them up when we run a scan. And it’s always good sometimes to download another antivirus and run the scan, and then delete that antivirus, just because the antivirus is the first thing that gets attacked.” (11:29—11:57)
• “We should all be very wary of this, even on our phones, even in our homes. Security does not only happen in an office. It should happen everywhere. In the environment that we live in today, we have to have that mindset, the security culture, so that even when we’re at home, we think about what are we going to click on, do we really need to follow this link. So, it’s really important. But in the office, we want to make sure that we’re documenting that we’ve done this training.” (13:15—13:46)
• “To create a culture of security, we can't just do it once a year and say, ‘We’re done.’ It needs to be an ongoing process.” (13:58—14:06)
• “[Giving employees access to Google] does leave the computer vulnerable, to a point. It comes down to training that team member to make sure that she knows that when you tell her, ‘Go look up this drug,’ to go to specific sites that have the drug listed, not that she’s just surfing Google, ‘Oh, here’s this place,’ and going out there. They're approved sites that you have listed. You vetted, as the doctor, ‘This is where I want to get my information from.’” (17:36—18:11)
• “We want to keep the business flow. We always want to remember what our mission is. We never want to vary from that. Our mission is always going to be to provide quality healthcare. But we want to make sure that we’re doing it in a manner that protects our patient, because our patients trust us to protect their information. And we also want to do it in a manner that's going to protect the practice.” (18:19—18:42)
• “When you log on to a new site — this is a site that you want to be on, so let's say your bank — they will ask you for some information. They will say, ‘In case you forget your password, here are some questions that we want to be able to ask you so that we know that it’s really you.’ So, what are some of those questions? ‘In what year did you get married? Where did you meet your spouse?’ So, what are those games on Facebook? ‘What year did you get married? Where did you meet your spouse?’ You're giving this information away. ‘What's your dog’s name? What year did you graduate from high school? List the first five people in your camera roll.’ Now, you're spreading it, because now I know who your friends are. I challenge everyone to do a Google search of their name. It'll be amazing, the things that you find out about yourself. It’s actually almost scary to find the things that you find out about yourself.” (19:25—20:30)
• “We recommend that no matter what you have, you always use two-factor authentication whenever it is available. And again, it’s about developing that culture of security. Everyone should enable two-factor authentication on your bank. On your Facebook page, you can have it now. I use GoDaddy. You can do it on GoDaddy. Yes, it’s a pain, because they're going to send you a code. And invariably, when I need the code, my phone is upstairs and I'm downstairs, or vice versa, and I have to run. I just say, ‘I'm getting my exercise.’ But it’s for our protection and it’s about developing that mindset of having a culture of security.” (21:47—22:33)
• “As you're coming back, do a check of your IT system, of your information system. Scan your computers. Make sure that there is nothing sitting on them. And have your IT partner come in and scan them. Also, make sure that your firewall is configured properly. And again, these are all technical things. This is why it’s important to have an IT partner that fully understands what security is. So often, when I go into offices, I find that they're using their 13-year-old cousin, or even the doctor is doing the IT.” (23:29—24:06)
• “I had a doctor tell me there were 35 patches that were missing — critical patches that were missing. And he looked at me and he said, ‘Do you know how long it takes to do patching?’ ‘Yes, I do. But I also know the ramifications of not doing the patching. And this is why you should have an IT guy, and you stick to doing dentistry so that these things get done.’” (24:06—24:33)
• “In your practices, you want to make sure that you have a guest Wi-Fi that is off your network, has no access to your network, and only your devices that are required inside the practice should be on the network Wi-Fi. Everybody else, including employees, should be over on the guest network.” (28:12—28:36)
• “The best thing to do is to be proactive and have a plan in place. My husband used to say having a plan is a plan not to fail. Failing to have a plan is a plan to fail.” (33:50—34:03)
• “We want to trust our IT because they're going to be an IT partner. But we need to vet them first. Trust, but verify.” (34:35—34:43)
• “A good IT partner, the BAA is going to be one of the first documents that they're going to give you, or you can have them sign. Because it’s always the practice’s responsibility to vet whoever has access to their information. So, it’s really important that you have a good IT partner. So, one that refuses to sign a BAA, we’d be looking for a new one.” (34:57—35:25)
• “Any IT partner that you have, you should vet them to make sure how they're doing things. Ask them questions. Don't be afraid to ask them questions. Ask them, ‘When was your last risk analysis?’ Doctors are required to do one annually and so are the BAAs. An IT company is a BAA, a Business Associate Agreement. These are the people that have access to either create, transmit, or store your PHI.” (35:26—35:56)
• “Hypothetically, you have a practice that is making $100,000 a month. So, $1,000 a month towards your IT. Most IT companies should be around $700 to $800. Depending on where you are, some of them are higher. It also depends on how many devices are in your office. There are a lot of variables. On Facebook, a lot of times I see questions saying, ‘How much should I be paying for IT?’ Well, there are a lot of variables that are involved with that because it depends on how many devices that are in your network, because every device in your network needs to be under the umbrella of that IT company. So, just like we charge for cavity per tooth per size, they charge by device. So, there's not a blanket cost.” (38:26—39:19)
• “Everything we do, is it going to stop a ransomware attack from happening? No. You cannot ever stop an attack from happening. But what you can do is have a plan in place to recover quickly.” (41:20—41:36)
• “Every team member should have a unique user and password to the information system. Everybody should not be using DOC. Everybody should have a unique user ID into the information system, not just the practice management but into the information system, so that when that team member leaves, all you do is call your IT company and say, ‘So-and-so is leaving. I'm going to be escorting them out of the building at 9:00 on Tuesday. Terminate their ability into the information system.’ There are so many stories that I can tell you about where they have gone in, and one person still had access to the Facebook page and posted derogatory things about the doctor. But I've also seen them go in and actually steal their records, because they still had access to the information, and steal information that they wanted.” (45:03—46:01)
• “We don't hand our keys and our wallets and our phone off to everybody. We should be doing the same thing with our passwords.” (47:02—47:08)
• “[Dentists don't care] until they get hacked. And then it’s, ‘Could I have done something? Was there something I could've done? I can't believe this is happening to me. Was there something I could've done before?’ Yes. If you had a risk analysis before, we would've told you that you didn't have versioning in your backup. We would've told you that everybody had access. We would've told you that there are people that have access into your company that shouldn't have access. We would've seen the open ports and said, ‘Okay. Let's look at these and evaluate them. Do we really need all of them?’ and make sure that your IT company is only using what is absolutely necessary, not because you've changed to a new vendor or a new IT company and they left the old ones open.” (49:57—50:36)
• “Our greatest asset and our worst nightmare is our team, because we can only do so many things to protect the team, but we still have that human element. And unfortunately, it only takes one click, one opening, and that would be it. It can download a malicious code into the system. Because our team, they're not doing it maliciously. They're doing it because they didn't stop and think. So, we want to create the culture that says stop and think before you do it. And when that doesn't work, we want to have the next step in place.” (51:01—51:44)

Snippets:

• 0:00 Ransomware has spiked during COVID-19.
• 2:36 How keyloggers affect and infect your system.
• 5:47 Be cautious of phishing scams.
• 08:58 Trust, but verify.
• 10:53 How to get rid of a keylogger.
• 13:00 Security should happen everywhere.
• 17:17 Is it okay to allow employees to access Google?
• 19:05 Be wary of Facebook phishing.
• 21:06 Develop a culture of security.
• 23:29 Have an IT partner.
• 27:19 How do you stay safe when providing patients with free Wi-Fi?
• 28:37 Is there any safe way to remotely access patient records?
• 32:17 Be proactive and have a plan.
• 34:14 What to look for in IT partners.  
• 44:50 Password management.
• 49:29 Resistance from dentists.
• 53:06 Debi’s favorite password manager.
• 54:51 Conclusion.

Reach Out to Debi:

Debi’s email: [email protected] 

Debi’s Facebook: https://www.facebook.com/debijcarr 

Debi’s LinkedIn: https://www.linkedin.com/in/debicarr 

Resources:

Splashtop: https://www.splashtop.com/press_release/splashtop-extends-affordable-remote-access-solutions-to-dentists-in-the-dws-network

TeamViewer: https://www.teamviewer.com/en-us/

LastPass: https://www.lastpass.com/

Keeper: https://www.keepersecurity.com/

Debi Carr Bio:

Debi Carr is an information cyber security and compliance consultant with over 20 years in the dental industry and 30 years in technology, focusing on information security management, business processes, and HIPAA compliance. She has built a strong foundation in the areas of consulting, speaking, and training in the ever-expanding arena of cyber security and how to use HIPAA compliance as a tool to protect a practice from financial and reputation issues.

She is certified as a Healthcare Information Security Privacy Practitioner (ISC2) and is a Certified Associate of the Healthcare Information & Management Systems Society (HIMSS). She has served as a member of the Interoperability Board and secretary of the local ISC2 Chapter. In addition to AADOM and ADMC, she is a member of the Healthcare Information and Management Systems Society, the International Information System Security Certification Consortium, and the Information Systems Audit and Control Association.