The Dental Integrators Association’s (DIA) Michelle Hambidge and member, Dan DeSteno of Nova Computers Solution, sat down to have a chat with Stuart Crawford of Ulistic’s The MSP Show.  The topic? The benefits to providing vertical based specialized expertise in Dental IT Support.  How Nova Computers is able to leverage the community that the DIA provides to increase his MSP business; and how you can too.

 

https://youtu.be/22P3YjSXKfA

 

This is an article written for Sally McKenzie’s newsletter The Dentist’s Network which can be found Here

By Patrick Jacobwith, CEO Sunset Technologies, DIA Board Member

 

 

 

If you are connected to the internet, this is a must read.

Imagine, it is Friday morning. You stop at the local coffee spot; your mind is on the day and weekend ahead. You are thinking about your patients, events for the kids, and chores at home. Your life is smooth right now, your business is thriving, and you love where you live.

What is any dentists’ worst nightmare? Losing their data? Losing their business? This story includes both possibilities.

Your phone rings and it is your office manager telling you the computer is not working. Probably no big deal, you head to the clinic. What happens next tears at your chest. Good people, taking care of others, are put into a terrible situation by a faceless cyber-criminal.

 

DIA Member Case Study

Upon arrival the doctor and staff see a ransom note on the computer asking for seven bitcoins (approximately $60,000) to get access to the data…the clinic has been hit with ransomware. This begins an distressing emotional rollercoaster.

IT Support receives the first call at 8:09am. The clinic’s system was infected with a “Zero Day” type of ransomware, which means this attack was new to the entire world. We verified the Zero Day designation with the FBI. IT Support deploys its emergency response team comprised of on-site and remote staff.

 

The Rollercoaster

Friday

Concerned but hopeful – There are patients walking into the clinic and you have no ability to check them in or see any of the details of their appointment. The team quickly pivots to paper and stress is building. IT Support validates the cyber-attack and begins the restore process.

Concern rises – IT Support arrives and brings loaner equipment and begins to look for the backup files. The doctor has been thinking about the backup. He grows concerned because there have been no updates for some time from the outside company he uses for his backup (not an IT Support solution). He remembers receiving daily emails regarding the backups.

 

Shock then stressed out! – IT Support confirms, the outside company was not backing up the practice management system, only other parts of the business. The most recent backup files for the practice management software are seven months old. IT Support begins two processes on parallel paths:

1. Find any back doors or other methods to restore data
2. Track down the perpetrator and try to negotiate

The doctor leaves the clinic in disbelief. Desperate thoughts enter his brain. He is unable to eat yet had to attend a friend’s birthday party and pretend nothing has happened. He has called his partner and they are thinking:

Raise money and just pay the ransom. They know this could lead to more demands and more money and still not get the data back.

They live in a small town, this has put the business in jeopardy. If word leaks out they are concerned they may still lose patients or the entire business.

Was this a HIPAA breach? If so, what do we do with that?

Try to rebuild the data manually.

Start over.

What happens on Monday morning?

 

Saturday

No sleep. Stress remains constant.

IT Support Path 1 – IT Support has had no luck finding a back door. One of the doctor-owners is at a game for their child, but mentally completely absorbed with what might happen. Waiting is horrible.

IT Support Path 2 – IT Support’s cyber team has begun to track down the cyber-actor. There are methods that have been deployed and developed as a member of Infragard (a private sector organization tied to the FBI) to track down cyber-actors.

With cyber actions, in general, there are two possibilities i) a larger organized crime entity or ii) an individual. In this situation the team caught their first break, the cyber-actor was an individual, larger organized crime entities do not typically negotiate. In these situations, the clock has started, which is usually 36 hours. Also, payment is only through bitcoin. As a result, time is critical. After fast research, an initial email is sent. The game of cat and mouse is on.

 

Sunday

Helpless, Insecure, Depressed and more…

The doctors call an all-staff meeting on a Sunday. The situation is dire. The entire team digs through the garbage, they look through all paper files to try to lessen the blow and solve Monday. The team does find one ray of sunshine: the clinic uses an online appointment reminder company and have one-week’s information! They can at least deal with Monday, yet the larger questions remain. The team goes home after several hours at the clinic. The doctors are still full of doubt and continue to wait.

IT Support Path 1 – New computers have been put in, the team is working on restoration plans, either if they receive a key, or if they need to rebuild. The team is in constant and close communication with the doctors, which at least provides some sense of relief.

IT Support Path 2 – The cyber team has been playing email cat and mouse with the cyber-actor through the night. The negotiations have been fruitful, break-throughs have occurred. Late Sunday afternoon, the decryption key was received, and the process began. IMPORTANT NOTE: the game is not done, because the cyber-actor can still disrupt the decryption. The conversations are continued while the lengthy process of decryption is performed.

 

Monday

Very early Monday morning, the data is restored. The cyber-actor realizes he has been beaten – until another day.

The total negotiated ransom:                                                                           $304.55

 

Back to the Zero Day designation: IT Support also reported all of this information to the FBI (IGuardian), which resulted in helping many organizations across the country.

Monday

Relief!

The doctors have avoided a potentially catastrophic event to their business. The rollercoaster of the weekend is behind them. One doctor commented after, “I feel like I lost one year off of my life!”

 

Summary

We roll the clock back on this story. The clinic decided to stick with a separate backup solution from the IT Support recommendation. Unfortunately, as hackers become more sophisticated, situations such as these happen more often. Let a qualified IT Support team, like those in the Dental Integrators Association, help you to minimize your risk. The DIA is an organization dedicated to educating IT professionals. We want to be sure you have cutting edge knowledge on your side, let us help you!

 

Patrick Jacobwith is the CEO of Sunset Technologies a multi-state organization based in Minnesota.  Patrick is also the President of the Dental Integrators Association.  He believes in excellent service and building healthy and productive relationships.  Patrick’s core values are built on three words: Service, Humility and Love. Patrick can be reached at patrick.jacobwith@sunsetsecure.com

 

 

 

 

 

 

This is an article written for Sally McKenzie’s newsletter The Dentist’s Network which can be found Here

By Wesley Robinson, President of Integrated Axis Group, LLC and DIA Member

 

If you could put part of your practice on autopilot, would you?

Every twelve to eighteen months, computers double their capabilities, and so does the information technologies that use them. Currently, there is regenerative medicine in clinical trials using consumer wireless computer-brain interfaces for $300. If we can do this today, what will it be like in twenty years, when technology is a million times better? Three-dimensional processors and memory drives along with biological, photon, and quantum computing will keep the rate of information improvement at an exponential pace.

So, without getting too technical, here are a few of my observations based on current emerging technology and solutions.

Softbank Robotics launched its first 58 cm in height NAO Robot in 2006. In 2009, a 140 cm tall humanoid ROMEO Robot project with the goal of assisting people facing a loss of autonomy. Then in 2014, the first personal emotional 120 cm in height Pepper Robot was launched. Pepper can identify the main emotions: joy, sadness, anger or surprise. He is also capable of interpreting a smile, a frown, your tone of voice, as well as the lexical field you use and non-verbal language such as the angle of your head, for example. The combination of all this information enables the robot to determine whether his human interlocutor is in a good or a bad mood. These are just a few of his capabilities.

We recently integrated Pepper a human-shaped robot in one of our Orthodontics offices. Currently, Pepper is just interacting with the patients and families as they enter the office. Both Pepper and NAO are entirely programmable and offer infinite possibilities to enrich the customers’ experience and office assistance. For example, patient education, registration, scheduling, electronic collections, patient photo and questionnaire to name a few. Plans are to also include staff training, inventory assistance, and order supplies.

It still takes time to integrate Pepper into a practice; however, as robotic technology is adopted and can be shipped pre-configured based on application, they will be easier to implement. It’s exciting to see the interaction of employees and patients of all ages with Robotics. To learn more about SoftBank Robotics, visit their website.

 

If you never had to ask a patient to fill out a registration, history or consent form, would you?

As the Hospitals, Dentists, Doctors, Labs, Pharmacies, Insurers, Researchers, and Patients continue to require improved collaboration, MediChain is solving the problem. For my entire Healthcare Information Systems career, this has been frustrating and inefficient due to proprietary solutions and government regulations.

MediChain is a Healthcare Big-Data platform that provides a safe way to store sensitive information without the need for trust. By using a combination of blockchain and off-chain storage of EMR, MediChain is creating a simple way to transfer information between entities. With this app, a patient can share data from their dentists, doctors, pharmacies including non-prescription medication and devices like smart watches, smartphones. Their complete records are accessible with anyone or any entity they see fit by granting access by exchanging their decryption key. As the records update so are yours, without having to enter or request updated information once the patient grants access.

Emergency access is in an extended version of MediChain even it the patient cannot give consent. This advancement will ultimately save lives by allowing easy access to accurate patient information.

As with any new technology, the current concerns with blockchain are HIPAA, PHI, FDA 510(k), IEC 60601-1 and ISO 12485 compliance. Health Information Exchange security is crucial in healthcare, especially as data sharing becomes more popular. It will need to take into consideration national and international regulations as data travels.

MediChain is currently in trial with a minimum viable product (MVP) at pain clinics in the UK. The trial has already attracted positive feedback from major pharmaceutical companies, medical technology solution suppliers, and an internationally recognized independent research institution.

Other businesses are working on bringing the EMR to the blockchain; however, MediChain has stood out to me based on these scalable and sustainable solution. To learn more about MediChain, visit their website or read their whitepaper.

 

Wesley Robinson Owner / President & CEO of Integrated Axis Group, LLC  a National Managed Services Provider (MSP) based in Texas. He has been in Healthcare Information Systems for more than 30 years and is a founding board member of the Dental Integrators Association.  Married to Kelly Robinson, DDS a third-generation dentist, they have three sons and a daughter-in-law. He has personally helped countless Healthcare Providers create efficient technology strategies and service solutions that fit their unique needs.

Wesley can be reached at WRobinson@IAG-USA.com

 

 

 

 

 

 

 

This is an article written for Sally McKenzie’s newsletter The Dentist’s Network which can be found Here

By Mike Whaley, Director of IT Security for CRC Technologies and DIA Member

 

It has been estimated that it can cost the victim of a healthcare data breach (the patient) $13,500 to recover after their medical data has been stolen. A Ponemon Institute Study on Medical Identity Theft (publication date 2015) compiled these costs based on credit restoration, reimbursement to healthcare providers for fraudulent claims, and correcting inaccuracies in health care records. Due to HIPAA privacy regulations, victims of medical identity theft must be involved in the resolution of the crime. Those who have resolved their crime spent, on average, more than 200 hours working with their insurer or healthcare provider to make sure their personal medical credentials are secured and can no longer be used by an imposter, and verifying their personal health information, medical invoices, claims and electronic health records are accurate.

Dental professionals are keepers of some very sensitive, embarrassing, and potentially discriminatory data. Dental professionals are also keepers of enough information for one person to easily create a false identity – therefore it is necessary to take measures to keep patient data safe.

Most of a dental practice’s technical security controls are provided by their IT vendor, such as firewalls and antivirus. Hopefully the practice is already taking their IT vendors technical security control recommendations seriously and implementing them. Controls are also driven by the practice, such as security cameras or security policies and procedures, and access controls like door locks and server room locks. Even if a practice has their security locked down, it could easily take only one of their employees to accidently download and run a malicious program delivered by email or a website and BOOM – the practice data is ransomed, or the computers are suddenly being remotely viewed and staff keystrokes logged while login credentials are stolen.

If properly trained, staff can become the biggest guard against cybersecurity threats. They will become the human firewall. Security threats can come from many different directions like email phishing, the internet, phone calls, or an in-person visitor. Training employees on a regular basis about cybersecurity threats is called Cybersecurity Awareness Training.

Ongoing cybersecurity training helps to prevent bad outcomes from threats like phishing, which is when the bad guys trick a person into following a malicious link in an email or downloading an email attachment. A study reported by the INFOSEC Institute reports that, “…26% to 45% of the employees of the chosen companies were susceptible to phishing. With the security awareness program, that percentage decreased by 75%.”

Ransomware is a big moneymaker for the bad guys. If a practice downloads malware that ends up encrypting their patient data and demands money to unencrypt the data, this can cost a practice thousands of dollars in ransom to decrypt the data. Plus, if hit by ransomware, HIPAA requires practices to prove their data wasn’t taken by the bad guys, so it could be a double whammy with fines.

Cybersecurity Awareness Training programs aren’t expensive and there are plenty of options out there. Implementing a Cybersecurity Awareness program shouldn’t be a one-time event, it needs to be ongoing and training needs to take place quarterly at a minimum to be effective. The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce recommends training modules, testing users, simulations, posters, and newsletters as part of the program.

Popular security awareness training vendors include KnowBe4 and PhishMe. KnowBe4 includes phishing, fake voice calls, and they can even send a USB drive to the practice to see if staff will plug it in. PhishMe is one of the more senior companies in the space and has perfected the phish and training that goes along with it. If an end user clicks on a link in a phishing email, it will send them to a training web site. One organization to consider is SANS for their cybersecurity training. They are an organization made up of cybersecurity professionals and have a good reputation for being on the forefront for training end users.

Practices should be on the lookout for cybersecurity training that is offered from their HIPAA consultants or their bank if enrolled in a PCI compliance program. They may have training modules included with their online solutions. The practice’s IT vendor might have some good options for cybersecurity awareness training programs and may already have a program they can refer to or administer.

Rather than a costly breach or a down server do to ransomware, Cybersecurity Awareness Training can help build the human firewall and keep out the bad guys. Loss of patient data can cost not only the practice time and money, but it can cost the patients time and money also. Training programs are easy to find and easy to administer. Stay safe out there!

 

Mike Whaley is the Director of IT Security for CRC (www.crctechs.com ), a managed service provider based in Seattle, Washington. Mike has more than 20 years of client and project management along with a formalized education in Network Administration.

CRC is a proud member of the Dental Integrators Association, a network of leading independent dental technology integration firms from across the country. It was formed to create and deliver a higher standard of quality and care for dental practice technology integration.

Mike can be reached at: mike@crctechs.com