A Conversation with Anatomy IT on Cybersecurity in Dentistry: Protecting Your Practice and Patients
August, 2024 EP. 007
Posted on 8/1/2024 by WEO Media
In this episode of Marketing Matters with WEO Media, we dive into the critical topic of cybersecurity in dentistry with experts Bill Sintiris and Clint Delander from Anatomy IT. As cyber threats continue to evolve and target healthcare providers, including dental practices, it's crucial for dental professionals to understand the risks and take proactive measures to protect their patients' data and ensure business continuity.
Episode Highlights:
• The Growing Threat Landscape: Learn why dental practices are increasingly becoming targets for cyberattacks and the potential consequences of a breach.
• Real-World Examples: Hear about recent cybersecurity incidents affecting dental practices, including ransomware attacks and third-party breaches.
• Immediate Protection Measures: Discover the five critical steps dental practices can take right away to improve their cybersecurity posture.
• The Importance of Backups: Understand why proper, "air-gapped" backups are crucial for recovering from cyberattacks without paying ransom.
• Staff Training and Awareness: Learn about the role of employee education in preventing phishing attacks and other social engineering tactics.
• Cybersecurity for DSOs: Explore the unique challenges multi-location dental organizations face in protecting their networks and patient data.
• Making Security Affordable: Get insights on how dental practices can prioritize and budget for essential cybersecurity measures.
• Disaster Recovery Planning: Understand the importance of having a documented plan for maintaining operations during a cyber incident.
• The Role of Cyber Liability Insurance: Discover why having proper insurance coverage is crucial in today's threat landscape.
To connect with Bill or Clint, you can reach them on LinkedIn or email them at Clint.Delander@anatomyit.com and Bill.Sintiris@anatomyit.com.
Follow along with the transcript
Joseph: Welcome to Marketing Matters with WEO Media. Today we're addressing one of the hottest topics in dentistry, if not the world, cybersecurity. To help us tackle this critical subject, we've got our friends and experts here from Anatomy IT. Thank you for joining us, gentlemen.
Bill Sintiris: Thank you, Joseph.
Clint Delander: Thank you for having us.
Joseph: Great having you here. Let's start with both of you sharing a little bit about what you do and who you are.
Bill Sintiris: Absolutely. So I'll jump right in. Thank you for your time today. We're looking forward to this conversation. My name is Bill Sintiris. I'm with Anatomy IT. I'm the Chief Product Officer. Prior to that, I was the Chief Operating Officer for two and a half years. I joined Anatomy IT three years ago after a 25-year career in IT in hospitality. So over the last two and a half, three years, I've been focused on driving healthcare IT and cybersecurity into the mid-market and lower end of the healthcare market space, providing solutions that are tailored towards small practices all the way through critical access regional hospitals.
Clint Delander: Great. And I'm Clint Delander. I'm also with Anatomy IT. I'm a business development executive here. I've been in the dental IT space for over 20 years in various forms. I recently joined Anatomy IT through an acquisition. They acquired a business that my partner, Zach Spaniel, and I started called Manta HealthTech. We provided managed services and cybersecurity solutions primarily to dental offices.
Joseph: Thank you Clint. Great having you here. Bill, what are you seeing in the market specific to cybersecurity and dental offices?
Bill Sintiris: Yeah, I think that's a great question. I'll start with healthcare in general and then we'll target specifically around dental offices. So healthcare, as you know, over the last several years has become more and more of a target of attacks. The threat landscape is continuing to evolve. And one thing that we're seeing from our clients is that they need to keep on top of the ever-existing threats and evolving threats, and they need solutions that can go along that journey with them. So one thing that we're seeing for sure is a deeper investment into cybersecurity by our clients, an investment into overall governance and resiliency planning, and then an investment into training and user awareness training.
So when you start to break it down, our healthcare partners are definitely seeing an increase in investment into cybersecurity tools as well as overall practices because they are becoming more and more targets. And for them, their focus is twofold. One is to protect critical patient data and two, ensure the availability of systems so they can continue to provide care.
Now, specifically to the dental market, the dental market is becoming more and more of a target even in the last several months. So in early May, you may have seen the ADA announced a bulletin along with the FBI where they were seeing an increase in threat activities targeting dental practices. And so there were a few things happening there. One was typical social engineering scams where they were trying to get into the systems, get access to critical patient data. And then certainly that was disrupting business activity. So there are some precautions that are coming out from the ADA that I think are very, very spot on. And they're based upon the CISA recommendations and we can certainly talk about those and what that means for dental practices.
Joseph: Clint, do you have any specific examples of what you see or what's happening in dental offices, dental practices?
Clint Delander: Yeah, Joseph, there are a few that come to mind. One thing is most recent, the breach with Change Healthcare. So it's a third-party insurance processor that a lot of dental offices used and small medical offices used and they were breached. And as a result, for about three weeks, practices were not able to submit claims to insurance companies. It affected millions of patients. Right now I'm just actually looking at some of the recommendations that the Office for Civil Rights is stating in a bulletin here regarding offices needing to notify their patient base about the breach as well. So the notifications are underway, which obviously requires a lot of resources from a dental clinic, especially in an office that is already stretched for resources, but also there's the impact of cash flow.
Imagine three weeks of not being able to receive payments from an insurance company puts strains on the office operations. I even had some customers who had to seek outside capital and tie up their credit just to bridge the three weeks and the time that followed until they would receive payment from the insurance companies. So that's a large, scaled breach that occurred just recently.
But I also have a couple of situations that I was involved with. One of them was I met with a young dentist at a trade show. He had just purchased an established practice from a gentleman that retired. And the retiring dentist did not have an IT company. He did his own backups and managed it all on his own. And the gentleman that purchased the practice was trying to learn more about the services that we provide and all that comes along with it. And he chose at the time not to move forward as he was still getting his arms around cash flow and prioritizing his spend and where to invest. And then about three months later, I remember vividly, it was a Tuesday before Thanksgiving, he called me and he's like, "Clint, I need your help."
And I said, "What happened?" He goes, "Well, I went into my computer today at work, and there I was informed that I was infected with ransomware." And he described what it looked like, and he had a choice to make, which was to either pay the ransom in the form of Bitcoin or lose the ability to access his data. So I advised him to look at a backup, his most recent backup, which he then told me that a backup had not occurred, a successful backup had not occurred for over two years. So he was really in a spot, which was obviously very unfortunate for him.
So what he chose to do was to pay the ransom. So I helped him facilitate that transaction through a colleague of mine that had Bitcoin. And fortunately for him, his only way out was paying the ransom and he was able to get the code that unencrypted his data. And fortunately, the patient information was not breached as a result, but a disaster in the making nonetheless.
Joseph: It's terrifying. I know the question on everyone's mind is, what can I do today, like right now, to protect myself from something like this happening? How do you answer that?
Bill Sintiris: Yeah, I can jump in there. So I think there are a few things that you can do immediately, right? And I think this is where I think the ADA did a very good job highlighting some of the precautions you can take. And I think there are a few more. So the ADA very specifically came out and said, teach your team to recognize and avoid phishing scams. And what that means is user awareness training on what security scams are out there, how to avoid them and how to protect your patient data. First and foremost, training is so critical to our employees to make sure that they really understand how to protect patient data. That's the first step.
The second step is to really require complex passwords. In the case that Clint talked about, there are a couple of breakdowns. One, they were compromised, and then two, they didn't have the data accessible, but they could have avoided compromise by a couple of things. One, making sure they have complex passwords. And then two, making sure that they leverage multi-factor authentication. So when they log in, you want a second factor of authentication. There are a number of tools out there. And a lot of online tools are now moving to second factor authentication to send you a text code. That's a very common thing to implement and should be implemented across all key systems.
And then finally, updating all business software. So what we see a lot in healthcare is that there are a number of legacy systems still in service, a number of legacy workstations, servers, and even applications. So having a holistic plan to update and modernize your systems to supportable levels is critical. When Microsoft stops supporting an operating system, that's a big risk for an organization to take on because once they stop supporting it with security updates, those become target vectors for attacks. So certainly update your business software and the underlying operating systems.
And then I would say the final one, which they don't touch upon, but I think is really important, is the ability to back up and confirm the quality of your backed up data. So in the case that Clint talked about, this organization, they weren't backing up their data effectively, nor could they recover it and avoid paying the fee to get their data unencrypted. Had they had a backup that was separate from their internal systems, what we call air gap, they would have been able to quickly recover and avoid the disruption in service. So those five things I think are super critical to do right away.
Joseph: I'm glad you mentioned the backup, especially since Clint mentioned that. I've heard, again, I'm not the expert, but I've heard that one of the first things a smart hacker does is poison the backup before anything else. And so if you have that backup that's current, and you mentioned air gap or some kind of a gap, meaning it's completely separate from the system itself that's inaccessible to the hacker, then you would not be held hostage, would you?
Bill Sintiris: Absolutely, absolutely. So it's a critical step and you're right to call it out. Air gapping really separates the infrastructure. So if one set of infrastructure is compromised, you still have the backup copy in a safe place and that's going to be critical. Some practices do choose to do that backup on the same network and on the same devices that get compromised. And as you rightly called out, that will be the first thing they compromise to take away your recovery.
Clint Delander: Yeah, we often say it's like a game of whack-a-mole, right? They come up with a new way to penetrate the network and a new way to disrupt things. And companies like ours are closing that door and then another door gets opened up and it's this constant game, if you will, almost.
Joseph: Are there any cybersecurity needs of a dental practice that are in any way different than what you see in healthcare in general?
Bill Sintiris: No, and Clint, I can start and I'd love your opinion on this as well, but I would say not really, right? So what we see in most dental practices is a common set of tools, typically somewhat modernized. And as long as you're doing endpoint detection and response on it, which is kind of the next level of antivirus protection, so threat detection and management, if you're doing that across all systems, you're covering yourself pretty well, along with the practices that we already talked about. But that's common across all medical practices. So nothing different necessarily about dental that we see and we have a common set of tools that we can bring into dental environments that protects that data.
Joseph: What about with regard to DSOs? Is there any particular additional challenge for a DSO than a single location dental office? Anything come to mind?
Bill Sintiris: Yeah, well, there are a few things that come to mind and Clint, I don't mean to jump in again, but certainly when you're working across multiple practices, you always have to think about the network connecting those practices. So if there is some shared systems or environments that need to be connected, you need to think about the integration points. Whereas a typical single practice will not have those integration points, you will have that typically in a DSO scenario. So you have to make sure those are protected, locked down and then obviously gapped enough to where there can't be exposure across it. Clint, I don't know if you have anything else to add on that.
Clint Delander: No, I just think, you know, going back to some of the challenges that a dental office has, you know, the stereotype is a hospital has a larger budget, more resources at their disposal, and, you know, an individual dental practice doesn't have that same means to protect themselves. What we try to do, at least on an annual basis, is have a business meeting with owners so they understand where those gaps might be, and then almost put a treatment plan in place with them, like they do with their patients. Oftentimes it's phased based upon budget or where we think the biggest gap is. We want to close that one right away and then be making decisions about things that are also coming in the near future.
Bill touched on end-of-life software, so that means that the manufacturer is no longer going to provide updates or patches for that software, and we have a big one on the horizon here where Windows 10 will no longer be supported, or end of life, here in October of 2025. So that's something that all offices, healthcare, dental, whoever it might be, should be aware of and how that impacts them, because it's just around the corner.
Joseph: Updates represent a specific vulnerability, don't they?
Clint Delander: Oftentimes, dental offices count on their managed services provider to perform those updates for them on a regular basis. So patching the computers themselves and the servers is a service that we offer.
Joseph: You hinted at this Clint and that is, you know, the larger the organization it's possible that their budget is slightly better for the cybersecurity and IT than an individual dental practice. How can they make this affordable? How can the single location practice make cybersecurity part of their budget?
Clint Delander: It really does require an investment as well as a prioritization. That's right, of course, money doesn't grow on trees; if it did, this would be a lot different conversation. But it's understanding the risk tolerance that they have associated with things, and then we, through those conversations, and budgets are a big part of those, help them prioritize what to do immediately and, you know, what might be able to be put off from a prioritization standpoint. But it is a definite challenge.
Bill Sintiris: Yeah. And I would add, I think you're spot on prioritizing the most urgent and pervasive issues and then protecting against those as quickly as you can is critical. Doing the things that we mentioned like air gap backups, multi-factor authentication, some level of endpoint detection and response. The other things can come. You can layer these in over time. But what we're seeing really is there used to be a separation of patient care investment and then IT investment. And really that's coming together to ensure good quality patient care, protecting patient medical records, and then protecting the availability of care if systems go down. It's one bucket of spend. So we try to help clients with that.
Joseph: I can see that. It's becoming one great big bucket, as expensive as it may be. It's all merging together. I like what you said about as one of those five, there is a staff training, a team training element there. I think you mentioned early on, which is the phishing training, what not to open. Could you expand on that a little more? I'm not sure if some new members of the team may not know what a bad email looks like when they're maybe relatively new to dentistry. What could that policy look like when it comes to email?
Bill Sintiris: Yeah, so there are a few things that you kind of wrap into that. One is effectively training your end users on what is good behavior, what is bad behavior, and what to look for in your email, right? So an email might look like it comes from the CEO, but there are signs that it's not from the CEO, right? And then what do you do to validate that? And don't click on links that you don't know. Some of the basic things that seem obvious, but when you're busy in your day-to-day, you just click on things because you're moving fast.
User awareness training as you step back with small segments of training, usually 20 minutes once a month where they go through training and refresher. They get taken through the scenarios, some examples, really reminds them what to do, what not to do. And then throughout the year, you can do phishing simulations where you basically send them phishing attacks that are fake phishing attacks, but see if they click on it. And then you start to judge your team to say, how often are we clicking on these attacks? Do we need to do more training? And then holistically wrap that together.
Clint Delander: To add on to that, when we look at the DSO or a larger organization, you know, controlling that message and making sure that each staff member is trained gets a lot more difficult, right? Just because of the mass. I had one example: I was doing a cybersecurity awareness talk to a specialist organization that had 67 employees, and this is, you can't even make this up, all but one employee was able to make the session. The person that was not there came in the next day and clicked on an email that contained ransomware, and it infected four offices and impacted their business for over two weeks as a result of that ransomware.
Joseph: Don't get me started on weakest links. At WEO Media, we have a real appreciation for how much it takes to stay on the cutting edge of marketing with the hundreds of changes that Google makes to their algorithm on an annual basis. I gotta believe that that same thing is true for an IT company focusing on cybersecurity. How do you stay current? And yeah, what do you do to stay current? What does that look like in such a rapidly changing landscape comparable to Google's algorithm?
Bill Sintiris: Yeah, I'm not sure much is as complicated as the Google algorithm for sure. But from our perspective, staying on top of what's going on in the threat landscape is critical. So we parse it in a few different ways. So the first is we have a security team that is constantly staying abreast of evolving threats that are coming to the market, whether it's zero-day threats or threats that are forthcoming, and ensuring that our clients are patched according to those threats. So sometimes you'll get a Microsoft notification of a zero-day threat. You have to patch everybody very quickly. So we're very early on getting those notifications. We act quickly to make sure our clients are updated. So that's one segment of it, which is kind of your OS level threats. Then there are the behavioral threats, like we talked about. Knowledge is critical on those. So evolving our training for the end users to make sure that they understand what kind of threats are evolving and what they might see and what they should be aware of. So part of it goes from our notification all the way into the training.
And then finally, it's designing the systems to make sure that they're resilient and they can handle the attack because in a lot of cases, it's not a matter of if, it's a matter of when. So what can you do when you design the environment to make sure that if it is attacked, that you can mitigate that attack and that you can recover from it if it does invade you. And some of the things we talked about, start with design, start with making sure that your backups are running all along and then being able to recover those backups from a clear source.
But on our team alone, we have seven certified CISSPs. So those are the top level security level certifications in the industry. And those team members are constantly attending training, staying abreast of the most relevant information, specifically with our technology stack and beyond, and then they make recommendations to the operational organization to put that into practice.
Joseph: So Clint, did you have something to add there?
Clint Delander: Yeah, one thing we haven't really talked about is I think is a disaster recovery plan. You know, I think the customer should have expectations based upon what their current network stack is and services they have. You know, if something like this, you know, terrible event were to happen, what does the recovery look like in those steps and how long would that take? So that's a very important thing that, you know, everyone should have, regardless of what solutions they have in place or don't have in place.
Bill Sintiris: I think this is a great call out, Clint, because you talked about what the larger organizations have to spend money to prepare their organization in the event of a disaster. And in the hospital segment, they call it a code dark. If they have to shut down all their systems, can they continue to provide critical patient care? But the reality is that even in the clinical setting and in the dental setting, you need to continue to run your business and see patients. So there is a small set of things that you can do to make sure that you can continue to operate as a clinic, even in the event of system challenges, right? So part of it's design, part of it's what steps do you take if you are compromised? And then part of it is how do you recover? But sometimes just by documenting it, you find gaps in those steps, and making sure that you document it so when it does happen, if it ever does, it's just a simple playbook to follow. And it doesn't have to be overly complicated like a hospital using a code dark, but it simply needs to be documented.
Joseph: There are offices that will need to have a good heart-to-heart conversation after listening to this podcast. For those not fortunate enough to have an expert on their team like you are, what would a dental office do to stay on the cutting edge of the latest? How would they keep themselves informed of what's happening?
Bill Sintiris: Yeah. So maybe Clint, I can start and I'd love you to jump in as well. But I would say a lot of times, you know, dental practices are really good at providing patient dental care, right? They're not going to be great at managing IT and emerging cybersecurity threats. So finding a partner that can support their practice is typically critical. And they don't need to, you know, they don't need to do everything with that partner, but they need a base level of support so they can ensure that they're getting updates regularly, that they're getting backups regularly, and they're getting that guidance, that kind of river guide guidance that takes them along that journey, because things are always changing. And just like in the medical space, where things are always changing, it is the same in healthcare IT as well. They need to stay on top of that. And so typically a partner is your best bet.
Clint Delander: And a partner that specializes in healthcare IT, you know, a generalist just doesn't have the exposure or the depth of experience to understand HIPAA regulations and recommendations and guidance and be compliant with all those things. So definitely look for a partner that focuses on healthcare and maybe even specifically dental.
Joseph: What can you share with us then as to how, given the rising costs and the budget constraints that an individual practice might have, let alone a DSO, how can you make an investment like this affordable?
Clint Delander: So first thing I want to say is make sure you have cyber liability insurance. Okay, at a very minimum have cyber liability insurance to cover you in the event of an attack where there are expenses that are going to be incurred. The challenge that offices are receiving now with cyber liability insurance coverage is that since the pandemic, the number of threats has drastically gone up, as well as the claims against insurance companies for cyber crimes and events. So the standards or the qualifications just to get a policy now are much higher than they used to be at pre-pandemic levels.
So insurance companies are now mandating that they have things in place like Bill had mentioned earlier, endpoint detection and response or EDR, multi-factor authentication, encrypted backups, and the list kind of goes on and on. So at a bare minimum, make sure you're covered with a good cyber liability insurance policy and understand how that works should you need to use it.
But then also, more directly, how do you consume, or how is it digestible to add these additional services on? And that's really where a trusted partner, an advisor, someone with experience like this who understands that there are budgetary challenges and has the ability to prioritize, I think, is probably the best way to accomplish that.
Joseph: Anything to add there, Bill?
Bill Sintiris: No, I think it's spot on. I think what we're seeing is, you know, there are some base minimum things you need to do, right, as a healthcare provider. But you can prioritize those things and invest where you can along the way. It doesn't have to be everything at once. But as we mentioned earlier, the most urgent things should be addressed pretty quickly. And having a cyber liability insurance provider to work with in the event of an issue is really critical as well. We've seen a number of offices forgo that insurance coverage. And then when those bills start to come in, when they're trying to recover from an incident, it becomes pretty big.
Joseph: I would love to know what upcoming initiatives Anatomy IT has on the horizon that may be something you could share.
Bill Sintiris: Yeah, sure. There are a few things we're pretty excited about as we go into the second half of the year. One of them is ensuring that all of our clients have the right level of coverage. So we're giving that kind of river guide guidance to our clients on what is minimally needed to protect their environment and then offering them ways to help them get there, right? We know that they can't do it overnight. So we have a program underway where we're bringing our clients on that journey.
But even for non-clients, we've developed what we call the Health IT Framework. And that framework is a series of 44 questions that allows an office or an organization or DSO to assess their IT health and maturity, not just from a technology perspective, but from a process, business continuity, disaster recovery, HIPAA compliance perspective. And it gives them really an objective score of how they're doing and how they're doing against other providers. So we're very excited about that in the market right now. And we think it's a way for clients to really see where are they on the IT maturity journey? What do they need to do next? And then they can develop that prioritized roadmap that Clint talked about to say, here's how we should invest over the next 12 to 18 months.
Joseph: That sounds like a very realistic plan. I would love to have a plan like that. And they can get that from you by just contacting you at Anatomy IT. That's a business development question there, Clint. How would you prefer listeners get a hold of you?
Clint Delander: Yeah, so there's multiple ways, you know, email's a good one. Clint, C-L-I-N-T dot Delander D-E-L-A-N-D-E-R at anatomyit.com is one of the most effective ways. Or you can contact me directly. 715-307-1796.
Joseph: Thank you. And your website is anatomyit.com? Wonderful. Well, you said it. It's not a matter of if anymore. It's simply a matter of when. And to pretend that it may never happen is not very prudent in this scary cyber nutso world that we live in. We're so glad we had you on this episode so that we could be more informed. And on behalf of our clients, thank you very much for helping us be more prepared.
Bill Sintiris: Well, thank you, Joseph, for having us, and we're very excited to talk to you and your listeners.
Joseph: We are most fortunate. Thank you again. Bye bye.
Clint Delander: Thank you, Joseph.