Episode 20: How to protect your dental office from ransomware and phishing

Anne Genge, a cybersecurity expert specializing in dental practices, discusses the importance of cybersecurity, particularly how to avoid ransomware and phishing threats and the importance of training for the entire dental team.

Read the audio transcript below:

Dr. Luisa Schuldt (LS): Hi everyone. Welcome to Brush Up, presented by Oral Health Group, the dental podcast, where we speak with industry experts to discuss a variety of topics such as technology, finance and practice management. I’m your host, Dr. Luisa Schuldt, a prosthodontist and periodontist based out of Fonthill, Ontario. In honor of October being Cybersecurity Awareness Month, we are joined today by Anne Genge, who’s a certified healthcare privacy and cybersecurity professional and is the founder of Myla training company, Canada’s first ever online privacy and cybersecurity training platform for dental professionals. With over two decades of experience, Anne has become a leading expert and trainer in this field. Welcome Anne. Thank you for joining us today.

Anne Genge (AG): Well, it’s so great to be here.

LS: I would love to start out our conversation just hearing a little bit more about your background and how it is you got involved in cybersecurity, specifically for dentists and the dental industry.

AG: Well, thank you. I’ve spent my entire career in the dental industry. I started working in a practice a long time ago. This is actually my 30th year working in dentistry, so I really don’t know any other industry. So I went, worked in a clinic for a very short period of time, and then I decided that I really wanted to go into sales. So, I was involved in pain management products, bone grafting, implants. And my brother had a tech company, and I joined him early on, in around the year, I guess, 1999 to 2000 to help him sort of bring his IT company into the dental industry. He was from finance. And then by the mid-2000s, 2010 we realized that there was so much digitization, so much transformation, move towards putting everything digital. We both kind of looked at each other one day and said, wow, you know, we’re going to have to do a lot to protect this data. And smaller businesses, especially healthcare practices, with all that sensitive information, they’re going to need a lot of help. And so, we went on a mission to develop software tools that would protect systems. But my true heart has always been in education, teaching, and so that’s how I got to where I am now, and it’s a lot of years later, but I love it. And obviously it’s an area where we have a lot of room to improve, and as technology grows, lots to learn.

LS: I think what you’re mentioning is that now we know that cybersecurity and our patients’ data is so important and needs to be cared for. It’s funny that, as of 10 years ago, 15 years ago, we really weren’t understanding the implications that this would one day have. As dentists, we are not necessarily tech savvy. Some may be very tech savvy, but a lot of us are so focused on our patients and health that this isn’t an area in which we are extremely knowledgeable. So, it’s wonderful to have someone like you and the team you’re involved with supporting us for those aspects. What do you see as the most common cybersecurity threat for our dental practices today?

AG: Well, I think most people are always hearing in the media about something called ransomware, which is, you know, that nasty thing that locks up your data and then demands a ransom be paid. Or, as we’ve seen more recently, what are called these double extortion attacks. So essentially, the cyber criminals get in and steal the data and then they ask the organization to pay. Or in some circumstances, as we’ve seen in a couple of healthcare scenarios in the past year or so, they will even try to extort patients directly. And so that’s the overarching, biggest threat that you have. But under that, the way that it happens is through, essentially through, mostly through email phishing. And so, I think our people, anyone who’s working with email in the practice, which is usually just about everybody, the naivety, the naivety of people, and, you know, silly mistakes, or disinterest in understanding the true sensitivity of the type of data they’re managing. So, it’s kind of all those things, but at the top of the pyramid, there really is ransomware, and I think that’s the thing that will attract most people to watch this podcast in the first place, because it’s just so prominent everywhere now.

LS: So, what you do is quite different than what our, you know, general IT service provider does for us. Should we be the ones reaching out to you directly? Should we and our IT service provider be chatting with you? What is different that you do for us?

AG: Right. Well, my main role every day is to educate and create awareness and help people build cyber risk management plans. I work both together with IT companies and directly a lot with practice managers or those who are taking on the role of privacy officer. But I’m heavily involved with training all team members with the sort of basic cybersecurity skills. But there is a differentiation between, sort of, day to day IT and cybersecurity professionals. You’re familiar with this hierarchy in dentistry already. For example, you’re a specialist, right? So you had to go to school for an extra, huge number of years to become an expert in what you’re doing. Much the same with cybersecurity. The top cybersecurity certifications take an extra or take at least five years to obtain, and these folks must keep up with CE credits and so on. Much the same as, you know, dentists would as well. So I think what you have is like hygiene and general dentistry. General dentistry is day to day IT, and then your cybersecurity pros are more like your specialists. And every dental office really, pretty much needs a relationship with both now, because although the tools for cybersecurity are available to most IT providers, the experience is not necessarily there, and that’s the differentiator. And that’s the important factor right there, is these professionals really understand the scope of the types of threats. They’re able to go in and do an assessment and determine what the treatment plan is right for, you know, putting a protective set of systems in place for your practice so they work together hand in hand. You won’t see these cyber folks every day, but you’ll know that they’re there, because typically, there’s a good deal of reporting that will go along with the types of services that they provide, just ensuring you day to day, that those systems are being protected and monitored professionally.

LS: So, you’ve mentioned a few things that I find very interesting. First of all, having a plan that includes prevention systems that you’re mentioning, and also a plan that includes what to do if it does happen. In this sense, what type of training should our practice or practice team members be seeking to be able to handle data safely, not fall for these phishing emails that you mentioned sometimes happen? Is this a training that you and your team would be able to provide?

AG: Yes, well, I provide this type of training in a number of ways. You may see me on some of the courses that you would take through some of your associations, or you might see me at a conference. Typically, the way that people are engaging with me, for the most part, across the country, is through my online training program, which is a basic cybersecurity awareness training, which is really about 35 minutes, provides a certificate for proof of compliance, insurance and so on. And what’s heavily baked into that is just exactly what you need to know. And uses case studies, real life, dental related case studies to have people really have an easy way to understand what that looks like in a day or in a life of their job working with this type of information. And above that, then again, there’s things that an office manager might need to know, right, to make sure that these things are being implemented and followed up on. That person might be involved with creating your policies and procedures, overseeing it, this type of thing, or sometimes it’s one of the dentists themselves. So, there’s little bit higher levels of training for those folks. And again, I do those online or can be one on one. But you know, I think the overall mission for me has always been, how do I take this complex subject matter and make it in a way that people can instantly relate to? And I think that’s the beauty of having spent my entire career in this industry is I know how the inner operations work. I know how the technology works, but I’m not so stuck in the computer world that I don’t know how to make that language relatable. So that’s always my mission is, how do I make it relatable? How do I simplify it so that it really sticks? Because, let’s face it, there’s a lot of bad training out there, and that doesn’t help anybody. You know, we need to arm people with skills that they can learn something and then put it into effect right away. 
And you know, we’re all patients somewhere, so we should all be invested in this type of learning, not to mention that we’re all using technology ourselves. So that’s, yeah, that’s the overarching theme. And it’s always being on a mission to make dentistry safer online, to make the world safer online.

LS: It sounds like you have several levels of training available, one for the dentists or office managers, and one for the people who are opening emails, contacting patients, filtering through the information as it comes into the office. Really great. Have you seen any examples of where these efforts have already paid off? An example of where proper cybersecurity training has prevented an incident in the office?

AG: Yeah. You know what’s really amazing is the relationships that I’ve been able to create over the years. And so, what I find is people really kind of get into it, right? There are some people that send me a screenshot, or they’ll take a picture with their phone, and they’ll say, did you see this? Or they’ll say, is this real? So, you know, a number of times, even just in the last six months, I’d say probably at least 10, where I’ve gotten and seven or eight of those were actually Microsoft, where these cyber criminals, what they want to do is use tools that are familiar to us or pieces of software that are familiar to us and spoof it. So, a really common one is, you know, you must change your Windows login password, you must change your Microsoft 365 thing, or these messages haven’t been read, relog in. There’s a lot of spoofing of Microsoft products. And so, these are the ones that have come to me in the last little while is, you know, taking a picture, they’ll send it to me and they’ll just say, look, I didn’t open this. I didn’t act on this. But is this real? I mean, no, it’s not real. Good thing that you didn’t, right. So, I know that in those situations, this has averted probably quite a few disasters. And it’s interesting how, even though, if we put all of the cyber security controls, all the different fancy software in place, it really does just come down to humans. Because cyber criminals know that it’s hard to get through those tools, but that if they can trick a person into opening the doors for them, then you know, they’re in, right? And it doesn’t matter. And they can really, once they get in through that person letting them in, using their credentials, or by whatever means, then they can move around and do a lot of damage. So, I think the training is really important, and I do have high confidence and evidence that people that I’ve worked with are getting the memo, so to speak.
But there’s plenty of research that shows even up to a 70% increase in security posture just by providing employees basic cybersecurity awareness training. And I think that’s why you keep seeing it showing up in all of the different types of privacy laws and guidelines, college guidelines and so on.

LS: I think cybersecurity and these risks are things we need to talk about with our team members, but also our families. And the team members are finding these threats not only related to our practice, but in their personal lives as well. Whether it’s a credit card scam or an email that’s coming to their personal account, the more we all know about that, the more prepared we are to protect our dental office, but our private lives as well, the better off we’ll be.

AG: Absolutely yeah.

LS: What are some of the first steps a dental practice should take to see what their, you know, risks for cyber security are, and maybe prepare for those?

AG: Well, I guess it’s…here’s how I would relate it. If a new patient walks through the door, right? You don’t give them all the same treatment. You’ll do a new patient exam, you’ll take X-rays, and from that you derive their treatment plan. Yeah. Same thing with cybersecurity. You should always start with an assessment. And this is where it gets a little bit muddy, because there’s a lot of IT companies that’ll give you a free IT assessment. And I think they’re valuable, but they’re kind of like your free brake inspection. These are designed to find out, you know, what equipment is aging and should be replaced, what type of software upgrades should be done, whereas an actual security risk assessment will use a piece of software, and it will ask thousands of questions per minute, just knocking on all the different doors, seeing if there’s any windows open a crack, kind of thing. And it will give out a report that shows all of the gaps, the blind spots, the vulnerabilities and create your treatment plan of where to start and how to start, closing those things up and making your practice more secure and, obviously, by extension, more compliant and easier to get cyber insurance as another example. But I think you know, doing that and really investing in training, for example, is something you can do immediately. Yeah, that’s like, you could do it today and tomorrow, you’re going to be that much safer. But there’s a lot of other nooks and crannies that you need to find that go beyond the human aspect, and that’s where a professional cybersecurity risk assessment would come in. So, you’re going to get all of that data. It’s going to be aggregated together, and then a professional person will sit with the dentist or practice owner, and sometimes the manager as well, and say, okay, this is where we’re going to start. Okay, it’s like this tooth has, yeah, four surface cavity. This one needs an implant.
You know, these teeth could be a little bit wider, but let’s do that after we do these big things. Yeah, so that’s kind of what that is. That’s what that’s like.

LS: That sounds…you mentioned insurance, and it’s so important to have that for your professional life, our practice. We have it for our home. We have it for our car. Having it for any situation that involves cybersecurity is important as well. But it sounds like prevention is the number one thing as well to be preparing for, doing the training, getting everybody on board. What would be the most common aspects that are missed when just the IT people are looking at this, or not even the IT people are looking at this? Unless an expert in cybersecurity is involved, I’m sure there are lots of things that hide in those little nooks and crannies. What would be some of the most common mistakes?

AG: I’m always surprised at how terrible people’s backup systems are, to be honest, and that’s a big problem, because the last time, you don’t want to find out that you don’t have a good backup system at the very time that you need it. So unfortunately, in some of the cases that I see, I start a relationship with a dental office, or we do as an organization, because data’s already been lost, so inadequate backup, misconfigured backup, backup that’s somehow got corrupt along the way. You know, we say that you should test your backup, but it’s a very costly process to go through if you’re doing it manually. And then there’s these things called security updates or system updates, and sometimes, or not, sometimes, many times, we find that those are really out of date. Even despite a dentist having paid for this type of service, they really need to be kept up to date almost daily, monitored and put in place. And the reason is that a lot of these updates are not there to give you, you know, a new feature or a new emoji. They’re there to patch up a hole in that software that cyber criminals are exploiting, are able to exploit. And so those security patches, or updates, as they call them, are very important. But I don’t want to make it sound like everything is so complex. You know, I just finished creating a ransomware course. Well, I’ve done a few of them, but, you know, in this latest one, I talk about how ransomware is actually quite preventable, but you just need to know where your holes are, to make sure that they’re closed up. So, you know, caries is preventable with good cleanings and fluoride or whatever. You know we have these abilities, but I think naivety is still our issue, because even a lot of IT companies are very good at creating networks and making sure that your software all talks together nicely. But there’s many of them that really just haven’t been able to or, for whatever reason, don’t have a certified cyber person on staff. 
And so, there’s gaps, not because people don’t care or they’re not trying to do their jobs, but it’s that you don’t know what you don’t know thing. And so, these are sort of our challenges.

LS: And you mentioned that backup, and the way I’m understanding it is, if you don’t have a good backup, your original set of information just becomes that much more valuable. They’re just giving these people creating the malware or taking your information, you’re giving them that much more power. If you have a backup, you’re, in a sense, taking their power away and giving yourself a lot more freedom to make decisions and manage a threat, should it be present.

AG: Well, in the case of, now, I talked briefly, but I didn’t, they didn’t name the two different types of ransomware. There’s encryption ransomware and there’s extortion ransomware. Sometimes you get both. But, you know, when I started studying ransomware, it’s 10 years ago now, all we had was encryption ransomware, and the situation that you just described is absolutely true. If we have a great backup, if somebody puts ransomware on our systems, we can just tell them to take a hike, because we’re just going to restore from the backup. And by the way, the reason why you don’t see the ability to recover quickly with larger organizations or hospitals is because they have thousands of computers. It is really quite easy to restore a typical dental office quickly. First of all, nowadays we have such things as failover servers, so we don’t even care so much about the backup anymore. We can just instantly flip over to another device, and you can keep working, taking x-rays, taking money. But even if we’re using just a traditional type of backup with regular drives, we only have to restore 10 or 15 or 20 computers. This can be done in a day or two, again, providing we have good backup. Now, having good backup doesn’t protect us from extortion type ransomware, because that actually steals data and then publishes it somewhere, like on the, what we call the dark web. So, but yeah, I mean, it’s not just that. In the course of you operating your practice, you could get ransomware, but what’s more likely is probably something like a server crash, in which case you need that same backup system to protect you from that scenario.

LS: As we’re learning more and more about this, we were just talking about how different things were 10 to 15 years ago, when you started on this journey of learning more about cybersecurity and bringing us your knowledge now. How have privacy laws and college guidelines changed over this time? Have they incorporated some cybersecurity strategies in the recommendations? How would we be following suit as a dentist?

AG: Well, you know, PHIPA, that’s the Personal Health Information Protection Act. This is just for as an example. In Ontario, most provinces have healthcare specific privacy laws, and people should be familiar with what that is in their individual province. But you’ll notice that we have PIPEDA, which is the federal privacy law that’s been in place since the year 2000. They’re continuously making amendments to that. A lot of what is just considered best practices are baked into those compliance documents. Or, you know, your guidelines for electronic health records that you might get through your college, they all pretty much mirror each other. There are basic concepts. It’s training, keeping the systems up to date, having a backup plan, having written policies and procedures and things like disaster plans, so that no matter what happens, you’ve got a written roadmap of what you should do next, and no matter what happens, you can recover your data. Because you have to maintain, of course, you want to keep your data, because that’s the lifeblood of your business, right? If you don’t have your data, you don’t have anything. But you need, you know, under any kind of compliance and laws, you need to maintain constant access to the data, make sure that it’s all up to date, that it’s whole and so, you know, it’s just kind of the rule book, right? It’s a basic rule book of all the things that you should do, but that not just that you should do, but that you want to do to protect your business. Again, losing data, you know that affects your operations, but what also affects your operations is having to report a breach to your patients. Dentistry is a highly competitive segment of healthcare. You know, a physician can roll into town and put up a sign and have a lineup of patients, but dentists, as you know, we have many communities where there’s one on every corner. We’re constantly battling and marketing for those.
So, we don’t want to give patients a reason to lose trust and go somewhere else. So, I think it’s also very much about that.

LS: Thank you so much for your time and thank you for enriching us and bringing us this information about cybersecurity, especially at this time, Cybersecurity Awareness Month in October. Thank you to our listeners for joining us. Thank you for listening. Be sure to subscribe on Spotify and follow us on social media to be notified every time we post a new episode. Keep brushing up!