945: The Cybersecurity Checklist Every Dentist Needs – Travis Wentworth
Most days, we are online. But how often do we think about cybersecurity? In this episode, Kirk Behrendt brings in Travis Wentworth, cybersecurity expert from Intelligence Quest, to share the safeguards to put in place to reduce your risks and protect your patients and practice from common cybersecurity threats. Don't take cybersecurity for granted! To learn the best practices to stay ahead of cyberattacks, listen to Episode 945 of The Best Practices Show!
Learn More About Travis:
- Follow Travis on Instagram: https://www.instagram.com/travis_iq
- Join Travis on Twitter: https://x.com/travisiq
- Learn more about Intelligence Quest: https://intelligencequest.com
- Watch Intelligence Quest on YouTube: https://www.youtube.com/@intelligencequest
Learn More About ACT Dental:
- ACT’s Events: https://www.actdental.com/event
- ACT’s website: https://www.actdental.com
- ACT’s Instagram: https://www.instagram.com/actdental
- ACT’s YouTube: https://www.youtube.com/actdental
- ACT’s Facebook: https://www.facebook.com/actdental
- ACT’s LinkedIn: https://www.linkedin.com/company/actdental/
More Helpful Links for a Better Practice & a Better Life:
- Subscribe to The Best Practices Show: https://the-best-practices-show.captivate.fm/listen
- Join The Best Practices Association: https://www.actdental.com/bpa
- Download ACT’s BPA app on the Apple App Store: https://apps.apple.com/us/app/best-practices-association/id6738960360
- Download ACT’s BPA app on the Google Play Store: https://play.google.com/store/apps/details?id=com.actdental.join&hl=en_US
- Join ACT’s To The Top Study Club: https://www.actdental.com/ttt
- Get The Best Practices Magazine for free: https://www.actdental.com/magazine
- Please leave us a review on the podcast: https://podcasts.apple.com/us/podcast/the-best-practices-show-with-kirk-behrendt/id1223838218
Episode Resources:
- Protect yourself with SentinelOne: https://www.sentinelone.com
- Protect yourself with Splashtop: https://www.splashtop.com
- Protect yourself with YubiKey: https://www.yubico.com
- Protect yourself with LastPass: https://www.lastpass.com
Main Takeaways:
- Don't be complacent with cybersecurity.
- Find a great, trustworthy IT group to work with.
- Know the questions to ask your managed service provider.
- Never panic when cybersecurity issues arise. Have protocols in place.
- Make sure your team is comfortable coming to you with questions or issues.
- Be diligent with knowledge transfer, password management, and phishing awareness.
- Use a guest network for all of your patients. Don't allow non-authenticated users access.
Quotes:
“Don't get complacent with this stuff. You can let it roll, and you can continue your training, or continue to make sure that your network is great, or that your technical infrastructure is built correctly. But make sure that you are continuing with your due diligence.” (3:32—3:49) -Travis
“Some of the questions that I would ask [my managed service provider] would be . . . what do they do for cybersecurity, which is like antivirus. Sometimes, you could use a term called EDR, Endpoint Detection and Response. That's just a fancy term for a more advanced antivirus that sits on the endpoints. We use an EDR system at our office, and I manage it. It's called Sentinel One. They're a very good EDR, but there are a bunch of them out there. I would bet if you ask a question like this, what's going to happen is you're going to catch an IT person off guard. They're going to be like, ‘Huh? You're asking me this question?’ That's going to be good for you because then you're going to get an honest answer from that person. They're going to say, ‘We use,’ whatever it is. ‘We use Windows Defender as our antivirus. The embedded defender in Windows is actually pretty good. Most people have decent things to say about it. Then, we use an EDR solution like Sentinel One,’ or some other example. So, that would be a good one where you use a term that's in their space that catches them off guard and gives you a little bit of information.” (8:56—10:00) -Travis
“Another [question] that you can ask [your managed service provider], which I have found to be the case in my office is, ‘Do your security solutions interfere with the things that I do on a day-to-day basis? What happens when you apply security to my office?’ I would hope that they have a good example for you. I have one, specifically, where we have a remote management utility. We use Splashtop to log into PCs remotely sometimes. I've had our EDR quarantine that solution and say, ‘This is a remote access utility, and you shouldn't be using this,’ and it shuts that thing off. So, that's a good example of a product that you would use in your office. If you asked me this as a dentist, or other practitioners in the office, you said, ‘Have you had an example of this?’ I'd be like, ‘This is the example, and this is what I would do for you.’” (10:00—10:50) -Travis
“A thing in the dental space for both your practitioners, hygienists, and assistants is knowledge transfer. But this also applies to cybersecurity, and it's becoming even more practical. Let me give you an example of knowledge transfer that's really important. So, a lot of the insurance portals are requiring a second factor of authentication. That's a cybersecurity requirement. They're saying you need a second factor. Okay, that's great. What if your office manager sets up a second factor? A lot of these say download a token on your phone. Your office manager downloads a token on his or her phone, and they take that token, and they use it to log into insurance portals, either verification portals or submission portals for insurance claims. Now, what happens if that person decides to go somewhere and you don't have a written system in place for the second factor? Now, they've got a token on their phone to log into your insurance portal. That's a problem for you. It’s one example of cybersecurity knowledge transfer that's missing.” (14:16—15:16) -Travis
“What are your systems for managing passwords? We talked last time about utilizing a password manager, which is extremely important. If you're going to utilize a password manager, there's a critical piece that people miss, which is you want to secure that password manager because it is the key to your kingdom. So, you should always have multi-factor on that password manager. There are a few ways to do this. One of the ones that I love is called YubiKey, which is a little USB token . . . It's a physical token. You put it in, you press the button, and you authenticate — and you don't have to do this every time. So, we can make it more easy or more difficult, depending upon how paranoid you want to be about this. But typically, a password manager will give you a little button you can click and have it valid for 30 days. All you have to do is reauthenticate every 30 days. It's a little bit of a hassle, but it's very secure — and security is extremely important when you're talking about your business, access to your patients, HIPAA compliance, and PCI DSS. Passwords are the root to all of that security.” (16:47—17:50) -Travis
“Email phishing and phone call phishing, we talked about it being the number one mechanism for organizations to be compromised year, after year, after year. It is, period. So, we said be aware of this. What does that mean, though? I wanted to expand upon this, which is, what does it mean to be aware? It means you should have written policies in place. You should have lists of vendors that you use. It's not just vendors in your office manager's head. We should have, ‘We use Henry Schein for this. We order through Amazon on these days.’ So, you should know when the receipts for these things are coming through. Now, I agree that this is a really high degree of specificity. But if you can work on this over time — and we ended the last episode with the same advice — build this stuff out over time. It doesn't have to be done tomorrow.” (22:03—22:49) -Travis
“Phishing awareness, there are a number of ways that you can do this. So, you should know who you're ordering with. You should know where the email should come from. You should know what time and what days of the month these things come through, what days the receipts come through. Another good one is you should be using an email suite that has some anti-spam functionality as well. You don't have to go into the weeds on this. You don't have to use things like DNS filtering . . . But you could use Google Suite, G Suite. You could use Gmail. They do some great spam filtering. If you ever look in your spam, there's a lot in there. They are filtering stuff out for you. Or you could use Office 365 and Outlook. Those are my two go-to solutions. You should be using one of these two. You shouldn't be using some random hosted website utility from your advertising group that has your website and uses HostGator, and they tell you to use your HostGator website email. You shouldn't be doing that. You should be using one of the big three.” (22:52—23:50) -Travis
“There should be a written policy for a threshold of how much an invoice can be paid without any authorization. This actually happens to our office. I know that it happened to a small, I believe it was a religious organization in Virginia. But I'll say this. We get these requests, and an organization that I know of in Virginia that I worked with, one of their cybersecurity engineers, over six months ago, this happened to them where they get fraudulent requests to change ACH for their employees. So, it has, at least in the ones that have come to our office, taglines from registered dental hygienists that say RDH and a bunch of additional information. We’re like, ‘Our registered dental hygienists don't have email taglines like that.’ So, that's an easy way to figure it out. But also, there should be a policy in place for you and your office. When would you change the ACH location for an employee? It’s not just an email request. You should validate with that employee. The employee should probably have to submit a physical form request so that you have it documented, and then you go through and make that change and validate the change with them with a small transfer so that they know that we have the correct bank account on file.” (25:02—26:13) -Travis
“You should preach diligence, and you should have things like written thresholds. But the one thing that I really want to continue to focus on is the people in your organization. If it's a small dental office or a large dental office, they should be comfortable coming to you with questions. There should never be a time where they can't say, ‘Hey, should I pay this?’ or, ‘What happened here?’ or, ‘Why did I get this request?’ I'd rather be inundated with requests than have email phishing cause a cybersecurity issue or a payment issue.” (26:56—27:30) -Travis
“If you're frustrated being at the top of the food chain and getting those requests, you should realize that this is a cost of doing business. This is what happens. They are getting better. This is the lowest-hanging fruit. We call these black hat hackers — people who are trying to get access to your organization, get information from you, get money from you. This is the lowest-hanging fruit. This is what they do. If you're going to run a business, this is a component of that business. Don't get too frustrated with it. Just know that this is an allocation of your time that is going to be needed, and you can put policies in place to make it a little bit easier. But it's going to happen, and you need to be there for your team to answer the questions and make them feel comfortable so that you are not a victim of this stuff.” (28:35—29:16) -Travis
“You should be using a guest network for all of your patients. This is a little bit obvious, but what this actually means is not as obvious. What is a guest network? . . . A guest network is a segment of your network that is isolated from all the other IT in your network that is dedicated for non-authenticated users — we call them untrusted users — that can get and gain access to the internet and do whatever they want to do. What that is, is you've taken your internet connection that you pay for, your commercial internet for your business, and a subset of the infrastructure of your business, probably your wireless access point, and your managed service provider has taken a portion of that traffic and a portion of that network access on that wireless access point and given it to the guest users and your patients in your office. They want this. You want your patients to be happy. You want to act like a high-quality business, so you give them guest network access.” (31:25—32:27) -Travis
“You should have at least two other network segments in your office. You should have what's known as a backbone network. In a dental office, I'd call it a clinical network. So, this has your server on it. This has your front office manager and your office team's PCs on it. This has your operatories’ PCs on it. This has your doctor’s PC on it. All of those devices that communicate directly to that server all the time are on this primary backbone network. Now, that network can also have things like your intraoral scanners. It can have things like your Nomad, your roaming X-ray. It can have other things like this on it, although I would argue that those wireless devices that are operational technology should be on their own network. So, that's acceptable to have them either on the same network or on their own little OT network. But there are some issues with that because they don't always play nice with network segmentation. Sometimes, you need to have the Nomad on the backbone network that's communicating to your Eaglesoft server, and you really can't get around that unless you have a deep technical knowledge of how it's communicating to the server.” (33:03—34:16) -Travis
“If you have TVs in your office — which you all do — if you have Rokus, if you have iPads that aren't used for clinical things that are used to give to children, if you have other little devices that sit around the network, how about you display rolling information on a TV at the front? Maybe you know how it is set up; maybe you don't. Your managed service provider put a little box behind the TV that has a little HDMI cable and rolls information for you. Typically, it's either a Raspberry Pi or an Arduino, some of these tiny devices. Those are IoT devices. They are not designed with security in mind. They should be on their own network. Those little devices should not be able to contact your X-ray arm. They should not be able to contact your Nomad. They should not be able to contact your Trios. They should be on a separate network that isn't the guest network and isn't your primary backbone.” (34:36—35:26) -Travis
“The TVs that you have in your offices, a lot of those TVs spin up their own little wireless networks to make them easier to configure that you cannot turn off at all. They literally have a little wireless access point in there, and they broadcast their own . . . If you have someone in your office like me who is looking at networks, you'll say, ‘Hey, that's kind of weird. That's pretty strong right next to this TV.’ That's an access point to your network, and you don't want that device broadcasting its own little wireless signal and allowing me to connect to it and then connect to your network. That's why those things need to be segmented.” (35:32—36:06) -Travis
“Your guest network, you don't want random people being able to communicate between their cell phone, their wireless device, and your patient information. Whether you like it or not, the devices in your operatories, your server, your front office machines, those are access points to patient information. That's what they are. They are literally the way that you access patient information. So, anything that has access to those devices can then access patient information, and that's a HIPAA compliance issue. They might also be able to access patient information and credit card-associated information if you're storing those in some digital portal, so that's a PCI DSS issue. Those are both compliance issues and business issues for you in the sense that you could be subject to people installing ransomware or doing these random things.” (36:25—37:11) -Travis
“Let's say a machine isn't up to date, or something fails, or things like this. Your managed service provider should be your primary point of contact for this. So, they should be your primary point of contact for both. But if it's a technical issue, you should be comfortable going to them with technical issues. If it's within the workday, then you should be able to ask them via whatever portal they utilize, either a phone call or some messaging portal or whatnot. You should be able to contact them to resolve these issues, whether it's software issues, hardware, AX wireless, whatever it is. That's for your regular technical issues. Your managed service provider should be that point of contact for you, and you should be comfortable contacting them. If you're not, get a new managed service provider.” (39:29—40:07) -Travis
“From a cybersecurity perspective, what if you have an incident? Ransomware is probably the worst-case scenario. Let's say the second worst-case scenario is you log into a device in the morning, and your mouse is moving around. You're like, ‘Whoa! What is going on here?’ First of all, you contact your managed service provider. But I will tell you, there's a right and a wrong answer to this. If your managed service provider tells you to turn that device off, that's wrong. That's not correct. The reason for this is the person had access to that network. The black hat hacker had access to that network well before you saw a mouse moving around. I can guarantee you this: if you turn that device off, what have you done? You've indicated to that black hat hacker that you know that they are there and that you are scared. So, they know that they have a ticking time bomb to get whatever they need, or to lock a system, or to ask or make a request from you. They know what to do at that point. So, then the question is, what should you do? It's called isolation. You should isolate and quarantine that system. There are a number of ways to do this. Sentinel One, for example, the endpoint detection and response utility that I use, has an isolation and quarantine functionality. But it can be as simple as isolating that device, pulling that device off of the network, and putting it on an isolated network. Maybe your managed service provider has something to do with this. Maybe they have a specific switch in your office that you can pull it off and plug it into that. They can then come to your office and take a look, or they can remote-in. But the answer is isolation and quarantine. The answer is not to panic and turn that device off.” (40:08—41:50) -Travis
“The analogy for dentists is, when you give someone a big treatment plan, you don't say, ‘Hey, take care of all of it today,’ typically. You say, ‘We can piecewise this together with things that work well for you, that work within your timeframe, and work within your budget.’ That's the way you should approach this in your office.” (44:04—44:22) -Travis
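The written policies Travis describes in the quotes above (a vendor list with the domain each vendor's receipts come from and the days they normally arrive, an invoice amount threshold that requires authorization, and a signed form plus direct validation before an employee's ACH details are changed) can be turned into a simple review check that flags any request that does not fit. The following is an added example, not code from the podcast or from Intelligence Quest; the vendor names, domains, threshold and sample requests are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed written policy for illustration: each known vendor, the domain its
# receipts come from, and the days of the month on which its invoices normally arrive.
KNOWN_VENDORS = {
    "Dental Supply Co": {"domain": "billing.dentalsupply.example", "days": {1, 15}},
    "Lab Partners": {"domain": "invoices.labpartners.example", "days": {30}},
}
# Invoices above this amount need explicit sign-off before payment (constructed value).
INVOICE_AUTH_THRESHOLD = 500.00


@dataclass
class PaymentRequest:
    kind: str                             # "invoice" or "ach_change"
    sender: str                           # From: address on the e-mail
    received_day: int                     # day of the month it arrived
    vendor: str = ""                      # invoice only
    amount: float = 0.0                   # invoice only
    employee: str = ""                    # ach_change only
    signed_form_on_file: bool = False     # ach_change: physical form received
    verified_with_employee: bool = False  # ach_change: confirmed outside e-mail


def review(req: PaymentRequest) -> tuple:
    """Return ("approve" or "hold", list of findings) for one request."""
    findings = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()

    if req.kind == "invoice":
        policy = KNOWN_VENDORS.get(req.vendor)
        if policy is None:
            findings.append("vendor is not on the written vendor list")
        else:
            # A matching domain is required but is not proof by itself: lookalike
            # domains and forged display names still need a person to look.
            if sender_domain != policy["domain"]:
                findings.append(f"sender domain {sender_domain!r} does not match the vendor record")
            if req.received_day not in policy["days"]:
                findings.append("invoice arrived outside the vendor's usual billing days")
        if req.amount > INVOICE_AUTH_THRESHOLD:
            findings.append(f"amount {req.amount:.2f} exceeds the threshold and needs authorization")
    elif req.kind == "ach_change":
        # An e-mail alone never changes bank details: the employee submits a form
        # and the change is validated with them directly (then confirmed with a
        # small test transfer once it is entered).
        if not req.signed_form_on_file:
            findings.append("no signed change-request form on file")
        if not req.verified_with_employee:
            findings.append("change not validated with the employee outside e-mail")
    else:
        findings.append(f"unknown request kind {req.kind!r}")

    return ("hold" if findings else "approve", findings)


if __name__ == "__main__":
    # Constructed sample: a lookalike-domain invoice arriving on an unusual day.
    suspect = PaymentRequest("invoice", "ar@billing-dentalsupply.example", 9,
                             vendor="Dental Supply Co", amount=1200.0)
    print(review(suspect))
```

Any "hold" result is the point at which a team member should feel free to ask before paying, as the quotes above recommend.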
Snippets:
0:00 Introduction.
0:53 Travis’s background.
2:17 The current state of cybersecurity.
5:17 Cybersecurity insurance and the evolution of technology in the dental space.
6:54 Managed service providers, explained.
8:07 Questions to ask your managed service providers.
11:19 What an IT group does for a dental office.
13:33 Cybersecurity best practices: Knowledge transfer.
16:50 Cybersecurity best practices: Password management.
21:54 Cybersecurity best practices: Phishing awareness.
24:56 Set checks and balances and policies in place.
26:51 Your team should be comfortable coming to you with questions.
29:16 Be wary of using direct payment options.
30:54 Solutions: Guest networks and segmentation.
39:19 Solutions: Resolving technical and cybersecurity issues.
42:41 Final thoughts.
45:20 More about Intelligence Quest and how to get in touch with Travis.
Travis Wentworth Bio:
Dr. Travis Wentworth has been training students in engineering, networking, and cybersecurity for over a decade. He received his PhD in engineering from the University of Kansas in 2015 and completed a Postdoctoral Research fellowship at the University of Chalmers in Gothenburg, Sweden. While there, he was part of the world-renowned research group led by Dr. Louise Olsson and had the privilege to work with the European Union, Swedish Research Council, Volvo, and Chalmers University.
As a researcher, instructor, and consultant, Travis has presented his technical content to far-reaching corners of the globe including China, Germany, and Sweden, to name a few. Returning to the United States in 2017, he narrowed his emphasis to cybersecurity and networking training.
Travis has a diverse background with a proclivity for the acquisition and analysis of public and proprietary data. He is a published author in numerous peer-reviewed journals on computer modeling and catalysis and is well versed in programming, networking, data acquisition, and cybersecurity.
Published September 19, 2025.