3 Steps to Dental Data Protection to Avoid a $100,000 Mistake with Dr. Lorne Lavine
In this episode of How I Grew My Practice, Dr. Lorne Lavine, aka the Digital Dentist, explains why data protection is more crucial than ever.
Dr Lorne Lavine (00:48.456): Thank you for the pleasure to be here. I had a great weekend. I live in the LA area, but we, some family, we went off to Colorado for a few days, did some hiking, had some good food, went to a Rockies game. So I'm rested and ready to hit the ground running as I usually am at the beginning of the week.
Alec Goldman (01:08.81): Sounds great. I mean, what's a better way than to hit the ground running to talk about three steps to protect your office and avoid that $100,000 mistake? Obviously, we're extremely lucky to have you here. And I know that you know a whole lot about running successful practices, a whole lot about HIPAA. I mean, there's so many topics that you and I have spoken about at length, even dating back to doing marketing in our session a year ago. But today, we're here to talk about data protection. And I first wanted to ask you the question, why is that the, why was that the topic that you wanted to discuss today? Why is it so important, you know, as of May 30th, 2023?
Dr Lorne Lavine (01:51.484): Well, I think it's been important forever, but certainly COVID brought us to the forefront. Pre-COVID, people had heard about ransomware. We'd seen some data out there, some news reports. It completely took off. And part of the reason for that is that people weren't in their offices anymore, but they still had to have the offices running and you just didn't have the same level of... being able to really monitor what was going on in your practice when you're working remotely. And we just, you know, I'm not a black market expert, but what I've heard from many people is that there is nothing more valuable on the black market than a patient record. If you think about it, it typically has the patient's name, their date of birth, their phone number, their address. Oftentimes it might have copies of their driver's license, credit card information. It is just about a trove of valuable data. And the unfortunate reality is that over the last number of years, the number of ransomware attacks, the number of things that we see out there has increased exponentially. So we think that this is as good a time as any to kind of reevaluate what are you doing or to protect yourself. Because I think most dentists would agree that there is nothing more valuable in your practice than your patient data. I mean, everything is there, your schedule, all your billing, everything's there. If you lose that, you're going to lose your it's pretty much game over. So I think it's critical that offices have some type of plan in place to protect it and to be able to recover if all else fails.
Alec Goldman (03:26.894): So we've had a number of folks just so recently coming onto the show talking about the 1099 employee and being able to create and leverage office staff who may not necessarily work in the office in kind of the, I don't say new, but certainly the shift to having a more digital office where a lot of the repetitive tasks that were once thought to must being performed within the office are now online. But to your point, that means that more interaction around patient data, records, information is also brought online. So there's a lot more data to protect. So when you and I were chatting before, you were saying that there was a three-step process to ensure that an office remains and stays safe. Can you tell us a little bit about that three-step process?
Dr Lorne Lavine (04:05.664): Correct. Sure, so when we can get into the specifics from a large 30,000 foot view of the whole process, think of it kind of like a funnel. You've got tons of all this really bad stuff that's attacking your practice, attacking your network. What you want to try to do is narrow down that funnel, really limit what can get through and be able to deal with it. So, the first step in the process is trying to prevent it from getting in. It's that old adage that an ounce of prevention is worth a pound of cure. I think in this case, it's worth like 10 tons of cure. The best ransomware, the best malware infection to deal with is the one that you never got in the first place. So steps to try to limit what can actually get into your network. The reality is that no matter how good of a of the processes that you have in place to prevent that, nothing's foolproof, nothing's 100%, for sure gonna work. So you would then have to say, okay, well, if there are gonna be some viruses in malware that get into my practice, what can I do to deal with them? They're actually in there, how do I deal with them? And the third, which I've mentioned briefly before, is again, that's not 100% foolproof. So you need to have some type of system to say, if all else fails.
Dr Lorne Lavine (05:44.468): Can I recover? Can I get my data back? Can I get rid of all that infected data that we have and basically be able to continue on as if nothing had ever happened in the first place? So, all three are important, but that's kind of the three-step approach that we would take when working with an office to get them where they need to be, to have the peace of mind that they can sleep well at night knowing that they're doing everything they can to protect that critical data.
Alec Goldman (06:11.33): So if you were to give three steps, words for each of them, one would be.
Dr Lorne Lavine (06:17.86): Okay, so the first step would be, we talked about limiting access of the malware to get in. There's two things that you wanna do. Number one's a firewall. You have to have a firewall in place. I would recommend against software firewalls, every router out there, every, you know, the cable modem that you have, every router, they have a firewall built into them. They're okay. You know, they're mediocre at best. I would highly suggest for everyone listening, get yourself and invest in a good business class firewall. Ones from companies like Sophos, and SonicWall, WatchGuard, they all kind of do the same thing. But that's always your first line of defense. One of the misconceptions out there is that the way that most viruses get into the, or that almost all of them get into the network is through people opening up email attachments that they shouldn't, or going to websites that they shouldn't. That's actually not the case. That's a good chunk of it. But the other really most very common way of the stuff getting in is unpatched software. Every software program out there, Windows and Office and your practice management, so all of them have security holes in them. And the companies that make the software are constantly releasing patches. We call it patch management where you have to patch it. And, you know, you can do it automatically with programs like Windows and Office. We don't typically suggest that. We want to have more control over it.
Dr Lorne Lavine (07:45.7): A lot of IT providers are what's called managed service providers or MSP. That's one of the things that I do. It's basically a fancy way of saying automation. That rather than having to go out manually and find the patches, the software can do that for you. And that's critical. You always want to be on top of that. And one of the questions we get from a lot of people is, well, does HIPAA play a role in any of this? And that's a perfect example of it because there is a HIPAA law, you have to do patch management. You have to keep things current and up to date. The second stage, we talked about trying to limit what gets in. Well, let's assume that some stuff gets through. You obviously need to have antivirus software in place. I'm not a huge fan of the ones built into Windows. It's called Defender. It's OK. It's gotten better over the years. We would certainly recommend something a little more robust, programs like MSSoft, Trend Micro, Kaspersky, that they're all decent. All of them will tell you that they do a good job against ransomware, the viruses that lock your files. That hasn't been our experience. So we typically would recommend supplementing that with ransomware-specific software, ones like Intercept X or Hitman Pro. You know, Hitman Pro, Intercept X are owned by the same company by Sophos. So, you know, they kind of do the same thing. The challenge with everything that I've talked about so far; the firewalls, the patch management, the antivirus software, is that many of the ransomware and other types of viruses that are coming out are what we call zero-day, meaning that they're so brand new, your firewall, your software doesn't know what to do with it. It doesn't recognize it as a virus. All viruses used was called signatures. It's kind of like a little piece of DNA that tells your software, hey, this looks kind of like other viruses, so we know what to do with it. That's not the case with zero-day.
Dr Lorne Lavine (09:44.376): So the newer way of dealing with this is something called application white listing. We use it for our clients. It's called Threat Locker. I guess the best analogy I can give you is think of, just giving you an analogy. So you heard that there's a private party in town. It's got a lot of movie stars and sports stars. And you decide you want to try to crash that party. And you get to the front door. There's a very large bouncer with a very small list of names. Basically, you ain't getting in. That's kind of the way that application whitelisting works, is that we create a list of all the approved programs, all your practice management software and image software, and everything else that's running on your network. That's all good software. At a certain point, we flip the switch, and if any program tries to run and it's not on that approved list, it gets stopped in its tracks. All viruses, ransomware, they're all just tiny little programs, just a series of instructions that tells the virus what to do. In the two and a half years that we've been installing application whitelisting for our clients, we have yet to see a single virus. So, not that I would ever say, hey, just get this one thing and you're done. We still wanna have that funnel. We still wanna have those multiple levels, but if you had a very, very limited budget, and said, hey, there's only one thing I can do. What should it be? It would be this, because we haven't found a single virus to get through. That being the case, now we get to step three, which is that just because I haven't seen it yet doesn't mean it won't happen. But they will come where these viruses will find a way around application whitelisting. So for those offices and for every office, we always recommend that you have a really good backup and disaster recovery system.
Dr Lorne Lavine (11:35.304): The local backup should be an image of your server, which is basically a snapshot of the entire server that you can virtualize so that usually within an hour or two at most, you can have an exact duplicate of your server up and running if your server goes down. That's not going to help you if the backup got hit with a ransomware, not going to help you if there's a fire, theft or flood or anything like that. So you really should have something off site. We still have some offices that like to do external hard drives take them out of the office. That's just, it's a pain in the rear and most people have better things to worry about. So we are huge fans of cloud-based so that you get it off to the cloud as well. And that way the whole office can burn down. You still have a copy of all your data. It might take a little bit longer to restore from there because you have to download it, but usually you just need to download the practice management software, which is usually only one to two gigabytes of data. It's the images that take up all of the space. And once you have that download, you can then start calling patients up because obviously you're not worried about anything other than rescheduling people or letting people know that they're no longer in office there. So that's basically the approach that we take. Limit what can get through, deal with it if it does, and be able to recover when all else fails.
Alec Goldman (12:53.582): This is a full master class in regards to that. The three steps.
Dr Lorne Lavine (12:56.82): That's about a full day lecture that we condensed into around 15 minutes. It's a real high level, but I hope that gave some people some concrete ideas as well as far as the names of the firewalls and the programs that we recommend. Backup we don't really, we do it ourselves. I mean there are programs out there. I usually recommend against generic type backups like Mozy or Carbonite ones like those. It's got to be HIPAA compliant. HIPAA has their hands in all of this. So with backup, for example, HIPAA says you have to have it retrievable, which means it's offsite, it has to be encrypted, you have to test it and verify it on a regular basis. So for those reasons, you really wanna have a better than average one, which a lot of those generic, non-healthcare related backup systems just really can't accomplish for you.
Alec Goldman (13:50.786): So the three steps that you provided for the most part sound like software or a combination of software and perhaps hardware if you want your back, your... Yeah, yeah, and the firewall. Are these things that practices just purchase and it's kind of like once you set it and forget it, or there are additional processes to continuously maintain and ensure that things are going?
Dr Lorne Lavine (13:59.024): Yeah, for the firewalls hardware. Right, so I mean, the goal here is not to sound self-serving. As an IT provider, we obviously recommend that dental offices, unless they're extremely tech savvy and know what they're doing and have the time to do it, that they outsource this to people who know what they're doing. The firewall normally is not set and forget it. You have to first set it, which sometimes is not all that easy to do. You have to set it up properly. The other thing is that most of the better firewall systems out there, will have some type of anti-malware subscription service that needs to be updated on a regular basis. Something like installing antivirus software, again, it's not like it was in the old days where you just put some McAfee or Norton's on there and you're done with it. You really need to make sure that it's set up properly. One thing that's really critical for most offices is that you set up exclusions. There are certain file types like .exe files, which is the main program files, that typically can't get hit with a virus. If your antivirus software is always checking those files, you're gonna see a huge amount of slowdown. Everything's just gonna crawl. So you have to know how to set up exclusions, but you obviously don't wanna exclude the critical files like the data files, which is part of it. The application whitelisting, they won't even sell to end users. They only sell it to IT companies because they know it's a really complex thing to set it up.
Dr Lorne Lavine (15:43.584): And there's no way that they'd be able to provide the support that's needed, because it's a constant massaging. We're always having to add programs. You know, someone's an Open Dental user, and Open Dental comes out with a new update. Our software's going to flag that and say, hold on a second, this doesn't look familiar, so it's going to block it. So then we have to go in, we have to approve it, we have to make sure all the other 350 of our clients also get approved for that software, because other people are going to be applying that update as well. So as much as it would be nice if you could just throw this stuff onto your system to not worry about it. The reality is that it needs, I mean, something like a backup. We monitor every day for our clients. I mean, we, you know, every day of all those offices will have at least 10 to 12 that have some type of error that we have to try to resolve. So, and that's, again, that's a challenge for a lot of offices. You're sitting there chair side, practicing dentistry, you really don't have the time to be able to check the backup and if it went wrong, how do you know how to fix it, how do you read those error messages, do you know how to test it properly, do you know how to verify, do you know how to document all that for HIPAA? It's just something that does require basically ongoing and almost daily maintenance.
Alec Goldman (17:00.414): Yeah, I mean, it is a lot of technical and it certainly sounds like one of those things where it's out of sight, out of mind, where when it's not a problem, you're not really thinking about it. You're really thinking about the patient who's right in front of you, the service that they need, the care that your team needs to provide. So there's an additional question that I kind of have for you. Of all of the years that you have seen in really been assisting with this type of IT work, specifically in regards to data protection, what is the biggest, not to scare anybody here, but what is the biggest downside that you have seen from a practice, if you could share a story as to what happens when you don't protect yourself?
Dr Lorne Lavine (17:48.4): Yeah, so I have a not great backup story to tell you. So the way that we do our backups, we do everything cloud-based, is that there are, there's two parts to that backup. There's the initial backup, what we call it like the base image, the base file. Every image we do beyond that is what called an incremental, that it's basically just changed files and updated files. When someone has a lot of data, what we would typically do, it had done in the past, we would send them an external hard drive, we'd say, go ahead and put the, we're gonna go ahead and put the initial backup on there, we'll do that for you remotely. And then here's a shipping label, go ahead and you're going to send it right to the data center, because we had a data center that was using that. They would copy it on there, and then we could do all the incrementals beyond that. The incrementals would continue to run, whether the base image was there or not. We still, because it had done that initial backup. So we had an office a few years ago in Paradise, California. And people listening may be familiar with the name of that town. It burned down completely, like the whole town just there was wildfires, I think it was 2018, 2019, it was around that time, the whole town was just wiped out. We had one client there and they lost everything that we knew we had all of those images up in the cloud. We went to check in the cloud, we had three and a half years worth of those incremental images, we didn't have the base image. You cannot restore the incrementals unless you have the base. They still have the server in the office. It was fried. We sent it to a data recovery place. There was nothing they could do. They lost the data. We lost all the data. It changed how we handle base images going forward, that we decided to do all of them remotely, that we were going to have full control over it. 
That's the only time in 20 plus years I've been doing this that a client has had complete loss of data and we felt horrible. Now they didn't have a practice either. So it was, you know, but you know, I assume that they were able to start up somewhere else and eventually need that information. So that's probably the worst from the client standpoint and from our standpoint, because we obviously felt that, you know, even though they, you know, we had sent it to them, we sent the label, we had documentation of all that, that doesn't help in that particular situation. We're not gonna save the client, oh, by the way, this is on you because you forgot to send it back to the data center, we should have had a system in place to be able to monitor if it had been done or not. So, hard lesson, but a valuable lesson.
Alec Goldman (20:52.466): Yeah, I mean, it certainly puts in perspective kind of the things you're sharing with the group here. It really is just insurance on your livelihood, right? And the folks that work at the practice with you as a dental owner.
Dr Lorne Lavine (21:07.428): Yeah, you can't put a price on it. I mean, the easiest sale, I mean, we have people that come to us all the time through downtown and all kinds of, I do a lot of webinars and I write in DPR. The easiest conversation that I can have with a client is someone that's lost data, that didn't have a backup, or they get hit with ransomware and they couldn't restore from it because they are ready, they know what they went through to try to recover their data and they never wanna go through it again, so, we hate having to get to that point, but like I said, it's usually a very quick conversation. What do I need to do? I tell them, great, sign me up. I don't care what it costs, just sign me up.
Alec Goldman (21:48.246): Nope, I mean, it's extremely painful. Dr. Lavine, we're coming up at time. We're at the 22 minute mark. I want to just make sure you have the opportunity to add any last remarks specifically on the topic of data protection.
Dr Lorne Lavine (21:51.484): Yeah, we are. No, I'm happy to, you know, to any of your listeners, I'm more than happy to speak with them one-on-one, what they can do, if they want, they can go to my website, which is thedigitaldentist.com. There's a form there where you just put in your name and email address and phone number, we'll follow up with you. We're happy to evaluate your practice, no charge, to let you know where you might be falling a little short on cybersecurity and data protection. If you don't wanna quite get to that stage, and just want to pick my brain. I just, you know, you can go to the website, get my phone numbers on there, and you can just call us up and I'll be happy to speak to you. Again, no charge, just to help guide you on what you can do. And, you know, obviously I'd be thrilled to help you in that process, but at the very least give you the information so that you can make the best decisions for your practice.
Alec Goldman (22:52.706): Dr. Lavine, thank you. And for everybody listening, listen, part of the reason that we started this podcast is not really far to be salesy. It's to connect everybody in the community with one another. Dr. Lorne Lavine is an expert when it comes to data protection, IT. And I can tell you, that phone call that you're making to him, it's not for the purpose of anything salesy. It really is, if you wanna pick his brain, ask a question about your cybersecurity setup, it really is a free audit. We have tons of partners that we work with who do similarly with marketing and just trying to connect everybody together to really push everybody's practice forward and find ways to grow together. Dr. Lavine was really awesome having you on the show and obviously I know that there's a whole slew of topics we didn't get to today that you have a ton of expertise.
Dr Lorne Lavine (23:36.628): Yeah, bring me back. I'm happy to come back out. We just scratched the surface. Ha ha.
Alec Goldman (23:39.874): Yeah, I mean, no. Well, I mean, listen, synthesizing three steps into a single episode that's 15 to 20 minutes is very impressive. So we do appreciate it, and certainly would love to have you back.
In this episode of How I Grew My Practice presented by NexHealth, we invite Dr. Lorne Lavine, also known as the Digital Dentist, to dive into a topic that is crucial for every dental professional: data protection.
Why Data Protection
But why is data protection so important? According to Dr. Lavine, it has always been a vital aspect of running a successful practice, but recent events have pushed it to the forefront. The COVID-19 pandemic forced many dental offices to adapt to remote work environments, which posed significant challenges in monitoring and safeguarding sensitive patient information.
Ransomware attacks, in particular, have become increasingly prevalent and devastating. Patient records have become highly valuable on the black market due to the wealth of personal information they contain. From names and addresses to driver's license details and credit card information, these records represent a goldmine for cybercriminals. With the exponential rise in such attacks, there's no better time than now to reevaluate your office's data protection measures.
3 Steps to Ensuring Your Practice's Data Security
1. Keeping Malware Out
Dr. Lavine's first step is to limit what can reach the network at all. The first line of defense is a firewall, and he is specific about which kind: not a software firewall, and not the one built into the cable modem or consumer router, which he rates as mediocre at best. He recommends a business-class firewall from a vendor such as Sophos, SonicWall, or WatchGuard. Two caveats from the episode: the firewall has to be configured correctly, which is not always easy, and the better units come with an anti-malware subscription that has to be kept current, so it is not a set-and-forget purchase.
The second part of this step is patching. A common misconception is that nearly all infections come from staff opening bad email attachments or visiting bad websites. That accounts for a good share of them, but the other very common route in is unpatched software. Windows, Office, and the practice management software all have security holes, and their vendors release patches continuously. Dr. Lavine does not recommend leaving this to the automatic updaters built into Windows and Office; he prefers a managed service provider (MSP) that automates finding and applying patches while keeping control over what gets installed and when. Keeping software current also answers a question he hears often about HIPAA: patch management is something the regulation requires, not just good hygiene.
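As an added example (not from the episode or Dr. Lavine's practice), the following PowerShell script does the patch-status check an MSP's automation performs on each machine: it reports how long it has been since a workstation or server last installed an update and which applicable updates are still missing, using only the Windows Update Agent COM API and Get-HotFix that ship with Windows. The 30-day threshold and the "ATTENTION" wording are assumptions, not HIPAA figures.

```powershell
# Added example, not the podcast's or any vendor's code. Run as Administrator on the
# machine being checked. Covers Windows and Microsoft updates only: practice management
# and imaging software are patched through their own vendors and are not visible here.
$MaxDaysSinceLastPatch = 30   # assumed threshold; use whatever the practice's policy says

# 1. Date of the most recent installed update. Get-HotFix reads the installed-hotfix
#    list (Win32_QuickFixEngineering), which is enough to spot a machine nobody patches.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSince = if ($lastPatch) { [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays } else { $null }

# 2. Applicable updates not yet installed, from the Windows Update Agent. It searches the
#    source the machine is configured for (Microsoft Update, or WSUS if the MSP runs one).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

$missing = @(foreach ($u in $pending) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }   # Critical/Important/Moderate/Low on security updates
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    }
})
$urgent = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' })

# 3. One-line verdict first, then the list, so the urgent items are the first thing read.
$needsAttention = ($null -eq $daysSince) -or
                  ($daysSince -gt $MaxDaysSinceLastPatch) -or
                  ($urgent.Count -gt 0)
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    LastPatchInstalled = if ($lastPatch) { $lastPatch.InstalledOn.ToString('yyyy-MM-dd') } else { 'never' }
    DaysSinceLastPatch = $daysSince
    MissingUpdates     = $missing.Count
    MissingUrgent      = $urgent.Count
    Status             = if ($needsAttention) { 'ATTENTION' } else { 'OK' }
} | Format-List

$missing | Sort-Object Severity | Format-Table -AutoSize
```

Run on a schedule and collect the "Status" line from every machine, this is the minimum evidence of patch management a practice can show an auditor; the search step needs network access to the update source and can take a minute or two.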
2. Dealing With What Gets Through: Antivirus and Application Whitelisting
Prevention is never 100%, so the second step is handling the malware that does get in. That starts with antivirus software. Windows' built-in Defender has improved over the years, but Dr. Lavine prefers something more robust, such as MSSoft, Trend Micro, or Kaspersky. All of these claim to handle ransomware, the class of malware that locks your files; in his experience they do not do it well enough on their own, so he supplements them with ransomware-specific tools such as Intercept X or HitmanPro (both Sophos products). Like the firewall, antivirus has to be set up properly rather than just installed, including scan exclusions that speed things up without ever excluding the practice's data files.
The limitation shared by the firewall, patching, and antivirus is the zero-day: malware so new that no vendor has a signature for it yet. Traditional antivirus recognizes malware by signatures, small fingerprints that say "this looks like something we have seen before". A zero-day matches nothing, so it walks straight past the firewall and the antivirus. Dr. Lavine's answer is application whitelisting. His analogy is a large bouncer at a private party holding a very short guest list. The IT provider builds a list of every approved program on the network (the practice management software, the imaging software, and everything else that legitimately runs), then flips the switch: any program not on the list is stopped before it runs. Viruses and ransomware are just small programs, a series of instructions, so they are stopped too. Dr. Lavine uses ThreatLocker for this and says that in two and a half years of deploying it he has not yet seen a single infection get through, which makes it the one thing he would buy on a very limited budget. Two caveats: it is one layer of the funnel, not a replacement for the others, and it needs constant maintenance, which is why the vendor sells only to IT companies. When Open Dental ships an update, for example, the new version is not on the list and gets blocked until someone approves it, and that approval has to be pushed to every client that will apply the update.
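Application whitelisting is not only a commercial product. As an added example (not the episode's tooling; Dr. Lavine uses ThreatLocker, which is sold only through IT providers), the following PowerShell builds the same kind of default-deny list with AppLocker, the allowlisting feature built into Windows Enterprise, Education, and Server editions, and deploys it in audit mode so mistakes show up in the event log instead of as blocked practice software. The directories inventoried, the policy file location, and the sample downloaded file are assumptions.

```powershell
# Added example using Windows' built-in AppLocker, not ThreatLocker or any other product
# from the episode. Run as Administrator on a supported edition. To roll back at any
# point: Clear-AppLockerPolicy -Local

# AppLocker does nothing unless the Application Identity service is running. On recent
# builds Set-Service is denied for this protected service, so set automatic start in
# the registry (Start=2) and start it now.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc' -Name Start -Value 2
Start-Service -Name AppIDSvc

# 1. Inventory what legitimately runs: Windows plus the installed program directories,
#    which is where the practice management and imaging software live. Anything a user
#    downloads into their own profile is deliberately not on the list.
$dirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# 2. Turn the inventory into rules. A Publisher rule (signed by this vendor) keeps
#    matching after a version update; an unsigned binary gets a Hash rule, which is the
#    case the episode describes: the next update has a new hash and is blocked until
#    someone approves it.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Deploy in AuditOnly first. Would-be blocks are logged (event 8003) but still allowed,
#    so the list can be fixed before it stops something a dentist needs chairside. Change
#    AuditOnly to Enabled only once the audit log has stayed clean through normal use.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:ProgramData 'applocker-allowlist.xml'   # assumed location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath

# 4. Dry-run one file against the policy, e.g. something a user just downloaded. The
#    PolicyDecision column shows Allowed or Denied and which rule matched. Path assumed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:USERPROFILE\Downloads\invoice.exe" -User Everyone

# 5. The bouncer's log: 8003 = would have been blocked under enforcement, 8002 = allowed.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

The 8003 events are the maintenance work the episode describes: each one is either malware that would have been stopped or a legitimate program (a new Open Dental build, a scanner driver) that needs a rule added before the policy is switched to Enabled.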
3. Ensuring Reliable Backup and Recovery Systems
No layer is foolproof, so the third step is being able to recover when everything else has failed. Dr. Lavine recommends two backups. The local one should be an image of the server, a snapshot of the whole machine that can be virtualized so an exact duplicate of the server is running again within an hour or two of a failure. A local image alone is not enough: it does no good if the backup itself was hit by the ransomware, or if the office suffers a fire, theft, or flood. Some offices still rotate external hard drives out of the building, which he considers a chore most people will not keep up with. He is a strong advocate of cloud backup as the off-site copy: the whole office can burn down and a copy of the data survives. Restoring from the cloud takes longer because the data has to be downloaded, but the practice management database is typically only one to two gigabytes; it is the images that take up the space. Once the database is back, the office can start calling patients to reschedule while the rest downloads.
HIPAA has a hand in all of this. Dr. Lavine notes that the rule requires backups to be retrievable (which in practice means off-site), encrypted, and tested and verified on a regular basis, with that testing documented. He recommends against generic consumer services such as Mozy or Carbonite for that reason: they are not built for healthcare and generally cannot meet those requirements. Backups also need daily attention. Across his client base, every day brings ten to twelve offices with some backup error that has to be read, understood, and fixed, which is why he recommends outsourcing this to an IT provider unless the practice is unusually tech-savvy and has the time. The episode's cautionary tale makes the point. His backups consist of a base image plus incrementals that record only what changed since. A client in Paradise, California lost their office in the wildfire; the cloud held three and a half years of incrementals, but the base image had been shipped to the data center on an external drive and never arrived, and incrementals cannot be restored without their base. The server was destroyed, data recovery failed, and the practice lost everything. The lesson he drew, and changed his process over: a backup is not a backup until someone has confirmed that the full chain exists off-site and can actually be restored.
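Dr. Lavine's conclusion from the Paradise incident was that he needed a system that monitored whether the base image had actually arrived. As an added example (not his backup software or any vendor's), the following PowerShell checks a backup set the way such a monitor would: it treats a set as one base image plus numbered incrementals and reports it unrestorable if the base is absent, the incremental sequence has a gap, a file's SHA-256 no longer matches the manifest, or the newest file is older than a nightly job should allow. The file layout, the manifest.json format, the 36-hour threshold, and the two sample sets it creates under $env:TEMP are all assumptions constructed here so the script runs offline.

```powershell
# Added example; the manifest format, file names and thresholds are assumptions, and the
# sample backup sets at the bottom are constructed here, not real server images.

function Test-BackupChain {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder holding the set and its manifest.json
        [int] $MaxAgeHours = 36                  # assumed: a nightly job should never be older than this
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $manifestFile = Join-Path $Path 'manifest.json'
    if (-not (Test-Path $manifestFile)) {
        return [pscustomobject]@{ Path = $Path; Restorable = $false; Problems = @('no manifest.json') }
    }
    $files = @((Get-Content $manifestFile -Raw | ConvertFrom-Json).files)

    # 1. Every listed file must exist and still hash to what the manifest recorded when it
    #    was written, so silent corruption or a ransomware-encrypted backup is caught.
    foreach ($entry in $files) {
        $f = Join-Path $Path $entry.name
        if (-not (Test-Path $f)) { $problems.Add("missing file: $($entry.name)"); continue }
        if ((Get-FileHash -Path $f -Algorithm SHA256).Hash -ne $entry.sha256) {
            $problems.Add("hash mismatch: $($entry.name)")
        }
    }

    # 2. The Paradise check: incrementals are worthless without the base image they build on.
    $baseCount = @($files | Where-Object { $_.type -eq 'base' }).Count
    if ($baseCount -ne 1) { $problems.Add("expected exactly one base image, found $baseCount") }

    # 3. Each incremental depends on the one before it, so the sequence must be unbroken.
    $seqs = @($files | Where-Object { $_.type -eq 'incremental' } | ForEach-Object { [int]$_.seq } | Sort-Object)
    for ($i = 0; $i -lt $seqs.Count; $i++) {
        if ($seqs[$i] -ne $i + 1) { $problems.Add("incremental sequence broken at #$($i + 1)"); break }
    }

    # 4. A complete but stale chain still fails: the backup nobody looks at is the one
    #    that turns out to have been erroring for weeks.
    $newest = $files | ForEach-Object { [datetime]$_.written } | Sort-Object -Descending | Select-Object -First 1
    if ($newest -and ((Get-Date) - $newest).TotalHours -gt $MaxAgeHours) {
        $problems.Add("newest file is $([int]((Get-Date) - $newest).TotalHours) hours old")
    }

    [pscustomobject]@{ Path = $Path; Restorable = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# --- Constructed sample data: a local set with base + three incrementals, and an
#     off-site copy where the incrementals kept arriving but the base image never did.
function New-SampleBackupSet {
    param([string] $Path, [switch] $OmitBase)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $specs = @()
    if (-not $OmitBase) { $specs += @{ name = 'base-001.img'; type = 'base'; seq = 0 } }
    foreach ($n in 1..3) { $specs += @{ name = ('inc-{0:d3}.img' -f $n); type = 'incremental'; seq = $n } }
    $entries = foreach ($s in $specs) {
        $full = Join-Path $Path $s.name
        Set-Content -Path $full -Value ('fake image payload for ' + $s.name) -NoNewline
        [pscustomobject]@{
            name    = $s.name
            type    = $s.type
            seq     = $s.seq
            sha256  = (Get-FileHash -Path $full -Algorithm SHA256).Hash
            written = (Get-Date).ToString('o')
        }
    }
    @{ files = @($entries) } | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $Path 'manifest.json')
}

$root = Join-Path $env:TEMP ('backupcheck-' + [guid]::NewGuid())
New-SampleBackupSet -Path (Join-Path $root 'local')
New-SampleBackupSet -Path (Join-Path $root 'offsite') -OmitBase
Test-BackupChain -Path (Join-Path $root 'local')
Test-BackupChain -Path (Join-Path $root 'offsite')
Remove-Item -Path $root -Recurse -Force
```

The local set passes; the off-site set is reported unrestorable because no base image is present, which is exactly the condition that went unnoticed for three and a half years in the incident above. A check like this verifies that the chain is intact, not that it boots, so it complements rather than replaces the periodic test restore of the image into a virtual machine that HIPAA's test-and-verify requirement calls for.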