
Steven and Stephen
Episode 7: Cybersecurity Essentials for Concierge Medical Practices with Stephen Sharp
September 22, 2024

Hello and welcome to another episode of the Concierge Medical Marketing podcast. I’m your host, Steven Schwartz, and it’s my pleasure to have you along today. Today, my guest is Stephen Sharp. He is a systems administrator for PD/GO Digital Marketing. Stephen, thanks for being with me today.

Thanks. How’s it going?

Really good. Just thank you for taking the time to share your knowledge with our audience. We have a great show lined up for this podcast today. Stephen, you are so smart in so many areas. And as we were talking before the show on the topic of cybersecurity, and this is in the news. This is a topic that business owners have become increasingly concerned about with regards to the safety and security of their devices, their computer networks, their smartphones, social media, even something like TikTok. I mean, there’s been so many things related to cybersecurity. And I’m so glad you came on the show today that we can get into a nice discussion about topics related to cybersecurity that concierge medical practices need to be aware of in order to help protect their businesses as much as possible. Are you ready to talk about this?

Right. Let’s do it. Alright. Good. So tell me a little bit more about what got you interested in the topic of cybersecurity.

Well, great question. So, to start off, as you mentioned, I’m a system administrator. I’m an admin for PD/GO Digital Marketing. I’ve been working here for eight years, if you can believe it, as of this Saturday. So I’ve been blessed to be able to work here with a great group of people. Well, before I actually worked for PD/GO Digital Marketing, though, I saw some things that I thought were some interesting trends, in myself as well as in the job market in general. So I was looking to figure out what I was interested in specifically. When it comes to IT, I knew that I enjoyed IT. I knew that I was pretty technically inclined, not a programmer or anything by that stretch of the imagination. But I knew that I enjoyed it, and I also knew that I liked puzzles. Well, I also saw that when it came to the job market, there was this weird trend that was going on where the cybersecurity job market, they were needing more people as time was progressing, but there were either fewer people or the same amount of people. So it was not going to match up, and it was only getting worse. So that, it was just getting farther and farther away. So, like, well, you know, this is something that I already enjoy and cybersecurity is basically just working on one big puzzle at a time. So to me, it was like, okay. This makes sense. So that’s kinda what got me interested in it.

Yeah. It’s a huge industry and unfortunately, it seems like in the news just about every day or two you hear about some major data breach and x number of millions of records have been exposed and now you get a free, you know, what is it? Credit monitoring or whatever. You know, for your one favorite one. Exactly. You know, it is like every single day or, you know, every week definitely you’re hearing of some major breach and that is frightening when you think about all the private information that we as consumers have on the internet, and then it obviously goes to a whole other level when you’re talking about private medical information that physicians need to keep very confidential.

So tell me, what are some unique cybersecurity challenges that concierge medical practices face compared to traditional medical practices?

That’s another good question. So here in general, when we talk about the health care industry, you’ve got some unique challenges in and of itself. So you have HIPAA data that you have to manage, but then also you have compliance, and these two things are not the same thing. So when it comes to, like, a breach, you have a certain time period in which you actually have to disclose these sorts of things. And there’s all sorts of legal things that you have to deal with when it comes to working in the medical field. So when it comes to concierge medical, in general, I think one of the problems is you might not end up with the big budgets that some of these larger hospitals or larger insurance networks might have. And so that might make you think that you can cut that from your budget. But if anything, you need it even more. So I think that’s kind of a unique challenge, that you’re sort of having to make more with less in that particular industry.

That’s true. I mean, obviously, the bigger hospital networks have bigger budgets to protect their business. Smaller businesses, you know, have obviously typically smaller budgets, and with that you need to make the money that you do have stretch to cover everything you need, and unfortunately cybersecurity is one area where people, you know, shortchange it because they need to take care of other things more importantly, like, you know, payroll and their malpractice insurance premiums and the rent and the air conditioning bill and the Internet. So, you know, you think, yeah, I could not pay this extra money for proper cybersecurity and then, unfortunately, if a business gets hit, realizing that they made a mistake on where those funds were allocated.

Correct?

Exactly. Yeah. That is one thing that you really can’t you can’t cut. You can cost optimize, but you can’t cut out the security, in general. And, you know, you might even think, okay, well, I’m paying for an MSP, so a managed service provider. I’m paying for an MSP to handle things for me. Well, I mean, you know, there are certain things like establishing a culture of cybersecurity in your organization that they, you know, they simply can’t handle for you. You actually have to be, you know, on guard yourself.

Exactly. Well, let me ask you. What measures can concierge medical practices take to safeguard their businesses against cyber attacks?

Well, I would say one of the things that, unfortunately, some people don’t really care for, you know, they think it’s just another checkbox to knock out maybe for compliance or, you know, if you’re working for an organization. But security awareness training, I think that’s one of the things where you’re going to get your best bang for your buck. And that goes back to the cost optimization thing, is that the people in your organization are going to be the weakest links. Us cybersecurity people, we like to think of things as, like, it’s a race against time against the hackers in North Korea. And, you know, we’re going against nation state actors, and we’re battling them. And, you know, it’s a battle of equals. It’s nothing like that in general. It’s, you know, Bob over in accounting clicked the link. Not right. Said they were gonna get, you know, twenty extra days paid time off if they click the link and download this and run it. You know? We actually did security awareness training here at PD/GO. And one of the things that was brought up was a guy in the training. A guy had got himself in a little bit of trouble, and he was nervous. And so because he was nervous about this message that he got, he was able to be coerced into downloading and installing malware that ransomed the entire organization. Oh, no. And it cost them half a million dollars to pay for it. Right? Because ransomware is one of those things where sometimes they actually will pay for their data, which is kind of sad, but it’s a thing that happens. So half a million dollars because, you know, I don’t have his name, but let’s just say Bob in accounting Right. Clicked and ran something.

If we knew their name, we wouldn’t share it here anyways.

No. No. And hopefully the security awareness, training wouldn’t share it with us either but yeah. Exactly. So Okay. Well, cool.

Why is cybersecurity particularly critical in the healthcare sector?

I think so you’ve got a sort of, triple whammy, and that triple whammy is that, you know, you have data, that you’re that everyone you know, I have data. Data. Like, here at home, I have data, data on my computer, data on my NAS. I have data. And some of that data, I’ve spent a lot of time building, working on documents or ramps, all these sorts of stuff. You know, you think about the many, many hours that you put into that data. There’s a lot of time value, with it. Well, it’s not just data though. You also have compliance you have to worry about. And these are not the same thing as I mentioned. And then you also have the health of your patients that you have to worry about. So for example, when you when you see a, health care organization get ransomed, it can actually impact people’s health because they’re, you know, in the midst of administering things to their patients, and they need that information. You know, they might have backups or, hopefully, they have backups. There’s a saying, there are the two kinds of people, those who have backups and those who will have backups. And, so hopefully they have backups, but maybe they don’t or maybe they’re going to paper. Some people have to do that, but, you know, it’s going to impact people’s health. So these, multiple things going on at the same time, it gives a threat actor a good leverage to go after you for. So they can go after you for the fact of the data or the health of the patients or your compliance. You know, let’s say they got in because you weren’t being fully compliant. Well, now you’re not just talking about paying the threat actor for, to get the, key, due to ransomware. You’re also talking about the, government or regulatory, organizations breathing down your neck. And so they could also threaten you with that releasing that information. So there’s a lot of there’s a lot of points that they can use against you that may or may not exist in other industries.

Sounds like a very significant threat to concierge medical practices. Are there any other potential consequences of such an attack that you wanna share today?

Yeah. I think ransomware in general has to be on your radar. And that’s for everyone. But I think, you know, it’s gotta be on your radar, especially if you’re in a medical practice. And definitely concierge medical practices, whatever your medical practice is. According to Jericho Security, health care is the most targeted sector for phishing. So let’s just be realistic. Where are you? Where is the threat going to be? It’s gonna be phishing, probably, for you. You know, who is it going to be? It’s probably gonna be someone in your organization who clicks a link or takes a phone call or something. So, you know, yeah. That’s just something that has to be on your radar. We talk about, you know, what do you think the threat vector is going to be? Well, hopefully, you’re thinking about that. So phishing, you would say, is number one as the most typical or common vector of getting into someone’s systems through the human. Yeah. According to Jericho Security, seventy percent of all health care breaches are attributed to phishing attacks. So, yeah. That’s most likely gonna be it. Yeah. That’s significant. That’s a huge number. Yeah. And if your mouth dropped like mine did when I heard half a million dollars. Sure. From our vendor. Just wait till you hear the average for health care. Nine million dollars per incident. Man. So if you don’t think that you have the money for that awareness training, I think you just found it. Exactly. You’re gonna make it work. Yeah.

What else can be done to mitigate this risk?

Backups, backups, backups. You know, that’s what you’re

Let’s dig into that a little bit more. You can say backups and someone says, oh, I back up stuff to, you know, an external hard drive on my desk. Whatever. You know, that’s, you know. There’s also online backup services. What would you recommend to a practice, let’s say a concierge practice with maybe three to five physicians, one location. What would you recommend that they do to help protect their data in case it was hit with a ransomware attack?

Well, I’ll give you a principle, and that is that if the ransomware attack, is successful and gets on your computer, it should not be able to also get onto your backups. So it should not be able to encrypt your backup. So you could be using a NAS like I do or we do.

Can you explain what a NAS is to our partners?

Yeah. It’s a network-attached storage. It’s like a mini server. So and particularly for files also although they’ve sort of grown into the, like, the home server space. But, yeah, it’s like a little mini server and they’re fine, you know. If you have that somewhere remotely where it’s not on the same network, you know, it’s isolated from the network, and then it reaches out and grabs the data at the right time from, from your computers. But there should not be that back connection where the computers can decide to reach back out to it. So it should be a one-way thing, and it should be able to scan the backups to make sure that there’s nothing, you know, no viruses, anything like that. And it should also create the backups to be immutable. It means that they can’t be changed. So or at least if they are changed, you should be able to know about it through hashes or something like that that checks the integrity of those backups. So now whether you use a Kronos or your own NAS or something like that, you know, having multiple backups, I think you’ll find at one point in your life, you’ll be glad that you have multiple, but at least have one.

For our physicians and office managers who are watching this podcast, if they want to set up a NAS and these types of backups, is this something that they can realistically do themselves, or is it more likely they pay an IT professional in their area to come out and set it up, and if so, what would they expect as the ballpark investment for doing this?

Well, it’s gonna depend on how much data you’re gonna end up backing up. So that’s really gonna change from organization to organization, but, you know, a typical Synology NAS, which if you’re doing it yourself, you’re probably gonna go with Synology. I’m a big fan of TrueNAS, and you can get a NAS from them as well. But Synology is gonna be a big one. You know, that’s gonna run you, say, six hundred dollars for the actual NAS itself. And then each hard drive is going to be another couple hundred bucks. And so it just really depends. But, you know, you gotta take a look at your computers. If you only have one or two computers that you need to back up, you know, it might end up costing a thousand dollars or so. And if it doesn’t cost you a whole lot, maybe you’ll get a couple of NAS so that you can have one over at this space and one over at this space to make sure that you do have those redundant backups.

Right. And what about off-site backups? Where the data would be automatically backed up to a cloud server somewhere.

Yeah. I’m all for that. If your finances allow it at your organization, that’s definitely a great thing. It would be great to have, you know, both the cloud backup through whichever is compliant with HIPAA and willing to sign your BAA. You know, that’s great. So having multiple forms of backup is generally best practice.

Can you explain BAA? That’s an acronym that some of our audience may not be aware of.

Yeah. So in the medical space, that’s the, business, associate agreement. And, basically, when it comes to, HIPAA data and compliance, just because I sign a check over to you does not mean that I’ve also signed over responsibility to you. So that’s the same whether you’re talking about your HIPAA data going over to a backup vendor or, you know, really anyone, that’s going to see that data. Just because they see that data does not mean that they’ve agreed to comply with HIPAA and take on that portion of your responsibility. So when you have a vendor that’s gonna manage your email or manage your backups, you’re gonna have to offload that compliance risk off to that person or that organization by getting them to sign that business associate agreement.

Right. So, does that basically mean legally that if there was a breach of some sort then the insurance of that vendor helps cover the cost of remediation as opposed to your medical practice?

That would be my understanding. Yep. You’d have to take a look at it yourself. I’m not fully versed in, say, the legal Right. Of health care. But, yeah, that would be my understanding, is that you are now saying this portion, what I’ve given you, whether it’s my mail server or what, you know, you have to also handle it in a HIPAA compliant fashion, whether that’s encryption, definitely be encryption, and all best practices, so you gotta offload that.

So, fascinating. So many intricacies here.

I know you’ve been studying cybersecurity for the last several years. What has changed in cybersecurity literally in the last few years that you’ve been studying it?

Well, something that’s, I’d say, exciting and also terrifying is AI. It gets hyped up for a lot of things that maybe it doesn’t need to be hyped up for. You know, it’s gonna take our jobs and all this and that. And it’s like, someone asked me if I was afraid that AI was gonna take cybersecurity jobs. I was like, if AI could somehow make every single computer out there secure magically, I’ll give up the jobs. Like, that’s fantastic. But because I don’t think that’s the reality we live in, you know, I find it really interesting. I love playing around with AI myself, through different, like, ChatGPT and other large language models. I love watching this particular space as it develops. But probably one of the first things that I thought when I saw this happen is we have a sort of interesting thing in cybersecurity, in securing our organizations. And that is, as I mentioned, phishing is a big deal. And a lot of phishing is just they send out that, you know, the ones that we mock, the Nigerian prince type emails. He has a lot of money for me. Right? Yeah, exactly. Like, you know, the bad English emails that end up in spam and somehow we fall for anyway or, you know, all that sort of stuff. Like, so that’s been phishing in general and it’s still been effective. Then you have something that’s called spear phishing. And that’s where I, as a threat actor, am going to look at your particular situation. You are Steve Schwartz. You are, you know, whoever you are. I find your name. I find out where you work. I find your phone number, your email. I find as much information as I can take in from breaches. That’s another vet. That’s another thing that you can get that data from. I’m gonna get as much data as I can and then I’m going to craft a persona of you and I’m going to use that in order to target you specifically. It’s a lot of work but it’s also very effective.
And then you take that particular thing, and then you go after, like, really high level targets like presidents, that sort of thing. It’s called whaling. You’re going for large targets. Well, the problem with this is that takes a lot of investment. That’s a lot of time. And fundamentally, a lot of these, unless you’re a nation state, a lot of these are businesses. I mean, you know, they’re looking for profit. They’re looking for the most profit for the least amount of effort. So, you know, they just can’t spend all that sort of time on every single person doing spear phishing. So they do that general phishing. The problem then with AI is that what it could do is allow you to get all that data from breaches and about these people as much as you can, and then use AI to spear phish them. So that’s been my concern.

Oh, my.

Yeah. So exactly. Right? So now it sort of acts like you have that amount of time to go and know exactly, oh, you work in billing. Oh, you do this or, you know? And then yeah. So there’s very little time investment from the actual threat actor. So that’s a concern of mine. But on the flip side, you know, with technology, there’s always a flip side. On the flip side, one thing I’ve gotten to use AI for is, us at PD/GO, we’re a small organization. So what I’ll do is I will take an alert that I get from Wazuh, which is a free SIEM, security information and event management tool, which is a fantastic thing to have if your organization doesn’t have it. It should, probably yesterday. That gives you visibility into what’s going on with your organization. You can take the alerts that you generate from that, and you go, okay. Well, something happened. Okay. Well, this particular alert looks a little funny. Alright. Give that to an LLM. Tell me about this alert. What do I need to do? What are my next steps? Right? For a small organization that might be budget constrained, that’s a fantastic thing. You know, just tell me what I should do with that information. I might say, okay. We’ll take that IP address and go to AbuseIPDB and then ask it what the reputation of that IP is. You know? And then it might turn out to be nothing. But that’s something that you’ll wanna take a look at, is using something like a SIEM. But that’s what I’ve been using AI for so far when it comes to, like, the cybersecurity space, as well as, you know, summarize this article for what’s happening in AI, what’s happening in cybersecurity, what are the latest breaches, what are the latest trends. You know, trends is a big thing too that you want to pay attention to.

I could see you also capturing information from multiple articles on a particular topic. Dropping those into an AI tool like ChatGPT or something similar and basically saying take the information from these five articles on this topic and summarize it into a, you know, five hundred word article that I can share with my concierge medical clients, something like that. And it pulls all the different information together into a single quick and somewhat easy to read summary that’s actionable for the audience it’s intended for. Right? That’s another Yeah. I would say great use of AI tools to help summarize these complex topics and make it easy to understand. Right. And that’s sort of a big thing is when things are happening out there and you’re hearing about them like this breach, you know, the national public breach or whichever breach, one of the questions you ask yourself is what does this mean for me? And that’s something that AI can also help do is, okay, well, you’re working in this particular space. What do I need to do about this information? Okay. Well, it might say, check out Have I Been Pwned. See if your information was in that breach. No? Okay. You’re good. Right. So being able to advise you in these sorts of things where, you know, let’s be honest. A lot of people don’t have a whole lot of time to investigate what’s going on in this space. I like the Have I Been Pwned service because it can run in the background and literally check the concierge medical practice’s emails every single day and scan the dark web or however it works behind the scenes and then alert the physician, the owner, the practice manager, hey, this particular email in your business has an issue, and basically brings attention to it automatically.

Correct?

Right. And that’s a great thing to bring up is being proactive. So using a service like that that will tell you, okay. Well, we found your information in this breach. So now instead of having to actually go there and put in your email to check it, it can actually tell you. So, yeah, that’s a phenomenal resource. We use it personally. We love it. We recommend it. And it can run in the background. So it’s not like you have to think, oh, I have to check the web today and see if any of our team has been breached. Right?

Right. So they have their own service where you subscribe to, you know, you put in your emails, your team emails, or your whole domain and ask it to alert you if there’s been a breach related to emails on that domain. Conversely, you can also, if you have a little bit of programming background, you can also use their API in order to check passwords. Now that’s not something that you want to actually go out and provide your password for. Hey. Yeah. Can you please check my password to see if it’s breached while you put it online? It wasn’t before you did that. It is now. Yeah. Exactly. Yeah. So but, you know, what it’ll do is, there are cool tools out there that will hash the password. So that’s generating a sum, a checksum of the password, that makes a unique string, and then takes the first part of that string, sends it over to Have I Been Pwned, and Have I Been Pwned sends back, oh, yeah. I’ve seen these that start with that. And then your own computer can take a look and go, oh, yeah. It’s right there. Change your password.

So, this has been so interesting and do you have any final tips to share with our audience? Anything actionable? Anything do you look out for?

What else can you share? Yeah. I would say something worthwhile, and this goes for concierge medical organizations. If you can, join your local or join your ISAC. So that’s basically an organization that’s going to go ahead and find out what’s going on in this particular, like, if it’s health care, if that’s your health care ISAC, then those in those industries can share information amongst each other about what’s going on. So that’s very helpful to know if healthcare is starting to get an uptick in attacks. And it is good to know that before other people know that. So that would be an important thing. Another thing that I would say is just, you know, establish a culture of security in your organization. We mentioned the whole, you know, dollars to, you know, what’s the cost optimized way of protecting your organization? One thing is just to have that sort of culture of security. If someone has a question about an email, you don’t mock them for asking about it, you know, because they could have clicked it, and that could have been your five hundred thousand dollars that just went to some ransomware organization. So, you know, and resource your cybersecurity team. That’s just your IT team. Make sure that they know that they’ve got everything that they need in order to succeed. That’s what I’d say.

Love it. Stephen Sharp, thank you so much for taking your time today, sharing your knowledge and giving so many great actionable items for our concierge medical practice physicians and office managers to be able to help protect their organization. Our doctors go through med school and residency and maybe borrow a lot of money to start a practice and find the right staff and do all this work and all this investment, all this time, only to potentially get hit with a huge, expensive ransomware attack that you had no control of because somebody who’s working at your front desk clicked an email. Right?

Yep. So I encourage all of our audience members listening here. Please speak with a quality cybersecurity IT professional in your area. Have them come and do an audit of your systems. Have them come and look for holes, places where bad guys, the threat vectors, could literally do immeasurable, exceedingly expensive, and very stressful damage to your business. So please, reach out to an IT professional in your area who knows cybersecurity and have them do an audit of your system to be sure that where you are now is not vulnerable to threats.

Thank you once again, Stephen Sharp, for your insights and for helping us understand the critical nature of cybersecurity in concierge medical practices. It has been a pleasure having you on the show.

Thank you for having me. It’s been great to share this knowledge and, hopefully, help practices better safeguard their vital information.

Absolutely. And to our listeners, stay safe, stay informed, and prioritize cybersecurity in your practice. Until next time!