Dr. Lorne Lavine, The Digital Dentist, on Patch Management – Cybersecurity, data safety, and HIPAA compliance in dentistry.
About Dr. Lorne Lavine
Dr. Lavine is the Digital Dentist. A former periodontist turned cybersecurity, IT, and HIPPA expert for dental offices, Dr. Lavine lectures and educates globally to keep dentistry safe from all the various cyber threats.
About Alex Nottingham, JD, MBA
Alex is the CEO and Founder of All-Star Dental Academy®. He is a former Tony Robbins top coach and consultant, having worked with companies upwards of $100 million. His passion is to help others create personal wealth and make a positive impact on the people around them. Alex received his Juris Doctor (JD) and Master of Business Administration (MBA) from Florida International University.
Transcript performed by A.I. Please excuse the typos. 00:00 This is Dental All-Stars, where we bring you the best in dentistry on marketing, management and training. Here’s your host, Alex Nottingham. 00:12 Welcome to Dental All-Stars. The topic of this podcast is Patch Management, and our guest is Dr. Lorne Lavine. Dr. Lavine is the digital dentist, a former periodontist turned cybersecurity IT and HIPAA expert for dental offices. Dr. Lavine lectures and educates globally to keep dentistry safe from all the various cyber threats. Please welcome Lorne. Thanks Alex, pleasure to be back here and looking forward to the presentation today. 00:42 I usually get a lot of the stuff that you put out there. Like it’s really interesting and what, what is patch management? Well, every office, every dental office has software. You know, it’s there’s a windows, there’s office, there’s Adobe, there’s all their different programs that use, I mean, a typical office might have 30 or 40 different software programs. Every single one of those software systems has security holes in them. 01:11 even though they tried to design them to the best of their ability, the fact is that they all have security holes in them. The people who develop that software are constantly finding patches to apply to that software so that you can get them current and basically eliminate some of those holes. The challenge is that a lot of times those patches themselves have holes in them. 01:39 You’re kind of playing this game of whack-a-mole where you’re constantly trying to snuff out the security holes. And of course the people out there that are trying to exploit those holes are finding new and new ways to do that. So it’s kind of a moving target. It’s not like you patch it once and you’re done. A number of years ago, really when we started moving towards digital records and HIPAA started to get involved with things, there was a realization that 02:08 you are doing your patients a disservice if your software is not current and up to date. So there actually is a HIPAA law called Patch Management, which basically says you have to keep things patched. You have to do that. You know, one good example that a lot of people are probably familiar with is that every few years, Microsoft goes what we call EOL, end of life on certain systems, you know, a number of years back in 2014, it was Windows XP. 02:38 A couple years after that, it was Windows 7. Going end of life means end of support, which most people don’t care about because, you know, who calls Microsoft for support? The more critical thing was that that also meant the end of security patches. And one of the things that we would always tell our clients is, listen, once Microsoft is no longer supporting or patching… 03:03 that operating system you need to update. You need to get to the next level up or higher because you’re not in HIPAA compliance. And one of the arguments we would hear as well, there’s nothing in the HIPAA laws that says you have to be on Windows 10 or Windows 11 and like that. Indirectly there is though, because there is a HIPAA law that says you must do a regular risk assessment to evaluate where you’re at risk. If you do one, you’re gonna discover of course that you’re running an operating system that’s no longer being patched. 03:33 and part of doing a risk assessment is addressing whatever you find in that assessment and resolving it. There is no way to resolve an unsupported, unpatched operating system. You can throw firewalls at it and antivirus software at it, but the fact is that it will always be a security risk. So that’s a very long explanation of what exactly patch management is. It’s a HIPAA law and it’s a common sense thing that we always recommend for all offices. 04:03 that you keep your computers, uh, you know, the software current and up to date. So patches are updates. Whenever they say update your software, that’s a patch. Yeah, we call them security patches. There’s different terms that are used, but it’s absolutely a, um, it’s a security patch. It’s, it’s a small piece of software that is added on to the existing software to plug up, you know, quote unquote, those security holes that, that exists in, in that particular program. 04:33 Now we said, so patches or updates are there, cause I see on windows, I don’t know, what do I have 11? That’s the newest one. They have like general updates. You have security updates. I see like your Apple phone also does the same thing. There are updates. There are some of them now, are they different is an update includes security updates to make sure typically, usually a lot of times I like for you use Apple as an example, a lot of times when you 05:00 Click on the general icon and say, you know, what’s in the new update. It’ll say security patches or improve security or something like that. The terms are used interchangeably, but they all basically mean the same thing. We know you mentioned windows update and that’s kind of a sticky situation. With windows is depending on which version of windows you have. 05:26 you don’t have a ton of control over those patches. There are certain types of patches like security patches that were ones that they considered to be high risk security patches that you have zero control over. Now, for some cases you can kind of say, okay, I don’t want to apply these patches. What most offices do is they’ll just turn on the automatic setting that allows windows to decide here’s when we’re gonna do the patches. Usually it’s done late on Tuesday nights and a lot of offices where, 05:56 probably familiar that they come in on Wednesday mornings and their computers were rebooted and they don’t know why, is because those patches were applied. The challenge with that is that Microsoft is not infallible and a lot of times, as I mentioned, their patches have issues. They’re not always the most stable. Sometimes they break things. We had a few patches a number of months ago where almost all of our Dentrix clients couldn’t print because something had happened in the patch. So… 06:24 as an IT provider, most of us who are called managed service providers, which means that we automate a lot of that, we can take over the patch schedule. We don’t let Microsoft determine the patching. We decide when it’s going to be, almost always is on weekends, so that’s not going to affect your working. And we oftentimes want to not necessarily apply the patch on the day that it comes out. 06:51 But let other people be the guinea pigs to find out that there were some problems. We can go a week, two weeks before we then apply those patches. So a good IT company is typically going to want to have control over that patching schedule to make sure that you’re getting good, solid, tested patches that you need to apply. That makes a lot of sense because I was just thinking, Oh, let me just auto update everything. But you’re right. Sometimes there’s bugs in the patches. 07:20 And it may fix one thing, but another area of, like you mentioned in denture, something will fail. So you’re like saying, let the other morons, so they’re morons, but it was auto updates, let them be the guinea pigs and they have the issues. So you’re being smart with that. You’re waiting for more data to come through. Now by not patching right away and doing automatic, are you more vulnerable to viruses or. Or malware? Yeah. I mean. 07:49 Yes and no. I guess in theory that is the case. That’s why with Microsoft, again, depending, usually it’s with the pro versions of the software that you have more control over the schedule. Home versions you typically do not. In most cases, especially with the pro versions, you can basically turn off most of the patching. If Microsoft determines that it is a high priority, high risk situation, 08:18 they will not, they’ll override any settings that you might have. That patch will be applied whether you want it or not. And with the automatic patching, the truth is there’s not a ton of programs you can do that with. Windows, you can do it for sure. Office, you can do it. There may be a few other programs, but things like practice management software programs and Adobe and all that, a lot of the stuff that people use day to day, you really don’t have. 08:46 automatic patching and that’s also been a challenge over years as well. How do you know that there is a patch that’s available in the past? As an IT company, what we would do is we would have an inventory of everyone’s office software. We would go online, we would look for the patches. If we found one that looked like it was critical, we would go ahead and apply the patches, reboot the computer. As an IT company, we love that. 09:16 unbelievable number of billable hours. And it took hours and hours and hours. You know, if an office had 10, 15 computers, it would take us three, four hours to apply all those patches. We loved it, our clients, not so much. So a lot of us, as I said, in IT are now what’s called managed service providers or MSP. And that’s really just a fancy way of saying automation. That rather than us having to do that manually, there’s specific software that we can put on the network. 09:44 that will recognize what software you have. It will go out and find the patches on the schedule that we tell it to, apply them on the schedule that we tell it to, reboot when we tell it to. We have complete control over that patching schedule. And that allows the office to only have patches that are really necessary and that have been tested and that we know are really valid for that particular office’s situation. 10:14 Well, actually you, you kind of said how actually let me go back. You spent a lot of time talking about what can go wrong by patching too early. Well, why do I need patching? Let’s go with the obvious. Why do I need patching for security or HIPAA issues? Why not just wait even longer? Well, they have identified these problems. So, you know, we’ve. 10:40 We find that a lot of times those initial first patches are problematic. Either they themselves have security holes in them or they break other things. At a certain point, whether it’s three days, a week, maybe a couple of weeks, but at some point they will have resolved those issues. There’s still the need for that patch. They have still identified the security hole. I mean, part of the thing is people, they worry about ransomware. That’s the number one concern that we hear. People are worried about getting attacked. 11:10 And most offices think, hey, the only way that this happens is through email. You know, we get an email with a bad attachment on it, or my staff go to a website that they shouldn’t have gone to, and that’s what causes the issue. It’s true that email is the number one reason for ransomware infections. Close behind it, really close behind it is unpatched software. It is a major way. 11:37 that ransomware and malware can get into your network. So if the software company has identified a security hole, it does need to be patched. We’re talking more of a when rather than an if. And as you alluded to, there is a HIPAA law, it’s called Patch Management, that says, you have to do this, you have to keep it current. If you are doing your risk assessments properly, you will identify that there are needs for patches. 12:04 And by definition, you have to address that. And that’s what patch management can accomplish. With the patches, what type of software needs patches? We talked about the operating system that needs patches. What else? Microsoft office constantly is releasing patches, Adobe or other PDF types of programs, your practice management software oftentimes is coming out with patches. Now, a lot of times when, when 12:32 Open Dental, Dentrix, Ecosoft, they come out with patches. A lot of times they’re also updates where they’re doing new features or adding new things that the software didn’t have before. But in a lot of cases, they are finding security patches as well. I think what other programs do offices use? A lot of times people are using third party software, KPI type software, image management, basically all software programs, all code. 13:01 is subject to exploitation in some manner. So if it’s a piece of software, if it’s running in your office, you have to try to do your best to make sure that it’s current and that you’re keeping your data secure. Well, tell me how to do this, because it’s a lot of patches, because also your antivirus has patches, your security routing system, everything’s having patches, everything has software. 13:29 in your, in your practice, even the hardware components. So how do you, how do you manage all this? And then you call us up or call up your IT provider. Most dentists, even ones who are very tech savvy, and we do have a number of clients who are really on the ball. Um, it’s very time consuming. They don’t have the time to learn how to use these, these patching programs and set it up correctly. 13:58 They don’t have time to monitor it. They don’t want to have to deal with the aftermath when it doesn’t work. If, you know, listen, nothing that we do is a hundred percent foolproof. You know, we can apply patches and some computers, the patch doesn’t work or, you know, it, it fails or, you know, it causes a crash or whatever. I mean, there’s a lot of things that can happen. Um, so for that reason, we really recommend, you know, finding not only an IT company. But 14:22 a managed service provider who specifically deals with patch management. That’s what managed services basically means is the automation. And ideally work with someone who understands healthcare. Because you know, a lot of it companies don’t really understand HIPAA. They don’t understand risk assessments, patch management, all the other things that healthcare has to deal with. So you know, if you’re if you’re looking for an it company, or you’re not sure if your it company is really on the ball, I would definitely recommend 14:51 finding a company that really specializes, if not is exclusive to dentistry or the healthcare field. What can go wrong? What have you seen go wrong with improper patch management? We have seen patches. As I said, we’ve seen them crash computers. We’ve seen them not work. We’ve had people think that they were patched when they weren’t patched. There’s a lot of stuff that can happen and you just don’t know until you actually apply the patch. 15:21 but nothing’s gonna destroy your data. We haven’t seen that yet, but we’ve seen a lot of downtime, lost production. Like I said, this really should be an automated thing. It should be happening after hours, on evenings or weekends. It shouldn’t require any input from you. It just should work. And when it doesn’t, you’re trying to deal with computers that are down, programs that won’t open up. 15:48 uh, error messages, pop-ups, you just, all the things that you have to deal with. It’s just, it’s time consuming. It’s distracting. It’s, it’s, it’s, you know, it’s affecting your, your productivity. So those are typically the main concerns that we would have. Okay. And you do this, you help with, uh, patch management? Absolutely. It’s one of the things that we do, you know, when we work with an office, typically 16:13 the first thing that we want to do is some type of an evaluation. We call it a security audit or a technical audit. Just like when you’re treating patients, you don’t know what the issues are until you look, you know, you can’t really treatment plan unless you diagnose first. So that’s what we do. We’ve typically always charged for that. Uh, one thing that we are more than happy to offer for your listeners, uh, is that we will waive those fees. I mean, it’s free. 16:42 It takes maybe 20 to 30 minutes for us to hop onto your network and gather the data that we need. And based on all that, we can let you know, hey, here’s what we found and here’s what we recommend and here are your options. And these are all things that we’re more than happy to provide. But certainly some practices might want to do it on their own or see if their local IT people can handle it. And that’s fine. The critical thing is that it be done. Who does it isn’t as important as that you have someone who’s competent. 17:10 that can do this for you. But of course, we’ve been doing this for 10 plus years. I’ve been doing my business for 20 plus years. HIPAA really became finalized in 2013 with the Omnibus rules. Patch management was part of that. So really for the last 10 years, it’s been one of the focuses of what we do. It’s interesting, we, whenever I speak to you, I go look at my backup system and again, it failed. So I gotta reevaluate my process. It’s not… 17:39 working. I have this little, I have external hard drive connected to USB. I got to put together a server. It’s, it’s ridiculous. I happen to know a good IT company if you’re looking for some help. So just throwing that out. I got, man, I had, I had malware. What was it? Malware, ransomware once and I called you freaking out. We did it. We did a, a session on, on backup and we’ll shoot it, do it again. I also forgot to mention that this is another episode of tech talk. 18:08 So every month we have the digital dentist with us on some topic of technology. And at least for me, I get to talk to you and immediately I check all my systems and something’s failing. So at least it reminds me. So every month, make sure you’re listening to Dr. Lauren Lavine, because at the very least he’ll scare you to make sure you’re doing what you’re supposed to be doing. And it’s a good reminder because it’s, we cover a lot of things at tech talk. We talked about. 18:36 Backup systems today, we’re talking about patch management and we’ll keep bringing more and more on technology. We did artificial intelligence. That was a fun podcast as well and how that works. So we talked about for those and I’ll put this in the show notes. It’s the digital dentist.com to reach out and they can request a security audit from you. 19:00 Yeah, on the website it actually says request a free consultation. You put in your name, your email address, your phone number that goes straight to my office manager. She will then contact you and schedule a time for one of our technicians. And like I said, it usually takes about 30 minutes. We usually only need someone from your office for about five minutes, someone that can get us onto the server and a couple of workstations that we can gather data and someone that can answer a few questions. There are things that we can’t determine by being logged into a computer such as, you know, how 19:29 How are you doing your backup? How do you email patients? When’s the last time you did a risk assessment? So, we’re gonna have a few questions that you would have to answer for us verbally, but the entire process takes 30 minutes, maybe 40 minutes if it’s a large office, and then I would follow up me individually with the dental office, with the dentist, and go over the findings. I have a full report that they would get afterwards that shows everything that we found, all the recommendations. 19:57 what would happen, what the options are, and then we decide what’s the best path forward. Well, Lauren, thank you so much for being on the program. Thank you for having me. Remember to follow us on Apple Podcasts, Spotify, and YouTube. Get the episodes as they are released and share with your friends. Until next time, go out there and be an All-Star. 20:24 We hope you enjoyed this episode of Dental All-Stars. Visit us online at AllStarDentalAcademy.com.