Dental All-Stars explores cybersecurity and HIPAA with Dr. Lorne Lavine. Stay informed and protect your dental practice.
About Dr. Lorne Lavine
Dr. Lavine is the Digital Dentist. A former periodontist turned cybersecurity, IT, and HIPAA expert for dental offices, Dr. Lavine lectures and educates globally to keep dentistry safe from all the various cyber threats.
About Alex Nottingham, JD, MBA
Alex is the CEO and Founder of All-Star Dental Academy®. He is a former Tony Robbins top coach and consultant, having worked with companies upwards of $100 million. His passion is to help others create personal wealth and make a positive impact on the people around them. Alex received his Juris Doctor (JD) and Master of Business Administration (MBA) from Florida International University.
Transcript performed by A.I. Please excuse the typos.
This is Dental All-Stars, where we bring you the best in dentistry on marketing, management, and training. Here’s your host, Alex Nottingham. Welcome to Dental All-Stars, and we’re doing another episode of Tech Talk. The topic today is cybersecurity and HIPAA team training, and our guest is Dr. Lorne Lavine. Dr. Lavine is the Digital Dentist, a former periodontist turned cybersecurity, IT, and HIPAA expert for dental offices.
Dr. Lavine lectures and educates globally to keep dentistry safe from all the various cyber threats. Please welcome, Lorne. Thank you. So if this is the All Stars podcast, does that mean I’m considered an All Star? You are. And you are also one of our instructors. We have you a little module on HIPAA on our courses. So yes, you’ve been an All Star from the beginning. Okay. Well, my ex and my teenage son may disagree with that, but it’s okay. I’ll take it. It’s worth it.
You are, you are, they just don’t know it yet, but one day they’ll come to their senses. Yeah. So we’re all about training at All-Star Dental Academy. That’s so important. And HIPAA training. And we do such a, we have a little bit of HIPAA training from you. It’s just a little teaser, but there’s an official HIPAA training process. There’s cyber security training. There’s ways of making sure your team understands the area of what you do. In the office, because it’s so critical.
to success. So tell me about what are areas that need to be trained in the office on cybersecurity, on HIPAA, on technology, and how does that get done? Yeah, so basically everything. You know, one is that we’ve talked about in previous podcasts is that dental offices are under attack. And a lot of times that comes through email. Sometimes it
comes from websites that you go to, and sometimes it comes from not having patched systems in place. Um, it’s really critical for offices to know number one, how do you prevent your office from being subjected to these types of attacks? And number two, how do you deal with it once it manages to get through? So one of the things that we’ve been providing and recommending to offices for forever, even long before HIPAA became HIPAA,
is that they do some type of staff training. And obviously the dentist needs to be part of that. We have, unfortunately, a few offices that just decide, hey, I’m gonna let my staff do this and why do I need to worry about it? And of course the dentist is oftentimes the number one culprit for opening up email attachments that they shouldn’t have or going to websites that are sketchy websites and causing all kinds of issues for the network. So there are a ton of programs out there. You can do it in…
person, you can do them online. Some of them are cloud-based. There’s a lot of ways to get that training under your belt. There is a HIPAA requirement that says that you really should be training you and your staff on a regular basis. Everyone’s definition of regular is different, kind of like with CPR training. I mean, you get it, but you have to renew it on a certain basis.
Every state’s different for that. We typically would recommend yearly just because you forget a lot of the stuff that you’ve learned. You can make the argument, hey, we have the same staff, we have the same software, the same computers, nothing’s changed. So, you know, in theory, you can make the argument that maybe we’ll do it every couple of years, but it really should be on a regular basis. And when you consider the fact that most of them are very competitively priced, and usually well under $100.
per person, you know, to get that training. One of the things that, you know, one of the reason that we like the programs that we specifically recommend is that you get some type of certificate afterwards that you can prove that, you know, one of the big things with HIPAA isn’t so much that you do the things that you should be doing to get yourself compliant. But the question is, if you are ever called out on that, if you were audited, can you prove that you did those things?
And that’s the beauty of some of the programs that are out there is that you will actually get a certificate that shows that you did the training when you did it, that you passed the course and then you are ready to go ahead and, uh, you know, prove that you’ve got that in place. So HIPAA was one kind of nugget. We’ll talk more about. There’s also a lot of, in terms of training and we were, we’re talking about this, we can be very broad, right? Obviously.
practice management, well, it’s a practice management software training. There’s practice management training, what we do, phone skills, scheduling, things like that. There, there’s also the policies and procedures when it comes to all of these softwares and, and how to interact properly with them, what they have to do there to, to support them. I know a lot of it you do remotely, but also what to avoid. So not to encourage breaches. Right.
Essentially. So how do we, how does that happen? So how do you train the team on the technology protocols? It’s usually, so like I said, the ones that we normally recommend are web-based, that you go online and you do it. They go through actual examples to show you, and this is something we do individually, you know, apart from the formal training with offices to say, Hey, let’s show you what.
a sketchy email looks like and let’s show you how do you test for example. You may get an email from what looks like another office with just a link, but you weren’t expecting that email for that office. They didn’t tell you, hey, by the way, I’m going to send you something. You’re not really sure what’s going on there. Do you click the link? Well, usually you know. You may get something from an insurance company. Hey, we’ve processed your claim. Click here. Do you know how to…
for example, to know if that link is valid. You know, the link may be written out a certain way, but some people don’t know that if you just hover your mouse over that link, it’ll show you what the real link is and it’s really typically pretty easy to be able to see, hey, this is not the link. And you know, our normal advice, which is something you would get with the training with cybersecurity and HIPAA training, is if you’re not sure, don’t click it. You know, if you get something from Delta Dental and you’re not sure, just go to Delta Dental’s website.
and pull up your account and do it there. You know, there’s a lot of ways that training can help you to, I mean, that’s really the focus of a lot of it. It’s being able to recognize malware, phishing attempts, you know, other things that are designed to separate you from your critical data. So, um, there’s a lot of good programs. You mentioned like all the other types of training that are out there. And this is kind of a little pet peeve of mine. Um, there are a lot of great.
companies, a lot of people that I know that do OSHA training. And I think that’s critical that every office get OSHA training. OSHA has literally zero to do with HIPAA, there is no crossover. They have nothing to do with each other. And we have seen a number of OSHA companies who have said, Hey, we’re now doing HIPAA training as well. And honestly, that would be like a patient going to the dentist.
You know, they get a treatment plan and they tell you that a dentist, oh, by the way, while you’re fixing my teeth, can you please repair my toaster? I mean, they, they just have nothing to do with, with each other. And the thing is that with proper cybersecurity, HIPAA training, a lot of it is very IT tech oriented. It’s about emails and firewalls.
and usernames and password policies and backup and patch management and encryption. That’s all part of the training is understanding those things. And, you know, this is not a knock on, you know, all OSHA companies and most of them, you know, are great at OSHA. But unless you have someone doing that training that is an IT professional that really understands HIPAA and cybersecurity, it’s not a proper training. You know, we’ve seen.
For example, there are some online companies out there, because there is HIPAA, there’s a law that says you have to do, you know, HIPAA training. You’ve got to do a risk, let’s use a risk assessment as an example. There’s a law that says you have to do an annual or at least a very regular risk assessment for the practice. And there are some companies out there that said, hey, go online, take our 10, 15 minute questionnaire.
And boom, you’re done because if you actually look at the HIPAA laws about doing a risk assessment, it’s one sentence. It says you have to do it. There’s no guidance there. If you went online and did a 10-minute questionnaire and then got audited, the auditor would probably laugh and then say, no, seriously, now show us your real risk assessment. You know, thanks for the joke. ’Cause it’s not a real risk assessment. When we do a risk assessment, it takes eight hours. So, you know, there’s no way you can get all that in 10 minutes. Same thing with the training. You have to.
use some type of program, whether it’s online, in person, however you choose to do that. It can be lunch and learn, you know, there’s lots of ways to get that under your belt, but it really needs to be done by a company that knows what they’re talking about. You know, we supplement what the online companies do for training for our clients, but we recognize years ago, we’re not experts in this. You know, we are experts in cybersecurity. We’re experts in
You know, in HIPAA, but we’re not expert trainers. We’re not like All-Star Dental Academy who knows training and knows how to teach it properly. That’s not our expertise. So we hire professionals to help us with that. So that’s kind of the approach that we take as well as let’s find someone who really knows what they’re doing. That can get you this training and then we’re going to fill in the gaps and do hands-on as necessary with offices to make sure they really understand what they need to be doing or not doing.
Yeah. And that’s always the problem when you have companies that go outside their kind of niche and it’s, it’s almost like, I love this example. Like if you’re going to hire a performer who plays multiple instruments or masters one, which one are you going to, you’re going to pick? You want the expert when it comes to cybersecurity HIPAA, we know that’s you. You’re the expert on that. And that’s where
you’re doing your due diligence. And I think often, look, we understand you were a dentist before, right, periodontist, in a prior life, and there’s a lot going on. Dentists wanna do dentistry, they just wanna get it done. This is not fun for them. I know you and I enjoy taking apart computers. That’s why we have Tech Talk, it’s fun for us, but not for them. So I just wanna get it done, and then there’s others, I get it, I want it cheap, and I just want it over with. And what you’re saying to me is,
Yeah, you can check that box off. Kind of like when you have your LLC, oh, you know, we’re on a cruise. We did our minutes, write it down. But did you? So in this situation, if you do have breaches or you have problems and they go to audit to see how thorough were you in your security audits in your processes, that’s not going to stick, right? So it’s got to be done thoroughly. And so.
Now, cybersecurity and HIPAA, just for my understanding, I’m always learning here, is they’re interrelated because a lot of HIPAA issues relate to cybersecurity failures, correct? Correct. I mean, the whole premise of HIPAA, and first of all, there’s two parts of HIPAA. There’s the privacy rule, which has been around since ’96. You know, the reason HIPAA basically came about, because, you know, there’s the P in HIPAA, which is portability, is that.
There’s a recognition that people, it’s not like it was 50 years ago where people were born, raised, went to school, worked and died in the same place. People are mobile. You know, you grow up in one city, you go to college in another, you get your job somewhere else and you need to have access to your record. That’s basically part of the privacy. Where it became the security rule, which was in 2009, which was with the, you know, that was with HITECH.
is a recognition that, okay, now records are now electronic. And the whole premise of the security rule is that now that records are in this digital format, it’s easier for them to be compromised. Dental offices need to take steps to protect and secure the information that patients have entrusted in us. That’s the whole premise of the entire security rule. So they are absolutely interchangeable.
Um, which is actually sometimes a good thing from the standpoint that the things that you do to get yourself more secure, which you really should be doing anyway, are also going to satisfy a lot of those HIPAA rules and regulation. You’re killing two birds with one stone. When you encrypt your software, when you do your staff training, when you patch your software system, when you put in your, your, your antivirus software, you know, all those things are also part of the HIPAA rules and regulations. So.
Um, you know, you, what you are basically accomplishing a couple of goals by doing the things that you really should be doing anyways, protect that data. So HIPAA mandates regular security audits annually. It mandates training. You mentioned online options are probably your best way to go for HIPAA. What, what does it cost to be HIPAA trained? Uh, how often do you need to do that? And what are the options to get that done?
Right. So I may have misspoke if I said it’s the best. Online is usually the easiest and cheapest way to do it. So for a lot of the offices we work with that qualifies as best, you know, they can go online and within 40, 45 minutes, which they can stop and start, you know, at any point, you don’t have to do it in one sitting, but in under an hour you’re done, you know, you’ve taken the course, you take a quiz, which is
almost impossible to fail. I think if you put your name down, you pass, but, um, you take that quiz at the end and you get a certificate that says that you’ve passed it. The ones that we have been recommending, um, typically, I think they just raised the fee a little bit. I think it’s $59 per person to do it. And like I said, it takes 40, 45 minutes. Once a year. Yeah. I mean, you can do as often as you want. I mean, we have some offices that want to do it quarterly.
We have some that come to us, like I said earlier, that said, you know what? We just did it a year ago. Everyone feels comfortable with it. Uh, you know, we don’t feel like we should have to do it more than once every couple of years. You could probably make that argument. I mean, honestly, the only time that you’re ever going to have to prove it is if you’re audited. But you know, everyone knows their staff and you know, it’s just the reality is that people forget things, people get lazy. You know, we, when we set up an office and handle all their IT, we don’t
put in all their computers and all the software and then say, Hey, thanks. See ya. That’s not the end of it. It’s ongoing. It’s constant updating and upgrading and monitoring and retraining. And it’s all part of it. You know, same thing with practice management software. You, you install the software, you know, most often, I mean, a lot of offices, unfortunately don’t do additional training, but any like all-star would probably say to them, listen, if you’re getting
updates to your software every few months with new features, you really should do some type of training, whether it’s a lunch and learn for an hour or two, or bring in a trainer or do something online. But the software that you installed five years ago that’s had 10 different updates and features is not the same program that you installed. There’s all kinds of new efficiencies and new ways of doing things that you’re probably not going to be aware of because you just…
didn’t do the training. You don’t have to do it every day, but you should like, every six months, yearly, just do something to, you know, get you guys up to speed on. So same thing with the HIPAA and the cybersecurity stuff. People forget, you know, you’re not dealing with that day to day. So there’s nothing wrong with spending 59 bucks a person once a year to get some necessary training. Well, there’s attrition, there’s an atrophy when it comes to just learning in our mind and.
Our minds are designed to dump as much data it doesn’t need or it’s not using. So we can use processing for other things, just like a computer. You’re not going to waste data on, on one area. If you’re not using it when it comes to HIPAA, if you have good security systems in place and you were trained, you’re not going to be using it that much. You have the training. So that’s a good thing, but also periodically we, we have to check in on it because there will be for, Oh, I forgot that. Yeah. I learned that five years ago.
So you’re saying every year sounds like reasonable, every other year, so be it. Every month wouldn’t make sense. You don’t need that with HIPAA. With what we do with phone skills training and scheduling training, you’re doing that every day. And just because you learned it once, when you stop training on those, when you stop thinking about it, you start to go back to bad habits, right? Because you’re using it. So the more you’re, the more you use something, the more you have to make sure you’re trained and you’re updated with those.
uh, those processes. And what’s great about what you do is automation, it’s systems and the systems and the automation will protect you. And if you have breaches, if you have audits, you can show I’ve done my due diligence. And as an attorney, right, those are all these things you look at. Did you act reasonably? Did you, and these are standards we use in law. What would a reasonable person do? What is due diligence? And
It’s not like they’re laying it out exactly. This is something that if you are a reasonable, right person, you get it. Right. Uh, doing a one page thing every five years is not going to get it done for HIPAA. You’ve got to show you made the effort that you took it seriously. Right. And the challenge with cybersecurity of course, is that these criminals, which is what they are, are coming up with new and inventive ways to try to get into your systems.
or get money from you. I remember a few years ago, we started getting a number of emails or people contacting us. They were getting these emails out of the blue from people that said, hey, I got some bad news for you. I put a tracking software on your system and it monitors your webcam and we saw that you were going to some X-rated sites and we know what you did.
and you need to pay us this amount. I get those five to seven a week on average of those and typically I’ll respond to them with a two word response and it’s not a pleasant response or I just don’t even bother. But there’s constant coming up with new ways to get into the systems. In the past, it was clicking on an email link.
doing anything where they haven’t clicked on any links, but because they haven’t patched their systems up, or maybe their firewall has an opening that you, you know, a lot of people will use remote control software programs because they want to be able to access the office on the weekends that requires them to open up a port on the router or the firewall. That’s not a good thing. That’s a security hole and you need to be aware of what you’re doing and how it’s putting you at risk.
HIPAA, and HIPAA for the most part hasn’t changed. What we have found is that what they are enforcing and where their focus is on enforcement, that oftentimes does shift over the years, but cybersecurity is absolutely a moving target. And the things that you put in place, I mean, years ago, you would maybe have a firewall, you had some antivirus software, or you used Windows Defender that’s built into the Microsoft Windows.
And that was enough. You know, you were covered. Now, you know, we found, for example, that a firewall, antivirus software, anti-ransomware software, it’s not enough because a lot of the newer viruses are what we call zero-day, which means that they’re so new, your firewall, antivirus software doesn’t know that it’s a virus. So we, you know, basically started implementing a completely different type of program called application whitelisting, which says, Hey, you know, we’re going to.
to dictate which programs are allowed to run on this network, anything else like a virus or ransomware, whatever, is gonna be stopped in its tracks. So we’ve had to constantly come up with new ways of dealing with it. With that application whitelisting software, it requires the staff to understand how it works because you’re gonna get pop-ups, you’re not gonna know what to do with it. Again, this is why we recommend the training because the things that we’re doing to protect our clients changes every year, if not more frequently than that.
they need to be trained on how to handle all that stuff. Now, is that training in the HIPAA training or that’s a different training? When we do HIPAA training, it includes cybersecurity. We bundle those together. Okay, so if I’m interested in HIPAA training, cybersecurity training, security audit, I go to you, digital dentist. Yeah, we usually combine those together. Our focus tends to be on the tech.
part of it for obvious reasons. This is what we do. Certainly, you know, the ADA, there’s other resources that people have specific questions about, you know, where do they get their manual from and how do they fill out incident response forms and, you know, but we do that as well. When we do a risk assessment for an office, we always bundle in a customized HIPAA manual for them. And we also bundle in
cybersecurity breach insurance because nothing you do is a hundred percent. So you need to be protected. You know, a lot of people, for example, you know, they know that HIPAA says you have to have a manual. A lot of people go to the ADA and they buy their $400 manual, whatever it is. They never crack it open, which they should, because if they did, they would see that it’s a template. There’s a lot of blank space in there that you’re supposed to go through that and fill it out. We can certainly help an office with something like that, but the formal HIPAA training
usually tends to be more on, you know, what are the HIPAA rules and regulations? What are you supposed to have in place? Um, and then it really focuses a lot on the cybersecurity part of it. The firewalls, the emails, the ransomware, you know, the patching, all that stuff is really part of the formal training, but there’s between us, um, and other resources and the companies that we work with, every office can get their questions answered. That there’s always a way to know what you’re supposed to be doing. Okay.
Make sure all of you go to thedigitaldentist.com. I’ll put the link in the show notes. Go request a security audit. You’ll get it free. Mention All-Star and you get a whole bunch of goodies. Thank you, Lorne, for joining us on another episode of Tech Talk, Dental All-Stars, and remember to follow us on Apple Podcasts, Spotify and YouTube. Get episodes as they are released, share with your friends and until next time, go out there and be.