On this episode of The Modern Practice Podcast, host Gary Tiratsuyan welcomes Brad Deflin, Founder and CEO of Total Digital Security to the show to discuss the steps healthcare practices can take to protect their business and patient data. During the episode, Brad outlines:
- The risks small practices and larger healthcare organizations face and debunks the myth that single location offices are not a target for cyber criminals.
- Why cyber attacks on healthcare have risen in recent years.
- The different types of threats practices need to be mindful of and prepared for.
- The impact a cyber breach can have on a practice or organization. And what healthcare providers can expect in the next 12-24 months as cyber threats evolve and become harder to detect.
Guest:
Brad Deflin is the founder and CEO of Total Digital Security (TDS), a cybersecurity solutions provider for private clients, families, executives, and VIPs.
Brad started TDS in 2013 to provide enterprise-grade digital security with concierge-level service and IT support for individuals and their personal technology. Clients include wealthy individuals and families, family offices, NYSE executive teams, board members, trusted professionals, and VIPs. Before starting TDS, Brad worked in executive leadership roles with Merrill Lynch, Lehman Brothers, Wells Fargo, and J.P. Morgan. Brad’s career working with private clients in the financial services industry honed his expertise in technology, risk management, and digital security. This distinct perspective allowed him to recognize a massive shift in mainstream risk and foresee the coming super-cycle of online crime. The experience fueled his vision for a comprehensive approach to providing individuals and personal technology with autonomous protection for privacy, digital security, and enhancing personal safety.
Brad is an author and frequent speaker on online risk, cybercrime, and the emerging technology that defends and protects from what has become our most critical personal and professional risk today.
Connect with Brad on LinkedIn.
Transcript
Gary Tiratsuyan 00:18
Hi, everybody, and welcome back to the Modern Practice Podcast, presented by Rectangle Health. I hope you’re all doing well. And as always, before we get started, I just want to thank you for your support and feedback. We greatly appreciate it. Today, we’re talking cybersecurity at your practice, and to help us better understand risks, course of action, why this needs to be top of mind in the healthcare industry now, more than ever, is Brad Deflin, founder of Total Digital Security. Brad has been operating his own cybersecurity company for 10-plus years now, and brings a wealth of knowledge. But most importantly, he will help break down what you need to know to protect your practice and patients in terms we can all understand. Brad, thanks so much for taking the time to join us.
Brad Deflin 01:04
Good morning, Gary. Happy to be with you today.
Gary Tiratsuyan 01:07
Awesome. And before we dive in, I always want to give our audience a chance to learn more about you. Can you kind of take me through your career in cybersecurity, leading up to today running your own company?
Brad Deflin 01:21
Sure, I actually started the company about 10 years ago, as you mentioned. That was after a 25-year career with Wall Street firms and a variety of senior executive positions, where I had a purview of technologies systems as the industry was evolving. And then by the time we got into the late 2000s, early 2010s, we started to see cyber risks come in a very big way. By 2013, I decided to start Total Digital Security to start to address some of those concerns.
Gary Tiratsuyan 01:58
I’m really glad we’re connecting here today. Because as you just mentioned, cyberattacks have been on the rise. And as you know, healthcare practice staff, no matter what position they hold, are wearing multiple hats in their day to day. So, time is not on the staff members side as they manage so many daily duties. Cybersecurity is not always top priority. So, my goal for this episode is to really level setting in the law, allow our listeners to understand what they are potentially up against. And I want to start with the people behind the cyberthreats. Who are they? Who are the bad guys?
Brad Deflin 02:37
So, the bad guys are no longer just the 400-pound guy in the basement, right? I’m sure there’s still an element, but really, these are global criminal syndicates. And a lot of the traditional global syndicates that have been around forever, whether they’ve been in drug running, bank robberies, or you name the crime, have retooled over the last 10 years or so to get into cybercrime. Because when you think about it, it’s the perfect crime. You can do it from anywhere. Walls, borders, jurisdictions really don’t matter. It’s a faceless crime that leaves no traditional evidence forensically.
And in a lot of cases, the loot if you will, is in digital currency. And digital currency is the perfect criminal bounty. It’s portable, it’s liquid and it’s anonymous. And you know, a big challenge for traditional criminal syndicates is how do you move the cash around? How do you how do you launder and make that cash legitimate? Digital addresses a lot of those concerns. So now today, these are professional, very smart criminals that maybe are not necessarily really well-versed in technology that they hire or contract others that are really well versed in technology in order to conduct their exploits.
Gary Tiratsuyan 04:05
And so, we know who they are. But let’s talk about who they target now. And the reason I want to shift there is because I was always of the mindset that you need to be this Fortune 500 company to really need to focus on cybersecurity, but we know that’s not true. Can you talk to me about the risk in being a small it’s a single location or two to three-location healthcare practice? Are these smaller businesses truly that low hanging fruit for a cybercriminal?
Brad Deflin 04:40
Yeah, very much so, Gary. And honestly, that was the impetus for me getting into the business. In 2012 or 2013, I coined a phrase, the democratization of cyber risk. And what I meant was that previously the 25-year history of the IT security industry was really all about the enterprise, the Fortune 100 companies, the Pentagon, military, sovereign states. And what I saw in my positions on Wall Street was, now they were targeting really anybody, especially those that may have some assets, money in motion, or critical information. And that democratization of cyber risk was game changing in terms of the battlefield. And we realized that so many, were unprepared, and we’re still in the mindset that it’s somebody else’s problem, somebody else will fix that. I don’t really need to worry about that. And there’s still a large component.
We fast forward to today, we still read headlines about the hacks at the IRS or some name brand, because that kind of sells headlines, but the fact of the matter is, well over 80% of the incidents, and the damages are way downstream, and conducted in volume against many, many different targets, looking for some probability of success. And yes, further downstream, they are considered low-hanging fruit, under protected, not as aware as they should be. And when you can do these things in volume, you don’t necessarily need one big strike, you can get many, many smaller strikes and do just as well or better.
Gary Tiratsuyan 06:23
That makes total sense. And it perfectly explains why healthcare is a prime risk, primary target. Because like I said earlier, these practices are often understaffed, overworked, having staffing issues and retention issues. So, their minds are not really in that space to think and be alert when it comes to cybersecurity. And something you mentioned when we first connected and started talking about bringing this episode to life is, you mentioned this tsunami of activity in cyberattacks in recent years. Why is the bigger wave of threats and attacks happening now?
Brad Deflin 07:08
Well, first of all, so many more people are connected. Maybe 5 out of 7 billion people on the planet are now connected to the internet. Additionally, more and more devices are connected. It’s not just our computer, laptops and phones. But it’s our ring doorbells, our IP security cameras, smart homes, smart offices, all of those internet connected devices are essentially onramps for the bad guy. So, it’s becoming easier. It’s becoming more profitable. And the pool of potential targets is just massive.
And there’s another side of the coin to that, where the pool of potential targets is so massive. Many of these cyber criminals go after the low-hanging fruit. And when you are not the low-hanging fruit, they will move on. It’s kind of like if you’re the only home in the neighborhood that has a fence and a German Shepherd and an armed guard and every other neighbor has an open front door. What the bad guy is going to do is go by your house and go on to the next one that’s a little bit easier. There’s still a big component to that in cyber risks.
Gary Tiratsuyan 08:22
Yeah, sounds like they take the path of least resistance to just keep their attacks going and keep their momentum going. And I want to get into some specific types of attacks. Are there some that are more common and then than others? We’re hearing ransomware attacks are the biggest threats to specifically medical practices right now. Can you talk to me a little bit about that?
Brad Deflin 08:47
Sure, So, ransomware, which is essentially the kidnapping of your information—call it patient information or medical records are things that are crucial to your practice and HIPAA compliance, and also patient loyalty for that matter, is very attractive. So, kidnapping that for a ransom is a pretty big deal. But I think that whether it’s ransomware or any other exploit, I really think what’s important to understand is that the cybercriminal is targeting the human as much or more than targeting your technology, because the human remains the weakest link. So, whether it’s ransomware or something else, more and more of these exploits start by fooling, misguiding a human that might be busy, trying to complete a task, answering to who they think might be their boss, or a vendor or what have you. And that’s where the problem is generated, not because a server was hacked, or an email account was hacked—those things happen and we have to be aware of those—but because the human was hacked and that’s really what we need to focus on as much as anything else today in the industry.
Gary Tiratsuyan 10:05
And we have to take a look at the business side here as a result of these types of attacks. What kind of impact do you see on any business really, whether it be a healthcare practice or any other industry you help out?
Brad Deflin 10:22
It can be devastating in so many different ways—financially, reputationally, emotionally, and just in terms of convenience, or burden of getting through. It can take years to unwind these things and a professional practice in the healthcare industry, it’s incumbent on you that if one patient record is stolen, you got to tell every single patient that that record was stolen. And so, the regulations are very stringent. And again, whether the hack is a medical office, a person or a Fortune 100, it is enormously expensive to recover. And it has other effects that can have a long tail and are long-lasting.
And it’s unfortunate because there’s an asymmetrical battlefield here. Remember, hackers only have to win once. You have to protect 100% of the time. And so that requires not only the best in class of cybersecurity technology, but people in staff that are aware, that get it and have really a new set of life skills to counter this new face of risk that we’re seeing today. And now with AI, Gary, the next couple of years, we’re going to see things we’ve never seen before, exploits we’ve never seen before, damages we’ve never seen before. And if not now, I don’t know when is going to be the best time to get ready because it is at hand, literally at this moment.
Gary Tiratsuyan 11:58
It’s pretty scary stuff there, especially with developments in AI. I want to kind of go back to something you just said a little bit earlier about the human being impacted. And let’s say a dental practice or any medical practice, let’s focus on the humans that are being treated—the patients, if they fell victim to this kind of attack, how are the patients impacted short and long term?
Brad Deflin 12:28
In so many potential ways, data is interesting, because the more you have, the more valuable your set of data is. Unlike, let’s say money, if I have $1, and you give me two more dollars, I have $3. With data, if you give if I have one set of information, but you give me two more sets of information, the value of that information, because we can crosscheck data and look at it from different ways, goes up exponentially.
So, all of our information has been stolen, all of our information on some level is available on the dark web, whether it was stolen from the IRS or Equifax or Home Depot or anybody in between, it’s out there, it’s being traded. When you add really personal elements like medical information, it’s really impossible to tell how that information will fit into the other sets of data. And now with AI that is creating exploits based on the data that you feed it, that even the most innovative, creative criminal in the world would never dream of… an exploit that AI can come up with as a result of connecting all these dots… It’s kind of like when the internet came out, we couldn’t even imagine how it was going to be used. We had a very naive, basic level. I remember very smart people saying, ‘Wow, that internet thing is pretty cool. But I don’t think I’ll ever need it.’ Right? It’s the same thing with AI. ‘Wow, but we can’t even imagine how it is going to be used, much less in a criminal manner.’
So the point is, we’ve got to shore up this information. We’ve got to have our people on their toes. And we’ve got to be prepared to see things that we’ve never seen before, because that’s what AI does. It muddies the waters between fact and fiction. So, without some critical thinking skills, and without resources to raise your hand, ‘Hey, is this real? What do we do about this without knowing the pause?’ That can be dangerous in this day and age?
Gary Tiratsuyan 14:43
Well, thanks for that, Brad. And I just want to reiterate, we’re not here to scare anyone. This is strictly to what raise awareness, bring about good habits and strong mindsets, so practices have some peace of mind. And does that peace of mind require having a full time IT or cybersecurity specialist on staff?
Brad Deflin 15:05
It doesn’t. And I think here’s the most important point I can make today. Cybersecurity technology is amazing. It has come so far in 10 years, and it has the benefit of AI and machine learning, and collaborative threat intelligence—a lot of things that it did not have the benefit of when I started 10 years ago. Cybersecurity technology is taking care of itself. You do have to expose yourself to that, and maybe come up the curve a little bit in terms of what’s out there, what’s suitable for my environment or my practice. But you can handle that. That can be done. What you have to know is that the technology is out there, and it’s up to the task.
The bigger task, I think the harder challenge is to change ourselves and to change those around us. And to your point around fear—there are reasons to be afraid here. However, you can very much look at this matter as being empowering. It is empowering people to think a little bit differently, to be a little more informed and educated, and to develop critical thinking skills that don’t just apply in the office or at the practice, but across their life. Because this risk does not go away for you, even as an employee much less than doctor, when you leave the practice and go home. This risk is in the ether, if you will. It is out there everywhere, because every device is connected, and we have so many networks. So, these critical thinking skills will apply throughout life. And we should positively empower people to understand there is technology that will handle this risk and we can help you incorporate life skills that will make you better, personally and professionally.
Gary Tiratsuyan 17:08
I definitely want to get into some of those life skills. But before we get into that, I want to ask you so today, like right now, what are some steps that a practice can take to fortify the defenses so to speak?
Brad Deflin 17:23
Sure. So, I’m going to go into the most fundamental levels, and this will be repetitive for many. But that’s for good reason. Because these work, and without these certain elements of best practices, all bets are off. And that includes passwords, okay? Passwords are the keys to our kingdom. When you leave your home, you might have to lock the door, double bolt it, turn on the alarm system, maybe make sure the gate is closed, maybe a little bit inconvenient, but you do it. Because you’re protecting your castle. It’s the same thing with our passwords. So a good password has to be more than 14 or 15 characters, anything less can be hacked like that. And it has to be unpredictable. It can’t be your pet’s names, your kids names, the address that you grew up at, the phone number you had when you were a kid—they know those things. And password hacking technology will cycle through all that information in a nanosecond to try to crack it. The best approach though, is to use multiple words put together that might put something in your mind’s eye to help you remember it. For example, I’m going make one up right now: monkeymoonbeach2023, Exclamation point. That’s a great password. It’s unpredictable. Yet in my mind’s eye, I see a monkey sitting on the beach on the moon in 2023, with an exclamation point. Now, I’m still going to write that down and put it my sock drawer as my password. But it’s a great password and it’s very effective.
Number two, use a password manager. Take 45 minutes to learn to use a password manager and I guarantee you, your life will be infinitely more secure, much less convenient. Take my word for that.
Thirdly, finally, you’ve got to use two factor authentication. When you use two factor authentication, which means not only do you need to know the password, but you need to have a device to confirm that with a code, that lops off so much of the risk—Microsoft will say well over 90% of the risk of an account being hacked when you use two-factor authentication. So, a little bit of inconvenience, but the tradeoff is so well worth it. Those fundamental basic practices are a must to begin with.
Gary Tiratsuyan 19:59
It’s funny you mentioned it; I was just recently speaking to my wife about accessing the apps in our phones. A lot of them are now even requiring that two-factor authentication, you can’t even get into your accounts or anything without it. So, that’s really great advice there.
Okay, I want to now shift back again to when we first met, you mentioned that teams that manage cybersecurity well, they take those skills with them, whether they stay in their current roles or move to a completely different industry. And you mentioned that a moment ago, new life skills. Can you just expand on that a little bit?
Brad Deflin 20:41
Sure. So, we teach our kids not to walk down dark alleys or across busy streets, right? The very thin, fundamental life skills. And those are still appropriate, and have been, you know, forever. But what’s new, what I would call this new face of risk, which is digital, and pervades everything we do personally and professionally, as leaders, as parents, as heads of households, as organizational leaders—we’ve got to encourage new life skills that are related to the digital realm. And that goes back to passwords, it goes back to two-factor authentication, it goes back to awareness. It goes back to understanding that with AI, you really can’t trust anything, determining what’s fact and fiction; just at first glance, is going to be really challenging. So, you’ve got to know well, this is someplace that I pause. This is someplace where I raise my hand. Do I have a resource with an IT company? Or do we use, in our family, a personal service would have you to ask, ‘Is this legitimate? Do I respond to this?’ And if in doubt, delete it out. Right? They will find you. But the other thing is, if you feel yourself sort of in a hurry, under pressure, that again, is a little bit of a red flag to say, pause. Let’s reassess, and let’s make sure that our next moves are the right ones that’s going to take some training that’s going to take some sort of soft tissue work and some practice. Nothing terribly complicated, just some change for individuals to embed in their everyday skills.
Gary Tiratsuyan 22:39
That’s really insightful and great advice. And I think habits will form if you just keep at it. As with anything. Last question, before we wrap up here, and you’ve already touched on it. What does this next wave of cyber threats, let’s say in the upcoming two years, look like? And how big of a role does AI plan it? Meaning how is it going to be used?
Brad Deflin 23:07
Yeah. So, it is AI, that’s the big elephant in the room over the next couple of years. It stretches our imagination, in terms of how will it be used. But you can summarize it as what’s fact and what is fiction. Am I really talking to Gary right now? Or is this a deep fake? Is that really his voice? Is that really his image? Is this email really from FedEx? Or the electric utility? Right? Is this length really valid and going to do what the email purports it’s going to do? Is this phone call I answer, really the bank or my lawyer? Sure sounds like my lawyer, that phone number is my lawyer’s. Right? You double check these things, because all of these elements are being masked, and can be fake. And so if your lawyer calls you because you’re moving some money for a real estate closing or something else, and it sounds like your lawyer, and it’s coming from the lawyers phone number, you may want to say, ‘Okay, I got the information for you, let me get back to you.’ And you call the lawyer back, or you authenticate in another way, whatever that communication is. And again, these are part of the life skills and best practices that we’re going to have to get used to.
Gary Tiratsuyan 24:38
As you were saying that, I just thought to myself, recently I heard that an actress or a singer, her voice was redone by somebody else. And they created their own new song using her voice. And it was exactly as you would hear it on the radio. It’s truly incredible what the power of AI is. And we’ve only scratched the surface to get smarter, so we can’t imagine what’s coming next.
Brad Deflin 25:12
Tom Hanks is being used in a commercial, but it’s not really Tom Hanks. It looks and sounds like Tom Hanks but it’s not really him. We have a case, high net worth individual moving money from one of his Fidelity accounts, called his office and said, ‘Listen, I’m moving money from my Fidelity account. When Fidelity contacts you, go ahead and approve it.’ The office staff said, ‘That’s my boss, I know his voice.’ It was a deep fake. They approved it, the money left, and that’s the end of the story. And that’s just and that’s not even at a Fortune 100 company, right? That’s just a private individual.
Gary Tiratsuyan 25:55
There’s lots to think about and even more motive motivation to get in the right mindset, develop the right culture and skills to protect your patients, your staff, your practice yourself. So, Brad, I want to thank you for taking some time to join me today. I think this was very insightful. I’m going to add links to your LinkedIn profiles and site in the episode description for our listeners to connect with you and learn more. Again, super insightful, and I hope we can chat again real soon.
Brad Deflin 26:26
Thanks for having me, Gary. I enjoyed it.
Gary Tiratsuyan 26:29
My pleasure. One final note. If you enjoyed today’s episode, be sure to subscribe, like and leave your feedback on your preferred streaming channel. Your comments, questions and reviews are always appreciated. And be on the lookout for our next new episode coming up soon. Thanks for tuning in. Till next time, everyone.
Editor’s note: This interview has been edited for length and clarity.
