The Importance of Cyber Security for Modern Dental Practices
Episode 102 • 17th October 2024 • Beyond Bitewings • Edwards & Associates, PC

Shownotes

In this episode of Beyond Bitewings, Lynn sits down with Duane Gallup from Vital Technology Group, a specialist in dental cyber security. Duane shares insights into the evolution of their company from a Managed Service Provider (MSP) to a Managed Security Service Provider (MSSP), focusing heavily on security issues within dental practices. The discussion highlights several misconceptions in the dental industry about cyber security and stresses the importance of having robust systems and professional oversight.

Lynn and Duane cover crucial elements of cyber security such as the importance of secure DNS, backup systems, phishing prevention, and compliance with HIPAA and PCI regulations. They also share anecdotes about real-world security risks and the impact of compromised systems on dental practices. Duane emphasizes the need for dental practices to use professional IT services rather than relying on DIY methods while detailing the range of products and services his company offers to help mitigate these risks.

For more information about Duane, visit: https://vtgtx.com/

Key Topics Discussed:

  • Introduction to Vital Technology Group
  • Cyber security threats in dental practices
  • Importance of secure DNS
  • User-initiated security risks
  • Real-life examples of phishing and cyber attacks
  • Ethical hacking
  • Evolution of ransomware
  • Compliance with HIPAA and PCI
  • Importance of professional IT services
  • Tools and services offered by Vital Technology Group
  • Cost-effectiveness of consolidating cyber security tools

Transcripts

Ash [:

Welcome to Beyond Bitewings, the business side of dentistry, brought to you by Edwards and Associates, PC. Join us as we discuss how to build your dental practice, optimize your income, and plan for your future. This podcast is distributed with the understanding that Edwards and Associates PC is not rendering legal, accounting, or professional advice. Listeners should consult with their business advisors before acting on any of the information that is shared. At Edwards and Associates, PC, our business is the business of dentistry. For help or more information, visit our website at eandassociates.com.

Lynn Ledbetter [:

Hello, and welcome to another episode of Beyond Bitewings. I am Lynn Ledbetter taking over for a moment for Ash, who is right now at the dental show, and he's out mingling because that's what he likes to do. And I'm here talking about cyber security, which is something I would much rather do than mingle. So this works out for us. And I have a guest with me. His name is Duane Gallup. And, Duane, tell us a little bit about yourself and your company, and just kinda what you do.

Duane Gallup [:

Hi, Lynn. Okay. So I am with Vital Technology Group. It is a company I started in 2013. We are dental specific.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

And we started out as an MSP, a managed service provider.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

And providing, you know, support services and installation services for computers, and we have grown into an MSSP, a managed security service provider.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

And, what we're what we deal with today in 2024 is more security issues than we do maintenance issues.

Lynn Ledbetter [:

I am not surprised about that at all.

Duane Gallup [:

You know, catfishing is is I've got it. Well, I'm not wearing the shirt today. Tomorrow, I wear the Gone Fishing shirt.

Lynn Ledbetter [:

I love it. I like your shirt today too.

Duane Gallup [:

Well, thank you. Thank you. Yes.

Lynn Ledbetter [:

Today, his t shirt says ethical hacker. It's great.

Duane Gallup [:

And and at the bottom, your your password's too short. So I changed it for you. So, yeah. We're we're all about trying to to to secure everybody from the just the onset of security issues that that our computers have opened the door to.

Lynn Ledbetter [:

Is is this because everything is cloud based now or because there's so many email spams coming in or what do you see as the biggest kind of threat and weakness?

Duane Gallup [:

Well, you know, the it doesn't matter if you're cloud or premise based

Lynn Ledbetter [:

Okay.

Duane Gallup [:

On your software. Security comes in many different factors or forms. The biggest problem today I mean, everybody has antivirus. If they don't, I don't I don't know what they're thinking, but Right. Everybody's got antivirus. Everybody probably has or should have backups. So, they've got some protection. They got 2 layers there.

Duane Gallup [:

We go a bit further and we'll we'll promote, secure DNS. You need secure DNS, and DNS is like a phone book for computers.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

So, when you say I wanna go to google.com, your computer doesn't know where Google is. It it it does a DNS search.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

So it checks the phone book and then it knows where to find it. It's an open book. You you get a free book with every m s or m every ISP.

Lynn Ledbetter [:

K.

Duane Gallup [:

So your internet provider gives you a free phone book.

Lynn Ledbetter [:

Got it.

Duane Gallup [:

But their phone book will take you to bad places.

Lynn Ledbetter [:

K.

Duane Gallup [:

Dirty neighborhoods, bad neighborhoods. Okay. Scary neighborhoods.

Lynn Ledbetter [:

Wrong side of the track kind of place.

Duane Gallup [:

Wrong. It'll take you anywhere. So their DNS service is fine, but it it it can be dangerous. So what we do is we'll take and put people on a secure DNS. That DNS, that secure DNS you pay for it, but it prevents you from going to places you don't wanna go.

Lynn Ledbetter [:

Because correct me if I'm wrong, but most of the security issues are are are instigated by the user accidentally. Right?

Duane Gallup [:

Absolutely. Okay. Absolutely. And and that's kinda where I was going with everyone has backup, everyone has antivirus, but the biggest way into your network is through a a user.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

Is the user can bypass every tool you have put in place, your firewalls, your your DNS. You it can they can get past it. I I had a customer. Funny thing. I was I was picking up my son from the airport for his wedding and literally was driving around the neighborhood or around the airport. Airport I wasn't familiar with in Vegas and I'm getting text from this doctor and he's saying, hey, I got this QuickBooks problem and I'm a, you know, I got this QuickBooks engineer and he's wanting me to put in a code Mhmm. To give him access. And and so I'm I'm having to have my wife text him because I'm driving.

Duane Gallup [:

I don't know where I'm at at this airport. And she and she's reading it to me and I said tell him no. Tell him stop. Right. Wait. Did he initiate the service call?

Lynn Ledbetter [:

That's the biggest question.

Duane Gallup [:

And he didn't initiate it. No. He got a text. It didn't even come from the computer. Yeah. He got a text that made him think he needed to give somebody access to this.

Lynn Ledbetter [:

I've seen it. I've seen it.

Duane Gallup [:

So, you know, and I've been catfished, myself, and and it's embarrassing as as the owner of a security company. But, I was having trouble with QuickBooks. And, and it was a payroll problem and I needed payroll help. And, I go to their website within their product.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

They give me a number to call and I'm thinking I'm talking Intuit, but I'm not. I'm talking to an Intuit partner. Wow.

Lynn Ledbetter [:

Okay. That is scary.

Duane Gallup [:

Yeah. And it was a legitimate partner. Okay. But they ended up selling me payroll services for 3 times where QuickBooks Intuit sold me.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

And and to this day, they call every anniversary and attempt to get my credit card number and they're basically listed as a CPA. Wow. So, the the billing was coming from Florida and and that was my own catfish experience. I had to then transition back to Intuit instead of going through that that CPA. Right. But, it was misleading. The whole thing was misleading. Exactly.

Duane Gallup [:

And and I was lucky. I've had customers call me going, okay. I just fell for this. I'm like, why didn't you call me first? I know. I know. Anyway, I get the call and I had I was logged in to Google And I I used Google password manager. And they saw me log in to Google. So now, they can log in to Google as me.

Duane Gallup [:

They don't even have to be on her computer. They can go through her password manager and and have access to her Amazon

Lynn Ledbetter [:

That's so scary.

Duane Gallup [:

Bank, to everything.

Lynn Ledbetter [:

Yeah.

Duane Gallup [:

And I and she had 40 or so passwords that she changed only to realize, initially we didn't know they they knew her password into Google. She didn't change her password to Google. The next day she had to change it again. So, we offer a variety of different services to help associations, organizations deal with, these risks. Security DNS is one of them. We offer phishing. It says ethical hacker.

Lynn Ledbetter [:

Yes.

Duane Gallup [:

We will phish you and your employees.

Lynn Ledbetter [:

Okay. I love that feature. Yeah. Yeah.

Duane Gallup [:

And and and I've been bit by my own phishing.

Lynn Ledbetter [:

Oh, no.

Duane Gallup [:

Okay. We target it based off your role Okay. In the organization. Okay. Well, my CTO, our technology officer, he knows I my primary role is chief financial officer. Well, I had happened to let an employee go and I'd been on Amazon killing his credentials on, so he couldn't buy under our organization Right. And wouldn't you know I got an email from I thought it was from Amazon, but it I just been there. So I didn't verify.

Duane Gallup [:

I didn't go through the process. I thought I had made a mistake and and I got catfished. I had the secure DNS so I didn't get to go where it was gonna go.

Lynn Ledbetter [:

Okay. So there were So safe guards in place.

Duane Gallup [:

Safe guards in place. Okay. So it came up and said, hey, we're blocking this site.

Lynn Ledbetter [:

Yes. Thankfully.

Duane Gallup [:

And then I get a phone call from my CTO going Yeah. Gotcha.

Lynn Ledbetter [:

Yeah.

Duane Gallup [:

Now you need to go through training.

Lynn Ledbetter [:

But that is great because people don't realize how vulnerable they are or their staff is because They're all wrong. It all looks so legitimate.

Duane Gallup [:

Yeah. They they are today's malware or today's ransomware, let's go there. Today's ransomware isn't the ransomware 5 years ago or 10 years ago. It used to be just very random. Okay. Okay? But today's ransomware is is very pointed. They know who they are going after. And so, they start phishing you to get access or to get you to to to click a link.

Duane Gallup [:

And a link can be it can be malicious. It can it can pull a virus or malware into the system. You know, malware isn't detected by antivirus.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

So, malware doesn't replicate. So, antivirus doesn't pick up on it. It just thinks it's another program. But malware can give people information that you don't want them to have. Right. It can give them access.

Lynn Ledbetter [:

And that seems like a a special risk because dentists, you know, are subject to HIPAA laws and things like that, and they can't allow patient information out there. That's a violation. And so that seems like a real risk for dentists to Absolutely. Allow those kinds of programs. And, I mean, it is for any business as far as financially and but it's an extra layer that the dentist has to be aware of.

Duane Gallup [:

Absolutely. And, you know, we're big in the HIPAA space and the PCI PCI compliancy. Yes. Oh my god.

Lynn Ledbetter [:

Yeah. Yeah.

Duane Gallup [:

That has outgrown HIPAA Yeah.

Lynn Ledbetter [:

It has.

Duane Gallup [:

By tenfold. It's unbelievable. So, we have tools and procedures. We do we help with PCI and HIPAA audits annually, you know Mhmm. Compliance. But, it it is a problem. We've got a product called EDR and I'm I'm gonna I always get the first, but it's basically, a response. It's auditing in response of Okay.

Duane Gallup [:

Of everything that's happening in your computer. And, I struggled to sell it. It's a 3 dollar a month product.

Lynn Ledbetter [:

Okay? Okay.

Duane Gallup [:

And I struggle to sell it because it's big brother adds security operation center to it. We have live people watching these Oh, wow. Okay. Audit that's always going on Okay. On your computer. And so, you get alerted to then immediate threat and they they can lock Wow. Your computer down. So, if you're starting to get a ransomware, if they see encryption taking place

Lynn Ledbetter [:

Right.

Duane Gallup [:

They can stop it and say, hey, are we reversing from this? You know, it it has that extra tool. So that's an easy tool to sell Mhmm. Even though it's pricey per compared to the $3 tool to $20 tool. Okay. And so, I've struggled with how to sell the $3 tool because everyone's gonna say, well, gee, if it's making these reports, why aren't y'all reading them? Well No. We will for $20. Right. Right.

Duane Gallup [:

You know, why gotta have to

Lynn Ledbetter [:

Oh, I mean, that takes a lot of

Duane Gallup [:

You know, it takes a lot

Lynn Ledbetter [:

of manpower. Sure. Yeah. But

Duane Gallup [:

then the other day, about 3 weeks ago, I had a client, his office got physically broke into.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

And they destroyed everything. They got into the server Wow. Closet. And and so now, he came to us going, oh, jeez. Do I need do did I have a PCI violation? Did I have Right. A HIPAA violation? Is there a data breach I need to now alert all my patients to?

Lynn Ledbetter [:

Right.

Duane Gallup [:

And I said, well, you know what? You got the EDR. I'm I'm I'm starting to have a light bulbs go off. This is how I can sell this product.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

You've got the EDR. Let's look at the logs. His x his computers, none of his computers, his server, nothing was accessed over the weekend. Okay. We could verify what does that there was 0 log in attempts even. They didn't even attempt. So we were able to tell him for that $3, you don't have to follow the procedure for a net data breach.

Lynn Ledbetter [:

Right.

Duane Gallup [:

Whereas if you don't take

Lynn Ledbetter [:

the deal That's right. You wouldn't know.

Duane Gallup [:

You have to on the side of caution.

Lynn Ledbetter [:

Exactly. Exactly. Well, and I think that too many dentists don't realize how cumbersome it is to keep to keep the compliance and to do everything that needs to be done and they try to kinda just tackle it themselves when they just don't have the ability or time to dot every I and cross every t themselves. So I it makes me nervous when they're not outsourcing that piece and having someone oversee their compliance level.

Duane Gallup [:

Compliancy is a thing all its own. It is one of the products we sell. But I have I I I I don't I don't try to sell it and be an end all. I wanna work on the IT side. There are companies that do nothing, but compliance Okay. That I partner with.

Lynn Ledbetter [:

Oh, okay.

Duane Gallup [:

When it comes to compliance and Dwayne Tinker. I don't know if you've you're familiar with Tank.

Lynn Ledbetter [:

Not yet. Is

Duane Gallup [:

his his company, he's the he calls himself the HIPAA police. He was actually a HIPAA police officer. And now, he I would do events with him and and work with him. But, you know, it's I have customers call me often saying, you know, we've we've shifted here to compliance. But saying, you know, hey, I need help answering these these twelve questions for my HIPAA compliance or my PCI compliance. And I'm like, okay. Here's the problem. You want me to help you and do this as, you know, part of my basic services.

Duane Gallup [:

But, those 12 questions, it takes me answering 771 questions to be able to answer those 12.

Lynn Ledbetter [:

Right. Yeah. It's hard to know all that in the Yeah. Background too.

Duane Gallup [:

And and so, I have that service. I have that product Yeah. That capability. But some customers are buying it from other sources, you know. So, we're, you know, if if they're buying it from another source, they don't wanna duplicate it with me. But I I'll tell them, you know, for a rate, we will help you walk through all this. Sure.

Duane Gallup [:

And it's really the toughest the first time because the next year, you're only dealing with what has changed in the wall. Right. If your procedures stay the same and or you follow the procedures. And the problem unfortunately in the dental world is everyone's hot coming home from a convention. They're hot for 6 weeks.

Lynn Ledbetter [:

Mhmm.

Duane Gallup [:

And then business takes over. Yeah. Life gets back to you. They don't think about it again for a year.

Lynn Ledbetter [:

So if we talk about hacking, what do you think is the biggest pitfall or or what advice would you give or, where do they go wrong and where can they go right?

Duane Gallup [:

We well, you know, I've the the dental industry is full of a lot of DIY, do it yourself computer guys. Yep. Or they'll have, you know, their kid's friend from high school help. And that's that's probably the biggest error.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

Because you don't know what you don't know.

Lynn Ledbetter [:

That's very true.

Duane Gallup [:

You know, I mean, I can I can screw a wood screw in, but does that mean I can set an implant?

Lynn Ledbetter [:

Right.

Duane Gallup [:

Yeah. So, the best thing you can do is call somebody like Vital Technology Group or or another IT company that that knows your industry and and ask them what do you offer?

Lynn Ledbetter [:

Okay.

Duane Gallup [:

Why do you offer it? That's probably the biggest question. Okay. Why do you offer it? I do IT services for DIY doctors Okay. That don't want our managed services.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

But they want our security services. Okay. So, you know, they don't have to buy everything in my menu. I I I literally present them a menu.

Lynn Ledbetter [:

Right.

Duane Gallup [:

Kinda like going to a restaurant. Right.

Lynn Ledbetter [:

And here's the value of this and here's the value of this.

Duane Gallup [:

Here's this, this. Where do you need help? Right. Because you may have your HIPAA and your compliance secure there.

Lynn Ledbetter [:

That's true.

Duane Gallup [:

You may think you have your security here, but if you let me come in and look at it all, I'll tell you what you really need, not just from me, but this is what you need.

Lynn Ledbetter [:

Right. This is the piece that you're missing. Yeah.

Duane Gallup [:

Yeah. This is this is what you need. It's about taking care of the client. I'm I'm a 3rd generation, or I'm in the middle of a 3rd generation dental family.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

Okay. My dad was an orthodontist. He taught locally here at A&M back when it was Baylor.

Lynn Ledbetter [:

Wow.

Duane Gallup [:

And I my brother and sister-in-law are both dentists.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

And now my niece.

Lynn Ledbetter [:

You're surrounded by them?

Duane Gallup [:

I'm surrounded by them. I've been in this I've been in this space since the nineties. And security is my number one concern today.

Lynn Ledbetter [:

Yeah.

Duane Gallup [:

So what what I do with a customer when it comes to securing you for not just compliance. Okay. So talking about hacking

Lynn Ledbetter [:

Mhmm.

Duane Gallup [:

PCI covers a lot of that.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

H, HIPAA covers a lot of that. If you're PCI and you're HIPAA compliant, you're probably fine on the on the security side.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

Because they have that request. And my cyber security suites that I sell are all based on what they require.

Lynn Ledbetter [:

Oh, okay.

Duane Gallup [:

Okay? And and or what insurance, cyber insurance Yes. Requires. Yeah.

Lynn Ledbetter [:

That's right.

Duane Gallup [:

Which I had a customer ask say to me, he says, that exist.

Lynn Ledbetter [:

Oh, yes. He asked me to just

Duane Gallup [:

ask you

Lynn Ledbetter [:

to have it. If you don't have it, you need to look into it.

Duane Gallup [:

So, yeah. And so, we have actually an agreement with the insurance company. If they have our stat, they will discount, the insurance company will discount their services and they don't make you go through the 100 questionnaire.

Lynn Ledbetter [:

Good. Because Because you

Duane Gallup [:

guys we did

Lynn Ledbetter [:

that and it was a huge, you know, time Oh, absolutely. With our IT guy and our staff. I mean, it was a huge undertaking.

Duane Gallup [:

So you can you can buy our Very familiar. You can buy our security suite And it was as a whole and that insurance company will come in, they'll quote you, they don't even they don't even question you.

Lynn Ledbetter [:

Because they know that you've got the things in place to help

Duane Gallup [:

protect Absolutely.

Lynn Ledbetter [:

Their investment policy.

Duane Gallup [:

That's right. That's right. And that's why we offer what we offer on our on our security side.

Lynn Ledbetter [:

That's great to know.

Duane Gallup [:

Yeah. And and it's just trying to have one give you one place. So, you know, we we know your dental software. We know the Dentrix, the Carestream products, the Patterson products. We know everybody's software out there, Open Dental. So, you know, that that side we whipped ages ago. And the security stuff, we're going to training twice a year.

Duane Gallup [:

And, and every time there's something new.

Lynn Ledbetter [:

Yeah.

Duane Gallup [:

Every time I come home with a new tool in my pocket that now I need to go sell because, doggone it, there's a new there's a new vulnerability.

Lynn Ledbetter [:

Yeah. It's crazy.

Duane Gallup [:

So, you know, where does it end? I don't know. But I what I do know is it doesn't always add to increased cost.

Lynn Ledbetter [:

Mhmm.

Duane Gallup [:

What I'm seeing with, the vendors and and and and our product as well as the risk, you know, as some of the older risk, they're still there, but they're they're contained.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

If you will. Okay. It's like a like a tumor that's been contained. It's still a little risk. We we've got it taken care of, but we don't wanna let go of the tool that keeps that Right. Thing. But that tool becomes less valuable. Okay.

Duane Gallup [:

So, what happens over time is some of these tools that were really hot 5 years ago are not so hot and they're getting combined and they're getting acquired by bigger companies. And so, we're seeing some of the older stuff combine in into smaller cheap less expensive packages. So, yeah. I'm always coming home with something new that's pretty shiny and fancy, and it does something that that protects us from some area of of vulnerability we didn't ever know we had. But, at the same time, we're also consolidating old tools.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

So that the cost aren't always going up. Right. You know.

Lynn Ledbetter [:

Okay. Great. Well, this has been so helpful. Great information. It was really great of you to to take time from your booth and come talk to us at the show. It's been so much fun.

Duane Gallup [:

Thanks for having me.

Lynn Ledbetter [:

And so if people wanna find you, I assume you're on the web, what would they do?

Duane Gallup [:

We are on the web. I have, my website and my phone number are the same.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

So it's it's 855digidds.com.

Lynn Ledbetter [:

Okay.

Duane Gallup [:

So think of digital dentists: 855digidds.com.

Lynn Ledbetter [:

Perfect. That makes it easy for everyone.

Duane Gallup [:

There you go.

Lynn Ledbetter [:

Thanks so much. Thanks so much.

Duane Gallup [:

Thanks so much.

Lynn Ledbetter [:

To have you.

Duane Gallup [:

Appreciate it.

Ash [:

Thanks for listening today. Be sure to shoot us an email at info@eandassociates.com.
