Hackers Are Targeting Aesthetic Practices. Are You Next?
David Slazyk, Chief Information Officer & Chief Information Security Officer at Nextech, explains the real risks that small medical practices face in today’s cyber world.
From AI-powered attacks to phishing scams, hackers are more sophisticated than ever and no one is off-limits.
But here’s the thing: most small businesses don’t even realize how vulnerable they are. Could your practice be at risk? What are the biggest mistakes businesses make when it comes to cybersecurity? And what simple steps can help protect sensitive patient data?
Hear real-world stories, expert insights, and practical tips to help keep your business secure.
About David Slazyk
As Chief Information Officer and Chief Information Security Officer at Nextech, David oversees Nextech’s IT/IS and cybersecurity strategy while ensuring the function, integrity, confidentiality, and availability of our information systems. He also leads efforts to protect and prepare our company from cyber threats, manage our data privacy initiatives, oversee software vendor management, and ensure compliance with relevant regulations.
Links
Connect with David on LinkedIn
5 Cybersecurity Must-Dos in 2025 and Beyond: Best Practices from a Healthcare CIO
Guest
David Slazyk, Chief Information Officer and Chief Information Security Officer
Nextech
Host
Robin Ntoh, VP of Aesthetics
Nextech
Presented by Nextech, Aesthetically Speaking delves into the world of aesthetic practices, where art meets science, and innovation transforms beauty.
With our team of experts we bring you unparalleled insights gained from years of collaborating with thousands of practices ranging from plastic surgery and dermatology to medical spas. Whether you're a seasoned professional or a budding entrepreneur, this podcast is tailored for you.
Each episode is a deep dive into the trends, challenges, and triumphs that shape the aesthetic landscape. We'll explore the latest advancements in technology, share success stories, and provide invaluable perspectives that empower you to make informed decisions.
Expect candid conversations with industry leaders, trailblazers and visionaries who are redefining the standards of excellence. From innovative treatments to business strategies, we cover it all.
Our mission is to be your go-to resource for staying ahead in this ever-evolving field. So if you're passionate about aesthetics, eager to stay ahead of the curve and determined to elevate your practice, subscribe to the Aesthetically Speaking podcast.
Let's embark on this transformative journey together where beauty meets business.
About Nextech
Industry-leading software for dermatology, medical spas, ophthalmology, orthopedics, and plastic surgery at https://www.nextech.com/
Follow Nextech on Instagram @nextechglow
Announcer (00:06):
You are listening to the Aesthetically Speaking podcast presented by Nextech.
Robin Ntoh (00:11):
You're listening to the Aesthetically Speaking podcast presented by Nextech. I'm Robin Ntoh, and we are coming to you live from the Nextech EDGE meeting here in Orlando. I'm excited today with our guest. Our guest today is David Slazyk and he is our CISO. David, tell us a little bit about what a CISO really is.
David Slazyk (00:29):
First off, thank you for having me. It's a pleasure to be here.
Robin Ntoh (00:31):
Glad to have you here.
David Slazyk (00:32):
Having a great time here in Orlando. A lot of good energy in the room. A couple of great keynotes this morning. So a CISO is a Chief Information Security Officer, and ultimately they're responsible for securing the data that our customers entrust with us. Now, it's not just about a focus on data, it's also systems, employees, really cybersecurity items across the organization.
Robin Ntoh (00:56):
So basically you're trying to protect them from their own evil self.
David Slazyk (00:59):
Yeah, sometimes, yes, that is fair.
Robin Ntoh (01:02):
The dark side, sometimes it comes out right?
David Slazyk (01:03):
For sure, for sure.
Robin Ntoh (01:05):
Of the threats that come at us that we're not even aware of.
David Slazyk (01:07):
There are so many threats, too many to count really, but you can use technology to help sift through the noise just to get to the signal, the ones that we really, really care about, especially more modern threats that are being created by AI.
Robin Ntoh (01:26):
Yeah, it's a little frightening. I mean, I got a text message yesterday and it was clear to me after I read it a couple of times. It was very awkward, gave me that awkward feeling, and I think a lot of it's because of the education you've provided here at the company and I think about, wow, that struck a chord. There's something not right about that message. And then I immediately deleted it. But it was again, a smart message and that smart message made me initially think, okay, this might be legit. But then there was still something odd about it.
David Slazyk (02:01):
With social media the way it is today, even things like LinkedIn, we're putting more and more of our lives online and threat actors, not even savvy threat actors, they can leverage AI to grab that information online, create a profile, and then go to work trying to attack that profile. So if you've posted that you're going to EDGE, can't wait to see everybody, they may craft a message to you talking about EDGE and maybe getting you to commit more information or possibly send some money somewhere, depending on the type of message that they set up.
Robin Ntoh (02:36):
I didn't even think of it that way, but it's funny that you say that. One of the things that I'm known for is not being really interested in putting my life out on social media. I don't care for it that much. I'm not very active on it, but I am on LinkedIn. I see that the importance is there from a business perspective. It's a good way to communicate with other professionals, and I see that, but there's a lot of small out there that rely on digital media, the social media component, to really focus on how they build their business. I just finished with a panel not too long ago, and one of the physicians was talking about how it's vastly grown their business from a free perspective, and so many things cost today, but these little businesses really rely on what that can do for them. They don't spend a lot on the print advertising anymore, and so they think about how do I grow my footprint? Then there's the pressure out there from what we're hearing at the different society levels or these professional meetings where we're talking about it's a must do. You must do social media, and so I think that there's definitely more that's out there. But from your perspective, when you think about that little business, how do they actually continuously think about how they protect themselves?
David Slazyk (03:51):
That's a great question, and you're right. Social media has the ability to really take especially smaller practices to that next level, and it's not going to go away anytime soon. And so from a small business perspective, there's things that you want to do, and I guess first and foremost is cybersecurity, or security in general, should be something that is talked about probably more frequently than it is. It's not a once a year training session; this is something that you want to weave into your practice throughout the year. Just have those conversations. The other thing I'd suggest is when you're talking with your staff, you're having those conversations, document that. In the unlikely event that something really bad does happen and HHS, Health and Human Services, comes in, they're going to run an audit. And if you provide evidence that you have been having conversations around cybersecurity, you're understanding, okay, what are we doing from a HIPAA perspective? Are we conducting security risk assessments? Do we have an incident response plan in place? That goes a long way with an auditor. I think a lot of healthcare professionals think it stops with HIPAA, but I love to say compliance does not equal security. There's more that needs to be done.
Robin Ntoh (05:03):
Right. So much to unpack there. I think about, and from a small business perspective, we work in several specialties and ophthalmology's generally a larger practice set. They have more figureheads, they have more staff to manage things like cybersecurity threats. They have an infrastructure that's focused on what they can do to prevent that. But our plastic surgery practices and some of our med spas, the majority of them are very small. They don't have that infrastructure. And what are some of the types of threats that we could kind of talk about today that they should be looking out for as a small business? You mentioned one already and I think that that's great. Maybe you want to talk more about that, but what are some things that they should really be considering as they think about being a small business?
David Slazyk (05:50):
I think today, as it has been for a number of years, phishing, it's always in the top three threats that practices regardless of size are facing. So training around what to look for. You don't have to go out and spend a lot of money on technical tools. It is truly about awareness, right? And understanding what a phishing email looks like. For a nominal cost, there's a lot of products and vendors out there where you can actually test your employees. For those small, small practices that simply don't have an IT staff, if they've contracted to a third party or are considering a third party, and it could just help with the laptops, help with the workstations. But if I'm bringing in a third party IT shop today, there's three main questions I would want to ask. One, what will you do to help protect us or assure compliance with HIPAA and other regulations? The second, specifically, what are you going to do to help prevent phishing from reaching our employees' inboxes and helping us prevent breaches? And then finally, what are the SLAs that you put around the service? Definitely don't want to be constrained to a nine to five, right? If I've got something bad happening after hours or on a weekend, you want to know that that partner is going to be there for you no matter when you need them.
Robin Ntoh (07:22):
Well, yeah, let's think about it. I mean, if our threat actors, those bad actors know that you're a nine to five business and that you're not necessarily considering what you should do over the weekend, why wouldn't that be prime opportunity for them to go after you?
David Slazyk (07:36):
That's an outstanding point. Statistically, attacks usually occur after hours and on weekends because the threat actors assume that people have gone home for the weekend or holidays and no one's really paying attention, and folks may have let their guard down a little bit.
Robin Ntoh (07:53):
It's fascinating because they're sophisticated, you're right. The one thing that you said that I thought was really important to point out is awareness. Now at Nextech, that's become a very big part of how we in our organization have made sure that we're focused on this. It wasn't something that we thought about I'd say five years ago, but it's become more apparent as we see that cybersecurity is key here. But I think one of my favorite things is I'll get these emails and it'll be a test, and the question is, am I going to pass that test? That has been invaluable as a reminder for me to remember, okay, be careful. Don't just open every email. Be careful and thoughtful because it's not just the impact to me, but it's the potential impact to the business. And when you think about a small business, if something like a threat happened to them, that could just come from one email that could shut down a business or close it for several days, the financial impact to that business, and that's the part that I find businesses just think they're immune. And from a small business perspective, we see the examples over and over again of where they're not immune. And it does happen.
David Slazyk (09:02):
When you're talking about something that's near and dear to my heart, which is creating a culture of security within the organization, I have always believed that you can accomplish that, not through punishment, but through education. People will make mistakes. It's inevitable, but it's how you move on from those mistakes that really, really counts. In the phishing example, 80% of attacks against organizations came in via phishing. So some of these are someone clicked, something bad happened, or in some cases the threat actor's playing a long game where maybe they're engaging with you, it seems legit, nothing bad is happening, but they're getting more and more information about you or others in your organization or the organization itself as they're setting up a much larger attack. So phishing is still a very big, big problem for everybody today, not just healthcare.
Robin Ntoh (09:52):
So we talked about awareness and you gave three primary things to think about when you're interviewing or looking for someone that's going to manage your IT or security within your business. And you bring up some really good points because I also go back to the fact that there's a lot of practices that don't even employ a full-time company to actually engage in that. As I look around, there's actually three vendors here at our user conference by invite that are here to help businesses manage their IT. We don't have a lot of exhibitors because we by choice want people that are here to really think about how they support the businesses, our users, but we brought in three different vendors because we see the importance around it. So again, I encourage our listeners, just because you may be one doctor and have three people in your office and that's it, and you think you're immune to this, based upon what you've said, based upon what we've seen, I think it's important to go back and think about.
(10:47):
I want to make sure I've got that protection 24/7. I want to talk a little bit more about what you said around testing, really ensuring your staff are not just aware, but testing. And one of the things we did at Nextech is we've employed not just annually, I think a few times a year, not just the occasional phishing tests that you'll send to us to see if we are actually aware, but the actual LMS that we go through to, again, keep us up to date, help us understand the terms. Let's talk a little bit about that and where that has a place in a business.
David Slazyk (11:18):
From my perspective, it is absolutely table stakes to have that type of training in all businesses. And I think where maybe smaller practices get tripped up is not thinking the investment in time is going to help propel their business forward. And I would say that although doing phishing testing, cyber testing in general, may not necessarily change the outcomes of a particular patient, failure to do that or understand that in the event of an attack, you could be in a situation, and I've seen it before, where smaller practices end up closing their doors because the data has been encrypted, reputational damage, really, really ugly stuff. And so it's absolutely necessary to spend the time in doing those things. And you can do it at a nominal cost. You don't have to spend a lot of money. I mean, at Nextech, you've got a CISO. Based on our organization, it's something that we absolutely invest in, but smaller practices may not do that today.
Robin Ntoh (12:18):
Well, I mean, we're a technology business and we are constantly working daily with our customers that are mandated to protect their patients' information. And via our agreement, it passes along to us as well. So we have to maintain that education to our employees, which in part protects or helps protect our customers as well, which is key.
David Slazyk (12:40):
I'm very passionate about this. This was years ago. I was working at another company and my wife came in and said, Hey, I just logged into this patient portal. Isn't this you? And I'm like, yep, that is me, that's the company. It really hits home that the stuff that the security team and I get up every day focused on, just the importance of that, it hits home. I mean, this is my family's PHI that I'm entrusted to help protect. And so I take it really seriously.
Robin Ntoh (13:11):
Give us some examples of where you see some of the smaller businesses or maybe bigger businesses where you've seen in the past six to 12 months where cybersecurity has evolved or different examples of where you've seen those threats, basically make a practice, really, the breach or the infiltration has happened.
David Slazyk (13:28):
I mean, without getting into too many details, I'm aware of aesthetics practices where imagery is key to the success of caring for their patients. And those images are highly coveted by threat actors. In addition to the images, they will get personal information. They'll threaten the practice with a ransom if the practice does not pay, in some cases, they'll reach out to the patient, send the patient their images and say, you think you better talk to your physician and tell them to pay the ransom? Otherwise, it's mortifying. It's devastating to a patient to have that happen.
Robin Ntoh (14:09):
I'm speechless. I'm sitting here thinking about the practices over the years that I've worked with and the emphasis in a business around before and after photos. And you're right, it's key to not just the documentation of a visit. It is pictorial. It represents so much of what that encounter, that journey has been for that patient. But then for a threat actor to actually reach out to a patient. And why do you think that? Is it because of the images that becomes highly valuable to them?
David Slazyk (14:38):
Yeah, well, the decision to pay or not pay a ransom is probably another podcast. Okay. But when threat actors don't get their way, first of all, they're criminals, so there's really no scruples, right? They're going to use every lever available to them to try and get what they want. And ultimately, it's a financial gain through the form of a ransom. And if the provider practice is not playing ball, so to speak, they could take it to the next level. And that's one example
Robin Ntoh (15:07):
Is taking it directly to the patient.
David Slazyk (15:09):
Yes.
Robin Ntoh (15:10):
Wow. As a big part of a physician's website is before and after photos. And we've seen the hoops that a practice has to go through to gain permission to put those photos on the website. And yes, those could be easily taken from a website. We've seen that, and physicians will steal from other physicians over the years. That's been a common issue. But those are the patients that don't want their personal life on display. They've not given permission. They don't want their images on social media or on the website of a physician. And that's very common in practices for being a very high percentage of their patients. But to have that breach for a practice, not only what it does to the patients and the morale of the patients, but the business overall, it can be devastating and close the doors.
David Slazyk (15:58):
For sure. I am aware of a situation where the threat actors actually posted a review on Google about the breach and what they had done. And so it's very public that, Hey, we've got these images. The doctor's not paying. If you have any contacts over there, tell 'em to pay. I mean, it's brutal, right?
Robin Ntoh (16:20):
Oh my goodness. So now they've not only infiltrated your system, they've taken your patient data, they've taken their photos, they've contacted the patient, now they're posting reviews.
David Slazyk (16:29):
Posting on social media under fictitious names and no scruples at all.
Robin Ntoh (16:33):
Wow. We already have enough to deal with in the healthcare industry. I mean, I call 'em bad actor patients because you've got the patients that come in and they don't follow protocols. They're complicated. We already have a lot to deal with just in the day-to-day activity with our patients, but then to have to deal with someone that's not even part of your practice, someone that's in the other world that then takes your data and now uses it against you. It's just one other area that these physicians are constantly looking over their shoulder.
David Slazyk (17:02):
Yeah, it's tough. It is really tough. But again, it reemphasizes the importance of making cybersecurity a part of your delivery throughout the year.
Robin Ntoh (17:12):
So how often do you think human error is part of the security breach?
David Slazyk (17:17):
More often than we'd want to admit. Last year, 80% of phishing attacks, successful phishing attacks, were due to human error. Someone clicked on a link, someone opened something they shouldn't, someone responded to an email they shouldn't. So it's still very, very prevalent. The ultimate goal beyond training is to eliminate the need as much as you can for the human firewall to be the last line of defense. But certainly people are going to be the last line of defense. But companies, practices, should do all they can to limit how much their people actually have to make the right decision every time. And there's a saying, we have to be right a hundred percent of the time. Threat actors only have to be right once.
Robin Ntoh (18:05):
So with that, I'm going to go back and say this again. One hyperlink, I click once and I could give full access to my system.
David Slazyk (18:17):
It is possible. Yeah.
Robin Ntoh (18:19):
That's frightening. And that emphasizes, again, the need to have someone there to help support the effort that you need to put in place to actually secure your business.
David Slazyk (18:28):
Correct.
Robin Ntoh (18:29):
And have the right knowledge and insight. I mean, okay, 10 years ago, was CISO a role in a business? Maybe the big, big businesses.
David Slazyk (18:36):
10 plus years ago, you may have had a security officer, you may have had a CIO, chief information officer, who was in charge of security. I love saying security is job zero. Everybody thinks, oh, it's an IT problem. It's not. I mean, it's everybody's problem. And everybody, to your very good point about making sure you're not clicking something that looks suspicious, right? There's only so much IT can do. It really is up to every employee to stay on top of their game.
Robin Ntoh (19:06):
So it goes back to education. We go back to education. So I'm on the other side of this with physicians all the time. We talk about their patients and patients can be bad actors, alright? And patients don't follow the rules. They'll not follow the pre-op information, the post-op information, physicians will get caught unawares, and it's a risk, it's a liability. But we go back to physicians are always very focused on patient education. How do I deliver education? We've talked about it on this podcast many, many times, but now we're talking about our staff and investing in their education. And I go back to where we started at the beginning with these little businesses not thinking that they're going to be impacted. They think they're immune to this because they're so small.
David Slazyk (19:52):
Yeah, it's just not the case. The type of data that some of these smaller specialty practices have, in some cases, it's even more valuable than a large ambulatory practice where you've just got massive amounts of traditional PHI versus something like an aesthetics where you have a lot of images, highly coveted information. There's some sort of actors that, yeah, they're going after the big fish, but there's a lot of them that are just dedicated towards the smaller, getting little here, little there, and trying to make everyone's life miserable.
Robin Ntoh (20:26):
And they do do that, don't they? What practical advice can you give for staff working in practices? If you said these are the three must-dos for every person in a practice?
David Slazyk (20:38):
Get a password manager. So you want to create a complex password, usually 16 plus characters, and it's hard for people to remember those. So use a password manager that can auto generate passwords that are very hard to guess. Use multifactor authentication, right? It's a second piece of the puzzle. So you've got a password, and maybe a code on an authenticator app on your phone. Use that to help protect yourself. Do not share login information. I don't know if it's a sore subject, but it's a complex subject to be sure. And I'd also say companies like Nextech, we have almost an obligation to figure out ways to help our clients. I talk about visualizing it on a sliding scale. On one side it says security. On the other side it says productivity. And you're constantly moving that slider back and forth. So you find that sweet spot, which again is going to change depending on threats and stuff like that. But I think there's opportunity there for vendors like us to make it a little bit easier for practices to do the right thing. At the end of the day, they shouldn't be doing that, but what can we do from a technical perspective to make it easier to not do that?
Robin Ntoh (21:50):
Well, I also go back to just some education. We're investing time in some different educational resources. This afternoon, we're doing a huge panel just on cybersecurity, and we've put such a big emphasis around it because we understand the impact. We've seen it cripple some of our businesses because they've not really invested in having that infrastructure that they really need. And you're right, there's only so much we can do. And I think that you go back to that human firewall, as you said, and it plays a big role in these practices.
David Slazyk (22:20):
And one other thing I would recommend practices do, and this could be a once a year thing, right? Pick a couple hours, maybe half a day, and run through a tabletop exercise where you are pretending that something bad happens. And you can come up with all kinds of scenarios and then just talk through it. And very quickly you'll realize, because there's no wrong answers, you're just gathering data points. You'll realize, oh, here's areas that we could do better. These things need to be shored up. Maybe we should invest in some tooling that eliminates a particular risk. That just will pay so many dividends and cut years and months. I mean, it's just a powerful tool. I do have a, I don't know if it's funny, but here's a personal story. So in another life, I did work with our CEO, Rusty. The security team really got into tabletop exercises, and a couple of months before anybody knew how to spell COVID, we ran a tabletop exercise called Operation Global Pandemic. True story.
Robin Ntoh (23:21):
Really?
David Slazyk (23:22):
Now today, Rusty blames me for COVID.
Robin Ntoh (23:23):
Okay.
David Slazyk (23:24):
What this uncovered was a large number of employees that worked in one particular part of the organization who did not have laptops. They were on workstations. And so we identified that as a risk because in the scenario, people would have had to work from home, right? People were gone, they were remote, they were at home taking care of loved ones who were sick. And so we made a conscious decision to start buying laptops to replace their workstations. About the time we finished providing laptops to these individuals, we were fully remote. And so we didn't skip a beat. Coincidence, of course, right?
Robin Ntoh (24:04):
Yeah.
David Slazyk (24:04):
We got lucky with that. But it shows the power of running a tabletop exercise, identifying weaknesses, and then shoring up those weaknesses.
Robin Ntoh (24:13):
That's impactful. I'm going to switch up a little bit because AI is another big, big buzzword. So we've got AI and we think about where AI impacts a business. If there was one thing you could say about AI, because it could be a whole other podcast, and you think about cybersecurity or breaches in general, what would be important for people to know about where AI is a serious contender of risk here?
David Slazyk (24:40):
A couple of facets there. And you're right, that's definitely another podcast too. We're going to be good.
Robin Ntoh (24:44):
We're going to tease it up, right?
David Slazyk (24:45):
Going to be busy. Yeah. Clinical decision making, people tend to want to connect the dots that, oh, AI is just going to take my job over. It's going to make these decisions. It's not. The AI is only as smart as the model that was used to train the AI. We have to learn how to use AI to help us do our jobs better. Security is no different. So it's about the model. On the flip side, AI, when trained appropriately, does a phenomenal job of preventing some of these advanced attacks. It's almost AI versus AI in some cases. There's a lot of promise there. I think in the future, to the keynote today, AI, you hear it everywhere. Everybody's talking about AI. It's not going to go anywhere. It's only going to get better and better over time.
Robin Ntoh (25:31):
It's smarter. It's definitely coming along.
David Slazyk (25:33):
Definitely.
Robin Ntoh (25:33):
And I think with that, we'll think about that as another podcast episode. I think there's a lot to talk about there. Thanks for being here today, and I appreciate all the efforts and what you bring to the company, and excited how we're going to continue to forge forward in all things cybersecurity, and looking forward to where that takes us next.
David Slazyk (25:51):
No, my pleasure. Thank you for having me.
Announcer (25:56):
Thanks for listening to Aesthetically Speaking, the podcast where beauty meets business, presented by Nextech. Follow and subscribe on Apple, Spotify, YouTube, or wherever you like to listen to podcasts. Links to the resources mentioned on this podcast are available in your show notes. For more information about Nextech, visit nextech.com or to learn more about TouchMD, go to touchmd.com. Aesthetically Speaking is a production of The Axis, theaxis.io.