Dr. Lorne Lavine, the Digital Dentist and cybersecurity expert, is interviewed by Alex Nottingham, JD, MBA on Dental All-Stars to discuss the importance of backups in dental offices. Dr. Lavine shares a true story of an office that experienced a flood, resulting in the loss of all their computer systems and patient records. Surprisingly, their backups were stored locally and not online or offsite. The conversation highlights the risks of inadequate backup systems, including ransomware attacks and data loss. Dr. Lavine emphasizes the need for proper backup strategies, following HIPAA regulations, and conducting regular test restores to ensure data restoration is actually possible. The episode concludes with a recommendation for dental offices to work with IT experts or managed service providers to handle backups effectively, combining local and online systems for enhanced protection.
Resources:
About Dr. Lorne Lavine
Dr. Lavine is the Digital Dentist. A former periodontist turned cybersecurity, IT, and HIPAA expert for dental offices, Dr. Lavine lectures and educates globally to keep dentistry safe from all the various cyber threats.
About Alex Nottingham, JD, MBA
Alex is the CEO and Founder of All-Star Dental Academy®. He is a former Tony Robbins top coach and consultant, having worked with companies upwards of $100 million. His passion is to help others create personal wealth and make a positive impact on the people around them. Alex received his Juris Doctor (JD) and Master of Business Administration (MBA) from Florida International University.
Episode Transcript
Transcript performed by A.I. Please excuse the typos.
00:01
This is Dental All-Stars, where we bring you the best in dentistry on marketing, management and training. Here’s your host, Alex Nottingham.
00:13
Welcome to Dental All-Stars. The title of this podcast is Backup, Backup, and Backup Again. Our guest is Dr. Lorne Lavine, and he’s a digital dentist. Dr. Lorne Lavine is a digital dentist, a former periodontist turned cybersecurity, IT, and HIPAA expert for dental offices. Dr. Lavine lectures and educates globally to keep dentistry safe from all the various cyber threats. Please welcome Dr. Lavine. Thanks, Alex. Pleasure to be back here and looking forward to speaking with you today.
00:43
Alright, let me get right down to it. So I’m gonna tell you a story. This was conveyed to me by Heather, so I’m paraphrasing, and she goes into much greater detail, but this is a true story, and I’m sure you’ve heard it thousands of times. But apparently, and I was surprised, because considering the climate out there, and I think everybody is protected with their backup systems, we’re gonna talk about this, or they’re working with you, but this office got flooded, okay? The entire first floor,
01:13
where they were at was flooded. All their computer systems damaged, all their charts gone. And their entire patient records gone. And I said to Heather, well, it’s not a problem because it would be backed up. Apparently not. It was all backed up locally. Well, I said, wouldn’t it be online? Nope. That’s crazy nowadays. And maybe I’ve just been talking to you for so long. I assumed everybody’s doing this.
01:43
but that’s unreal. They got flooded. They lost. I mean, I get a paper system, but they have a practice management system, PMS. I guess they have local backup, but no online backup, offsite backup. So what happened there? Does this still happen? What’s going on? This is crazy. We just had a potential new client call us last Monday.
02:07
They could open up Dentrix on their workstations, but they couldn’t for some reason. It wasn’t opening up. They could get into the program, but it wasn’t opening up the data file at all. They called us up. We actually do work with their next door neighbor. We logged on and they were hit with ransomware. There was a pop-up right on the screen on the server, not on the workstations (normally it’s on the workstations), that told them they were hit by ransomware.
02:37
and we go to look at their backup and they hadn’t checked their backup in about three years. They definitely didn’t have something that was offsite. It was just local. So they’re dead in the water. I mean, I told them, you know, we hardly ever recommend paying the ransom because you should have systems in place to prevent that. But in that particular case, I told them, listen, pay the ransom. It’s your best bet. The statistics, unfortunately, are pretty scary because what we have found is that
03:06
Typically, national average, when you pay the ransom, you typically get between 67 to 69% of your data restored. It’s rare that you get all 100%. So in this particular case where it’s a practice management software, a lot of times that’s a single file, it’s a .dat file, for example. If that is one of the files that even after paying the ransom they couldn’t restore, you’re SOL. There’s literally nothing you can do at that point.
03:35
So yes, unfortunately, a lot of people in this age of ransomware and natural disasters and all the other things that can go wrong really don’t have a proper backup system in place. And, you know, we certainly obviously recommend that people take another look at it if they haven’t looked at it in a while, because how you do your backup, there’s all kinds of rules and regulations from a HIPAA standpoint.
04:03
It’s from a common sense standpoint as well, as far as what you should be doing to protect yourself. Yeah, it’s unbelievable. I remember I got hit with ransomware about six, seven years ago and I had all my backups locally and fortunately I had them online as well. Multiple redundancies. I think I spoke to you about this issue and all the local backup drives were killed too. I mean, it not only hit the system but it found where your backup drives were.
04:33
And locally, it infected the local backup drives right in the office. But thank goodness I backed that up, because I heard you talk about all of this and it’s just crazy. So yeah, I was surprised about the natural disaster situation. I’m into IT like you, my undergraduate was management information systems and we both like putting together computers and taking them apart and all that. So I share.
05:03
I got hit and I think I know what I was doing. Well, I used the remote desktop protocol without any protection. And it came through that line. That was kind of dumb anyway. So let’s back it up for the average mortal and where they’re at. I know, right? No pun intended. What data is important in a dental office that we need to protect and back up? Let’s go step by step.
05:32
Yeah, so I mean, basic rule of thumb is anything that you can’t afford to lose needs to be backed up and protected. For most dentists, it’s patient information. And one of the key things to keep in mind is that Office of Civil Rights, Health and Human Services has identified, again, no pun intended, 18 different identifiers of what qualifies as protected patient health information, electronic protected health information.
06:02
Everything from patient name, chart ID, date of birth, phone number, address, photo of their face, anything that would allow a third party to potentially identify who that is, is considered ePHI. And by HIPAA law, it has to be backed up. But of course, as I said, this is from a common sense standpoint, if you can’t afford to lose it, then you need to back it up.
06:29
So for most offices, it’s all their patient data. It might be photos. It could be literally anything that you just can’t afford to lose, that if you lost it, you would be in trouble. So for most offices, that means everything. Everything in the practice management system. I remember, gosh, eight to 10 years ago, you were giving lectures. I don’t know if you give this lecture anymore, but the paperless office. But it’s pretty much, you still do, because I would think…
06:59
Most practices have moved away mostly from that. They still have some paper, but you’re seeing, yes, I have to back it up, because we have, on one level, natural disasters and so on that could destroy the paper stuff. What we know is to back up the digital stuff. So you said we’re taking x-rays, we’re taking information and storing it on the local drives. So tell me how backup works.
07:27
We have our practice management system. We have other software systems. They’re also stored on a computer, okay? And these computers are linked together through a network. So we have that locally. What’s next? So, as I said, the key thing is to backup all the patient data. The challenge for a lot of practices is that ideally, you wanna have all that data in one place, which is the server.
07:55
Most offices, that’s the only device that they’re backing up. The reality is that a lot of practices don’t have all their data in one place. The office manager might have some scanned EOBs on her desktop. The dentist might have some patient photos on his desktop. So the first order of business is to identify where the data is. What we normally would recommend for an office is, rather than storing it on all multiple
08:23
What we can do is create folders on the server and then make a shortcut from those folders to individual workstations. The office manager would have one on her computer, “this is office manager,” and the dentist may have one on his desktop, “this is dentist.” Save any information that you want to save into that folder. Because even though it looks like it’s been saved to your desktop, it’s actually been saved to the server.
08:53
There are HIPAA laws that say, number one, you have to encrypt data, which is a lot easier to do on a server than it is on a workstation, and, number two, you need to back up any data. Again, if it’s all in one place, then that’s half the battle there, is making sure that you’re actually backing up the information that you have. The real issue then becomes, well, how am I going to back it up, and am I going to do it so that it is easy to restore?
09:22
And am I following all best practices for security? As I kind of alluded to, there are a number of HIPAA rules when it comes to backup. It has to be encrypted, for obvious reasons. One of the things that is difficult but not impossible for ransomware: ransomware can easily hit non-encrypted data. It’s much more of a challenge for it to hit encrypted data. So yes, we have seen instances where someone was hit with ransomware and the backup got hit as well.
09:52
It’s not as common if they have an encrypted backup. So we want to make sure we’re following best practices for that. HIPAA also says it has to be retrievable, which means offsite. And you have to be able to audit and log the backup. It also says that you have to verify it, which means you have to do test restores from time to time. And that’s the deal for, I think, a lot of practices is that they’re backing up.
10:21
but they haven’t really done anything beyond that. They have some software that maybe, when the backup’s complete, sends them an email, or it has a message on the screen that says, hey, the backup was successful, but they don’t test it. They don’t verify it, which, besides being a law, how do you know? How do you really know that the backup is working properly? I thought about, is there a way for me to say this without sounding…
10:48
self-serving, and I don’t think there is. An analogy for that: if you have a health issue, you go and see a physician, and if you have a legal problem, you hire an attorney. I don’t understand why so many dentists, especially ones who really aren’t IT savvy, you don’t have a good understanding why they want to handle backing up what is far and away the most
11:16
critical asset they have in their entire business life, which is their data. Why not trust that to somebody who does this for a living and knows what they’re doing? That being the case, I’m happy to give suggestions on how people should back it up. As I said, most people are going to be better off working with an IT company or a managed service provider, someone that can do the backups, that can monitor the backups on a daily basis, that can restore the data if there’s a problem.
11:46
That’s the issue for a lot of practices. It’s not, are you backing up the data? Because almost every system that people use probably works, whether you’re using an external hard drive or some cloud type of system or local computer. I mean, it’s probably working. The question that I think a lot of practices need to ask themselves is, if my server goes down for whatever reason, how long is it going to take me to get back up and running? Because as you mentioned, Alex, I mean, as offices are becoming more and more digital,
12:16
more and more functions are on the computer, that means that when your server’s down and your network’s down, you’re dead in the water. You can’t take x-rays, you can’t pull a patient from, you can’t schedule, you have no idea who’s coming in. You just, you can’t function. And the unfortunate reality for a lot of practices is that when it comes to restoring their backups, it’s been measured in days.
12:41
Ideally, you want something where it’s being measured in minutes. That’s in a perfect world. For most of our offices, because of the amount of data they have, it’s usually closer to an hour or two. But still, you don’t want it to be multiple days of downtime. The reason a lot of people will come to us and say, hey, I don’t want to pay for a backup is cost. It’s not, in my mind, all that horrible in expense. Our typical practice may be…
13:09
A hundred to 125 a month is typical for how much data they have, for daily monitoring and free restores and free fixes of the backup. That’s all included in the monthly fee. You compare that to a day of downtime for a lot of practices, is what? Three thousand, four thousand, five thousand or more. Two or three days of that, it would take you 10 plus years of paying for backup to make up for just that
13:38
few days of downtime. So for those reasons, we normally recommend that people, you know, have someone that knows what they’re doing to help you with it at the very least. But most of our clients obviously have us do it and we take over for it. It was impressive when you said, well, you have to check that the restores work and the backups are working periodically. It’s almost like a fire drill, to be prepared, because as you were speaking, I pulled up my backup and guess what? It hasn’t backed up in a few weeks.
14:09
something got disconnected and it didn’t work. And I’m thinking, oh my goodness, like, it’s just nice to have that reminder. And then you’re right. Is your restore system working? And I think this is not a tactical response. There are tactical aspects, but you have to have a big strategic view. For example, one might say, well, I’m going to do everything online and just do cloud based, because then if anything goes down, I have the…
14:38
the backup, but here’s a problem. What if your internet goes down? Then you can’t operate. So you have to make sure that that can go. And too, you’d better have high speed internet to transfer all those files so quickly. So I know what you recommend typically, I believe, correct me if I’m wrong, but it’s a hybrid approach. You have to have local systems, so you have the speed, and then you have the online systems to back up other data. Is that kind of… Yeah. Well, so.
15:07
Yes, so we take a two-pronged approach to it. 99.99% of the restores that we do are from a local backup. Way faster, we’ve got the whole server there. What we recommend is what’s called an image-based backup. The better way to describe it is a snapshot. We take a snapshot of the entire server, not just the data: the program files, the network settings.
15:35
we create a virtual copy of that and put it onto another device. In theory, it can go onto an external hard drive. The challenge with that is that you need to move that over to another computer then when you go to restore it. So what we normally recommend is put it onto, say, a dedicated computer just for that. So you can do like a full-blown server, like basically have a second server in the office. That’s usually not that cost-effective for most people because servers are $3,000, $4,000.
16:02
So what we would recommend is get like a normal Dell computer, put a large hard drive in there, three terabytes, four terabytes, you can have multiple copies of the data. And we put that virtual copy of the server on there. Office calls us up, the server’s gone down for whatever reason, we fire up that virtual copy. As I said, that’s just a matter of minutes. Once that virtual copy is up and running,
16:29
As far as every other computer on the network is concerned, the server’s up and running again. You can pull up your practice management software, you can pull up your digital X-rays. It’s as if the server never went down. Of course, if it happens in the middle of the day, it’s only as good as your most recent backup. We normally do the backups at night. So in theory, if your server goes down at the end of the day, you have the possibility of losing that day’s worth of data. There’s ways around that as well.
16:59
But as you mentioned, that’s not gonna help you if there’s a flood or a fire or theft. That’s part of the reason why HIPAA, part of their regulations is that backup is retrievable, meaning offsite. In the past, and still we have some people to this day that still do external hard drives that they take home with them. And there’s not a reason not to do it.
17:25
You know, one of the things, one of the beauties of having a device that’s not connected to your network, we call it air gapped. You know, ransomware can come in and hit the whole network, hit the backup. It can’t hit an external hard drive that wasn’t plugged into the computer at the time. So if you have something that’s at home or offsite or whatever, you know, that will potentially help you. Most of the better backup programs out there won’t back up corrupted data.
17:52
So that’s the fear that a lot of people have is they say, hey, what if I get hit with ransomware on my local backup? And then when I do the cloud backup, the cloud also gets hit with that virus. We haven’t seen that. It doesn’t mean it can’t happen. It just means that it hasn’t happened yet because of the fact that the backup software’s smart enough to say, hey, this file is not the same as the file that it’s supposed to be, that I have. And it actually compares. Anytime we do a backup, it’s called an incremental backup.
18:21
where it compares what’s on your server versus what’s up in the cloud, and if they’re the same then great, it’s gonna back it up, but if it knows something’s wrong with that file, it’s not gonna actually back it up. So that’s kind of the saving grace, but you definitely need to have something offsite, so that’s why I’m a huge fan of cloud. From the dentist office standpoint, it just means it eliminates you from the equation, you know, no more things to worry about.
18:49
It’s kind of nice, especially if you have an IT company handling it for you, that you go home and you’re done. We certainly, you know, we would set up a system that anytime there’s a failure, you would get an email, we get an email. We have a tech, I have a full-time technician, all he does is backup. We have about 150 offices that we’re handling, you know, backup specifically for that office. And the first thing he does when he comes in at six o’clock in the morning is to check the logs.
19:16
see, you know, have any backups failed. And usually for those 150, we’ll see eight to 10 failures. And usually it’s because their internet was down or, you know, the backup got full or the server went offline for whatever reason. We fix the issues and, you know, it usually runs perfectly the next day. So, but yeah, you have to have that double layer of protection because you want the speed restore from that local backup.
19:44
But for a true disaster, you want to make sure that you’ve got the data offsite so that you can restore from there. The other problem with doing it online only is not just if your internet goes down, but internet is sometimes just not as fast as we want it to be. In the past, when people only had practice management data, that might have been a few hundred megabytes of data, it took us five, 10 minutes. I mean, it wasn’t a big deal. Now our typical office has 100, 200.
20:12
300 gigabytes of data between X-rays and cone beam and all this stuff, you’re talking, even with fast speeds, many, many hours if not days just to download that data. So for that reason, as I said, the local is always going to be our first line of data. I love it. I love it, Dr. Lavine. I see, again, there’s so many layers to this.
20:41
It’s not a simple, just get this backup system. I mean, you really got to step back for a moment and see that look, natural disaster, malware. There are so many areas that are looking to, what is that, Murphy’s law, all right? Something’s gonna happen here. And so we have to protect against this. And I like your, what was that quote? Did you give it to me again about, what is it, an ounce of what? An ounce of prevention is worth a pound of cure. And in this particular case, it might be worth like two tons of cure because…
21:11
Um, yeah, dealing with malware, dealing with having to restore a backup is, it’s always hit or miss. I mean, we set up systems for our clients that are as foolproof as they can be, as secure as they can be. But with the newer ransomwares that are coming out that are zero day and, you know, we don’t have a way of dealing with them. Um, you just don’t know.
21:39
even with all the best precautions in the world, you know, nothing is 100% secure and 100% foolproof. So we wanna have multiple layers there, but we wanna ideally make sure that you never have to deal with that in the first place. You know, we talked about how to restore from, you know, ransomware. Well, the better approach is to never get ransomware in the first place. You know, having a good firewall in place and having all your software patched and having…
22:05
application whitelisting, antivirus software, and all the things that you should be doing, you wanna protect yourself so that you never have to restore from a backup. Yeah, because like I said, backup restores for the most part, they work the way they’re supposed to, but we’ve had the occasional ones. I’ve been doing this for 20 plus years, and we’ve had a couple of here and there where it wasn’t the restore that we hoped for. We were able to extract the data in other ways, but sometimes stuff happens and that you just, you have no way to easily recover from.
22:34
So you need to make sure you’re covered. So tell me, how can the listeners learn more about what you do and how to protect themselves better? The easiest way for them to do that is to go to my website, which is thedigitaldentist.com, T-H-E, digitaldentist.com. There’s a lot of information on there. I’ve got a blog. I’ve got articles on there. But the other thing they can do,
23:03
is there’s a contact us form right on every page, and especially on the main page. You can fill out that form with your name, email address, phone number. My office manager will get an email with your information. She’ll call you up. And there’s a couple ways we can handle it. Number one, I’m happy just to have a conversation with people, she’ll set up time for us to talk. One of the things that we’ve always been recommending for offices is that it’s hard for us to be able to…
23:32
come up with a plan for your individual practice unless we diagnose what’s going on first. So we call it a security audit or a technical audit. There’s different terms for it, but basically we would log in with your permission and gather information. Let’s see what’s going on with your server. There are a lot of things that we’d look at. Yes, we obviously want to look at your backup, but let’s look at the prevention part as well. I want to take a look at your firewall. I want to look at your internet speed. I want to see what you’re doing for antivirus software.
24:00
Are you HIPAA compliant? Is your software current and up to date? Do you have encryption in place? All these things, that would all be part of the evaluation. And then I can sit down with you and go over the results and just say, hey, here’s what I found and here’s what I recommend and here’s your options and hopefully come up with a solution that’s going to work for you. So there’s plenty of ways to do that. So they can do that. If you’d rather just call us up, we have a toll free number, which is 866.
24:30
I think it’s either option three or extension 200 or whatever. One of those will get you through to my office manager, Candice, and she’d be more than happy to schedule a call. For the audit, we typically charge for that, but obviously you and I have been friends for a very long time, Alex. You’ve been a big supporter of us and vice versa. We will waive that fee for any All-Star Dental Academy or All-Star Podcast listeners. So…
24:58
anyone that just mentions that they heard me on the podcast, we’ll do that at no charge. So we’re happy to do that. Yeah, my followers like free. Well, definitely take a look at the Digital Dentist, and remember to follow us on Apple Podcasts, Spotify and YouTube, get the episodes as they are released, and share with your friends all this great content that we’re doing together. And until next time, go out there and be an All-Star.
25:31
We hope you enjoyed this episode of Dental All-Stars. Visit us online at AllStarDentalAcademy.com.