What dental professionals need to know about cyber attacks | Episode 32

With 30 years in the industry, Anne Genge discusses the importance of cybersecurity in dental practices and the types of cyber threats that dental professionals need to be aware of. With 95% of breaches involving human error, she stresses that comprehensive training and policies are essential.

Read the audio transcript below:

Dr. Jordan Soll (JS): Hi everyone. Welcome to Brush Up on Business presented by Oral Health Group, a special Brush Up podcast series focused on the business of dentistry. I’m Dr. Jordan Soll, Chairman of Oral Health’s editorial board, and today I am joined by Anne Genge.

Anne is a certified information privacy and security professional and a certified health care security risk assessment specialist, a leading expert and trainer in this field with over two decades of experience. Founder of Myla Training, Canada’s first dental online privacy and cybersecurity training platform, Anne collaborates closely with practice owners, managers, dental teams and IT providers to ensure the safety of patients’ and practices’ data while enabling compliance with privacy regulations. Welcome, Anne.

Anne Genge (AG): Thanks so much for having me here.

JS: So, I want to say before we jump in, you’re kind of preaching to the choir here. I have a relationship with Anne in the fact that, personally, I find that cybersecurity for dental practices is incredibly important, and I sought out Anne’s expertise. But for some people that may need a little more information, let’s, you know, let’s jump right into it. So please start by telling us how you got involved in cybersecurity, specifically within the dental industry.

AG: Well, I’m in my thirtieth year in the dental industry. I started, you know, obviously quite a long time ago, but about fifteen years ago, I joined my brother’s, or actually seventeen years ago, I joined my brother’s tech company. And we were really excited about how digital x-ray, you know, these emerging technologies, digital health records, everything was being embraced so heavily by the industry. And we also understood at the same time there was going to have to be a lot that was going to happen to protect all of this data and the systems.

And so we went on this path of specializing and making sure that we were finding solutions that were affordable, easy to adopt, easy to understand in order to protect you and other dentists like you who are investing so heavily in technology to grow and expand and refine your practice. But otherwise, we’d be kind of just left out there and using luck to get by, when cybercriminals were going to come your way.

JS: Tell me, what are the most significant cyber threats facing the dental practice today? And why should we be so concerned? You know, so many guys are going to think, “Not gonna happen to me.”

AG: Yeah. Actually, that’s probably the biggest threat is the thought that somehow we’re too small to be attacked. If we look at it, even the hospitals, governments, big businesses can’t seem to keep our information safe. So how much harder is it as a small business, for example, of which a dental practice is? Today, there have already been so many breaches. Most people’s emails are already on a big list that could be used by cybercriminals to do phishing attacks, and through those phishing attacks come what you’ve probably seen most of in the news. And that is something called ransomware, which we’ll talk a little bit more about.

It’s threats coming in through emails or bad websites, and really at the core of it is humans, human error. Humans not understanding the types of trouble they can get into using technology, and I guess it’s really everyone’s problem now, not just a business or a dental practice. We’re all using technology, so we all really need to understand these types of threats that are coming at us. You know, human error is probably the biggest thing. Not understanding what can happen, how everything that we’ve worked so hard to build could be wiped out at the click of a mouse.

The things that you’re seeing happening to these big businesses, they are happening to your peers. You may not be hearing about it as much because not every case makes the news, but it is a growing problem. Dentists are, like we talked about earlier, you have all sorts of different types of compliance, changing rules coming at you. This is just another thing that you have to be thinking about, allocating time to understand, finding budget for. So, it sometimes doesn’t hit the priority list as high.

JS: You said something I want to expand on just a little bit. You said something that we’re all human. Can you give us an example where unbeknownst somebody in the office, one of the support staff maybe on lunchtime have been, you know, going online just to check something. And like as we say in the old Scooby Doo, “rut row.” Okay? And that’s where, oh my god. So, if you could just maybe expand on that, how sometimes unbeknownst to a staff member can take you down a bat, not intentionally, just clicking the wrong time.

AG: Yeah. That is the most prominent way. I’ve been studying ransomware specifically since twenty fourteen. I can’t tell you, but it’s well above ninety five percent of the cases where there’s successful breaches. It is that scenario where someone’s clicked on something that they didn’t realize they’re being tricked. Social engineering you hear about. Often, it’s through email. It can happen through some types of bogus websites as well, but most often it’s something coming in through email and they’re getting really good at it. So, one that’s come up a number of times is a fake invoice or update your password in our payment portal or, you know, please redirect my pay to this new bank account. There’s scenarios that people would be engaging in email or online every day, and because these cybercriminals are better at their information gathering, they’re able to more highly contextualize it.

So, yes, it’s through these channels, it’s people either, you know, sometimes people don’t care, or an office doesn’t have a good policy. What’s a policy? A policy is a rule. In this case, it would be “don’t use practice computers for personal use.” That would be a policy that you should have. In absence of a policy, people don’t know the rules, so they may do it anyway. There’s one simple and cheap way that could have been safeguarded by just saying, “don’t do that.” That being said, people may still do it, which means that people understanding and getting just even the most basic training on these types of scenarios is extremely important and can have an exponential and dramatic impact on the security of your practice just by training and making the individuals aware of what those threats are.

JS: To put some context into this, and I’m very curious because you’re the preeminent information person in this area. What are you seeing in 2024 of dentists that are forced to pay ransomware? Throw out some numbers. To put some real context like, maybe I better pay attention to this. What’s the downside? How much dollars are dentists having to write checks for?

AG: The worst one that I heard of, I wasn’t involved in it, a colleague of mine was involved in it, was $187,000. But that included the remediation costs, the lost revenue, and so on. Most of the ransoms that are being asked for are, you know, south of $50,000, but that’s not the real challenge for you. The challenge for you now is patient trust, right? Which you’ve built in your scenario, like years and years of this, and that’s a conversation I’m pretty sure you don’t want to have with your patients when they have a million other choices in the city. They can go somewhere else the minute they don’t feel safe with you. And even though you may have built safety with them on a clinical level, if they don’t feel now that their information is, then that’s just a headache that you don’t need. It’s another reason to have them go somewhere else.

JS: Hundred percent. Alright, so let me ask you, what are some of the biggest gaps and vulnerabilities that you’re seeing, and you and your brother are seeing, in dental practice when it comes to cybersecurity? I will tell you when I made that personal decision to work with your brother and let him take over my cyber security. Holy cow. He went through everything. He went through my home computer and said, I don’t like A, B, C. Off it goes. I was really impressed. Like, he did a very thorough…when we decided to join him, he said, “Okay, this is where you’ve got some real problems.” Never even considered. So, what are you seeing?

AG: Well, what you experienced was a security risk assessment, which is very different than what normal people would see. They might get an IT assessment, which is mostly like a brake inspection, you know, those types of assessments are there and they’re free because we’re going to find out how many computers can we sell you. Very different than a full security risk assessment, really is pretty much like a new patient exam, full mouth series, and then from that evidence is derived your treatment plan, right?

So that’s what we did with you, and you’re right, he is relentless. Everyone should be that finicky. Everyone should be that relentless about it. The challenge is there are not that many certified experts in Canada, definitely not in the dental industry. So, you’re experiencing an individual who does things the right way, but most people aren’t getting access to those that level. Right?

JS: Or choose not to seek out the access.

AG: I think, you know, I find that if you have conversations with people in a correct way, they see the value. You know, I think it’s easy. I’ve always heard again, I’ve been in this industry for thirty years. I’ve always heard people say, oh, you know, dentists are cheap or whatever. I don’t believe that. I think that’s laziness on the part of or inexperience on the part of the person sort of selling. You’re right. Cybersecurity is either you believe it’s a threat or you don’t. I can’t sell it to you. I can’t sell you the solution if you don’t believe it’s a threat for sure. Right? There’s that element. But most people, right now, I would say over the last five years, have really been, you know, it’s been ratcheted up. It’s in people’s minds. But if you don’t explain it and have a conversation in a way that’s highly contextualized and really makes sense, you don’t get the buy in. And that’s where, you know, this really niche experience becomes so valuable.

JS: I’m wondering today if unfortunately for many dentists they may view cybersecurity as if you have that leak in your basement, who really wants to fix it? Because you fix it, it’s not like that big brand-new big screen TV or going on that trip. You got to do it, but things don’t really look different today than yesterday. Except you have that kind of peace of mind that you won’t have the water leak anymore, but it’s never fun to allocate funds towards it. So, it’s sort of like cybersecurity, you know? Yes, I see it because I’m going through multi step authentication to get in, and so it’s kind of like this visible aura around me. I derive a sense of security from it. I’m just not sure if the masses are yet.

AG: Yeah. Well, no. I mean, they aren’t. I know because I’m involved with really the only two companies that are addressing this in Canada. So if you’re not my client on one side or the other, then, you know, I don’t know what you’re doing. I am involved in doing risk assessments with many other practices. Ninety three percent fail on the basics, like things as simple as what you’re talking about, password management. I think that was the first question actually, you know, what are these biggest gaps?

But before I go there, I do want to step back for a second because you’re talking about ROI in a sense, right? You’re paying for this, you’ll never really know. If you don’t have a cyber attack, if you finish practicing and you haven’t had a cyber attack, you will never know whether it was because I did a good job, like whether we did a good job or you were just lucky, right? You don’t know.

But let me give you a scenario that I think most dentists do understand. Why do you put a crown on a root canal tooth? Right? So the ROI is only experienced when that tooth doesn’t blow up because you did that extra thing for it, right? And most patients don’t want to go through paying now for a crown after they just went through three root treatment. I don’t know the lingo as much, but that’s, you know, similar and you have to sell it in the same way, right?

But when it comes to the gaps, sometimes it is the simplest things to which the most exposure happens. I’m going to tell you that cybersecurity controls are very important. All of the things that we do to use automation, machine learning, AI to keep those systems running smoothly, check for anomalies, prevent intrusions from happening. These things are not that sturdy if you have humans on the outside that aren’t trained to understand what it’s like to be tricked into circumventing those controls. So if you have weak passwords or passwords that have been reused and you don’t have two factor authentication on it, for example, it doesn’t matter how much security I’ve put on your systems, they may invite a cybercriminal through the door. So that multifaceted approach, and it’s like the human firewall and the mechanical and the appliance firewall, metaphorically, is extremely important.

JS: Okay. So let me ask you, how can dentists effectively balance the desire to leverage the technology for growth with the increasing need for cybersecurity measures, but keeping in mind with everybody, budgets are tight.

AG: Well, you know, if you go to one of the trade shows, you’re going to walk the floor. Everyone’s going to want to sell you these new technologies. And when you ask the question, is it secure? Is it compliant with privacy? They blanketly say, yeah, it’s secure. I want everyone to adopt technology and leverage it and exploit it to the greatest extent they can. There’s so much that can happen in the field. Dentists have always been quite pioneering in embracing all of these technologies. At the same time though, each time you add a software or a hardware or, you know, one of these machines that scans this or that. These are all potential points of vulnerability. It needs eyes on. It needs more than just mainstream IT. It’s okay to have mainstream IT for day-to-day stuff, but you really need to have a professional set of eyes on it to evaluate it once everything’s set up or even before you purchase it so that you know where those gaps might be.

And if you do that well, most of the other general tools that you’re going to put in place are going to work really hard for you. It doesn’t have to be that you’re engaging with IBM or Deloitte.

There are of course, through my own company, managed cybersecurity or cybersecurity as a service, where we can take all of these enterprise grade tools and facilitate them and use them in your practice, but not charge you tens of thousands of dollars as if you were working through a company like the IBM. And then training. Training is something that takes thirty minutes online once a year for each of your staff, and it goes a really long way. If you put that together, bank it with some really good policies about what you allow or don’t allow to happen on your systems, you’re going to be pretty well set up.

JS: So in sort of winding down, that’s critical I want to ask you. So, the one pearl that our viewers and listeners can take away. Why is cybersecurity training essential for all members of a dental team and how can practices ensure that their staff are adequately trained?

AG: The evidence is as we’ve already talked about through this whole thing. Most successful breaches involve the human element. Last November, IBM put out a study that showed ninety five percent of breaches are facilitated by human error. So that’s the first thing that we want to do is make sure that whoever’s touching any of those emails or web portals or whatever first, if they’re armed with those defensive type tactics, then you don’t have to rely so heavily on the technology alone to keep you safe.

And then the…I’m sorry. The other part of the question was?

JS: So, I wanted to know why is it important though that every staff member is on board?

AG: Yes. Well, because every single person in your practice is probably working with the system. So, anybody with access to patient data, I mean, it’s not just a compliance requirement like under PHIPA in Ontario or PIPEDA federally or your college. They all are asking for people to be trained that way. But you really want them to be because, you know, slip ups are so easy to happen. It might even be your bookkeeper that does it, not necessarily your hygienist, right? So I think thirty minutes once a year to have that little certificate that says, okay, I understand what the current types of threats are, in a contextualized way, right, that applies to a dental practice. Not, say, just a law practice or something like that, gives scenarios and case studies of where they may get into trouble. This is going to do a lot to arm them, to defend your data every time they go on the computer, on the system.

JS: Great, great information in 2025 that things are changing so quickly. And all the talk now is AI, so very, very relevant and extremely appreciated by everybody who’s viewing Oral Health. So, thank you very much for stopping by and as always, Anne, great to see you.

AG: Thank you. Thank you.

JS: Be sure to subscribe to Brush Up’s email alerts, on Spotify or YouTube, to be notified every time we post a new episode. Please remember, keep brushing up.