Anne: Hi everyone. It's Anne Duffy and welcome to Dental Entrepreneur The Future of Dentistry's Podcast. I'm so happy you're with me today and I have a very special guest, a very good friend, a great friend as a matter of fact, but let me tell you a little bit about her before we get started. Amy Wood's goal is to protect people after her own information was compromised in a data breach.
She has made it her mission to ensure it doesn't happen to anyone else. She has spent the last decade as a HIPAA educator, risk assessor and data breach consultant. She is passionate about educating as many people as she can to ensure the safety and privacy of protected health information. Amy Wood.
Welcome. Welcome. How are you?
Amy: Great. How are you?
Anne: I'm doing pretty darn good. It's always good to see your beautiful face. I get to see that more often now, which is lovely for me. It's a beautiful day here in Charlotte. We're in January and the weather's nice and sun's out. Sun's out, guns out, right?
Amy: Yeah. I mean, we're having a beautiful day in the Midwest. Gorgeous. I might be able to actually get my Christmas decorations out of the ground. It might be unfrozen enough for that.
Anne: Yeah. I mean, it's not Valentine's Day, so I give myself a break on that. But listen, you have always been so dear to the do community, but we decided to do this in Dental Entrepreneur, The Future of Dentistry, because you are such a profound.
so much in the field of cyber security and compliance. Don't think we've ever been on a DoConnect, which is our gathering once a week, when you don't have something that people need to hear. And my favorite tagline from you, of course, is, "pay me now or pay me later," which scares the heck out of me.
But you have saved so many people in this industry. And tell me, Amy, how did this all start?
Amy: Let's go back two decades, and I was running a very small, dental-specific IT company in Northern California with my husband. And we had two small children, and I don't recommend having two under two.
It's really, really, really
Anne: stressful. It's too late for me now,
but
Amy: but for anybody listening, two under two is way too much. And I decided to do upper and lower orthognathic surgery on top of all of this. I had to have all my titanium removed because my screws started unthreading themselves a couple of days after the surgery.
And so I've nonstop family gatherings where they always say, "Oh, still got a screw loose in there, Amy," like,
Anne: Oh, my gosh, not
Amy: physically. But yeah, I'm sure there are a few screws loose elsewhere. And then a couple years later, those X-rays ended up for sale on the dark web, along with my name, birth date, Social Security number and my insurance medical record number.
And I realized that our dental community is ill-equipped to handle cyber incidents and information that's digital being compromised. Here I was trying to get people to go digital, but how did I do that in a safe manner? How could I educate them? And out of that came absorbing everything about HIPAA, both privacy and security, and trying to get people to understand it in layman's terms.
And so that really became my superpower, taking the geek speak and the legal jargon and breaking it down into ideas and methods and processes on how to appropriately implement all areas of compliance into their practice.
Anne: You can talk about it all day, but implementing it is the key, right?
Amy: There's a lot of hand holding, a lot of grumbling, and I'm pretty certain from a few clients, some swearing.
And sometimes when things are really hard like that, they just give up. You scare me, so I can imagine. I say that lovingly because I love how you handle it. You're the only person I know that can make compliance and fun to listen to and then actually scared enough to, like, do something about it. So what's happening? What is the future of cybersecurity now? Because, you know, we're digital, I think it's important to look at the history.
And see where we've come and what's happened in the past. I'm a huge history buff anyway, but when I came into dentistry, we were really just starting to go digital. The digital X-ray systems had just really come out. They were being implemented in every operatory, every office. That was our main heyday, and we were in a ton of practices and seeing how that was being done, but there were no guardrails.
No guidance on how to do that appropriately. And so we had created guide rails on what our parameters were, what we wouldn't do, what we thought was safe and wasn't. And then after my information ended up for sale on the dark web, I got involved with a bunch of different government agencies.
And so I'm on all these different cyber task forces and different meetings and groups. And so if you think I'm scary, you should hear some of the meetings I go to.
Anne: Wow.
Amy: It's terrifying what's actually out there, but the reality is where we're at now is we're finally putting some guardrails up, finally having those parameters and guidelines on what we should be doing.
And I'm thrilled to say that I've actually been a part of that process to make sure that dentistry is represented, and it's quirky, it's weird, the programs are funky and sort of are secure, and sometimes not, and sometimes are, and sometimes the vendors integrate properly, and sometimes they're secure and not, and so it's just an interesting time in dentistry, and I am really excited to see where it's going to go with this new guidance that's coming out from Health and Human Services very shortly.
Anne: Oh, very shortly. Wow. How will we get that? Will it go out to everyone or will we have to seek it out and find it?
Amy: A little bit of both. Obviously I will be posting stuff, but
Anne: Great.
Amy: Yeah. As soon as that comes out. So Copper Penny Consulting, social media, we love to do fun stuff.
My girl Deanna talks about dirty things, right? So we're out there posting things as soon as they come out and things that need to be discussed, but I know a lot of the associations will be pushing out that information as they get it, and consultants, obviously, but really, it's up to the doctors to seek that information and personally, I don't think that's very fair.
Anne: They've got a lot on their plate, that's for sure. And so now they can find it through you because again, I love the fact that your expertise goes beyond dentistry. I mean, like, I know that you and Scott, you had the IT company before, was in a sense outside of dentistry, right?
I believe it was mostly dental.
Amy: We were about 85 percent dental clients, and way back a long time ago Dentrix used to have an engineer program where you had to be certified to do certain things within Dentrix. And uh, my husband was one of the first group to do that.
Anne: It's since,
Amy: Restructured all of that, but he was one of those certified engineers
That's cool. That's got such a smarty pants. Of course he was in the beginning of that whole phase, but just gives you the experience and expertise, really know what's going on and understand it because it's so broad.
Anne: That's the thing. I think you make cyber security compliance not only fun but understandable give it. The tools to be able to execute it, in a practice and in the businesses around because, I mean, you were talking a little bit about vendors and speak on that. That seems like that is the future here in dentistry.
It's one of the parts of innovation and things that are going on in dentistry. So how does that relate to compliance and cybersecurity?
Amy: Oh, it absolutely does. So again, quick little history lesson, especially for the younger dentists that are coming up, dental professionals that are listening. When a lot of the server-based systems came out, they didn't always have all the add-ons
that we have now. So third-party apps would do appointment reminders and texting and payments and all these different communication, integration, claims. And all of these things were third-party applications that had to integrate with the practice management system. Now you've got some cloud providers that are trying to bridge that gap and not have third parties
involved. Some aren't, but we still have a lot of server-based practice management systems. And so now what I'm seeing is a shift in the vendors where a lot of them are integrating together or creating partnerships together.
Anne: You're seeing that
Amy: One click to do your CareCredit application.
And not that that's a bad thing. It just means that when there is a problem, it's a lot more people and a lot more vendors are involved. And it could be a massive data breach like Change Healthcare was last year.
Anne: Okay. 'Cause that was the big wake-up call the industry had, was like, wow, if it can happen to Change
Healthcare, my goodness, it could happen to anyone. And so more things have to be put in place then to protect those integrations. Is that what you're saying? Yeah.
Amy: Yeah. On the vendor side, certain certifications, having certain people on their team that would have cybersecurity qualifications, insurance,
things like that. Vendor vetting is something that I started very early on, back in the days when vendors used to threaten to sue me just for asking questions on behalf of clients. Okay. Okay. They don't do that anymore.
Anne: It's right. You've earned that right to be able to tell them what to do, but not to do, but I guess you've got to be very careful and you can't be naive about it anymore.
I mean, that's the other thing. And you know, no one goes to school for this, really. Very few people do. You do. But I mean, like, in the dental arena, it's out of a lot of our wheelhouses.
Amy: Yeah, it's becoming more of the norm and almost required, with Fortune 500 companies, Fortune 100 companies, where you have to have a member of your team that has certain credentials within cybersecurity.
And you have to report within a certain amount of time. Federal Trade Commission has rules. Department of Justice has rules. Like, we have all these various government agencies that are breathing down dentistry's back. And most of the time dental professionals don't even know that that's what they're supposed to do.
They're too busy trying to figure out how to drill and fill and what's the latest in implants and what products for this. And I can't get this anesthesia. And now the price of gloves went up again and, you know, they're dealing with a lot of things already. So trying to keep up on compliance, whether it's OSHA, HIPAA, HR, whatever they are.
Those rules get more and more complex, and it's harder and harder for any kind of practice, regardless of your size,
Anne: So that's where you come in, Amy, is that, so you can have multiple practices, multiple people that you can help and be their compliance agent. So to speak, that's a Copper Penny is working?
Amy: Yeah. Most of our clients come to us because they either had a data breach, which is horrible.
I hate dealing with those. Sadly, I'm a little too good at it,
Anne: which
Amy: is why I keep getting called. Yeah. I don't like working in that capacity if I can avoid it. I prefer working in a capacity where it's more a fractional compliance officer,
Anne: where
Amy: I spend my time living and breathing HIPAA and cybersecurity and privacy.
And I have people on my team that live and breathe OSHA and infection control and DEA and all these other aspects of compliance. Everybody is an expert in their own thing. And that way we are tapped amongst all of our clients to be able to spread a little bit of information to all of them so that they have a really good, robust program in place.
And when things kind of go a little haywire, they have the phone and expert aspect of their program with us. So they don't have to have someone on staff. They can't afford that.
Anne: No. Never seen anybody's hand raised up to say, I want to take care of that in the operatory.
I mean, it's like, where's the book on OSHA? I mean, there's one person that knows what the book is in the dental practice and God forbid they leave the office and never find it. Yeah. And they're still in the shrink wrap. Yeah, exactly. But it seems like the most
obvious way to secure and ensure that you're compliant and that the privacy of your patients and your practice is upheld, because that's a big deal. I mean, when you think about, and it can happen just like, I've been on a coffee with you or whatever and you get a call that somebody's just been hacked and all of their records have been stolen and they're in ransom mode.
I mean, similar to, like, what Henry Schein went through and things like that. It's a real thing and it could happen to anybody.
Amy: It does, and it's so fast. I always tell people it's not a question of if, it's when. And so the real question is, did you make yourself low-hanging fruit and easy to hack or to get compromised?
Or did you put just enough barriers in place to make the bad guys go elsewhere?
And whether that's an insider threat or a hacking group or employee that goes rogue or third party that comes into your system and they shouldn't have had unfettered access a hundred percent of the time. I mean, there's all kinds of things to look at and it's my job to look at things like a criminal.
How would I compromise this? How could I get into it? And how do I close the gap on that?
Anne: And you can do that. I wouldn't have any idea how to do that. And then that's like, it's just like, you look at you, you're lighting up like a Christmas tree. It's like, Oh my God, I can't wait to get in there.
And everybody, I would imagine it's like, this would just help the practice sleep well, the owners, especially because, you know, you can call Amy and anybody in your team for, you know, a Copper Penny to help with the situation. Otherwise, like, I don't even know what to do. It seems like it's imperative to be able to have someone on their team that they can call and also to set things up, right? You know, are you locking your door at night? If you're a low-hanging fruit and it's a gateway to get in easily, you're right, it's not if, it's when it's gonna attack you.
Amy: And honestly, along that same line, when that thing happens, is it going to be a minor inconvenience or is it a major catastrophe?
Basically what ends up happening is these offices can have minor little inconvenience and it's a bad day, but it's not a bad life and it's not catastrophic to their practice.
I've also had others that have called me on the worst day of their life. Like, I'm dealing with one right now where they had several front desk people and one of them was terminated and a couple others left in protest and they all had shared passwords and they were able to get in and just mess with the schedule for the next six months and delete documents and be able to do all kinds of nefarious things
that are causing chaos.
Anne: Yeah. And if you're naive and you're heads down in the patient's mouth, 99 percent of your day. First of all, I can't even believe people do that, to hurt somebody on purpose.
But, you know, we do live in a world that stuff happens that we would never believe could possibly happen. I don't know how long it took change healthcare to get back on their feet or even like, can we shine?
Amy: They're dealing with
Anne: it. Yeah.
Amy: And each of those situations was very interesting and I guess some interesting insider information
I'm not allowed to share, but there were other forces in play with both of those incidents and they could have been managed better so that less people were affected.
Anne: Yeah, I think that's the key is to just do everything you can. is
Amy: an art form.
It's like writing the perfect FU email, like that's a skill that you have to learn very carefully.
And it takes time and patience and coaching, and being able to respond well in an emergency is not a skill that you learn overnight. There's a reason why you have to do basic life support training every two years. It's not because the dental board says you have to, to keep your license. I mean, yes, that's true, but it's to create the rote muscle memory so that when you're faced with a true emergency, while your adrenaline might be pumping, your brain still knows automatically what to do.
You might not do it a hundred percent perfect, but you still know the motions to go through. And I a hundred percent believe that in the future of dentistry, if I'm looking at a crystal ball five years from now, things like cyber security will be added to a disaster preparedness plan and people won't actually practice it.
Anne: Wow. How does AI fit into all this? Because that's a whole, that's a whole new world. I think we were both on the DoConnect call when they had the first ChatGPT came up and I think it was Ash was talking about. I think you were on that call. So tell me, how does that play into the future of dentistry?
Amy: Everyone thinks that AI is new. It's actually been around since the 1950s and we use it in everyday life. We use chatbots on websites. We deal with phone trees. We have vacuums that roam around our house for us and use lidar technology. We use AI in a lot of ways already, and we don't even realize it, but it's been introduced to us very slowly.
And now what we're seeing is ChatGPT was this huge thing and it was accessible to everyone and the lay person could use it. And so everyone knows what it is and how to play with it. But that also means that you can use it very incorrectly because new technology very rarely has guardrails on what you should and shouldn't do with it.
So just to clarify, all technology can be used in certain ways, but it doesn't mean it should. And that's true with everything, whether it's a Nest thermostat, which I've had hacked an entire practice management database compromised and sold on the dark web, or a Ring camera system, or Sonos speakers, or like all of these things that we put into practices now as just a standard thing, AI is being used on a lot of them.
We're just now hearing about it more. It's just been around for a long time. But what I'm seeing is a lot of our vendors are using it and they're not necessarily putting their guardrails in place and what they should and shouldn't do with it. Probably the worst call I've gotten lately was from an IT company that I work with.
And they said, "One of our clients, the people working at the front office, someone put in the patient's name and address, date of birth and all the reasons why they wanted to terminate this individual from the practice," and said, "How do we get it back?" And I said, "You don't. Once it's in there, it's in there forever and it will be reused over and over and over again."
And that is absolutely compromise of patient information.
Anne: What? Now, wait a minute, back up because I'm not confused. In other words, if you put that into ChatGPT, no, is that what you're talking about?
Amy: Yeah. So they wanted to write a dismissal letter for the patient. And so instead of just saying "write me a generic dismissal letter for the following reasons," they put the patient's name and address and their date of birth in there and the specific reasons why they wanted that patient dismissed from the practice.
And so now it's just recycled over and over and over again in ChatGPT world. Because AI will learn from what you put into it.
Anne: Wow. Yeah. That's an eye-opener right there. It's the wild, wild west. It truly is.
Amy: There aren't rules or guidelines and technology is one of those things that, like I said, we have to really look at just because it can be done, doesn't mean we should do it.
Anne: Just
Amy: because I can go and look at patient information as access of part of my job for vetting the overall security compliance of network or a practice does not mean I should go snooping in all the patient records.
Anne: Yeah.
Amy: Especially if it's a family member that I know went to that office to go look to see what's their open balances, what kinds of things do they need to get done?
Snooping happens even in dentistry.
Anne: That's blowing my mind right there because actually I was on a webinar. This is early on in ChatGPT and the person that was doing the seminar brought up all of her P&Ls on ChatGPT and showed how it could give you the whole algorithm and all that kind of stuff.
So are you saying that's not a good idea? No. Wow. And you have
Amy: to de-identify that information. I mean, P&L is different than having a whole list of patients for refund checks. And I mean, that's usually what you see inside QuickBooks,
Anne: but
Amy: There's all kinds of things in reports that information needs to be extremely limited.
Anne: And I think that's just going to get more what's the word I'm looking for? Policed, if you will. I don't know if that's a good word, but privacy is really a big deal. And you were saying earlier that this younger generation doesn't even know what privacy is because they've been living on Facebook and Instagram and TikTok and all those things.
Where do you see that going in the future, the idea of privacy? Because you know my age, we didn't even think anybody would care about what we were doing or say anything about it.
Amy: All data is valuable. Think of it like a yard sale. Someone else's junk is someone else's treasure.
And what we don't realize is every little piece of information can be sold and resold and compiled into different databases. So one office might have a weight of one person and another office might have their blood pressure and both offices have their list of medications that they're taking and another office might have their blood type.
And so what the hackers will do is they'll compile all these different data breaches, these smaller data breaches together to create almost like a dossier on a person. So then you get a full package and someone can buy that for 1,500 and they'll go and impersonate a person. And I had that happen to me a couple of years ago.
Someone tried to get gastric bypass surgery under my insurance. Because they had enough information. And the crappy part was, I'm Irish and German, we come out of the womb with high blood pressure. So obviously I've been on blood pressure meds for a long time. The woman that impersonated me had perfect blood pressure.
And I could not get my prescriptions because of that. It took me three months to fight that battle.
Anne: Oh, my God. That's just so unfair. And just again, when I think of, you know, even hearing your story like, again, if it could happen to Amy Wood, it could happen to me.
Amy: I hope the weirdest things happen, though.
I mean, like, who rejects titanium? Yeah, well, that's true.
Anne: Yeah. Is a good story. I have not heard that one before. But, gosh. I just feel like what you're doing is noble. I think it's so important. I feel like that if anyone's listening and you don't have someone in your office to hold your hand and answer the phone at midnight when you realize you've just been hacked or something goes awry
Or call before. Oh, or call before. Proactive, not reactive. Right. I'm sorry. I keep forgetting. Yeah. If you want an answer on the first ring, you make a relationship with Amy and her delightful, fabulous team of just amazing women. I think your team is.
all
Amy: ladies right now. That's not on purpose and weirdly enough all of them are gingers in some way, shape or form. All three of my daughters are redheads and business is Copper Penny. Our youngest kid is Penelope. She's our little lucky penny. And it's not on purpose. I'm not discriminating, to my HR friends.
It just happens to be those are the people that we attract that really love this kind of work and they're confident about what they do too. They have interesting stories and experiences as well.
Anne: Wow. That's really amazing. I know so many on your team and I just adore everyone.
They're all smart as a whip and they're just really caring people. So how do we get in touch with you, when you mean listening here? How do you get in touch with Amy Wood and your team?
Amy: Social media is easiest. Website is the next. Everything is under Copper Penny Consulting and we're pretty easy to find.
And actually we're all over everything but TikTok. And that's because security, security says no, actually, one of my government groups says no, no one in my house, like my teenagers have never had TikTok and they're not missing anything.
Anne: They're not missing a thing. Oh my gosh. They're going to grow up being amazing young people.
And they're going to be aware of what's going on in the world. And what I love also about your story is everybody needs a lucky penny and you can deliver that, Amy. So thank you so much. We will reach out to you. I'm so happy that we had this time today. I'm still trying to build my relationship with you so that when anything happens to me, you will pick up the phone and I know that you will.
So you're just
Amy: okay. You share, you tell me the stupid stuff you're about to do and I stop you from doing it.
Anne: I know. Like I said, we all have a band on, you know, what Amy Woods says, everybody listens. So what would Amy Woods do? What would Amy Woods do? All right, darling. Well, listen, thank you so much for being here today.
Thank you for enlightening our audience. The dental entrepreneurs, and if you're listening to us today, don't forget to keep doing you. Thank you, Amy. Have a great day and I'll see you next time.