Interview with Debi Carr on security, software updates and passwords

Debi Carr

Did you expect your cybersecurity expert and high-tech CEO to have a cold and technical approach to problem solving and training? Not Debi Carr! While she is recognized as one of the top experts in small medical and dental practice HIPAA HITECH compliance and cybersecurity, she is also a friend, a mother, and a caring mentor. Plus, her years of private practice management experience and experience in technology and security make her your perfect companion on your security adventure. Debi is a member of AADOM, ADMC, HIMSS, IAPP, ISC2, ISSA, ISSAC, InfraGard, SCN and Women of Cyber Security, and holds all the important security certifications including:

  • HealthCare Information Security and Privacy Practitioner
  • Certified Associate Healthcare Information and Management Systems Provider
  • HIPAA Certified Professional
  • Certified Ethical Associate-IT.

DK Carr and Associates is also certified as a Women’s Business Enterprise by the Women’s Business Enterprise National Council, the nation’s largest, Third-party certifier of Women-owned businesses.

Dayna and Debi sit down for an important conversation about keeping all your software up to date and current. This is not just your Dentrix software, but all 3rd party software that integrates with your practice. Your IT company might not be installing all necessary updates so it is up to you to double check.

I know passwords are a pain in the (you know what) and Debi dives into why we need to embrace them.

For more information on this topic or to reach out to Debi to schedule your assessment, go to

Dayna Johnson 0:08 

We are super excited, you have found Novonee on the Go, the Premier Dentrix community’s free podcast. I’m Dayna Johnson, the founder of Novonee, and my goal is to give you about 15 minutes of juicy content to take back to your practice and help your team have a more productive and less stressful day. Enjoy! 

Dayna Johnson 0:28 

Hey, welcome everyone, to the Dentrix superuser podcast. I’m Dayna Johnson, your host, and this week, we have a special guest. Someone that I just had the opportunity to network with over the past week or, so we were both at the Speaking Consulting Network annual summit in Nashville over the last week, and it was really fun to see a lot of my colleagues and reconnect with some people that I hadn’t seen in a couple years. So that was really fun. That’s also where, as a speaker and consultant, we get to learn from some of the industry leaders, like how to grow our business, how to, you know, optimize new software and, and things like that in our own business. And so that’s always exciting for us to get to, you know, get our CE on out in the industry. And so, Debi and I had the opportunity to kind of sit down and, and catch up. And you know, I thought it was fitting to have her on as a guest. Because recently, I’m talking a lot about the Dentrix update, because Dentrix has already had three updates this year, so far. As you all may have noticed, Dentrix has started to do smaller updates, about every six to eight weeks, maybe six to 12 weeks doing updates. And so, I thought it was fitting to have Debi come on since she is a cyber security consultant, she helps dental practices get compliant and stay compliant. And one of those ways is to stay up to date on your, on your computer updates.

Debi Carr 2:29 

Thank you so much Dayna, for having me this is I’m always so excited to educate on cybersecurity and what practices can do to protect themselves because we, we work with small healthcare entities including doctors, dentists, chiropractors, eye doctors, to help them to protect against the cyber-attacks that are happening right now. And we’re seeing in large amount and of them happening. And a lot of times they are totally avoidable. It’s just doing some best practices in your practice to protect them. So I’m always excited to talk about that.

Dayna Johnson 3:10 

Exactly, I hear you I know, you know, it’s not just our practice management software, but it’s also our phone, they’re always updating the software, you know, our TV, or updating our Wi Fi is constantly our software is constantly updating to the most current software updates. And so that’s kind of where that’s the first question I want to dive into with you is, you know, I was just mentioning that Dentrix updates their software, probably about every six to 12 weeks. And it’s really important to keep your software updated. And I get a lot of practices that tell me oh, we’re not going to update. You know, my hardware tech is telling me that I shouldn’t update my software. Or, you know, I recently did a online assessment with a practice that was still on Dentrix 9. Oh, my goodness! Tell me about it. I know that’s from like 2000 and Oh, God. Oh, man. I mean, yeah, yeah. So guys in with our audience about why, as a professional, you know, in your professional opinion, tell us why it’s important for practices to keep their software up to date and on the current version.

Debi Carr 4:47 

So it’s very important and there’s a lot of reasons but the main reasons are that one you want to be on the current version, because that is the version that’s being supported. That those past versions are no longer supported, which means now you will have a security risk. And the reason why it’s important to make sure that you are updating, you know, we want to update any application that we have, and not just Dentrix. But our antivirus updates on a regular basis, all of our applications should be periodically reviewed, I tell my clients that they should do have their it do a review, pretty much quarterly, and make sure that all the patches are applied. And that’s what updating is, it’s applying patches. And when those patches are, is it there has become an issue has been found out, or we want to add a feature, or we want to make a change. But in a lot of cases, those patches are closing an issue or vulnerability that has been found, and that they’ve written a code that will close that issue, and will make it so that it’s no longer an issue, which means now your application is current, and is able to defend against the most recent found vulnerabilities, you know, all we can do in the landscape that we’re in, is to stay one step ahead of the hackers. Hackers, it used to be that all they would just you know, they would get in your system, they would drop their little code, and then ask for their three Bitcoin and off, they’d go there and they really didn’t do anything. That’s not the case anymore. Now what’s happening is I’ve had them sit in systems, I have one client where they were in the system for 48 days just a while looking around. It’s called privilege escalation. And I want to talk to you in a minute about how to avoid that. But let me stay on patching for right now. All we can do is stay one step ahead of these very, very sophisticated hackers, and they there they run a business. I recently attended a FBI briefing and on one of the groups, and they literally they called their people that work for them associates, do we use that term in health care, and were their clients who what are clients people that owe you money who owe you money, the people you have injected, and you expect to pay with Bitcoin. So it may seem trivial to update your applications that when we do a risk analysis, that’s one of the things that we look for are your applications up to date and current and being supported. Because a lot of times there are residual applications that are left on I’m dealing with a data breach right now where the vendor is no longer involved with the practice, but the application was left. And so that’s that was the means the hacker came in, because it was an open door between the vendor and the practice. And they were able to be it was called a man in the middle attack they were able to at and get into the practice that way. And so Wow, it’s really important that we stay very current on making sure that the that all applications are up to date. But we have to remember that Dentrix is should be in every practice should be identified as a critical application, that means that it has the highest protection levels. And that means when it’s deemed critical or been labeled as critical, every patch that comes out for it, every update that comes out for it should be applied, and to make sure that it is current. And that any issues that because you know Dentrix doesn’t come out and say well, we’ve picked the fact that I don’t know that the screen saver isn’t working just quite the way it should be or some little minor issue, as they’re introducing a new feature, they’re not going to advertise those things because it would be too time consuming. But it’s really important that all applications be up to date, especially those that are labeled critical, because that is that is the one that you know runs your practice. And that is the one that if a hacker gets in, what are they going to do that’s the crown jewel for them, because that’s where all your pH i is stored, created, transmitted. And so it’s really important that it be current and up to date. And that that’s not just the updates, that’s also when a new version is released. Those should be done you should invest because that’s what it is, it’s an investment in your practice, you should invest in upgrading to the later version. Yes, it’s about the great new features. But also, most cases, there have been big issues that have been found that have been closed. And again, if you’re not running the latest and the last version, chances are your software is no longer being supported. And that is also a scream at issue.

Dayna Johnson 10:26 

Agreed. I agree with that. So, I have a follow up question. Because okay, I was reading, I was recently doing a segment because I’ve remote in to their practice of software, and I’m around. So one of the things I do look at is what version of Dentrix they’re on. So I know, are they staying up to date? And what version are they on so I can give recommendations for them. So I was doing an assessment. And this has happened multiple times where I noticed they’re on a super old version of Dentrix. Like, right now we’re on 23.3, as of this recording, where it’s 23.3. And this was this office that I did an assessment for they were on like version 7.5 or something like that, which was, which was a couple years ago, several years ago. And I when I mentioned it to them, they said, What? You’re kidding, no, we can’t be that far behind our IT company, we pay them to keep us up to date.

And I see that all the time.

Debi Carr 13:18 

Yep. It’s really important to use a qualified MSP. And you know, you should ask them, ask them some questions. Ask them when their last risk analysis was, every practice should be doing is required under HIPAA to conduct a risk analysis annually. So are your vendors and your business associates? Ask them ask them? You know, how do they bet? Do they do vendor management? Because if they’re claiming that they’re doing vendor management, then you would be on the latest and greatest of dentists and have 10 tricks.

Dayna Johnson 13:54 

Yeah, well, I love what you said about that 12 piece checklist. I would love to see what those things are on that list. Do you have a place where we can find that?

Debi Carr 14:11 

I we just redid our website. So we’re still getting some things up there. But I can give him I can. I’m happy if somebody wants to just email me just put in the subject line with like more information about HIPAA technical. But it’s okay basic things then it’s things like Yeah, but assign unique user to the information system. Now notice I did not say to Dentrix. I say on to the information system. I can’t tell you how many times I hear from IT companies. Oh, well, the doctors complain that it’s going to be too much for them. If they have if everybody has unique user, it’s going to take them too long to get into the information system. And it just it’s too much problem for them. No, it’s not no dental office. And as busy as we are in dentistry, there is no dental office that is busier than a hospital. And guess what, right hospitals have unique user to their information system. And then they have unique user to the practice management, whether it be and there are hospitals that use Dentrix. Believe it or not,

Dayna Johnson 15:27 

I agree.

Debi Carr 15:28 

And so far, it’s not that difficult. It just means that practices have to do them and force their IT or their MSP to do it. And but it’s, it’s about assigning unique user, to each of the employees so that so that assigns a unique name for identifying and tracking user identity. And again, Dentrix is a critical application for us. But there are other applications that are utilized in a practice that have patient information. And if you like, if you go to some of the sensors, some of the X ray imaging programs, you’ll see there’s a whole database that’s exposed, all you got to do is just click on it. And you’ll see the patient name, date of birth and a record number. Anything that can identify a person becomes pH i. So now you have a record number, a name and a date of birth and an image, we have pa TTY. And that is nothing sacrilege to Dentrix, but it’s not in Dentrix. So it’s really important to have those layers of security and unique user is huge. And then the next one is, you know, emergency having backups and log offs and automatic log offs and those kinds of things. But it’s about monitoring and auditing your users. It’s not, it’s not the eyeties job to upgrade the Dentrix that is on the doctor to make sure that they know and that’s why I know Dentrix sends out an update newsletter and lets the doctors know that it’s coming and or that it’s been released. If you’re paying attention, it’s having somebody to pay attention to those releases and making sure that it’s current.

Dayna Johnson 17:31 

I agree. Yeah, there’s about there is new there. Yeah, there are new features right now, that will give you automatic updates, so that you can schedule them to up to date at a certain time of day, you know, so they they’re not updating in the middle of your workday, you know, you could have right update, you know, in the middle of the night, and then you come in the next day and your software is updated. So well. It’s not ideal, you know? Exactly. And but it is up to up to the hardware company that makes sure that the hardware is meets or exceeds the hardware requirements and things like that. Well, I’m looking forward to getting back getting on your website and looking at that checklist and making sure that our practices know where they can find you when they are looking for a cybersecurity consultant, because maybe they don’t have one, or they’ve heard something in the podcast today. Like the risk assessment or, you know, being concerned about a possible breach, you know, I want our audience to be able to find you, and be able to reach out to you via email or via your website. So why don’t you give our audience your email address and your website and I’ll also make sure that it’s on our, our, our description or information on this podcast, so that everybody can find it very easily. But But tell us tell us how they can find you.

Debi Carr 19:05 

You can send me an email at

Dayna Johnson 19:25 

All right, perfect. Well, this has been really great information. I appreciate you being on as our cybersecurity expert. And it was so fun seeing you last week, and I look forward. I know we have so much fun. And so that’s you know, one time a year where we get to connect again and see each other and catch up on on our live and hopefully I’ll see you soon maybe at the ADMC meeting or maybe greater in New York. Maybe we’ll see each other at one of those upcoming events.

Debi Carr 20:04 

Sounds good. Yes, I’ll be in ADMC in August.

Dayna Johnson 20:08 

Perfect. All right, Debi. Well, I appreciate you being on with us today. And so, for everyone out there if you if you found that this podcast this episode today resonated with you, or if you found that maybe some of your colleagues may find it informative and relevant for today’s information, please rate it, review it, share it with your colleagues, your study club, your friend. Your dental practice is down the street. And we really appreciate you being on with us today. And I hope everyone has a great rest of your day. Thank you, Debi. Thank you

Transcribed by

Posted in