Recently we talked with Gary Salman, CEO of Black Talon Security. Our discussion was lively and full of great stories and tips. There was so much there we decided to break this into two episodes. This is part 1 and next week we will share part 2. Let’s get started on cybersecurity tales!

 


In this episode:

Cybersecurity Tales with Gary Salman Part 1 – Ep 270


Cybersecurity Tales with Gary Salman – Part 1

There is so much to cover from this discussion that the blog posts for these episodes will simply have to be snippets of the conversations, with links to jump there if you want more information. I encourage you to listen to the whole interview because the topics were varied and our pace was pretty quick from one to the other.

[04:07] Today we have a guest with us. Gary Salman from Black Talon Security.

[05:49] Gary’s first intro into cybersecurity and law enforcement was back in 2001 when he was running a company handling OMS practice management software. They had installed some pretty high-end Cisco Intrusion Protection Systems. And shortly after we installed these devices, my engineer came and he’s like, “Hey, man, we got a major problem. The system just locked out most of our users. It detected some type of attempted intrusion.”

They founded Black Talon Security in 2017 mostly because Gary was getting too many calls asking for help or referrals to someone who could help with a cyber attack. The cyber security company was born!

[08:09] It’s a really, really sad situation because I think what happens here is a couple of things. The majority of the companies that service these smaller businesses and smaller health care providers, they don’t understand the laws, i.e. your world data. They don’t understand the state laws. They don’t understand the sophistication of these attacks. And then I think there’s this protectionism as well.

[09:08] Meanwhile, they have no clue what happened. How long were they in the system? Well, as we know, many of these groups have persistence on the network for weeks prior to launching their ransomware attack. Many of these threat groups, almost all the major threat groups, now steal the data first and then hit you with the ransomware. So, if your IT vendor comes in and just “cleans up the mess” and sweeps everything under the rug, you’re fine.

And then your patient data starts showing up for sale on the web. You have a major problem. You have a legal and PR disaster on your hands that you can’t even begin to fathom. So that’s a challenge that we see a lot. And then some of the doctors… they just make poor decisions right there, like, oh, I have a friend that can fix this or I know someone or I’ll try and do this myself and I’ll just pay the ransom. It turns into this horrible, horrible situation that we often get involved with. And they’ve done way more damage from a compliance standpoint and then from a business continuity standpoint than just doing it right from the beginning.

[10:19] I love the ones that engage me. I review everything. And I say, based on what you’ve told me, you have a data breach that needs to be reported. They’re like, we’re going to have to review all that you’ve given us and get back to you. Crickets. We never hear from them again.

There’s a distinct difference between IT and security. And when you don’t understand that, you’re going to need forensics at some point.

[13:49] If you honestly examine the types of groups that are attacking our health care infrastructure right now, this is no joke. These are operations that are generating hundreds of millions of dollars that employ some of the most sophisticated code out there. This isn’t Dave sitting in a basement of Mom’s house in Florida.

[13:49] What really is the difference between what IT provides as “cybersecurity” and what a true cybersecurity vendor is providing?

[18:54] You have to constantly look at it and evaluate, is this working?  Did it miss something? Is it backing up? Can it be recovered? All these things there have to be done, it’s part of the management piece to what you’re supposed to be providing. And a lot of times MSPs will just set it and forget it and then they don’t realize until something happens. Oh, man, this thing hasn’t actually patched in months. They’re relying on those tools and say “Oh well, we don’t have to worry about it now.”

[20:22] I want to see proof that this is working because guess what, five years from now, someone’s potentially going to ask me to prove you were doing your job today, right?

The criminals go out and buy the same stuff
[21:19] We did a huge breach down in the D.C. area that occurred a couple of months back. A majority of these healthcare providers were sold a backup solution. In every single case we dealt with, we did a lot of those recovery efforts. They had a legit backup solution, not a two hundred dollar hard drive. They plugged in a RAID, dedicated backup solution, not getting too technical. Guess what? Every single one of those devices had a documented vulnerability. And when those threat actors hit the system, you know what they did? They scan the network for vulnerabilities like a backup solution… vulnerable. They bypassed all the security measures on those devices and wiped them clean.

[22:14] We were told by the sales reps that these things were ransomware proof. I was like, nothing is ransomware proof. That’s the problem.

[27:49] We just completed a forensic investigation for a specialty practice in the northeast here, and we found twenty different hacking tools on their network. They deployed them two weeks, almost exactly fourteen days before they launched the ransomware attack. There’s a one and a half page list of all the tools that were deployed on their network.

[29:33] His exact words. I’ll never forget this:

You’re telling me I’ve been bringing a blank drive home with me every single night.

And unfortunately, we had to say yes. They had switched IT companies 2 years ago and the new IT company didn’t configure the backup properly. They had no practice management, no H.R., no x-rays, all gonzo. They had a cloud backup, too. The IT company didn’t stop the database service for the backup, so it wasn’t backing up any database files. So, even though the cloud backup is kicking off every night, they weren’t getting any valuable data saved.

They were able to watch patients in the office from the webcams. There was a female doctor in this practice. And when we shared that information, she basically broke down in tears. She’s like, “so when I was sitting at my desk, they were watching me?” If it was during this period of time, then yes.

We’re going to get into a little bit more detail of the scary stuff in the second part of our interview with Gary. And it is kind of like more of the holy crap stuff. We talk about specific stories and examples of what happened, not could have happened, but did happen now.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.