Health IT Security
July 13, 2017
An article that illustrates how one successful phishing e-mail can cause a serious data breach. You can take every step possible to protect your network perimeter, control access and safeguard your patient data but you need to also make sure that every staff member accessing your network is vigilant and doing the right thing at all times as well...
Click here to view the full article.
Edward Kopp – PCIP / Phoenix Dental IT
Phoenix Dental I.T. was very pleased with the turn-out at the WRDC 2017! It was a joy meeting so many fine Dental Industry Professionals. We are certainly looking forward to attending next year’s conference in Glendale!
One of Phoenix Dental IT’s key goals at the convention was to show the ability of a Citrix Solution to render images not only on a practice’s efficiently no only and a local network but even when remotely connected. In order to accomplish this we remotely connected (using a 4G Cellphone Hotspot!) to a Carestream™ Server and displayed X-Rays and 3D Volumes for visitors to the booth. This illustrated the clear image display as well as the ability to manipulate and rotate 3D Images efficiently, even on a slower remote connection when your network is properly configured and installed.
We set up this demo in a “real-world” manner. This included using a low-cost ASUS All-In-One thin client and we deployed the Two-Factor Authentication (2FA) process required by both HIPAA and PCI-SSC.
A surprising outcome was the number of visitors to our booth that asked “why are you looking at your cell-phone?” when we were connecting to the Demo. We explained that we were getting the “second factor” required for 2-Factor Authentication.
Two-Factor Authentication is a simple concept. It is something that you can and should do right away (in both the practice’s procedures and for any sensitive connectivity you do in your personal life such as online banking.) The Basics: In order to remotely log in you need to provide 2 of 3 things.
Something You Know – This would be your User Name and Password
Something You Have – This can be a USB “KEY” or a randomly generated code (most common) that is provided when you remotely connect to the network. The easiest way to do this is to set up an application on your phone to receive SMS Messages or otherwise provide a randomly generated one-time code such as Google Authenticator TM.
Something You Are – This involves biometrics such as fingerprints, retinal scans, etc. Certainly more involved.
“Am I using Two Factor Authentication Now?” – If you are able to remotely connect to your network with just a username and password, you are NOT using 2FA.
If you are required to provide a second item to remotely connect beyond your username & password, such as a text message received on your phone or perhaps you are required to connect a USB Key to the computer you are using, then you may currently be using 2FA.
“How hard is it to install 2FA?” – Not as hard as you might think. Depending on you network’s configuration you may be able to make the necessary changes with the equipment and software that you currently have with the minor addition of a service such as Google Authenticator TM / SMS Passcode TM.
Popular remote access applications such as LogMeIn TM and GoToMyPC TM now provide the option to activate 2FA. YOU must make sure 2FA is activated for every remote user’s account! (These programs provide a second layer of verification by sending a random code to the user’s cell phone via text-message or phone call.)
“If the random code is sent to the same device I use to connect, is that 2FA?” – There is no benefit to this type of setup. If a malicious individual has gained access to your laptop and is able to receive the 2nd Factor for remote connection, it defeats the purpose. This would not meet the requirements of 2FA.
“Will every user at the practice need to enter a random passcode?” – 2FA is a requirement for remotely connecting to your network and is not required when you are physically at the practice and connected to the network. Adding 2FA features does not impact the way your on-site users login.
The time to add 2FA is now! Not using 2FA puts your network and patient data at risk.
Protect you practice’s Operational Remote Access Link Health!
The Department of Health and Human Services is off to a busy start in 2017, having just levied their second hefty fine for HIPAA violations. In this instance, the company in question was Puerto Rican insurer MAPFRE.
Back in 2011, MAPFRE had reported an ePHI incident involving a flash drive that was stolen from the company’s IT department, where it had been left in the open and unsecured overnight. The drive contained the names, social security numbers and other protected health information for slightly more than two thousand MAPFRE customers.
After properly reporting the breach, the company conducted a risk analysis and crafted an action plan designed to prevent such instances from occurring in the future. They presented their plan to OCR, which is the Health Department’s investigative arm, but then failed to implement their new proposed procedures.
When a follow up investigation revealed that the company had not taken the actions they committed to taking, in order to improve the physical aspect of their data security, OCR levied a staggering $2.2 million fine against them.
Last year was a record-setting year for the Department of Health and Human Services with thirteen settlements issued, plus a civil monetary penalty case. If January is any indication, the department looks like it’s going to have a busy 2017 as well.
Once again, the size of the settlement underscores the importance of taking HIPAA regulations seriously, but this particular case also brings to light the importance of taking timely corrective action. In this instance, MAPFRE did everything right except for the last step, when they failed to actually implement the changes they had committed to making. That proved to be a costly mistake. If your business deals with protected health information in any capacity, be sure it’s not one you repeat. Doing so could be far more costly than you realize!
As a practice owner/manager you may have elected to allow some level of “personal access” to the Internet by your team members from the work place. If so, you may be placing your network, patient information and even the practice itself at risk!
If you have “made the call” to allow your team to access the Internet from the workplace; strong measures
should be taken to be certain that under no circumstances will such access run through your business network.
In this day and age most practices provide Wireless Access to their patients. This access is (or should be!) on a separate “segment” from the business network. This is accomplished in a number of ways from creating a virtual LAN on the firewall, a DMZ or even obtaining a separate/dedicated Internet connection for public use. (“Never the twain shall meet” R. Kipling)
If you are set up in this manner, then this “public network” is the one that should be used for “personal use” and NOT the business network.
If your network is NOT segmented this way, you should reach out to your IT Support Staff/Vendor to determine the steps in creating a “public” segment on your network. You should stop all personal use until a “public network” is configured.
We discourage practices from allowing ANY AMOUNT of personal use of their network. Doing so adds an unnecessary risk to the practice and creates a number of compliance issues with HIPAA, PCI-DSS and a variety of other regulations regarding your obligation to protect your patients’ information.
Edward Kopp / (480) 393-0424 / firstname.lastname@example.org / www.phoenixdentalit.com
By: Edward Kopp - PCIP
How many points of vulnerability do you have?
As use of technology continues to expand, the “surface area” vulnerable to attack does as well. It is up to everyone (security professionals, business owners and individuals alike) to act responsibly in their deployment, operation and maintenance of the technology they own and/or use.
According to the McAfee Labs 2016 Threat Predictions Report the following growth is expected over the next 5 years:
When you take the current volume of connected devices and data flow into consideration it is obvious why there is such a major need for security! Add the expected growth in technology balanced against the shortage of experienced security support resources; it becomes clear why each of us needs to share in the accountability for security.
My family just installed an Amazon Echo™ in our home. This member of the “Internet of Things” is not a device type that I would have ever imagined owning 2 years ago. Even though there may not be vulnerability for this device at THIS time, I’ve still expanded the surface area for attack by adding yet another Internet connected device in our home.
As a consumer it’s up to you to make sure that you protect your own data by using it in a responsible fashion, being cautious what you share and with whom AND making certain that wherever you do business (whether "brick & mortar" or online), that the business respects the importance of securing any and all information that you provide.
2-Factor Authentication – The Basics:
2FA requires that you use 2 out of the 3 following “factors” to access your network remotely.
This process is what I do in order access my network remotely:
Factor 1 – I enter my username and password at the login prompt on my laptop when connecting to my network remotely. (Something I know)
Factor 2 – I am then required to enter a code that is provided for me via SMS to my cell phone in a second step. (Something I have)
Note: The SMS code I use in factor two is dynamic changing every 60 seconds. I need to enter that code before it expires. The application provides a timer that displays when a code is about to expire. If it appears that I can’t enter it and hit return fast enough, I simply wait for the timer to reset and use the newly generated code instead.
Let’s say... you’ve stolen my laptop AND I had a moment of weakness earlier today leaving a note with my user name and password in my laptop case; stupid me! Unless you also have my cell phone to receive the code provided in Factor 2, you aren’t going to be able to “crawl” my network. You may have some fun looking at pictures from my last vacation or playing a game of Angry Birds (TM) but that’s about it.
The combination of 2 Factor Authentication, appropriate “screen lock” times and appropriate behavior on my part has greatly increased the security for remote access to my network.
Common sense is still a necessity!
Adding the 2nd factor increases the difficulty involved in using a misplaced, lost or stolen device to hack into a network. Having not only 2 separate factors, but making certain they are provided 2 different ways is a great security measure. This is the major difference between 2 Factor and 2 Step Authentication.
It is estimated that 1 laptop is stolen every minute (over ½ a million laptops a year.) It would be bad enough to be part of that statistic, but much worse if that stolen laptop is used to hack your network!
Is it a requirement for your practice?
“It’s going to cost too much”:
Not really. When balancing the cost of instituting 2FA for your practice against the potential damage caused if someone were to breech your network, you’ll come out ahead. As with anything else, there are different ways to make it happen. Speak with your IT Staff / 3rd Party Tech Support about installing 2FA for your network soon. Ask them for a bid; it shouldn’t cost you anything to get a price.
“Using 2-Factor Authentication is going to be a pain”:
Not really. All I need do is look at my phone and then type in the 6 digit code it is displaying then hit enter. When I weigh that minuscule amount of additional effort against the much higher level of protection I am providing for my network, using 2FA wins, no question at all.
Can I use it at home?
2FA is being offered by more on-line resources frequently. I currently use 2FA with 1 financial institution as well as one of the Social Media sites I use. For residential use, especially those who like to keep a “credential list” on their PC or Laptop, I encourage you to check with your on-line sites to see if they offer this level of security. The only thing that is going to change is that you will need your cell-phone at hand to get the SMS code to enter after the standard User Name and Password.
If your business or home is located in the Greater Phoenix, AZ area and you would like assistance in deploying 2FA for your network; please contact us at (480) 393-0424 or send a message through this site.
From http://www.strategicpracticesolution.com/ - SPSADMIN
Today’s guest post is from Bryan Currier, CEO of Advantage Technologies – Enjoy!
As our dependence on IT systems in dental practices has grown, so has the importance of safeguarding those systems. It has also made those systems a target for malicious use.
THE LIST YOU HAVEN’T SEEN YET
BY JEANNE PARK AT DENTISTRYIQ
You’ve read it all. Generic and repackaged advice such as, “Strengthen your social media strategy,” or “How’s your SEO?” is so prevalent that sometimes it squashes creativity and progression in the dental industry. Being experimental while strictly managing marketing dollars made me realize that we have yet to scratch the surface in terms of really understanding how to increase our patient base.
Everyone within your practice should be constantly “on the lookout” for anything that just doesn’t look right.
Title credit: Bob Dylan
I remember a time (not very long ago) when making or receiving personal calls at work was strictly against company policy (unless there was a family emergency.) If I received a call during my shift, you could count on it being followed up with a quick "conversation" with my supervisor to let me know that it was unacceptable behavior (and that I should be sure to let the caller know.)