Eyecare Security Updates 2014



Part II in our series of HIPAA and Security Updates from guest author Van Rue:

Anti-Virus & Firewall:  Popular freeware anti-virus programs like Avast!, Avira and AVG offer only basic home-level protection against older threats, and will not stop more complex or emerging viruses (some clever viruses will simply turn these programs off).  Even popular home brands like Norton and McAfee offer only slightly improved protection and often come riddled with bloat-ware that offers a false sense of security.  Commercial-level solutions used by IT professionals offer a higher level of heuristic protection, which looks for new and modified viruses, or even programs that behave like viruses.  I recommend the business versions of ESET NOD32, Bitdefender, Sophos and Kaspersky.  Business editions of these software suites give you centralized control of all your computers so that no updates or scans are missed, and require a password to disable protection or change settings.  This also prevents settings from being changed or disabled by users (is your anti-virus really running on all your computers?).  Many newer viruses don’t damage your computer; instead they track your usernames, passwords and other personal information, simply because it pays much better.  Business identity theft is the hot new trend.

If you use a Windows Server it can centrally manage the Windows Firewall software on every PC so that no single user can turn it off, and you don’t have to configure each PC one by one.  Set the rules on the server and it updates all the clients. Optionally, some AV products are combined with their own firewall, but I find that although they are effective they are often “noisy”, with lots of pop-ups that interfere with tasks.  I personally use a Windows Server where I can set software firewall rules for all my computers.   The Windows built-in firewall is actually robust, easy to use, and mostly invisible.

New Secure Passwords:  We have all faced the frustration of logging into a site but failing to remember that obscure but very secure password, so we often compromise and use something easy.  A great way to create a password that is both strong and easy to remember is to take an easy-to-remember phrase and substitute symbol characters for the vowels.  So if you are a Gilligan’s Island fan, for example, you could use “G1ng3r@ndM@ry@nn” (for the record, I like Mary Ann better), which is both very secure and very easy to remember.   You’re whistling the theme song, aren’t you?    I just logged into a previous employer’s vendor account using an old password from almost 10 years ago!  I left on good terms, but even large companies can forget basic security.   I could have ordered $10K+ worth of products shipped anywhere I wished.  Changed your passwords lately?  You should change all your key passwords at least once a year or when an employee leaves, but important passwords like banking should be changed at least every quarter.

A great secure site to verify password strength is here:  https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx.   Wherever you verify your password strength, make sure the website address begins with https: (the “s” stands for secure) and that the site belongs to a well-known company.    A clever hacker could learn your new password before you’ve even used it!  Yes, the web is that dangerous.
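The same kind of strength check can be run locally, so the candidate password never leaves your own machine. The script below is an added example written for this article, not a tool from the author or from Microsoft; the length and character-class thresholds and the short list of common passwords are assumptions chosen for the demonstration, and the entropy figure is only the usual pool-size estimate (it treats every character as random, which a phrase-based password is not).

```python
import math
import string

# Constructed list of common passwords for the demo; a real check would use a full breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "gilligan"}


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def charset_size(password: str) -> int:
    """Size of the character pool the password draws from, used for the entropy estimate."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound guess-space estimate: log2(pool_size ** length)."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def check_password(password: str, min_length: int = 12, min_classes: int = 3) -> dict:
    """Apply a simple policy (assumed thresholds) and report every problem found."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if classes < min_classes:
        problems.append(f"uses only {classes} of 4 character classes (need {min_classes})")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return {
        "length": len(password),
        "classes": classes,
        "entropy_bits": round(entropy_bits(password), 1),
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    for candidate in ("G1ng3r@ndM@ry@nn", "Gilligan1", "password"):
        report = check_password(candidate)
        status = "OK" if report["ok"] else "WEAK: " + "; ".join(report["problems"])
        print(f"{candidate!r}: {report['entropy_bits']} bits, {status}")
```

Run it from a command prompt and type the candidates into the script rather than into a browser; the report lists each failed rule so a user can see what to change.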

Networks:  Many practices use the router their ISP gave them or a home router from a Saturday trip to Best Buy.  These home-designed products are cheap but don’t offer the level of security your practice needs, especially if you allow guest wireless access to your patients.  Often their included hardware firewalls are turned off while they are configured and never turned back on.  Although it’s unlikely your 2 pm patient is snooping on your network, those signals travel a long way, and there may be someone at the Starbucks on the corner who is.  To comply with HIPAA and to secure your network you need a business-class router that offers a secure hardware firewall, VPN, VLAN, DMZ and multiple SSIDs for wireless security.  Basically, these allow your network to have zones with different levels of security.  Think CIA and “need-to-know basis” and you will have a better idea of what those letters do.  If you don’t know what these terms mean, you need to hire a professional who does.  To go to the next level, a UTM router/firewall will provide an active level of threat protection by blocking outside access from a specific country, like Romania or Nigeria, and stopping viruses before they even get to your computers.  If all this sounds like a lot of money and work, compare it to logging in right before payday and finding your business bank account completely empty, which has actually happened recently.

Windows Server Essentials (formerly Small Business Server) offers you even greater control over device and user access, and can administer Windows Firewall on all your computers in addition to other great features.  Although cloud services often provide some features once offered only by servers, they don’t offer network security or control over all your devices the way a dedicated server can.   A professionally configured server may offer your business vastly improved security over an ad-hoc peer-to-peer network or cloud services.   It should be considered if you have 5 or more computers in your office.

Most hackers now rely on automated bots that run 24/7 to find holes in weak networks or computers and can “port sniff” thousands of IPs per hour.  There is an automated computer somewhere hunting for a small network like yours, and it finds you by IP address, not by reputation, so your small size is no protection.  One practice just lost over $200,000 last month, most probably because they were first infected by a virus, which allowed their computers to be hacked, then their email compromised, and all their passwords accessed because the hackers were simply watching everything they did; they had no idea until all their money was suddenly wire-transferred overseas and gone forever.   You need to be running modern professional versions of operating systems and robust business anti-virus software, use strong passwords, and have multiple layers of active firewall and network protection to stay both HIPAA compliant and guard your valuable assets.
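The automated scanning described above leaves a visible trace: one outside address knocking on many different ports of the same machine within a short time. The script below is an added example, not part of the article, that reads firewall log lines and flags sources that hit at least eight distinct ports within sixty seconds (both thresholds are assumptions). It assumes the space-separated layout of the Windows Firewall log file (pfirewall.log); the sample lines are constructed for the demo and use documentation IP ranges, not real hosts.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the pfirewall.log layout: one outside host probing ten ports in a few
# seconds, one normal internal connection, and one outside host making a single attempt.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-03-03 09:15:01 DROP TCP 203.0.113.77 192.168.1.20 44123 21 52 S 100001 0 8192 - - - RECEIVE
2014-03-03 09:15:01 DROP TCP 203.0.113.77 192.168.1.20 44124 22 52 S 100002 0 8192 - - - RECEIVE
2014-03-03 09:15:02 DROP TCP 203.0.113.77 192.168.1.20 44125 23 52 S 100003 0 8192 - - - RECEIVE
2014-03-03 09:15:02 DROP TCP 203.0.113.77 192.168.1.20 44126 25 52 S 100004 0 8192 - - - RECEIVE
2014-03-03 09:15:03 DROP TCP 203.0.113.77 192.168.1.20 44127 80 52 S 100005 0 8192 - - - RECEIVE
2014-03-03 09:15:03 DROP TCP 203.0.113.77 192.168.1.20 44128 135 52 S 100006 0 8192 - - - RECEIVE
2014-03-03 09:15:04 DROP TCP 203.0.113.77 192.168.1.20 44129 139 52 S 100007 0 8192 - - - RECEIVE
2014-03-03 09:15:04 DROP TCP 203.0.113.77 192.168.1.20 44130 445 52 S 100008 0 8192 - - - RECEIVE
2014-03-03 09:15:05 DROP TCP 203.0.113.77 192.168.1.20 44131 1433 52 S 100009 0 8192 - - - RECEIVE
2014-03-03 09:15:05 DROP TCP 203.0.113.77 192.168.1.20 44132 3389 52 S 100010 0 8192 - - - RECEIVE
2014-03-03 09:15:40 ALLOW TCP 192.168.1.15 192.168.1.20 50122 445 52 S 200001 0 8192 - - - RECEIVE
2014-03-03 09:16:02 DROP TCP 198.51.100.9 192.168.1.20 51000 3389 52 S 300001 0 8192 - - - RECEIVE
"""


def parse_log(text: str):
    """Yield one dict per data line; header lines starting with '#' are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8:
            continue  # truncated or malformed line
        yield {
            "time": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
            "action": parts[2],
            "protocol": parts[3],
            "src": parts[4],
            "dst": parts[5],
            "sport": int(parts[6]),
            "dport": int(parts[7]),
        }


def find_port_scans(rows, min_ports: int = 8, window_seconds: int = 60) -> dict:
    """Return {src-ip: max distinct dropped ports seen within one window} for sources over the threshold."""
    by_src = defaultdict(list)
    for r in rows:
        if r["action"] == "DROP":
            by_src[r["src"]].append((r["time"], r["dport"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dport -> occurrences inside the sliding window
        start = 0
        for t, port in events:
            in_window[port] += 1
            # Slide the window start forward until it is within window_seconds of this event.
            while (t - events[start][0]).total_seconds() > window_seconds:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


if __name__ == "__main__":
    for src, ports in find_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {ports} distinct ports within 60 s")
```

Point `parse_log` at the real log file (on Windows it is written only after logging of dropped packets is enabled in the firewall profile) and the same loop will report every external source that probed the machine, which is the evidence you want when deciding whether the router's firewall is actually doing its job.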

If this all went over your head, that is OK; no one is an expert in everything.  You may need to bring in a computer professional who is an expert in small business network security.  It takes a large degree of knowledge to configure computers, networks, Wi-Fi and firewalls to provide a high level of security yet still offer ease of use.   If you don’t have an IT person now, talk to the OMD practices you work with and find out who they use for their IT work.  You may find a professional who is more attuned to the optical industry.   You will sleep much better knowing your data and bank accounts are safe and secure and the HIPAA police won’t show up with a tablet in hand like Moses coming down the mountain.

Computer viruses don’t grab the headlines anymore, simply because they are more after your passwords than crashing your computer.   In most cases you just never know they were there until you have a credit card charge you didn’t authorize or money is transferred out of your account.  Hackers are gaining in sophistication and are partnering with identity thieves to target small businesses, and they are stealing billions.  Many optical practices have been stung this month alone in a variety of dangerous ways.  Although everyone complains about implementing new HIPAA regulations, I am personally glad the law exists to protect my healthcare information, so if it seems burdensome to you as a provider, remember that you will one day be the patient.  You want your information well protected.    With stricter HIPAA standards and increased small business identity theft, there has never been a more important time to upgrade your security practices, devices, software and protocols.  The paycheck you save could be your own!


Van Y Rue is currently a VP at Single Vision Express, an optical lab near Seattle, WA, but was in a former life thrust into the role of IT rat.   He also consults and teaches on Medical Practice Management and Progressive Lens Technology. You can reach him at van@singlevisionexpress.com or 425-739-6501.
