Keeping a Practice safe from IT risks is an ever-evolving challenge. What was appropriate 3 years ago is not sufficient to protect against current challenges.
Whether you are a new or existing customer, it is wise to conduct routine security audits to make sure your technology infrastructure is taking advantage of the latest security offerings to protect you and your patients’ health information.
Security means many things in a Practice:
- Is every password used in the office strong and safe?
- Are your passwords stored securely in an app?
- Is antivirus software installed on every computer and working?
- Is the Internet firewall properly configured to fight off hackers?
- Are the Windows firewalls enabled on all the PCs and server?
- Are all the Microsoft Windows security patches applied?
- Do the computers automatically lock or log out when no one is using them?
- Staff come and go – but have their user accounts and passwords?
- Is remote access to your network secure?
- Are all the patient data on encrypted hard drives?
- Are any emails with ePHI being sent in encrypted format?
- Are all the backups working and are they encrypted?
- Is the server’s security set up correctly to limit access to files?
- Is the WiFi properly configured to keep out strangers?
- Are the security cameras working and accessible?
- And the list goes on….
Doing security well requires paying attention to all of these aspects, not just the ones that easily come to mind. To make it even more challenging, the list keeps evolving as we must adapt to the emerging threats posed by hackers.
Sticking your head in the sand and ignoring it can be one approach to take since it seems so overwhelming, but this will leave the Practice open to risk and liability. If everyone else does these things and you don’t, and you have an incident, you have not met the peer standard and will be at definite risk.
MME can help. We have solutions. We review where you are, develop an action plan to remedy the weak spots, and then start picking off items one at a time.
Security is Inconvenient
Security, by design, is an inconvenient pain in the a$$. It is meant to challenge the user to confirm who they are and that they are allowed to access a resource. Without the challenge there is no point. People do not like to be challenged. We do our best to simplify the challenges while meeting the goals, but security requires willing participation by your staff. To tighten up security in your Practice you must be willing to set the standard that your team will comply with.
The Motivation You Need
The healthcare industry is under attack. It is under attack by hackers successfully breaching networks like yours and deploying ransomware. Ransomware encrypts all of your Practice’s data and then denies you access to it. Only the hackers have the digital key to unlock it. They take the time to destroy all of your backups before they reveal themselves. They then extort tens of thousands of dollars from you to ‘give’ you back your data. Your Practice is paralyzed. Most people pay. The hackers are millionaires getting richer every day.
Ransomware is the single largest risk to your Practice today. You need to bring your Security up to date to have any chance of defending against them.
The First Step – an MME Security Audit
We need to look under the hood at every aspect of your Practice’s security. The list of what needs checking keeps evolving. If we or another IT company set up your network 5 years ago, or even 1 year ago, what was secure back then may not be any longer.
We call this an MME Security Audit. An audit will determine if your network’s critical items are up to date and protected. We can accomplish the audit remotely and it usually just takes a few hours to complete.
The overall security in several categories is graded according to our current standards. You will be provided with an easy-to-understand letter grade from A to F in the major categories.
Categories with grades less than an A will have a recommended plan of action to remedy them. These can be as simple as updating some passwords or a device’s firmware. Sometimes it is more involved, such as suggesting replacement of a PC running Windows 7, which is now a HIPAA risk.
Your MME project manager will follow up with you after the audit and discuss what was found and answer any questions. Then together we can start to take action and move forward.
If you would like to start improving the security in your Practice, please contact us. We are ready to get started.
Get a Second Opinion
We hate to say it, but how can you be sure MME caught everything there is to find during our audit? We do our best to keep current on issues, but we are not a full-time, dedicated cyber security company. It is possible we missed something or are not aware of a brand new risk.
To raise the bar further we recommend that you enlist a cyber security company to double-check our work. Most IT people cringe at the thought of having someone else audit them since it might make them look bad. We welcome the opportunity to learn from what was missed. You benefit now and we make our own audits better.
MME is so committed to this new mantra of check and recheck that we have hired a cyber security company to routinely audit our own company’s internal workings. MME has developed a relationship with Black Talon Security (BTS). BTS is an American company focused on the dental industry. Many of their team came from CareStream Dental. BTS is focused on knowing the risks your Practice faces and telling you the naked truth about what needs to be done to mitigate them.
If security matters to you, we recommend that you enlist BTS to review your network after you have had MME do a security audit and worked through the recommendations. When MME thinks things are all buttoned up, that is the time to check our work.
BTS offers their services as a monthly subscription, as security is no longer a set-and-forget challenge. It is constantly evolving and new risks continually appear. BTS will do periodic internal and external audits of your network. They will train your staff about HIPAA and how to defend against email phishing attacks. With your permission, they will share their periodic results with us so that we can work with you to implement improvements.
If you would like to work with Black Talon Security you can reach out directly to Gary Salman (firstname.lastname@example.org) and tell him you are an MME customer looking to get a second opinion. They will take care of you. Or you can just ask your MME project manager to get this started for you and we will get them connected with you. Contact us.