Security Best Practices

‘Secure’ means different things to different people. Keeping your Practice Secure requires looking after all of them. You’re only as safe as your weakest link.

A lot of things go into making a Practice Secure …

MME has developed Security Standards for many aspects of a Practice’s network. While each is a topic of its own, here’s a summary of each and our approach to it.

Password Security

Passwords are everywhere. Logging into the computer, logging into the Practice management software, logging in never seems to end. A nuisance, right? We’re lazy, right? So we do probably the worst thing possible: we work around it by using the same password everywhere, and a password we rarely ever change. Does this hit home with you? You’re not the only one. But Hackers KNOW this, and exploit it all the time.

You need to use good passwords. This just got a lot easier since it’s OK to use words again that we can remember. DumbWagonHorses20 will take 2 trillion years to hack. $2dtgg2# can be hacked in about 20 minutes. Length and a few small random words are what matter.

You need to use a unique password for everything you truly need to protect. Using the new password standard this isn’t too hard to manage. Make up something you can remember about each login. If you shop at Target, how about TargetIsWhereIShop20? For your Windows login at the office, IMakeGreatSmiles20.

Learn more about our suggested Gen3 Password standard over on our Blog that has a detailed set of recommendations and a video explaining the plan.

Password Management Apps

You have passwords (and user names) everywhere. If you sit down and count, most people have 40 to 100 accounts spread across the office and the Internet. We are often asked “Where is a safe place to keep them all?”. A Post-It stuck on the PC is the worst place!

Many ask if there is a Password ‘App’ that’s safe to use. Yes. We’d recommend 1Password. Recommended by white hat hacker, security expert and good-guys-team member Troy Hunt, 1Password ticks all the boxes. You set up an account, load the App onto your phones, PCs and Macs, and they can all securely access the 1Password Vaults. 1Password is subscription software, and comes in personal, family, teams and business editions.

We are also asked if there is a way to limit who can see what in the App. For example, you might want to put ALL the passwords for the Practice into 1Password, but then have only the Financial team and Doctor see some passwords (like banking and QuickBooks), and the Clinic staff to only see others (like Invisalign, etc), and the Doctor can see them all. 1Password’s Team version does just that. You can put passwords into different Vaults, and then allow different people access to the vaults.

1Password also keeps an audit trail of who accesses, adds, changes and deletes passwords. All good stuff.

This is another Product that MME walks the walk with. We use this to protect our own Corporate passwords.

Let us know if you’d like a little help getting started with it. We can advise you on how to organize the information and help get it set up. Contact Us.

Two Factor Authentication for Logins

Two Factor Authentication (2FA) is an option offered by some types of logins: when you log in, you also get a text to your phone with a code you need to type into the login process. This thwarts people who have stolen your username and password from logging into your account somewhere. They get stopped by the need for the extra code, and you get a text as a clue that someone is hacking your account.

Many services have 2FA available as an option now. The LogMeIn Remote Access solution does. Gmail, Office 365, your Bank, and more all offer it. Sadly the default for 2FA is often that it’s OFF, and you need to take an extra step to find and enable it. DO THIS! Seek out 2FA for all your online accounts and enable it. This is one of your absolute best defenses for locking down an account. A good Gen3 password is one thing, but 2FA is even better. Do both!

Antivirus Software

This need has been around a long time, so long that people often just assume it’s handled. Each Computer in your Practice needs to have Antivirus software. EVERY ONE of them. Not just the ones you think need it, or the ones that access the Internet frequently.

Viruses know to spread laterally within a network now. If the virus gets in at the Reception computer, it ‘looks around’ the network to spot other computers, and will move across the network to infect them. Each computer must have its own defenses.

An antivirus program must be up to date. New threats emerge daily, so the software must update itself frequently. Most update hourly. Keeping them up to date usually means keeping them in some form of subscription.

An antivirus program must be Monitored. When it catches a threat, it needs to tell someone that will follow up and investigate. Spotting that Ransomware is starting on the PC but being unable to stop it and not telling anyone is a problem. A good antivirus solution will have a monitoring console with someone paying attention.

Fortunately implementing all this is inexpensive and easy. Learn more about MME’s simple and inexpensive managed antivirus software service.

Windows Firewall

Every version of Microsoft Windows (Server and Workstation) has a built-in Firewall to help protect itself. The firewall acts like a shield to other PCs on the network, hiding what’s behind it. Normally a PC on your network doesn’t have any reason to show itself to other PCs on the network, so it can completely hide behind its firewall. This is a good thing: if another computer on the network gets a virus that tries to spread, it looks around on the network and can’t see any other computers (because they are hidden behind their firewalls), so the damage is limited to the original computer.

Shockingly, we often find many, many PCs have had their built-in Windows Firewalls disabled. Why? Third-party software support techs often question whether the firewall is interfering with their application, and when something doesn’t work they will turn off the firewall to see if that fixes it. Whether it does or doesn’t, they often just leave it off rather than taking the time to adjust it for their app. The ‘quick fix’. The result is you’ve lost a layer of protection.

Fixing this is simple when we find it. We turn the firewall back on, and wait to see what breaks. We don’t know why it was turned off, and all we can do is turn it back on and see if any new problems emerge. You need to be in the loop: if you find a day later that an application has a problem again, this time we can make a limited adjustment to the firewall that takes care of the app while keeping the firewall on.
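As an added example (not MME’s own tooling), here is what that ‘limited adjustment’ looks like in PowerShell on a Windows PC: all three firewall profiles are turned back on, and the application gets a narrow inbound rule instead of the firewall being left off. The program path, port and rule name are placeholders.

```powershell
# Added example, not MME's script. Run in an elevated PowerShell session on the PC.
# Placeholder values: replace the program path and port with the application's real ones.
$AppExe   = 'C:\Program Files\ExampleDental\PracticeApp.exe'   # placeholder path
$AppPort  = 5000                                                # placeholder TCP port
$RuleName = 'PracticeApp inbound (scoped)'                      # placeholder rule name

# 1. Record the current state of each profile before changing anything.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 2. Turn the firewall back on for every profile; inbound traffic is blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 3. Instead of dropping the shield, allow only this program, on only this port, only from
#    the office subnet, and only on the Domain/Private profiles (nothing opens on Public networks).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Program $AppExe -Protocol TCP -LocalPort $AppPort `
        -RemoteAddress LocalSubnet `
        -Profile Domain,Private | Out-Null
}

# 4. Verify: every profile is enabled and the scoped rule is the only thing that was added.
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```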

Microsoft Updates

Microsoft software is full of security holes. Microsoft is continually discovering new issues and releasing ‘patches’ that can be downloaded and installed. You may have heard about them as ‘Windows Updates’. Most Windows computers are configured to automatically check for new Windows Updates daily, and apply them and reboot in the middle of the night (one of the things your PC does at night when you leave it on). This is great: the PC patches itself.

Often we discover PCs that have had the automatic feature turned off, or adjusted in some way so that it’s not applying all the fixes. There can be many reasons for this, from user error to a glitch in the software. Regardless, we want to periodically confirm manually that all updates are applied and that the system is updating automatically.

Without doing this you can be leaving the PC vulnerable to exploits that have already been patched. HIPAA mandates that any PC in use at a Practice be fully patched at all times. Sound advice for once that we agree with.

Automatic Locking

When someone isn’t actively working at a computer it should be set to automatically lock the screen after a certain period of time. This protects you from leaving a computer logged in with sensitive information on it (e.g. the Practice management app is open) where any stranger can walk up to the computer and access it. Think of Consult Rooms where patients are left unattended waiting on the Doctor, or any workstation in the office after hours when the Janitors are doing their work. We’ve caught this going on in the past.

You can’t depend on your staff to remember to close out of all applications and logout of the computer before they leave. That whistle blows at 5pm and they are outta here!

Windows has a built-in feature where it will ‘lock’ the screen after a certain period of inactivity, usually set to about 15 minutes. When you come back to the PC, you’ll need to enter your password again to unlock it. Not unreasonable for the protection it provides.

Many Practices or Staff work to defeat this. They think it’s a hassle (which it is, remember I said Security is a PITA). They turn the feature off, or set the lock time to be many hours. This isn’t good. We can see adjusting the Clinical PCs to not lock for an hour, or a Sign In computer to not lock for 2 hours, but most computers should be set to a reasonable threshold of about 15 minutes.

Discuss this with your MME Project Manager to find the right balance of convenience and Security for these settings in your Practice.

Staff Come & Go

Staffing turnover is a part of any business. Sometimes they leave on good terms, sometimes not. What do you do about security when they leave? Did they know the passwords for the WiFi? If so they can sit outside in their car with a laptop and still access the network. Did they know the logins to the Practice Management? The Banking? Do they know passwords used by other staff members (many Practices share common passwords)? Did you disable their logins?

When someone leaves the Practice you should immediately roll all the passwords they knew. Many don’t because of various reasons:

  • They just don’t think about it
  • They don’t think the person will do them harm
  • They don’t know the extent of what needs to be changed
  • They don’t know how to do it
  • They think it’s a nuisance so they ignore it

All reasons, but none that will justify allowing an attack to happen. We find this all the time, sometimes dozens of old user accounts still active in a network.

MME will work with you to review the lists of users and discuss the findings with you. You can identify the ones no longer needed, and together we can coordinate a proper changing of all the other passwords.

If you’ve had a staff member leave and haven’t done this with us, please Contact your MME Project Manager and we can get started right away.
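As an added example of the user review described above (not MME’s own script), this PowerShell lists every enabled Active Directory account that has not logged on in 90 days, then disables a departed person’s account and removes its group memberships rather than deleting it. The 90-day cut-off and the account name ‘jdoe’ are assumptions.

```powershell
# Added example, not MME's script. Needs the ActiveDirectory RSAT module and an account
# allowed to read and disable users. 90 days is an assumed cut-off for "old" accounts.
Import-Module ActiveDirectory

$StaleAfterDays = 90
$Cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# 1. Every enabled user that has not logged on since the cut-off, or never has.
#    LastLogonDate replicates only every ~14 days, so treat it as approximate.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, Description |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    Sort-Object LastLogonDate

$Stale | Select-Object SamAccountName, Name, LastLogonDate, Description |
    Format-Table -AutoSize

# 2. Disable a departed person's account once the list has been reviewed with the Practice.
#    Disabling (not deleting) keeps the audit history; removing group memberships means a
#    mistaken re-enable later does not quietly restore server and share access.
function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $User = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $User
    Set-ADUser -Identity $User -Description "Disabled $(Get-Date -Format yyyy-MM-dd): staff departed"
    foreach ($Group in $User.MemberOf) {
        Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false
    }
}
Disable-DepartedUser -SamAccountName 'jdoe'   # placeholder account name
```

The shared WiFi and application passwords the person knew still have to be changed by hand; this only covers the Windows logins.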

Brute Force Account Lockout

Imagine that one of your staff has left under less than ideal circumstances. Or the Janitor is a bit too curious and is trying to get into your computers to poke around. Or a hacker is beating on the network trying to breach the Server’s Administrator account.

Rather than letting a bad actor repeatedly try password after password trying to guess the login (a Brute Force Attack), we can set up the computers to automatically lock out the account they are banging on after a certain number of attempts in a period of time. For example, after 5 failed logins within a 5-minute time period. By automatically turning off the account, it guarantees to stop the person from guessing any further.

Rarely would your staff accidentally trip this threshold, and if they did then they really don’t know the password anyway. We can also set up the account to automatically unlock after a set period of time (typically 30 minutes) so you won’t need to call MME Support to unlock it.

Over the years we’ve found this to be highly effective at stopping attacks. Attacks we don’t even know about until we see the notices that the accounts locked out, or your calls that it’s locked but it wasn’t you trying.

This feature is included in Microsoft software, but surprisingly it’s turned off by default. It only takes a couple of minutes to enable. We’ll be happy to discuss it with you and set it up for your Practice. Please Contact Us.
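As an added example (not MME’s own procedure), the lockout policy described above, 5 failed logins within 5 minutes locking the account for 30 minutes, set with PowerShell for both local accounts and a domain, plus a small function that pulls the lockout notices (Security event 4740) so you can see which machine was doing the guessing.

```powershell
# Added example, not MME's script. Values match the policy described above.

# --- Stand-alone PC or workgroup (local accounts): net accounts sets the local policy ---
net accounts /lockoutthreshold:5 /lockoutwindow:5 /lockoutduration:30
net accounts   # prints the policy back so the change can be verified

# --- Domain (accounts on the Server): set the Default Domain Policy instead ---
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 5) `
    -LockoutDuration (New-TimeSpan -Minutes 30)
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# --- Monitoring: every lockout is logged as Security event 4740 on the PDC emulator ---
function Get-RecentLockouts {
    param([int]$Hours = 24)
    $Pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            When    = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName: the account that locked
            From    = $_.Properties[1].Value   # Caller Computer Name: where the attempts came from
        }
    }
}
# An unfamiliar "From" machine, or one account locking over and over, is the brute-force clue.
Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```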

WiFi Configuration

Most every Practice has WiFi. Many have separate WiFi zones for the Public (patients) and for Private (your staff).

The Public or Guest zone is typically configured to allow access to the Internet only, and should have no access at all to the Practice’s Server, computers or data.

The Private zone is typically configured on the same network as the Server and all your PCs. If you connect to the Private zone, you can potentially access the Practice’s devices or data.

Properly configuring your WiFi systems is crucial. I think they need to be periodically reviewed and adjusted to meet the latest standards, things like:

  • Is the Guest zone really isolated? How do you know?
  • Is the Guest zone on 24×7? Why not configure it to turn off outside normal business hours.
  • Does the Guest zone have a passphrase required to connect? It should. Many times, we find your neighbors using your Guest zone, and your precious Internet bandwidth. Set a password that meets our Gen3 password standard, but is still easy to share with patients and staff. Make something up like WeMakeSmiles20. Change it annually.
  • Does the Guest zone have a throttle? Do you really want kids in the lobby watching 4K video streams from Amazon using all your Internet bandwidth? We can usually rate restrict each user’s session to a reasonable amount.
  • Do your staff link their phones to the Private zone or the Guest zone? ALL phones should be linked to the Guest zone only. The logic here is that there is no reason for devices like those to access the Server or PCs directly, so why risk connecting a Staff member’s phone that could be infected to the Private network. Even the Doctor’s phone just needs to be linked to the Guest zone.
  • The Private zone should be used ONLY for devices that specifically need access to the Server or another device on the Practice’s network. In reality there are very few things that need this. If you use laptops on WiFi that talk to the server, yes, that’s a good use. If you have an Invisalign scanner that only needs to get to the Internet, link that to the Guest zone.
  • Is the firmware up to date on all the Wireless Access Points? Just like with the Internet firewall devices, manufacturers of these devices are constantly refining the code within them to work better and close security holes. We want to keep these access points fully up to date.
  • Is the Private zone passphrase strong and secure? Have any staff recently left that knew this passphrase? Does it meet the Gen3 password standard? It’s probably time to change the Private WiFi zone password and then keep it secret except for the very few devices that have a real need to connect to it.
  • Do you have any Rogue Wireless Access Points running in the office? WiFi zones you didn’t realize were there? Often we discover these. Fancy new printers have ‘WiFi Direct’ setups that are actually WiFi zones on by default that allow anyone to connect. Devices from companies like Invisalign often ship with a basic WiFi access point, and rather than just linking to the Guest WiFi zone someone just plugs in the device it shipped with (which has no security at all). We can run a scan that detects all the zones in a Practice, and then work with you to track down any that are unexpected.

Too often these are Set & Forget, and they do just keep working. But they represent a real security threat to your network if not well looked after. Please Contact Us and we can discuss with you what’s needed to give them a tune up!

Secure Remote Access

Most Practices have some form of ‘Remote Access’ where the Doctor or a trusted Staff member can work from home, accessing a computer and the data at the office. Literally the ability to walk right through the Front Door to the Practice’s network. Obviously, this needs to be highly secure to be sure only authorized staff have access and to keep Hackers out.

In the olden days (like just 5 years ago) it was commonplace to ‘Open’ a hole through your Internet Firewall to allow a user to use a free piece of software called Microsoft Remote Desktop (RDP) to simply remote control a PC at the office. Worked great. Was also massively insecure when used this way. This was the #1 way hackers were gaining access to Practice networks. Today there is no circumstance where you should have an Open RDP port in your firewall. Just no longer using it doesn’t solve the risk; we need to be sure the configuration is removed from the firewall device altogether.

MME now has several secure remote access options for your Practice, and you can learn about them here.

We have a few online training guides to help you as well:

Internet Firewall – You need a Smart One

The Internet Firewall is a device that sits between all the computers on your office network and the Internet. If you have Internet access at the office, you have one of these.

Their job is to allow all your computers and devices to get out to the Internet, and to keep things from the Internet crawling back into your network to do bad things.

Not all Firewalls are the same. Sure, they all let you get out to the internet, but it’s the “Protecting You” part where they differ massively.

Simple (Dumb) firewalls know just enough to let you out to the Internet, and will stop only the most basic of bad things getting back into your office.

Smart Firewalls do more. Some can watch for what’s trying to get in and detect bad behaviour. Others know that you don’t normally allow traffic from Russia or China to communicate with your Server, so they block the traffic automatically. Others can actually look at the URLs you are surfing to and stop you before you accidentally open a link that contains a Virus.

Smart Firewalls are where the best defenses come from today. But there are new security threats discovered all the time. Your firewall should NOT be a set it and forget it device. It needs to keep up. Keeping up might mean several things:

  • Have an active Subscription with the manufacturer that allows it to be kept up to date with a database of threats to monitor (most Smart Firewalls are sold this way and have annual subscriptions for these services)
  • Have their firmware (internal programming code) regularly updated. Manufacturers are continually refining this and provide the updates for free as long as the device is under subscription. Takes some skill to install.
  • Are all the Security features for the Firewall actually turned on and fully configured? Often support techs turn features off to experiment to see if that fixes some other issue inside the Practice, and then don’t take the time to re-enable or adjust the setting properly afterwards.
  • Have their configuration critically reviewed periodically to challenge whether any security holes are still needed. i.e. Can we remove the RDP access settings?
  • Does it have the processing power to undertake all these tasks without slowing down your access to the Internet? The basic models can keep up with basic Internet Service speeds (like 25×5 Mbps) but struggle if there are 15 users actively trying to use a 150×10 Mbps connection. It just can’t process all the scans fast enough. Upgrading the device to a more powerful model might be needed.

Smart Firewalls from even 2-3 years ago are miles behind on what can be done to defend a Practice today. A Firewall today can dynamically watch each packet of traffic from every device in your office, and when it ‘senses’ some shenanigans it doesn’t understand, it can immediately act. Even if it hasn’t been programmed to know that specific threat, it can recognize it as a threat based on what’s going on. This is one of the tools we need to stop Ransomware in its tracks.

Because Smart Firewalls are no longer ‘Set & Forget’ Devices, MME is changing the way we approach them. We no longer suggest just buying the device, installing it, and forgetting about it until something makes us think about it. We are now recommending that our clients purchase their firewall as a ‘Managed Service’ from us. Essentially you are paying a monthly fee for the device, and MME will take care of everything else on an ongoing basis with dedicated monitoring and a team to look after them. Our hope then is that we stop more problems before they start, and we can always be sure your Smart Firewall is as smart as it can be.

Learn more about our Managed Firewall Services.

Server File Security Settings

If you share a folder on your network it has some form of access security attached to it. This access control can limit who can see and access the files. This is something you want to have setup correctly. Ideally it is configured to allow your staff to get to files, but not strangers.

Far too often we discover that a third-party tech support person has dumbed the permissions down so that Anyone can access Any files (Any/Any). Another one of those lazy steps they take when troubleshooting a problem with their software. Really, really not safe. Any stranger that can get onto the Private WiFi zone can then see, and delete, any files.

Reviewing the Server’s shares and their assigned permissions is what’s needed. If something irregular is found, we can tighten up the security again. But, we’ll all want to be aware of a change like that in case it breaks something again. When the discovery of something broken is made, this time we can be included in the fix and ensure that the Any/Any doesn’t return and that they make specific adjustments to allow their software to run.

Backups and Encryption

Part of your Security plans must include recovery from a disaster, natural or man-made. We’ve discussed our backup philosophy extensively here in Services. It points out that backups need to be monitored and tested to be sure they are ready when and if they are needed.

MME includes this monitoring and testing in our Proactive Server Maintenance program. You can learn more about it here.

One key element about any Backup in the Practice is that it must be encrypted to meet the guidelines of HIPAA. If the backup is lost or stolen, it must be encrypted to not be considered a breach.

The various tools MME uses to perform backups can be enabled for encryption.

Drive Encryption

Do you have any electronic Protected Health Information (ePHI) on your Servers or computers? Of course you do. Every single device probably does. People often suggest that the workstations don’t, but you can’t prove the negative. A computer stolen from a Practice is assumed by default to be a breach unless you can prove it had no information on it (how do you do that?), or that its hard drive was encrypted. Just like with backups, if the hard drive is encrypted you are in Safe Harbor, and it’s not a breach.

5 years ago encrypting all the hard drives in a Practice was difficult and impacted performance. The good news is that today with Windows 10 and fast SSD hard drives, this is very simple to do. Microsoft now includes its encryption software ‘BitLocker’ in Windows 10 Professional. Enabling BitLocker takes only a few minutes, and we need to be very good about storing the encryption keys safely. But other than that it’s set and forget.

The problem is not everyone has thought to do this. Checking the PCs on your network is the first step. If none or only a few are BitLockered, it’s just time to clean up the rest. Please Contact your MME Project Manager to find out more.
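As an added example (not MME’s own procedure), this PowerShell does the per-PC check described above, enables BitLocker on an unprotected Windows 10 Pro drive with a TPM, and then produces the recovery-key record that has to be stored safely (in Active Directory if available, and in the Practice’s 1Password vault). The mount point is the OS drive; everything else is standard BitLocker module cmdlets.

```powershell
# Added example, not MME's script. Run elevated on a Windows 10 Pro PC with a TPM.
$Mount = 'C:'

# 1. The "first step" check: is this PC's OS drive actually protected?
function Get-OsDriveEncryptionState {
    $Vol = Get-BitLockerVolume -MountPoint $Mount
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        VolumeStatus     = $Vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus = $Vol.ProtectionStatus   # 'Off' means the keys are not enforced yet
        Protectors       = ($Vol.KeyProtector.KeyProtectorType -join ', ')
    }
}
Get-OsDriveEncryptionState | Format-List

# 2. Enable on a PC that is not yet protected. The TPM unlocks the drive silently at boot;
#    the recovery password is the key we must store safely before relying on the encryption.
$Vol = Get-BitLockerVolume -MountPoint $Mount
if ($Vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
}

# 3. Get the recovery key off the PC: escrow it in Active Directory (ignored on a workgroup PC)
#    and return a record to paste into the Practice's password vault. Never leave it only on the PC.
function Get-RecoveryKeyRecord {
    $Recovery = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $Recovery) { return $null }
    Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $Recovery.KeyProtectorId `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        KeyProtectorId   = $Recovery.KeyProtectorId
        RecoveryPassword = $Recovery.RecoveryPassword   # 48-digit key; store it in the vault, not on a Post-It
    }
}
Get-RecoveryKeyRecord | Format-List
```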

Email Encryption

HIPAA mandates that any ePHI that is transmitted over the Internet must be encrypted. Whether you are a fan of HIPAA or not, this makes good sense. No one wants to accidentally leak a patient’s information onto the Internet or deal with the Breach this represents.

Implementing encrypted email isn’t that simple. It has to be encrypted from the moment you create it until it’s received by the recipient. You only control the beginning part of that transfer; everything in between is outside your control.

Several solutions exist that we have used, including Send Inc., Protected Trust, and Office 365 with Azure encryption. It’s the latter that MME uses most, since it is simple and affordable.

If you’d like to start implementing please Contact your MME project manager to learn more.

Security Cameras

Security cameras play various roles in a Practice, from safety to training. More modern systems record to a device on the network called a DVR or NVR. Even more modern cameras record direct to the Internet (and kill all your bandwidth, but that’s another story). Keeping these systems secure and updated is essential. Often they are just another Set & Forget device until they stop working, a discovery that’s usually made when they are needed most. We would suggest looking after the following on a regular basis:

  • Like the firewalls and wireless access points, network connected cameras and NVRs have firmware inside of them. Their manufacturers are continually refining the code and issue updates. Most require some skill to apply. All these devices should be routinely updated with the latest firmware.
  • The passwords for these devices should be a unique Gen3 password. It should not be openly shared with staff. It should be kept in a safe place like your 1Password app.
  • You should periodically check that the cameras are all working and you can retrieve historical footage going back far enough that you think is reasonable. Just open the apps and take a few minutes to browse your cameras and recordings.

While MME doesn’t pretend to be a security camera specialist, we know a fair bit about them and can often help. We have developed an expertise with Ubiquiti brand security cameras and NVRs that are well suited to typical circumstances. If you need a little help with your Security Cameras, please Contact Us.