Wednesday, October 19, 2016

Ten HIPAA Security Tips Saving Small Practice’s Time, Money and Reputation


This article was submitted by contributing author, Vic Berger.

My business practice focuses on helping organizations understand their risks related to security. Cyber Security is one risk every organization struggles with. Small businesses face the same types of risks as bigger companies but lack the staffing and resources to respond the same as a large organization. I am frequently asked by small business owners “What cost effective recommendations would you make for my business to make it more secure?” Here are my top ten recommendations for small businesses when dealing with information security.

1.                  Have A Written Security Policy
Every business needs a good written information security policy. This is the basis for your security plan, as well as your legal safety net when something happens. There is no single action a company can take that is more important. Yet this is often the first issue I find in audits of companies of every size, and in every sector.  The plan needs to be well written; read and understood by every employee in the company; and consistently maintained.  There are numerous templates and examples of security policies on the internet. Many consulting companies will tailor a stock plan to suit your organization.

2.                  Encrypt Everything
The first rule of I.T. security is “no solution is perfect 100% of the time”. You cannot always trust prevention methods to keep your data safe. The only way to consistently assure the protection of your data is to encrypt it so it cannot be read. This is especially important with cloud or internet based storage accounts. Dropbox, Google Drive, OneDrive, Box, and Egnyte are all great tools, but no cloud provider will guarantee the security of your data, and all have recently been breached. My basic rule of thumb is: if it is on the internet, consider it public access unless you have encrypted it. You can encrypt your cloud storage using a simple to use (and free for personal use) encryption program from nCryptedcloud that supports Dropbox, Box, Google Drive, OneDrive, and Egnyte available at https://www.encryptedcloud.com/  You can also use a portable USB format hardware encryption and key management device from BlackSquare called Enigma, at www.blacksquaretechnologies.com for personal and small business encryption on portable devices, computers, and cloud accounts.
  
3.                  Protect Your Website
Current information security statistics indicate that 85% of all websites have one or more significant security vulnerabilities. I apply patches to my websites almost daily to keep up with newly discovered vulnerabilities. There are three basic types of websites, with three different recommendations based on what you use:
A.      A static web page with basic company information that doesn’t change. Your biggest risk is disruption or defacing of this type of website. Your hosting provider or ISP will take care of the service disruption. For defacing, keep a good site backup and do a complete CLEAN restore as soon as possible (hackers leave behind gotchas).
B.      An interactive or dynamic web site with user content and/or e-commerce. Often these are created using a standard Content Management Software (CMS) package like WordPress, Joomla, or Drupal.  These are best left to a professional company to update and manage if possible. If you must do it yourself, get a good book on securing your type of CMS. Subscribe to the vulnerability notification feed for your CMS type (all of the common solutions have this). Check your website against new vulnerabilities often.
C.      A site dedicated to internet e-commerce or a highly interactive site where users log in to access content.  Hire this one out! Do not try to do this yourself unless information security is your core business, or you have an I.T. staff with specialized training and certifications in internet security.

4.                  Data Backups
I see irreplaceable data lost almost every day. I have seen it in government agencies, fortune 500 companies, and in every industry vertical. It can be from a data breach, a hardware failure, a natural disaster, or from human error. Whatever the reason, there is no excuse for not having good backups. You should have at least one full data backup per week. More if your data changes frequently. Store the backups offsite, and somewhere safe.  I suggest the granite vault at Perpetual Storage www.perpetualstorage.com, it is the safest storage site in the country. You should also buy a GoBox and store everything you would need to rebuild your business after a major disaster.

5.                  Avoid Consumer Grade
If you can buy an I.T. product at a local box store, electronics retailer, or office supply store it is probably consumer grade, and not designed for business. This includes firewalls, routers, wireless access points, servers, storage, networking devices, tape drives, or anything that protects, moves, or manages your data. Yes, commercial grade is more expensive, for a reason: It Is Commercial Grade! Consumer grade security equipment was designed to protect a few ports and protocols commonly used by consumers. Business applications use different ports and protocols. It either does not run behind consumer grade equipment or you have to poke holes in your security to make it work. Consumer grade security is also easy to breach. Commercial grade uses much better security methods, and is consistently tested. Call your local I.T. reseller and ask them what they recommend.

6.                  Know Your Risks
Knowing what you have, that would be of value to someone else, helps you determine what to focus on to protect. Do you have sensitive or privileged data? Is your data unique or valuable? Are there government regulations like HIPAA or Sarbanes-Oxley that affect your industry? Are customers or consumers ever given access to your data? How many employees do you have, and what risk areas do they create? Beyond what is already addressed elsewhere in this whitepaper, as a minimum you need: Antivirus (web search free antivirus), Anti spyware (web search free anti-spyware), and a good security shell for your organization (Try Arellia www.arellia.com). If you have customers that are EVER by your work computers you need an anti-keystroke logging solution (StrikeForce www.strikeforcetech.com). Your mail and web should have mandatory content filters (either through your ISP or your firewall).

7.                  Plan For BYOD
BYOD stands for bring your own device. This is a huge shift in the government and corporate sector, but probably business as usual in small businesses. Small businesses often use what they have, even if it is a personal device. This is increasingly creating security issues. What your employees, knowingly or unknowingly, have on their devices, and what they do with them in their own time is now brought into your environment. This can open up security holes as well as create liability issues. Make sure that BYOD is clearly defined and covered in your security policy. There is technology that can restrict the security vulnerabilities of personal devices, so ask your local I.T. reseller for assistance. Finally, make sure your employees clearly understand your expectations and limits where BYOD is concerned.
 
8.                  Who Is Guarding The Sheep
This applies whether you are a fortune 500 company or a small business. I.T. administrators have great power. They can view privileged information, and have an extremely high level of system access and control, more than even the owners and senior executives of the company. This is a great responsibility, but also a huge temptation. It is very common to discover that I.T. administrators have been inside payroll files, HR files, or other personal or sensitive material. A good security shell like Arellia (see #6) creates log files to review, but that means that someone has to faithfully do this. Again, start with policy and clearly define responsibilities and expectations. Two person integrity is always prudent where money and manpower permit. And as always, rule #2 applies: Encrypt everything!

9.                  Physical Security Is Information Security
Theft is about opportunities, and criminals use them very effectively. Data from a stolen laptop is easier to obtain than hacking. Why brute force passwords when you can easily install a keystroke logger. A screwdriver to the back door is as good as a key if there is no other security. You must have good physical security policies and practices to have good information security. Cameras are effective and have become reasonably cheap. Programs that wipe stolen devices are commonly available. Keeping sensitive information and records locked away after hours deters opportunistic thieves. Think like a criminal, and then protect yourself from what you would exploit.

10.              Know When To Call For Help
             I am a passable plumber, marginal carpenter, and just plain dislike auto mechanics. I can do all three if required but usually end up spending more time, effort, and money than what I had intended. I can tackle small jobs but I leave the major projects to the professionals. I.T. Security is a highly specialized field with significant training and experience necessary to operate at a professional level. Your whiz kid nephew, who is good with computers, does not have that level of training or the required experience. This is especially important when there is an incident. Less than 3% of all I.T. professionals have the security experience and certification necessary to handle a data breach. I leave significant plumbing, carpentry, and auto mechanics jobs to the professionals, leave your major I.T. security issues to the professionals as well.

This article was submitted by a contributing author:
Vic Berger
CEO, Opsis Technologies
855-99OPSIS


For more information on protecting your office regarding this issue or additional HIPAA, OSHA, HR, and Medicare resources, please visit our web site: http://www.hcsiinc.com or email support at: support@hcsiinc.com.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner