The Importance of Secure Processes

Secure processes are effectively standardized procedures (expressed as policies) that govern how your office handles day-to-day activities, and a number of them can make your practice safer. These policies should all be documented. Documentation both encourages consistent adherence to the policies and gives you something to attest to your office’s security practices should you face an investigation or audit by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

One of the most important steps you can take is to keep your software up-to-date. It’s a straightforward yet absolutely crucial step to safeguarding any individual computer, server or network. The vast majority of malware targets flaws in software that have already been discovered and fixed. If the updates fixing those flaws have been put in place, the attacks will fail to penetrate your system and effectively bounce off since the weaknesses they’re looking to exploit won’t be there. Moreover, any software that is no longer being updated by its developer (like the Windows XP operating system) should be replaced at once.

It’s also critical to change the default settings on your equipment. Basically anything that has a password and just works right out of the box will have a default password (and sometimes a default username) an attacker can look up easily. Apple products, for example, typically use “Alpine.” A good place to start is with the router connecting your office to the Internet. In addition to the password concern, there are a number of steps that should be taken to secure it. While routers often do the job of connecting you to the Web effectively, they are also vulnerable to a number of different attacks if they aren’t set up (aka “configured”) properly. For example, it’s unfortunately all too common for an older wireless router to use WEP (which stands for “Wired Equivalent Privacy”) protection. This is a serious problem because WEP encryption was cracked over ten years ago – a hacker with minimal skills can easily break into any network using it. Instead, make sure your router is using a current encryption standard, like WPA (“Wireless Protected Access”) with the Advanced Encryption Standard (AES) or WPA2. WPA2 should be on any equipment manufactured since early 2006. The type of encryption a router is using is often written right on it. If it isn’t, you can check – and often change – it on the router’s online configuration page.[1]

A process known as operating system (OS) hardening involves removing any unnecessary software and functions from the computers and servers in your office. While it may not seem like that big of a deal if no one is using the software or function, a hacker can still go through any of them to get inside your network. Less software and fewer enabled functions mean fewer potential weak spots for an attacker to target.

Your computers should be shut down at the end of the day. Electronic attacks only work against computers that are powered up.

Data encryption should be a given for an office handling Protected Health Information (PHI). While the full-disk encryption we discussed in Part I certainly can’t hurt, file-based encryption is better at safeguarding the data stored within your network. A critical aspect of storing sensitive encrypted data is the secure storage of the decryption keys (referred to as “key management”). While HIPAA’s Breach Notification Rule doesn’t apply to encrypted data, that isn’t the case if the thieves also make off with the decryption keys to unscramble the data they’ve stolen. In information security circles, key management is often viewed as the potential weakest link in an otherwise well-executed encryption scheme,[2] and there is additional information available on best practices for key management.[3]

The data on your system should be backed up regularly. Properly maintained backups prevent potentially catastrophic data loss in the event of an accident or malicious destruction. This is especially important when dealing with sabotage, ransomware, etc. The backups should be multi-tiered (i.e., use different types of storage methods in case one of them fails) and be offsite. If there’s a fire, flood, etc., onsite backups can be destroyed along with everything else. They should also be encrypted to the extent the system data is encrypted (if not more). The backup process should not be mindless repetition. An altered or destroyed file can be inadvertently saved over an important file if the integrity of your files isn’t checked.
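
An added example (not part of the original article) of the integrity check described above: before a backup run overwrites the previous copy, compare the live files against a SHA-256 manifest saved after the last verified backup and hold the run if files have vanished, been emptied, or changed in bulk. The function names, the 25% threshold and the sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def integrity_report(root, last_good, max_changed=0.25):
    """Compare live files with the manifest saved after the last verified backup."""
    current = build_manifest(root)
    changed = sorted(p for p in current
                     if p in last_good and current[p] != last_good[p])
    report = {
        "missing": sorted(set(last_good) - set(current)),
        "changed": changed,
        "emptied": [p for p in changed if (Path(root) / p).stat().st_size == 0],
        "new": sorted(set(current) - set(last_good)),
    }
    # Hold the run if anything vanished or was emptied, or if an unusually large
    # share of known files changed at once (the threshold is an assumed policy).
    changed_share = len(changed) / max(len(last_good), 1)
    report["hold_for_review"] = bool(report["missing"] or report["emptied"]
                                     or changed_share > max_changed)
    return report

def demo():
    """Constructed sample data: three files, then one emptied and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "charts").mkdir()
        (root / "charts" / "patient_001.txt").write_text("constructed sample record A")
        (root / "charts" / "patient_002.txt").write_text("constructed sample record B")
        (root / "schedule.csv").write_text("date,time\n2024-01-02,09:00\n")
        last_good = build_manifest(root)            # saved after a verified backup
        clean = integrity_report(root, last_good)   # nothing has changed yet
        (root / "charts" / "patient_001.txt").write_text("")  # destroyed in place
        (root / "schedule.csv").unlink()                       # deleted
        (root / "notes.txt").write_text("constructed new file")
        return clean, integrity_report(root, last_good)

if __name__ == "__main__":
    for label, rep in zip(("before", "after"), demo()):
        print(label, rep)
```

When a run is held, write the new backup alongside the previous one instead of over it, so the last known-good copy survives until someone has reviewed the report.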

Hackers will naturally target the people using your network, so it’s important your secure processes include the human element of security, too.

For starters, the fewer admin (administrator) accounts on your network, the better. Like the administrative accounts noted in the computer and laptop section in Part I, network admin accounts allow full access to your equipment and files, including the ability to download, modify and delete programs. If an attacker is able to gain access to one of those accounts, he or she can cause tremendous damage to your system. To keep this from happening, keep the number of admin accounts on your system as limited as possible and add extra protections for those accounts like two-factor authentication (discussed in the password section below).

Have regular security awareness training for everyone in the office. Topics covered should include security and privacy of PHI, phishing attacks (which we discuss in the next section), and safe Web browsing. There are a number of sources available to help you devise a training plan.

Be mindful of the effect of office turnover. An ex-employee should never be able to access your network. This includes dentists, hygienists, office managers and everyone else. Rescind network, remote and building access for any ex-employee immediately after (or even while) he or she leaves, regardless of reason.

On a side note, always log out of any online services and accounts when you aren’t using a computer or mobile device and use a password-protected screensaver or passcode. Otherwise, anyone with access to your computer or device can read your email, take your money, impersonate you to your contacts, etc.