Additional Network Concerns

Let's talk about a few additional network concerns. For starters, using the cloud, which is increasingly common nowadays. In effect, that's when patient data is stored and processed outside your office. "The cloud," as it's called, is basically just a marketing concept describing a computer located somewhere else. That's the entire concept, start to finish. That's "the cloud," just a computer somewhere else. If you were looking at basically old network diagrams, which I know everyone does in their spare time, they used to actually draw the Internet as a little cloud on the side of the diagram. That's actually where the concept comes from. I'm not kidding. So anyway, typically a vendor will manage the patient data, which will then be stored in a data center that the vendor will contract with. Now some key things here: business associate agreements with cloud service providers are an absolute must.


And any vendor reluctant to sign one should be avoided. Don't even bother with, "Yeah, well maybe..." No, they won't sign a business associate agreement. Toast. Gone. Be off with you. Another thing to look at is what's called a service level agreement, which will detail the cloud vendor's responsibilities and your remedies, if needed. And this should include: is the cloud vendor or the Data Center HIPAA compliant certified? Does the standard data hosting agreement with the data center detail steps taken to achieve that HIPAA compliance? And is the staff both of your vendor and of the data center trained to properly handle PHI? And also is the PHI stored and/or processed outside the US, because that can result in additional liabilities. I don't want to try and give you an opinion right off the bat, but that could be some other problems if it's somewhere else.


I mean, just to cut through it all, at the end of the day, your office can be held responsible if this is mishandled, so be sure it isn't. Next up just quickly, the Internet of Things, which is increasingly common nowadays. This can refer to smart appliances or other IoT devices that connect to the Internet through your network. And this includes connected medical devices. And once again, default settings on these are often insecure. So if you can change passwords, that's a great idea. And keep in mind, a medical device or a smart fridge is often going to need software updates for 20 years or so if that's something you need to keep in your network for quite a while. So while they can be useful, no need to load up on a ton of them if you don't actually need them. So let's talk for a moment about email because a lot of scams actually began with email.


One thing in particular is Office 365, which is Microsoft's all on office software. Since Office 365 tends to stay up to date on its own, one of the ways that attackers will target it is to send you a message that looks like just straight up gibberish and there'll be a note in there saying, "Oh, can't read the message. Well you should enable macros." And macros are basically task automators in MS Office. And keeping them disabled is actually a good thing because when these attack emails come in, if you enable the macros that actually sets the attack in motion. So it's a good idea within your network to disable macros across the board. If you have specific use for them, you can use them in those instances, but as a general thing, leave them off. Because like I say, it's a nice avenue of attack.


Now, email itself... Well, I'll give you an information security cliche. It's referred to as "as secure as a postcard written in pencil." What I mean by that is that email, generally speaking, can be read and altered pretty easily by anyone handling your email, sort of like post office personnel who can look at the postcard and change it - once again, written in pencil. Now the reason for this is the way email works effectively is: let's say you hit "send." It then goes to the email server in your office, which then sends it out through the router - again, broken up into little pieces going out across the Internet - and it's going from router, to router, to router, to the recipient. Think of that like... You ever skip a flat stone over a pond? It's sort of like that, you know, skip, skip, skip, skip.


That's sort of how it's working as it's going through. And the thing is if it's unencrypted, anyone who's got it passing through can stop it, change it, switch it around. And of course that's a huge issue if there's any PHI in there. Obviously if you don't have to send PHI in an email, don't. Now given today's technology, you should never hesitate to use encrypted email. This is because encrypted email software nowadays is pretty easily available. I'll put a link in the notes of reviews for various encrypted email services because they have different properties. You can see which one happens to be a good fit for you, but definitely, definitely use it. Now let's talk a little bit about physical security. That's physically securing your network assets. Actual office intrusion, someone physically getting in, that may sound weird. It's not unheard of. There have been instances of theft where, I know there was one some years ago with a dental practice in Missouri, which I believe was bankrupted after a single laptop was stolen from their office with 9,000 patient records on it.


So just like I say, just something to keep an eye out for because at the end of the day, even if they don't steal something, physical access also typically means very easy network access if someone can physically get to your stuff. And there's also literally damage or destruction. What if something is set on fire by accident? What if somebody drops something? You want to make sure your stuff is secure. Now what are your protective measures against this? Well, for starters, lock your office. This also includes the servers, once again, the centralized computer within your office network. You want to have that in a locked room, often referred to as a server closet. Now what about your building itself, where your office is located? Do you have specific protective measures? Is there an alarm system? Is there card key access? For that matter, is there street exposure and lighting?


What I mean by that is can someone sneak in and not get seen? If it's in a wide open street where it's well lit, that's a bit less likely. Now another thing to do is at the end of the workday, make sure all the computers in the office are turned off. I know it's tempting to save stuff. Keep in mind when you're working on something, as long as you save it, your computer will hold on to everything. Browsers for example, will hold on to all of your tabs. If you shut off, you restart, all of your tabs come right back up. Now one thing to do with that, when you turn them off, also you want to have something referred to as "full disk encryption" on the computers. Now what that is is an encryption that only engages when the computer is turned off and it just encrypts everything on it. That way, should it get stolen, once again, gibberish. One other thing - just mentioning in passing - passwords. They're useful. Don't write them out and leave them somewhere obvious like under your keyboard or the top right side drawer of your desk on a post-it or something. Attackers who were physically in the office will look there first. And also, in terms of card keys, or physical keys for that matter, to your office, make sure if anyone leaves the practice, regardless of reason - friendly or no - make sure you get the card key and physical key back as soon as they go. Don't wait for that one. And for all of these things, you want to have written policies backing them up just to make sure. Like I say, it's a consistent process. So if somebody leaves the practice: this is exactly what happens, in what order.


That way it's always the same thing. A few unexpected weak spots which pop up, believe it or not, printers and copiers. Yeah, I know. They actually have little hard drives. So when something prints through it, that's actually saved on that little hard drive before it prints. So when you are returning it, because often printers and copiers are leased, you've got to make sure that's wiped. So make sure that data is cleared off before you send it along. And also if you recycle - nicely done - firm recycling bins can obviously hold pretty valuable stuff. So you've got to make sure that information is shredded. And believe it or not, there's a difference in types of shredders. The really secure ones are called cross-cut shredders which sort of do it diagonally as opposed to straight shredders, which could theoretically be pieced together because dumpster diving actually does exist.


I know you see it in bad movies, but it's really a thing because once again, protected health information can be valuable. Another risk to keep in mind is something called misconfigured equipment. Configuring is basically how you set something up. So let's say for example, you have a firewall guarding the outside of your firm and it's misconfigured to accidentally allow traffic from somewhere bad to come into your network. So you've got to make sure that's configured or set up correctly because misconfigured equipment can really expose you to a lot of danger you have no idea about. Also office guest WiFi access, usually for patients sitting in your waiting room. If you have that, kudos, that's a cool thing. I'm sure your guests like it. Just make sure that doesn't connect to the rest of the network because if someone can get in there and go from that and get into the rest of your data, that's really dangerous.


And now as we just mentioned before, can ex-employees access your network? Once again, immediately rescind access for any ex-employee at the moment he or she leaves. Also account passwords and what are called the VPN (which is virtual private network), I would call, decrypts. It's basically a way of communicating. It's very secure; we'll talk about that in a little bit. Those should never be saved on a computer, especially in the file named "password" or any variation thereof, or sent in plain text to an intended recipient or even yourself. The reason for this is that attackers will immediately search these things. And if you go on your own system and just search for "password," some very interesting things may pop up. So it's always best not to do that. And one of the things to keep an eye out for is connected third party systems. Because if you're connected to a system that is insecure, an attacker can go through that to get to you. There was a very large data breach a few years ago against Target, and Target was actually not breached directly.


The attacker went through an HVAC (heating, ventilation and air conditioning) vendor of Target's and went in through that and got to their system that way. So another thing you want to do is, once you've actually started defending stuff, you want to test your defenses to make sure they actually work. One thing you want to do sort of earlier in the process is something called network mapping and enumeration. That basically is just getting an idea of what the network for your office actually looks like so you can defend it. It's really hard to protect something if you don't know where stuff is. And enumeration is basically just keeping sort of an updated list of what every device and every computer with access - where is it, what's it connected to, what level of access does it have, that sort of thing.


And then, once you've got some idea of what you're trying to defend, you want to engage in two basic things. One called vulnerability assessments, the other called pentesting. Vulnerability assessments are performed with a scanning tool which basically scans the network and, in effect, these scans will look at what software's running where, how open is a given thing to the open internet or other parts of the system and will see how up to date everything is and how protected or shut down it is. And the scans should be performed from both inside and outside your network to identify vulnerabilities to both the internal threats and external threats. Because the more you shut it down, the better. The vulnerability assessments will typically come with reports, which - they're not exactly scintillating reading - but make sure that the vendor doing it for you is properly prioritizing, letting you know, "here are the really dangerous things" and then they'll do follow-up reports. The idea is from one vulnerability assessment to the next one, you want to make sure that you're having fewer and fewer vulnerabilities. So as they point things out and you fix them. Now penetration testing is a little bit different. That basically is sort of like having your own hacker, good guy hacker, basically, try to break into your system. And he or she will try and break in either technically or using social engineering, which is basically tricking their way in, to find out if they can get in then theoretically so can an attacker. So the idea is they're finding a way in that you then can shut down behind them so an attacker can't use it. Just keep in mind with penetration testing, they just have to find one way in. So they're not looking for everything, they're looking for one way in. For that reason, it's a much more effective thing to use once your network is actually developed a bit and defended. Because basically if you're trying to find one way in, it's a lot more useful to learn that if you've got like a battened down fortress rather than an open air gazebo where it's like, "yeah, I walked in, I can walk in over there, over there, over there." That's not as helpful.

Cloud Storage

  • Using “The Cloud” means patient data is stored and processed outside your office.
    • Use a Business Associate Agreement (BAA) with cloud service providers
    • Service Level Agreement (SLA) details the cloud vendor’s responsibilities and your remedies, if needed
    • Don’t forget: You are a Covered Entity under HIPAA and you can be held responsible for the actions (or inactions) of a Business Associate like a cloud service provider

The Internet of Things (IoT)

  • “Smart” appliances and other IoT devices can connect to the Internet through your network (including connected medical devices)
  • Default settings are often insecure and need to be changed


  • Many scams begin with email
  • Unencrypted email can be read (and altered) easily by anyone handling it
  • Given today’s technology, you should not hesitate to use encrypted email

Physical Access

  • Physical access to your office, network and network devices can lead to theft, damage or destruction of computer hardware and/or data.
  • Protective measures include:
    • Locking your office (including the server closet)
    • Turning off computers at the end of the work day
    • Using passwords to secure your data


  • Be sure to retrieve any card (or physical) key from any departing employees (as soon as they go).
  • Disable access to your network and network devices for any departing employees
  • Change or disable passwords for all shared accounts


  • Networks often have unexpected weak spots that attackers can exploit. These include:
    • Printers and copiers
    • Dumpster diving
    • Misconfigured equipment
    • Office guest Wi-Fi access
    • Connected third party systems (vendors, consultants, etc.)
  • Testing your network defenses will allow you to find vulnerabilities before an attacker can use them against you. Well known testing methods include:
    • Vulnerability assessments (performed with a scanning tool), and
    • Pentesting
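
Added example (not part of the original course material): the transcript suggests searching your own system for "password" to see what turns up. The Python sketch below does that self-audit over a folder tree by file name. The extra name patterns ("pwd", "credential", "vpn") and the sample file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed filename patterns: the talk names only "password" and "any variation
# thereof"; "pwd", "credential" and "vpn" are added here as likely variations.
RISKY_NAME = re.compile(r"passw(or)?d|pwd|credential|vpn", re.IGNORECASE)


def find_credential_named_files(root):
    """Return sorted relative paths (forward slashes) of files under root
    whose file name suggests stored credentials."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # Match on the file name only, so a folder called "vpn" does not
            # flag every file inside it.
            if RISKY_NAME.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed sample folder tree (empty files, made-up names)."""
    sample = [
        "Desktop/Passwords.xlsx",
        "Documents/vpn-key-backup.txt",
        "Documents/old/my_PWD_list.txt",
        "Documents/schedule.docx",
        "Documents/compass-directions.txt",  # contains "pass" but is not flagged
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    # Runs against a throwaway sample tree; point the function at a real
    # user folder or file share to audit your own systems.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_credential_named_files(tmp):
            print("review:", hit)
```

Anything the script lists is a file an intruder would find just as quickly, so each hit should be reviewed and the stored secret removed or changed.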