HIPAA Security Ideas - Part 5
Backups
(Volume 41)

Have you ever thought about a parachute?  It’s a nice invention.  Could you imagine having to wear one all the time?  It would be cumbersome and awkward, but could you imagine not having one when jumping from an airplane?  Computer backup systems are the same way.  They can be a nuisance and a bit of a bother, but like a parachute, when you need one nothing else will do.

I have seen so many cases over the years where clients blindly put tapes into their backup units, assume they work and the next day switch tapes and just go about their business.  As a matter of sound business practice, you need to test and verify your backups to make sure that they are actually backing up your data properly and the information is without errors.

Under HIPAA security rules, not only are you required to perform regular backups, but you are also required to test and verify that the backup was successful.  But you must also have a procedure to make sure you can restore the data and you must also have a provision to make sure you keep a copy safe and off-site.

Conventional tape backups are fairly easy to use but making sure that they are meeting the contingency requirements of HIPAA can be a laborious effort for your staff and may even be beyond what the staff can do themselves.

To every HIPAA problem there seems to be a HIPAA solution.  Actually, this solution has been around for several years but is now finding a new niche in the medical field, especially in small offices.  It is web-based backup services.  There are many companies offering this service.  The way they work is as follows: special client backup software is installed on your computer.  This software runs a batch every night just like a tape would.  The backup client takes your backup and compresses and 128-bit encrypts its.  It then sends it to a remote server, where it is received and processed.  The remote server opens the files and verifies the data against a known copy in your folder.  The server then recovers a file from your backup to ensure its integrity.  The remote server now puts together a report with all of the vital information about your backup and E-mails you a report.  Every morning you have an E-mail confirming that your backup has taken place, was successful and is fully restorable.

These services are very inexpensive, as low as $25 a month.  They address several points of concern in HIPAA security compliance.  They provide a safe, hands-off approach to backing up your data; they keep your data safe and off-site; they provide you with documentation that you are meeting and exceeding the HIPAA mandates; and they relieve your staff of the responsibility of performing the backups themselves.

HIPAA Security Ideas - Part 4
Firewalls
(Volume 38)

In the last few articles I discussed preventing unauthorized access to your computer workstations via Biometrics, I discussed protecting your data from malicious software via Anti-Virus software and I discussed protecting discarded PHI via shredders.  In this article I will discuss one of the most overlooked pieces of security, Firewalls.  Firewalls are designed to prevent unauthorized access to your computers from the web.

The broadband explosion has provided Internet users with a better, faster solution than the traditional dial-up connections we've been used to over the years.  That's the good news.  The bad news is, broadband connections have some drawbacks, the most serious of which is the fact that they are "always on."  A connection that never shuts off is a hacker's dream.  Hackers like "always-on" connections like DSL, cable modems and T1 lines because they're always there and they're predictable.  This isn't to say that broadband connections are bad.  Quite the contrary: Broadband is a great technology.  Users just need to make sure they're using the appropriate level of protection that a firewall solution can offer.

Without a firewall in place, hackers can access your PHI and either use it for their own purposes or disseminate it to the world at large.  A hacker in your system can have other serious consequences. For example:

Lost Data - What if someone deleted data on your offices' network?  What if you didn't have that data backed up?  How much would that cost you?
Down Time  What would it cost in terms of labor to restore lost or damaged data?  What would be the cost in lost productivity, having an office full of employees sitting around waiting for the computer system to be restored?
Computer Jacking - Do you like impersonators?  Well, hackers who get control of your computer can launch attacks against other networks using your computer.  When the cyber police find out, guess who they're going to be looking for? 

Attacks like those previously mentioned occur in many forms.  Some are minor while others create havoc and do a lot of damage
 
Firewalls are a great way to protect your practice’s computers from intruders.  They're designed to defend against attack by implementing a series of rules that permit, or deny, traffic to pass between your network and the Internet.  Based on the way these rules are set, the inbound and outbound flow of information maybe extremely tight or very relaxed.  The trick is to maintain a balance between your practice’s need for security and your employees' need to get their work done without interference.

Firewalls are absolutely necessary and are not very expensive.  I would strongly suggest having the firewall installed by an expert.  While anyone can take it out of the box and plug it in, the trick is to configure it properly.  Otherwise, it becomes a useless piece of hardware sitting on your network not protecting you, and only providing you a false sense of security until your network is compromised.

HIPAA Security Ideas - Part 3
Anti-Virus Software and Operating System Patches
(Volume 37)

Anti-Virus software is essential in today’s computer environment, so much so that I tell clients to not even bother running their PCs if they are not running up-to-date virus software.  Why?  Because viruses are so prolific that in a very short time you WILL get one.  Anti-virus vendor watchdog groups are reporting that new virus activity was up 17.5 percent over the past six months, and viruses getting are more sophisticated, with more sophisticated targeting.

Just to demonstrate this fact for my clients, my anti-virus program has an audible alert option that I can switch on for demonstration purposes; it goes off every time a virus attempts to enter my system.  When activated, it will beep every 5 to 10 seconds all day every day, that’s how bad things are.

Some users believe it won’t happen to them or they can’t afford the software or the update subscriptions.  My response is, you can’t afford not to have it.  The cost of repairing a system after being infected will cost much more than even the most expensive anti-virus software; plus you can’t even put a monetary value on the cost of lost data.  I consider the money paid for anti-virus software to be part of the operating expense of a computer, just like electricity is.

In just the last two weeks we have had some real nasty viruses make their presence felt.  We had the Backdoor.Prorat which is a backdoor Trojan Horse that gives its creator full control over your computer, by opening port 58343.  Due to the high number of infections, this virus has been upgraded to a Category 4 from a Category 3 threat.

Another one we just had to deal with is W32.Bugbear.  It is a mass-mailing worm that also spreads through network shares.  It is polymorphic and also infects executable files.  It also possesses keystroke-logging and backdoor capabilities and attempts to terminate the processes of various antivirus and firewall programs.

Under HIPAA security requirements you are required to safeguard your systems from outside intrusion, and failing to do so is a violation.  Virus attacks and outside hacks are considered “common knowledge” and you are responsible to implement procedures to prevent intrusions.  Just installing anti-virus software is not enough.  You must configure it so that it will quarantine the virus and /or delete it.  You need to also make sure the virus patterns that the manufacturer provides are up to date. You also need to know how and when the manufacturer updates its virus tables.  For example, Norton has an auto-update capability built into its software.  The thing to know about Norton is that even though you are doing an update every day, Norton only updates its server every Wednesday; so the rest of the days of the week you are not getting anything new.  In order to get the new daily update you have to go manually to the Norton site and manually download the daily update. This is important because the Backdoor virus was deployed to exploit this fact and it came out on Thursday and infected many systems, before users were able to get the new updates.

The key is to know your anti-virus software and very specifically how it functions and any limitations it may have.
 
Once you have your anti-virus software installed and configured and getting its updates, you’re done, right?  Wrong.  There is another key component that must also be done: that is updating your operating system.  Microsoft Windows from 95 on has a Windows update feature that goes out to the Microsoft web site and gets all of the latest patches for your version of Windows. This is critical because many viruses are written to exploit vulnerabilities in Windows.  Even though you have anti-virus software, if you have critical holes in Windows you are still subject to getting a virus. The anti-virus software also depends upon the Operating system being secure.

You should be checking for Windows updates on a daily basis.  In Windows 98 and later, Windows has a scheduler feature whereby Windows will automatically go to the Microsoft update site and find any new critical updates and download them for you.  It will then have a little pop-up alert letting you know that the updates are downloaded and ready to be installed.

Be safe: stay current with your Windows updates and anti-virus updates.

HIPAA Security Ideas - Part 2  
Biometrics
(Volume 34)

Does anyone remember the Lunar Space program of the ’60s?  There were so many technologies developed for that program that eventually made their way into everyday life; can anyone say Teflon?  Likewise, biometrics has evolved from the security needs of the government to the consumer market.

Biometrics is any security device that uses unique physical attributes of the users to identify themselves. There are currently face scanners, palm scanners, retina scanners and fingerprint scanners on the market today.  For our purposes I will contain this discussion to fingerprint scanners.  The fingerprint scanners are the least expensive of the biometric devices yet still offer outstanding security.

The way the fingerprint systems work is as follows.  The scanners come bundled with security software that acts as an overlay on your desktop.  The software intercepts the log in procedure and requires a fingerprint input in order to proceed.  The software also has a registration process that scans each person’s fingerprint and digitally records the fingerprint as an algorithm, so it never keeps a "picture" of your actual fingerprint.  The scanning software then works in conjunction with the Windows operating system security and allows you to assign rights and permissions to each user.  It is really a fascinating piece of technology.

Now for the sixty-four-thousand-dollar question: what does this have to do with my practice?  The answer is HIPAA.  Under the security rules that were just finalized and become mandatory in April of 2005, you are required to secure all your computers by the following means:

1) Each user has their own unique log in name and password of a minimum of 6 characters.
2) No users shall know or use another person's password.
3) The passwords must be changed at least every 90 days.
4) The passwords must have the proper access level assigned to them based upon the person’s job function.

The reality of the situation is that if you use complex passwords and change them frequently, people will forget them; then the system administrator has to redo their account and set up a new password.  Worse yet, if they can't remember the password, they will write them on a sticky note and put them where they can find it easily, like on the screen.  Also, in a small office, people are close and share information and they will share their passwords.  By using the fingerprint scanners you eliminate all of that and actually make logging in fast and easy.  The person just touches the fingerprint scanner and in about a second they are logged in.  It takes no thought, just press and go.  The scanner's software knows who it is that is logging in and gives them the rights and permissions that they are supposed to have.  You can't lose your password, you can't forget it, and you can't give it to someone else.

This is an outstanding way to provide security to your computer system; it impresses the patients and the staff and best of all, it is inexpensive, less than $150 per scanner.  If you'd like more information about it, contact me or visit our web site.