A Story about the Risks of “Non-Vaccination”
On a recent appointment, I met with a pediatrician to perform a network review. In our preliminary meeting, we discussed the issues they were having and I was certain I’d find a pretty sick network. My suspicions were correct.
It’s our practice to schedule a follow-up appointment after the report of findings has been written and the risks weighed. During this meeting, the pediatrician told me about the struggle she was having with unimmunized children coming into the practice. She was very concerned about how to care for these children without putting her staff and other patients at risk. The pediatrician was very passionate about this subject and demonstrated a thorough understanding of how these non-vaccinated children were at risk themselves and were putting others at risk.
As the conversation turned towards her internal network and the issues that were plaguing the practice’s technology, I realized there was a direct link between immunized children and properly secured networks. When properly “vaccinated,” both result in fewer breaches, health-wise and data-wise.
With all of the security breaches in the news lately, I’ve been investing considerable time and energy in understanding HIPAA Compliance laws so that I can effectively secure our medical clients’ networks. I’d also recently enlisted a HIPAA Security Firm to perform a Risk Assessment on our company. So, network security and privacy laws were close to my mind during this meeting.
This physician understood the risks of unvaccinated children and could easily articulate the danger inherent to the child and to those around him or her. Sadly, however, she did not see the importance of “vaccinating” her own network and diminishing the risk she was imposing on her practice, staff and patients.
A recent study showed that 44% of healthcare organizations have experienced a data breach. Specifically in the medical industry, here are some implications of an unsecured network.
1. Unsecured networks put patient records at risk.
2. Unsecured networks allow attackers to use your network as a proxy to hide themselves while infecting other networks.
3. Improperly designed networks rob hundreds of man-hours of efficiency from the medical practice and lower morale.
4. Improperly designed networks often do not have a viable backup solution for patient data, which affects the care of patients and ultimately the viability and longevity of the practice.
5. Unsecured networks put the practice in a high-risk position with regard to HIPAA regulations and fines.
6. Embarrassment and loss of trust from clients when a security breach has to be reported.
I am aware of all of the added pains the new health care laws have put on the healthcare industry. This is one of the primary reasons I wanted to fully understand the rules, so that I can help employ practical solutions. Below is a list of some very practical solutions that will go a long way in securing your network.
1. Set up your network properly in the first place. Install a Domain Controller on the network to manage your data in a central place, control the access your users have to that data, and enforce automated complex password changes every 90 days.
2. Deploy a proper email solution. Email is a small business’ greatest risk. Only allow your corporate email to be checked from the office, and block all other types of email traffic. Also employ strong encryption for any email that contains PII.
3. Deploy a UTM (Unified Threat Management) firewall that is managed by professionals. A properly installed firewall will filter out intrusions, viruses and spyware, as well as control web access.
4. Install managed desktop security software. Every device on the network needs to have local security software that alerts if an infection occurs.
5. Encrypt all mobile devices. All devices that leave the physical security of the network need to have some form of Mobile Device Management (MDM) solution that allows for data encryption, remote password change and, ultimately, remote wipe if necessary.
6. Deploy remote management and monitoring software. All computers need to have their Microsoft security updates applied consistently, and all of their software monitored, with alerting if software is installed or uninstalled.
7. Deploy a managed disaster recovery system. Patient data is one of the most valuable assets of a practice, both to keep the practice running and to give good care to patients. An encrypted off-site backup that is monitored for success and failure daily is necessary.
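As an added example (not from the original post or the author’s company), the following PowerShell audit script checks a domain-joined Windows workstation against the concrete, checkable parts of items 1, 5 and 6 above: the domain password policy (complexity on, maximum age of 90 days or less), whether security updates are being applied, and whether the operating system volume is encrypted. It assumes an elevated session with the ActiveDirectory (RSAT) and BitLocker modules available; the 30-day patch threshold is an assumption, not a figure from the post.

```powershell
# Added audit example; thresholds mirror the post's recommendations.
# Assumes: elevated session, domain-joined host, RSAT ActiveDirectory and
# BitLocker modules installed. The 30-day patch window is an assumed threshold.
Import-Module ActiveDirectory
Import-Module BitLocker

$findings = @()

# Item 1: central password policy, complexity enabled, max age <= 90 days.
$policy = Get-ADDefaultDomainPasswordPolicy
if (-not $policy.ComplexityEnabled) {
    $findings += "Password complexity is disabled in the default domain policy."
}
# A MaxPasswordAge of zero means passwords never expire.
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge.Days -gt 90) {
    $findings += "Maximum password age is $($policy.MaxPasswordAge.Days) days (0 = never); expected 90 or less."
}

# Item 6: security updates applied consistently.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) is disabled."
}
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No update installed in the last 30 days (last: $($lastPatch.InstalledOn))."
}

# Item 5: the operating system volume must be protected by BitLocker.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the checked controls."
} else {
    Write-Output "FAIL: $env:COMPUTERNAME has $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an RMM agent or a scheduled task so that a FAIL line is raised as an alert rather than read by hand.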
Although I was unable to educate this particular physician, my hope is that this blog will help others. Just as it is our duty to vaccinate our children, it is also our duty to vaccinate our networks. Failing to do so puts ourselves as well as others at risk.
Phillip D. Long
Business Information Solutions, Inc.