Security Awareness Training: A Necessary & Powerful Tool to Protect Patient Data

(As published in the November/December 2018 issue of MediNews)

Over the past several years, I’ve spent considerable time with clients working to develop better IT policies for things like Acceptable Use, Privacy, Security, and Incident Response. These policies are all important and necessary: if you don’t properly equip your staff with rules and guidance on what is expected of them when handling technology, and by extension sensitive data, you can’t expect them to act responsibly.

Phishing Testing: Building Your Human Firewall

Phishing is becoming a major threat vector for organizations all around the world.

Phishing is the practice of sending illegitimate emails designed to elicit a response from the end user, whether that is clicking a link that infects them with malware or being tricked into volunteering information they would not normally provide, such as a password or other details useful to the attacker.

Frighteningly, all signs are pointing to the fact that phishing attacks are becoming more prevalent by the day. According to Webroot, nearly 1.5 million new phishing landing pages are being created monthly.

So why is phishing so popular? I can think of a few reasons.

KRACK Wi-Fi Vulnerability – What You Need To Know

In light of the headline-making news about the major flaw in Wi-Fi networks dubbed “KRACK”, which stands for Key Reinstallation Attack, we wanted to take a moment to communicate a few important facts to keep in mind regarding this specific flaw.

7 Things To Consider When Creating An Acceptable Use Policy

One of the early steps in establishing a culture of risk management with your staff is creating a suitable Acceptable Use Policy. Before I get into how to approach this policy, let’s review how this policy is defined.

5 Ways To Protect Your SMB From Fundamental Network Security Risks

As someone who has worked in the Managed Network Services space for over a decade, I notice certain behaviors when it comes to security planning. Every so often, a major security incident makes headlines, and the media cycle begins. Decision makers at organizations, who are typically business experts rather than technology experts, often react with questions about what they are doing to fight this specific threat. Are they doing the right thing? What else could they be doing? How exposed are they?

Budgeting Your IT Investments: Cloud vs. Onsite (MGMA MediNews)

We all agree that IT is essential to the operations of modern medical practices, but I find that these investments in technology are often reactionary. Ten to fifteen years ago, a major push for moving to Electronic Medical Records (EMR) inspired a number of practices to make significant investments in IT infrastructure that most of them had never considered before. It was a brave new world for most practices, and decisions were often made in a spur-of-the-moment fashion. Even more disconcerting was the fact that many of the investments made by these early-adopting practices ended up being overhauled for a variety of reasons, many of which had to do with not “right-sizing” the solution in the first place. Needless to say, this was not a pleasant experience to be a part of, either internally or as a service provider, as I have been. The costs were out of control, unpredictable, and stressful to deal with.

Making a Shift to the Cloud? Time to Reevaluate Your Security!

Chances are, if you are reading this article, you have already moved some, or perhaps most, of your IT infrastructure to the cloud. While most organizations spend a lot of time, energy and money developing strategies for migrating their important data and workflows to the cloud, they usually don’t worry about security and risk management strategies until after the migration. In fact, many organizations assume it is fine to keep the security strategy they were using before the move.

Encouraging Compliance through Staff Management (MGMA MediNews)

Everyone who manages staff in a medical environment immediately becomes a key decision maker when it comes to HIPAA compliance, whether they realize it or not. Many data breaches occur not because of technical failures caused by a deliberate attack on security systems, but because personnel fail to properly control access to patient health information. Practice managers hand the keys to the vault of patient data to staff members every day. Just like money in your bank account, sensitive data has a real value, and anyone with access to it holds a serious responsibility.

Do You Know Where Your Data Is? Prove it!

Many IT decision makers look at assets as hardware, but really they should consider why they have the hardware in the first place.

These decision makers remember the very significant investments they made in servers, PCs, firewalls, and so on in order to deploy that new CRM or Electronic Medical Records system. They think of the tens of thousands of dollars they spent just to get the system functional. It’s understandable, then, that the memory of this investment makes many decision makers forget why they invested in these systems in the first place: to gather and manipulate data for critical organizational functions. So the real asset they are protecting is that data.

Proactive vs. Reactive Compliance Management (as featured on Tripwire)

Much of my time spent working is focused on performing technology assessments against some kind of baseline. Most of the time, these are specific government or industry standards like HIPAA, NIST, ISO and PCI. But when some of my clients reach out to me about evaluating their environment in light of these standards, it’s often done out of a feeling of obligation in which they are reacting to some kind of demand from whoever is overseeing their work.
