Archive for the ‘IT Security’ Category:

Secure Business Mobility with Office 365

Securely Work Anywhere with Office 365

Mobile and Remote Employees can put business data at risk.

Most businesses have employees who often work away from their office desk: from home, on the road, or roaming the office or retail floor with mobile devices. Businesses also adopt BYOD (Bring Your Own Device) to give employees the flexibility to work from anywhere. Unfortunately, most businesses do not have a security strategy for their business mobility.

Without a secure business mobility strategy, business data and devices are at risk of theft. Businesses also need to provide a consistent work experience for employees in and out of the office; productivity suffers when employees have to work with different applications outside the office.

Securely Enable Business Mobility with Office 365

Office 365 gives employees maximum flexibility to work anywhere while the business maintains control of business activities. It also helps businesses manage and protect the company’s devices, data and budget while giving them a competitive advantage.

Employees can use a mix of business and personal devices to access business applications such as Word, PowerPoint, Excel and Outlook, with a consistent experience across Windows, iOS and Android desktops, laptops, phones and tablets.

Office 365 Business Premium has built-in security features and fully installed versions of the Office apps on the employee’s choice of desktop, tablet, or phone. This improves collaboration across devices, so teams in different locations can work together more efficiently. Employees can also hold “face-to-face” meetings from any location through Skype for Business, improving teamwork and boosting productivity.

Businesses can have more control of their data and devices by using Office 365 E3 and Enterprise Mobility Suite plans.

Office 365 Enterprise E3 includes everything in Business Premium plus advanced data protection capabilities and compliance tools. This helps businesses maintain regulatory compliance while employees work away from the office.

The Enterprise Mobility Suite (EMS) can protect company assets while enabling workers to stay productive from practically anywhere. It provides capabilities for securely managing mobile devices and applications.

Contact us to find out how we can help your business securely implement business mobility.

Do I Need A Server For My Small Business?


I get asked this question quite a bit, especially by new business owners. A lot of existing businesses also want to get rid of their on-site server and move to the cloud.

Moving an office server to the cloud is always an option with the right internet bandwidth and a large enough budget, but this post explores the need for an on-site server in a small business.

Before deciding whether a server is needed, consider the main uses and benefits of a server in a small business:

  • Line of business application requirements.
  • User authentication for computers (Active Directory).
  • File server for business data.
  • Backup location for computers.

A few factors need to be considered before this question can be accurately answered. I will list the factors below and then explain how each affects the server-or-no-server decision.

1) Regulatory Compliance
2) Employee Assigned Computers
3) Employee Size
4) Line of Business Application

1) Regulatory Compliance: Compliance requirements like HIPAA § 164.308(a)(4) Information Access Management require each employee to have a unique user ID for all information systems, so employee activity can be logged and audited on each system. This can be done without a server (Active Directory), but a server makes managing user IDs and passwords a lot easier than managing each user on each computer.

2) Employee Assigned Computers: If your employees have permanently assigned computers, you only need to manage one or maybe two logins on each computer. This becomes more complicated when employees roam between available computers, as in a doctor’s office. Imagine managing separate credentials for 10 employees on 10 computers: that quickly becomes an avalanche of 100 IDs to manage. An Active Directory server makes this easier by managing all 10 IDs from one server.

3) Employee Size: User authentication is a little easier to manage for a business with five or fewer employees. Even with regulatory compliance and non-assigned computers, you will be managing at most 25 IDs on five computers for a five-person company.

4) Line of Business Application: If your primary line of business (LOB) application requires a server to function, then you will need a server. There is no way around it; you might be able to use a cloud server instead, but that still depends on the LOB application and your internet bandwidth.

After considering all the factors listed above, my answer to this question varies from business to business. If your business is not affected by any of the criteria above, you can do away with an on-site server, or at least move to a cloud server.

CyberSecurity Tips


  • Cybersecurity Statistics Sheet
  • eBook – Cybersecurity Tips for Employees
  • Quick Tips – 5 Ways to Stay Secure Online
  • NIST – Small Business Information Security Fundamentals

Managing Cybersecurity Risk Using the NIST Cybersecurity Framework.

What is NIST (National Institute of Standards and Technology):
NIST is a federal agency within the US Department of Commerce. It was tasked in 2013 with developing a voluntary framework for reducing cyber risks to critical infrastructure.

What is the NIST Cybersecurity Framework:
This is voluntary guidance for better managing and reducing cybersecurity risk in organizations. It was designed to promote communication about risk and cybersecurity management between internal and external organizational stakeholders.

The framework was designed to be used by organizations of various types and sizes. Each of the framework components (Framework Core, Profiles, and Tiers) can be used in a variety of ways to address the needs of an organization. Some of the ways are:

  • Communicating with stakeholders within an organization.
  • Sharing cybersecurity expectations with business partners and suppliers.
  • Mapping the framework to current cybersecurity management processes.
  • Using the framework as a planning tool to assess risk and current practices.

Framework Components and how they are used.
Framework Core:
This is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. These activities are grouped into five functions:

  • Identify assets in the organization.
  • Protect identified Assets in the organization.
  • Detect anomalies and events.
  • Respond appropriately to detected anomalies.
  • Recover from anomalies.

The Framework Core gives organizations an overview of how cybersecurity risks should be managed from beginning to end.

Framework Profile:
A profile is the set of cybersecurity goals an organization aims to achieve, selected from the framework categories and subcategories based on its business needs. The profile allows an organization to determine its current cybersecurity risk level and develop a way to reduce those risks.

Framework Tiers:
These provide an organization with a way to assess how it views cybersecurity and the processes it has in place to manage cybersecurity risk. The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and help an organization determine how closely its cybersecurity risk management processes align with its business.

Overall the framework provides a plan for an organization on how to address cybersecurity risks.

5 Steps For Protecting Patients’ Data (PHI).

According to Health IT Outcomes, security breaches cost healthcare $6 billion annually. Patients’ medical records are now 10 times more valuable to hackers than credit card numbers. Hackers monetize patients’ medical records in different ways, and the market for them is growing. Protecting your patients’ data should be a high priority at your practice. We have listed some steps below to get you started.

Assign a Security Officer. Most businesses, especially small ones, do not have anyone in charge of IT security. The security officer handles all security-related issues or works with a contracted IT firm. A security officer also gives employees a resource for any security-related questions.

Perform a Risk Analysis. Details of a Risk Analysis can be found here. A risk analysis reveals potential holes in your IT infrastructure that hackers can use to steal patient data. Once the holes are revealed, you need to take steps to address them.

Employee Training. Employee blunders are the second leading cause of HIPAA breaches. Employees need to be trained on the right way to handle patients’ data and on the impact if it is not handled with the highest security.

Inventory of Equipment/Software Storing Patient Data. Most businesses do not know all the places patients’ data is stored. You can only protect patient data if you know where it is stored. You should also restrict access to the data based on job responsibilities.

Install Technical Safeguards. You need technical safeguards in place that prevent hackers from gaining access to your network. Most businesses have some in place, but they are either not monitored, reviewed or updated. This responsibility can be handled by your assigned security officer or outsourced to an outside firm. Some technical safeguards are listed below:

  • Firewall.
  • Antivirus.
  • Software Patches.
  • Backup and Recovery.

The steps listed above should get you started. Achieving HIPAA compliance is not as hard as it seems when you prioritize protecting your patients’ data.

Do I Need A Business Associate Agreement (BAA)?

We discussed HIPAA Business Associates in our last post and listed some examples you might have in your Practice.

If you have business associates, then HIPAA requires you to have Business Associate Agreements (BAAs) in place. A Business Associate Agreement is a contract between a covered entity (CE) and a business associate (BA) that details the permitted and required uses of protected health information (PHI) by the business associate.

A business associate contract is a required implementation specification in the HIPAA Administrative Safeguards. Among other things, a business associate contract must:

  • Establish permitted use and disclosure of PHI by the BA.
  • Provide that the BA will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Require the BA to implement appropriate HIPAA safeguards to protect PHI.
  • Require the BA to report any PHI breaches to the covered entity.
  • Require the BA to ensure that any subcontractors it engages that will access PHI agree to the same restrictions that apply to the business associate.

Having the right business associate contract in place can potentially protect your organization from breaches caused by a Business Associate.

A business associate agreement is a legal contract between two parties and should be treated as such. The contract should be reviewed by your lawyer to make sure you are protected as much as possible from any Business Associate mishaps.

The Department of Health and Human Services (HHS) website has a sample business associate contract you can modify to suit your practice’s needs.

Getting Started With HIPAA Compliance

As a healthcare practice you cannot ignore your compliance with the HIPAA Security Rule. The HIPAA Security and Privacy Rules were created to protect patients’ protected health information (PHI). HIPAA violations can result in penalties of $100 to $50,000 per violation, and total fines can be as much as $1.5 million if the violation is due to willful neglect.

A data breach can be financially costly to your practice and may also harm your patients if PHI lands in the wrong hands. A data breach can be as simple as a lost laptop containing patient information.

Being HIPAA compliant is not an easy task, but it shouldn’t be ignored either. I have listed four steps below to get you started with your HIPAA compliance.

Risk Analysis
A risk analysis is the first step towards HIPAA compliance. It is used to discover potential risks and vulnerabilities to the confidentiality and availability of electronic protected health information. The risk analysis should be documented and any discovered vulnerabilities should be addressed. If you have already conducted a risk analysis, review and update it yearly.

Implement Administrative, Physical and Technical Safeguards
There are certain safeguards that covered entities must implement to protect PHI. The safeguards are broken down into three types (Administrative, Physical and Technical). Some safeguards are required and some are addressable. All the required safeguards need to be implemented; if you choose not to implement an addressable safeguard, you need to document why not.

Employee Training
Most HIPAA violations are caused by employee negligence. The HIPAA safeguards require you to train your employees, send occasional security reminders and monitor your employees to make sure they are not causing HIPAA violations.

Business Associate Agreement
If you employ any company or contractor that has access to PHI, they are considered a business associate. You need to have a Business Associate Agreement in place that requires them to comply with the HIPAA Security Rule. A business associate agreement can potentially protect your practice from HIPAA violations caused by the business associate.

The steps listed above should only be considered as a starting point towards your HIPAA compliance. HIPAA compliance is an ongoing process that needs to be constantly monitored and reviewed to fit your practice.

Computer Security and Protection

I spent the better part of last week removing viruses and spyware from a local business’s computers. Half of the computers in the office were infected with a virus. The only reason the others were not infected was because the users were either on vacation or the computers had not been used recently.

Unlike some businesses I have come across, this business owner had antivirus software installed on the computers, but nobody was responsible for keeping the computers secure and protected. You can have the best antivirus software, but if you are not monitoring it, running regular scans and making sure the virus definitions are updated, new and unknown viruses are bound to infect your computers.

Regular antivirus scans should be done at least twice a week, or preferably every day if you can. This makes sure viruses are removed from your computers before they cause any damage. The most important thing is to make sure the virus definitions of your antivirus software are up to date. If the definitions are not up to date, the antivirus software has no information about a new virus and is unable to protect your computers against it. Up-to-date virus definitions give you the maximum protection against the computer viruses out there.
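The monitoring the post describes (definitions current, scans at least twice a week, somebody actually looking at the result) is easy to automate on Windows 8 / Server 2012 and later with the built-in Microsoft Defender cmdlets. The script below is an added example, not code from the original post or from any product the post mentions; it uses the real `Get-MpComputerStatus`, `Update-MpSignature` and `Start-MpScan` cmdlets, while the age thresholds, the log path and the function names are assumptions chosen to match the post's advice.

```powershell
# Added example (not from the original post): daily antivirus health check
# using the Microsoft Defender cmdlets. Thresholds and log path are assumptions.

$MaxSignatureAgeDays = 1     # assumption: definitions older than a day count as stale
$MaxScanAgeDays      = 3     # assumption: a scan at least twice a week
$ReportPath          = "$env:ProgramData\AVHealth\av-health.log"   # hypothetical log location

function Get-AvHealth {
    $status   = Get-MpComputerStatus
    $findings = @()

    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }

    # AntivirusSignatureAge is reported in days since the last definition update.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Definitions are $($status.AntivirusSignatureAge) day(s) old (last update $($status.AntivirusSignatureLastUpdated))"
    }

    # QuickScanAge / FullScanAge are in days; a never-scanned machine reports a very large value.
    $lastScanAge = [Math]::Min([double]$status.QuickScanAge, [double]$status.FullScanAge)
    if ($lastScanAge -gt $MaxScanAgeDays) {
        $findings += "Last scan was $lastScanAge day(s) ago"
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Checked      = Get-Date
        SignatureAge = $status.AntivirusSignatureAge
        LastScanAge  = $lastScanAge
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

function Repair-AvHealth {
    param([pscustomobject]$Health)
    if ($Health.SignatureAge -gt $MaxSignatureAgeDays) {
        Update-MpSignature                  # pull the latest definitions now
    }
    if ($Health.LastScanAge -gt $MaxScanAgeDays) {
        Start-MpScan -ScanType QuickScan    # catch up on the missed scan
    }
}

$health = Get-AvHealth

# Append one line per run so the security officer has a history to review.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
"{0:s} {1} healthy={2} findings={3}" -f $health.Checked, $health.Computer, $health.Healthy, ($health.Findings -join '; ') |
    Add-Content -Path $ReportPath

if (-not $health.Healthy) {
    Write-Warning ("Antivirus needs attention on {0}: {1}" -f $health.Computer, ($health.Findings -join '; '))
    Repair-AvHealth -Health $health
}
```

Run it once by hand to confirm the log line looks right, then register it as a daily scheduled task running as SYSTEM. The log file, not the script, is the point: it gives the person responsible for security something to review, which is exactly what was missing in the office described above.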

The total cost to remove the viruses and save most of his business data was more than two years’ worth of our managed security service.

Antivirus and anti-malware software are just one step in protecting your computer network. Employee training is another important aspect. Your employees should be trained not to open emails or attachments from email addresses they do not recognize. This is the number one way viruses bypass antivirus software and enter your network.

Our managed security services not only protect your computers; we also regularly assess your computer network for security vulnerabilities and recommend and implement ways to keep your network secure and protected.

Contact Us today for a free security assessment and how we can protect your computer network.

Windows XP and HIPAA Compliance.

It is no longer news that Microsoft will be ending support for Windows XP on April 8th 2014. If this is news to you, you can read up on it on my previous blog or at Microsoft.

As noted in my blog post, you are potentially exposing yourself to security and compliance risks if you are still running Windows XP after April 8th. Healthcare providers need to be aware of the potential HIPAA/HITECH violations that could result from this.

HIPAA has not explicitly stated that Windows XP systems will not be compliant after April 8th. However, after April 8th Microsoft will no longer provide security patches and other updates for the Windows XP operating system. Any Windows XP systems on your network will be in violation of HIPAA Security Rule Section 164.308(a)(5)(ii)(B):

“Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.”

It is possible to still use a Windows XP system in your practice after April 8th and be HIPAA compliant, but I do not recommend it. The Windows XP systems should be stand-alone systems not connected to any network. You also have to make sure patients’ PHI (Protected Health Information) is not stored on the system. This is only recommended if you have an old software program that will not run on newer operating systems.

HIPAA violations are not the only thing to worry about with Windows XP end of support. You also need to think about hackers and viruses that will exploit vulnerabilities in the operating system once support ends. Windows XP has been around for more than 12 years; that’s more than enough time to find all the vulnerabilities in it.

To Do List:

  • Start by performing an IT audit of your organization to find out how many Windows XP systems you have.
  • Perform a software audit on these systems and find out if they are compatible with a newer operating system (Windows 7/8/8.1).
  • Decide on which operating system (Windows 7/8/8.1 or Linux) to upgrade to. Windows 7 has the look and feel of Windows XP and most software/programs are compatible with it.
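The first item on the list, finding out how many Windows XP systems you have, is a query against Active Directory if your office has a domain (the earlier post on this page explains why a small business might). The script below is an added example, not code from the original post; it uses the real `Get-ADComputer` cmdlet from the ActiveDirectory (RSAT) module, which must be installed on a domain-joined admin workstation. The output path, the 90-day "still in use" window and the column choices are assumptions.

```powershell
# Added example (not from the original post): inventory Windows XP computer
# objects in Active Directory as the starting point for the IT audit.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined admin workstation.

Import-Module ActiveDirectory

$ReportPath  = "$env:USERPROFILE\Desktop\xp-inventory.csv"   # hypothetical output location
$ActiveSince = (Get-Date).AddDays(-90)                        # assumption: logon within 90 days = still in use

# AD records the OS name reported by each domain-joined computer, so any
# edition of Windows XP (Home, Professional, Tablet PC ...) matches this filter.
$xpHosts = @(
    Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
        -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, IPv4Address, LastLogonDate,
        @{ Name = 'StillInUse'; Expression = { $_.LastLogonDate -ge $ActiveSince } }
)

# Most recently used machines first: those are the ones to migrate before April 8th.
$xpHosts | Sort-Object LastLogonDate -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation

$inUse = @($xpHosts | Where-Object { $_.StillInUse }).Count
"{0} Windows XP computer object(s) found, {1} logged on in the last 90 days. Report: {2}" -f $xpHosts.Count, $inUse, $ReportPath
```

The CSV becomes the worksheet for the second step: add a column per line-of-business application on each machine and check it against the vendor's Windows 7/8 support statement. Computers that are not domain-joined will not appear, so walk the office once to catch those.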

Contact us to assist in migrating your systems.

Windows XP Support Is Coming to an End.

Support for the second most popular version of Windows is coming to an end. Windows XP will no longer be supported by Microsoft after April 8th 2014.

Windows XP is my favorite version of the Windows operating systems, so much so that I still have a couple of old and reliable computers running on it. I did everything I could to stay away from Windows Vista; I actually drove around the DFW metroplex back then searching for a Windows XP laptop. I completely skipped the Windows Vista upgrade and went directly to Windows 7 when it was released. I don’t think I was the only one that felt this way, because Microsoft released Windows 7 less than 3 years after Windows Vista’s release. Considering Windows Vista was released about 6 years after Windows XP, Windows 7 was released pretty early.

All of my clients still have at least one computer running Windows XP, and rightfully so. You can’t beat the reliability, compatibility and familiarity it has gained over the last decade. It is estimated that about 40% of small businesses are still running at least one Windows XP computer. Unfortunately Microsoft has decided to end support of Windows XP after 12 glorious years.

What Does Windows XP End of Support Mean?
So what does end of support for Windows XP mean? Well, your Windows XP computer does not stop working on April 9th 2014, but you need to start thinking about migrating to a modern computer with a newer Windows version. The most important thing you need to be aware of is that Microsoft will no longer provide security patches and updates. This exposes you to security and compliance risk, especially with the recent virus attacks and new HIPAA/HITECH compliance requirements. Also, your line of business (LOB) software and hardware vendors will likely stop supporting versions of their software on Windows XP systems.

How Do I Migrate Off Windows XP?
As a small business owner, you should at least migrate your critical systems still on Windows XP to either Windows 7 or 8 before support ends on April 8th. If your current Windows XP systems meet the minimum requirements of Windows 7, you can purchase and install Windows 7 Professional on them. However, it might impact the performance of those systems due to the increased resource requirements of Windows 7. If your systems do not meet the Windows 7 requirements, you should consider upgrading to a completely new system.

We are available to assist you with the migration while limiting the downtime and impact to your business. Contact us today for a free Windows XP migration assessment and readiness check.