Title: Security Starts with the CEO: Practical Security Considerations for the Orthodontic Practice
1 Security Starts with the CEO: Practical Security Considerations for the Orthodontic Practice
Technology Integration and Security for the Orthodontist CEO
- Steven P. McEvoy
- MME Consulting, Inc.
- 2006 The Orthodontist as CEO Conference
- Sunday Feb 12, 2006
2 Security
- Often Misunderstood
- Neglected
- Off by default
- Inconvenient, slows you down
- You're not Wells Fargo
- No-one thinks about it (until ...)
- Simple approaches can make a big difference
3 Security
- Thought of in many forms
- Physical
- Operating Systems (i.e. Windows)
- Practice Management Applications
- Firewalls
- Others ...
4 Security Starts at the Top
- Baseless without CEO mandate
- CEO must establish consistent and standard expectations
- Trickle-down effect
- If you ignore it, they will too
5 Cannot be Delegated
- The mandate for security cannot be entirely passed off
- No one appreciates security, and the staff will not appreciate whoever imposes it
- It has to start with the CEO; then the staff will respect it and toe the line
6 No Hollow Threats
- Security doesn't work unless everyone participates, all the time
- Should be a written policy
- Should have repercussions if ignored
7 Seek a Realistic Balance
- Complete Hardened Security would be a pain in the ...
- We are not guarding the missile launch codes
- Need to seek a realistic balance based on considered judgment
8 Considered Judgment?
- What does HIPAA want?
- You tell me!
- Practical steps to protect patients' private information
- Targeted more at Medical; Dental got caught up in it
- Learn more at www.hipaa.org
- See the AAO's legal counsel position at www.aaomembers.org
9 Peer Standards
- What are your peers doing now?
- Passwords in OS and PM Apps
- Internet Firewalls
- Starting to think about it in all aspects (even if not acting)
- Giving HIPAA lip service mostly
10 Security
- Let's get into the practical steps you can do now to make a big difference
- Most of this will cost little if anything other than your time
11 Simple steps towards Security
Words of Caution: Tightening Security can be inconvenient. It can break stuff, so be prepared.
12 Operating System Security
- Your operating system (OS) is Windows, Mac or Unix
- Built-in security that can prompt for a username and password when the computer is turned on
- Windows 95/98/ME may look like it has security, but it's wide open.
- Keeps the honest people out
13 Survey Windows Versions
- Windows 95/98/Me?
- Windows 2000?
- Windows XP?
- XP Service Pack 2 Installed?
14 Windows XP SP2
- How long did it take to download?
- Can be as much as 266MB
- 20-30 minutes or more by DSL, hours by dial-up modem
15 How long can a naked PC survive directly connected to the Internet?
- Connected directly by DSL, Cable, Wireless or Modem
- No Windows XP SP2
- Not even logged in, just on
- Days? Weeks? Months?
16 Internet Survival Time
Less than 20 minutes!
Source: Internet Storm Center, SANS Institute (isc.sans.org)
17 And you thought that was bad
- No built-in defense for Pre-XP Operating Systems
- Connecting a non-XP SP2 laptop wirelessly at a public Internet Hot-Spot is all it takes
18 Insights into the mind of a Computer Guy ...
- We've determined the cause of your computer's problem is the dreaded I-D-10-T error
- I-D-10-T = IDIOT
19 Make sure that all user accounts that can log into a computer, including the local Administrator account, have a password. Anything is better than blank, and HIPAA requires it.
If you have a dedicated server at the office, implement Windows Domain Security.
20 A good password is a non-dictionary word, contains at least one number and a case change. Ideally it would be 7 characters or more. CowBoy9 is a good password; your child's first name is not. See binder notes for how to change.
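The rule above written out as a checker, added here as an example (it is not code from the deck or from MME Consulting); the small word list and the sample family names are constructed stand-ins for a real dictionary file.

```python
import re

# Constructed stand-in for a real dictionary file (an assumption, not from the
# slides); a real check would load a full word list.
DICTIONARY = {"cowboy", "password", "welcome", "orthodontist", "braces", "letmein"}


def password_problems(password, known_names=()):
    """List every way `password` misses the deck's rule: a non-dictionary
    word with at least one number and a case change, ideally 7 characters
    or more, and not a family member's first name."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no case change")
    lowered = password.lower()
    # "CowBoy9" is not itself a dictionary word, which is what the deck means
    # by non-dictionary, so the whole password is looked up, not its letters.
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    # A child's name with digits tacked on is still the child's name, so
    # digits are stripped for this check only.
    if re.sub(r"[0-9]", "", lowered) in {n.lower() for n in known_names}:
        problems.append("family member's name")
    return problems


def is_good_password(password, known_names=()):
    """True when the password passes every check in password_problems."""
    return not password_problems(password, known_names)


if __name__ == "__main__":
    # Sample candidates and a constructed family name for illustration.
    for candidate in ("CowBoy9", "emily", "Emily1234", "Welcome"):
        print(candidate, "->", password_problems(candidate, ["Emily"]) or "OK")
```

This is the deck's 2006 rule; current guidance (NIST SP 800-63B) puts more weight on length and on screening against lists of breached passwords than on composition rules.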
21 Install Windows XP Service Pack 2
Microsoft has included a personal firewall in Windows XP (Home and Pro). It was OFF by default with the original version of XP and in SP1. Downloading and installing SP2 will enable it and Automatic Updates. Microsoft is finally getting serious about security.
22 Software Firewalls
A firewall by definition is designed to keep the chaos on one side of the wall from reaching the other side. Your PC is on one side, and the rest of your practice network and/or the Internet is on the other. Nothing is allowed in, but everything is normally allowed out. It is only as good as the software itself.
23 Firewall Exceptions
- Enable the Exceptions you need.
- You need to consider
  - Remote Access
  - Security Keys
  - SQL Settings
- This is not a trivial issue
- Consult your software vendors for specifics
24 Get Microsoft Windows Critical Updates
Windows operating systems have programming bugs that may make it possible for others to take over your computer or to launch viruses. Critical updates and service packs help fix these bugs. If your computer tells you that there are critical updates available for your computer, you should install them. See binder notes for how to get them.
25 Which Updates to Install?
- Criticals: Always
- Windows XP: If needed
- Driver Updates: with Caution
26 Enable Automatic Updates
- Turn on Automatic Updates
- Let the system update itself automatically every day
- Only Applies the Critical Updates
Learn more online at http://www.microsoft.com/athome/security/update/bulletins/automaticupdates.mspx
27 Lock the PC when you walk away
- Protect your PC when you walk away
- Use Windows-L to lock the console
- Enable lock on screen saver
- When someone returns, the Windows password is required to continue working
- Prevents unauthorized people from walking up and sneaking on a PC when you are away for a moment
- See the binder notes for details
28 Insights into the mind of a Computer Guy ...
- "Do you mean the letter zero or the number?"
29 Practice Management Software
- Most every application has its own internal username and password system to control access to patient information
- This is the Last Line of Defense
30 PM Software Security
- Rarely does a practice put effort into this; everyone can usually do everything
- Pleeeeese, spend the half day learning and configuring; your PM vendor support team will help
- Fingerprint readers (Biometrics) are emerging to make this a bit better
31 PM Software Security: User Rights
- Receptionist
  - Schedule
- Treatment Coord
  - Schedule
  - Financials
- Clinical Staff
  - Treatment Card
- Manager
  - Financials and Adjustments
  - Control Security
- Doctor
  - Complete Access
32 Backup
- You do backup, right?
- How do you know that your backup worked?
- One of the dirty jobs in a practice, like taking out the trash.
33 What does Backup have to do with Security?
- What do you do with your tapes? Each tape has a complete copy of all your practice data on it, and must be controlled.
- What if your office is cleaned out? Your off-site tape is your last copy of the patients' information; you need to have it.
34 Backup Safety Tips
- Keep the onsite tapes stored in a small media safe lock box
- Keep your offsite tape in your control (you have an offsite, right?)
- Enable password security in your backup job to require a password to do a restore
- Use built-in password security in the data files of applications like Quickbooks and Excel
35 Document your Network
- Do you know where your data is?
- Do you know who the users are?
- Do you know all the passwords?
- Who knows what passwords? You need to know in case someone leaves.
- Keep this information under lock and key, and keep the key to yourself.
36 Physical Controls
- HIPAA wants this
- Useful to thwart theft of data, keeping honest people honest
- Simple Physical Controls
  - Office alarm system
  - Server in locked inner room with limited access
  - Server locked to the desk
  - Server front cover locked
  - Lock your tapes and external drives
37 Internet Security: Why connect your Practice to the Internet?
38 Many Good Things
AAO/ABO
39 Bad Things Galore
Hackers
SPAM
Spyware
40 Internet Security
- Practice Safe Surfing
- Use a Firewall
41 Use a Firewall
If you connect to the Internet, you need a firewall. If it's for a business, get a hardware firewall. Do not just rely on the Windows XP built-in firewall. A hardware firewall is also an ideal choice for home. If you use dial-up Internet access, a software firewall (such as XP SP2) would be a good start.
42 Firewall Recommendations
- A basic hardware firewall costs only $55 (e.g. Linksys BEFSR41)
- A hardware firewall with VPN and wireless connectivity costs $160 (e.g. Linksys WRV54G)
43 Use Antivirus Software
Antivirus software should be installed on EVERY PC, not just ones considered likely to get a virus. A virus that gets into a network can move quickly to any other PC on the network if unprotected. This is not very hard to do today.
44 Update your Antivirus Software DAILY!
Installing the software is only the first step. Configure the antivirus software to automatically update itself every day. This is usually not the default setting. If you aren't doing this, you have no protection against a virus that was released yesterday if the last time you updated was a week ago.
45 Antivirus Recommendations
- A great choice for Office or home, about $34 per PC
- A good choice for home, about $44 per PC
46 SPAM
Spam is defined by Webster's as "Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail".
47 Spam Facts
- It's Really Annoying
- 85% of email traffic flowing on the Internet is SPAM
- It's illegal in many states
- Often leads to Spyware
- It's a fact of Internet Life
48 Stopping SPAM
- Our best chances at reducing SPAM come from
  - Not giving out your email address to strangers
  - Never unsubscribe from SPAM emails (this will confirm you exist to them and they will send even more)
  - Using SPAM filtering software to sort it out for you
49 Spyware
- A relatively new beast in town
- Utilizes and controls your computer without your knowledge, acquiring information about you, your habits, etc.
- a.k.a. Ad-Ware
- Is becoming a major issue for computers everywhere (at home and at the practice)
50-52 Spyware Infested PC (three screenshot slides)
53 Spyware Symptoms
- Uncontrolled Pop-ups
- Computer is slowing down
- You can hear the hard drive always working, even
while idle
54 Spyware Prevention
- Anti-Spyware and Ad-ware Software
  - No clear best of class
  - Ad-Aware
  - PestPatrol (now owned by CA)
  - Microsoft Malicious Software Detection Tool
  - Symantec Antivirus Corporate Ed.
- Install a Popup blocker
- Prevention is best: Be Spyware Aware
55 Be Spyware Aware
- Don't be suckered by popups; close using the X or Alt-F4
- Free software really isn't free
- Use Business PCs for Business Purposes
56 Summary
- Lead the charge to security in your practice
- Use Passwords, and choose good ones
- Apply Windows Updates
- Turn on Automatic Updates
- Install XP SP2
- Enable Windows XP Firewall
- Lock your PCs when away from them
- Use PM embedded Security
- Configure PM Security Roles
- Backup your data and protect it
- Know your network by Documenting it
- Physically secure your data by locking it up
- Use Antivirus Software Everywhere
- Automatically Update Antivirus
- Use a Hardware Firewall
- Don't give out your email
- Use a SPAM Filter
- Be smart about Spyware
Even if you think you have it covered, review your systems!
57 Thank You!
- steve_at_mmeconsulting.com
- Presentation Online at
- www.mmeconsulting.com/presentations
See you in Las Vegas at the AAO 2006!
59 Wireless Networking
- Ahhh, wireless. Utopia for the cabling impaired.
- Not a fad, it's here to stay
- Built-in to many new devices
- Hot spots are everywhere, and your office too!
- Not ready for business prime time
60 Wireless Standards
- 802.11b - 11 Mbps - 150 feet
- 802.11a - 54 Mbps - 50 feet
- 802.11g - 54 Mbps - 150 feet
- .b and .g use 2.4 GHz
- .a uses 5 GHz
- Betamax vs. VHS
- We hedge and buy a/b/g WAPs, and rely on .g
61 What is Wireless Good for?
- NOT for use with primary business PCs
- Tablets
- Doctor's Laptop
- Waiting Room Hot Spot
  - Put up a small sign
  - Inexpensive
  - Sexy
- Start using it, just in the right capacity
62 Insights into the mind of a Computer Guy ...
- People pay us to tell them to reboot their computers
63 Insights into the mind of a Computer Guy ...
After a thorough evaluation we have determined that the Problem Exists Between Keyboard And Chair
64 Insights into the mind of a Computer Guy ...
The different classes of technology:
- Software
- Skinware (a.k.a. Wetware, Meatware, Liveware)