Security Starts with the CEO Practical Security Considerations for the Orthodontic Practice - PowerPoint PPT Presentation

Slides: 65
Provided by: stevew94

Transcript and Presenter's Notes

1
Security Starts with the CEO: Practical Security Considerations for the Orthodontic Practice
Technology Integration and Security for the Orthodontist CEO
  • Steven P. McEvoy
  • MME Consulting, Inc.
  • 2006 The Orthodontist as CEO Conference
  • Sunday Feb 12, 2006

2
Security
  • Often Misunderstood
  • Neglected
  • Off by default
  • Inconvenient, slows you down
  • You're not Wells Fargo
  • No-one thinks about it (until ...)
  • Simple approaches can make a big difference

3
Security
  • Thought of in many forms
    • Physical
    • Operating Systems (i.e. Windows)
    • Practice Management Applications
    • Firewalls
    • Others ...

4
Security Starts at the Top
  • Baseless without CEO mandate
  • CEO must establish consistent and standard
    expectations
  • Trickle-down effect
  • If you ignore it, they will too

5
Cannot be Delegated
  • The mandate for security cannot be entirely
    passed off
  • No one appreciates security, and the staff will
    not appreciate whomever imposes it
  • It has to start with the CEO; the staff will
    respect it and toe the line

6
No Hollow Threats
  • Security doesn't work unless everyone
    participates, all the time
  • Should be a written policy
  • Should have repercussions if ignored

7
Seek a Realistic Balance
  • Complete Hardened Security would be a pain in the
  • We are not guarding the missile launch codes
  • Need to seek a realistic balance based on
    considered judgment

8
Considered Judgment?
  • What does HIPAA want?
  • You tell me!
  • Practical steps to protect patients' private
    information
  • Targeted more at Medical; Dental got caught up
  • Learn more at www.hipaa.org
  • See the AAO's legal counsel position at
    www.aaomembers.org

9
Peer Standards
  • What are your peers doing now?
  • Passwords in OS and PM Apps
  • Internet Firewalls
  • Starting to think about it in all aspects (even
    if not acting)
  • Giving HIPAA lip service mostly

10
Security
  • Let's get into the practical steps you can do now
    to make a big difference
  • Most of this will cost little if anything other
    than your time

11
Simple steps towards Security
Words of Caution: Tightening Security can be
inconvenient. It can break stuff, so be prepared.
12
Operating System Security
  • Your operating system (OS) is Windows, Mac or
    Unix
  • Built-in security that can prompt for a username
    and password when the computer is turned on
  • Windows 95/98/ME may look like it has security,
    but it's wide open.
  • Keeps the honest people out

13
Survey Windows Versions
  • Windows 95/98/Me?
  • Windows 2000?
  • Windows XP?
  • XP Service Pack 2 Installed?

14
Windows XP SP2
  • How long did it take to download?
  • Can be as much as 266MB
  • 20-30 minutes or more by DSL, hours by dial-up
    modem

15
How long can a naked PC survive directly
connected to the Internet?
  • Connected directly by DSL, Cable, Wireless or
    Modem
  • No Windows XP SP2
  • Not even logged in, just on
  • Days? Weeks? Months?

16
Internet Survival Time
Less than 20 minutes!
Source: Internet Storm Center, SANS Institute
(isc.sans.org)
17
And you thought that was bad
  • No built in defense for Pre-XP Operating Systems
  • Connecting a non-XP SP2 laptop wirelessly at a
    public Internet Hot-Spot is all it takes

18
Insights into the mind of a Computer Guy...
  • We've determined the cause of your computer's
    problem is the dreaded I-D-10-T error

I-D-10-T = IDIOT
19
  • Use Passwords

Make sure that all user accounts that can log
into a computer, including the local
Administrator account, have a password. Anything
is better than blank, and HIPAA requires it.
If you have a dedicated server at the office,
implement Windows Domain Security.
20
  • Choose a Good Password

A good password is a non-dictionary word,
contains at least one number and a case change.
Ideally it would be 7 characters or more. CowBoy9
is a good password; your child's first name is
not. See binder notes for how to change.
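The password rule from this slide and the "every account, including the local Administrator, must have a password" point from slide 19, as an added checker that is not part of the original presentation. The word list, family names and account list are constructed samples; a real audit would load a full dictionary and the practice's actual accounts.

```python
import re

# Constructed sample word list: a stand-in for the dictionary and family-name
# checks the slide describes. A real check would load a full word list.
DICTIONARY = {"cowboy", "password", "welcome", "summer", "orthodontist"}
FAMILY_NAMES = {"emily", "jacob", "madison"}

# Constructed sample of local accounts, modelled on slide 19's point that
# every login, including the local Administrator, needs a password.
SAMPLE_ACCOUNTS = [
    ("Administrator", ""),
    ("frontdesk", "emily"),
    ("drsmith", "CowBoy9"),
]


def check_password(pw, dictionary=DICTIONARY, names=FAMILY_NAMES):
    """Apply the slide's rule and return (ok, reasons).

    Rule: not a dictionary word or a family name, at least one number,
    a case change (both upper and lower case), and 7+ characters.
    The word check compares the whole password, case-insensitively,
    so 'CowBoy9' passes (as the slide says) while 'cowboy' fails.
    """
    if not pw:
        return False, ["blank"]
    reasons = []
    if pw.lower() in dictionary or pw.lower() in names:
        reasons.append("dictionary word or family name")
    if not re.search(r"\d", pw):
        reasons.append("no number")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        reasons.append("no case change")
    if len(pw) < 7:
        reasons.append("shorter than 7 characters")
    return not reasons, reasons


def audit_accounts(accounts):
    """Return {account: reasons} for every account whose password fails."""
    weak = {}
    for account, pw in accounts:
        ok, reasons = check_password(pw)
        if not ok:
            weak[account] = reasons
    return weak


if __name__ == "__main__":
    for account, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {', '.join(reasons)}")
```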
21
Install Windows XP Service Pack 2
Microsoft has included a personal firewall in
Windows XP (Home and Pro). It was OFF by default
with the original version of XP and in
SP1. Downloading and installing SP2 will enable
it and Automatic Updates. Microsoft is finally
getting serious about security.
22
Software Firewalls
A firewall by definition is designed to keep the
chaos on one side of the wall from reaching the
other side. Your PC is on one side, and the rest
of your practice network and/or the Internet is
on the other. Nothing is allowed in, but
everything is normally allowed out. Only as good
as the software itself.
23
Firewall Exceptions
  • Enable the Exceptions you need.
  • You need to consider:
    • Remote Access
    • Security Keys
    • SQL Settings
  • This is not a trivial issue
  • Consult your software vendors for specifics

24
Get Microsoft Windows Critical Updates
Windows operating systems have programming bugs
that may make it possible for others to take over
your computer or to launch viruses. Critical
updates and service packs help fix these bugs. If
your computer tells you that there are critical
updates available for your computer, you should
install them. See binder notes for how to get
them.
25
Which Updates to Install?
  • Criticals Always
  • Windows XP If needed
  • Driver Updates with Caution

26
Enable Automatic Updates
  • Turn on Automatic Updates
  • Let the system update itself automatically
    everyday
  • Only Applies the Critical Updates

Learn more online at
http://www.microsoft.com/athome/security/update/bulletins/automaticupdates.mspx
27
Lock the PC when you walk away
  • Protect your PC when you walk away
  • Use Windows-L to lock the console
  • Enable lock on screen saver
  • When someone returns, the Windows password is
    required to continue working
  • Prevents unauthorized people from walking up and
    sneaking on a PC when you are away for a moment
  • See the binder notes for details

28
Insights into the mind of a Computer Guy...
  • "Do you mean the letter zero
  • or the number?"

29
Practice Management Software
  • Most every application has its own internal
    username and password system to control access to
    patient information
  • This is the Last Line of Defense

30
PM Software Security
  • Rarely does a practice put effort into this,
    everyone can usually do everything
  • Pleeeeese, spend the half day learning and
    configuring, your PM vendor support team will
    help
  • Fingerprint readers (Biometrics) are emerging to
    make this a bit better

31
PM Software Security: User Rights
  • Receptionist
    • Schedule
  • Treatment Coord
    • Schedule
    • Financials
  • Clinical Staff
    • Treatment Card
  • Manager
    • Financials and Adjustments
    • Control Security
  • Doctor
    • Complete Access

32
Backup
  • You do backup right?
  • How do you know that your backup worked?
  • One of the dirty jobs in a practice, like taking
    out the trash.

33
What does Backup have to do with Security?
  • What do you do with your tapes? Each tape has a
    complete copy of all your practice data on it,
    and must be controlled.
  • What if your office is cleaned out? Your off-site
    tape is your last copy of the patients'
    information; you need to have it.

34
Backup Safety Tips
  • Keep the onsite tapes stored in a small media
    safe lock box
  • Keep your offsite tape in your control (you have
    an offsite right?)
  • Enable password security in your backup job to
    require a password to do a restore
  • Use built-in password security in the data files
    of applications like Quickbooks and Excel

35
Document your Network
  • Do you know where your data is?
  • Do you know who the users are?
  • Do you know all the passwords?
  • Who knows what passwords? You need to know in
    case someone leaves.
  • Keep this information under lock and key, and
    keep the key to yourself.

36
Physical Controls
  • HIPAA wants this
  • Useful to thwart theft of data, keeping honest
    people honest
  • Simple Physical Controls
    • Office alarm system
    • Server in locked inner room with limited access
    • Server locked to the desk
    • Server front cover locked
    • Lock your tapes and external drives

37
Internet Security: Why connect your Practice to
the Internet?
38
Many Good Things
  • AAO/ABO
39
Bad Things Galore
  • Hackers
  • SPAM
  • Spyware
40
Internet Security
  • Practice Safe Surfing
  • Use a Firewall

41
Use a Firewall
If you connect to the Internet, you need a
firewall. If it's for a business, get a hardware
firewall. Do not just rely on the Windows XP
built-in firewall. A hardware firewall is also an
ideal choice for home. If you use dial-up
Internet access, a software firewall (such as XP
SP2's) would be a good start.
42
Firewall Recommendations
  • A basic hardware firewall costs only $55
    (i.e. Linksys BEFSR41)
  • A hardware firewall with VPN and wireless
    connectivity costs $160 (i.e. Linksys WRV54G)
43
Use Antivirus Software
Antivirus software should be installed on EVERY
PC, not just ones considered likely to get a
virus. A virus that gets into a network can move
quickly to any other PC on the network if
unprotected. This is not very hard to do today.
44
Update your Antivirus Software DAILY!
Installing the software is only the first
step. Configure the antivirus software to
automatically update itself everyday. This is
usually not the default setting. If you aren't
doing this, you have no protection against a
virus that was released yesterday if the last
time you updated was a week ago.
45
Antivirus Recommendations
  • A great choice for Office or home, about $34 per
    PC
  • A good choice for home, about $44 per PC
46
SPAM
Spam is defined by Webster's as "Unsolicited
e-mail, often of a commercial nature, sent
indiscriminately to multiple mailing lists,
individuals, or newsgroups; junk e-mail".
47
Spam Facts
  • It's Really Annoying
  • 85% of email traffic flowing on the Internet is
    SPAM
  • It's illegal in many states
  • Often leads to Spyware
  • It's a fact of Internet Life

48
Stopping SPAM
  • Our best chances at reducing SPAM come from:
    • Not giving out your email address to strangers
    • Never unsubscribing from SPAM emails (this will
      confirm you exist to them and they will send even
      more)
    • Using SPAM filtering software to sort it out for
      you

49
Spyware
  • A relatively new beast in town
  • Utilizes and controls your computer without your
    knowledge, acquiring information about you, your
    habits, etc.
  • a.k.a. Ad-Ware
  • Is becoming a major issue for computers
    everywhere (at Home and at the Practice)

50
Spyware Infested PC
51
Spyware Infested PC
52
Spyware Infested PC
53
Spyware Symptoms
  • Uncontrolled Pop-ups
  • Computer is slowing down
  • You can hear the hard drive always working, even
    while idle

54
Spyware Prevention
  • Anti-Spyware and Ad-ware Software
    • No clear best of class
    • Ad-Aware
    • PestPatrol (now owned by CA)
    • Microsoft Malicious Software Detection Tool
    • Symantec Antivirus Corporate Ed.
  • Install a Popup blocker
  • Prevention is best: Be Spyware Aware

55
Be Spyware Aware
  • Don't be suckered by popups; close using the X or
    Alt-F4
  • Free software really isn't free
  • Use Business PCs for Business Purposes

56
Summary
  • Lead the charge to security in your practice
  • Use Passwords, and choose good ones
  • Apply Windows Updates
  • Turn on Automatic Updates
  • Install XP SP2
  • Enable Windows XP Firewall
  • Lock your PCs when away from them
  • Use PM embedded Security
  • Configure PM Security Roles
  • Backup your data and protect it
  • Know your network by Documenting it
  • Physically secure your data by locking it up
  • Use Antivirus Software Everywhere
  • Automatically Update Antivirus
  • Use a Hardware Firewall
  • Don't give out your email
  • Use a SPAM Filter
  • Be smart about Spyware

Even if you think you have it covered, review
your systems!
57
Thank You!
  • steve_at_mmeconsulting.com
  • Presentation Online at
  • www.mmeconsulting.com/presentations

See you in Las Vegas at the AAO 2006!
58
(No Transcript)
59
Wireless Networking
  • Ahhh, wireless. Utopia for the cabling impaired.
  • Not a fad, it's here to stay
  • Built-in to many new devices
  • Hot spots are everywhere, and your office too!
  • Not ready for business prime time

60
Wireless Standards
  • 802.11b - 11 Mbps - 150 feet
  • 802.11a - 54 Mbps - 50 feet
  • 802.11g - 54 Mbps - 150 feet
  • .b and .g use 2.4GHz
  • .a uses 5 GHz
  • Betamax vs. VHS
  • We hedge and buy a/b/g WAPs, and rely on .g

61
What is Wireless Good for?
  • NOT for use with primary business PCs
  • Tablets
  • Doctor's Laptop
  • Waiting Room Hot Spot
    • Put up a small sign
    • Inexpensive
    • Sexy
  • Start using it, just in the right capacity

62
Insights into the mind of a Computer Guy...
  • People pay us to tell them to reboot their
    computers

63
Insights into the mind of a Computer Guy...
After a thorough evaluation we have determined
that the Problem Exists Between Keyboard And
Chair
64
Insights into the mind of a Computer Guy...
The different classes of technology
  • Hardware
  • Software
  • Skinware
    • a.k.a. Wetware, Meatware, Liveware