3 Mistakes You’re Probably Making With Your Data Backups

Click the link below to read our article on Sally McKenzie’s Newsletter.

http://www.thedentistsnetwork.net/newsletters/print/edwards/printedwards196.html

Years ago, a pastor told a story about when he preached the same sermon to his congregation over and over, every Sunday week after week. The message was about the principles of tithing. After many weeks someone from the congregation finally asked him, “Pastor, when are you going to preach on something other than tithing?” The Pastor simply replied, “When you start doing it.”

You can apply that same idea to data backups. Everywhere you look, IT companies are “preaching” the simple steps to data security. Repetitive information, over and over, and yet we still encounter the heartache of business owners who didn’t think it applied to them – and the end result of data loss was very painful.

You shouldn’t depend on luck to protect your data. That’s why I’m going to preach to you 3 common missteps dental offices make with data backup that you might be making.

1. Not Verifying your Backup – How Much are you Willing to Lose?
Most of the time your backup solution works as planned, but not 100% of the time. To avoid an entirely avoidable ugly surprise, check the backup daily and make sure the data you “THINK” is being backed up is actually where it should be.

How frequently should you back up? That depends on how much you are willing to lose. If you could lose a week of data, then back up weekly. If the thought of that puts you into fits, then back up daily and redundantly to the cloud. Your cloud solution should be HIPAA compliant and savvy enough to have redundant systems and backups of your data. Cheap offsite backups like Mozy or Carbonite are either not HIPAA compliant or are very cumbersome with their recovery solution, costing you expensive down time.

If you had to store your life savings in your office, whom would you trust to check on it every day to ensure it was all still there and nothing was missing? The same trust factor should apply to the individual verifying your data backups. If you wouldn’t trust them with your life savings, you shouldn’t be entrusting them with the viability of your backup results. It’s your livelihood, not your employee’s. If you lose all your data, they’ll just move on to another job. You lose. No amount of money can get your data back once it’s gone.

2. Depending on Employees to Save and Backup Data to your Server
Many dental offices only back up their server; the problem is, employees often keep a LOT of critical documents and data on their workstations that are NOT being backed up. The right thing to do is automate your backups so ALL devices and data are backed up without depending on someone’s memory. You should be backing up ALL of your data and checking the results of EVERY backup. I’ve seen it time and time again where someone installs software on a workstation such as an accounting or time clock program and makes the assumption that the backup solution will automatically back it up.
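Mistakes 1 and 2 come down to the same daily question: is every file you expect to be backed up actually present, current, and identical in the backup? The script below is an added example, not code from the article or from PACT-ONE. It builds a small constructed office layout (a server share plus a front-desk workstation) in a temporary directory, hashes every file on both sides, and reports what a daily check should surface: files missing from the backup, files whose backup copy differs from the live copy, and backup sets older than the allowed age. The directory names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    if not root.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(sources: dict, backup_root: Path, max_age_hours: float = 24.0) -> dict:
    """Compare every live directory against its copy under backup_root.

    sources maps a label (e.g. "server", "frontdesk-pc") to the live directory;
    the backup copy is expected at backup_root / label.  Returns the discrepancies:
    files missing from the backup, files whose contents differ, and labels whose
    newest backup file is older than max_age_hours (or that have no backup at all).
    """
    report = {"missing": [], "changed": [], "stale": []}
    now = time.time()
    for label, src in sources.items():
        dst = backup_root / label
        live, copy = build_manifest(src), build_manifest(dst)
        for rel, digest in live.items():
            if rel not in copy:
                report["missing"].append(f"{label}/{rel}")
            elif copy[rel] != digest:
                report["changed"].append(f"{label}/{rel}")
        backed_up = [p for p in dst.rglob("*") if p.is_file()] if dst.is_dir() else []
        newest = max((p.stat().st_mtime for p in backed_up), default=0.0)
        if now - newest > max_age_hours * 3600:
            report["stale"].append(label)
    report["ok"] = not (report["missing"] or report["changed"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: the server share is backed up (one file out of date),
    the workstation running the time clock program was never added to the job."""
    tmp = Path(tempfile.mkdtemp())
    server = tmp / "live" / "server"
    workstation = tmp / "live" / "frontdesk-pc"
    backup = tmp / "backup"
    (server / "practice").mkdir(parents=True)
    (server / "practice" / "patients.db").write_bytes(b"constructed patient database")
    (server / "practice" / "schedule.db").write_bytes(b"constructed schedule v2")
    workstation.mkdir(parents=True)
    (workstation / "timeclock.dat").write_bytes(b"constructed time clock data")
    (backup / "server" / "practice").mkdir(parents=True)
    (backup / "server" / "practice" / "patients.db").write_bytes(b"constructed patient database")
    (backup / "server" / "practice" / "schedule.db").write_bytes(b"constructed schedule v1")
    return verify_backup({"server": server, "frontdesk-pc": workstation}, backup)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run daily against the real paths and treat anything other than `ok: True` as a ticket for whoever you trust with your life savings; hashing rather than comparing sizes or timestamps is what catches a copy that silently stopped updating.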

3. Having a Single Point of Failure and Not Choosing the Right Tool for the Job
If you’re still using outdated tape drives (and we hope you’re not) you might discover that nobody can remember the password to access the data on them. Or there may be only one person in the organization who knows where your data is being backed up and how to access it. A smart move would be to walk through a couple of “what if” scenarios to see if you actually have what you need to recover your data. A good, reliable backup and disaster recovery plan is essential for every business and should be installed and maintained by a pro. After all, if you knew there was a chance you could fall out of an airplane, would you want the cheapest parachute strapped to your back? Of course not – and that doesn’t mean you need to spend an arm and a leg for the most expensive one either.

Remember, an ounce of prevention is worth a pound of cure. Make sure the backup you “think” is running is actually happening. Just an accidental bump in the night can stop backup functionality. So don’t be like the congregation – “listen” and “start doing”. Find out what mistakes you’re making and correct them. Don’t wait to find out your computer backup is incomplete when it is most needed.

Dan Edwards is the CEO and Founder of PACT-ONE Solutions, one of the largest IT companies in the USA dedicated specifically to the needs of the dental professional.

He can be reached at dan.edwards@pact-one.com

Posted in backup, BDR, Cloud, HIPAA, HIPAA Omnibus, HITECH

Flaw in Apple iPhones, iPads and Macs could allow a hacker to beat encryption

FYI… Get those Macs, iPads and iPhones updated

iPhone and iPad: upgrade to iOS 7.0.6. This update requires a Wi-Fi connection to install and takes about 10-20 minutes.
Settings
General
Software Update
Download & Install
Accept License

http://news.yahoo.com/apple-says-security-flaw-could-allow-hackers-beat-012356290–finance.html

Apple security flaw could allow hackers to beat encryption

By Joseph Menn

SAN FRANCISCO (Reuters) – A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.
If attackers have access to a mobile user’s network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.
“It’s as bad as you could imagine, that’s all I can say,” said Johns Hopkins University cryptography professor Matthew Green.
Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited.
But a statement on its support website was blunt: The software “failed to validate the authenticity of the connection.”
Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.
Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.
After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OS X, running on Apple laptop and desktop computers. No patch is available yet for that operating system, though one is expected soon.
Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.
The issue is a “fundamental bug in Apple’s SSL implementation,” said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.
Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple’s stature and technical prowess.
The company was recently stung by leaked intelligence documents claiming that authorities had a 100 percent success rate in breaking into iPhones.
Friday’s news suggests that enterprising hackers could have had great success as well if they knew of the flaw.
(Reporting by Joseph Menn; Editing by Ken Wills and Robert Birsel)

Posted in Encryption, security issues, Security risk

LogMeIn Free Migrating to Paid Only

After 10 years, LogMeIn’s free remote access product, LogMeIn Free, is going away.

LogMeIn Free will now be a “paid only” offering (read in full here). Their portfolio of “free” and “premium” remote access will be unified into a single offering.

You will be receiving a notification the next time you open LogMeIn Free giving you a 7-day grace period to upgrade. Pact-One realizes this change may not be warmly welcomed. Due to this sudden shift, we want to introduce you to a solution that will provide an alternate option for you.

Call us to find out how we can save you money over the standard LogMeIn paid offering.

Posted in Technology

Bonus Christmas Video, “It was more than mere fun, miracles do happen when we all work as one.” WestJet employee.

The Canadian airline WestJet decided to do a “Christmas Miracle” video for its 2013 annual holiday video. The goal was getting 200,000 views, if it hit the number then it would donate flights to charity. As of 12/20/2013 it had 31 Million Views.

The idea behind the video was simple, but it took 175 WestJet employees to pull the whole thing off. WestJet set up a video feed so passengers outside of boarding gates for two Nov. 21 flights to Calgary could tell Santa Claus what they wanted for Christmas.

While those two flights were in the air — each was about four hours long — WestJet workers scrambled to buy everything the passengers had asked for. They ran to Best Buy and a nearby mall to buy cameras, phones, socks, underwear, and even a big-screen TV. They bought Ken dolls for the women who had asked for husbands. They bought toy cars for those who had requested a new car.

In all, they wrapped 357 gifts, labeled them and sent them down the baggage carousel to unsuspecting passengers. The result? A fun, heartwarming video that might even make Ebenezer Scrooge tear up a bit.

Happy Holidays!

In case you missed it, here is WestJet’s 2012 video.

Posted in Holiday

Beware of phone calls from Microsoft or Windows

There has been a rash of calls over the last year to businesses claiming to be from Microsoft or Windows. They claim to notice issues with your computer and offer to help. Please read the link below and never offer access to your computer.

http://www.nbcnews.com/technology/were-windows-anatomy-cold-calling-scam-6C10631331

Posted in HIPAA, HIPAA Omnibus, HITECH, malware, security issues, Security risk

Happy Thanksgiving from PACT-ONE

Posted in Holiday, Uncategorized

HIPAA Security Rule offers just a little leeway

Thank you to Mike Semel and 4medaproved for allowing us to share this valuable information.

Everyone complains that the HIPAA Security Rule is inconvenient—which it is—but it doesn’t mean you can break the security rules in your medical office any more than you can break security rules at airports, government buildings, and sporting events. Here are a few examples of the HIPAA Security Rule Required and Addressable controls that we see medical practices ignoring on a regular basis.

The HIPAA Security Rule’s Implementation Specifications are identified as being Required or Addressable. Addressable specifications are sometimes confused as being Optional, which is not true.

The US Department of Health & Human Services says “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” If you believe that an Addressable specification is not reasonable or appropriate, you must document your decision.

http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html

Required Controls

These controls are firm and you have no way to avoid them.

Unique User Identification – Required

No shared logins and passwords are allowed by the HIPAA Security Rule—none. All systems that provide access to electronic Protected Health Information (ePHI) must be able to track users and what files they create, access, and modify. This includes IT staff and outsourced IT providers that access systems housing patient information.
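One practical consequence of the Unique User Identification and Audit Controls requirements is that your logs can tell you when an account is being shared: a single username with a session open on two workstations at once is either one person in two chairs or several people on one login. The script below is an added example, not part of Mike Semel’s article or PACT-ONE’s tooling. It replays a constructed authentication log (the line format is an assumption; real domain logs look different) and flags any login that arrives while the same user still has a session open elsewhere.

```python
import re
from datetime import datetime

# Constructed sample of an authentication log; the format is an assumption
# made for this example, not the output of any real product.
SAMPLE_LOG = """\
2013-11-04 08:01:10 LOGIN user=jsmith host=FRONTDESK-1
2013-11-04 08:02:45 LOGIN user=frontdesk host=OP-1
2013-11-04 08:03:02 LOGIN user=frontdesk host=OP-2
2013-11-04 08:05:30 LOGIN user=rlee host=OP-3
2013-11-04 12:00:00 LOGOUT user=jsmith host=FRONTDESK-1
2013-11-04 13:10:00 LOGIN user=jsmith host=OP-3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) host=(?P<host>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, event, user, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("event"), m.group("user"), m.group("host")))
    return sorted(events)


def find_shared_logins(events: list) -> list:
    """Report logins that occur while the same user already has a session open on another host.

    Sessions are tracked per user as {host: login_time}; a LOGOUT closes the session on that host.
    Each finding names the user, the host already in use, the new host, and when it happened.
    """
    open_sessions = {}  # user -> {host: login_time}
    findings = []
    for ts, event, user, host in events:
        sessions = open_sessions.setdefault(user, {})
        if event == "LOGOUT":
            sessions.pop(host, None)
            continue
        for other_host in sessions:
            if other_host != host:
                findings.append({"user": user, "already_on": other_host,
                                 "new_host": host, "at": ts.isoformat(sep=" ")})
        sessions[host] = ts
    return findings


def audit_sample() -> list:
    """Run the check over the constructed log."""
    return find_shared_logins(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['at']}: {f['user']} logged in on {f['new_host']} while still on {f['already_on']}")
```

In the sample, `jsmith` moving from FRONTDESK-1 to OP-3 after logging out is fine, while the generic `frontdesk` account active on two operatories at once is exactly the shared login the rule forbids. The same per-user log lines are what the six-year audit trail has to contain, which is why a shared account defeats both controls at once.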

Risk Analysis – Required

Risk analysis is the very first requirement in the HIPAA Security Rule. HIPAA itself doesn’t say much, but the Office for Civil Rights (OCR) offers guidance for smaller practices and the National Institute of Standards and Technology (NIST) has a free 95-page guide. Beware: the Meaningful Use Office of the National Coordinator (ONC) says, “It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.” If you want to pass an audit, think twice about doing this yourself. Most HIPAA fines are based on a missing, old, or incomplete Risk Analysis.

Risk Management – Required

Many practices stop at the Risk Analysis and put it on the shelf in case of an audit. The HIPAA Security Rule requires you to document the actions you are going to take to reduce your risks or deal with them.

Disaster Plan

“Establish (and implement as needed) procedures to restore any loss of data.” Think less, not more. While common sense says every medical organization and business should have a plan to survive a disaster, the HIPAA Security Rule only cares about access to patient data. Document how you will recover access to your data and you will comply with the HIPAA Security Rule. Document how you will communicate with your staff, work from an alternate site, and operate after a disaster, and your organization will survive.

Business Associate Agreements – Required

The HIPAA Security Rule in 2005 did not give the HIPAA enforcers power to penalize Business Associates for breaches. This all changed with the HIPAA Omnibus Final Rule in 2013. Business Associate Agreements with new wording are required. Covered Entities are liable for the compliance of their Business Associates, and their Business Associates’ subcontractors. Don’t stop with the paperwork. Since you are liable you should validate that your vendors and their vendors actually comply with HIPAA.

Audit Controls – Required

While everyone thinks their patient data is housed exclusively in their EHR system, it is all over the place—server folders, laptops, desktop computer hard drives, portable drives, and smartphones. The HIPAA Security Rule requires that access logs be created and stored for six years. To do this your network must be a Domain, not a Workgroup.

Addressable (not Optional!) Controls

If you don’t think these are reasonable for your organization, you must identify a suitable alternative and document the reasons for your decision. Ignoring Addressable controls is a HIPAA Security Rule violation and is likely to cause a reportable data breach.

Encryption (data at rest) – Addressable

Encryption = No Data Breach. With all the reported data breaches why this isn’t Required by the HIPAA Security Rule is beyond me. Encrypting data is not expensive and a device with encrypted data that is lost or stolen is not reportable. Recently Advocate Health Care in Chicago had four computers stolen and breached 4 million records. A Missouri Orthodontist had their server stolen and breached 10,000 records. Would you rather pay millions of dollars to notify patients and pay fines or a lot less to encrypt your devices? Don’t stop at laptops—encrypt everything from thumb drives to servers.

Automatic Logoff/Lockout – Addressable

“This is so inconvenient!”

“It slows our practice down!”

“It’s such a pain to keep logging in!”

Deal with it: the alternatives for keeping patients away from an unlocked computer with access to patient records are pretty ugly and expensive. You could leave the patients in the waiting room while the doctor waits for them in the examining room. You could hire ‘watchers’ to sit in each examining room all day to ensure that patients don’t touch the computer. Be reasonable. Automatic logoff/lockout is far easier and much less expensive. This also extends to remote sessions from home.

Bottom Line

My advice is to consider all HIPAA Security Rule Implementation Specifications Required. You will be compliant, more secure, and reduce the risk of a reportable data breach, millions of dollars in costs, and tons of grief.

Please contact us at PACT-ONE to help guide you through what you need to do to comply with the new HIPAA rules.

Posted in HIPAA, HIPAA Omnibus, HITECH

Gifts for Deployed Armed Forces Families

We are helping collect gifts for families of deployed airmen. Please assist us by dropping off or shipping unwrapped presents prior to Dec 11th to our office, located at:
105 No. Pecos Rd., Suite #115
Henderson, NV 89074
Your donation is much appreciated by our dedicated Armed Forces and all of us at Pact-One!

Posted in military

Watch for hackers with Smart TVs, Webcams and Baby Monitors

Click the link below to learn more about how the hackers are finding their way into your home via your smart devices.

http://earlystart.blogs.cnn.com/2013/10/21/experts-are-learning-how-to-break-into-web-cams-and-tvs/?sr=fb102113webcames430p

Posted in security issues, Security risk

Urgent Notice – Adobe’s recent password hacking worse than initially feared

Urgent Notice,

The recent Adobe account theft that occurred in October is worse than originally disclosed. Based on new findings, the passwords were not securely hashed (scrambled one-way), so they can be, and have been, revealed. (see: http://www.csoonline.com/article/742570/adobe-confirms-stolen-passwords-were-encrypted-not-hashed)

To see if your email was in the database at Adobe check against this site: http://adobe.cynic.al/

I recommend changing your password there, and anywhere else you use the same password, immediately. This is another example of why using the same password in many places is risky. Most people don’t think much about their password at Adobe, but use the same one as their personal, work, and bank credentials. I strongly recommend against this. Create unique passwords everywhere and store them securely (such as in an encrypted KeePass database or using LastPass).

Below is the link to Adobe’s official information.
http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html?promoid=KHQGF
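The difference between “encrypted” and “hashed” passwords is the whole reason this notice matters, so here is an added example (not from Adobe, the linked article, or PACT-ONE) that puts the two side by side. The `toy_encrypt` function is a constructed stand-in for any reversible cipher used with one site-wide key (a repeating-key XOR, chosen only because it needs no library); what it demonstrates holds for a real cipher used the same way. The hashed side uses the standard library’s PBKDF2 with a random per-user salt. Usernames and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional


def toy_encrypt(password: bytes, key: bytes) -> bytes:
    """Constructed stand-in for reversible encryption under a single site-wide key.
    Two properties matter and hold for any cipher used this way: identical passwords
    give identical ciphertext, and whoever obtains the key gets every password back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def toy_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return toy_encrypt(ciphertext, key)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256) as a self-describing record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_storage_schemes() -> dict:
    """Two constructed users who chose the same password, stored both ways."""
    shared_password = "Summer2013!"          # constructed sample value
    site_key = b"constructed-site-wide-key"  # the one secret an encrypting site must keep
    enc_alice = toy_encrypt(shared_password.encode(), site_key)
    enc_bob = toy_encrypt(shared_password.encode(), site_key)
    rec_alice = hash_password(shared_password)
    rec_bob = hash_password(shared_password)
    return {
        # With encryption, the stolen table alone shows who shares a password,
        # and the stolen key turns every entry back into the password itself.
        "encrypted_identical": enc_alice == enc_bob,
        "encrypted_recoverable": toy_decrypt(enc_alice, site_key).decode() == shared_password,
        # With salted hashes, equal passwords look unrelated and there is no key to steal;
        # the site can still check a login attempt against the record.
        "hashed_identical": rec_alice == rec_bob,
        "hashed_verifies": verify_password(shared_password, rec_alice),
        "hashed_rejects_wrong": verify_password("Winter2013!", rec_alice),
    }


if __name__ == "__main__":
    for name, value in compare_storage_schemes().items():
        print(f"{name}: {value}")
```

The lesson for users is the one in the notice: a site that stores passwords reversibly can leak them outright, so a password reused at your bank is only as safe as the weakest site that holds it.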

Sincerely,

Dan Edwards

Posted in HIPAA, HIPAA Omnibus, HITECH, security issues, Security risk