Healthcare providers and mobile devices

If you’re a healthcare services provider who utilizes mobile devices in daily operations, you need to ensure the patient data stored and handled by those devices are safe and private. Let's take a look at mobile data security and some of the ways you can keep your sensitive patient information secure.


Why does data security matter so much to healthcare providers?

As a healthcare provider, you’re subject to regulations by the Health Insurance Portability and Accountability Act (HIPAA), which governs how medical data is stored, accessed, and transferred. HIPAA’s objective is to protect patient privacy.

Under this regulation, you’re required to take security measures to ensure your patient data, including data handled by mobile devices, is kept private and secure. If your practice suffers a data breach or fails to comply with HIPAA regulations, you will be subject to heavy fines ranging from $50,000 to $1.5 million.

Some tips to help you stay compliant

It's important to make sure your IT policies and practices adhere to HIPAA standards. Here's what you have to do:

Risk assessment:

This is required under the HIPAA Security Rule. You must regularly audit your entire IT infrastructure, including the equipment and systems that store, transmit, or handle electronic Protected Health Information (ePHI) as well as your company policies.

Data encryption:

Even though encryption for data “at rest” isn’t required by HIPAA (only data “in motion” is governed), encryption is one of the best ways to ensure data privacy and security. It’s crucial to protect your patient data on all mobile devices with end-to-end encryption.

Anti-virus software:

All mobile devices need to have the latest versions of antivirus software installed.

Information Access Controls:

It’s recommended that you allow only devices that have security controls to connect to your healthcare data network, and that all devices be scanned before making the connection. For certain data, especially highly confidential data, you can prevent it from being accessed by certain staff or from being downloaded onto individual devices.

It’s also a good practice to keep your employees’ personal and work data separate, so when you eventually have to delete ePHI from their devices, you can do so without wiping out your employees’ personal contacts and apps.

In case your employees’ devices are lost or stolen, you also need an app that allows you to remotely delete data stored on mobile devices.

No to SMS:

Never send ePHI or other critical information via Short Message Service (SMS), since SMS networks are not secure. If you need to send short messages, use secure text messaging apps instead.

Employees:

You need to enforce a secure password policy within your workplace, which compels your employees to create and maintain strong passwords. As for applications, since many apps may contain malware or security flaws, you also need to control which apps your employees can download.

What’s more, public Wi-Fi networks are highly insecure, so your employees need to be aware that accessing data over these networks is not safe. If it’s unavoidable, they must use a VPN when accessing the data and communicate through secure text messaging apps so that their communications can’t be intercepted on a public network.

It’s also recommended to have regular security awareness training seminars and build a strong, security-focused culture. When an employee resigns, you have to delete ePHI from their devices and terminate their access rights to data immediately.

Healthcare IT security is complex and the stakes of non-compliance are high. This is why it's important to partner with an experienced IT provider who can help protect your data and ensure your practice is compliant with HIPAA standards. Contact us today!

Published with permission from TechAdvisory.org. Source.

The post Healthcare providers and mobile devices appeared first on Complete Technology Resources, Inc..


Watch out for the huge KRACK in WiFi security!

A fundamental flaw with WiFi networks has recently been discovered by two security researchers. According to their reports, the KRACK vulnerability renders advanced encryption protocols useless and affects nearly every wireless device. Read on to find out more about KRACK hacks and how you can defend against them.


What is KRACK?
Simply put, KRACK, short for ‘key reinstallation attack,’ allows hackers to bypass WPA2 -- a security protocol used by routers and devices to encrypt activity -- and intercept sensitive data passing between a mobile device and the wireless router, including login details, credit card numbers, private emails, and photos.

In extreme cases, KRACKed devices can be remotely controlled. For example, hackers can log in to your surveillance systems and shut them down.

What’s worse, Internet of Things devices -- like smart thermostats and IP cameras -- rarely receive security fixes, and even when fixes are available, applying them is difficult, as these devices tend to have complex user interfaces.

The good news, however, is you can do several things to mitigate the risks.

Download patches immediately
According to recent reports, security patches have already been released for major platforms, including iOS, Windows, and Android. Router manufacturers such as Ubiquiti, MikroTik, Meraki, and Fortinet have also issued firmware updates, so make sure to install them as soon as possible.

Although IoT patches are rare, consider getting your smart devices from reputable vendors that push out updates regularly. It’s also a good idea to contact a managed services provider to install the updates for you.

Use Ethernet connections
Some wireless routers don’t yet have a security patch, so while you’re waiting, use an Ethernet cable and disable your router’s wireless setting. Turn off the WiFi on your devices as well to make sure you’re not connecting to networks susceptible to KRACK.

Stay off public networks
Free public WiFi networks -- even ones that are password-protected -- in your local cafe should also be avoided because they usually don’t have holistic security measures in place, making them easy targets for cybercriminals.

Connect to HTTPS websites
If you do need to connect to a public WiFi hotspot, visit websites that start with “HTTPS,” and stay away from ones that are prefaced with “HTTP.” This is because HTTPS websites encrypt all traffic between your browser and the website, regardless of whether the connection is vulnerable to KRACK.

Hop on a Virtual Private Network (VPN)
You can also use a VPN service to hide all network activity. Simply put, VPNs encrypt your internet connection so that all the data you’re transmitting is safe from prying eyes.

Although the potential impact of a KRACK hack is devastating, security awareness and top-notch support are the best ways to stay safe online. Want more security tips? Contact us today.

Published with permission from TechAdvisory.org. Source.

The post Watch out for the huge KRACK in WiFi security! appeared first on Complete Technology Resources, Inc..


Secure your passwords now

For years, we’ve been told that strong passwords include three things: upper and lower-case letters, numbers, and symbols. And why wouldn’t we, when the National Institute of Standards and Technology (NIST) told us they were the minimum for robust passwords? Here’s why that advice was flawed and how it affects you.


The problem

The issue isn’t necessarily that NIST advised people to create passwords that are easy to crack, but it did steer people into creating lazy passwords, using capitalization, special characters, and numbers that are easy to predict, like “P@ssW0rd1.”

This may seem secure, but in reality, these strings of characters and numbers could easily be compromised by hackers using common algorithms.

To make matters worse, NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, most only added one number or symbol.

NIST essentially forced everyone, including you and your colleagues, to use passwords that are hard for humans to remember but easy for computers to guess.

The solution

One cartoonist pointed out just how ridiculous NIST’s best practices were when he revealed that a password like “Tr0ub4dor&3” could be cracked in only three days while a password like “correcthorsebatterystaple” would take about 550 years.

Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to make sense of.
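To see where the “three days” versus “550 years” figures come from, here is an added example (not part of the original post) that generates a random passphrase and works the arithmetic through. It assumes the cartoon’s usual model: a 2048-word list, a 28-bit budget for a “Tr0ub4dor&3”-style password, and an attacker making 1,000 guesses per second; the word list below is constructed for the demo.

```python
import math
import secrets

# Constructed stand-in for a real 2048-word passphrase list (assumption for the demo).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "river", "candle", "orbit", "velvet"]

# Bit budget the cartoon assigns to a "Tr0ub4dor&3"-style password (assumed model):
# an uncommon base word plus a few predictable tweaks the cracker already knows about.
TROUBADOR_MODEL = {
    "uncommon base word": 16,
    "capitalisation": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "trailing numeral": 3,
    "punctuation choice": 4,
    "numeral/punctuation order": 1,
}


def modeled_bits(model: dict) -> int:
    """Total entropy of a structured password under the given per-tweak bit budget."""
    return sum(model.values())


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words picked uniformly and independently from wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every one of the 2**bits candidates at a fixed guess rate."""
    return (2.0 ** bits) / guesses_per_second


def make_passphrase(num_words: int, words: list) -> str:
    """Pick words with the secrets module (CSPRNG), never random.choice, for real use."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    rate = 1000.0  # assumed offline guess rate from the cartoon
    days = seconds_to_exhaust(modeled_bits(TROUBADOR_MODEL), rate) / 86400
    years = seconds_to_exhaust(passphrase_bits(4, 2048), rate) / (365.25 * 86400)
    print(f"Tr0ub4dor&3 model: {days:.1f} days; 4-word passphrase: {years:.0f} years")
    print("example passphrase:", make_passphrase(4, SAMPLE_WORDS))
```

The 28-bit budget reflects that crackers try those substitutions automatically, so the tweaks add far less than they appear to; four random dictionary words add 11 bits each.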

Even better, you should enforce the following security solutions within your company:  

  • Multi-factor Authentication - which only grants access after you have successfully presented several pieces of evidence
  • Single Sign-On - which allows users to securely access multiple accounts with one set of credentials
  • Account Monitoring Tools - which recognize suspicious activity and lock out hackers

When it comes to security, ignorance is the biggest threat. If you’d like to learn about what else you can do to fortify security, just give us a call.

Published with permission from TechAdvisory.org. Source.

The post Secure your passwords now appeared first on Complete Technology Resources, Inc..


Equifax’s Leak: lessons learned

No business owner wants their customers’ data leaked, but no matter how good your prevention plan is, the unexpected can happen. And when it does, what will determine the fate of your business is how well you respond to it. So before you start planning an incident response, read the following story and recite this: Don’t walk in the footsteps of Equifax.

What happened to Equifax?

Equifax, the huge American credit agency, announced in September 2017 that its database had been hacked, resulting in a leak of vast amounts of consumers' private data, including the personally identifiable information of around 143 million US citizens. This included names, social security numbers, addresses, birthdates, and credit card and driver’s license numbers.

Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.

Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.

Fortunately for Equifax’s customers, the fake phishing site had been set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So no further harm was done to the already-affected customers, and Equifax was left with even more embarrassment.

So what did Equifax do wrong?

One of the huge mistakes Equifax made in responding to its data breach was setting up a new website to give updated information to its consumers outside of its main domain, equifax.com.

Why? You first need to know that since the invention of phishing scams, phishers have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are the common misspellings of their real domains.

You should also know that phishers can’t create a web page on the company’s main domain, so if Equifax’s new site was hosted there, it’d be easy for customers to tell whether the new page was legitimate and not be fooled by a fake domain name.

What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.

Don’t repeat Equifax’s mistake

Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defense plan, you also need to have the right incident response plan in place.

So, once you’ve discovered a leak, the first thing to do is be upfront with your customers and notify them as soon as possible.

You also need to establish a message that includes the following information:

  • How the leak occurred
  • How the leak could affect your customers
  • How you will prevent future attacks
  • What your company will do to support affected customers

You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.
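The point made above about the main domain can be turned into a simple check on every link that goes into a breach notification. This is an added example, not code from the original post: it assumes the organisation’s primary domain is equifax.com (from the post) and compares whole DNS labels, since a naive “contains the brand name” test would wave through look-alikes such as securityequifax2017.com.

```python
from urllib.parse import urlsplit

PRIMARY_DOMAIN = "equifax.com"  # the organisation's registered primary domain (from the post)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none.

    A bare host like 'www.equifax.com' has no scheme, so urlsplit would treat it
    as a path; prefixing https:// makes the parse consistent.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_under_primary_domain(url: str, primary: str = PRIMARY_DOMAIN) -> bool:
    """True only if the host is the primary domain itself or a subdomain of it.

    Label-aware comparison: 'equifaxsecurity2017.com' and 'equifax.com.evil.example'
    both contain the brand name but are not under equifax.com, so they are rejected.
    urlsplit().hostname also strips any 'user@' prefix, so a link such as
    https://www.equifax.com@evil.example/ resolves to evil.example and is rejected.
    """
    host = host_of(url)
    primary = primary.lower().strip(".")
    return host == primary or host.endswith("." + primary)


def flag_offsite_links(urls, primary: str = PRIMARY_DOMAIN) -> list:
    """Return the links a notification reviewer should reject before publishing."""
    return [u for u in urls if not is_under_primary_domain(u, primary)]


if __name__ == "__main__":
    # Constructed review list: the post's two sites plus an on-domain alternative.
    draft_links = [
        "https://www.equifax.com/security2017",
        "https://www.equifaxsecurity2017.com",
        "https://www.securityequifax2017.com",
    ]
    for bad in flag_offsite_links(draft_links):
        print("reject, not under", PRIMARY_DOMAIN + ":", bad)
```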

As we’ve seen from Equifax, a robust incident response plan is a must. Feel free to talk to our experts about how you can put an effective one together -- so you won’t have to repeat Equifax’s apologetic statement, which did nothing to help the company redeem its damaged reputation.

Published with permission from TechAdvisory.org. Source.

The post Equifax’s Leak: lessons learned appeared first on Complete Technology Resources, Inc..
