- Encrypt your computing devices. UNIX, Linux, Windows and Apple iOS all have encryption baked in. Loss of portable USB drives and laptops has led to high-profile breaches; this article is a good example. HIPAA requires encryption of data at rest and in motion; encrypting the entire drive ensures that half of this is met, as well as being good security practice.
  - Windows BitLocker is the native solution provided by Microsoft. It requires a TPM chip in the computer to work. If your computing device doesn’t have this chip, check out the last bullet point for another option. Without a TPM chip you can also use a USB drive as a physical token. Just remember to back those keys up somewhere.
  - Apple iOS encryption is available for all devices, including iPad and iPhone.
  - Almost all of the UNIX and Linux flavors offer their own encryption support depending on the build. More than likely this is the Encrypting File System (EFS).
  - DiskCryptor can encrypt external and internal drives. If your computer doesn’t have a TPM chip, DiskCryptor is an effective replacement.
- Encrypt your data as it moves. You have less control over some of this. The EHR system that a doctor’s office uses should encrypt the data as it moves from computers to servers. What you need to be sure of is that you are not using unencrypted services to move data around outside of that system. This is the other half of the HIPAA encryption requirement. Don’t use email or FTP for information that is sensitive. Don’t send sensitive information over plain HTTP on the internet; HTTPS ensures that the data is encrypted in transit. Don’t be afraid to step back and say no when security trumps convenience.
- Patch everything. Computers and mobile devices have made huge advancements in making patching easier, but when was the last time you updated your printer? Printer? Exactly.
  - Patch and upgrade firmware for printers. If you have a large number of printers, HP and other manufacturers often have management tools. HP Web Jetadmin is a great example.
  - Patch and upgrade firmware for network switches and routers.
  - Enable automatic patching for the operating system and applications.
- Change the password on everything. If it doesn’t have a password, set one. Finding default passwords is an easy way in for an attacker. But it is just a teleconference system? For you it is a teleconference system; for us it is just a specialty computer that we can attack and then use to attack everything else. How easy is it to find passwords? This is our list of default passwords that were only slightly harder to find than a Google search.
- Turn that thing off. I know that the Internet-enabled coffee maker in the break room is ubercool. You don’t need it. The free program that updates you on the weather every 26 seconds? You don’t need it. Everything that you have running on a network and on a system is another potential way in for an attacker. Configure printers to have only what you use; they are shipped to work on most networks out of the box, not to be secure. Go through the list of programs that came preinstalled on your computer… wow, right? …you can remove most of those. It will free up space and make you a little safer.
- Create a secure culture in your business. This is trickier than the technical fixes. You want your employees to understand why they shouldn’t plug their personal laptop into the company network. Your employees should recognize phishing and social engineering attacks. While we can provide training and assistance, this has to come down from the top of an organization. Set the tone that security is important and it will become important. We understand that your company isn’t in the security business, but security helps keep you from losing money. Computer security is just a part of the risk management that you do for your company every day.