Security Tips - Layered Security - Layer 1 of 7 - Windows Updates!

Layered security is a necessity. No single layer will protect you from all of the cyber-threats out there. In fact, no combination of layers will protect you 100% of the time either, but each additional layer reduces the threat further. So here's part 1 - Windows Updates! Old hat, but the WannaCry infection a few weeks ago illustrated that they still aren't always given the priority they deserve.

Stay safe!

NeoCloud Consulting - Tech Tip - Do Windows Updates!

WannaCry Ransomware+Worm - Actions to Take

WannaCry is a ransomware/worm attack at a scale that we haven't seen in almost a decade. This is the first attack of its kind that combines ransomware with a worm as its delivery method. Read more about the attack here. I'll do a followup blog post about the specifics, but the most important thing right now is to make sure that your computers are properly updated.

The patch that closes the vulnerability that this worm exploits was released in March. If your Windows Updates are current then you are fine. If you aren't sure, you can check by following these instructions for Windows 7/Windows 8/Windows 10. Please note that these aren't my videos, but I am sharing them for the sake of time.

Windows 7: https://www.youtube.com/watch?v=jXMLp4WR9U8

Windows 8: https://www.youtube.com/watch?v=XLOnAmXhxrw 

Windows 10: https://www.youtube.com/watch?v=1IA97wUjjRE
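If you would rather check from a command prompt than follow the videos, the following PowerShell script is an added example (not part of the original post) that reports the most recently installed update and asks the Windows Update Agent whether any software updates are still pending. It assumes an elevated PowerShell prompt on Windows 7/8/10 and that the machine can reach Windows Update (or your WSUS server); the March 2017 cutoff date is taken from the patch release month mentioned above.

```powershell
# Added example (not part of the original post): confirm Windows Update is
# current on the local machine. Run from an elevated PowerShell prompt.

# 1. When was the most recent update installed? Get-HotFix reads the same
#    data as Control Panel > Installed Updates. InstalledOn is blank for some
#    entries, so those are filtered out before sorting.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

"Most recent installed update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"

# The patch the post refers to shipped in March 2017 (assumed cutoff). If nothing
# at all has been installed since then, updates are certainly not current.
$cutoff = Get-Date '2017-03-01'
if ($latest.InstalledOn -lt $cutoff) {
    "WARNING: no updates installed since $($cutoff.ToShortDateString()) - run Windows Update now."
}

# 2. Are there updates Windows knows about but has not installed yet?
#    This uses the Windows Update Agent COM API; the search can take a minute
#    and needs network access to Windows Update or WSUS.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates

if ($pending.Count -eq 0) {
    "No pending software updates found - Windows Update is current."
} else {
    "WARNING: $($pending.Count) update(s) are waiting to be installed:"
    foreach ($u in $pending) {
        # Each update can carry one or more KB article numbers.
        $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ", "
        "  - $($u.Title) [$kb]"
    }
}
```

The first check is quick and works offline; the second is the authoritative one, because a machine can have a recent hotfix installed and still be missing newer ones. If the script lists pending updates, install them and reboot before considering the machine protected.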

Microsoft has even produced patches for Windows XP and Server 2003. You can get more information about those updates by clicking here.

But seriously, if you're still using Windows XP/Server 2003 we REEEEEALLY need to talk... :)

If you have any trouble with any of these procedures, please contact us and we'll be happy to help!

--Jay

Security Warning Wednesday - The April HIPAA Hammer

HHS is on a roll! In April there were two settlement agreements announced on two different sides of the spectrum. I don't think anyone was too sure how HHS was going to proceed in this arena after the appointment of Tom Price but early indications seem to be full steam ahead.

The first settlement agreement was for $31,000. Not a huge fine by OCR standards, but a sizable amount of money nonetheless. The noteworthy part of this offense is that the investigation started at the Business Associate level -- not at the practice itself. However, the findings at the Business Associate led to an investigation of the practice. The reason for the settlement? The investigation found that the practice started disclosing PHI to the business associate without a Business Associate Agreement in place. The vendor was storing legacy printed medical records.

The second settlement agreement was for quite a bit more: $2,500,000. This was a more classic incident - a stolen employee laptop that contained ePHI. However, OCR really brought the hammer in this instance. The company was missing technical safeguards on the laptop. In addition, their HIPAA policies and procedures had never been finalized and were sitting in a draft status. Roger Severino, director of OCR, was quoted as saying that the disregard for security was a major factor in this fine.

Moral of the stories? It's more important than ever to have finalized HIPAA policies & procedures and to have documentation that your employees have reviewed them. Be sure to have technical safeguards in place and a policy for mobile laptops/devices that access ePHI. And finally, be sure to have Business Associate Agreements in place with all third-party vendors who access PHI.

All of these things can seem overwhelming for a small practice but never fear! NeoCloud Consulting has a comprehensive HIPAA Compliance package. All implementations start with a Risk Assessment to find any policy gaps and fix them. Our web-based system also automates employee attestation, policy review, training and more! The technical safeguards are a part of our managed service packages as well. Whether you're a Covered Entity or a Business Associate, we can help protect your business from compliance issues!

If you'd like to know more about our offerings, please contact us!


Monday Morning Cup of Coffee - Don't Pay the Ransom!

Ransomware is a big deal. It locks you out of your data, negatively affects your business continuity and in the case of HIPAA-bound entities creates a reportable event that can open you up to further investigation by HHS. A ransomware attack at the "right time" 

Why not pay the ransom if your data is encrypted? Because it has become more and more frequent for payment to be made and the data NOT be decrypted. Since payment generally has to be made in the form of Bitcoin - which is untraceable - the ransomware issuers don't really have to send a decryption key, and it's becoming more common that they don't. Most people only consider paying in the event that data loss is catastrophic, so this is a doubly crippling situation.

The best defense against ransomware is to be proactive in your protection measures. Here are our top recommendations to protect yourself against having to even consider paying a ransom: 

  1. If you have a file server, make sure it's being backed up at least nightly and be sure that all files are a part of that backup. 
  2. If you have files on local computers, make sure those files are being backed up as well. There are cloud solutions that backup in real-time that would allow almost instantaneous recovery of local files. 
  3. Institute a strong SPAM filter. Most ransomware attacks are initiated from outside of the country and by blocking email coming from those countries you can avoid a lot of problems. 
  4. Education is key! Educate all employees to never open attachments in emails from unknown sources and to question strange emails from known sources.
  5. Antivirus is not as effective against ransomware as it is against other types of attacks, but some advanced packages are now able to use heuristics to detect behaviors and stop a ransomware attack from happening. This is only mildly successful, but every bit of protection can help!
  6. Keep your systems updated! Most current ransomware implementations exploit the human element but that doesn't mean that future incarnations will not exploit technical vulnerabilities. Patch, patch, patch!

A proactive, layered approach is always the best practice when it comes to cyber security. Investing in the right systems before an attack can make all of the difference in how quickly and effectively your business can recover when an attack happens!

If you have any questions on ransomware, cyber security or how NeoCloud Consulting helps protect our clients from ransomware and other threats, contact us today!

Monday Morning Cup of Coffee - SPAM Protection

Any cyber security plan worth its salt is multi-layered. Long gone are the days when an anti-virus app alone could protect you. At NeoCloud Consulting we provide at least a 7-layer protection plan for our clients. I say "at least" because as more layers become appropriate, we evaluate and implement as necessary to keep our clients safe from harm. No system is 100% effective, but our best-in-class security plan allows us to protect, detect and if necessary recover from any security threat. And we have had a 100% effective rate with our clients since implementing our layered approach.

One of those layers is SPAM protection. Why is that important? Because an effective security plan must protect any avenue in which a virus, malware or ransomware can get into the network and email is one of the most prolific. We provide AppRiver's award winning SecureTide with all of our plans. SecureTide not only filters out SPAM but also allows us to filter out viruses, malware and other file types before they even get to your mailbox. We can also perform advanced functions such as preventing email from specific countries. This is an important part of malware prevention because many attacks initiate from countries from which you would otherwise not receive email.

All of the filtered email is collected in the SPAM filter and if a legitimate email is stopped, it can be released by an administrator once deemed safe. The SPAM filter also has the added benefit of caching email in the event of an email server downtime. We provide Microsoft Office 365 email boxes to all of our clients so while email downtime should never occur, it's good to know that important business email will not be lost in the event of an issue.

In closing, an effective security plan MUST contain multiple layers and it must protect all network ingress points. Email is one of the most prolific ingress points available to attackers and a quality SPAM filter should be the first line of defense against viruses, malware, ransomware and the like. It's extremely cost effective (free on one of our managed plans!) and will pay for itself many times over with just the first ransomware it prevents from infecting your network. 

If you have any questions or comments about SPAM filtering, AppRiver SecureTide or NeoCloud's 7-layer security plan, please contact us and we'll be happy to discuss!

O365 Thursday - Microsoft Teams

One of the best parts of Office 365 is the constant development around the platform. Microsoft is constantly adding new features and apps which are included in the subscription. It can sometimes be difficult to keep up with all of the new things being added. Today I'm going to talk about Microsoft Teams.

Microsoft Teams was rolled out about a month ago. Teams are a new way of collaborating in the Microsoft space. They allow the entire company or just a small group of people to collaborate on a "project". I put project in quotes because it doesn't have to be a finite project with a start and end date but can be an ongoing operation as well.

The base of Teams is a chat window. The chat is persistent and searchable. Files can be shared in the window or new tabs linking directly to the files can be created as well. This is a screenshot of a Team that I created for the purposes of this blog post: 

As you can see from the picture, the Team chat allows for emojis, GIFs and stickers so people's personalities can shine through. Also notice the tabs along the top. These can be added at will for quick access to many different objects. In this case I shared this website and an Excel file, as shown here:

Website Tab

Microsoft Team Excel File Window

There is a desktop app for Teams, but it can also be used from the web and mobile apps. The data in Teams is encrypted in transit and at rest and is SOC 1 & 2 compliant, so there should be no compliance issues to worry about when using the product.

For the official word from Microsoft on Teams, check this link.

We believe in Microsoft Office 365 so much that it is included with all of our managed service plans, and we help our clients use it to the fullest. If you have any questions or comments about Office 365, Microsoft Teams or anything else, please contact us and we'll be happy to help!

Until next time!

--Jay

True Facts Tuesday - Earth Day Edition

FACT: Earth Day is Saturday, April 22, 2017

BONUS FACT: We only have one Earth so we'd better keep it clean!

Happy Earth Day!

In years past we've always been challenged with the right way to dispose of old computer gear. PCs, flat panel monitors, laptops, etc. can't just be thrown into the regular trash, so in most businesses there is a deep, dark, hidden closet bursting at the seams with old computer gear. That is, until I met my friends Dell and Greg at Urban E Recycling. They will recycle pretty much any electronics you have (no CRTs) FREE OF CHARGE and even come pick it up! Scheduling a pickup is as easy as giving them a call or filling out a form on their website. Compliance requirements? No problem! They provide certificates of destruction if needed and also have a mobile hard drive shredder to take care of data protection issues on the spot! They cover most if not all of the Greater Tampa Bay area, but please contact them for specifics. BONUS: If you want to drive out to their shop they will let YOU shred your own hard drives! Stress relief at its finest, watching that machine just demolish an old hard drive. They also have NO minimums, so if you have an old PC lying around or a room full of gear, contact them to reclaim that space and get it all cleared away! Did I mention that it's FREE?!

So on top of electronics recycling here are a few more tips:

  1. Develop electronic approval processes. Applications like Microsoft SharePoint and Microsoft Flow can be used to convert paper forms into electronic processes. This makes the processes more efficient and more convenient, and eliminates unnecessary paper usage.
  2. Print using the "draft", "fast" or "efficiency" modes. This will not only print faster but save ink/toner. These modes are suitable for most print jobs unless presentation-quality output is desired. 
  3. Power Management. Set the power management feature in Windows to "Power Saver" in order to save energy. This can be easily found in Windows 8+ by typing "Power Plan" into the search bar or in the Control Panel for Windows 7.
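For anyone who prefers the command line to the Power Plan search box in tip 3, here is an added example (not part of the original post) that switches the active plan to "Power saver" with the built-in powercfg tool and then verifies the change. It assumes Windows 7 or later; SCHEME_MAX is powercfg's own alias for the Power saver plan, and the GUID compared against is the well-known one for that plan.

```powershell
# Added example (not part of the original post): set the Windows power plan
# to "Power saver" from PowerShell and verify it took effect.
# powercfg.exe ships with Windows 7 and later. Its built-in aliases are:
#   SCHEME_MAX      = Power saver      (maximum power savings)
#   SCHEME_BALANCED = Balanced
#   SCHEME_MIN      = High performance (minimum power savings)

# Show the available plans; the active one is marked with an asterisk.
powercfg /list

# Activate the Power saver plan.
powercfg /setactive SCHEME_MAX

# Verify: pull the GUID out of the "Power Scheme GUID: ... (Power saver)" line
# and compare it with the well-known Power saver GUID.
$powerSaverGuid = 'a1841308-3541-4fab-bc81-f71556f20b4a'
$out = powercfg /getactivescheme | Out-String

if ($out -match 'GUID:\s*([0-9a-fA-F-]{36})' -and $Matches[1] -eq $powerSaverGuid) {
    "Power saver plan is active."
} else {
    "Active plan is not Power saver - review the powercfg output above:`n$out"
}
```

Because powercfg accepts the same arguments from a logon script or a remote management tool, this is also the easiest way to apply the setting to every PC at a site at once rather than clicking through each one.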

All of the above can be done for your home or for your business. NeoCloud Consulting is dedicated to providing the most green computing possible for our clients. All of the above services are included with our managed service plans. We can even provide a monthly update to estimate how well your power consumption is doing on monitored devices month-to-month:

This allows us to measure not only the power savings but also the true dollar savings realized by adopting more efficient power practices. We have seen significant power and dollar savings simply by automating the power features of all computers at a client site.

If you have any questions or comments about recycling electronics, digitizing approval processes, printing, power management, or any of our other IT services offered in the Greater Tampa Bay area please contact us today!

Monday Morning Cup of Coffee - HIPAA Risk Analysis

Good morning!

Last week HHS announced a new settlement for 2017. This time around they fined health center Metro Community Provider Network $400,000. The center reported the breach of 3,200 patient records in a phishing incident. The interesting part of the story is the reason they were fined. OCR found that the center took necessary corrective action related to the reported incident which is good! However during the course of the investigation it was discovered that the center failed to conduct a risk analysis until a month after the incident occurred. That is bad and what ultimately cost them $400k. You can read the official press release here. That's a whopping $11.8M in resolution agreements and civil penalties for HIPAA violations through the first four months of 2017. 

The moral of the story is to make sure to do a risk analysis! Once done this should be repeated periodically (we suggest annually) or whenever a major system change happens within the business. Being technically compliant is not enough -- all of the proper documentation has to be in place in order to be considered compliant. That includes annual employee training, annual policy reviews, etc. This is true not only of Covered Entities but of Business Associates as well. And make no mistake, when a breach occurs your full compliance program will be audited, not just the portion related to the breach. 

Effort is such a huge part of what is considered before OCR levies a HIPAA fine. A business with a small gap in their compliance program could be fined as little as $100 per incident. However if that same business is grossly negligent and has done nothing to address its compliance, the same offense can be fined at a rate as high as $50,000 per incident. There is a good write up of the full details here but needless to say it isn't a risk that any business should take. 

NeoCloud Consulting offers an amazing HIPAA compliance service to help both covered entities and business associates achieve, maintain and illustrate compliance. I encourage you to download our HIPAA Compliance checklist here to do a quick self-evaluation. If you have any questions about risk assessments, HIPAA compliance in general or would like to discuss our compliance services, please contact us today!

Have a great week!

--Jay

O365 Thursday - Microsoft Flow

Microsoft Flow is a relatively new platform from Microsoft that allows you to build automated workflows between applications. These workflows are called "Flows" for short. Flows can connect all sorts of data sources together to make life easier. So for instance, you could create a Flow that automatically sends a text message when you get an email from a VIP client. Or a flow that automatically creates an Outlook task when an email is flagged for follow up. Or even automatically add an event from your Google calendar to your private Outlook calendar. The possibilities are really endless and things can get very complex with conditions that branch off into different actions but even basic Flows can help save a lot of time. 

Microsoft provides a bunch of templates to get you started. You connect your accounts and provide some basic information and the Flow is ready to go. We're going to build an interactive toy today. I'm going to show you how to build a flow that you can interact with to see how it works in real-time. 

I've created a sample flow that will write any tweet with the hashtag #NeoCloudFlowDemo into an Excel document. Give it a try and let me know what you think! The flow runs every 5 minutes, so once you tweet, wait it out and then check the document by clicking here. In coming weeks I will demonstrate how I created this flow and other examples of production Flows that we've developed for our clients. In the short term, here's a screenshot of what this Flow looks like in the Flow Designer:

Creating and maintaining Flows for our customers is included as part of our Concierge IT Service. We create Flows that help make your life easier. There is no additional charge for this service!

If you'd like to learn more about Flow, have any questions or comments, or would like more information about our services, please contact us today.