IT security is an ongoing responsibility for firms that deal with any kind of sensitive information. HIPAA law requires medical organizations and their business associates that access or process patient data to meet stringent data safety and security guidelines. These rules offer specific suggestions for added security, divided into three broad categories: Technical safeguards, physical safeguards and administrative safeguards.
These categories are helpful not just for those subject to HIPAA but for all businesses that conduct periodic surveys of IT security fitness. If you handle sensitive data such as credit card numbers, Protected Health Information (PHI) or sensitive financial information, then your firm should be one of them! At least once a year, give your firm an IT security checkup using the following list of questions.
- Is there a hardware firewall in place?
- Is it still supported by the manufacturer?
- Does it have a current warranty?
- Is there a current subscription that includes:
  - intrusion detection?
  - gateway anti-virus and anti-spyware?
  - web content filtering?
  - application intelligence and control services?
- Are you backing up data and securely getting it off-site to a secure location? Can you recover this data quickly in the event of a disaster?
- Do you have sufficient physical security measures in place to prevent theft of equipment (camera systems, locks on doors, keycard entry)?
- Do you have an accurate and up-to-date asset inventory list for all network equipment?
- Is there anti-virus/anti-malware software on all network nodes (servers, desktops, laptops)? Is it a paid version from a known vendor such as McAfee, Symantec, Trend Micro, Kaspersky, etc.? Is the subscription active and up to date?
- Are all the Operating Systems in place still supported by the manufacturer (Windows XP and Microsoft Server 2003 are not)?
- Is there a routine and scheduled patching interval for all software operating systems and applications on the network?
- If there is a wireless network in place, does it utilize WPA2 standards? Do you use a complex password? Are Guest and Private networks separated?
- Do you employ encryption on mobile devices (laptops)?
- Can you wipe mobile devices in the event they are lost/stolen?
- Do you employ network monitoring tools to alert IT staff to potential threats and data breaches?
- If you provide remote access to the network, are access and usage protocols based on best practices rather than sheer convenience?
- Do you perform an annual risk analysis?
- Do you have a password policy in place for end users? Is it complex? Do you require end users to change it on a regular basis?
- Do you have exit policies and procedures in place to ensure that access to data is secured when an employee is terminated or resigns?
- Do you restrict access to data based upon staff job descriptions and security clearance?
- Do you have an MDM (Mobile Device Management) policy/system in place?
- Do you provide education/training of your staff on network security?
- Do you screen and background check your employees?
- Do you have change management procedures in place? Can you audit and document changes?
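Several of the questions above (supported operating systems, patching interval, anti-malware coverage, laptop encryption) can be answered mechanically from the asset inventory the checklist also asks for. The script below is an added example, not part of the original article; the inventory records, the 30-day patching policy and the "Windows 10" hosts are constructed, and the end-of-support dates for Windows XP and Server 2003 are the vendor's published dates.

```python
"""Automated pass over an asset inventory for the inventory-related
checklist items (supported OS, patching interval, anti-malware,
laptop encryption). Example code, not from the original article."""
from datetime import date, timedelta

# Vendor end-of-support dates for the two systems the checklist names.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}
PATCH_INTERVAL = timedelta(days=30)  # assumed policy: patch at least monthly


def audit_inventory(nodes, as_of):
    """Return (hostname, finding) pairs for every node that fails a check.

    Each node is a dict built from the asset inventory; fields used:
    hostname, os, last_patched (date), antivirus (str or None),
    laptop (bool), disk_encrypted (bool).
    """
    findings = []
    for n in nodes:
        host = n["hostname"]
        eos = END_OF_SUPPORT.get(n["os"])
        if eos is not None and eos <= as_of:
            findings.append((host, f"OS no longer supported: {n['os']}"))
        if as_of - n["last_patched"] > PATCH_INTERVAL:
            findings.append((host, "patching interval exceeded"))
        if not n.get("antivirus"):
            findings.append((host, "no anti-malware product recorded"))
        if n.get("laptop") and not n.get("disk_encrypted"):
            findings.append((host, "mobile device without encryption"))
    return findings


# Constructed sample inventory and checkup date for demonstration.
SAMPLE_AS_OF = date(2016, 3, 1)
SAMPLE_INVENTORY = [
    {"hostname": "fs01", "os": "Windows Server 2003", "last_patched": date(2015, 6, 1),
     "antivirus": "vendor-a", "laptop": False, "disk_encrypted": False},
    {"hostname": "lt-07", "os": "Windows 10", "last_patched": date(2016, 2, 20),
     "antivirus": None, "laptop": True, "disk_encrypted": False},
    {"hostname": "ws-12", "os": "Windows 10", "last_patched": date(2016, 2, 25),
     "antivirus": "vendor-b", "laptop": False, "disk_encrypted": True},
]

if __name__ == "__main__":
    # Every finding is one "no" answer and therefore one first step to fix.
    for host, finding in audit_inventory(SAMPLE_INVENTORY, SAMPLE_AS_OF):
        print(f"{host}: {finding}")
```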
The answers to these questions should all be yes. If they’re not, you now have a list of first steps for improving IT security.
Like your annual physical, this checkup is only a starting point – think of it as a screening tool, not a complete workup. Used this way, it can be an important tool for spotting potential problems and assessing the overall health of your firm’s IT security.