By Richard Stokes

IT security is an ongoing responsibility for firms that deal with any kind of sensitive information. HIPAA requires medical organizations, and the business associates that access or process patient data on their behalf, to meet stringent data safety and security guidelines. These rules offer specific suggestions for added security, divided into three broad categories: technical safeguards, physical safeguards and administrative safeguards.

These categories are helpful not just for those subject to HIPAA but for all businesses that conduct periodic surveys of IT security fitness. If you handle sensitive data such as credit card numbers, Protected Health Information (PHI) or sensitive financial information, then your firm should be one of them! At least once a year, give your firm an IT security checkup using the following list of questions.

Physical Safeguards

  • Is there a hardware firewall in place?
    • Is it still supported by the manufacturer?
    • Does it have a current warranty?
    • Is there a current subscription that includes
      • intrusion detection?
      • gateway anti-virus and anti-spyware?
      • web content filtering?
      • application intelligence and control services?
  • Are you backing up data and securely getting it off-site to a secure location? Can you recover this data quickly in the event of a disaster?
  • Do you have sufficient physical security measures in place to prevent theft of equipment (camera systems, locks on doors, keycard entry)?
  • Do you have an accurate and up-to-date asset inventory list for all network equipment?

Technical Safeguards

  • Is there anti-virus/anti-malware software on all network nodes (servers, desktops, laptops)? Is it a paid version from a known vendor such as McAfee, Symantec, Trend Micro, Kaspersky, etc.? Is the subscription active and up to date?
  • Are all the operating systems in place still supported by the manufacturer (Windows XP and Windows Server 2003 are not)?
  • Is there a routine and scheduled patching interval for all software operating systems and applications on the network?
  • If there is a wireless network in place, does it use the WPA2 standard? Do you use a complex password? Are guest and private networks separated?
  • Do you employ encryption on mobile devices (laptops)?
  • Can you wipe mobile devices in the event they are lost/stolen?
  • Do you employ network monitoring tools to alert IT staff to potential threats and data breaches?
  • If you provide remote access to the network, are access and usage protocols based on best practices rather than sheer convenience?
  • Do you perform an annual risk analysis?

Administrative Safeguards

  • Do you have a password policy in place for end users? Is it complex? Do you require end users to change it on a regular basis?
  • Do you have exit policies and procedures in place to ensure that access to data is secured when an employee is terminated or resigns?
  • Do you restrict access to data based upon staff job descriptions and security clearance?
  • Do you have an MDM (Mobile Device Management) policy/system in place?
  • Do you provide education/training of your staff on network security?
  • Do you screen and background check your employees?
  • Do you have change management procedures in place? Can you audit and document changes?

The answers to these questions should all be yes. If they’re not, you now have a list of first steps for improving IT security.

Like your annual physical, this checkup is only a starting point – think of it as a screening tool, not a complete workup. Used this way, it can be an important tool for spotting potential problems and assessing the overall health of your firm’s IT security.


Richard Stokes

With 17+ years working in the technology sector in a combination of outside sales and strategic consulting, Richard is committed to delivering the right solutions and services for clients and business partners.

rstokes@network1consulting.com or 404.997.7652

Network 1 Consulting is a 17-year-old IT support company in Atlanta, GA. We become – or augment – the IT department for professional services companies: law firms, medical practices and financial services firms. Our IT experts can fix computers – but what our clients really value is the industry-specific best practices we bring to their firm. This is especially important with technology, along with regulations and cyber threats, changing so rapidly. We take a proactive approach to helping our clients use technology to gain and keep their competitive advantage.
