These Security Measures Offer Protection from Human Error

Data security remains near the top of the list of worries for information technology teams and decision-makers. As phishing attempts are getting more creative and difficult to discern, employee training and frequent IT security reminders are more important than ever.

Yet, ultimately, no matter how vigilant your staff is, there is always the risk of human error (after all, we’re human!). These two technologies can bring peace of mind by acting as your security safety net in case someone accidentally clicks something they shouldn’t have.

One Wrong Click Doesn’t Always Mean DOOM

Formerly known as whitelisting – now referred to as allow-listing – this technology can block ransomware, viruses, and other threats. The way it works is simple in theory, but admittedly it can be time-consuming to set up and to keep monitoring on an ongoing basis.

Allow-listing technology starts by blocking ALL programs and applications from running in your information technology environment. Permissions “allow” specific trusted software to run within the IT infrastructure, while everything else remains blocked.

While this means no one internally or externally can accidentally or deliberately run malicious programs or scripts, it also puts restrictions on what IS allowed, by whom, in what scenarios.

Barriers to Allow-listing Technology

While the protection offered by this technology is considered one of the most comprehensive security measures, there are some important considerations to keep in mind:

  1. Allow-listing technology cannot solve or prevent every security risk. It needs to be one aspect of a broader security strategy.
  2. Allow-listing technology can be administratively intensive.

Broad-view, Comprehensive Security Strategy

A comprehensive security strategy addresses many types of vulnerabilities – from the age of your hardware to data encryption to There isn’t one foolproof solution or policy that covers everything long term.

Frankly, the landscape changes so frequently that security needs to be an ongoing priority, with built-in reviews to ensure best practices in both policy and practice. Assigning a team to be accountable for this oversight – either internally or outsourced – is a good idea.

Starting with a strong foundation – based on a checklist like this – can help ensure your security strategy focuses on the right technologies.

Allow-listing vs. Block-listing

While there are plenty of block-listing (formerly known as blacklisting) technology solutions in the form of anti-virus or anti-malware solutions, each organization’s allow-list looks different.

Block-listing technologies essentially use a list of URLs, file types, and code signatures to identify things to block. Think like a cybercriminal and you’ll realize that all this does is publish a list of what to avoid, so attackers use automation to make subtle changes to their malware and bypass detection. In 2019 there were 24,610,126 “unique malicious objects” according to Kaspersky Labs.

An allow-list needs to represent the unique information technology environment for each organization. That means establishing a pre-determined set of approved software applications and scripts.
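The contrast between the two models, as an added example that is not code from the original post: a default-deny allow-list keyed on the SHA-256 of a program’s bytes, next to a signature-based block-list. The sample programs, the "known-bad" marker string and the block-list signature are all constructed placeholders; only programs whose exact bytes were approved pass the allow-list, so a one-token change that slips past the block-list is still denied, and a legitimate new version is also denied until someone approves it (the administrative cost the post describes).

```python
# Added example, not code from the original post. It compares a
# default-deny allow-list (keyed on the SHA-256 of a program's bytes)
# with a signature-based block-list, using constructed sample programs.
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowList:
    """Default deny: only programs whose exact bytes were approved may run."""

    def __init__(self, approved_programs):
        self.approved = {sha256_hex(p) for p in approved_programs}

    def decide(self, data: bytes) -> str:
        return "allow" if sha256_hex(data) in self.approved else "deny"


class BlockList:
    """Default allow: only programs matching a known-bad signature are stopped."""

    def __init__(self, signatures):
        self.signatures = list(signatures)

    def decide(self, data: bytes) -> str:
        return "deny" if any(sig in data for sig in self.signatures) else "allow"


# Constructed sample programs (placeholders, not real software).
INVENTORY_V1 = b"#!/bin/sh\n# inventory tool v1\necho 'inventory report'\n"
INVENTORY_V2 = b"#!/bin/sh\n# inventory tool v2\necho 'inventory report (csv)'\n"
KNOWN_BAD = b"#!/bin/sh\nFAMILY=ransom-v1\necho 'pretending to encrypt files'\n"
# The "subtle change" from the post: a one-token edit to the known-bad file.
BAD_VARIANT = KNOWN_BAD.replace(b"ransom-v1", b"ransom-v2")

allow_list = AllowList([INVENTORY_V1])          # only v1 has been approved so far
block_list = BlockList([b"FAMILY=ransom-v1"])   # constructed signature for KNOWN_BAD


def evaluate(data: bytes) -> dict:
    """Return both verdicts so the two models can be compared side by side."""
    return {"allow_list": allow_list.decide(data), "block_list": block_list.decide(data)}


def report() -> dict:
    samples = {
        "approved tool v1": INVENTORY_V1,
        "approved tool v2 (not yet re-approved)": INVENTORY_V2,
        "known-bad program": KNOWN_BAD,
        "known-bad program, one token changed": BAD_VARIANT,
    }
    return {name: evaluate(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdicts in report().items():
        print(f"{name:40s} allow-list={verdicts['allow_list']:5s} block-list={verdicts['block_list']}")
```

Real products such as AppLocker key their rules on publisher certificates or file paths as well as hashes; the hash-only version here is the simplest way to show why the allow-list needs maintenance every time a tool is updated.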

Allow-listing is an Administratively Intensive Process

The allow-list prevents anything not on that list from running – even if it was successfully downloaded – but creating that list can take a lot of time and work. It can also frustrate end-users, because it blocks applications that are not on the approved list.

That said, allow-listing is still one of the most comprehensive approaches to securing your information technology environment, and it also:

  • Stops most ransomware, viruses, and other threats from running in your environment;
  • Enforces organizational security;
  • Ensures compliance with HIPAA, NIST, and other regulations.

Two ways to lighten the administrative load:

  • Partner with an MSP: A trusted MSP can be your security partner to get your allow-listing strategy in place and perform the maintenance to keep it current.
  • Consider a semi-automated solution: If you have the internal team and resources available to manage the process, there are several allow-listing technologies that are partially automated to ease the burden of building an allow-list by hand. Some of these solutions include ThreatLocker and Microsoft’s AppLocker.

Password Breaches

The second common human error related to security is password management. Despite the number of experts that advise against it, most people use one password for multiple logins, overlapping personal and professional devices, and access points. Unique passwords for each login are often a challenge for users to recall quickly, causing frustration and loss of productivity. However, secure password management technology is now readily available and widely used. It also requires careful research and an ongoing commitment to consistently using the technology for it to work effectively but allows for unique passwords and better user protection. In the future, we may be able to eliminate the use of passwords permanently, but until that happens, a password manager is a great solution.

Many successful attacks trace back to the attacker having a valid user account – i.e., a working password – and gaining access to the environment that way. There is a technology that is a safety net in this area too — multi-factor authentication (MFA) (originally referred to as “two-factor authentication”).

Multi-factor Authentication Software

MFA protects your account even if someone has guessed or stolen your password. It works like this: after entering a legitimate password and before granting access to an account, the technology confirms your identity. MFA requires you to engage with an auto-generated confirmation link, phone call, one-time passcode, push notification, or text message to your personal device to authenticate your identity. The common downside with MFA is, by design, that it will be much more challenging to gain access to your account if you don’t have the other factor available.

Focus on What’s Within Your Control

There isn’t a single technology that will stop a determined attacker. Your only control over the matter is making it as difficult as possible to penetrate your environment. An attacker is often working on several – even hundreds – of targets simultaneously to see where the most accessible opportunities are. The more barriers there are, the more likely a criminal will deem an organization as requiring too much effort. While they will move on, there’s always another attacker ready to take their place. Allow-listing technologies and multi-factor authentication are two ways to create formidable barriers that can dissuade some attackers, and both are among our recommended security technologies. Contact us to review the full security checklist.

Three Common Security Mistakes to Avoid

COVID has shifted the world in unexpected ways, particularly when it comes to data security. The rapid transition to work-from-home (WFH) made it challenging for most businesses to keep up with policy and technology updates that support a WFH model. It didn’t take long for hackers to figure that out.  

Cyber attacks are on the rise, particularly in the healthcare sector. One report from C5 Capital alliance indicates a 150% increase in attacks on healthcare systems in the first quarter of 2020. 

Healthcare Systems Under Pressure

Given the tremendous strain the pandemic is putting on healthcare systems and healthcare personnel, it’s understandable they might fall behind on regular IT maintenance. At Path Forward, our team of healthcare IT experts works hard every day to make sure our clients are protected.

Here are three common mistakes that create fundamental security vulnerabilities:

1. DELAYING UPDATES: The dreaded notification: “You have system updates.”

It may seem like a nuisance to run system or software updates. It takes time and typically requires a full restart. But putting them off is one of the easiest ways for attackers to compromise your systems.

Vendors push out updates and patches for a reason. They know there is a vulnerability or bug in a product you are using, and they are providing the patch to address it as quickly as they can. However, publishing the update to customers also increases awareness of the vulnerability with potential attackers.  

It’s essential to run these updates as soon as possible. While time is of the essence, sometimes there can be concerns that the patch could interfere or break a workflow unique to your environment. The ideal first step is to test the patch in a test environment. If that’s not possible, be sure you are prepared and backed up before running the updates. With good backups, you can restore your data to the pre-update version if something goes wrong with the patch. 

*KEY TAKEAWAY:  Prioritize updates and patching. Respond to vendor updates within 24 hours, or as quickly as you can while managing the risk of breaking production systems and workflows. Test the patch in a test environment when possible.

2. OUTDATED EQUIPMENT: It’s not about keeping up with the Joneses.

Equipment is expensive – no matter if you’re considering buying a new SAN, laptops for the organization, or even just a new smartphone.  

It’s natural to approach these expenses as long-term investments. The downside is the definition of the long-term might be shorter than you hoped.  

Don’t kid yourself into thinking you can humbly get by with older equipment that “still does the job.” New equipment is not about getting the latest and greatest functionality. It’s about staying current and safe. 

Using equipment and software past its end-of-life date is a much bigger security problem than most people realize. Manufacturers regularly age-out older versions of their products, meaning they no longer provide updates and critical security patches. Having these outdated components in your environment significantly jeopardizes your system security and voids the effectiveness of any other security measures that are in place.  

*KEY TAKEAWAY:  Plan for the manufacturer’s end-of-life timeline. It’s typically published at least a year in advance, and many vendors publish lifecycle information to help with planning upgrades and budgeting for those expenses. Consider leasing options if your budget doesn’t allow for purchasing.  

3. CHASING SECURITY SOLUTIONS: Monitoring system entry points can be like herding cats.

Since COVID, most companies rely on remote workforces. It’s more common than ever to have a single employee accessing your network from several different devices – smartphones, laptops, tablets, etc. Each of these devices represents an endpoint, essentially an entry point where an attacker could gain access to your systems. Endpoint management software helps centrally monitor and evaluate all devices to ensure security and software updates. 

A common misperception is that a combination of endpoint management and anti-virus software is enough to manage the risk of any intrusion. This is not the case, as proven nearly every day over the last six months as the healthcare industry is the favorite target for attackers. 

Another misperception is that the newer the software, the better the security. Many companies make it a priority to have the latest and greatest solutions and are continually changing their systems. They often overlook the internal talent, skillsets, training, and dedicated resources needed for maintaining these tools. Human monitoring and analysis of threats are critical. Internal security teams have so many competing priorities; it’s challenging and expensive to dedicate the resources needed and stay constantly aware of the latest threat data. 

Managed detection and response (MDR) is an outsourced service that combines human expertise with automated threat detection to effectively monitor, collect, analyze, and respond to threats as they are discovered.

*KEY TAKEAWAY:  Endpoint Managed Detection and Response (EMDR) is currently the best technology available for quickly detecting a breach before it creates a noticeable malicious impact. EMDR also provides exceptional forensic information should a breach ever occur, which helps in reconstructing events to identify where extra security is needed.
 

A Security Effort is Never Finished

At the end of the day, managing the security of your data and environment is an ongoing effort. It requires careful and constant evaluation and oversight. It also requires a reliable backup and recovery plan.  

The above recommendations are part of our Minimum-Security Requirement Checklist. You can download the checklist here. If you’re interested in talking with one of our security experts for an evaluation or discuss your security needs, please reach out here. 

Your Critical Data Is a Target for Hackers

If you don’t have strong data protection in place today, you are underestimating some serious risks. So far, in 2020, ransomware attacks have already cost healthcare practices nearly $160 million – and we’re only halfway through the year.

In the healthcare sector, ransomware is responsible for shutting down clinics, hospitals, and severely affecting patient care. The implications are dangerous during normal times, and to navigate this during the COVID pandemic carries exponentially more risk.

All Types of Businesses are Targets

Healthcare isn’t the only alluring target for cybercriminals. City governments and municipalities are getting hit too and with an unfortunate rate of success. Small businesses are also a favorite target, with 71% of ransomware attacks targeting small businesses. These attacks are expensive. By the end of 2019, the average ransomware payment topped $80,000, which explains why 1 in 5 businesses hit with ransomware go out of business.

No entity or industry sector is off-limits. The reality is, your company is also at risk, just like the ones making news headlines.

Risks Go Beyond Ransomware

Ransomware is just one of the many factors that can stop your business in its tracks and turn your world upside down. Hardware failure, application failure, file corruption, human error, and Mother Nature are all real risks that require immediate consideration. Robust data protection is as critical to your business as healthy financials.

Staying Protected

The reality is that even with protection, there are risks. It is critical to understand those risks and minimize them with a balance of solutions that are the right fit and cost to your company.

Here are some questions to guide you in determining the best solution for your environment:

  1. What are your goals for RPO (recovery point objective) and RTO (recovery time objective)?
  2. What are your goals for data retention?
  3. Are your backups encrypted?
  4. Is your protected data stored in more than one place?
  5. If so, can your backups run from a secondary location?
  6. Are all of your critical applications protected?
  7. Does your company have a disaster plan?
  8. Are your backups application-aware?

The Right Stuff

Your backup environment is not a book on a shelf that you can look at every few years. Like your production environment, it is continuously and rapidly changing. Think of it more like a virtual data center. Putting backups in place and waiting for failures is not adequate protection. You can’t pick out a solution, set it up, and consider it complete. It is something that needs to be continuously managed, just like your production data.

Validation

Automated backup validation can’t be 100% trusted. If you are not manually validating your backups regularly, it is the same as not being backed up at all. Often, important aspects of the technical environment are overlooked. It’s crucial to validate backups for:

Don’t wait for a disaster to find out how well your validation process is working. It’s essential to know your company or healthcare practice is completely protected before a disaster strikes. The best way to navigate these risks and headaches is to partner with experts who solely focus on data protection, as opposed to it being one item on a long to-do list for an internal team member.
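One way to put the validation questions above (RPO, encryption, restore from a secondary location, application coverage) into a repeatable check, as an added example that is not code from the original post: record a manifest of SHA-256 digests when the backup is taken, then compare a restored copy against it and flag a backup that is older than the RPO. The production tree, file contents, timestamps and the 24-hour RPO are all constructed for the example; it runs against a temporary directory so it can be tried offline.

```python
# Added example, not code from the original post: a small restore check
# that compares a restored copy against a manifest of SHA-256 digests taken
# at backup time and flags a backup that is older than the RPO. The files,
# timestamps and RPO are constructed for the example.
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source: Path, taken_at: int) -> dict:
    """Record every file under `source` with its digest and the backup time."""
    files = {p.relative_to(source).as_posix(): file_digest(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    return {"taken_at": taken_at, "files": files}


def validate_restore(restored: Path, manifest: dict, now: int, rpo_seconds: int) -> dict:
    """Check that the restored tree matches the manifest and is within the RPO."""
    problems = []
    for rel, expected in manifest["files"].items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif file_digest(path) != expected:
            problems.append(f"corrupt: {rel}")
    age = now - manifest["taken_at"]
    if age > rpo_seconds:
        problems.append(f"stale: backup is {age}s old, RPO is {rpo_seconds}s")
    return {"ok": not problems, "problems": problems}


def run_scenario() -> dict:
    """Build a constructed production tree, restore it once cleanly and once with damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "production"
        source.mkdir()
        (source / "records.db").write_bytes(b"constructed sample database contents")
        (source / "app").mkdir()
        (source / "app" / "config.ini").write_text("mode=production\n")
        taken_at = 1_700_000_000          # constructed backup timestamp
        manifest = write_manifest(source, taken_at)

        restored = root / "restored"
        shutil.copytree(source, restored)
        clean = validate_restore(restored, manifest, now=taken_at + 3600, rpo_seconds=24 * 3600)

        # Simulate a damaged backup: one file truncated, one file missing, and
        # a restore attempted three days later against a 24-hour RPO.
        (restored / "records.db").write_bytes(b"constructed sample")
        (restored / "app" / "config.ini").unlink()
        damaged = validate_restore(restored, manifest,
                                   now=taken_at + 3 * 24 * 3600, rpo_seconds=24 * 3600)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(label, "OK" if result["ok"] else result["problems"])
```

A digest match proves the bytes came back intact, not that the application can use them; for application-aware backups the manual step the post calls for is still to start the restored database or application and confirm it opens.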

Key Partnerships

The best partners understand your business, are transparent about your risks, invested in your success, and 100% focused on data protection. That’s what the Patient Shield team at Path Forward does 24/7, 365 days of the year.  We have a team of certified engineers that solely focus on your data protection, security, and risk management. Our team protects petabytes of data in unique environments, has experience restoring thousands of files and servers, and has brought companies back from the brink of disaster when it seemed impossible.

Backup Your Desired Normal

Backups are more than just peace-of-mind; they are your path back to “normal” after a data disaster. Make sure what you are backing up is the version of normal you would want to restore. Chances are if you aren’t very comfortable with your protection today, it’s time to really understand your risks and consider bringing in a partner.

Contact us to learn what a custom-tailored solution looks like for your business.

How WFO Savvy Are You? Tips for Optimizing Your Outdoor Wi-Fi

With summer upon us, it’s no wonder we’re feeling the urge to expand our work-from-home (WFH) office to the great outdoors – or at least to our backyards (WFO = Working from Outside). But are you equipped to do that seamlessly and securely?  

Maintaining productivity and professionalism is an important part of being successful when working from home. When venturing outside, the Wi-Fi signal will often start breaking up the further we roam from the router. Is there a way to have reliable Wi-Fi in your backyard?

Path Forward’s IT AV team is ready with answers to this and more. Our experts design, install and service the AV needs of residential, commercial and construction projects. Here are answers to the questions we are asked most frequently.

I have great Wi-Fi in my house but why doesn’t it work well in my backyard?

Sometimes strong Wi-Fi indoors does not translate well when going outside. When you walk outside, your wireless device is trying to communicate back to your Wi-Fi router through brick, wood, and drywall. These walls are barriers that will degrade your signal. The best way to fix this issue is to install an Outdoor Access Point (AP).

How is an Outdoor Access Point different from adding extenders between my router and my yard?

First, let’s establish a common definition of extenders. Extenders, or repeaters, essentially boost the range of your signal by establishing a new wireless connection away from your router. The upside is that extenders are simple to install and there are many choices of products, representing a broad range of price points. The downside is the loss in signal strength – sometimes as much as a 50% reduction in bandwidth. There’s also a higher probability of interference with other devices.

Most of the Outdoor APs we install go to customers who initially tried using extenders but got frustrated by the inferior signal strength. Bandwidth is a hot commodity for most households now, with so many competing priorities – streaming music and video, conference calls and more.

Outdoor APs are hardwired, so they provide signal strength and bandwidth equivalent to standing indoors, right next to your router. A professional AV installer uses Cat6 cable to directly connect your router to the Outdoor Access Point.

Path Forward IT outdoor APs include a 3×3 antenna array and Fast Roaming which can allow you to enjoy Wi-Fi up to 200 feet away from your home. We are also careful to install all outdoor APs on an unobtrusive exterior wall that is not in plain view.   

Will my Wi-Fi still be secure outside?

Our outdoor Wi-Fi still includes WPA2 security, which is the most secure Wi-Fi encryption to date. If needed, Path Forward can program Access Points with schedules for when outdoor Wi-Fi will be turned on or off.

Why should I use a Path Forward IT Access Point instead of one I find online?

All networking equipment installed by Path Forward IT is remotely monitored by Path Forward IT. If there are issues with the network equipment, Path Forward will receive notifications and can respond accordingly. Also, as new firmware is released (which improves things like security, reliability, etc.), Path Forward will be notified that there is new firmware available for your device and will remotely update it for you.

Ready to improve your outdoor Wi-Fi?

Set up a consultation with a Path Forward IT AV expert today! 

Which Is Your MOST Critical Password?

How many passwords do you currently keep track of? Maybe 20, 30, or more than 50? It can feel like hundreds because we use them constantly. Passwords allow us to access almost everything we do in a day – whether it’s for work or listening to music. As of 2019, the average American maintains passwords for 27 online accounts (Harris poll). (Other studies, commissioned by commercial interests, report an average of upwards of 80+ passwords per person.)

Regardless of whether you fall on the low or high end of that range, it’s a lot of passwords. Despite all the available guidance and tips for creating strong passwords, studies show people’s habits generally fall short.

Everyone probably knows a friend who got locked out, unable to access their email, social media or other personal online accounts. Then that person spent days on the phone with tech support trying to prove their identity.

Why Do People Struggle with Personal Password Security?

  • People don’t want to relinquish control of their passwords. The first commandments we learn when establishing our online presence are: “Don’t share your password with anyone. Don’t write your passwords down.” There’s a built-in distrust in tools like password managers. Pew Research Institute reports that only 3% of internet users rely primarily on password managers.
  • It’s hard to remember a lot of different passwords. People want to make passwords easier to remember, so they use patterns, change one character in an existing password, or reuse passwords for multiple accounts. A security survey conducted by Google found 65 percent of people use the same password for multiple or all of their accounts. This data is quite surprising given the hundreds of articles published each year advising against exactly that.

Online Security: Stay Ahead of Hackers

With so many people working from home now, it can feel like we’re online most of the day. It’s more important than ever to be mindful of how we protect our own little personal sphere in a way that minimizes the risk of having our identity compromised.

Four Steps to Keeping Your Identity Safe

1. Change Your Mindset: Take a cue from your employer. Most employers have robust password management processes and multi-factor authentication (MFA), so you’re probably already using these technologies and processes. Following the lead of the IT experts at your company is free security advice we could extend into our personal lives, but somehow we view work security as separate from our personal life.

2. Adopt These Two Solutions: 

  • Password Manager or Vault. Password management technology is now more available and mainstream than it used to be. It also requires careful research and an ongoing commitment to consistently using the technology for it to work effectively. In the future, we may be able to eliminate the use of passwords permanently, but until that happens, a password manager is the best solution.  
  • Multi-factor Authentication (MFA). MFA protects your account even if someone has guessed or stolen your password. After a password is successfully entered and before granting access to an account, the technology confirms your identity. It requires you to engage with an auto-generated confirmation link, phone call, or text message to your personal device to authenticate your identity.

The common downside with MFA is, by design, it will be much more difficult to gain access to your account if you don’t have the other factor available.

MFA is only available when a company has built it into their website. Use this technology whenever a website or business offers it.
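The mechanism described in both MFA passages above (a legitimate password is accepted, and only then is a second factor checked), as an added example that is not code from the original post: a minimal two-factor login check using a salted password hash plus a time-based one-time passcode, the RFC 6238 TOTP scheme that authenticator apps generate. The user record, the password, the clock values and the enrollment secret are constructed for the example; the code itself is what the server side of an MFA-protected login does, not any particular vendor’s product.

```python
# Added example, not code from the original post: a minimal two-factor
# login check using a password hash plus a time-based one-time passcode
# (TOTP, RFC 6238, which is what authenticator apps generate). The user
# record, password and clock values are constructed for the example.
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000
STEP_SECONDS = 30


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Compute the RFC 6238 code (HMAC-SHA1 over the 30-second counter)."""
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str) -> dict:
    """Store only a salted PBKDF2 hash of the password plus a TOTP seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": secrets.token_bytes(20),
    }


def enrollment_secret(user: dict) -> str:
    """Base32 form of the seed, the format authenticator apps accept when enrolling."""
    return base64.b32encode(user["totp_secret"]).decode()


def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_code(user: dict, code: str, now: int, drift_steps: int = 1) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(user["totp_secret"], now + d * STEP_SECONDS), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def login(user: dict, password: str, code: str, now: int) -> tuple:
    """Return (granted, audit_reason). The reason is for the server log only:
    the user-facing message should be the same for both failures, so a stolen
    password cannot be confirmed by observing which factor failed."""
    if not verify_password(user, password):
        return (False, "password rejected")
    if not verify_code(user, code, now):
        return (False, "password accepted, second factor rejected")
    return (True, "both factors accepted")


if __name__ == "__main__":
    alice = make_user("correct horse battery staple")   # constructed credentials
    now = 1_700_000_000                                 # constructed clock value
    good_code = totp(alice["totp_secret"], now)         # what Alice's app would show
    print("enroll with:", enrollment_secret(alice))
    print(login(alice, "correct horse battery staple", good_code, now))
    print(login(alice, "correct horse battery staple", "000000", now))  # password alone
    print(login(alice, "guess", good_code, now))
```

The seed returned by enrollment_secret is the value that has to be re-enrolled on a new phone; as the post notes, the authenticator app does not restore it from a backup automatically, and losing it locks the legitimate user out just as surely as it locks out someone holding only the password.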

3. Enlist Expert Advice: Selecting and setting up a password manager requires careful consideration to ensure a proper setup, because the risks of doing it wrong are significant. If the explanations sound too technical, enlist a tech-savvy friend or a professional for additional guidance.

If you are using an MFA that sends a token to your phone and plan to buy a new phone, the MFA security app will not restore from a backup automatically. Be sure to find out how to restore your MFA security app before turning off your old phone.

4. Have a Good Recovery Plan: Your rescue plan will include your most critical password for protecting your online identity. Whether it gets you into your password manager (preferred!) or your primary email account, this one password deserves your very best effort in applying every best practice.

Stay Diligent

Keep in mind, the first line of defense in protecting your personal online identity is to stay alert and be aware of scams and suspicious links. While user-error certainly isn’t the root cause of all account breaches, it is an area of risk. It’s also important to be sure to follow best practices for password creation. With diligence, strong passwords and technologies like a password manager and MFA, you can significantly improve the security of your online identity.

5 Ways to Protect Your Healthcare Practice

Compliance is daunting enough in a year without a pandemic. This year we’ve faced constant change:  telehealth privacy issues, entire departments working from home, redesigned processes, and worldwide phishing attacks that take advantage of confusion and change. Through it all, our regulatory and reporting deadlines are knocking at the door.

It can be hard to stay focused on both the urgent and the important. Your compliance team can help you prioritize and manage your regulatory and contractual to-do lists.

Balancing Act

As a compliance officer and compliance advisor, I work with our internal team and with healthcare practice clients to help prioritize obligations and to balance operational improvements with financial realities.

Many healthcare practices have seen a significant financial impact from Covid-19. Resources and time are in short supply.  So this to-do list focuses on some fundamental compliance work. You can also download a more detailed checklist here.

5 Ways to Protect Your Healthcare Practice

1. Update your risk assessment and business continuity/ disaster recovery plans.

Heavyweight champ Mike Tyson famously said, “everyone has a plan until they get punched in the mouth.” No matter how good your plans were before Covid-19, chances are that things haven’t gone as planned. Update your plan with what you learned. What went well? What were the unexpected challenges? For example, prevention is much less expensive than remediation, so make sure your plan includes keeping security patches up to date.

2. Revisit your monitoring and auditing standards.

Given all the changes in 2020, it’s easy to overlook your regular checks and balances, even something as routine as reviewing your bank statements. Keeping an eye on your billing and collections is critical. So is making sure you continue to meet payor and regulatory standards, whether it’s commercial insurance, state filings, or Medicare. Your compliance team can help you prioritize and perform your internal controls.

3. Update your policies and procedures.

Many practices didn’t have formal standards for teleworking or telehealth sessions before Covid-19. Maybe your information systems usage policy doesn’t prohibit unsecured wireless networks, or maybe your annual risk assessment didn’t include employees working at home. Standards that made sense before the pandemic will still need to be reviewed. Again, use what you learned over the past few months. Many policies need revisiting in light of more robust work-from-home and telehealth arrangements for physicians and staff.

4. Catch up on due diligence for new vendors.

Have you added a new telehealth vendor, or did you outsource billing or printing services? Have your existing vendors kept up with training, background checks, and other compliance requirements?  Keep in mind that CMS and other payors—as well as your cybersecurity insurance policy—may require proof that you kept up on your due diligence.

5. Don’t sleep on (or during) HIPAA and compliance training.

HHS did not address mandatory compliance training in its Covid-19 guidance. We have to assume that training deadlines haven’t changed. If you added new staff during the past few months, the clock is ticking for HIPAA and CMS training. Don’t forget that insurers and states may require additional training, too. Training will only get harder to schedule as we get closer to December 31.

Anticipate the Next 3 Steps

While it’s not clear yet whether recent changes to compliance requirements are going to become permanent, it’s important to prepare for them as though they will. Enforcement of security measures will adapt to meet changes in technology, and we know telehealth is here to stay in one capacity or another. Temporary HIPAA allowances for Covid-19 disclosures have spurred discussions on how we share information on other threats to public health.

Investing time now to evaluate your compliance plan will pay dividends and keep the important from becoming urgent. If you need guidance, please reach out to me. We offer free compliance consultations to help healthcare practices sort out what needs to be done to #comebackstronger.