Episode Transcript
WEBVTT
1
00:00:01.159 --> 00:00:04.280
Welcome to another episode of Catch Up
with ChiroTouch. I'm one of your
2
00:00:04.320 --> 00:00:07.790
hosts, Dr. Tammy Howard. In this
episode we're going to talk about the top
3
00:00:07.950 --> 00:00:12.669
five mistakes that chiropractic offices make with
their digital security. Joining me today is
4
00:00:12.789 --> 00:00:16.510
Aaron Jones. Aaron is the director
of IT here at ChiroTouch and,
5
00:00:16.629 --> 00:00:21.070
amongst the many responsibilities he has here, helps to ensure the security of our
6
00:00:21.109 --> 00:00:24.820
internal systems so we can provide the
highest level of service to our clients.
7
00:00:24.859 --> 00:00:28.019
Hi, Aaron, thanks for joining
us. Hi, Tammy, glad to
8
00:00:28.059 --> 00:00:31.219
be here. I know when you
and I first met to discuss this idea
9
00:00:31.260 --> 00:00:35.969
of doing a podcast on digital security, we realized pretty quickly how large this
10
00:00:36.130 --> 00:00:40.369
topic can get and also how scary
it can sound to people at times.
11
00:00:40.810 --> 00:00:45.369
Small business owners have so much on
their minds already and digital security is not
12
00:00:45.649 --> 00:00:49.210
always at the top of that list. Well, you're absolutely right, Tammy.
13
00:00:49.210 --> 00:00:52.920
It is a very scary topic.
I know it is a big topic
14
00:00:53.119 --> 00:00:56.799
and so much to take action on. Can you dive into one of the
15
00:00:56.840 --> 00:01:00.359
first common mistakes that chiropractic offices make? Sure. I think this is very
16
00:01:00.520 --> 00:01:07.349
common in fact, and that is
when users of any network go to set
17
00:01:07.390 --> 00:01:11.269
up the parameters of their network.
Often they'll get through the naming of the
18
00:01:11.349 --> 00:01:15.310
network and that's about it and they
won't look any deeper into the settings.
19
00:01:15.430 --> 00:01:19.180
or certainly the security options. They
might set up a password, but very
20
00:01:19.299 --> 00:01:25.180
often there will be a wireless network
that is either unsecured or protected only by
21
00:01:25.180 --> 00:01:29.500
a very weak password, and that
is just so common that it's essentially
22
00:01:29.579 --> 00:01:34.329
leaving the door open to any would-be
attacker to jump on the network that
23
00:01:34.409 --> 00:01:40.609
might also host a lot of really
important critical systems and make them vulnerable to
24
00:01:40.689 --> 00:01:44.969
attack. Yeah, I know oftentimes
you'll go into businesses and they'll have like
25
00:01:45.049 --> 00:01:49.280
a guest account that's available. Is
that something that is generally more secure?
26
00:01:49.400 --> 00:01:53.680
If there is a guest network,
it can be. The concept of a
27
00:01:53.760 --> 00:02:00.680
guest account first allows guests inside that
business to connect to the Internet without having
28
00:02:00.680 --> 00:02:06.469
to input a password. The second
consideration there is to isolate or put those
29
00:02:06.549 --> 00:02:10.150
users of the network into a bubble
and keep them away from the sensitive resources
30
00:02:10.270 --> 00:02:14.189
on the business network. Right.
So, if it's set up properly,
31
00:02:14.469 --> 00:02:19.819
then a guest network is absolutely a
safe thing to provide to visitors to the
32
00:02:19.860 --> 00:02:23.979
business. An important thing to turn
on is wireless guest isolation. It's a
33
00:02:24.020 --> 00:02:30.330
pretty common feature in most routers and
that wireless guest isolation essentially does just what
34
00:02:30.449 --> 00:02:35.810
I was suggesting. It puts those
guest Internet users in a bubble where they
35
00:02:35.849 --> 00:02:38.169
can't see or touch anything else on
the network. Most people, if you
36
00:02:38.289 --> 00:02:43.449
like, understand that they shouldn't have
unsecured wireless networks, so it's interesting to
37
00:02:43.490 --> 00:02:47.680
see that that's still a common mistake
that people make. The large
38
00:02:47.960 --> 00:02:53.400
concern there is that somebody can gain
access through that to your sensitive data.
39
00:02:53.879 --> 00:03:00.189
That's exactly right. You would be
surprised to learn how easy it is for
40
00:03:00.430 --> 00:03:05.430
attackers, with the sophisticated tools that
are widely available now, to get into
41
00:03:05.590 --> 00:03:09.469
essentially whatever they'd like to through your
network. And a lot of times even
42
00:03:09.509 --> 00:03:15.460
a secured wireless network will have the
password to the network posted somewhere visibly within
43
00:03:15.580 --> 00:03:21.620
the office. So if someone is
on your business network, they are able
44
00:03:21.780 --> 00:03:27.099
to collect things like user names and
passwords, IP addresses to sensitive systems,
45
00:03:27.330 --> 00:03:30.610
they can see packets of information passing
back and forth and they can in fact
46
00:03:30.889 --> 00:03:36.569
impersonate other users from within that network. So there are just a number of
47
00:03:36.650 --> 00:03:42.319
dangers there and it's really important to
keep outside actors off of your business network.
48
00:03:42.800 --> 00:03:46.080
Don't leave those passwords posted visibly.
Huh, that's absolutely right. But
49
00:03:46.319 --> 00:03:50.719
also, I would say, in
addition to keeping them secret, change them
50
00:03:50.800 --> 00:03:58.189
often right, because those passwords certainly
can be given out to non employees in
51
00:03:58.349 --> 00:04:00.710
the event that someone needs to jump
on the network and perhaps they are a
52
00:04:01.189 --> 00:04:06.270
vendor partner or maybe they're a family
member of an employee. You might end
53
00:04:06.310 --> 00:04:12.580
up spreading the password around more broadly
than you intended to. So changing your
54
00:04:12.620 --> 00:04:17.699
business network password often is good policy, and certainly keep from posting it publicly.
55
00:04:18.300 --> 00:04:24.220
That's a good segue into another common
mistake that we see people make regarding
56
00:04:24.410 --> 00:04:30.529
weak password security, or maybe
not changing passwords quite as often as they
57
00:04:30.529 --> 00:04:32.689
should be. There are so many
things that we rely on passwords for,
58
00:04:33.050 --> 00:04:39.160
and password fatigue is real, having
to remember so many different passwords for the
59
00:04:39.240 --> 00:04:43.800
different systems that you interact with on
a daily basis. The most important thing
60
00:04:43.839 --> 00:04:47.720
to do is to think about password
policies. What is it that you want
61
00:04:47.879 --> 00:04:54.069
to pursue in terms of password security? Do you want to have passwords that
62
00:04:54.110 --> 00:04:59.430
are unique for all of your critical
business systems, meaning your password isn't
63
00:04:59.509 --> 00:05:01.910
dolphin1985 across every
system that you connect
64
00:05:01.949 --> 00:05:06.579
to. That's certainly a great place
to start, but thinking through those different
65
00:05:06.660 --> 00:05:13.500
expectations and writing them down into a
password policy is really the first step.
66
00:05:13.819 --> 00:05:16.699
Without a standard to follow, you
can't expect all of the people who have
67
00:05:16.819 --> 00:05:21.209
access to your critical data and your
critical systems to fall in line. Well,
68
00:05:21.250 --> 00:05:24.810
now that you've told everyone my password, I'm going to have to go
69
00:05:24.889 --> 00:05:29.290
and change it. Oops, how'd
you know I love dolphins? I know
70
00:05:29.410 --> 00:05:35.079
that something that you've harped on quite
a bit is using longer phrases or pass
71
00:05:35.160 --> 00:05:40.560
phrases. Can you talk a little
bit about some of that for our listeners?
72
00:05:40.600 --> 00:05:46.120
Absolutely so. There is conventional wisdom
with regards to password security, but
73
00:05:46.240 --> 00:05:50.990
the important thing to note is that
that wisdom is always changing. There is
74
00:05:51.230 --> 00:05:59.550
an organization, the National Institute of
Standards and Technology, that keeps an up-to-date standard or
75
00:05:59.589 --> 00:06:06.420
recommendation for password strength for just generally
Internet security practices, best practices for things
76
00:06:06.500 --> 00:06:12.899
like passwords, for things like remembered
tokens and other things that software systems and
77
00:06:13.100 --> 00:06:18.810
users might employ to secure their systems
and data. Those rules are always changing
78
00:06:18.970 --> 00:06:26.490
and in fact the recommendations evolve as
humans adapt to this password fatigue. One
79
00:06:26.529 --> 00:06:30.769
of the things that we do is
we end up relying on the same mechanisms,
80
00:06:30.889 --> 00:06:34.399
we fall back on the same patterns
when we're required to change passwords very
81
00:06:34.519 --> 00:06:42.000
often, and we do more often
reuse passwords across even very critical systems.
82
00:06:42.680 --> 00:06:46.759
If we have to change these passwords
and they have to adhere to a certain
83
00:06:46.079 --> 00:06:51.750
minimum strength. So NIST, the
National Institute of Standards and Technology, acknowledges
84
00:06:51.829 --> 00:06:58.470
that the best thing to do is
to have different passwords across different critical systems
85
00:06:58.709 --> 00:07:02.740
and make them longer phrases. A
pass phrase that is easy for the human
86
00:07:02.819 --> 00:07:09.300
to remember but harder for an attacker
to crack. Essentially, a password is
87
00:07:09.339 --> 00:07:13.220
harder for an attacker to crack if
it is longer. The way that a
88
00:07:13.300 --> 00:07:19.370
password is cracked is generally not by
human hands but by computers iterating through hundreds,
89
00:07:19.529 --> 00:07:25.410
thousands, millions of different possibilities,
and the longer your password is,
90
00:07:25.810 --> 00:07:29.769
the less likely it is that they
will ever attain a hit on your password.
91
00:07:30.240 --> 00:07:33.120
So by using a longer pass phrase, you make it much less likely
92
00:07:33.199 --> 00:07:39.439
that that password will be cracked and
you can also make it somewhat memorable for
93
00:07:39.560 --> 00:07:44.120
the system that you're signing into,
and I think this brings up something that
94
00:07:44.389 --> 00:07:47.149
I know you are planning and talking
about today as well, but some of
95
00:07:47.189 --> 00:07:55.149
the human as a risk factor conversation
where employees of your company may be using
96
00:07:55.269 --> 00:08:01.939
the same password for personal items as
they are for the business. So talk
97
00:08:01.980 --> 00:08:05.220
a little bit on that if you
would. It's so common. One of
98
00:08:05.259 --> 00:08:11.620
the main ways that passwords will be
compromised is because a username and password combination,
99
00:08:11.889 --> 00:08:16.290
or even the identity of a person, which may have several user names
100
00:08:16.329 --> 00:08:20.810
associated with it, either on the
dark web or in the possession of some
101
00:08:20.930 --> 00:08:24.290
attacker, can be correlated to passwords
they're using for much more important systems.
102
00:08:24.490 --> 00:08:30.800
So let's say, for example,
your PayPal password gets compromised, or perhaps
103
00:08:30.800 --> 00:08:35.279
your password on Pinterest gets compromised.
If you're using the same password and same
104
00:08:35.360 --> 00:08:41.590
naming convention on a very critical business
system, then essentially the other system is
105
00:08:41.669 --> 00:08:46.110
already compromised as well. It's just
a matter of time before that combination is
106
00:08:46.230 --> 00:08:50.990
tried. So the most important thing
to remember is that every business system should
107
00:08:52.389 --> 00:08:58.779
be treated as unique. You're not
protected if you have one strong password that's
108
00:08:58.820 --> 00:09:03.580
used with one logon across all
really critical business systems, and certainly I
109
00:09:03.659 --> 00:09:11.769
would strongly advise against using the same
password in your personal accounts as you do
110
00:09:11.929 --> 00:09:15.129
in your business accounts. So don't
change my password to ilovedolphins1985
111
00:09:15.129 --> 00:09:18.049
and use that across all accounts. Right.
112
00:09:18.490 --> 00:09:24.600
Just make sure you change the E's
to 3's in dolphinsforever!
113
00:09:24.639 --> 00:09:31.799
A lot of chiropractic offices don't tend
to run their own email systems. They'll
114
00:09:31.840 --> 00:09:37.200
rely on something like a Gmail account or
a Hotmail account. So talk a little bit
115
00:09:37.240 --> 00:09:41.990
about unmanaged email systems and what
we should be looking for as kind of
116
00:09:43.110 --> 00:09:46.509
best practice there. It's very
easy, especially for small businesses, to
117
00:09:46.629 --> 00:09:52.789
rely on email addresses that can be
obtained for free, with very little effort,
118
00:09:52.019 --> 00:09:58.620
through public email systems like Gmail and
Hotmail. The problem largely comes in
119
00:09:58.179 --> 00:10:03.539
because there's no administrative control of those
email systems. You can't enforce the
120
00:10:03.580 --> 00:10:09.889
password policy that you just wrote,
so you have no ability to deactivate or
121
00:10:11.129 --> 00:10:16.809
forward or control a personal email address
that your staff member who just left Dis
122
00:10:18.129 --> 00:10:22.639
gruntled might have used. Because of
that, I would recommend looking at one
123
00:10:22.679 --> 00:10:28.960
of three options for upgrading the way
you do email. One of the easiest
124
00:10:28.000 --> 00:10:33.080
ways to upgrade from a public email
system is to look at a business email
125
00:10:33.360 --> 00:10:39.029
system through the same provider. So
let's say your staff is comfortable with Gmail.
126
00:10:39.549 --> 00:10:43.429
Buying into a G Suite account,
or essentially a business-level Google account,
127
00:10:43.909 --> 00:10:50.019
will allow an administrator to provision and
control email addresses. Those email addresses
128
00:10:50.100 --> 00:10:54.740
can have password policies enforced that will
match top to bottom throughout the organization,
129
00:10:56.299 --> 00:11:01.539
and user accounts can be enabled or
disabled based on the status of the user.
130
00:11:03.220 --> 00:11:09.169
There's another level that can be attained
by managing your own private email system.
131
00:11:09.570 --> 00:11:15.970
That can take the form of a
hosted email service or a self-hosted email
132
00:11:16.330 --> 00:11:22.559
server. Those last two options are
certainly more complex than a G Suite or
133
00:11:22.600 --> 00:11:26.080
Office 365 business
account, but all three of these options
134
00:11:26.200 --> 00:11:33.909
allow far greater control over the email
users and the routing of the email and
135
00:11:35.269 --> 00:11:39.470
all things having to do with the
security of that email account. A lot
136
00:11:39.470 --> 00:11:45.190
of times that's something that's not necessarily
considered when creating these gmail accounts and things
137
00:11:45.230 --> 00:11:48.580
like that. They are going to
lose control over that if the staff leaves,
138
00:11:48.659 --> 00:11:52.500
so that's a really important business consideration
for offices. So thanks for talking
139
00:11:52.539 --> 00:11:56.220
about that. The next point that
I want to talk about, I know
140
00:11:56.299 --> 00:12:03.330
it's one of your favorites because you
have control over this within ChiroTouch, is some
141
00:12:03.409 --> 00:12:07.850
of the staff training around security principles. So, for listeners on the phone
142
00:12:07.929 --> 00:12:13.690
that aren't aware, Aaron helps to keep
us on our toes here at
143
00:12:13.809 --> 00:12:16.799
ChiroTouch around security principles, and one
of the things that he does for us
144
00:12:16.919 --> 00:12:24.240
is yearly staff training on this topic. And so talk a little bit about
145
00:12:24.720 --> 00:12:28.960
some of the reasons that you've picked
up the staff training piece for ChiroTouch
146
00:12:30.269 --> 00:12:35.470
and what the major areas are that
you feel should be focused on. Definitely,
147
00:12:35.110 --> 00:12:39.669
in addition to being director of IT, I also wear the hat of
148
00:12:39.870 --> 00:12:45.580
compliance officer for our organization, and
you're right that one of the most important
149
00:12:45.820 --> 00:12:52.500
facets of IT security is the human
element. The people who are actually pulling
150
00:12:52.539 --> 00:12:58.379
the levers, pushing the buttons and
managing the sensitive data and systems that are
151
00:12:58.419 --> 00:13:01.370
so critical to your business are the
ones on the front line. They are
152
00:13:01.409 --> 00:13:07.490
the ones that are at most risk
of making a mistake or being attacked.
153
00:13:07.769 --> 00:13:11.570
And when I say being attacked,
I mean that quite literally. Phishing attacks
154
00:13:11.730 --> 00:13:16.639
through email and other means are very
common and they're meant to trick users.
155
00:13:18.159 --> 00:13:20.919
So one of the most important things
to do is to make sure that the
156
00:13:22.080 --> 00:13:26.919
users inside your organization know that these
attacks are coming. They know what they
157
00:13:26.039 --> 00:13:33.230
look like, they can characterize them
and predict what they're going to look like
158
00:13:33.429 --> 00:13:37.669
and feel like, but also to
continually remind and build up a culture of
159
00:13:37.909 --> 00:13:45.220
security awareness within your organization. If
every single person on your team is vigilant
160
00:13:45.659 --> 00:13:52.379
and aware and defending the organization against
IT attacks and other threats, then it's
161
00:13:52.620 --> 00:13:56.129
very likely that you'll have great success. But if even one person in your
162
00:13:56.169 --> 00:14:01.690
organization is much more relaxed than the
others, then you've got a weak link
163
00:14:01.730 --> 00:14:07.090
in the chain. So not only
is it really important to acknowledge that humans
164
00:14:07.129 --> 00:14:11.720
are probably your biggest risk factor,
but also you should be conducting regular training,
165
00:14:13.000 --> 00:14:18.840
training on not only HIPAA and the
protection and classification of protected health information,
166
00:14:20.240 --> 00:14:24.669
but also just IT risks and IT
security in general. Doing that training
167
00:14:24.710 --> 00:14:28.389
at the point of bringing on a
new hire and also just annually is great,
168
00:14:30.029 --> 00:14:35.789
but what we find to be as
powerful is regular, unexpected security reminders
169
00:14:35.230 --> 00:14:41.539
that can snap people back into awareness
of a particular threat that they might have
170
00:14:41.700 --> 00:14:46.980
grown a little bit more relaxed against. The phishing attempts now seem to be
171
00:14:46.419 --> 00:14:54.049
much more complex than before. They're
becoming much more sophisticated in their attempts now
172
00:14:54.529 --> 00:14:58.370
with some of those phishing emails and things
that will go out. So having that
173
00:14:58.450 --> 00:15:01.450
regular reminder to kind of be on
your toes, it's really good. It
174
00:15:01.490 --> 00:15:05.809
helps me, at least I know. So what happens if all else fails?
175
00:15:07.399 --> 00:15:13.919
So something fails in our attempts and
we have a disaster, whether that's
176
00:15:13.960 --> 00:15:20.159
a natural disaster or some type of
a technology disaster, what are the important
177
00:15:20.200 --> 00:15:24.070
systems that we should have in place
for that? There are a number of
178
00:15:24.149 --> 00:15:30.750
different ways to approach this topic.
The idea of disaster recovery often revolves solely
179
00:15:30.750 --> 00:15:33.990
around where is the backup of my
data? How do I get my data
180
00:15:35.110 --> 00:15:39.299
restored after X, Y, Z might
occur, but very little time is often
181
00:15:39.379 --> 00:15:46.980
spent on understanding the steps between the
failure and the recovery, and that's really
182
00:15:46.019 --> 00:15:52.490
where all the meat of this discussion
is. Disaster Recovery and contingency planning is
183
00:15:52.529 --> 00:15:58.970
multifaceted because there are many different types
of systems and many different levels of criticality
184
00:16:00.009 --> 00:16:03.720
of data that you have to contend
with. Not everything that you had before
185
00:16:04.360 --> 00:16:10.320
a crash, a flood, a
tornado is critical to have back on the
186
00:16:10.360 --> 00:16:14.000
other side of it. That may
be an ideal state, but understanding what
187
00:16:14.120 --> 00:16:18.480
the most critical things are can often
lead to you protecting at a much higher
188
00:16:18.519 --> 00:16:22.429
level those things which are more critical. So that's an important first step,
189
00:16:22.629 --> 00:16:26.389
really documenting what you have, whether
it's data, whether it is a
190
00:16:26.509 --> 00:16:33.419
piece of software or some specific configuration
that you need to recreate, and then
191
00:16:33.580 --> 00:16:37.059
making sure that you have a plan
for putting that back in order, from
192
00:16:37.139 --> 00:16:41.179
most critical to least critical. The
second thing that I think is important,
193
00:16:41.179 --> 00:16:47.210
after you've documented what you have and
what you want to get back, is
194
00:16:47.289 --> 00:16:52.490
to think through different scenarios that might
realistically happen. If you are somewhere where
195
00:16:52.490 --> 00:16:56.250
it is completely impossible for floods to
occur, you don't need to have a
196
00:16:56.289 --> 00:17:02.200
flood contingency plan, but thinking through
all of the realistic scenarios, however unlikely
197
00:17:02.320 --> 00:17:07.079
they might be, and then ranking
those again by likelihood, by risk.
198
00:17:07.119 --> 00:17:11.519
Right. So we want to look
at the impact versus the likelihood and wherever
199
00:17:11.559 --> 00:17:15.349
we see a peak in
the cross section of those two things.
200
00:17:17.109 --> 00:17:19.869
That's a risk to you, right. So you want to have a contingency
201
00:17:19.910 --> 00:17:22.990
plan for everything that might be likely
to happen, and certainly this could be
202
00:17:23.029 --> 00:17:29.150
computer failure, it could be cyber
attack, it could be theft, it
203
00:17:29.269 --> 00:17:32.900
could be a natural disaster. Each
one of these things puts you in a
204
00:17:33.019 --> 00:17:37.460
different position with regards to recovery and
if you go through and make a plan
205
00:17:37.700 --> 00:17:41.700
for each one of them, it
can often lead to a much better outcome
206
00:17:42.019 --> 00:17:47.569
when one of those things might occur. It might be beneficial for our listeners
207
00:17:47.650 --> 00:17:52.690
to have somewhere to seek out information
beyond this podcast. So, with
208
00:17:52.930 --> 00:17:56.490
that said, are there any specific
resources that you would find helpful to point
209
00:17:56.529 --> 00:18:02.519
our listeners to for continuing their education
on this topic? There are a ton
210
00:18:02.559 --> 00:18:08.680
of resources available online for both IT
security and specifically healthcare IT security. The
211
00:18:08.759 --> 00:18:12.829
first thing that I would recommend that
listeners do is head to chirotouch.com.
212
00:18:14.190 --> 00:18:18.150
We have a resources section at
chirotouch.com/resources, which has several
213
00:18:18.430 --> 00:18:23.390
security ebooks. You can just search
security ebook there and those are a good
214
00:18:23.430 --> 00:18:29.059
place to start. But also there's
a wealth of information available at
215
00:18:29.660 --> 00:18:33.619
HealthIT.gov. That information is far-reaching. It certainly is not specific to chiropractic,
216
00:18:34.059 --> 00:18:38.420
but it does answer a number of
the questions that you might have as
217
00:18:38.539 --> 00:18:42.890
follow-ons from the topics today.
Excellent. Well, thank you so much
218
00:18:42.890 --> 00:18:48.529
for joining us today and giving us
all of this wonderful information on how to
219
00:18:48.730 --> 00:18:52.130
protect offices, and thank you all
for catching up with ChiroTouch. Make
220
00:18:52.170 --> 00:18:57.319
sure to tune in every week on
Spotify, iTunes or chirotouch.com/podcast
221
00:18:57.440 --> 00:19:00.039
to listen to our latest episodes.