October through December are critical months for security assessments. There is no "blueprint" for the perfect security assessment, so I have listed 10 tips for a good one. If you can follow these, you will cover the main areas you need to protect your practice.
10 Tips for a good Security Assessment
- Conduct a thorough risk assessment every 6 months. I know it may only be required annually, but it is best practice as far as I am concerned.
- Evaluate the physical environment – people take this for granted and overlook gaps such as screens viewable by patients or visitors, unlocked doors to server rooms or record storage, and poor ventilation or cooling in server rooms.
- Users – You need a way to monitor your users and their activity. Make sure you have audit controls in place: logging of who accesses ePHI, and someone who actually reviews those logs.
- Servers and Local Computers – Make sure operating systems and applications are patched, and that antivirus and anti-spyware software is installed, running and receiving current definitions.
- Firewall – Review the firewall rules, and have an external vulnerability scan or penetration test run against your Internet-facing addresses to confirm that only the services you intend are exposed.
- Email – Review outbound email regularly, and spot-check for ePHI that has been sent inadvertently or without encryption.
- Wireless – Make sure you have good wireless security in place: current encryption (WPA2 or better) with a strong passphrase, default administrator passwords changed on every access point, and a separate guest network that cannot reach your practice systems.
- Business Associates – Do you have Business Associate Agreements (BAAs) with every vendor who has access to your systems or your ePHI?
- Remote Access – Do you review which users can remote into your servers and your ePHI, and check what they do while connected?
- Lastly, do you use file-sharing services like Dropbox, Google Apps, etc.? If so, they need to be evaluated for security, and if ePHI is stored there the provider needs to be covered by a BAA as well.
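As an added example (not part of the original post and not Tier3MD's own tooling), here is a small Python spot-check for the email item above: it walks a set of outbound messages, skips anything already sent S/MIME- or OpenPGP-encrypted, and flags unencrypted messages whose subject or text body contains common ePHI identifiers (Social Security number, date of birth, medical record number). The three sample messages are constructed for the example and contain no real patient data; the regex patterns, the "MRN:" label format and the masked report are my assumptions, not a standard.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Patterns for common ePHI identifiers. The SSN rule excludes area numbers
# 000, 666 and 900-999, group 00 and serial 0000, which are never issued,
# to cut down on false positives from other nine-digit numbers.
PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "DOB": re.compile(r"\b(?:DOB|date of birth)\s*[:#]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.I),
    "MRN": re.compile(r"\bMRN\s*[:#]?\s*(\d{6,10})\b", re.I),  # assumed label format
}

# Content types used by OpenPGP/MIME and S/MIME encrypted mail.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

# Constructed sample outbound messages (no real patient data). In practice you
# would iterate over a Sent-mail export, e.g. mailbox.mbox("sent.mbox").
SAMPLE_MESSAGES = [
    """From: frontdesk@example-practice.test
To: billing@example-insurer.test
Subject: Claim question
Content-Type: text/plain

Hi, can you check on claim status for the patient below?
Name: John Doe, DOB: 03/14/1962, SSN: 123-45-6789, MRN: 00481516
Thanks
""",
    """From: office@example-practice.test
To: vendor@example-supplier.test
Subject: Toner order
Content-Type: text/plain

Please send two cartridges for the front desk printer. PO 4455.
""",
    """From: drsmith@example-practice.test
To: specialist@example-hospital.test
Subject: Referral
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA2v3sample0ciphertext0not0real
-----END PGP MESSAGE-----
--b1--
""",
]


def is_encrypted(msg: EmailMessage) -> bool:
    """True for S/MIME or OpenPGP/MIME messages, whose bodies cannot (and need not) be scanned."""
    return msg.get_content_type() in ENCRYPTED_TYPES


def plain_text(msg: EmailMessage) -> str:
    """Concatenate the subject and every text/plain part of the message."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself does not leak ePHI."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_message(raw: str) -> dict:
    """Parse one RFC 822 message and list the (masked) ePHI indicators found in it."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"subject": str(msg.get("Subject", "")), "encrypted": is_encrypted(msg), "findings": []}
    if result["encrypted"]:
        return result  # already protected in transit and at rest; nothing to check
    text = plain_text(msg)
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            result["findings"].append((label, mask(value)))
    return result


def spot_check(raw_messages) -> list:
    """Return only the messages that carry unencrypted ePHI indicators."""
    return [r for r in (scan_message(raw) for raw in raw_messages) if r["findings"]]


if __name__ == "__main__":
    for hit in spot_check(SAMPLE_MESSAGES):
        print(f"FLAGGED: {hit['subject']!r}")
        for label, value in hit["findings"]:
            print(f"  {label}: {value}")
```

Treat hits as a starting point for a manual review, not a verdict: regexes miss ePHI written out in prose ("the patient I saw Tuesday with ...") and will occasionally flag unrelated numbers, and attachments are not inspected here at all. The point is that the check is cheap enough to run every week against the Sent folder rather than once a year.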
Staying secure is not easy, but if you keep up with it regularly, it does not have to be a full-time job. Basically, get all your ducks in a row, and monitor them on a regular basis.
If you need help with your security assessments, contact Tier3MD.
Tier3MD is an IT support group for medical practices, and is headquartered in Atlanta, GA.