Monday, November 15, 2010

EPHI Information Breach Concerns

As most of our health care Clients are probably already aware, a VNA here in Connecticut was in the news recently and it wasn’t good news.  A nurse’s laptop was stolen from her car.  The laptop contained information on around 12,000 patients. 

Almost immediately, we started getting inquiries from some of our health care Clients asking about the security of their laptops.  I decided to write this blog post to respond to these inquiries in a fashion that will hopefully help all our health care Clients.

First, laptops should be encrypted.  Encryption ensures that if a laptop is stolen or lost, the information on the hard drive cannot be accessed by taking the drive out of the laptop and trying to access it in another device.  Having a laptop encrypted means that if a laptop is stolen or lost you would not have to report it as required by HITECH/HIPAA.

Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information.  Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. 

We use TrueCrypt, a free open source encryption tool, to encrypt devices.  There are some things to know about encrypting laptops.  First, it is time consuming.  Encrypting a brand new laptop can take 2 or more hours depending on the size of the hard drive and the speed of the laptop.  It can take 4 or more hours on an older laptop.  It can also affect the performance of the laptop, especially older laptops that are already running slow.  Once the laptop is encrypted, the user will need to enter two passwords to start the laptop up.  (There are several variations on how data can be encrypted.)  If the encryption key is lost, the data on the laptop is lost.  (We have processes in place to make sure the key is not lost.)

Now come the hard facts.  A large portion of the laptops we work on have the password attached to the laptop somewhere.  Do you know if that is happening in your practice?  If the password is exposed you have no security, even if the laptop is encrypted.  Also, if the device is left logged on when it is being moved from location to location, you don’t have security either.  If the laptop is lost or stolen, one simply needs to open the laptop and all the data is exposed.  Again, encryption doesn’t matter.

We have been getting inquiries as to whether an organization’s laptops are encrypted or not.  While this is a good question to ask, I’m afraid that you should already know the answer to the question.  Also, this is not the only question to ask.  What are your security policies relative to the laptops and your EPHI in general?  Are your nurses and other staff aware of the policies and are they following them?  What are the consequences if they don’t follow them?  What happens if there is a breach?  Does everyone in your organization know what the protocol is?  If the media is asking questions, do you have a protocol in place?  When was the last time you changed passwords?  Do you have an inventory of all your devices?  How often is it checked to see if anything is missing?  Etc., etc.

Unfortunately, security and ease of use are not synonymous.  Security can be painful.  We have to remember complex passwords and follow rules that make our jobs just a little more difficult.  However, it is imperative that security be taken seriously today, in our personal and professional lives.  We do not want to be the next security-related news story.

Feel free to contact us if you would like to review your security status.

Tuesday, October 26, 2010

How To Use Signatures in Outlook 2010

Microsoft provides some great resources to help users learn how to use their products, from simple How-To documents to videos and even live training.  I will publish some of these resources on this blog.

In this multimedia training module you will learn how to create and use professional (or not) looking signatures in Outlook 2010.  The concepts are similar for earlier versions of Outlook but may be slightly different.

One note I would add to this session: Outlook, Outlook for Web Access and Outlook mobile do not use the same signature template.  You must create a signature in each of these Outlook modes.  The session does discuss setting up a signature in Outlook for Web Access.  You will need to use your mobile phone email application to create your “mobile” signature.

Be sure to click the next button to get through the whole session.

Use E-Mail Signatures in Outlook 2010

Friday, October 22, 2010

No More Pre-Installed Windows XP on New Laptops/Workstations/Netbooks

Today is the 1 year anniversary of the release of Windows 7.  And it is also the first day that Microsoft is no longer allowing Windows XP to be preinstalled on any workstations/laptops/netbooks. 

For the most part, our Clients have been switching to Windows 7 when buying new workstations and laptops.  We have seen very few issues.  The phase out of Windows XP has been publicized for quite some time now, so it should be a shock to no one.  It’s time to move forward!

Wednesday, October 13, 2010

Largest Windows Update Release Ever

On Tuesday, Microsoft released its largest set of security patches ever.  Patches for 16 security-related issues were released.  10 of these patches are rated critical, 5 are rated important and 1 is less critical.  We have begun our testing process and will start releasing the updates to our Monitoring Plus Clients on Monday, October 18th.  More detailed information on these patches can be found here.

Friday, September 24, 2010

Allscripts and McKesson Post 2010 ICD-9 and HHRG Updates

Both Allscripts and McKesson have posted their 2010 ICD-9 and HHRG updates for their home care solutions.  These updates must be installed as close to 10/1/10 as possible to avoid OASIS rejection and incorrect claim submittal.  We have scheduled time to install the updates for our Clients.  More information can be found on each vendor’s Client Support Portal.

Wednesday, September 15, 2010

Microsoft Releases 9 Security Patches for September

Microsoft releases security patches on the second Tuesday of every month.  The quantity of patches varies month by month.  For September, there are 9 patches.  4 are rated Critical and 5 are rated Important.  Patches are provided for all supported Windows platforms (currently Windows XP SP3 and above).  We have started our testing process and will begin rolling the patches out to our Monitoring Plus Clients as soon as testing is completed.

More information on this month’s patches can be found here.

Tuesday, August 24, 2010

Upgrade Office 2007 to Office 2010 For Free

If you purchased Office 2007 after March 5 and before September 30, 2010, you are probably eligible to upgrade to Office 2010 at no charge.  But you only have until October 31, 2010 to request your free upgrade.  You can find the details here.

Office 2010 adds many new features, especially in Outlook.  However, there are a few menu changes that can be frustrating at first.  File formats between the 2007 and 2010 versions are the same.  We would suggest that Clients who are eligible go ahead and upgrade.

Monday, July 19, 2010

Windows XP Downgrades Going Away

Ever since Windows Vista came out, Microsoft has allowed OEMs (companies that build computers) to downgrade new computers to Windows XP if the customer wanted to.  There were compatibility concerns and just general dislike of Windows Vista, so most customers opted for this option.  When Windows 7 came out, Microsoft continued to allow OEMs to downgrade new systems to Windows XP even though Windows 7 has been much better received by businesses.  As we are an OEM ourselves, we have been able to install Windows XP for Clients that requested it.  We are, however, seeing more and more Clients move to Windows 7 with very few issues.

Microsoft has announced that OEMs may no longer downgrade new computers to Windows XP after October 22, 2010.  This means that Dell, HP, SSGI and other OEMs will not be able to provide computers with Windows XP installed.  We have been preparing our Clients for this for quite some time now.  If you have not begun testing Windows 7 in your environment, you need to start as soon as possible.  If you have Line of Business software vendors that are not yet supporting Windows 7, you need to push them to get moving.  Otherwise you will be painting yourself into a corner.

Now, for the interesting part of the news.  Even though OEMs are not allowed to downgrade new computers to Windows XP, the purchaser themselves can do it as long as the new computer is purchased with Windows 7 Professional or Ultimate.  In addition, if a company has a volume license agreement for Windows 7, they may still downgrade to Windows XP.

Now, the issue is going to be that new computers may not run Windows XP very well.  For instance, drivers will most likely not be created for new hardware functions such as wireless devices, new peripherals, etc.  So even though you might legally be able to downgrade, you may not technically be able to downgrade.  As I mentioned last week, support for Windows XP SP2 has expired.  The last Service Pack for Windows XP is SP3, and support for it, and thus Windows XP, will end in 2014.  But hardware issues are sure to start becoming problems almost immediately now.

The bottom line here is that it’s time to start migrating to Windows 7.  Clients that have started using Windows 7 have not had many issues at all.  However, the move does require doing some analysis.  We can help with that if necessary.  Realize that Windows 7 and Windows XP computers can live on the same network without problems.  Generally, we do not suggest trying to upgrade older computers to Windows 7.  Instead, Clients should start the Windows 7 migration when purchasing new computers.

It’s time to get moving on this.  If you wait too long your business operations could be affected.  Give us a call if you have any questions.

Tuesday, July 13, 2010

Microsoft Ends Support of Windows XP SP2

Microsoft is ending support of Windows XP Service Pack 2 today.  This means that Microsoft will no longer provide updates, including security updates, for this version of Windows XP.

So what do you do?  First, you can simply upgrade Windows XP to Service Pack 3.  (Make sure you complete a full backup BEFORE installing any updates.)  Second, you can upgrade to Windows 7.  Generally speaking, however, we do not suggest trying to upgrade to Windows 7 on older computers.

You can find Windows XP SP3 here. Note that it is about 320M. 

How can you tell what Service Pack your Windows XP is running?  Right click on My Computer.  Click on Properties.  You will see your version of Windows XP in the upper portion of the window.

Keeping up with security updates is very important nowadays.  If you are not running Windows XP SP3, you need to get going!

Monday, March 08, 2010

Security Issue With Microsoft Help Function

A security flaw has been discovered in the Windows Help system.  Generally, if you hit the F1 key in Windows, you will get a help screen relative to the function you hit the F1 key on.  A programming flaw can allow this function to run a script file that can do harm to the workstation.

A potential exploit to this flaw can be made by creating a rogue page on a website.  While the visitor is browsing the site, they can be requested to hit the F1 key while on the web page.  This in turn can trigger the malware.  Depending on how the malware is designed, various things can happen.

Microsoft is working on a fix to this flaw.  In the meantime, users should be warned not to hit the F1 key on any websites.  Generally speaking, it is unusual to have to hit the F1 key for any purpose on a website.  Windows 7, Vista, Server 2008 and Server 2008 R2 are not affected.

Thursday, February 25, 2010

All the Security In The World Starts With YOU

I was just reading an article that indicated that, in a recent study, 50% of user passwords are easily guessable.  Do you know what the most popular password is?  123456.  Yes, that’s 123456.

I have been working with several Clients this week helping them with PCI compliance.  Tough stuff.  Ports on firewalls, encryption, properly updated software, policies, etc., etc., etc.  And guess what, it’s all worthless!  If we can’t get users to create and use secure passwords, we can just stop all this other stuff and stop kidding ourselves.  Our business and personal data will never be secure.

I had a conversation with someone yesterday who told me he did not need a firewall at home because he is using a Mac.  He just wanted to be able to connect to the corporate network remotely.

As business owners and managers, we have not done our job educating our workforce on security-related issues.  (Not to mention educating ourselves.)  As individuals we are not taking security seriously enough.  Data is lost and business/personal identities are stolen every day.  We need to do a better job with this stuff.  The most basic building block of any security strategy is the password.  It’s certainly not the only thing, but it is the foundation.  You can have all the security devices you want in your home.  If you leave the key in the front door, you’ve wasted your time and money.

By the way, what are your passwords?  

Friday, February 12, 2010

Problem with a Windows Update

One of the Windows Updates released Tuesday is causing BSODs and making the device not bootable.  The Update is MS10-015.  I have disabled the update on our monitoring system, so Clients that get the updates from us will not be affected.  However, Clients that self-update could have problems.  So far it looks like only Windows XP is affected, and it appears that the affected machines may in fact be infected with malware that causes the problem.  Microsoft has pulled the update from Windows Update and Microsoft Update.

Sunday, February 07, 2010

Office 2010 Pricing and Requirements

Office 2010 is expected to be released by June of this year.  From everything I am reading and seeing, I believe that the June date is accurate and that it may even ship sooner.  The product looks pretty good as it is right now.

There will be 4 versions of Office 2010:

Home and Student $149.00
Home and Business $279.00
Professional $499.00
Professional Academic $99.00

These are retail prices.  There will be upgrade pricing and of course quantity discounts, as well as lower OEM pricing when Office is purchased with a new computer.

For most of our Clients, either the Home and Business or the Professional version will be what you would purchase.  Home and Business includes Word, Excel, PowerPoint, OneNote, and Outlook.  The Professional version includes all that plus Publisher and Access.

The requirements for Office 2010 are pretty much the same as for Office 2007.  The processor needs to be at least 500MHz, memory needs to be at least 256M and available disk must be at least 2.5G.  Of course, these are not what we would suggest by any means!  Our minimum configuration is 1.5GHz processor, 2G memory and 5G available disk space.

Office 2010 will be available in both 32 and 64 bit versions.  The 32 bit version will run on Windows versions back to XP SP3, while the 64 bit version requires at least Windows Vista SP1.

Office 2010 is a very nice product.  There are a lot of enhancements and I believe it is easier to use than previous versions.  I will be posting info on each of the Office 2010 modules here over the next couple of months.