Category: Blog

8 Steps to Mobile Device Security for Senior Care Environments

Posted on by CT Team

National Cybersecurity Awareness Month, observed each October, promotes heightened awareness of the importance of computer security issues. This year’s theme is “Own IT. Secure IT. Protect IT.”

The first — Own  IT — refers to taking responsibility for security. While much of the focus of the messaging is on individual security, there are some timely reminders for business environments as well. This is especially true for our FIT Solutions customers who use mobile tablets to access EHR and other clinical systems.

Your internal network contains protected health information, and for HIPAA compliance, you must be absolutely sure that any connected devices are secure. Here are the best practices we recommend:

  1.  Secure Your Wi-Fi.
    This is vital for LTPAC environments. Offering Wi-Fi to patients and their guests is a standard business practice, and is essentially an expectation.  Keep the guest Wi-Fi on a network that is separate from the clinical network, and establish a firm policy to prohibit your staff from sharing the clinical network password with patients or guests. Business-class Wi-Fi access points allow you to set up separate networks and prevent cross-traffic between them. If your staff brings their own smartphones to work, only allow them to access the guest network. You might offer them a third and separate network that allows some access, but still prevents their devices from accessing clinical data. Given the possibility of an unsecured device leading to a breach of patient data, you simply must allow only devices that you can directly control and secure to access medical records.
  2. Require Endpoint Security Software.
    Any device that connects to your network is an endpoint with access to your network’s data. PCs are no longer the only vulnerable point; Android devices are especially susceptible, and criminals are increasingly targeting tablets running iOS. Make anti-malware software part of the standard configuration, and set it to trigger regular updates.
  3. Fortify Your Logins. 
    A tablet or other device that has access to medical data must be locked with a passphrase to prevent unauthorized use by visitors who might pick it up. In addition to a strong password policy, the best practice is to enable multi-factor authentication for any access to the clinical network. These measures protect you against unauthorized use of the device as well as against criminals guessing passwords or using stolen credentials to gain access. In addition, hide the SSID so you’re not broadcasting the name of the clinical network.
  4. Mandate VPN Use.
    Mobile devices can be susceptible to eavesdropping. Take advantage of the strong encryption offered by a VPN by implementing a VPN for access to the clinical network if the device needs to leave the secure network. Look for one that also supports multi-factor authentication to protect the VPN logins.
  5. Protect Against Malicious Apps.
    One of the biggest mobile-device risks is applications that pose as something useful or fun, but are actually designed to steal data. Establish policies that limit or block the use of third-party software on your clinical devices.
  6. Develop and Require a Secure Configuration.
    Establish a standard, secure configuration for devices that connect to the clinical network.  This includes requiring a lock code or password for access, preventing access of other wireless networks, and either hiding the device from Bluetooth discovery or, better still, disabling Bluetooth altogether.
  7. Enable Remote Lock and Wipe.
    Be sure you are able to remotely lock the device to prevent its use if it is ever lost or stolen. Ideally, the devices don’t store any data at all and are only used to access or update the patient records. But if they do hold any data, or as an extra measure of protection, ensure you can wipe the data from the device as well. If the device is found, you can simply re-image it from a backup.
  8. Conduct Mobile Security Audits.
    Hire an outside firm to annually audit your mobile security and perform penetration testing. Testing using the same mobile devices that you use in your environment will uncover potential issues before a criminal discovers them.

We encourage you to use National Cybersecurity Awareness Month to take a serious look at your security and address any shortcomings. If you would like assistance implementing these measures or an evaluation of your HIPAA compliance posture, FIT Solutions is here to help. Call us today at 888-339-5694.

Windows 7 End-of-Life (EOL): How to Maintain HIPAA Compliance

Posted on by CT Team

You may soon be facing a HIPAA compliance headache on the workstations in your healthcare facility. Microsoft support for Windows 7 and Windows Server 2008 ends on January 14, 2020. 

No more security patches will be issued after that date. This puts those operating systems at odds with the HIPAA administrative safeguards, which include the specification for “protection from malicious software,” specifically “procedures for guarding against, detecting, and reporting malicious software.”

The end of support means that workstations running those operating systems will be unpatched against new exploits, leaving them highly vulnerable, and therefore, out of HIPAA compliance.

If you are still running those older operating systems, you’re not alone. Many companies still have Windows 2008 servers and Windows 7 workstations in their environments. While these operating systems are ten years old and newer systems are certainly better, organizations keep using them. They are very stable and continue to do their jobs well. But the longer you hang onto them, the greater the risk to your organization.

First, let’s talk about the risks, and then how to alleviate them without having to purchase all-new systems at once.

Lessons from Past Compliance Audits

After a data breach occurs, history shows that regulators conduct a thorough audit of the affected organization’s entire environment. They look at everything. Although the breach was caused by an employee walking out with a thumb drive that was lost or stolen, every other instance of non-compliance that the auditors uncover is subject to a fine, even if it had nothing to do with the breach. Organizations that have been found using Windows products that were past their end-of-life — such as Windows XP — have been fined for that in the past. Undoubtedly, Windows 7 and Server 2008 will be no exception.

Considering the Alternatives

Under the language of the HIPAA rule, specifications are listed as either required or addressable. “Protection from malicious software” is an addressable specification. That gives organizations a bit of wiggle room. Complying with an addressable specification involves evaluating the risk, considering the measures to mitigate it, coming up with a reasonable alternative that is equivalent, and documenting it. (That’s the short version; here’s the official source on how to meet an addressable specification.)

Let’s say you find it impossible or at least extremely cost-prohibitive to replace all of your out-of-compliance operating systems by January 14. You could address the HIPAA specification by updating a set number of systems every month between now and the end of 2020, until all have been updated. In the meantime, you implement an Endpoint Detection and Response (EDR) monitoring system to keep an eye on the unpatchable systems, as well as use encryption on the systems that hold personal health information (PHI).

Hopefully, you have already performed this sort of analysis across all of the HIPAA specifications as part of your overall compliance effort. HIPAA requires you to perform a risk analysis, have a risk management plan, and document them both. Those are the first documents an examiner will want to see.

At FIT Solutions, we can advise you on all of the aspects of IT that impact your ability to comply with HIPAA. That includes helping you with your risk management and risk assessment plans and documentation, as well as assisting with your Windows 7 and Windows Server 2008 end-of-life planning.

Call us today at 888-339-5694.

Business Continuity for Senior Care: How an SD-WAN Protects Your Patients

Posted on by CT Team

Your nursing home or skilled nursing facility likely relies heavily on your Internet connection for delivering patient care.

If your electronic health record (EHR) or electronic medical record (EMR) system is hosted in the cloud, staff access to patient treatment plans, physician orders, medication dosages and other critical information depends on a reliable Internet link. Plus, if you rely on voice-over-IP for your telephone systems, that’s another system that is absolutely critical for patient care. It’s needed for making 911 calls, timely communication with physicians, receiving urgently needed lab results, and the many, many other types of medical information that are routinely handled by phone. What happens if your primary Internet connection fails?

Regulatory Considerations

Regulators are keenly aware of the importance of communication. That’s why Internet uptime is woven into the fabric of healthcare regulations that deal with business continuity and disaster recovery, specific to senior care, at the state and federal levels.

Addressing those requirements is vital for protecting your patients and your organization. Fortunately, there’s a relatively new technology that’s ideal for managing redundant Internet links and providing intelligent failover. SD-WAN stands for Software-Defined Wide Area Network. It’s a mouthful that boils down to a simple idea: using software instructions to intelligently choose between multiple wide area network connections (that is, multiple Internet connections) when sending or receiving data traffic.

Out with the Old — In with the New

Here’s why an SD-WAN is better than the old approach to providing redundant failover. The old method for a backup Internet connection was to maintain one connection as the primary and designate another as secondary. This was an all-or-nothing proposition: The secondary sat idle until needed. The setup required regular testing to verify the secondary was still functional.

An SD-WAN allows both connections to serve as the primary. The software intelligently chooses between the two connections based on various factors, such as the type of traffic (voice or different types of data) and the capability and quality of the connection (available bandwidth, latency and similar parameters). Two or more connections can be actively used, and when one link goes down, the traffic passes to the other automatically and immediately. Here’s how well it works: If you initiate a voice-over-IP call, and then unplug the connection, the SD-WAN switches to the other connection with little or no hint of an interruption in the conversation.

Rather than the secondary connection sitting idle, it can be put to use and effectively increase the available bandwidth. The pooled bandwidth and redundancy make it possible to choose less expensive connections, such as combining a cable and DSL connection rather than more-expensive fiber circuits. If you procure the two connections from different providers, then you’re protected if either provider experiences an outage. The SD-WAN will ensure that access to critical systems will remain.

Modern SD-WAN implementations can be configured without entering traditional network parameters such as IP addresses or port numbers. This makes an SD-WAN especially attractive to organizations that have multiple sites, as is often the case in senior care. SD-WAN technology masks the complexities of maintaining redundant connections and switching them across multiple sites. It just works, which is what we all want from our technology.

At FIT Solutions, we work as advisors to our senior-care clients on multiple aspects of IT. Assistance with the technology aspects of your backup, disaster recovery and emergency preparedness plans is a key part of the offering. We know the legal and regulatory requirements you face, and can provide recommendations on administrative practices, technological implementation and support, or active management of your systems. We can help you determine whether SD-WAN technology — and which of the available options — is right for you. Call us today at 888-339-5694.

Public Wi-Fi Security for Senior Care: 4 Tips for Keeping Patient Data Safe

Posted on by CT Team

As the baby boom generation enters the Senior Care market, skilled nursing, assisted living and other facilities that serve to the senior population face a new challenge.

They have to meet the technology-access expectations of tech-savvy patients and their families. Wi-Fi access is now an essential part of the service mix for residents and visitors.

Since these are healthcare facilities, though, HIPAA compliance and patient-safety issues are even more paramount. Roaming caregivers require their own Wi-Fi access to electronic health record (EHR) or electronic medical record (EMR) systems. Monitoring, alerting and other systems that directly support care delivery might also connect via Wi-Fi. Unsecured guest and resident devices connecting to the same network as medically critical devices present a huge risk.

Here are four tips for safely making Wi-Fi available for senior patients and residents, visitors and guests while preventing compromises and addressing the compliance issues.

1.  Use business-class Wi-Fi technology to segregate the networks. Business-class technology allows you to use separate Wi-Fi SSIDs to isolate networks. At minimum, create one for resident/guess access and one for caregivers/staff. Put the guest network in a DMZ or otherwise isolate its internet access and block access to the staff network. (Business-class technology is a must in a senior-care facility for reasons other than security. It generally delivers more-robust coverage than consumer-grade devices, including support for multiple access points.)

2.  Enforce policies to keep the staff passphrase secure. Staff might be tempted to share their password with guests and residents, especially if the resident Wi-Fi enforces bandwidth throttling that limits data consumption. Discourage passkey-sharing by requiring a longer and more-complex passphrase for the staff network, while making the guest passkey shorter and easier to remember and enter. The best practice is to enact a written policy that prohibits sharing the staff passkey with residents or guests, or connecting their devices to the staff network.

3.  Hide the Wi-Fi SSID for the staff network. By not broadcasting the SSID, it won’t show as a connection option. Moreover, if you don’t share the SSID with the staff, they won’t be able to connect any device on their own. This means IT personnel may need to occasionally help with getting equipment connected, but this is often easier than having to change the passkeys on all the devices later because residents are found to be connecting to the staff network.

4.  Add an extra layer of sign-on security. Consider one or both of these options. MAC address filtering allows pre-authorized devices — and only those devices — to connect to the staff network. It can be difficult to administer, however. A much more effective and seamless approach is to use a single sign-on solution (such as Okta or Onelogin) that allows access only when a user enters their staff email address and password.

Of course, there’s more to compliance with HIPAA, HITECH and other regulations than just securing Wi-Fi access, but the tips above deal effectively with one of the biggest vulnerabilities that senior care facilities face.

If you would like to know more about security in a senior care setting, we’re here to help. You can learn more about FIT Solutions managed IT services for healthcare by calling us at (888) 339-5694.

Get in touch.

Fill out the form and our team will get
back to you as soon as we can!


  • 888-339-5694
  • 2635 Camino Del Rio South, Suite 306
    San Diego, CA 92108