
Top 5 Mistakes Chiropractors Make with Their Digital Security

In this podcast

Aaron Jones, Director of Compliance and IT at ChiroTouch, and Dr. Tami Howard, ChiroTouch Trainer, discuss five of the biggest mistakes chiropractors make when it comes to their office's digital security.


Welcome to another episode of Catch up with ChiroTouch. I'm one of your hosts, Dr. Tami Howard. In this episode, we're going to talk about the top five mistakes that chiropractic offices make with their digital security.

Joining me today is Aaron Jones. Aaron is the Director of IT here at ChiroTouch, and amongst the many responsibilities he has here, he helps to ensure the security of our internal systems, so we can provide the highest level of service to our clients. Hi, Aaron.

Thanks for joining us.

Hi, Tami. Glad to be here.

I know when you and I first met to discuss this idea of doing a podcast on digital security, we realized pretty quickly how large this topic can get, and also how scary it can sound to people at times. Small business owners have so much on their minds already, and digital security is not always at the top of that list.

Well, you're absolutely right, Tami. It is a very scary topic.

I know it is a big topic and so much to take action on. Can you dive into one of the first common mistakes that chiropractic offices make?

Sure. I think this is very common, in fact, and that is when users of any network go to set up the parameters of their network, often they'll get through the naming of the network, and that's about it. They won't look any deeper into the settings or certainly the security options.

They might set up a password, but very often there will be a wireless network that is either unsecured or protected only by a very weak password, and that is just so common that it's essentially leaving the door open to any would-be attacker to jump on the network that might also host a lot of really important critical systems and make them vulnerable to attack.

Yeah, I know oftentimes you'll go into businesses and they'll have like a guest account that's available. Is that something that is generally more secure if there is a guest network?

It can be. The concept of a guest account first allows guests inside that business to connect to the internet without having to input a password. The second consideration there is to isolate or put those users of the network into a bubble and keep them away from the sensitive resources on the business network.

So if it's set up properly, then a guest network is absolutely a safe thing to provide to visitors to the business. An important thing to turn on is wireless guest isolation. It's a pretty common feature in most routers.

And that wireless guest isolation essentially does just what I was suggesting. It puts those guest internet users in a bubble where they can't see or touch anything else on the network.

Most people, I feel like, understand that they shouldn't have unsecured wireless networks. So it's interesting to see that that's still a common mistake that people make. What is the large concern there?

Is that somebody can gain access through that to your sensitive data?

That's exactly right. You would be surprised to learn how easy it is for attackers with the sophisticated tools that are widely available now to get into essentially whatever they'd like to through your network. A lot of times even a secured wireless network will have the password to the network posted somewhere visibly within the office.

If someone is on your business network, they're able to collect things like usernames and passwords, IP addresses to sensitive systems, they can see packets of information passing back and forth, and they can in fact impersonate other users from within that network. There are just a number of dangers there, and it's really important to keep outside actors off of your business network.

Don't leave those passwords posted visibly, huh?

That's absolutely right, but also I would say in addition to keeping them secret, change them often because those passwords certainly can be given out to non-employees in the event that someone needs to jump on the network and perhaps they're a vendor partner or maybe they're a family member of an employee. You might end up spreading the password around more broadly than you intended to. So changing your business network password often is good policy and certainly keep from posting it publicly.

That's a good segue into another common mistake that we see people make, right? The weak password security or maybe not changing passwords quite as often as they should be.

There are so many things that we rely on passwords for, and password fatigue is real. With so many different passwords to remember for the different systems that you interact with on a daily basis, the most important thing to do is to think about password policies. What is it that you want to pursue in terms of password security?

Do you want to have passwords that are unique for all of your critical business systems? Meaning your password isn't Dolphin 1985 across every system that you connect to? That's certainly a great place to start.

But thinking through those different expectations and writing them down into a password policy is really the first step. Without a standard to follow, you can't expect all of the people who have access to your critical data and your critical systems to fall in line.

Well, now that you've told everyone my password, I'm going to have to go and change it.

Oops.

How did you know I love dolphins? I know that something that you've harped on quite a bit is using longer phrases or pass phrases. Can you talk a little bit about some of that for our listeners?

Absolutely. There is conventional wisdom with regards to password security. But the important thing to note is that that wisdom is always changing.

There is an organization, the National Institute of Standards and Technology, that keeps an up-to-date standard or recommendation for password strength, for just generally internet security practices. Best practices for things like passwords, for things like remembered tokens, and other things that software systems and users might employ to secure their systems and data. Those rules are always changing.

In fact, the recommendations evolve as humans adapt to this password fatigue. One of the things that we do is we end up relying on the same mechanisms. We fall back on the same patterns when we're required to change passwords very often.

We do more often reuse passwords across even very critical systems if we have to change these passwords and they have to adhere to a certain minimum strength. NIST, the National Institute of Standards and Technology, acknowledges that the best thing to do is to have different passwords across different critical systems and make them longer phrases, a pass phrase that is easy for the human to remember, but harder for an attacker to crack. Essentially, a password is harder for an attacker to crack if it is longer.

The way that a password is cracked is generally not by human hands, but by computers iterating through hundreds, thousands, millions of different possibilities. The longer your password is, the less likely it is that they will ever attain a hit on your password. By using a longer passphrase, you make it much less likely that that password will be cracked, and you can also make it somewhat memorable for the system that you're signing into.

I think this brings up something that I know you were planning on talking about today as well, but some of the human as a risk factor conversation where an employee maybe of your company is using the same password for personal items as they are for the business. Talk a little bit on that if you would.

It's so common. One of the main ways that passwords will be compromised is because a username and password combination, or even the identity of a person which may have several usernames associated with it either on the dark web or in the possession of some attacker, can be correlated to passwords they're using for much more important systems. Let's say, for example, your PayPal password gets compromised, or perhaps your password on Pinterest gets compromised.

If you're using the same password and same naming convention on a very critical business system, then essentially the other system is already compromised as well. It's just a matter of time before that combination is tried. The most important thing to remember is that every business system should be treated as unique.

You're not protected if you have one strong password that's used with one logon across all really critical business systems. Certainly, I would strongly advise against using the same password in your personal accounts as you do in your business accounts.

Don't change my password to iLoveDolphin1985 and use that across all accounts.

Just make sure you change the e's to threes in Dolphins Forever!

A lot of chiropractic offices don't tend to run their own email systems. They'll rely on something like a Gmail account or Hotmail account. Talk a little bit about unmanaged email systems and what we should be looking for as the best practice there.

It's very easy, especially for small businesses, to rely on email addresses that can be obtained for free with very little effort through public email systems like Gmail and Hotmail. The problem largely comes in because there's no administrative control of those email systems. You can't enforce the password policy that you just wrote.

You have no ability to deactivate or forward or control a personal email address that your staff member who just left disgruntled might have used. Because of that, I would recommend looking at one of three options for upgrading the way you do email. One of the easiest ways to upgrade from a public email system is to look at a business email system through the same provider.

So, let's say your staff is comfortable with Gmail. Buying into a G Suite account, or essentially a business-level Google account, will allow an administrator to provision and control email addresses. Those email addresses can have password policies enforced that will match top to bottom throughout the organization, and user accounts can be enabled or disabled based on the status of the user.

There is another level that can be attained by managing your own private email system. That can take the form of a hosted email service or a self-hosted email server. Those last two options are certainly more complex than a G Suite or Office 365 business account, but all three of these options allow far greater control over the email users and the routing of the email and all things having to do with the security of that email account.

A lot of times, that's something that's not necessarily considered when creating these Gmail accounts and things like that, that you're going to lose control over that if the staff leaves. That's a really important business consideration for offices. Thanks for talking about that.

The next point that I wanted to talk about, and I know it's one of your favorites because you have control over this within ChiroTouch is some of the staff training around security principles. For our listeners on the phone that aren't aware, Aaron helps to keep us on our toes here at ChiroTouch around security principles. One of the things that he does for us is yearly staff training on this topic.

Talk a little bit about some of the reasons that you've picked up the staff training piece for ChiroTouch, and what the major areas are that you feel should be focused on.

Definitely. In addition to being Director of IT, I also wear the hat of Compliance Officer for our organization, and you're right that one of the most important facets of IT security is the human element. The people who are actually pulling the levers, pushing the buttons and managing the sensitive data and systems that are so critical to your business are the ones on the front line.

They're the ones that are at most risk of making a mistake or being attacked. When I say being attacked, I mean that quite literally. Phishing attacks through e-mail and other means are very common, and they're meant to trick users.

One of the most important things to do is to make sure that the users inside your organization know that these attacks are coming. They know what they look like. They can characterize them and predict what they're going to look like and feel like.

But also to continually remind and build up a culture of security awareness within your organization. If every single person on your team is vigilant and aware and defending the organization against IT attacks and other threats, then it's very likely that you'll have great success. But if even one person in your organization is much more lax than the others, then you've got a weak link in the chain.

Not only is it really important to acknowledge that humans are probably your biggest risk factor, but also you should be conducting regular training. Training on not only HIPAA and the protection and classification of protected health information, but also just IT risks and IT security in general. Doing that training at the point of bringing on a new hire and also just annually is great.

But what we find to be as powerful is regular unexpected security reminders that can snap people back into awareness of a particular threat that they might have grown a little bit more relaxed against.

The phishing attempts now seem to be much more complex than before. They're becoming much more sophisticated in their attempts now with some of those phishing emails and things that will go out. Having that regular reminder to be on your toes, it's really good.

It helps me at least, I know. What happens if all else fails? Something fails in our attempts and we have a disaster, whether that's a natural disaster or some type of a technology disaster.

What are the important systems that we should have in place for that?

There are a number of different ways to approach this topic. The idea of disaster recovery often revolves solely around, where is the backup of my data? How do I get my data restored after XYZ might occur?

But very little time is often spent on understanding the steps between the failure and the recovery. That's really where all the meat of this discussion is. Disaster recovery and contingency planning is multifaceted because there are many different types of systems and many different levels of criticality of data that you have to contend with.

Not everything that you had before a crash, a flood, a tornado is critical to have back on the other side of it. That may be an ideal state, but understanding what the most critical things are can often lead to you protecting at a much higher level those things which are more critical. So that's an important first step, really documenting what you have, whether it's data, whether it is a piece of software or some specific configuration that you need to recreate, and then making sure that you have a plan for putting that back in order from most critical to least critical.

The second thing that I think is important after you've documented what you have and what you want to get back, is to think through different scenarios that might realistically happen. If you are somewhere where it is completely impossible for floods to occur, you don't need to have a flood contingency plan. But thinking through all of the realistic scenarios, however unlikely they might be, and then ranking those again by likelihood, by risk.

So we want to look at the impact versus the likelihood, and wherever we see a peak in the cross-section of those two things, that's a risk to you. So you want to have a contingency plan for everything that might be likely to happen, and certainly this could be computer failure, it could be cyber attack, it could be theft, it could be a natural disaster. Each one of these things puts you in a different position with regards to recovery.

And if you go through and make a plan for each one of them, it can often lead to a much better outcome when one of those things might occur.

It might be beneficial for our listeners to have somewhere to seek out information beyond this podcast. So with that said, are there any specific resources that you would find helpful to point our listeners to for continuing their education on this topic?

There are a ton of resources available online for both IT security and specifically health care IT security. The first thing that I would recommend that listeners do is head to chirotouch.com. We have a resources section at chirotouch.com/resources, which has several security ebooks.

You can just search security ebook there, and those are a good place to start. But also there's a wealth of information available at healthit.gov. That information is far reaching.

It certainly is not specific to chiropractic, but it does answer a number of the questions that you might have as follow-ons from the topics today.

Excellent. Well, thank you so much for joining us today and giving us all of this wonderful information on how to protect offices. And thank you all for catching up with ChiroTouch.

Make sure to tune in every week on Spotify, iTunes, or chirotouch.com/podcast to listen to our latest episodes.
