Secure your Network AND Empower your employees
April 18, 2010 by Matt Lager
Filed under Rock-Pond Technology Blog
Network security must balance the need to protect your network and patient data from outsiders while enabling your staff, who depend on it to perform their jobs, to do so efficiently and without obstacles. Too often companies focus only on the first objective, creating a network that frustrates and limits the very people it was established to serve. With today’s technology-reliant business models, there is simply no room for downtime or compromised information. It’s a common goal that IT professionals share and enjoy implementing. Keeping people out and locking things down challenges us, and no one likes a challenge more than a “tech-head”, including myself. However, let’s not forget that our first objective is to provide technology to our users, our customers, so they can get their job done.
Here’s a simple example of network security impeding the work of the business user who is depending on the network to get their job done. Since my days as a systems / net admin, I’ve had the joy of working closely with hundreds of information departments, helping them implement and use Rock-Pond Reports and other Rock-Pond products at their home infusion organization. This usually involves using industry standard tools like WebEx, GoToMeeting, and CrossLoop. It’s about the only way for outside vendors to work with customers to provide software support, and it is often a standard part of meetings both internal and external. So what’s one to do when these types of tools are completely blocked by an organization? It causes frustration and wasted time for both parties. Usually these tools aren’t specifically blocked, but there are strict network policies in place that prevent these types of tools from functioning.
Another example is the security and spam filters that are implemented for email systems. How many times have you sent an E-mail only to find that the recipient never received it? Or you were supposed to get a critical E-mail that never arrived? I find myself sending an E-mail with an attachment, and then immediately sending another E-mail without an attachment asking if they have received it! The average user is not sophisticated enough to manage black lists and white lists on their machine and does not have access to the lists that are blocking email at the server level. As IT professionals we must find a way to secure the email system from unwanted email while letting legitimate email and attachments through.
Finally, consider the changes that are rapidly taking place in the area of social media (Facebook, Twitter, LinkedIn, etc.) and the amount of content that is delivered through digital media that requires a user to have Flash installed and the ability to hear sounds on their computer. I worked with a company that made sure all of their users not only had sound cards but headsets so they could access training videos that helped them with their job. However, the process of putting this in place challenged many IT rules that were obstacles to getting work done in a changing workplace. If key vendors and companies you work with have effective Facebook pages, your staff should be able to access them. It was not that long ago that many companies did not want employees to have Internet access at their desk. We’ll have to find other ways to manage our employees than denying them access to key technologies that will empower them to be smarter, more efficient and more connected with others.
Now don’t get me wrong, there are reasons these things are locked up. They are abused, sometimes insecure, and are easiest to deal with by simply blocking them. The home infusion industry has to comply with HIPAA as well as their accreditors. There’s no room to have your CPR+ database leaked to the Internet, or your HomecareNet financial reports up on a WebEx screen without knowing who’s on the other side. The data stored in your SQL Server database from these systems contains private information and it is your responsibility to protect it.
So here is our challenge: make these technologies all co-exist on your network without rendering it open to attacks, viruses, information leaks, and downtime, while empowering your employees through access to the data and systems that get them the information they need and connect them with the people they need to reach to provide safe patient care. It can be done, and you’re going to get a lot of credit for it, and see results. The technology exists today to safely allow modern services to be utilized while maintaining safety through automatic alerts, logging, and monitoring. New operating systems like Microsoft Windows Server 2008 R2 are helping make it easier by introducing firewalls that are smart enough to separate good and bad traffic. Network hardware is allowing for the virtualization of your networks to segment your sensitive data from the rest of your network where more vulnerable tools are being utilized. So that’s your challenge; start with the following:
- Enlist your users to educate you on what types of tools they already use, what types of tools they want to use and cannot, and how you can help make them more productive.
- Look at the technology you already have, such as operating systems and network hardware, and determine if they have built-in security features you aren’t already using.
- Examine your internal auditing processes and determine if you can identify potential compromises more quickly.
- Research the Internet to find out what others are doing to protect their networks and users. The information is out there.
Most importantly, spend time talking with your customers (as IT people we usually refer to these people as “users” but they are really our customers) and find out if they are having trouble getting access to the systems, websites and data that they need. Often they won’t tell you, they’ll resort to inefficient alternatives and talk bad about you behind your back. If your system is hacked or experiences a security breach, it is definitely your responsibility. It is equally your responsibility to make sure your customers are able to access the data and systems they need to get their job done. How are you doing?
Understanding Remote Access
March 30, 2010 by Matt Lager
Filed under Rock-Pond Technology Blog
Never has accessing your home or work computer from anywhere in the world been as easy as it is right now. With built-in remote features in Microsoft Windows and Apple Mac OS X as well as hundreds of third-party applications, there isn’t much you have to do except actually do it. Every great technology innovation seems to come with even more risks that need to be paid attention to. The problem is that these remote access solutions are so simple to implement and use that often the security vulnerabilities they open up are overlooked.
Remote Desktop, sometimes referred to as Terminal Services, is Microsoft’s technology for allowing users to connect to a remote Windows system. Once connected to the remote system, it’s as if you were sitting in front of it. It’s obvious why this can be a problem if not done over a secure channel. This can be as easy as enabling Remote Desktop on your Windows 7 workstation, or as complex as an IT department configuring a single server to provide a virtual desktop to multiple users at the same time, with heavy security policies in place called Group Policies. Remote Desktop has never been more secure than it is today with Windows 7 and Windows Server 2008. It’s been updated to include modern security techniques such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), as well as the ability to accept only clients that connect securely. Most organizations today only allow remote desktop connections once the user is connected to a secure and encrypted virtual private network (VPN), decreasing the security vulnerability significantly.
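The settings that paragraph relies on are visible in the registry. The following PowerShell audit is an added example, not Rock-Pond’s code: it reads the Remote Desktop configuration on a Windows 7 or Windows Server 2008 R2 host and reports whether TLS and Network Level Authentication (the “secure clients only” option) are actually enforced. The registry paths and value meanings are documented Windows settings; the VPN subnet in the closing comment is a placeholder.

```powershell
# Added example (not Rock-Pond's code): read-only audit of the Remote Desktop settings
# discussed above. Run in an elevated PowerShell on the host being checked.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

# Meaning of the values (documented Windows settings):
#   fDenyTSConnections : 1 = Remote Desktop disabled, 0 = enabled
#   UserAuthentication : 1 = Network Level Authentication (NLA) required
#   SecurityLayer      : 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
#   MinEncryptionLevel : 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS
$securityLayerNames = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }
$encryptionNames    = @{ 1 = 'Low'; 2 = 'Client compatible'; 3 = 'High'; 4 = 'FIPS' }

if ($ts.fDenyTSConnections -eq 1) {
    Write-Host 'Remote Desktop is disabled on this host; nothing further to check.'
    return
}

$findings = @()
if ($rdp.UserAuthentication -ne 1) {
    $findings += 'NLA is not required: any client reaches the logon screen before authenticating.'
}
if ($rdp.SecurityLayer -lt 2) {
    $layer = $securityLayerNames[[int]$rdp.SecurityLayer]
    $findings += "Security layer is '$layer'; set it to TLS so sessions cannot fall back to legacy RDP encryption."
}
if ($rdp.MinEncryptionLevel -lt 3) {
    $level = $encryptionNames[[int]$rdp.MinEncryptionLevel]
    $findings += "Minimum encryption level is '$level'; raise it to High or FIPS."
}

Write-Host 'RDP enabled    : yes'
Write-Host ('NLA required   : ' + ($rdp.UserAuthentication -eq 1))
Write-Host ('Security layer : ' + $securityLayerNames[[int]$rdp.SecurityLayer])
Write-Host ('Min encryption : ' + $encryptionNames[[int]$rdp.MinEncryptionLevel])

if ($findings.Count -eq 0) {
    Write-Host 'No findings: TLS and NLA are enforced.'
} else {
    Write-Host "`nFindings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

# The paragraph's last point, RDP only through the VPN, is a host-firewall rule.
# Not executed here; 10.8.0.0/24 is a placeholder for your VPN client subnet:
#   netsh advfirewall firewall add rule name="RDP from VPN only" dir=in action=allow protocol=TCP localport=3389 remoteip=10.8.0.0/24
```

The same values are what the Remote Desktop Session Host Configuration console and the corresponding Group Policy settings write, so this check also tells you whether a policy you think is applied has actually reached the machine.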
You may have heard of, or even used Citrix. Citrix is similar to Remote Desktop but takes things a bit further. In addition to offering the same level of security and encryption benefits, it also allows for the “publishing” of specific applications rather than the entire desktop. This enables IT administrators to provide users with access to only the applications that they need. Many home infusion users will find that when they are using CPR+, HomecareNet, or Ascend remotely, they will connect to a Citrix server first. You may think the application is running on your PC, but it’s safely running at the office just as if you were at work!
Apple provides something called Apple Remote Desktop for Mac OS X, which allows Mac users to connect to their systems remotely. Microsoft also releases “Remote Desktop Client for Mac”, which enables Mac users to connect to Windows systems remotely. Citrix also provides a Mac OS X client that enables the same functionality. Most VPN servers also provide some way for Mac users to connect, which gives Mac users big hope for using their systems in a work environment!
Finally, there are lots of third-party remote access applications, such as CrossLoop, RealVNC, and GoToMyPc. These can be useful to quickly access other people’s systems as well as your own through secure channels facilitated by the companies themselves. These are often perfect, and inexpensive, solutions for the home user who needs to access their home computer from work or on the road.
If you’re a user, ask yourself the following questions:
- What types of things do I need to access remotely?
- Does my organization facilitate the remote access that I require?
- How can I take remote access into my own hands using third-party applications like CrossLoop, RealVNC, and GoToMyPc?
If you’re an administrator:
- How can I take advantage of the built-in capabilities I already own, such as Remote Desktop, and extend that to my users?
- What types of applications and services do users need to access?
- What types of vulnerabilities do I open up when extending applications and services to remote users?
Being productive from wherever you are is not a convenience anymore, it’s a requirement. Keeping security and safety in mind is a must for both the user and the administrator; luckily, technologies being developed every day are helping make this much easier.
Need some help? Rock-Pond works with remote systems every day, and facilitates remote access to people as well. We can help you navigate all of these options and opportunities.
File Transfer Methods – Not All The Same
March 30, 2010 by Matt Lager
Filed under Rock-Pond Technology Blog
In the middle of an already complicated computer world lies the age old requirement of being able to get files from one place to the next. It sounds simple on the surface, but with so many security and performance related issues popping up over the past few years, file transferring is more complex, and riskier than ever. Not only do you have to worry about making sure files get from here to there without picking up a virus, but you have to make sure that the only eyes that see them are those who were intended to. Now throw into the mix the fact that files today are significantly larger than ever before containing videos, pictures, presentations, and data.
The average user, especially the traveling user, argues that they are limited in what they can do, which is generally attaching files to an E-mail. This works, sometimes, but is starting to become obsolete with the massive amounts of spam & content filtering as well as file size limitations mandated by either the sending or receiving organization.
During the initial planning stages of Rock-Pond Connect, a tool developed by Rock-Pond Solutions to manage the deployment of report templates to its customers, several file transfer methods were looked at. The most significant goal of the project was to provide a way to quickly and safely transfer files while maintaining compliance with the majority of organizations’ IT guidelines. This immediately threw out our good old friend FTP. FTP stands for File Transfer Protocol and is as old as network protocols get, dating back to 1971. It’s insecure and lacks encryption as well as authentication. Most organizations’ networks don’t even let it in or out of the firewall, and it’s certainly not HIPAA compliant. SFTP was later released with a goal to build in greater security, encryption, and authentication. SFTP is in line with the popular “SSH (Secure Shell)” protocol, which is the industry standard for accessing remote Unix-like operating systems. There’s also FTPS, which is an extension to the FTP protocol that adds support for Transport Layer Security (TLS) and Secure Sockets Layer (SSL). Don’t forget that you can always throw your files on a USB stick to accomplish the same task, but now there are new risks, like losing the stick itself! Luckily, there are applications (oftentimes provided with the USB stick) that let you encrypt the data with a password in case of it being lost or stolen. The web is a popular file transfer method, also supporting TLS and SSL, but is mostly uni-directional, meaning the user is usually only pulling files to their system rather than sending them to another. Luckily, Rock-Pond’s requirement for Rock-Pond Connect was only uni-directional, from us to the client.
We ended up coming across a version control system called Subversion, a quickly growing client / server version control system that efficiently synchronizes files between two or more systems while maintaining history and backups. We compared it to our requirements, and it matched up perfectly. We weren’t in need of encryption as the files we are deploying are simply templates, not data. Even if we needed encryption, Subversion can operate over the TLS / SSL HTTPS protocol.
One of the biggest selling points for us was the fact that our customers could get files from us using an “incremental” approach, meaning they only get what’s been changed since the last time they synchronized with us. This was important to maintain a small bandwidth footprint for ourselves as well as our customers. In addition, transfers take place quickly, and can repeat often.
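As an added example (not Rock-Pond Connect’s own code), the following PowerShell session builds a throw-away local Subversion repository and walks through the publisher/client workflow just described: one full checkout on the client, then updates that carry only the files changed since the last synchronization, with the revision log as the safety net for reverting. It assumes the Subversion command-line tools (svnadmin and svn) are installed and on PATH; the repository path, template file names and commit messages are constructed for the demo.

```powershell
# Added example (not Rock-Pond's code): a minimal local Subversion repository used the
# way the post describes. Assumes svnadmin and svn are on PATH; all paths are demo values.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'svn-sync-demo'
if (Test-Path $work) { Remove-Item $work -Recurse -Force }
New-Item -ItemType Directory -Path $work | Out-Null

$repo      = Join-Path $work 'repo'
$publisher = Join-Path $work 'publisher'   # the vendor side
$client    = Join-Path $work 'client'      # the customer side

# file:/// is enough for a local demo. Across the Internet the same workflow runs over an
# https:// URL served by Apache + mod_dav_svn, so every transfer is inside TLS.
svnadmin create $repo
$repoUrl = 'file:///' + ($repo -replace '\\', '/')

# Publisher: check out the empty repository and commit the first templates.
svn checkout $repoUrl $publisher | Out-Null
Set-Content -Path (Join-Path $publisher 'ar_aging.rpt') -Value 'template v1'
Set-Content -Path (Join-Path $publisher 'census.rpt')   -Value 'template v1'
svn add (Join-Path $publisher 'ar_aging.rpt') (Join-Path $publisher 'census.rpt') | Out-Null
svn commit $publisher -m 'Initial report templates' | Out-Null

# Client: the full checkout happens exactly once.
svn checkout $repoUrl $client

# Publisher changes one template only.
Set-Content -Path (Join-Path $publisher 'ar_aging.rpt') -Value 'template v2'
svn commit $publisher -m 'Fix aging buckets' | Out-Null

# Client update: only ar_aging.rpt is transferred ("U" = updated); census.rpt is not sent again.
svn update $client

# Revision history is what lets a user revert to an earlier copy of a template.
svn log $repoUrl --limit 5
```

The `svn update` output is the visible form of the incremental approach: one “U” line per changed file and nothing for the rest, which is why the bandwidth footprint stays small even when the template set is large.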
As I work with home infusion providers around the country, one commonality that I come across is people’s desire to put files “somewhere else”, just in case. Not only that, people are often on a workstation and then traveling using a laptop. Oftentimes a home infusion provider needs to be able to effectively get files back and forth with the company providing them reimbursement services, usually containing sensitive information.
Subversion, though not a traditional file transfer protocol, has a place in each of these scenarios. For a backup solution, users can synchronize their files to a remote central repository for safe keeping with the ability to revert back to old revisions if need be. No more sudden panics because you accidentally deleted a file. For the traveling road warrior, you can synchronize your files to a central remote repository from your workstation and quickly pull them down on your laptop. When done with your laptop, synchronize your files and pull them down to your workstation. Two computers, same files. Lastly, to provide files to an outside organization, such as your home infusion reimbursement center, set up a remote repository and synchronize just the files that the reimbursement center should get. They can do the same, allowing for a seamless sharing of files over a secure channel.
While there are many options, too many to talk about in this single blog post, Subversion has met Rock-Pond’s needs well, from everyday internal use to a full customer file deployment solution. Look at your own file transfer needs and ask yourself these questions:
- Do you require encryption and fine grain authentication?
- Do you need to transfer files over the internet, and how often?
- What types of people do you need to share files with? How secure are their systems?
Establish file transfer policies and procedures and continue to audit them with today’s ever-changing technology developments. It’s easy to get your files from here to there safely and has never been so important.
Collector Reporting Quandary
January 6, 2010 by Matt Lager
Filed under CPR+ & Mediware Customers
As I’m scrambling to get myself back into full work mode on Jan 4th, I answer my phone to a billing manager who is in a state of panic because all of her HomecareNet collector reports have suddenly stopped working. This was a major show stopper as these reports define what each of the collectors are responsible for during their work day.
Needless to say, I thought it was strange that these reports would just quit on her. They had recently performed an upgrade of their HomecareNet system and they were convinced this was the problem. I contacted Healthcare-Automation to find out if any work had been done in the collector areas of the system, only to find that nothing had been changed in the version they upgraded to.
I put the issue aside for the moment so I could let my brain come up with some answers. Just as suddenly as her collector reports stopped working, the probable cause of the problem rushed to me. Effective Dates. I called her up and asked her if the ending effective date on her responsibility rules was 12/31/2009, and it was. A quick change to that date and her reports were back up and running.
So the next time something suddenly stops working, blame the system after you look at all the logical reasons it may have happened in the first place, however small the oversight may be.