Customers with regulatory compliance requirements

[LAconsult]

Not sure I've got the right forum but here goes..
I'm hoping there is someone out there who has provided tech consulting to customers within industries like health, finance etc who have regulatory compliance requirements. I'd like to gain more insight into how organizations like FINRA and HHA, as well as compliance regulations like HIPAA/SOX affect how tech consultants provide their services. Specifically, in the financial realm under the FINRA umbrella what are some best practices to ensure compliance is continually being met? Do we go "all out" with a top of the line router featuring intrusion detection, encrypted network, antimalware/antivirus - or would a basic router with some security features some security features suffice?

Are there any RMM tools out there that help to achieve compliance?
Any security auditing programs that are better than others?

Thanks in advance for any advice.

 

[RichmondTech]

I am registered with FINRA so I can be an associated person working at one of my customer's office. The process itself is easy as from what I recall it was just a background check and fingerprints. I'm starting to mention my registration in order to add more financial planners to my customer mix.

As far as compliance is concerned, they have their own auditors come in and if anything needs fixing on the tech side I come in and fix it. We've had one issue in my time with this customer and it was resolved to the satisfaction of the auditor.

While I'm familiar with HIPAA, I don't have any certification or detailed knowledge on the subject. When I work with my medical customers I just make sure I don't pay any attention to patient info or make sure it can be seen by other people. Just see what your customer's auditor wants and fix any issues as they come up.

 

[Tony_Scarpelli]

18 years surving every sort of medical office, I've worked with about twelve medical offices from doctors, dentists, medical insurance providers, preferred Doctor provider networks and even a pharmacy or two. I have even worked in about 20 hospitals, recovery centers and surgery specialty shops in the Midwest on their pyxis systems that are like little atms in hospitals that dispense drugs to the nurses on each floor rather than their going to the pharmacy.

The only security training I got was not to leave the room, when the class 1 drugs were accessible because I had the machine taken apart for repair. You will not do this unless you get a contract to service these machines and then you get a background check as you have easy access to all the drugs in the hospital.

As a systems integrator, VAR, IT consultant you really have very little to do with any special requirements as far as technology goes. That plays if you are a developer and you write a program using the data. It's like working in a law office, do not leak any information, don't take any papers out of the office, don't leave the machine in your car unlocked while you are eating a pizza hut. But how you set things up is pretty much identical to any business with best practices security.

It is common sense security. If it has the ability to use a password then use them. Give each employee a different password, don't let a group of people use the same password (this is common in dentists offices). I prefer seven digits mixed upper lower case and numbers. I have never had a client call about an unsuccessful compliance audit.

You can use MS products, peer or server with passwords, I've used $50 wireless linksys routers with no problem. Their proprietary software is what holds the HIPPA information, to transfer payment information to insurance companies and social security and it always has its own security/encryption and you do not interface with it at all, so no need to worry about it. Just do the normal stuff, secure wireless connections with pass phrase. If you want to get real anal you can setup the mac address of the clients and pass phrase in the wireless router so no one can hack from outside.

Remind your clients to use passwords built into their software and to change them from time to time or when an employee leaves.

If anyone has any specific information that is in writing that adds to or contradicts my understanding, please post links so that we call can learn from it.

 

[LAconsult]

Thanks to you both for the good intel! What originally got me going on this subject in the first place was the FINRA site, specifically business continuity/disaster recovery rules they have (unable to post link due to 15 post minimum rule but if you google "FINRA Business Continuity" you're sure to find it.
I suppose this can be accomplished with some contingency planning and a good offsite backup solution that encompasses a primary server. As the majority of daily routine for the office I will potentially be working with are cloud-based, the continuity planning should not be too hard. I will probably do another post in regards to backup if I can't find any existing posts because there are soo many companies out there doing BDR now.

 

[srqtech]

I worked in the IT department for a large medical company for 5 years. I can touch on some of the questions regarding HIPAA. There is very limited specific information on what the exact requirments for HIPAA are. I have been looking into getting certified but the certifications I found seem to be sketchy (I found a Certified HIPAA security and privacy expert). The problem with it is that all the references I find on it refer back to the same training site. Now to answer a few questions about the orignal question about compliance and such. A few of the things you absolutely need to watch is if the system has PHI (Private Health Information) it has to be encrypted. If they use the company email to discuss PHI it has to be encrypted. There needs to be both onsite and offsite back up of servers holding PHI which needs to be encrypted. All log ins and attempted log ins to the network need to be tracked. Written policies need to be in place for disaster recovery or security breach to start. There are more but that is a start.

I had a call from a local medical office two weeks ago and went in to do a site survey last week. I wrote them a proposal to come in and get there IT infrastructure to where it would be compliant. The proposal came in at an estmated 53 hours labor and they would need to purchase a server to act as a domain controller. A few of the many things they need corrected follow. The network is running peer to peer. They are using Carbbonite to back up the one server but it is not backing up the SQL database. The onsite back up is not encrypted. They are using personal email for office business. I actually have a 30 point check list of things to check and what part of the code they correspond to which I would go through with them.

Now that I have looked at this medical office I realiazed that there is definately a need for an IT company to specialize in small medical offices in this area (Sarasota Florida where there are a ton of medical offices). I now have to figure out the best way to market it. I wanted to get the certifications but I am not sure they are ligit. That being said they would have valuable information and I could list it on my marketing material.

 

[FoolishTech]

If you want to get real anal you can setup the mac address of the clients and pass phrase in the wireless router so no one can hack from outside.

Agree with everything but this. I used to be anal like that. Then a friend of mine cracked my MAC address restricted wireless router in like 2 minutes... It seems the MAC addresses allowed are actually transmitted somehow. I don't pretend to know the details, it just happened, and I witnessed it. Then of course he spoofed it and that was that.

To the OP, just do what you gotta do. I've only worked in spots where HIPPA compliance was an issue, but it just meant I had to setup a VPN for them to remote desktop into their work computers. No biggie.

 

[732914TECH]

Agree with everything but this. I used to be anal like that. Then a friend of mine cracked my MAC address restricted wireless router in like 2 minutes... It seems the MAC addresses allowed are actually transmitted somehow. I don't pretend to know the details, it just happened, and I witnessed it. Then of course he spoofed it and that was that.

To the OP, just do what you gotta do. I've only worked in spots where HIPPA compliance was an issue, but it just meant I had to setup a VPN for them to remote desktop into their work computers. No biggie.

i agree, ive used a linux boot cd called backtrack that allowed me to crack a WEP password, and while using it i could see the MAC addresses of the devices in the area as well

 

[Slaters Kustum Machines]

Yeah, WEP is a joke with MAC filtering or not, especially if you have Backtrack. Always WPA2, and strong passphrase. I can crack a WEP in about 30 seconds on my test routers.