Possible Opportunity for Dental Office

Velvis

What cyber security stack would you guys recommend for a dental office with 11 PCs running M365 and Eaglesoft?
I have never worked with a dentist before.

Thanks!
 
Fast running server...10 gig switch interface to server.
Fast running network
Fast workstation

Dental offices have software that....needs speed.

You want "business continuity" backup...like Datto/Axcient.

HIPAA....HIPAA HIPAA HIPAA.

M365 Business Premium for a minimum license. Stack on Entra ID P2.
Fully leverage conditional access
Get that 365 tenant security score up above 60, above 70...shoot for 80.

Fast response times needed....xray imaging stops working, etc. Need to get them back up and running quick.

Credit card processing....gotta keep that going. I have worked with a small dentist office that ran Patterson Eaglesoft..many years ago. They closed; the other dental offices we manage run on Dentrix and Dexis. Sometimes their credit card service gets sleepy.

Many dental offices open early, taking appointments starting at 0700....so be ready for that.

Set them up on a professional cybersecurity training...one of those "monthly" trainings that's documented with individual employee tracking.

Pretty much their cybersecurity insurance will provide a list.
 
Thank you. Very helpful.

How does the Business Premium work with regards to a single computer with multiple users vs in a normal office where a computer is tied to a specific person/account?

Do you recommend something beyond a premium license for endpoint protection?
 
single computer with multiple users
That is an absolute fail if it's one login if audited. Every user must have their own credentials so each user's activities are tracked and logged. You can have one machine but each user must log in separately. I guess, technically, you could have each one logged in and then use switch user so each one accesses their login space.

If you are doing this you really need to make sure you have E&O which will cover this type of business.
 
I am not sure how they log in, but I guess I didn't picture each hygienist specifically logging into Windows as they popped in and out of the operating areas between patients. Would that be a realistic SOP?

Any recommendations for E&O coverage?
 
I guess I didn't picture each hygienist specifically logging into windows as they popped in and out of the operating areas between patients. Would that be a realistic SOP?

Strictly from observation of what goes on at my own dentist's office, no, it's not realistic. I've yet to see an instance where a machine that sits as a "dental workstation" is not used, as needed, by whichever member of the treatment team needs to pull up records to consult, or update current treatment records, without any logging in and out by that individual treatment team member. But, and it's an important but, for the most part it's customary for each practitioner to have their own dedicated space for things like dental hygienists, so they might be logged in to their own workstations. But when the dentist comes in and wants to pull something up, I've never seen him log in separately.

Where individuals each have their own device, and that's typically a tablet or laptop, then individual login, and only by the person who is "the user of that device" is very common.

It comes down to another of those "tool to task" things.
 
Travelers and The Hartford are two very well known underwriters for business policies. The Hartford did my WC and Travelers my GL.

On each user logging in? Yes I understand that these policies have to interface with the real world. Each hygienist had their own chair with a work station. The other chairs handled the rest.

So the staff's too lazy to follow procedures to protect the business? Tell the owner(s) to talk to their underwriter(s) to understand the consequences of failing an audit post incident. Most likely they'll be told they'll not be covered for anything. Insurance companies are not here to help us. They're here to generate a profit for their investors so payments not mandated by policies will not be made. That worked for the practices that I did work for years ago.
 
@Markverhyden

I'm not going to disagree with anything you've said, as that's what I'd do.

That being said, I don't know of many tiny businesses, including medical offices, that do not do "whatever's most efficient" and hope for the best when it comes to very low probability incidents. But that's a business decision, and one I don't have any direct influence upon.

I simply was reporting what I've observed, and observed more than once. And when it comes to medical practices, unless they do give each practitioner their own laptop or tablet, there's never going to be the slightest hope of constant login/logout or login/switch user scenario on shared equipment. Insurance (as in medical) and practice managers dictate "patient throughput" and it's insanely high. I was really upset when my own PCP, who held out decades longer than most, finally gave up his truly private practice and sold to Sentara. He's still my PCP, but it's clear that he does not have the wherewithal to spend as much time as he thinks he needs with each patient, which is what he did when independent. If there is less than one-to-one computer to staff ratio, sharing is simply inevitable.
 

"shared login"...meaning..several different people logging into the same computer as the same user...is frowned upon.
HIPAA (and most other compliance standards) want to see a unique login "per user".
You can have several people log into the same computer...at different times....each with unique logins.

Bob logs in as Bob
Julie logs in as Julie
Brenda logs in as Brenda...etc.

But you should not have Bob log in as "FrontDesk"...and Julie also log in as "FrontDesk".....etc.

M365 Business Premium supports "Shared Computer Activation"...so several different people can uniquely log into the same computer...and that Office install will properly support each user's profile.

This is a fact driven by HIPAA, not opinion.
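One way to check whether the unique-login rule described above is actually being followed, as an added example that is not part of the original posts: pair Windows Security logon (4624) and logoff (4634) events and flag any account with overlapping interactive sessions on different PCs. The CSV column names, host names and account names are constructed for the illustration; only the event IDs and logon types are standard Windows values.

```python
import csv
import io
from datetime import datetime
from itertools import combinations

# Constructed sample, shaped like a CSV export of Windows Security events:
# 4624 = logon, 4634 = logoff; logon type 2 = interactive, 11 = cached interactive.
SAMPLE_EVENTS = """time,host,event_id,logon_type,account,logon_id
2025-01-06T07:02:00,OP1-PC,4624,2,julie,0x1a2b
2025-01-06T07:05:00,FRONT-PC,4624,2,FrontDesk,0x2c3d
2025-01-06T07:40:00,OP2-PC,4624,11,FrontDesk,0x3e4f
2025-01-06T08:10:00,OP2-PC,4634,11,FrontDesk,0x3e4f
2025-01-06T11:55:00,OP1-PC,4634,2,julie,0x1a2b
2025-01-06T12:10:00,OP3-PC,4624,2,julie,0x4a5b
2025-01-06T16:30:00,OP3-PC,4634,2,julie,0x4a5b
2025-01-06T17:00:00,FRONT-PC,4634,2,FrontDesk,0x2c3d
"""

INTERACTIVE = {"2", "11"}  # console logons only; service/network logons are ignored


def build_sessions(csv_text):
    """Pair each interactive 4624 with its 4634 by (host, logon_id)."""
    open_logons, sessions = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["logon_id"])
        when = datetime.fromisoformat(row["time"])
        if row["event_id"] == "4624" and row["logon_type"] in INTERACTIVE:
            open_logons[key] = (row["account"].lower(), when)
        elif row["event_id"] == "4634" and key in open_logons:
            account, start = open_logons.pop(key)
            sessions.append((account, row["host"], start, when))
    return sessions  # logons with no matching logoff in the export are skipped


def concurrent_use(sessions):
    """Accounts with overlapping interactive sessions on different hosts."""
    flagged = {}
    for a, b in combinations(sorted(sessions, key=lambda s: s[2]), 2):
        same_account, other_host = a[0] == b[0], a[1] != b[1]
        if same_account and other_host and b[2] < a[3]:  # b starts before a ends
            flagged.setdefault(a[0], set()).update({a[1], b[1]})
    return flagged


if __name__ == "__main__":
    for account, hosts in concurrent_use(build_sessions(SAMPLE_EVENTS)).items():
        print(f"{account}: signed in at the same time on {sorted(hosts)}")
```

This only catches an account in use on two PCs at once; a shared login that stays on a single workstation all day looks like one normal session in the logs and has to be found by asking who actually sits there.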
 
So how does something like business premium for security purposes work for a shared device?
The other thing I just thought about is they have an on-premises server as the doctor isn't a fan of cloud-based stuff. (Although they use M365 for email).
Is it possible to take advantage of business premium security features while using an on-prem server for the dental software?
 
Business Premium adds many services that do not care if you're hybrid joined, Azure AD registered, or Azure AD joined.

Conditional Access is a huge feature I don't want to manage any business client without.
Having the additional Defender protection for inbound spam, phish, safe links, safe attachments, anti impersonation...features I do not want any business to be without
Enforcement of MFA via conditional access...something I don't want to manage a client without
Entra P2 adds important "risk" features I'd not want to support a more risky (compliance) business...without
Intune...actually helps keep costs lower because you can "automate more". Many IT people fail to grasp that, so they're not able to educate the client on...."well, yes..this costs more, but...I do things much quicker so in the end it saves you money because there is less labor from my side". Not to mention, proof of...setting up many important security features that compliance requires (proof as in...Intune configuration profiles...and their logging..to show proof things are done).
 