Possible Opportunity for Dental Office

Velvis

What cyber security stack would you guys recommend for a dental office with 11 PCs running M365 and Eaglesoft?
I have never worked with a dentist before.

Thanks!
 
Fast running server...10 gig switch interface to server.
Fast running network
Fast workstation

Dental offices have software that....needs speed.

You want "business continuity" backup...like Datto/Axcient.

HIPAA....HIPAA HIPAA HIPAA.

M365 Business Premium for a minimum license. Stack on Entra ID P2.
Fully leverage conditional access
Get that 365 tenant security score up above 60, above 70...shoot for 80.

Fast response times needed....X-ray imaging stops working, etc. Need to get them back up and running quick.

Credit card processing....gotta keep that going. I have worked with a small dentist's office that ran Patterson Eaglesoft..many years ago. They closed; the other dental offices we manage run on Dentrix and Dexis. Sometimes their credit card service gets sleepy.

Many dental offices open early, taking appointments starting at 0700....so be ready for that.

Set them up on a professional cybersecurity training...one of those "monthly" trainings that's documented with individual employee tracking.

Pretty much their cybersecurity insurance will provide a list.
 
Thank you. Very helpful.

How does the Business Premium work with regards to a single computer with multiple users vs in a normal office where a computer is tied to a specific person/account?

Do you recommend something beyond a premium license for endpoint protection?
 
single computer with multiple users
That is an absolute fail if it's one login if audited. Every user must have their own credentials so each user's activities are tracked and logged. You can have one machine but each user must log in separately. I guess, technically, you could have each one logged in and then use switch user so each one accesses their login space.

If you are doing this you really need to make sure you have E&O which will cover this type of business.
 
I am not sure how they login, but I guess I didn't picture each hygienist specifically logging into windows as they popped in and out of the operating areas between patients. Would that be a realistic SOP?

Any recommendations for E&O coverage?
 
I guess I didn't picture each hygienist specifically logging into windows as they popped in and out of the operating areas between patients. Would that be a realistic SOP?

Strictly from observation of what goes on at my own dentist's office, no, it's not realistic. I've yet to see an instance where a machine that sits as a "dental workstation" is not used, as needed, by whichever member of the treatment team needs to pull up records to consult, or update current treatment records, without any logging in and out by that individual treatment team member. But, and it's an important but, for the most part it's customary for each practitioner to have their own dedicated space for things like dental hygienists, so they might be logged in to their own workstations. But when the dentist comes in and wants to pull something up, I've never seen him log in separately.

Where individuals each have their own device, and that's typically a tablet or laptop, then individual login, and only by the person who is "the user of that device" is very common.

It comes down to another of those "tool to task" things.
 
Travelers and The Hartford are two very well known underwriters for business policies. The Hartford did my WC and Travelers my GL.

On each user logging in? Yes I understand that these policies have to interface with the real world. Each hygienist had their own chair with a work station. The other chairs handled the rest.

So the staff's too lazy to follow procedures to protect the business? Tell the owner(s) to talk to their underwriter(s) to understand the consequences of failing an audit post incident. Most likely they'll be told they'll not be covered for anything. Insurance companies are not here to help us. They're here to generate a profit for their investors so payments not mandated by policies will not be made. That worked for the practices that I did work for years ago.
 
@Markverhyden

I'm not going to disagree with anything you've said, as that's what I'd do.

That being said, I don't know of many tiny businesses, including medical offices, that do not do "whatever's most efficient" and hope for the best when it comes to very low probability incidents. But that's a business decision, and one I don't have any direct influence upon.

I simply was reporting what I've observed, and observed more than once. And when it comes to medical practices, unless they do give each practitioner their own laptop or tablet, there's never going to be the slightest hope of constant login/logout or login/switch user scenario on shared equipment. Insurance (as in medical) and practice managers dictate "patient throughput" and it's insanely high. I was really upset when my own PCP, who held out decades longer than most, finally gave up his truly private practice and sold to Sentara. He's still my PCP, but it's clear that he does not have the wherewithal to spend as much time as he thinks as he needs with each patient, which is what he did when independent. If there is less than one-to-one computer to staff ratio, sharing is simply inevitable.
 

"shared login"...meaning..several different people logging into the same computer as the same user...is frowned upon.
HIPAA (and most other compliance standards) want to see a unique login "per user".
You can have several people log into the same computer...at different times....each with unique logins.

Bob logs in as Bob
Julie logs in as Julie
Brenda logs in as Brenda...etc.

But you should not have Bob log in as "FrontDesk"...and Julie also log in as "FrontDesk".....etc.

M365 Business Premium supports "Shared Computer Activation"...so several different people can uniquely log into the same computer...and that Office install will properly support each user's profile.

This is a fact driven by HIPAA, not opinion.
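Added example, not from any poster in this thread: a small Python check over constructed Windows Security log lines that shows why a shared "FrontDesk" login fails the per-user requirement described above. A logon to an account that is not tied to a named person cannot be attributed to anyone, and one account holding live sessions on two workstations at the same moment is the telltale sign of credential sharing. The account names, workstation names, roster and compact log format are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample Security log lines in a compact key=value form.
# EventID 4624 = successful logon, 4634 = logoff. Names are hypothetical.
SAMPLE_LOG = """\
2024-05-06T07:01:10 EventID=4624 Account=FrontDesk Workstation=RECEPTION1
2024-05-06T07:05:42 EventID=4624 Account=julie.h Workstation=OP2
2024-05-06T07:09:03 EventID=4624 Account=FrontDesk Workstation=OP3
2024-05-06T07:30:00 EventID=4634 Account=FrontDesk Workstation=RECEPTION1
2024-05-06T07:41:15 EventID=4624 Account=bob.r Workstation=OP1
2024-05-06T07:55:00 EventID=4634 Account=julie.h Workstation=OP2
2024-05-06T08:10:00 EventID=4624 Account=julie.h Workstation=OP4
"""

# Accounts that map to exactly one named person (hypothetical roster).
NAMED_USERS = {"julie.h", "bob.r", "brenda.k"}

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) Account=(\S+) Workstation=(\S+)$")

def parse_events(text):
    """Return (timestamp, event_id, account, workstation) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, acct, ws = m.groups()
            events.append((ts, int(eid), acct, ws))
    return events

def unattributable_logons(events):
    """Logons to accounts not tied to a named person: an auditor cannot say
    who was at the keyboard, which is the per-user failure described above."""
    return [e for e in events if e[1] == 4624 and e[2] not in NAMED_USERS]

def concurrent_logons(events):
    """Accounts that held live sessions on more than one workstation at the
    same time; returns {account: workstations}. Pairs 4624 with 4634."""
    active = defaultdict(set)   # account -> workstations currently logged on
    flagged = defaultdict(set)
    for _ts, eid, acct, ws in events:
        if eid == 4624:
            active[acct].add(ws)
            if len(active[acct]) > 1:
                flagged[acct] |= active[acct]
        elif eid == 4634:
            active[acct].discard(ws)
    return dict(flagged)
```

On the sample data the two FrontDesk logons are unattributable, and FrontDesk is flagged for simultaneous sessions on RECEPTION1 and OP3, while julie.h moving from OP2 to OP4 after logging off is not flagged.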
 
So how does something like business premium for security purposes work for a shared device?
The other thing I just thought about is they have an on-premises server as the doctor isn't a fan of cloud-based stuff. (Although they use M365 for email).
Is it possible to take advantage of business premium security features while using an on-prem server for the dental software?
 
Business Premium adds many services that do not care if you're hybrid joined, Azure AD registered, or Azure AD joined.

Conditional Access is a huge feature I don't want to manage any business client without.
Having the additional Defender protection for inbound spam, phish, safe links, safe attachments, anti impersonation...features I do not want any business to be without
Enforcement of MFA via conditional access...something I don't want to manage a client without
Entra P2 adds important "risk" features I'd not want to support a more risky (compliance) business...without
Intune...actually helps keep costs lower because you can "automate more". Many IT people fail to grasp that, so they're not able to educate the client on...."well, yes..this costs more, but...I do things much quicker so in the end it saves you money because there is less labor from my side". Not to mention, proof of...setting up many important security features that compliance requires (proof as in...Intune configuration profiles...and their logging..to show proof things are done).
 
Hope you have a great lawyer firstly.

Why would he need one? I can't be responsible for the business processes chosen by my clients, and particularly if they never even consulted me about them.

This is something that really needs to be understood: scope of practice and locus of decision making. If either thing is outside what we have been contractually involved in, it's out of our hands.
 
So I finally got on site and they just have a local default user for each computer and then they login into the dental software individually.

I picked up a small dental office last year that's in a similar situation. The gentleman that was doing their IT passed away. It was a pretty rough-and-tumble operation when he left. Same story - no documentation, missing passwords and usernames, no backups. It's turned into a $15K project to get everything back as it should be. They're "HIPAA unknown, but probably not" until we switch over to a new VM server we control.


Hope you have a great lawyer firstly.
When an IT is coming into an existing network, the only thing we can do is provide recommendations and quotes to help become HIPAA compliant. It's up to the practice to heed our advice.

Where IT shops get in trouble is when they claim HIPAA compliance but didn't deliver on either their IT assessment or their IT solution. So, the problem really is when 'you' as the paid IT tell the practice, "Yes, you are HIPAA compliant"... and they're not.
 
So, the problem really is when 'you' as the paid IT tell the practice, "Yes, you are HIPAA compliant"... and they're not.

Which is why I don't touch the role of HIPAA compliance officer. I wouldn't mind implementing what someone who has that expertise says must be implemented, but I'm not making any of the choices that "guarantee" compliance. And even were I to implement them, it's up to someone else to audit, afterward, to certify compliance. I will never make the definitive statement that an organization is HIPAA compliant. Not a part of my job, never will be.
 
Hope you have a great lawyer firstly.
Just meaning if the OP has not worked for any health organisations, there are lots of guidelines and protocols etc. to be aware of, and all the legalities if a breach were to occur to the organisation; a waiver so to speak, as cybersecurity firms can be breached.
 
Caution should still be heeded...for the incoming IT/MSP.
Come out of the gates documenting the "lack of compliance".....and make sure you notify the client of...steps it will take to move forward towards compliance. Keep that "notification" on file for yourself. At least get the client to agree to some form of POAM (plans of action and milestones)....to work towards compliance.

If a breach happens, EVERYONE that supports that "client"....will get hauled into court by the lawyers. Yes...the IT guy can "probably/hopefully" make a case for defense....BUT...do you really want to get sucked into the huge and expensive time sink of a lawsuit?

So start documenting what is not very secure....advise the customer of your findings and suggestions.....and keep copies of those suggestions to show that you did inform them of what should be done.
 