by Felicien | Oct 5, 2018 | Education
Everyone has Wi-Fi. We all expect to see it wherever we go, and most of us have more than one Wi-Fi-enabled device. Grocery stores, fast food restaurants – even your mechanic has Wi-Fi. But does that mean you REALLY need it in your school? Isn’t it less secure than wired?
To answer the first question: “Don’t be coy.” You know how backward wired-only connections look. You’re either a Luddite or unbelievably cheap trying to avoid the expense and work of building a new network. You are now out of time. The government itself says you need Wi-Fi, and in this 2017 report plainly states that a reliable, fast wireless connection is a necessity on par with other utilities such as gas, electricity, or water.
As to the second question: Well, no. Not so much anymore. With advances in encryption, Wi-Fi networks that are properly safeguarded offer security comparable to that of wired set-ups. If you still prefer to use wired internet for select devices, such as a handful of desktops and a designated copier/printer/fax machine, you can enjoy the advantages of a wireless network. Wired is a bit faster and more reliable than Wi-Fi, but this is more because of how easy it is to ensure that only a handful of users are on that hard-wired data line. Employees must literally be plugged into a wired network, so there is no issue of people overloading it by all signing on and demanding bandwidth at once.
So the advantages of wired over wireless can really be solved by properly planning out the wireless network. From there, advantage is all wireless: portability, ease-of-use, and, if you plan for it, scalability.
Why use a scalable wireless network?
Setting up a scalable wireless network means looking at the present with an eye to the future. You know that you’ll potentially have more students or employees, or even more devices per person, or more demanding apps. If you’ve built scalability into the network in the first place, you’ll easily adapt to the increased demand on your connectivity. Re-wiring not only costs money, it’s disruptive. Contractors can come out when school is not in session, but off-hour calls often cost more. To do everything more or less at once, having access points ready for later expansion allows for a nearly seamless expansion when it becomes necessary.
Adding people in will not be a matter of climbing around above the ceiling tiles, drilling holes in walls, but just a matter of entering a new user and password and updating the server. Oftentimes, it won’t even cost anything to do it.
Scalable Wi-Fi Saves Budgets In Situations Where:
Schools are growing
Private or charter schools with variable populations
Schools under construction, adding more devices as they go
Anyone in the current technological climate where new innovations increase user numbers every year
Variable income
BYOD programs
Factoring in the potential for future expansion will pay off in the long run when the entire network doesn’t require a re-design within a couple of years. By planning for scalability, using multi-purpose devices that can handle increased connectivity and streaming demands, you are ensuring that the initial investment pays off. The more manageable maintenance budget will be easier to get approved, and you can plan for a complete overhaul when it becomes truly necessary, rather than prematurely, due to an initial refusal to plan for growth.
Devices Are Everywhere
Smartphones have risen in popularity at a pace that’s nearly alarming for its potential ramifications. In fact, the amount of active mobile phone subscriptions in the US is 349.9 million – more than the total US population of 325.3 million. These consumers are using their phones for far more than phones. They’re on apps that often require data usage, which allows for less memory and storage use on their phones. Even apps that do not apparently require internet connection often do for this reason. People have grown to rely on their phones as a connection to their families, coworkers, and also as a means of keeping themselves organized, of keeping their emotional well-being up through habit-changing apps, diaries, and more.
As the mobile devices, we use speed towards true ubiquity, it will not do to simply watch as the tide rises. Plan for the eventuality of increasing connectivity needs by designing a scalable wireless network. This direction offers better services for the future, along with lower overall budgetary requirements. It removes some of the stress of growing. All school administrators understand the need to reduce stress and lower the budget.
by Felicien | Oct 5, 2018 | Education
Health information technology is more talked about than really understood. Part of the reason for this is that providers and their staffs usually interact with a restricted subset of health IT – the Electronic Health Record (EHR), the radiology imaging system, the billing system, and so forth. Only the organization’s IT staff and Chief Technology Officer (CTO) are in a position to see the big picture. Even they may not see all of it. This blog post tries to cover at least the larger components of Health IT.
What’s The Most Important Piece?
The EHR is arguably the central component. In an ideal system, all the information a provider or patient wants, from demographic information to lab results to radiological images to records of office visits should be there. Making the EHR the centerpiece is one way to avoid “siloing” of information that makes research and analysis difficult or impossible. If the EHR is complete, every other component—statistical reporting, radiology, billing, appointment scheduling, and lab results are present, and can be used to drive other systems.
This, of course, is an ideal situation. One barrier to accomplishing this is money. Putting in a new EHR system can cost a lot. Recent figures for installation are around $33,000 per full-time physician. Maintenance runs $1,500 per month per full-time physician. A hospital system with 500 physicians is looking at a minimum of around $17 million for initial installation and around $9 million for annual maintenance.
If the system is hosted in the cloud, storage, input, and “egress” fees (sending data to the providers for use from data stored in the cloud) have to be considered. Cloud hosting can run around $165 per “seat” per month, where “seat” is a computer linked to the cloud. Assuming an employment of 3,000, this will run around six million dollars per year. But cloud hosting may well be cheaper than buying and maintaining hardware and paying a large IT staff. Cloud hosting offers better security and offloading a lot of IT headaches as well.
What Are Some Other Components?
There will be radiology and lab subsystems, at least, plus billing and accounting. How tightly these are integrated into the EHR system and the cloud will vary. Analytical systems may include big data handling and artificial intelligence. Of course, if a physician is a hospital employee or a member of an affiliated group, it makes sense for their in-office IT systems to be integrated with, or be part of, the hospital IT operation.
What’s So Great About AI?
Artificial intelligence (AI) is still in its infancy. Studies have shown that AI systems are better at reading radiology imagery than human radiologists, and of course better at catching prescription errors and medication conflicts. But many legal questions, particularly about liability, remain unanswered. In addition, AI is intelligent only within a limited sphere. It will be far into the future before AI is able to display the kind of general intelligence that a human physician can bring to a patient.
What AI is good for now is dealing with well-defined tasks and helping to narrow down the “unknown unknowns” – interactions, sources of error, and opportunities for improvement that humans would never have suspected. Their principal role in the near term most likely will be relieving the “cognitive overload” that all physicians, no matter how narrow their specialty, have to deal with.
What Are Patient Portals?
Patient portals – interfaces, usually web-based, are systems that allow patients to see their lab results, talk to their providers, make appointments online, find providers, and do other things that patients would normally do over the phone. If properly designed and implemented, they can have a major impact on operational efficiency and patient satisfaction. On the other hand, a patient portal that is too complex and too clunky to be easily used can drive patients away.
What Are The Incentives For Using All This Stuff?
The Affordable Care Act (ACA) and the Health Information for Economic and Clinical Health Act (HITECH) provide billions of dollars for providers who implement EHR and other health IT systems and “meaningfully” use them. They are a de facto requirement for any provider which receives Federal funds, which is virtually all of them.
What Are The Downsides?
The biggest one, of course, is the expense. Even though it is large, it may well be cheaper than maintaining one’s own equipment and IT staff. It also permits renting out a lot of headaches. The downside is that, for HIPAA purposes, one has to devote as much attention to the vendor’s security practices as to one’s own. Also, system modifications and customizations necessarily involve the vendor’s staff and consulting services, which may be very extensive.
And, of course, there is training. This is not so much expensive as extensive. The example of one Pennsylvania health system that changed EHR systems three times in one year probably represents an extreme outlier, and training the entire staff three times in one year was no doubt a task worthy of being avoided if at all possible.
Finally, if the organization is moving from primarily paper-based systems to health IT, the organization’s culture needs to be adjusted, and the transition may be wrenching. Still, the advantages of health IT outweigh the disadvantages, and all providers should be making the switch as soon as possible.
by Felicien | Oct 5, 2018 | Education
Are you aware of a potentially serious data breach involving Facebook?
According to many top news outlets, 50 million users accounts may have been impacted and Facebook now faces potential huge fines in the EU.
Read more at https://www.theguardian.com/technology/2018/oct/03/facebook-data-breach-latest-fine-investigation.
Need steps to protect your Facebook account? Here’s an interesting article containing steps to protect your personal information and security. https://www.experian.com/blogs/ask-experian/facebook-data-breach-how-to-protect-yourself/
We are continuing to follow this news and will update more on our blog as we learn more.
by Felicien | Oct 4, 2018 | Education
When you think of cybersecurity, protecting credit card numbers or government files might come to mind, but your students’ PII (Personally Identifying Information) is a target for hackers, too.
Young people make great targets because they’re a clean slate. They’re not using their identities to get a mortgage or credit card or anything, so no one is checking up on them. They also have a tremendous amount of personal information being shared – including medical, mental health, contact information, and performance evaluations in academia and sports or the arts – and it’s being saved in various, often poorly secured, locations. And finally, but perhaps of the highest utility to hackers, children are great targets because people will do ANYTHING to protect them.
It CAN Happen Here
If you’re thinking to yourself that you live in a quiet small town with no crime, no draw for a terrorist plot, think again. Yours might be the ideal spot to stage a crime like this. Look to a small Montana school district Columbia Falls in Flathead County. Home to nearly 16,000 students, the district’s parents and administrators received text messages and a seven-page letter containing threats, repeated references to Sandy Hook, creepy quotes, and claiming that the FBI could not help anyone.
Hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur, security experts said. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” said Christopher Krebs, a senior official at the Department of Homeland Security, at a recent mayors’ conference in Boston. “You’re not special.” Source: WSJ
This came seemingly from nowhere, but as the extortionists explained, the choice was deliberate: the district had vulnerabilities that made it easy to gain access to confidential files. With all of the other concerns that educators have, it can be easy to overlook securing digital information properly. You may not even understand the threats that exist, and it’s hard to find qualified Information Technology professionals willing to stick it out for the comparatively low salaries school districts offer.
2017 Cyber Terrorism Attacks
A recent FBI briefing regarding attacks across the country at multiple school districts describes a terrifying ordeal: people all over the district awoke to find text messages informing them that their students’ information was up for ransom. Hackers had taken advantage of vulnerabilities in web-facing district servers to extract student PII (Personally Identifying Information). Victims received physical threats, were told that this information would be used for bad ends unless the district paid a ransom.
The extracted Information included:
Parent, guardian, and student phone numbers
Education plans
Homework assignments
Medical records
Counselor reports
Grades or other testing records
The hackers also demanded their ransoms in cryptocurrency, making it hard for local authorities to follow the trail (for now).
How Is PII Being Used?
PII can be used to forge false online identities, to launder money or get bad actors into the country. And once the information is out there, how do you safely get the genie back into the bottle? A child’s entire future (financial, academic) or even their physical safety is under threat if their identifying information ends up sold to bad actors. When you hold transcripts, grades, and achievements for ransom, you’re waving the flag at a future that’s quickly disappearing into the distance. Prevention is best. So where are your areas of vulnerability, and how can you shore them up?
Common Vulnerabilities
Phishing Scams
These are communications from supposedly friendly senders meant to entice you to open an email, text message, or oother messages or to click on a link. A “social engineering” hack, phishing attacks are meant to gather confidential or personal information. Make sure graphics look normal, hover over links to read their description, and check for any suspicious formatting or wording.
Phishing attacks can also come by phone. Do not give confidential information over the phone to someone who has called you first. Instead, agree to call the company back from the number that you have in your records. Don’t just click “ok” on an unexpected pop-up.
Non-school devices – your network should be configured to recognize new devices.
Educational apps that store student identifying information
Carefully read through privacy and security information from new software or EdTech websites.
Improperly shared or stored PII
Make sure everything is encrypted and password-protected.
Ignorant or non-compliant personnel – not updating software, not checking edtech vendors out, not understanding what looks or is suspicious, not reporting suspicious activities.
Below is a list of cybersecurity measures you can take:
Research privacy acts like FERPA, COPPA, and the PPRA as well as any state laws regarding privacy and educate staff and faculty so that everyone understands what is expected of educators and vendors of EdTech services.
Do a survey of teachers, librarians and IT staff to see what software is being used in the school, and what information is being collected. It might be helpful to see all in one reports on how much information is being collected, and how many different services are collecting it.
Bonus: if anything happens, you know where leaks may have come from.
If parents want more specific information about these services, you’ll be able to tell them what services or websites their child’s teachers use.
Review the privacy policies of EdTech companies that are being used in your district.
Check for vulnerabilities in your data storage procedures.
Are you updating software when you’re supposed to?
Does everyone have their own passwords to get into high-value/confidential data storage locations?
Do you have a plan for how to react to a breach?
Research school-related cyber breaches.
Back up important data.
If you have evidence your child’s data may have been compromised, or if you have experienced any of the Internet crimes described in this PSA, please file a complaint with the Internet Crime Complaint Center at www.ic3.gov.
by Felicien | Oct 4, 2018 | Education
Federal regulations are usually complex and can have unintended consequences. If you are a lawyer, they are a goldmine both for prosecutors and consultants for clients. When it comes to the Health Insurance Portability and Accountability Act (HIPAA), there are, however, just a few (relatively) simple steps you can take to avoid violations, fines, and bad publicity for your healthcare organization. HIPAA is not a paper tiger. Healthcare organizations have been fined millions of dollars for breaches and violations so far.
Download a very informative infographic here.
What Is A Violation? What Is A Breach?
For once, there’s a nice, simple distinction which does not require a legal mind to understand. The definition of a violation is:
“A failure to do what HIPAA requires to keep protected health information (PHI) secure.”
Basically, PHI is data that HIPAA requires be protected by following the steps suggested below. There are a few simple steps one can take to avoid violations. These are things that you should be doing already to protect data in general. All HIPAA does is specify them. They are:
Records must be secured. This means limiting access to the data that employees and providers need to do their jobs. Records can be secured by passwords, biometric identifiers, swipe cards, fingerprint readers, etc. PHI must be encrypted. Enough said. While you’re at it, what rationale do you have for not encrypting all data?
PHI must be encrypted against hacking and breaches. This means that if there is a breach and encrypted records are stolen, you are still liable. Encryption can be broken, and every method of securing data, except for quantum encryption, which is not generally available, has vulnerabilities.
Devices must be secured. This generally means that portable devices, such as smartphones and laptops that could be lost or stolen must be secured via encryption and passwords or have other limitations on access. The theft of a device should not enable the one who stole it (or finds it) to access PHI. If the chief of surgery leaves his or her smartphone in a cab, there must be a way to remotely erase all data on it.
Finally, employees must be trained, not only on the importance of security, but also on the organization’s specific methods of maintaining PHI.
A breach is disclosure of PHI to parties that are not authorized by HIPAA to access it. A breach has occurred if PHI is accessed by an unauthorized party, even if that data is actually stolen.
How Do I Prevent A Breach?
Train employees on why security is important and how to minimize risks.
Maintain possession and control security on mobile devices.
Enable firewalls and encryption.
Ensure that files are encrypted and stored correctly.
Move towards a paperless operation and properly dispose of paper files.
How Do I Plan Ahead?
HIPAA regulations require that a healthcare organization regularly audit its security and have a risk mitigation action plan. If you take the following steps, you will have gone a long way towards ensuring that your organization can pass audits and show that you have already taken steps toward risk mitigation:
Encrypt PHI both in storage and transmission.
Use secure access controls including strong passwords, access limited to job functions, auto timeouts, and screen locking.
Use firewalls and antivirus software on all desktops and mobile devices.
Keep track of incoming, as well as outgoing, data. Know where data comes from.
Keep your risk mitigation plan updated to deal with new threats. The “threat surface” is constantly changing.
Keep software and firmware updated. Many new attacks are aimed at hardware as well as software vulnerabilities.
Keep employee training up-to-date.
How Can My Organization Respond to Breaches?
Your organization should have a written post-breach action plan that is regularly updated. It is foolish to assume that a breach will never occur. The plan should be updated and reviewed at least annually. What is most important is transparency. HHS needs to be notified. Those whose data has been exposed have to be notified. Your legal staff should be notified. And anything resembling a cover-up should be avoided.
Concealment of a breach is a violation of the law and regulations, and can be guaranteed not to work. Breaches will eventually be exposed, and the delay in reporting them or attempts at concealment will only make the organization look worse than would otherwise be the case.
Any breach – or even detection of an attack – should be used as a lesson for future security efforts. The first task is to figure out what went wrong. Where did your security measures fail? Once that is known, you need to determine the root cause. The root cause is usually a bit of a surprise.
In one case, the organization’s own security efforts were perfect. But it used a cloud vendor whose security practices were much laxer. Data was encrypted and communications between the organization and the cloud vendor were secure and encrypted. But the cloud vendor stored decrypted data on one of its own servers that were not even protected by a password and exposed to the public internet. The lesson here is that security audits should cover both your own organization and all of your vendors.
