10 minutes ago, brwainer said: You do know that dental records are covered under HIPAA requirements and other laws pertaining to medical records, right? If this were any other small business I'd gladly offer my suggestions, but since this is medical I have to strongly suggest that you hire a consultant who has experience setting up networks that are HIPAA compliant.
Hopping in here...
I run a technology services company in my area, and we have a few clients who are small medical companies (mainly chiropractors) who are also subject to HIPAA compliance. There are not any clear-cut guidelines for HIPAA computer network compliance, but here are some of the basic "best practices" we've implemented to ensure that you will not get cited for HIPAA violations.
1) All client data MUST (MUST MUST MUST) be encrypted. I recommend a Windows 10 machine with Direct Attached Storage (Drobos are GREAT) and Windows BitLocker.
2) Share out client data from a central machine by mapping drives from other machines with credentials (DON'T share the folder to everyone).
3) NEVER store client data on mobile devices. In a best-case scenario, client data should be on a single, well-protected machine (that locks itself after 1 minute of inactivity).
4) Maintain physical security - put file servers and other network tech in a locked room (or a locked server rack bolted to the floor)
5) Limit network access. Don't leave unused network jacks live, and avoid WiFi for internal networks as much as possible
6) Public WiFi NEEDS to be on its own connection (having its own public IP). The easiest way to do this is to put the ISP's modem in bridge mode and plug in two separate routers: one for public WiFi and one for the company network.
7) All machines accessing client data need to be running a currently-supported version of Windows (no XP). Windows 10 is preferred.
8) Run a commercial grade endpoint protection suite on EVERY machine. I recommend Sophos Cloud - great security and annual cost is pretty damn low (only like $15 a machine if I remember right)
9) If a device doesn't need to be on the internal network (the network over which client data is shared), then it shouldn't be. Even if you aren't implementing public WiFi, I would have a separate network for phones, tablets, etc.
10) Do not use a NAS. EVER. NEVER EVER. Client Data should only be locally accessible, and should be shared out as mentioned above. This shared folder needs to be accessible only with credentials.
11) ALL machines need to lock automatically after a short period of inactivity. The shorter, the better (no longer than 3 minutes)
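Several of the items in the list above (encryption, credentialed shares, a supported Windows version, endpoint protection, and a short inactivity lock) are settings that can be checked on the data-holding machine rather than taken on trust. The following is an added, read-only PowerShell audit written for this thread; it is not code from the poster or from any product named above. It assumes an elevated prompt on a Windows 10 client that has the BitLocker and SmbShare modules available; the 180-second lock ceiling and the "no Everyone on shares" rule come from items 11 and 10 of the post, while the exact cmdlet output values and the Security Center check are standard Windows behaviour.

```powershell
# Added example for this thread (not the poster's or any vendor's code):
# a read-only audit of the Windows settings the best-practice list depends on.
# Assumes Windows 10 client with BitLocker and SmbShare modules, run elevated.

$MaxLockSeconds = 180   # item 11: lock after no more than 3 minutes idle

function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-VolumeEncryption {
    # Item 1: every volume should report full BitLocker encryption with protection on.
    Get-BitLockerVolume | ForEach-Object {
        $ok = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        New-Check "BitLocker $($_.MountPoint)" $ok "$($_.VolumeStatus), protection $($_.ProtectionStatus)"
    }
}

function Test-ShareAccess {
    # Items 2 and 10: data shares must not grant Allow to Everyone or Authenticated Users.
    # Administrative shares (names ending in $) are skipped; they are not the data share.
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $broad = Get-SmbShareAccess -Name $_.Name |
                 Where-Object { $_.AccountName -match 'Everyone|Authenticated Users' -and
                                $_.AccessControlType -eq 'Allow' }
        $detail = 'credentialed only'
        if ($broad) { $detail = 'open to: ' + (($broad.AccountName) -join ', ') }
        New-Check "Share $($_.Name)" (-not $broad) $detail
    }
}

function Test-InactivityLock {
    # Item 11: the "Interactive logon: Machine inactivity limit" policy is stored
    # as InactivityTimeoutSecs; zero or absent means the machine never auto-locks.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $secs = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $detail = 'no machine inactivity limit set'
    if ($secs) { $detail = "$secs seconds" }
    New-Check 'Inactivity lock' ($secs -gt 0 -and $secs -le $MaxLockSeconds) $detail
}

function Test-SupportedWindows {
    # Item 7: reject end-of-life releases; Windows 10 reports kernel version 10.0.
    $os = Get-CimInstance Win32_OperatingSystem
    New-Check 'Supported Windows' ([version]$os.Version -ge [version]'10.0') "$($os.Caption) $($os.Version)"
}

function Test-EndpointProtection {
    # Item 8: on client editions, Security Center lists every registered AV product.
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $detail = 'no AV product registered'
    if ($av) { $detail = ($av.displayName) -join ', ' }
    New-Check 'Endpoint protection' $av $detail
}

# Collect every check, print a table, and exit non-zero if anything failed so the
# script can be run on a schedule and its result picked up by monitoring.
$results = @(Test-VolumeEncryption) + @(Test-ShareAccess) + @(Test-InactivityLock) +
           @(Test-SupportedWindows) + @(Test-EndpointProtection)
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The script changes nothing; it only reads state, so it is safe to run against the machine that holds the records and to re-run after each change. Items that are about physical security, separate connections for public WiFi, and keeping data off mobile devices are not things a script on one host can confirm and still need to be checked in person.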