Oprah says, "and you get a violation, and YOU get a violation, and YoU get a ViOlation!"

thecomputerguy

Holy mother of god, what a consult I had yesterday.

I can't take more clients on but I felt bad so I went since it was a referral.

Situation:

Young couple, both in dental, wife does Ortho, husband does General Dentistry. Husband's business was a purchase, Wife's was a fresh build-out. Husband's business has a 30+ year history, Wife's is <5 years.

Office:

The office is 2, or 3 offices, with knocked down walls making it one BIG office but there is a carpet separation that divides the two offices making two respective businesses totaling about 25 computers.

Key notes from the consult:

1.) The two offices share the same internet connection. (HIPAA VIOLATION TRIGGER)
2.) Their modem/router/firewall is what was provided by the ISP. (HIPAA VIOLATION TRIGGER)
3.) They share WiFi and Wired where available. (HIPAA VIOLATION TRIGGER)
4.) ALL workstations are home built custom computers, TPM not available so no W11 (HIPAA VIOLATION TRIGGER)
5.) Server is a home built system with two spinners in a Windows SOFTWARE RAID1 running Server 2019.
6.) Wifi for both offices is running off a single Unifi Amplifi + Amplifi range extender (HIPAA VIOLATION TRIGGER)
7.) Wife's office operates entirely off WiFi. Cabling was not run for her build out and her entire office runs off an Amplifi Range Extender
- Wife complains of poor connectivity, NO DUH.
8.) Both offices utilize a single email address through Google Apps that is shared across all employees aka info@ (HIPAA VIOLATION TRIGGER)
9.) No MFA on Gsuite Email (HIPAA VIOLATION TRIGGER)
10.) Patient data is being sent to referrals or patients in plain text, no encrypted services, no sharefile. (HIPAA VIOLATION TRIGGER)
11.) Faxes are being sent through old school fax machines (HIPAA VIOLATION TRIGGER)
12.) Mix of VOIP phones for Wife and Copper phones for husband.
13.) Backups on the server consist of the office manager plugging an external in and hoping it does what it does
14.) No cloud backup
15.) No devices are entra joined, everything is in workgroup with full admin priv's, no domain, Workgroup.
16.) Computers are all custom built and not capable of moving to 11.
17.) Current computer bro was inherited and is only break/fix

HOW DO I EVEN QUOTE THIS MONSTROSITY

I honestly feel like I should come in ridiculously high hoping they just don't accept the quote and move on. Someone is going to have to straighten them out and I'm not sure if I'm the guy for the job. They honestly need a full gutting and I'm not sure if I'm even up to it.

Call it 25 computers, a server, a new network, cabling, new wifi, new networking equipment and what? $60k?

I told them I will not work under a break/fix model and they seem to be aware of how F'd they are they just aren't sure how to move. They could be the perfect client and I could rebuild them from the ground up but I just don't know if I even have that in me anymore.

$60k credit balance that I can draw from and $2k a month?
 
I'll agree it's a mess. I don't agree with many of your HIPAA VIOLATION TRIGGER statements.

One of the reasons that a very great many medical practices still insist on FAX (and they do) is because it is HIPAA compliant. You also don't need to be on Windows 11 to be HIPAA compliant. HIPAA predates Windows 8.

Also, HIPAA doesn't concern itself with wired versus WiFi, but it does with encrypted versus non-encrypted for WiFi in particular. Most medical practices I know of use as much or more WiFi as ethernet, and so long as they have a dedicated WiFi network that has an "adequate" password such that traffic is encrypted in transit, that's enough.

HIPAA compliance is difficult enough without making it more difficult than it need be. HIPAA started in 1996 and the last changes were in 2013. Windows 8.1 (and the technologies that went with it) were "the latest and greatest" when the most recent HIPAA requirements took effect, and Windows 7 still predominated at that time and well past the intro date of Windows 10 in 2015.
 

Yeah but if you take this responsibility on, as a professional, it absolutely HAS to be dialed up. If you come in claiming violations you can't half-ass it.

Yes, we're sending patient data, and everyone from the doctor to the janitor has the password to our email.

I get your wired or WiFi comment but these are two different businesses sharing the SAME network with SEPARATE clients that have nothing to do with one another aside from a referral. This network is public and unisolated, and is the same network their patients connect to for in-office WiFi.
 
HIPAA has never been about a specific technology per se. A huge part of it is being able to reliably document what has and is happening as well as have a go to person who is in charge. And just like PCI there can be potential issues which become non-issues when proper compensating procedures have been implemented. All that security stuff has to be turned on and managed.

I can tell you a major problem is not being on AD with tight monitoring. You not only have to track who is using what, when and where. You have to prove each machine is receiving, or not, updates.

How many chairs do they have? That many PCs I'd expect something like 17 chairs give or take.

And to kick things off @thecomputerguy you will need to sign a BAA and also make sure your underwriter will cover you. Everyone else, including Google, will need one as well. Does the potential customer know what will happen with their insurance coverage if they have a breach and are found to be non-compliant? And what triggered this? A compliance audit?
 
I'd do what you said and follow your own policies, if you don't want to take it on, there is nothing wrong with saying you don't want to take them on too. That might get them to say we def want you then. I had that happen before and I did end up taking the job. The guy bitched my rate was more than he made in an hour. We talked for 20 min, I fixed it in 8 min and billed for the whole hour.
 
It wouldn't really matter if a single access point were shared, were it appropriately broken into dedicated sub-networks, including a separate public one (that wouldn't really be public, strictly speaking, because even that should be set up as a password protected sub-network, where the password for it gets changed at least occasionally).

And HIPAA specifies reasonable precautions (or did the last time I was working with it as a clinician). NSA level security is not necessary to be HIPAA compliant. But "wide open for access to anyone" isn't allowed, either. It's about making something that's reasonably robust against unauthorized access without it having to be locked down so tight that it could not possibly be used in an office.

But I do hasten to add that I do not do HIPAA compliance as an IT professional. There are parts of the IT infrastructure that are needed that go beyond what I want to have to deal with these days. If I were younger, and my work were not a "side gig in semi-retirement" that might not be the case, but I'm not willing to take this level of detail and the necessary IT skills, or ability to hire/oversee those who have them, on.
 
$60k credit balance that I can draw from and $2k a month?
Are you saying you'd provide all of the equipment and managed services for a monthly fee? You'd put up $60K then recoup the investment over 30 months?

If you're going to get involved, do it by your guidelines, your way or the highway. Make it so they're just another client doing things the right way. If that's too much for them then that's their problem.
 

I'd make them make a $60k initial investment in credit that I could draw on for hardware or ... anything really ... then round it all up to $2k-$3k a month perpetually for support, RMM, backup, AV etc.

Basically like ... give me $60k and I'll figure out how to spend it.
 
There's a LOT to a HIPAA audit and compliance...and I've been fortunate enough to sit side by side with a company that does these....
there's a lot to think about.

I'm not going to be the person who does an audit.
But I'm happy to take the basic guidelines..and sit down with a client..and work towards meeting them.

Key with these clients...is not to immediately dismiss them. But...sit down with them and have a discussion to feel out if they're willing to work towards achieving goals. If you can come up with a POA for them (Plan Of Action). Taking steps towards the goal...over time...can be realistic. Whereas...trying to shove everything down their throat within 6 months is cost prohibitive.

Easy enough to upgrade their network hardware....with Unifi...not a lot of cost either. Can easily take a single internet connection and wall off two separate networks, proper internal firewall rules between the VLANs and SSIDs.

The server...honestly Windows Server, and *nix, does software RAID just fine. I've had a few software RAID servers throughout my decades....and if a drive tanks, "breaking the mirror" ..swapping a drive...rebuilding the mirror...pretty simple and quick. Since multi core CPUs came out..software RAID doesn't have much of a performance impact at all either. Sure a good hardware RAID controller is preferred...but honestly...nothing horrifically wrong with true software RAID either (now...those onboard fake-RAID controllers...I'm not a fan of)

Backup...yeah, not good.

Need managed AV
Need managed updates
Need managed content filtering (either via the gateway like Unifi's new pay-for filtering, or...agents on computers like DNS Filter).
Need managed backup
Need managed full disk encryption

Increase security on the email, and by all things that are holy....get MFA on there, and some monitoring/alerting service.

Speaking of the server, what is run on it? What is stored on it? Which dental practice management platform do they use?...and additional services?

Part of HIPAA is "who has access to what"? So...stuff stored on the server...how is it shared, to what users/groups? How does data get in, where does it go, how is it stored, how is it backed up, and through that process, who has access to it along each and every step? Where does PHI fit into all of that?

The fax, as noted above...still trusted, still secure!

I think you just need to sit down with the client and see how realistic they are in working towards the goal, coming up with a POA...and signing that.

Yeah the replacing of workstations is the bigger thing now. And figuring out what to do with that server. Allowing Windows 10 rigs to proceed into November of this year is not good.
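As an added illustration, not from this thread or any of its posters, here is a small Python model of what the "one internet connection, two walled-off networks" approach above buys. It assumes a constructed address plan (one VLAN per practice, one for patient WiFi, one for management; the 10.x.x.x ranges and segment names are made up for the example), evaluates first-match firewall rules between segments the way an inter-VLAN firewall would, and has a `find_leaks` check that proves the two practices and the patient WiFi cannot reach each other while each still reaches the internet. The flat "allow everything" ruleset stands in for the office's current single shared network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption, not from the thread): one VLAN per
# practice, one for patient WiFi and one for network management.
SEGMENTS = {
    "mgmt": ip_network("10.0.0.0/24"),
    "general_dentistry": ip_network("10.10.0.0/24"),  # husband's practice
    "ortho": ip_network("10.20.0.0/24"),              # wife's practice
    "patient_wifi": ip_network("10.99.0.0/24"),
}

# Boundaries that must stay closed: separate businesses, separate patients,
# and nobody but management reaching the management VLAN.
MUST_BE_ISOLATED = [
    ("general_dentistry", "ortho"),
    ("ortho", "general_dentistry"),
    ("patient_wifi", "general_dentistry"),
    ("patient_wifi", "ortho"),
    ("patient_wifi", "mgmt"),
    ("general_dentistry", "mgmt"),
    ("ortho", "mgmt"),
]


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: str                             # segment name or "any"
    dst: str                             # segment name, "wan" or "any"
    dports: Optional[frozenset] = None   # None means any destination port


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the plan is the WAN."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "wan"


def is_allowed(rules, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match rule evaluation with an implicit default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in rules:
        if r.src not in ("any", src):
            continue
        if r.dst not in ("any", dst):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action == "allow"
    return False


def find_leaks(rules):
    """Return (src, dst, port) triples that cross a boundary that must stay closed."""
    leaks = []
    probe_ports = (53, 80, 443, 445, 3389)  # a handful of ports to probe in the model
    for src, dst in MUST_BE_ISOLATED:
        src_ip = str(SEGMENTS[src][10])     # an arbitrary host in each segment
        dst_ip = str(SEGMENTS[dst][10])
        for port in probe_ports:
            if is_allowed(rules, src_ip, dst_ip, port):
                leaks.append((src, dst, port))
    return leaks


# The current state described in the thread: one flat network, everything talks.
FLAT_RULES = [Rule("allow", "any", "any")]

# The segmented plan: each office and the guest WiFi get out to the internet,
# management reaches everything, and every other direction hits the final deny.
SEGMENTED_RULES = [
    Rule("allow", "mgmt", "any"),
    Rule("allow", "general_dentistry", "wan"),
    Rule("allow", "ortho", "wan"),
    Rule("allow", "patient_wifi", "wan", frozenset({53, 80, 443})),
    Rule("deny", "any", "any"),
]

if __name__ == "__main__":
    print("flat network leaks:", len(find_leaks(FLAT_RULES)))
    print("segmented network leaks:", find_leaks(SEGMENTED_RULES))
```

The check is deliberately positive-and-negative: it is not enough that the segmented ruleset blocks the cross-practice paths, it must also still allow each practice out to the WAN, otherwise the "fix" is just an outage. On real gear the same list of must-stay-closed pairs is what you would walk through when reviewing the inter-VLAN rules after the build.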
 
The fax, as noted above...still trusted, still secure!

Well, it is so long as no one is misdirecting the FAXes to wrong numbers. Having worked in healthcare for quite some time I can say with absolute assurance that it's amazing how often "something I shouldn't have ever received in the first place" comes shooting out of the FAX machine. And some of it was stuff like legal documents, etc., that we never would have seen had not someone fat-fingered the FAX number on the sending end.

I've said for years that I'd far rather have my stuff sent by email than FAX, as it's a simple matter to encrypt attachments and have them password protected. FAX is a grand PITA and medicine is one of the niches where it remains king.
 
If you come in claiming violations you can't half-ass it.

BTW, I agree with this 100%. That's the reason I pointed out that much of what you seem to believe is a HIPAA violation is absolutely not a HIPAA violation.

If ever there were a case where accuracy matters, this is it.

You can dial up beyond what HIPAA requires if you so choose, but you can't claim that not doing anything but what is legally required is essential to compliance.

You lose credibility, big time, when someone else (or possibly several someone elses) are called in to make proposals on the same project, none of whom are making incorrect assertions regarding HIPAA compliance.
 