By Dan Gospe
If you are like most dentists, you’ll need a Windows Domain Server to manage your internal network. As the “brain of your network”, a properly configured Windows Domain Server will achieve HIPAA compliance and enforce robust, network-wide security measures. These security protocols will help protect against viruses and intrusions both from inside, and outside of the network. But, putting a domain server in place isn’t enough to satisfy your security requirements – you’ll need to implement the protocols that you need to secure your patients’ data, and the PCs that access it.
1) Define your Administrators
The first thing you need to do is define your administrator accounts. In general, it’s best to limit your administrator accounts to just 2 – yourself, as the owner of the server, and your managing IT company, if you have one. These are the accounts that will be allowed to make the various changes to the network-wide settings that ensure that everything is as secure as it can be. Also, you should limit the access to these accounts to just yourself and your IT company – a lot of damage can be done unwillingly by using administrator accounts when they aren’t necessary. Most times, when you need to access the server for whatever reason, a Domain Administrator account is not needed – after setup, it’ll be pretty rare that you’ll need to go in and make structural changes to your Windows Domain.
2) Use your Group Policy Settings
Group Policy is the part of the Windows Server that manages and controls the devices attached to your network, and the user accounts that use them. The Group Policy interface is the place where you configure your individual workstations and the access rights for employees. From Group Policy, you set your timeout periods for the various workstations, manage any Control Panel options, and run login/logoff scripts on the PCs on your netowkr. You can also structure your group policy to automatically add printers and mapped drives when a user logs in, which saves time on configuring individual accounts. For example, if you get a new employee and set up a new user account, Group Policy is responsible for setting them up with all of the resources, programs, and printers that they need when they log in for the first time.
Any setting that you can set on the individual workstations, you can push out through Group Policy – from screen savers, to passwords, to network access, and everything in between. Most of the security settings of your network will be controlled through Group Policy. In addition, the security protocols that you enforce can block individuals from making changes to how their PC functions – so, if you get yourself a computer-savvy employee, they won’t have the ability to change their network settings, install unwanted programs, etc. More importantly, this PC-level lockdown breaks the ability for many viruses to cross-contaminate the network, or reap havoc on the data files stored in shared folders.
3) Enable your Password Policies
Each user account should have their own password. Through Group Policy, you should enforce the management of your password protocols – for example, they need to follow complexity requirements, and be changed every 90 days or so. Your Domain Server will be responsible for enforcing these rules, to make sure that passwords are changed on a regular basis.
4) Enable Audit Trails
Detailed audit trails are not enabled by default on a Windows Domain Server – you need to activate them manually. This is a huge HIPAA requirement – you need to know who did what, from where, and when. If you ever have a breach, you’ll need to be able to perform forensics to find out where it came from. Without enabling this detailed logging of what the user accounts are doing, you are dead in the water when trying to figure out what happened after a crisis.
5) Encrypt it, and hide the key
Encryption of your data while at rest is not a HIPAA requirement. However, it is indeed a best practice. All of your data resides on your Windows Domain Server, and if it ever gets stolen, there’s a risk of someone getting in to get the data, even without a password. If you encrypt those drives, it becomes much harder, if not impossible, to get to the data on the server without the proper password. If your password policy is set correctly, any series of failed attempts at logging into the administrator accounts will lock it out until it can be unlocked by a person who has the encryption key available. There is a risk, however, if you lose that encryption key – if it’s lost, you are out of luck and will never get back to your data on a locked system. So keep that key somewhere that prying eyes won’t find it – online, somewhere, with a couple of copies in various places that won’t be available to someone who might steal the server itself. If you have an IT company that set the server up, make sure that they are keeping a secure copy of your key on-file in case of emergency.
6) When Possible, Disable Admin Accounts on the PCs
Many dental software packages, unfortunately, require local admin rights on the PCs. But if you’re one of the lucky ones whose software does not require it, then disable those local admin rights and leave administration to the server.
7) Use Employee User-Accounts, not Computer-Name Accounts
Many times, we’ll find Domain Servers configured where the usernames are the same names as the computers themselves. This doesn’t abide by HIPAA’s requirements to have separate accounts for each employee, and it also defeats the purpose of the audit trail logging discussed above. The main goal of the Domain Server is not only to manage your entire network, but also to keep detailed logs of how your network is being used on an ongoing basis from a user perspective.
8) Make Sure you are Protected
If you have a Domain Server and you’re not sure if it’s configured correctly, get some advice from an IT consultant with knowledge of HIPAA to take a look and activate any security measures that may not be in place.
Dan Gospe is the Chief Operating Officer and HIPAA Privacy Officer at dmi Networking, Inc. He can be reached through the contact form on this site, or in his office at 707-523-5915.