Get Tips From The Pros
Over the past 16 years, we have seen a lot: everything from nearly perfect examples of the ‘ideal’ network setup all the way to the other end of the spectrum, which is essentially a functioning security nightmare, HIPAA violation and lawsuit goldmine waiting to happen. Here are the 5 most common deficiencies I see in offices we meet with, all of which are very easy to correct.
- No data encryption. 95% of new clients we meet with lack drive/disk encryption on the main storage devices that hold their ePHI data. There are plenty of products and systems on the market today that can be set up with relative ease to protect those devices.
- Too simple or no passwords. This is BIG, and very easy to correct. Having ‘password’ or ‘12345’ as the password to a device that has access to your entire digital data storage is a bad idea. Any competent IT professional should be able to help you implement a password policy in your office that will provide a bit more security.
- Physical server location. I cannot begin to recall how many offices fail when it comes to the physical setup/location of their equipment in the office. To have your main server/data center at the front desk right out in the open is simply asking for trouble. In less than 10 seconds a thief could break into an office and walk off with ALL your data. Find a secured location within the office with locks on the doors (at least two locked doors) between the server and the outside of your space. Again, having a lock added to an inside door costs fairly little but is a big improvement to your security.
- Non-compliant backup systems. Some offices think they are doing backups, but upon further review the backup is not encrypted, is not backing up the correct data or is not working at all. A backup software license that is capable of encrypting to the levels that HIPAA requires is often less than a couple hundred dollars. These backup software solutions provide log tracking and an easy user interface for daily monitoring.
- No office firewall devices. One of the most common points of weakness we see is the lack of a business-class firewall, or of any physical hardware firewall device at all, between the internet device and the internal network. A firewall is a relatively low-cost item to add to the network, and adding one corrects this deficiency.