A Whitepaper by
Dolce Vita IT Solutions LLC
Business Continuity in Chiropractic Environments
Chiropractic environments are typically in smaller office settings and are often more cost-constrained than other medical environments. This means that they are often subject to third-party IT and office management offers which frequently do not protect the practice’s data as well as the owners believe. Based upon experience in assisting chiropractor offices and other small medical practice clients, some guidelines are offered for chiropractic practice owners to follow in order to limit risks to sensitive data.
Sources of sensitive data
The chiropractic environment has several sources of sensitive data which need to be protected, some of which are not necessarily obvious:
Routine patient data in chiropractic practice management software
- Imaging data generated by x-ray or other devices
- Fax images from other medical practices, insurance companies, etc.
- Email relevant to patient information
- Scanned documents such as identification, insurance cards, etc.
- Accounting data
- Business data and documents
Requirements for protecting data
Protection of data in a chiropractic environment does not differ greatly from that in other business environments. To understand some of the risks, consider the most typical ways for data to be lost (or stolen).
- Dumpster diving – a potential source for identity information, and very low risk
- Corruption – if power issues ever occur and if battery backups are older than 3-4 years, this is common as workstations/servers can spontaneously shut down or be damaged by brown-outs (circuit amperage or voltage drops slightly and if not corrected by battery, damage to computers and components can occur over time)
- Theft – any improperly secured wireless can result in unintended access to your systems
- Theft – weak, non-existent, or old passwords on workstations, desktops which do not automatically lock after a configured inactivity period
- Loss – patient or business data not being backed up and accidentally deleted or destroyed
- Destruction – ransomware is a very common way for data to be destroyed
- Loss of access – poor documentation of credentials for every aspect of the information operation
- Workstations have to be connected to the battery backup outlets on a functional uninterruptible power supply (UPS)
- Workstations should have excellent air flow; those placed inside of cabinets must have air holes, etc. in any cabinetry to minimize damaging heat build-up, including fans in some cases. It is best to avoid this scenario by placing workstations on CPU stands on the floor with appropriate cable management
- Carpeted floors increase the dust in an environment, so it is important to use compressed air periodically to clean the internal components on workstations
- Printers and other sensitive electronics must be connected to surge protectors
- All network components such as servers, firewalls, switches, workstations, etc. must be connected to battery backup (verify they are connected to battery-protected outlets)
- All workstations, servers, and network equipment should be in rooms which are reasonably cool (i.e. never more than 72 deg F). Higher temperatures will result in thermal degradation of system boards, etc. over time. Avoid any situation in which workstations or other equipment reside near floor heaters
- Servers, backup appliances, storage appliances, and network equipment should normally be in a physically protected, locked room.
- The building should be locked and alarmed, with an alarm service
- Use of security cameras is recommended with specific attention to doors and windows as well as access to network storage hardware
- Any shredded material should be destroyed by a trusted and certified destruction company
Firewall and Content Filtering
- Typically it is recommended to use a hardware firewall which is a capable Unified Threat Management (UTM) appliance.
- UTM firewall should be licensed and configured for content filtering, gateway antivirus, antispyware, application monitoring
- Firewall should normally be configured to block all outbound ports not required for routine business operations
- All access from the outside for firewall configuration is turned off…there is rarely justification to allow even trusted users to configure the firewall from outside
- Firewall is configured with a complex password, with account lock-out enabled (x failed attempts locks access to the device for a set time period)
It is not uncommon to find practices with residential-quality firewalls and wireless systems, without content filtering or the ability to detect malicious encrypted traffic common with ransomware exploits. This is a situation which should be looked at closely and remediated.
AntiVirus and AntiSPAM
With regards to ransomware, which is one of the most prevalent risks facing businesses, there are a number of important conditions which owners should be aware to ask about:
- Each reputable antivirus software vendor has available technical best practices with recommended settings most likely to protect the client environment. The owner should ask to be shown the current applicable pdf used to configure the antivirus in use.
- Most antivirus is capable of content filtering…it is recommended that this be configured consistent with current best practices, in addition to the content filtering running on the firewall. These settings can be easily tested.
- Anti-SPAM is not as easy to properly configure, and SPAM is the most prevalent source of ransomware risk. It is often recommended that anti-SPAM be cloud-based so that infections are dealt with before they ever land on the client location, and to significantly reduce email system load. It is common for reputable systems to vet out over 75% of inbound email as originating from spammers and other blacklisted sources.
- Anti-spam system should be configured to reject risky attachments consistent with manufacturer best practices
- Best practices for vendors should be reviewed on at least a quarterly basis because manufacturers are continually adding features such as machine learning, etc. to their products
Backups and Business Continuity
It is generally acknowledged in the technology industry that ordinary file/folder backups are no longer adequate for business continuity. It is essential to have a business continuity plan which includes the ability to recover not only files and folders encompassing all of their patient data, but also recovery of imaging data, documents, correspondence, accounting and business planning data, as well as recovery of email. In addition, any critical servers or workstations should be protected at least on-site by imaging software…this allows a failed workstation to have a recent backup image used to restore to new hardware if needed.
Unfortunately it is common to see situations where the only patient data recoverable was that in the chiropractic practice management system. This is only a portion of the data required to be recoverable. It is the business owner’s responsibility to know where all critical data resides, verify that it is backed up, and verify that it is recoverable.
The typical storage situation in chiropractic offices includes two to five workstations, often with one designated as a "server", but which is running a workstation operating system. In the typical case, the data which is critical is spread across a number of devices…if the patient records database is the only data being consistently backed up then there is a problem. To simplify the storage environment it is possible to have scanned documents and other data reside on a server, network-attached storage device or other converged storage. This can simplify the backup protocols as well, resulting in one device with critical data to be backed up.
Recovery Risk Matrix
Once the storage environment is planned, then it is critically important to work with whoever provides the practice’s IT to review its highest-risk, highest probability downtime scenarios, and ensure reasonable steps are taken to protect data as well as ensure that the owner understands the timeframe for recovery of data based upon the current infrastructure. A risk matrix is one of the most useful and dynamic methods used for business continuity planning.
It is useful at this stage to review the distinction between backups and business continuity, because the difference is exceptionally important from a cash flow perspective. The term ‘backups’ is used to describe the fact that a copy or image of critical data is kept on separate media allowing data to be recovered in the event the original media or device is damaged, etc. The term backup does not account for the time required to recover data.
The term ‘business continuity’ is used to describe the practice of backing up data as an image in such a way that it is recoverable in an acceptable timeframe to minimize cash flow impact on a business. This can be critically important and is illustrated by two recent real-world examples.
The client is an educational institution whose primary file server failed late on a weekend due to a failure of multiple hard drives. This required that the drives be replaced and a “bare-metal” recovery be performed to different hardware.
The data recovery for this 1.5TB server required approximately 20 hours for the backup system to complete. The business impact extended from about 0800 Monday morning until about 4 PM Monday, and the school acknowledged no serious impact on their organization.
The client is a high-tech manufacturer serving the oilfield and aviation industries. They had a critical database server fail due to live system modifications being made by an application developer. They had over 50 personnel as well as five 18-wheel transports idled by this data incident, at an estimated downtime cost of approximately $2500 per hour. The business was up and running with a server image in under 30 minutes due to the business continuity system in place. In addition, the server data was restored outside of regular business hours to minimize disruption to the client.
This illustrates the need for owners to understand recovery timeframes and their impact on cash flow. In the chiropractic setting, it can create a significant inconvenience, but usually will not cause a significant cash flow disruption, so long as the data is recoverable. With regards to cash flow impact it is useful to plan around the potential absence of key data for the duration of various recovery scenarios, and to at least plan for work process adjustments to accommodate this and minimize patient care impact.
Example Risk Matrix
A risk matrix is a basic listing which includes a list of all of the significant information repositories, such as patient images, front office scans, patient records, accounting data, etc. Then each repository is used to identify the business impact (i.e. on a scale from 1 to 10, with 10 effectively not allowing business to be conducted or being extremely damaging). Then each repository is evaluated on the likelyhood of damage occurring (again, from 1 to 10). Effectively the risk factor is:
Risk factor = business impact x likelihood
Of course the higher the risk factor, the more it may need to affect how that repository is protected. Businesses should re-evaluate risk factors on at least an annual basis, and should test data recovery on at least a monthly or quarterly basis. Our clients with major potential cash flow impacts are set up with automated testing of their backups on a daily basis.
It is important for chiropractic practice owners to be involved in the appropriate protection of their data. Involvement in identification of all critical data sources and decision making regarding continued availability of that data will serve to reduce risk to the business and can ensure better quality of service for patients. Making assumptions about current quality of service data protection is irresponsible and potentially dangerous for the business and for quality of care. It is easy for business owners to feel intimidated about this process, but their IT service provider should be able to provide assistance to make this a reasonably painless process.
Dolce Vita IT Solutions LLC
About the author: Dolce Vita IT Solutions is an Edmond, Oklahoma based IT consulting firm specializing in providing IT support to small and mid-sized businesses in the medical, insurance, manufacturing, banking, and other business verticals. In business since 2002, Dolce Vita works with businesses from 2 to 500 users. Lane can be reached at firstname.lastname@example.org .