“Hi, we’re from the government and we’re here to
help.” That line, along with any other you care
to add, tells it all. The devil is ALWAYS in the
details, especially when it APPEARS that you
will get something that seems too good to be
true.
When we studied the requirement for MU,
particularly the security portion that was
available at the time, we understood that we
were sorely lacking in some areas.
Instead of ignoring our deficiencies and hoping
the feds wouldn’t show up and see if we were
telling the truth after we attested, or that
they were going to somehow lower the security
requirements they had initially posted, we
employed the services of a reformed “black hat”
hacker to secure our networks. It takes a thief
to catch a thief.
His work is pretty much done remotely or with my
local IT person on the ground if needed. He
provides written reports on vulnerabilities
found after he does a thorough scan(s) and the
measures taken to fix said vulnerabilities. He
will even set up a honey pot if that’s your
desire to toast any intruder’s machines/network
when they try to gain entry. He works very
willingly with your on the ground IT person and
his rates are very reasonable.
Although the current requirements seems crazy
and outlandish to us, to them it’s pretty much
standard bill of fare patching vulnerabilities
and exploits they have used for years to gain
entry to networks other than their own. It’s not
rocket science to these guys. It’s fun,
challenging and an adrenaline rush. Social
security numbers fetch BIG money in Russia,
China and other countries these days. Think
about how many social security numbers you have
somewhere on your network.
How many of those numbers belong to old
vulnerable seniors who are prime targets for
social engineering? Any payroll information on
your network? Any personal information on your
network? Any information on your network you
wouldn’t want others to see? Do you have any
users accessing your network through a wireless
access point? Do you have users accessing your
network from remote locations? STOLEN
INFORMATION=BIG MONEY.
If your practice has an internet connection
with static IP address(s) you are vulnerable.
Simply updating your windows operating system,
using a firewall and antivirus software is
inadequate and akin to patching a gunshot wound
with gauze. Believe me, if they want in, they
will get in and once they are in they leave no
traces. Unless you have someone who knows the
most current exploits and how to look for tell
tale signs of a breech, you my friend have
brought a knife to a gun fight.
We have slept with the devil and not only is he
going to extract his MU money back from you he
is going to paint you as a greedy, evil, lying
cheat who took money to which you were not
entitled and who cares nothing about the
security of patient’s demographics and patient’s
protected health information.
One less provider with the ability to bill the
federal government for health care services he
provides isn’t a bad thing when you are trying
to cut expenses and reduce services. MU money is
without question the biggest honey pot every put
together in history. They set the trap, we took
the bait and now we are hooked.
Mark J. Tuccio, DPM, Jamestown NY,
drtuccio@netsync.net
