Author: Stuart Crawford

What’s The Remote Access Protocol And Why Should I Worry About It?

The Remote Desktop Protocol (RDP) is a means that Microsoft provides for Windows (and Mac) users to access another computer remotely. Remote computer access is often used by IT people to diagnose and repair a problem with a computer. If you’ve ever worked with a company’s Help Desk, then the technician may have asked for remote access to check out your computer. The help desk tech has all the powers and abilities that the user has.

If that user is an administrator (if only one user is authorized on the computer, that user is set up as an administrator by default), they have total control over the remote computer. They may well have total control over the network as well, depending on how the network administrator’s permissions are set up.

So How Does RDP Work?

RDP works by connecting the computer remotely, then controlling it over a local network or the internet. The internet port used for this is 3389. If that port is open in the remote computer’s settings, anyone can potentially connect to it and control it.

The FBI recently warned that hackers are constantly scanning the internet for open RDP ports and selling the access information that they find on the Dark Web. Several types of ransomware and other exploit tools rely on finding open 3389 ports. One security company, Rapid7, found 11 million open 3389 ports on the internet in 2017. There are over 1,000 attempts to find open RDP ports per day.

Obviously, if you don’t know your ports are open, you are not going to be able to protect them. The first step is to make sure that only machines that need remote access are set up for it. Your system administrators can use several methods to make sure that only computers that need remote access have it.

But We’re Covered…Or Are We?

Ah, you say, but we are protected against this kind of attack because we have all our RDP-enabled computers protected by a password. Guess again. If you look, you may well find RDP servers (and servers in general) that are not password protected. Sloppy system administrators (sysadmins) all too often leave the machines they manage unprotected, so they don’t have to remember the passwords to them.

Even if both the servers and the remote machines are protected by usernames with strong passwords, there are two ways that hackers can still access them. One, called a brute-force attack, keeps trying usernames and passwords until it scores a hit. This is known as a dictionary attack.

The other way is to use lists of username/password combinations that are automatically created, bought on the Dark Web, stolen, or some combination of this. The only defenses against this are two-factor authentication or the use of security keys (dongles).

In two-factor authentication, users have to enter a second password, sent by SMS to a smartphone or by email, to log on. When dongles are used, a physical device, such as Google’s Titan security key is used.

Use of biometric identifiers (fingerprints, face scans, retinal scans) is another way of either single-or two-factor authentication (i.e., the user is required to use a password and scan a fingerprint.)

How Bad Is This Problem Really?

Remember, once a hacker gets into your system via RDP, you are probably vulnerable if you do not have two-factor authentication and/or biometric identifiers enabled on all your machines, both Mac and Windows. In any other condition, you are vulnerable. The lists of RDP endpoints being sold on the Dark Web include those stolen from airports, hospitals, nursing homes, and government agencies.

How Bad Could This Get?

So far, the use of RDP as a means of network penetration has been limited to attempts to install ransomware or steal banking, credit card information, and online shopping information.

There is little evidence (remember, we don’t find it unless we look for it or the hackers make a mistake) of any state actors or terrorists using it. But RDP access is really low-hanging fruit for them.

Practically everything runs on computers today, and the vast majority of them communicate over the internet with unencrypted data. Imagine terrorist hackers shutting down first-responder communications systems. They also have the potential to shut down hospital EHR systems or disrupt air traffic control at the airport.

Once we begin to think of the vulnerabilities in our systems, this problem of open RDP ports gets worrisome very quickly. Small wonder that the FBI is warning everyone about it.

In 2017, just one Dark Web site had 85,000 RDP endpoints for sale. It has dozens or hundreds of imitators. We just do not know until the FBI or some other agency finds the Dark Web site and tries to take it down. If you work with a managed IT services company, then it can be worth your while to ask them to check your computers and networks to see whether you have RDP ports open and susceptible.

We know it’s important to have good habits in many parts of our lives, from our work to our daily hygiene. However, quite a few of us forget that we need to have good computer habits, too. Developing wise practices in connection with our computers and smartphones can make our lives much easier and help us to stay much safer on the internet.

Back Up Your Files

One thing that many people fail to do is back up their files. All it takes is one catastrophic computer crash and days or even months of work can be lost. Priceless family photos, fun videos with friends, key work files, and important school assignments that were a work in progress can be lost. Backing up your files isn’t that hard nor is it expensive. And, to make things even better and easier, you have many different options from cloud-based backups (such as GoogleDrive, OneDrive, or DropBox), convenient USB thumb drives, portable hard drives, and even specialized backup drives. A good practice is to make sure your files are backed up daily, or at least weekly.

Keep Your Software Updated

Software updates can be a pain, but they are vital to ensuring that your computer and software runs smoothly. In fact, one of the major reasons that updates are released is to fix bugs and issues that could make your computer vulnerable to cyber threats. Hackers know about these bugs and vulnerabilities. If you don’t allow your system to install the patches and fixes, then you are making yourself a prime target for a cyber attack.

Keep in mind that you don’t have to perform updates in the middle of your work anymore. Most software (and smartphones) will give you options for when the update should take place, so you can choose times when you aren’t busy on your computer.

Be Smart When Using Public Wi-Fi

Public Wi-Fi in places like fast food restaurants and coffee shops can be tempting to use when you need an internet connection, but they can also be dangerous. These public Wi-Fi networks are a common target of hackers, and even hackers with minimal skill can quickly figure out things like your social media credentials and more.

If you do have to use public Wi-Fi, take safety precautions such as turning off network discovery, file sharing, and printer sharing and make sure your firewall is turned on. Don’t be an easy target for hackers.

Make Use of Antivirus Software and Passwords

Would you leave your front door unlocked if you lived in a high-crime neighborhood? Well, the internet is a high-crime neighborhood. Failure to use updated anti-virus software and good passwords is the same as leaving your door unlocked. You can’t afford to make it easy for the wrong people to access your personal and financial information.

Your first line of defense lies in the passwords you choose. Don’t use easy to guess passwords, and don’t use the same passwords for everything. Include letters and symbols with your passwords to make them harder to crack, and add some numbers for good measure.

Your second line of defense, much like a deadbolt for your front door, is anti-virus and firewall software. They don’t have to be expensive in order to do a good job of protecting your computer. It is also vital that you keep your anti-virus and firewall software updated and don’t ignore alerts they provide.

Be Careful with Email

Going back to our analogy of living in a high crime area: if your doorbell rang in the middle of the night, would you fling the door open and invite whoever it was inside? You would probably want to make sure who it was, and even check their ID if they claimed to be some kind of official demanding access to your home. Strangely enough, far too often we inadvertently provide access to individuals with malicious intentions when we click on links in emails without making sure where those emails are really from.

In short, don’t open an email unless you have a good idea of who it is from, and beware of clicking links in emails even if they seem to be from friends. Be cautious about opening attachments, too. In short, be as careful with your email as you are with your front door.

Conclusion

You work hard to keep yourself safe from physical dangers such as criminals and disease. It makes sense that you should work just as hard to keep your electronic devices safe, too. Backing up files (including documents, photos, and videos), keeping your software updated, and being smart when on public Wi-Fi is a good start. Add to that antivirus and firewall software, robust passwords, and the careful use of email and you are on the road to developing excellent computer habits that will keep your files, data, and personal information safe.

The Health Insurance Portability and Accountability Act (HIPAA) is a Federal statute, and associated regulations, that, among other things, control what healthcare providers and other “covered entities” do with “protected health information” (PHI). The HIPAA regulations are fairly straightforward, but there are a lot of them. There is a good summary here, with links to the relevant portions of the Code of Federal Regulations (CFR). This article covers only the basics.

Who Does HIPAA Apply To?

“Covered entities” are health care providers, health plans, and health information clearinghouses. The latter are usually aggregators of health information from hospitals, doctors, and the like. “Protected health information” is any information that relates to an individual’s past or present health status, treatment, and payments for any treatment an individual receives. Past, present, and future healthcare records are covered.

Data falls under HIPAA protection for 50 years after the death of the patient. The form in which the information exists does not matter – it can be written, oral, or electronic. If the information is in electronic form, additional requirements for protecting it apply.

Why Should I Worry About All This?

People are concerned about following HIPPA guidelines and they should be. It’s important to protect the personal and healthcare information of all patients. In addition, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) can impose large fines and other penalties for HIPAA violations. Hospitals and health systems have been fined in the millions of dollars for HIPAA violations. And HIPAA violations, if they make it into the news media, always create bad publicity.

What Can I Do To Remain Compliant?

Training of staff on HIPAA rules and practices is by far the most important step. The second is making sure that PHI stored in electronic form is protected. That involves things like:

• Using encryption when data is stored or transmitted
• Making sure that staff have only the access needed to do their jobs
• Making sure that access to systems is, at a minimum, protected by strong passwords
• Protecting records with the latest technology such as swipe cards or biometric identifiers

What Do I Have To Do To Conform To HIPAA?

You need to:

• Formulate your privacy practices
• Notify patients of privacy practices
• Obtain consent or authorization when required
• Make sure that your arrangements with business partners meet HIPAA requirements
• Make sure you distinguish your normal health care operations, where consent is not required, from disclosures, where consent or authorization is required
• Make sure you follow the HIPAA “security rule,” which covers PHI in electronic form

It goes without saying that your legal department needs to be involved in all of this. The Notice of Privacy form should inform patients and staff of what your practices and guidelines are. The notice should be given in written form to patients when they are first encountered.

“Arrangements with business partners” concerns companies that may have access to PHI in the course of providing services to a health care provider. These include companies that provide storage of documents, destruction of documents, or electronic handling of documents. You are required to make sure that they understand the HIPAA requirements and conform to them. You can think of it as the HIPAA requirements “flowing downhill” from you to your business associates.

What’s The Difference Between Consent And Authorization?

In many cases, no consent is required. This includes disclosure of PHI for treatment, payment, and health care operations. A covered entity may, but is not required to, seek consent from a patient for these purposes, but it is common to do so.

On the other hand, an authorization is required for any use of PHI other than the ones listed above. An authorization is more formal than a consent, must be written, and must contain several elements, which are covered here.

Authorization is required when the disclosure is for any purpose other than treatment, payment, or health care operations. This includes disclosure to a third party, such as a life insurance company, an employer, or a provider not affiliated with your healthcare organization.

Please note that electronic transmission of PHI is covered by the authorization requirement as well. If authorization to send the information on paper is needed, authorization to send it electronically is needed as well.

What Are The Takeaways?

• HIPAA compliance is not optional.
• Penalties for violating it can be very costly.
• HIPAA applies to PHI in any form – paper or electronic.
• Obtaining consent is generally a good idea; authorizations are required.
• Depending on the services your business partners provide to you, they may be required to conform to HIPAA as well.
• It is always better to err on the side of caution when dealing with HIPAA.

If you still have questions, be sure to visit the HIPAA website. Today, there are many organizations that can help you learn about and comply with HIPAA guidelines. For instance, many managed IT services providers have tools to help with compliance.

Today’s business owners carry many burdens, but tax time can cause a headache like no other. Filing taxes is often a cause of stress for small business owners and those just starting their empires, and with an ever-changing set of rules and regulations to follow, it can be difficult to understand it all. It’s important, though, to pay close attention to changes in tax codes. One change, implemented just this year, is already presenting big benefits for business throughout the U.S.

H.R.1.’s Section 179 was signed into law in January of 2018, marking a change to the previous tax laws followed by business owners throughout the U.S. The IRS 179 Deduction was enacted to help small businesses lessen their taxable income, thereby reducing their tax burden. At its core, the tax code now allows business owners to take a deduction equal to the full purchase price of a qualifying piece of equipment. Not only does this encourage small businesses to invest in new equipment, but to also invest in themselves. Numerous small businesses are already reaping the benefits.

What Does Section 179 Do For Businesses?

Due to its signing, Section 179 will see an increase in deductions from $500,000 to $1 million, while equipment purchases will be subject to an increase of up to $2.5 million. Small businesses ought to take advantage of these new changes by investing in their growth, and one of the best ways to achieve this is through technology.

With these new regulations, businesses are now able to file a deduction equal to the total purchase price of a piece of equipment. Qualifying equipment may include laptops, routers and phone systems, among others. In order to take advantage of these new tax benefits, you’ll need to buy, lease or finance and use your equipment by 12/31/2018.

What Type of Equipment Qualifies?

A wide range of tech items qualify for the deduction, and qualifying equipment doesn’t need to be owned, either. Business owners can still take advantage of deductions even for items that are financed or leased. This includes both hardware and software. One stipulation is that the equipment must hold a service contract for business in order to qualify and that equipment must have been in service between January 1 and December 31 of 2018. If the equipment was purchased under a Capital lease, dollar buyout or cash sale, it still qualifies.

Items eligible for deduction include those that help promote and maintain productivity. To take full advantage of these deductions, businesses ought to invest in equipment with the potential to improve efficiency and security measures. Routers and firewalls, for instance, should be replaced every few years to stay in tune with the most current security standards. Other equipment like scanners and switches, both of which are constantly improved, should be upgraded every few years to maximize productivity. With items like these, newer often means faster, and in a bid for productivity, newer and faster can’t be beaten.

Laptops and ultrabooks are covered by the new tax code, and businesses would do well to frequently upgrade to models that boast longer battery life and other features that can aid in productivity and efficiency. Workstations and additional monitors are also eligible for deductions. To take advantage of this, organizations may want to consider providing a 2nd monitor for employees to further enhance productivity.

This also applies to backup equipment and appliances built for disaster recovery. If your business doesn’t yet have a reliable system in place to keep your business afloat in the event of an emergency, it’s something you should definitely consider.

Other items like storage can also be deducted. Storage Area Networks and Redundant Array of Independent Disks are just two examples of storage systems that are deductible for businesses.

Is There A Bonus Depreciation?

In regard to business tax codes, bonus depreciation can be unpredictable. In 2018, bonus depreciation is being offered at a full 100 %. While the Section 179 Deduction applies to both new and used equipment, the same has not always been the case with Bonus Depreciation. Up until just recently, Bonus Depreciation only covered new equipment. Now, it also applies to used equipment, which has proven useful to large businesses that may surpass the Spending Cap under Section 179, which is currently set at $2,500,000.

Tax codes for businesses can be complicated, but the goal of Section 179 is a simple one: encourage businesses to spend more in order to do more. Businesses large and small would be wise to make the most of these tax benefits and leverage them to plan for the future. A certified accountant can walk you through these changes and help you make educated decisions when investing in equipment for your business.

The phrase, “Technology…you either love it or hate it” is a concept that no longer works in the modern world. In fact, it really is not even relevant. Technology has worked its way into nearly every business. The legal sector is no different. Of course, legal professionals may have held out longer than others.

The contemporary law office barely resembles traditional practices. In fact, technology continues to handle larger amounts of legal work at a greater frequency. This frees attorneys to work on more personal aspects of the job. Unless they are technically-savvy, most lawyers delegate these tasks to support staff. Generally, however, it is only the largest law firms that hire an onsite IT team.

This is why many offices prefer to outsource their IT services.

How Are Resources Utilized When Law Firms Do Not Outsource?

When a firm hires an IT-specific employee, this is a major commitment. This individual becomes a member of the support staff and is paid regardless of whether his or her services are required. Otherwise, if one of the partners chooses to take on the task, it is at his/her financial detriment. He/she would be using the time that would otherwise be directed at serving clients, etc.

Additionally, as new technology is required, the firm would need to personally handle it. The on-staff tech (or benevolent partner) would need to take time, and possibly classes, to learn everything about it. This all results in a bit of a mismanagement of resources, which is especially true when there are other options.

Would the Law Office Incur Additional Fees or Experience Downtime?

When a firm outsources their IT services, the provider takes all the responsibility. They spend the money. They invest in the education, software licenses, training, and certifications. This enables them to troubleshoot and resolve problems with the firm’s computers, Internet, servers, and software issues rather than the firm’s.

Generally, outside IT service providers are made up of a team of experts rather than one overworked technician. This allows them to have a variety of individuals who offer a range of experience and skills. They also have access to more advanced technology and tools. Since it is their primary focus, they have to keep up with all of the latest innovations. Otherwise, they lose their edge.

Since there are many people with different perspectives, team members are able to consult with and advise each other. With so much at their disposal, it makes it much easier to identify and resolve the core problems more quickly. This means that there is little if any, downtime or interruptions for the firm.

Does Outsourcing IT Service Provide Business Continuity?

By outsourcing their IT services, a law firm will receive support 24-hours a day, 7-days a week, and 365-days a year, whether they need it or not. This level of support is not possible from even the most diligent in-house employee. An outside source would also have additional resources available that an inside tech would not have.

Since the work to troubleshoot an issue is outsourced, the rest of the office can go about business as usual. Nothing else changes. In fact, business continuity is one of the primary reasons to outsource. It ensures the law office is able to continue as if nothing is amiss. This makes it a particularly responsible option.

What Are the Top IT Outsourcing Options?

When choosing an outside IT firm for a law office, it is important to take due diligence. There are many options, and they are not all equal. Fortunately, there is a resource that has already ranked the top choices. The Everest Group researches each. This makes a time-consuming personal analysis almost unnecessary.

The Everest Group is a management consulting and research firm that advises businesses around the world. Every year since 2008, the Everest Group has evaluated outsourced IT service providers according to 26 characteristics. These include the technologies they use and the geographies they cover, among others.

The top 10 for the year 2018 include the following IT firms:

• Accenture
• TCS
• Cognizant
• Wipro
• IBM
• HCL
• Infosys
• CapGemini
• DXC Technologies, which is a merger of CSC and HPE
• NTT Data

Although these are the top 10 in this reporting year, there are many reputable providers. The Everest Group keeps tabs on the up-and-comers who may unseat the 10 as well. Checking previous winners provides a more comprehensive picture of who has performed reliably.

In Conclusion

For some law firms, there is peace of mind having their own in-house technician or IT team. Most offices, however, would benefit from outsourcing their IT services. Ultimately, it conserves money, time, and other resources. Rather than researching the various options, a busy attorney would do better to peruse the years of lists compiled by the Everest Group. With several reliable performers on them, there is no reason not to.