CryptoWall Virus Affecting Practices

By Steve McEvoy, Technology Consultant

We are seeing a fast spreading outbreak of a new virus called CryptoWall affecting many practices. Similar to the CryptoLocker virus that emerged last year, this virus seeks to encrypt all your precious data on your computer, and hold it for ransom (asking you to send them $500 USD in Bitcoin to get the decryption key).

What makes this virus so alarming is that as of a few days ago ZERO out of nearly 50 antivirus programs were able to detect it. None.

How to protect yourself

Eventually the Antivirus programs will catch up and learn how to detect it, but at this point in time you need to rely on your own wits and acting responsibly.

So far the virus has been arriving as an attachment to an email message (usually a ZIP or PDF file). We’ve seen it claiming to be airline ticket confirmations, monthly statements from the power company, shipping receipts, etc. Avoid ANY email with attachments that you are not 100% expecting. If you receive an email that you are unsure of – DON’T OPEN IT – and contact the sender by other means and confirm that they did send it to you.   Reading the email doesn’t infect your PC, only opening the attachment will.

Signs that you are infected

The virus needs time to tackle the encryption. The longer it goes undetected, the more of your data it can encrypt. You will notice the PC running much slower than normal (since it is using the computer’s processing power to encrypt your files). You may see files named DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML on the desktop, documents, pictures, mapped drives or any location where you have data saved.


What to do if you suspect an infection

Open the DECRYPT_INSTRUCTION.HTML file and note the time remaining to decrypt your data (they only allow you a short period of time to send them the money before they destroy the data permanently). Once you have that information TURN OFF THE PC. The longer it remains online the more data it can encrypt. Do not attempt to run scans and clean the system, this only buys it more time to encrypt data. Do not connect any external drives to restore backups of data as it will attempt to encrypt your backups when it sees the drives. Contact your IT person IMMEDIATELY for their assistance in recovery.
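A read-only check for the signs described above, added here as an example and not code from the original post. It enumerates every fixed, removable and mapped network drive the PC can reach (the places the article says the notes and encrypted files turn up) and reports any DECRYPT_INSTRUCTION.TXT or DECRYPT_INSTRUCTION.HTML files with their creation times, which tells your IT person roughly when it started and which shares and backup drives were reachable. The note file names are the ones the article gives; the function names and the drive-type filter are my own assumptions.

```powershell
# Added example, not code from the original post: a read-only scan for the
# CryptoWall ransom-note files the article names. Run from an elevated
# PowerShell prompt (Windows 7 with PowerShell 3 or later, or Windows 8+).
$NoteNames = @('DECRYPT_INSTRUCTION.TXT', 'DECRYPT_INSTRUCTION.HTML')

function Get-ReachableDrives {
    # DriveType 2 = removable (USB keys, backup drives), 3 = fixed, 4 = network
    # (mapped drives). All three are places the article says it writes notes
    # and encrypts data. Drives with no media (empty card readers) have no Size.
    foreach ($d in Get-CimInstance Win32_LogicalDisk) {
        if (($d.DriveType -notin 2, 3, 4) -or (-not $d.Size)) { continue }
        $type = switch ($d.DriveType) { 2 { 'Removable' } 3 { 'Fixed' } 4 { 'Network' } }
        [pscustomobject]@{
            Root   = "$($d.DeviceID)\"
            Type   = $type
            Target = $d.ProviderName   # UNC path behind a mapped drive, empty otherwise
        }
    }
}

function Find-RansomNotes {
    param([string[]]$Roots, [string[]]$Names = $NoteNames)
    foreach ($root in $Roots) {
        # -Force includes hidden folders; access errors on system folders are skipped.
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |
            Select-Object FullName, CreationTime, LastWriteTime
    }
}

$drives = @(Get-ReachableDrives)
$notes  = @(Find-RansomNotes -Roots $drives.Root)

if ($notes.Count -eq 0) {
    $list = ($drives | ForEach-Object { "$($_.Root) [$($_.Type)]" }) -join ', '
    "No ransom-note files found on: $list"
} else {
    # The earliest note is a rough marker for when encryption began; every drive
    # that shows one was reachable from this PC and must be treated as affected.
    $notes | Sort-Object CreationTime | Format-Table -AutoSize
    $first = ($notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime
    "Found $($notes.Count) note file(s); earliest created $first. Note the deadline in the HTML file, then power the PC off."
}
```

The scan only reads file names, so it does not buy the malware time the way a full antivirus clean would; it is meant to answer "is it here, and where did it reach" before the PC is switched off, not to clean anything.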

Encrypting your Laptop

By Steve McEvoy, Technology Consultant

Depending on your interpretation of the HIPAA regulations your Practice’s HIPAA policy (you have one right?) might mandate that Protected Health Information (PHI) on portable electronic devices within your Practice should be encrypted.

Let me interpret that last sentence into English – If there is any chance that you have any information related to your patients on your laptop, it’s probably a good idea to encrypt the laptop to keep the attorneys and HIPAA Nazis away in the event that it is stolen or lost. You probably have your own personal data on the laptop too, so this is good for several reasons.

I would expect that if I could canvass all of you reading this article that 90+% have PHI on your laptop in some form (as minor as an email message) and less than 1% of you will have your laptop data encrypted. I expect that most laptops that get stolen or lost now don’t get reported and the Doctors are just silently hoping it doesn’t get discovered.

You want to encrypt your laptop, but how do you accomplish this? I’d like to be able to tell you the how-to is simple “Just do this…” but I can’t. Depending on your equipment you have to consider your options. If you invest the time to read through the article below, the conclusions at the bottom will get you started on getting this done.

The Background that Matters

Encryption is basically a process where data stored on a computer is scrambled in a pattern using an encryption key.   The process is complicated, but renders the information useless to anyone unless they possess the key.

There are various levels of encryption; you might have heard it described as 128 or 256 bit encryption. This is referring to the length of the key. A key is a string of 0’s and 1’s (binary language) and the bits mentioned describe how many binary digits there are. For example, 8 bit encryption would be 2 to the power of 8 possible combinations of 0’s and 1’s, so 256 possible keys if you do the math. If you used 8 bit encryption it would be pretty easy to just try each of the 256 keys to unlock your data. Now consider that 128 bit encryption has about 3.4 × 10^38 possible keys, specifically 340,282,366,920,938,463,463,374,607,431,768,211,456. That is a lot! 256 bit encryption has about 1.15 × 10^77 possible keys, and is generally considered unhackable (unless you’re the NSA). Fun fact – many banking websites now use 2048 bit encryption!

I’ve heard rumors that the number of bits used matters to HIPAA, but I have NOT been able to confirm for myself.   The rumor goes that 128 bit is NOT good enough for safe harbor. ‘Safe harbor’ meaning that if you lose it you don’t have to report it. It suggests that 256 bit is good enough for safe harbor.     Personally I think any level of encryption will keep your data safe since no one is likely to invest the time or effort to decrypt Dental records. They are going to take your stolen laptop, reload Windows and resell it on eBay or Craigslist for a quick buck.

If we agree that we want encryption and we’ll go with 256 bit, now what? It gets tricky here, so hang in with me.

Your two choices for Encryption

The encryption process (taking your data and mashing it up using the encryption algorithm with your key) takes computing power.   Something has to actually ‘do’ all that work.   That something can be one of two methods generally:

  • Software based encryption has a little program plugged into Windows that is converting all the information on the fly, and thus this method uses some of your laptop’s CPU power and memory to get it done.
    • This is great because it is a solution that can work on any computer, in particular those that don’t have the special hardware.
    • On older laptops this can make them feel even slower (noticeably so) and can turn them from marginal to no fun at all to use. Some older laptops just can’t deal with the load. I’ve seen it make a cheap 5 year old laptop nearly unusable.
    • There is some cost to this usually, ranging from free to perhaps $130.
  • Hardware based encryption is a solution where there is a special encryption chip (either on the hard drive storing the data or within the laptop) to do all the thinking. This method doesn’t borrow any resources from your laptop’s CPU or memory.
    • This is great since it won’t slow down your computer, even if it’s an older model.
    • Even new computers or hard drives don’t all have this hardware standard – you need to look for it. When you order a new Dell or HP business laptop you need to select a hard drive with Opal security. The cost increase is minimal, typically $20 to $50.

Software encryption is appealing to many since Microsoft began to include BitLocker for free in specific versions starting with Windows Vista. There are only two versions of Windows Vista/7 that do include it, Ultimate and Enterprise editions. Unfortunately the vast majority of Windows 7 out there is Home or Professional editions. You can do an ‘In Place Upgrade’ of Windows 7 Professional to Ultimate, but it costs ~$130. The good news comes in Windows 8 – Microsoft now includes BitLocker as standard in both the Pro and Enterprise versions of Windows 8. So, if you have Windows 7 Ultimate, Enterprise or Windows 8 Pro version on your laptop, enabling software encryption is as easy as going to Control Panel and clicking on BitLocker and following the prompts. Allow from a few hours to 2 days for the initial encryption to complete (knowing you need to leave the laptop alone and plugged in for that period). Pay close attention to the performance impact after BitLocker is set up. If you can’t notice the difference you are in great shape. If performance sucks afterwards, you can always turn it off and go back to normal again.

It is possible to replace your old slow hard drive with a new drive that includes hardware encryption.   A fancy super-fast Solid State Drive (SSD) with Opal security can be had for as little as $114 now (I am a big fan of the Samsung 840 Pro, and others like Intel make good units). The move to SSD will likely speed up your laptop substantially in general so it might be worth it on its own. Remember to factor in the cost of having your IT person help you copy your old drive to the new one and enable the encryption.

Just because you have an Opal compliant drive installed doesn’t mean it’s turned on. Something has to work with it to turn it on and provide a key. Unfortunately Windows 7 Ultimate and Enterprise editions can ONLY do software encryption – they have no idea about Opal drives or what to do with them. The good news is that Windows 8 BitLocker now has the intelligence to work with Opal drives and can control them for you. So, with Windows 7 BitLocker you will get software encryption only; with Windows 8 you can get software or hardware encryption if your drive is compliant.

There are more Software encryption options than Windows BitLocker. As with many Microsoft features, BitLocker is sort of the bare bones of what is needed. Third party companies such as Dell and Sophos have add-in applications for Windows that can do the same thing as BitLocker, maybe even better with less of a performance impact. Dell Data Protection Encryption (DDPE) is available in several versions, but for about $50 you can add it to any version of Windows and turn on software OR hardware encryption if your drive is compliant.


None of these personal solutions may be truly 100% HIPAA compliant. If you believe that there needs to be a constant level of electronic auditing to be able to prove that your laptop was encrypted at the moment of loss, you need a better solution. DDPE for example has an ‘Enterprise’ level license that will include this kind of auditing, but at a cost. The individual license cost only goes up marginally, to perhaps $80, but you need to have an armada of Server software running somewhere that does the auditing process and an IT person to set it all up.

Personally I think this is overkill, and if your Practice’s HIPAA policy states that you shall encrypt with 256 bit BitLocker, and you do it, just write a letter to yourself (or from your IT person) that states that “On this date we enabled 256 bit BitLocker encryption on Laptop with serial number 1234, and stored the encryption key in this safe place” and sign it. Keep this document someplace safe. You could add a periodic audit to this on an annual basis where you check that BitLocker is enabled (remember that it can be as easily turned off as it was to turn on) and document that you checked on the specific date.
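A script version of the do-it-yourself audit just described, added here as an example (it is not code from the original post). It reads the BitLocker state of every volume with the BitLocker PowerShell module that ships with Windows 8 and Server 2012 and later, records the laptop serial number, encryption method (Aes256 for software encryption, Hardware for an Opal drive that BitLocker controls) and which key protectors exist, appends a dated record to a log, and flags any volume that is not fully encrypted with protection on, which also enforces the “encrypt it all” rule below. The log path and function names are my assumptions; the recovery password itself is deliberately never printed or written, because that belongs on the USB key in the safe, not in the audit record.

```powershell
# Added example, not code from the original post: a do-it-yourself BitLocker
# audit record of the kind the article suggests. Assumes Windows 8 / Server
# 2012 or later (the BitLocker PowerShell module) and an elevated prompt.
# The log path is a placeholder; keep a copy of the log with the signed letter.
$AuditLog = 'C:\BitLockerAudit\bitlocker-audit.txt'

function Get-BitLockerAuditRecord {
    $serial = (Get-CimInstance Win32_BIOS).SerialNumber   # the "serial number 1234" in the letter
    foreach ($v in Get-BitLockerVolume) {
        $protectors = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        [pscustomobject]@{
            Checked          = Get-Date -Format 'yyyy-MM-dd HH:mm'
            Serial           = $serial
            Volume           = $v.MountPoint
            VolumeStatus     = "$($v.VolumeStatus)"      # want FullyEncrypted
            ProtectionStatus = "$($v.ProtectionStatus)"  # Off means suspended or turned off
            Method           = "$($v.EncryptionMethod)"  # Aes256 = software; Hardware = Opal drive
            PercentDone      = $v.EncryptionPercentage
            KeyProtectors    = $protectors               # e.g. Tpm,RecoveryPassword
        }
    }
}

function Test-BitLockerRecord {
    param($Record)
    # "Encrypt it all": every volume must be fully encrypted with protection on,
    # and a recovery password protector must exist. Its value lives on the USB
    # key in the safe, which is why this script never prints or logs it.
    ($Record.VolumeStatus -eq 'FullyEncrypted') -and
    ($Record.ProtectionStatus -eq 'On') -and
    ($Record.KeyProtectors -match 'RecoveryPassword')
}

$records = @(Get-BitLockerAuditRecord)
New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
$records | Format-Table -AutoSize | Out-String | Add-Content -Path $AuditLog

foreach ($r in $records) {
    if (Test-BitLockerRecord $r) {
        "OK   $($r.Volume) $($r.Method) on serial $($r.Serial)"
    } else {
        "FAIL $($r.Volume): status=$($r.VolumeStatus) protection=$($r.ProtectionStatus) protectors=$($r.KeyProtectors)"
    }
}
```

Run it once after enabling BitLocker and then at each annual check; a FAIL line for a volume that was OK last year is exactly the “it got turned off” case the article warns about, and a method of FullyDecrypted with Method None on a data partition is the half-measure the next section tells you not to accept.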


Really, really, really read this section and follow its suggestions. It’s based on the school of hard knocks I have personally attended.


If you enable encryption on your laptop I guarantee you this will cause a nightmare for your IT person down the road if you have a hardware failure (like a drive failure, Windows corruption due to spyware or virus, etc). I have lived this multiple times.   Without encryption, IT people have a substantial bag of tricks to try and recover fragments of data from your dead or dying hard drive (most of the time we can get part or all of your data back). With encryption, the drive thinks your IT person is just a bad guy and works to prevent access.   So, all those precious family photos or lectures you’ve prepared are at risk of complete loss.

You need a regular backup of your laptop data. We all know you should be doing this already, but rarely does anyone take the time to do it.   If you are, kudos to you!

My suggestion is to invest in an Internet Backup solution for your laptop in order to keep a near real-time backup copy of your data on your drive. Other than the initial setup (which is very easy), you don’t need to do anything else. It will just run in the background anytime you are connected to the Internet. The solutions are cheap now from companies like Carbonite, Mozy and Oak Tree Storage. A personal plan from Carbonite with unlimited storage is just $5 per month now, less than a quad shot venti latte at your favorite coffee shop. [One of you is going to ask “Is an Internet Backup HIPAA Compliant?” and that is a good question but I don’t have space to answer here in detail other than “Probably Yes”]

Make sure your backup is complete BEFORE you turn on the encryption. An Internet backup might take from a few hours to a few weeks to complete the initial sync depending on how much data you have.

Don’t Lose your Key!

Regardless of what method of encryption you enable, all of the solutions are going to need to store a copy of the encryption key. Some solutions might use a special chip on your laptop called a Trusted Platform Module (TPM chip), and others might want you to attach a USB thumb drive.   If you use a thumb drive, just get a drive specifically for this purpose (they cost as little as $10 now) and then store the USB drive in a safe place (like a safe or lock box). Label the drive what it’s for “Encryption Key for my Laptop” and DON’T carry this drive around or use it like a regular USB key for your files, etc.   Think about it, if you lose the key someone has a critical part of your encryption process.   You might be able to make a copy of the encryption key file in several safe places (like a folder on your laptop that is then sucked up in the Internet backup).

Don’t keep the only copy on your laptop thinking that the encrypted drive is the safest place.   When the drive fails, your IT person will be asking you for a copy and you will be stuck with your keys locked in the car essentially. Another reason you might need a copy on USB key is that some laptops can sense ‘tampering’ and will lock themselves down if they think someone is trying something fishy to hack the encryption. The only way to unlock the drive and get your laptop functioning again will be to present the encryption key.

Encrypt it All or Don’t Bother

Some solutions offer you a way to have just an encrypted folder or similar setup where only a portion of the laptop hard drive is encrypted. It wouldn’t take much of a lawyer to tear you apart on this, essentially requiring you to prove that there was no possibility of there being PHI on the unprotected portion of the drive. Don’t use a half measure – use a solution that encrypts the entire drive.

A Password is Essential

There isn’t much point to encrypting your laptop if you don’t have a good password on your Laptop.   Imagine if your laptop was set to just automatically login without stopping for a username and password.  The thief would have direct access to your data without even needing to consider hacking the encryption.  Make sure you have a strong password.   Check out our previous Blog post on this.

What about Mac’s?

I am no Mac expert so I won’t try to be. A little research with Google points out that the latest versions of the Mac OS now include FileVault 2 (it appears that all you need to do is just enable it). It will fully encrypt your Mac hard drive at the 128 bit level. I don’t know if this is Software or Hardware encryption. I am not sure how this will play with Macs set up with Boot Camp partitions, but I suggest you do a little research or enlist your Mac genius if needed. I’d still advise that you make sure you have a full regular backup in place.

What Would I Do?

Ok, you’ve suffered through the entire article to get to this. Here’s what I would do based on a few scenarios:

  • If I had an older laptop I was ready to replace – get a new laptop with Opal drive included and Windows 8 Pro and then enable BitLocker
  • If I had a decent existing laptop on a Windows version that already included BitLocker, I would just enable Software encryption and know the performance hit will be a little bit but not enough to matter
  • If I had a decent existing laptop on a version of Windows that did NOT include BitLocker and I didn’t want to replace the drive and OS (due to the hassles) I would get a third party encryption application like Dell Data Protection Encryption (DDPE) or Sophos and set up software encryption.
  • If I had a decent existing laptop and was willing to upgrade the hardware and OS, I would get a new fancy SSD with Opal drive and then install Windows 8 Pro and use BitLocker to control it.
  • For any of these solutions I would add the Do-It-Yourself auditing to document the setup was completed and periodically review that it’s still enabled.
  • I would be sure to keep one copy of the encryption key on a USB drive in my safe, and another copy in a folder on my encrypted drive that would also get backed up by my Internet Backup plan.

If I had done one of these scenarios and my laptop was lost or stolen, I would rest easy that the data was safe.

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?

The August 2014 complimentary lecture of the month is now online.  Click the link below to immediately begin viewing:

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?  presented by Dr. J. Martin Palomo.


What is “Big Data” and How Is It Related to the Practice of Orthodontics?

By Anthony M. Puntillo DDS, MSD

Have you heard of the term “Big Data”?  My guess is that for many orthodontists the term is likely a bit like the term “The Cloud.”  They may have a general idea of the concept, but are not entirely sure how it is or will be important to them.  In fact, there is a strong relationship between the two terms that I will discuss later in this article.  First, however let’s look at “Big Data” by itself.  According to Wikipedia “Big data is a blanket term for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications.”

In 2009 the United States Congress passed the American Recovery and Reinvestment Act (ARRA) which included the Health Information and Technology for Economic and Clinical Health Act (HITECH).  [For a detailed summary of this legislation please see Kirt Simmons’ blog posting from July 9, 2012 “The Electronic Patient Record: How it Affects the Private Practitioner”]. One of the requirements of HITECH is that full implementation of electronic health records (EHRs) for all patients is required by 2016.  The requirements of this act specifically pertain to healthcare providers who participate in the Medicare and Medicaid programs.  That means that currently few dentists are covered by this mandate.  However, this does not mean that we are not being affected.  Since 2009 doctors and hospitals across the country have spent billions of dollars, with the help of government subsidies, converting paper based systems to electronic digitally based health records.  These new digital systems are now collecting vast amounts of valuable data related to patient care.  Much of this information was collected before the legislation, but in a paper non-standardized format that was not easily aggregated and retrievable for meaningful analysis.  The value of all of this collected digital data is only beginning to be fully understood.  Big Data from all healthcare providers is being aggregated and programs to analyze the data are being used to improve the quality, safety, and efficiency of patient care.  Hospitals are examining treatment protocols and doctors are making better informed treatment decisions based on the previous care of thousands of similar patients.

As I stated earlier, the EHR requirement of HITECH does not specifically pertain to most orthodontists, so why is this important to us?  Many orthodontists have converted or are now in the process of converting their practices to paperless systems (without the assistance of the government money).  Several of the orthodontic specific software vendors offer cloud based systems and here is where “Big Data” and “The Cloud” come together.  The aggregation of data from hundreds or thousands of individual private orthodontic practices into cloud servers is beginning to open the door for data analysis (mining).  Just think about how valuable that information can be to our patients and practices.  Most of the research studies published in our journals today involve treatment samples of less than one hundred.  The biannual Journal of Clinical Orthodontics Practice Study generally relies on the input from a few hundred survey responders (out of a possible pool of more than 8,000). Wouldn’t it be helpful for us to know the most efficient type of Class II corrector based on the actual metrics collected from the previous care of thousands of patients treated in practices all across the country or the globe?  Wouldn’t the knowledge that your treatment times/appointments vary significantly from the national or regional averages be useful? There is little question that access to “Big Data” analytics will offer our profession the opportunity to improve treatment quality, safety and efficiency for our patients just as it is beginning to do for the other fields of healthcare.

A New Virus Threat Emerges

By Steve McEvoy, Technology Consultant


There is a new Virus threat spreading quickly across the Internet currently that is particularly wicked.  It’s called CryptoLocker.    I am writing this because I think there is some chance you could be at risk, either with your home PC or work computers.  We had five people call us infected on the first day the virus was out.  Please take a minute and read through this to the end where I suggest what you can do to help prevent getting infected.

The virus’s design has made it so that even current Antivirus products running in your firewall and antivirus software on your PCs aren’t detecting it until it’s too late, if at all.  The antivirus companies are trying to respond, but the virus ‘morphs’ each time it replicates, so it’s slippery for them to detect and block or quarantine.

What does it do?
In short, the virus is a form of Ransomware.  Once it gets into your PC, it ‘encrypts’ all your personal files and data, and then holds your data hostage for ransom.  In this case they want $300 to provide you with the unlock code to decrypt your files and remove their application.

To motivate the affected user to quick action, they only give you 72 hours to act, then the data is lost forever.

Its design is such that if your IT person then tries to remove it, this will leave your files encrypted forever.

It gets worse.  If your PC has external media like USB hard drives and USB keys attached, it encrypts those too.  Imagine if your Backup drive was attached, it would be encrypted and unusable to restore your data from before the attack.  Even worse, if your infected PC is connected to a network and you have connections to a Server, it reaches out and encrypts the data on the Server too.   If you use a Cloud based storage like Dropbox or Google Drive, it will encrypt the data within those folders as well.   If you use Internet Backup, the backup will pick up copies of the encrypted files.  A giant mess.

What can you do if it happens to you?
If you get hit by this virus – make a note of the time you have left (in the 72 hours) and then SHUT OFF THE PC entirely!  The longer it remains on, the more time it has to search and encrypt more files.   It might be prudent to disconnect the network cable too if you are connected to an office network. Contact your IT person immediately for their assistance in recovery.

Our experiences so far indicate there is no way to simply clean it and recover like other spyware or viruses.  If you have a backup that is safe somewhere (not connected to the infected PC), this is your best option for recovery, but don’t try to recover data to a machine infected with CryptoLocker, it will just destroy that precious backup.   Backups come in many forms, so I can’t tell you exactly how to best use it, but your IT person can.  It’s highly likely that you will need to reinstall Windows to your PC, and then restore your data to this Clean PC (huge hassle).  If your Server’s data got infected, you’ll need to restore that data as well.

Your very, very last option is to pay the ransom.  In most Ransomware attacks, paying the ransom does not unlock your data (why would they?).  We have seen reports that people paying the ransom in this particular case have been getting the data unlocked as indicated.  You are paying criminals, who will just use that money to do more evil things.  Think hard about this before you consider it.   Might it be better to lose the data you ‘sort of need but could reconstruct’ than to propagate this issue and reward a criminal?

How it’s getting in
I can’t tell you for certain how it’s been getting in (which is troubling).  Because it slips through the Antivirus filters, there is no defense (yet) other than using your own smarts.   Reports to date seem to indicate it gets in using one of two methods:

As an attachment to an email message.  Typically something claiming to be a shipping notice or receipt for your review.  A common lure to get you to try and open the attachment to see what it is, and if you open that attachment the virus sets in.

If your computer is already infected with some mild spyware (pop ups, other nuisances) they have found a way to exploit the Spyware’s communication methods to slip in and get started that way.  This doesn’t need a user’s interaction, and is crazy scary.

To Defend Yourself:
Don’t open attachments that come with emails unless you are 100% certain of the validity of the attached file. Meaning you should know who is sending it to you, why they are sending it, and you should have been expecting it.  Even an emailed attachment from someone you know could be a cleverly disguised virus, so be SURE before you open it.  You can always pick up the phone and contact that person to be sure they sent you something.  YOU CAN’T rely on your antivirus software to defend you at the moment.  You have to use your own smarts and avoid things that will trigger it.

If you suspect that your PC has Spyware in any other way (acting weird, slow, pop-ups) contact your IT person to address this immediately.  When in doubt, turn off the PC until your IT person evaluates it.

Keep your Antivirus program up to date on a daily (or more frequent) basis.   (If you are an MME client running Symantec Endpoint Protection, this happens automatically several times per day without your interaction needed.)
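A quick way to confirm the point above on any PC in the office, added here as an example and not code from the original post: Windows keeps a registry of installed antivirus products in Security Center, and each product reports whether it is enabled and whether its signatures are current. The script below lists what is registered and flags anything disabled or out of date. It assumes a client edition of Windows (Vista or later; the namespace is absent on Server editions) and PowerShell 3 or later; the bit-field decoding of productState is the commonly documented layout, which I treat as an assumption to confirm against the product’s own console.

```powershell
# Added example, not code from the original post: ask Windows Security Center
# which antivirus products are registered on this PC and whether each reports
# itself enabled and up to date. Assumes a client edition of Windows (Vista or
# later); the root/SecurityCenter2 namespace does not exist on Server editions.
function Get-AntivirusState {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            # productState is a packed bit field. The layout used here is the one
            # commonly documented for Security Center (hex digits 3-4: 10 or 11 =
            # enabled; digits 5-6: 00 = signatures current, 10 = out of date).
            # Treat that decoding as an assumption and confirm in the product's console.
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product   = $_.displayName
                Enabled   = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate  = ($hex.Substring(4, 2) -eq '00')
                StateCode = "0x$hex"
                Reported  = $_.timestamp
            }
        }
}

$av = @(Get-AntivirusState)
if ($av.Count -eq 0) {
    'WARN No antivirus product is registered with Security Center on this PC.'
}
foreach ($p in $av) {
    $flag = if ($p.Enabled -and $p.UpToDate) { 'OK  ' } else { 'WARN' }
    "$flag $($p.Product): enabled=$($p.Enabled) upToDate=$($p.UpToDate) ($($p.StateCode), reported $($p.Reported))"
}
```

On a Windows 7 PC still running the stock PowerShell 2, replace Get-CimInstance with Get-WmiObject (same -Namespace and a -Class parameter) and the -in test with a -contains test. A WARN line means the daily update the article asks for is not happening, which is a call to your IT person, not a reason to trust the product any more than the article does.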

Basically, responsible surfing is the best defense.

I wish I had better news, but I thought I would at least give you a heads up for now.

Please spread the word to others in your office.

If you have any questions or concerns, please let me know.

Take Care,

Steve McEvoy
MME Consulting, Inc.
4714 Duckhorn Drive
Sacramento, CA  95834-2592
Toll Free: (866) 419-1102 (ext. 2008)
Fax: (916) 419-1103

A Simple but Costly Mistake: Part 2

By Steve McEvoy, Technology Consultant

Is Your UPS Connected Right?
If you have a ‘Server’ in your Practice (a computer that holds all your precious data), it’s probably protected by a device called an Uninterruptable Power Supply (UPS).  The UPS’s job is to keep the Server running for a short period of time in the event of a power failure.  They are essentially a small battery pack.  Servers shouldn’t just be switched off in a power failure else you run the risk of corrupting data that was in use at the time (like your Management software that runs your Practice).  You could even corrupt the entire Server operating system leaving it unusable.  A properly installed and configured UPS is your protection against this corruption.   I say ‘properly installed and configured’ because in many offices this is not the case.

In Part 1 of this article we covered watching out for Surge Only ports and linking the UPS to the Server with its Communication Cable properly.  Here are the final few issues that you should check on for your Practice.

You Get What You Pay For
A UPS is designed to generate AC power (Alternating Current – same as your building) when your power fails.  They do this using batteries contained within the UPS.  These batteries are like the battery in your car and they store DC (Direct Current) power.  All UPS’s generate AC power from their DC reserves, and this is done with an AC/DC power converter.  The problem is not all power converters are created equal, and lower quality units generate a ‘Stepped’ or modified sine wave rather than the pure sine wave that your Server prefers/needs.  They do this because it’s cheaper to make.  A simulated stepped sine wave can cause all sorts of odd problems for your Server.  I’ve seen Servers that don’t power up every time or run at all when on UPS battery power, some that reboot randomly, and other power related issues.  You may not even know you have this issue (yet – until the power goes out).  All of these issues can result in corruption of your data.  You should verify that your UPS is a true sine wave model by looking up the specifications online.  If you need a new UPS verify this prior to purchasing.

Figure 2 – Depiction of a Stepped Sine Wave DC to AC power conversion vs. a true Sine Wave

Figure 3 – Specifications of a UPS with a true Sine Wave output

Figure 4 – Specifications of a UPS with a Stepped Sine Wave.  Note the listing of some Surge Only plugs

Batteries Wear Out
Just like your car battery, the batteries within a UPS have a limited lifespan.  I expect them to last 3 to 5 years at the most.  This means that they usually do not outlast the life of the Server.  If your UPS is more than 3 years old it might not be providing the protection you think it is.   In the worst cases, I’ve seen old batteries unable to keep the Server up for more than a handful of seconds, not enough time to allow an orderly shutdown.  If this was the case, you could be risking data corruption.  Many UPS’s have built in periodic self-tests to watch for this problem, and typically will turn on some form of LED saying ‘replace battery’ if it needs servicing.   Personally I recommend that you undertake a ‘calibration’ of the UPS once every six months.   A calibration will simulate a power failure and time how long the battery will last prior to depletion.   Since it’s an actual test, you can trust the result.  If the UPS has insufficient runtime when on battery it is time to do something about it.   Most UPS’s have replaceable batteries, and I would say this is a good option to follow if your UPS is properly installed and configured already as noted above (why go through all that setup with a new UPS if you can just rejuvenate your old one).  The battery won’t be cheap, but it will be less than the price of replacing the UPS.  Installing it is usually a fairly simple process, but be sure you do it with the Server OFF and follow the manufacturer’s instructions.   Be sure to recycle that old battery.

Figure 5 – Typical UPS Replacement Battery

Pull the Plug
Once you think you have all these issues in order, you might consider a real life test to be absolutely sure you have it all configured right.   Pull the plug (the main power cord to the UPS) to make the power fail, and watch ALL the results until the Server has shut down properly.  Plug the cord back in and see if it all starts back up.   Make sure that everything that ‘should’ happen actually does.  Do this when the Practice is closed and shutting down the Server won’t be a disruption.  Not the most exciting way to spend 20-30 minutes of your life, but taking the time now to be sure the entire system is working right can give you some peace of mind.

A Simple but Costly Mistake: Part 1

By Steve McEvoy, Technology Consultant

Is Your UPS Connected Right?
If you have a ‘Server’ in your Practice (a computer that holds all your precious data), it’s probably protected by a device called an Uninterruptible Power Supply (UPS). The UPS’s job is to keep the Server running for a short period of time in the event of a power failure. They are essentially a small battery pack. Servers shouldn’t just be switched off in a power failure, or else you run the risk of corrupting data that was in use at the time (like the Management software that runs your Practice). You could even corrupt the entire Server operating system, leaving it unusable. A properly installed and configured UPS is your protection against this corruption. I say ‘properly installed and configured’ because in many offices this is not the case. Here are the issues that you should check on for your Practice.

Beware of Surge Only Ports
Some models of UPS have a combination of Battery protected outlets and Surge protected outlets, and this is where the problems arise. UPSs are surge protectors as well as battery backup protection. In some units the manufacturers might provide 3 outlets on the back with full surge and battery protection, and then 3 additional ports with just surge protection (to use for less important peripherals such as a monitor). These ‘Surge Only’ ports are the problem I want to warn you of. It’s a simple enough mistake to not realize these ports don’t have the battery protection your Server needs, and to accidentally plug your Server into one of them. In a power failure, your Server will slam off, risking the very corruption you sought to avoid. The solution is simple: check to see if your UPS has a mix of ports, and if so, verify that your Server is plugged into one of the battery protected outlets. The manufacturer usually clearly labels the ports for you to see.

Figure 1 – Example of UPS with several Surge Only ports.  Notice they are clearly labeled

Don’t Forget the Communication Cable
In the event of a power failure, the UPS can only keep the Server running for some small amount of time (usually 5 to 20 minutes). Larger UPSs can run longer (perhaps an hour), but eventually they will run out of battery reserves and shut off. To avoid slamming off the Server, most UPSs have a communication cable that can be hooked to the Server (typically via USB) that allows the UPS to ‘tell’ the Server when it’s about to turn the power off. The Server typically has a small program from the manufacturer installed that is used to ‘hear’ this message from the UPS, and when it does, it begins an ‘orderly shutdown’ of the Server, essentially the same process as you walking up to the Server and clicking on Shutdown. Some people think “I can just go shut down the Server myself if the power fails”, but what if the failure occurs at night, or while you are at lunch, etc.? I see setups all the time where the UPS is installed and the critical cable and/or software aren’t. Without them, you are just delaying the power failure for a few minutes and the corruption can still occur. Check that your UPS is set up to communicate with your Server properly.

To be continued …
In Part 2 of this article we’ll discuss two more important aspects of your UPS system that are essential to check.

Do You Need Cyber Liability Insurance?

By Dr. Greg Jorgensen
Rio Rancho, NM –

I recently watched the AAOIC’s Annual Risk Management DVD and took the quiz so that I could save 10% on my insurance premium. One of the new topics mentioned was cyber liability insurance. I had never heard of it. What is it and do you really need it?

According to InsureNewMedia, a company specializing in insurance solutions for technology, software, and Internet businesses, if you have a website you are legally considered a publisher and are liable for all things associated with it. These include infringements of intellectual property, virus transmission, and email liabilities of all types.

Do you have legal rights to all of the pictures used on your website? How about the content found thereon? The InsureNewMedia story cited an example of a 1999 lawsuit in which a website was successfully sued for improperly displaying a sport celebrity’s name and photograph. The settlement for “fair market value” was $750,000. The legal area of cyber liability is in its infancy and there is no telling what will be included in future lawsuits.

In her article “6 Reasons You Should Have Cyber Liability Insurance,” Minda Zetlin explains another common liability that faces small businesses: the breach of the data on our servers. Cyber liability insurance may cover the costs of notifying patients, income lost by the interruption of your business due to a malicious hack, the hiring of a PR firm to repair damage to your reputation, and even fines imposed for HIPAA violations. Zetlin also states that we are legally liable for patient data that is hosted “in the cloud.”

The AAO Insurance Company’s general liability policy excludes issues related to the Internet. If you want to be covered, you will need to invest in a separate cyber liability policy. For more information, call the AAOIC at (800) 622-0344.

I Just Inherited Twenty Million Dollars!

By Dr. Greg Jorgensen
Rio Rancho, NM –

I have exciting news. This will be my last blog post because I am retiring. This past week I received an email from South Africa notifying me that a distant cousin who was pretty high up in the government down there passed away without a will (I would have thought that most millionaires would have wills, but I’m not one to question). Anyway, turns out that I’m his closest living relative and I can lay claim to his entire twenty million dollar fortune just by emailing the trustee (who is an actual attorney) my name, address, social security number, bank account number and routing number, and $2,500 for legal fees. Once he gets that information, he’ll transfer the entire twenty million into my account and I can sell my practice and start traveling!

Obviously, none of us would fall for such a transparent scam as the one described above, and yet within the past month several of our AAO members turned over personal information in an online scam disguised as correspondence from the AAO. Thousands of AAO members received these emails from “” notifying them that they had a security message and needed to access their online AAO profile to resolve the problem. Some very educated doctors innocently clicked the link provided in the email and entered their login information and personal data. The problem was that the AAO never sent that email. It just goes to show that it can happen to anyone.

Phishing is a type of online identity fraud in which criminals attempt to obtain personal information through misrepresentation. Pretending to be trusted businesses or organizations like banks, government agencies, or online service providers (AOL, PayPal, etc.), criminals ask unsuspecting users to provide login names, passwords, and account numbers that can then be used to steal money and services. These requests might explain that there is a problem with your account and that you need to reset your password. They might tell you that they received your “recent order” and your account has been charged (BTW, if you didn’t place the order, you can just click on the link and enter all of your personal data to cancel it). They may notify you that your account has been placed on hold until you log in. They may just ask you to log in to your online account and verify the accuracy of the data. Regardless, there is always a hook that makes you think there is a problem, followed by a request that you follow a link and give them personal information.

Here are some things you can do to avoid being duped:

  1. Is the email addressed specifically to you or is it generic? Is it to “Dear Dr. Jorgensen,” or is it to “Dear member”? Most phishing schemes involve millions of emails sent to random or collected email addresses where the name of the actual recipient is not known and therefore they are addressed to generic recipients.
  2. Do you even have an account with the bank or business? Many times the criminals will use random email generating algorithms that just happen to create your email address. If you’ve been contacted by the “Bank of America” about a problem but you don’t have an account with them, that is a dead giveaway!
  3. Does the email contain poor or incorrect spelling or grammar? Many phishing attempts originate in foreign countries. The probability of the AAO using bad grammar is decreasing all the time! (haha)
  4. Does the link actually point to the appropriate website? Hover your mouse pointer over (but DO NOT click on) the link provided in the email. Look at the status bar in your email window (usually the lower left hand corner) and see where the link will really take you. The link in the AAO email above read “Secure account log in,” but it pointed to “”. This is a way to see at a glance where the click would take you.
  5. Even if you think the email is legitimate, it is safest to go directly to the site yourself. Open a browser, log in to your account yourself without the aid of a link, and then see if the problem or request exists on the actual website.
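Points 1 and 4 above can be checked mechanically before anyone hovers or clicks. The following is an added example, not part of Dr. Jorgensen’s post: it pulls every link out of an HTML message, compares the real destination host against a list of hosts the organization actually uses, and looks for a generic greeting. The sample message, the trusted host list and all domains are constructed placeholders on the reserved .example TLD.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the message described above; the
# domains are placeholders on the reserved .example TLD, not real hosts.
SAMPLE_EMAIL = """<p>Dear member,</p>
<p>There is a security message on your profile. Please
<a href="http://aao.example.login-verify.example.net/x">Secure account log in</a>
to resolve it, or see <a href="https://aao.example/help">aao.example/help</a>.</p>"""

# Hosts the organization really uses (placeholder; substitute your own).
TRUSTED_HOSTS = {"aao.example"}
GENERIC_GREETINGS = ("dear member", "dear customer", "dear user", "dear valued")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what the hover check reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    # Exact match or a true subdomain; 'aao.example.evil.net' must NOT pass.
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def suspicious_links(html):
    """Return the links whose real destination host is not a trusted one."""
    p = _LinkCollector()
    p.feed(html)
    return [(href, text) for href, text in p.links
            if not is_trusted(urlparse(href).hostname or "")]

def has_generic_greeting(html):
    """Point 1 above: is the message addressed to a generic recipient?"""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    return any(g in text for g in GENERIC_GREETINGS)

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL):
        print(f"'{text}' really points to {href}")
    print("generic greeting:", has_generic_greeting(SAMPLE_EMAIL))
```

Note that the host check insists on an exact match or a true subdomain, so a lookalike that merely begins with the trusted name is still flagged.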

These are just a few ideas for keeping private information safe. Scammers are trying to exploit every new technology and technique to make a buck. Be careful when you are online. Be equally careful when you receive an Internet link in an unsolicited email.

What Makes a Good Password?

By Steve McEvoy, Technology Consultant

Is your password based on your name or one of your family members?  How about some number related to your birthday?  Your favorite Disney character?  A pet’s name?  The numbers to your home or office?  I’ve seen all these approaches, and unfortunately so have the hackers.

In recent weeks hackers have stepped up their attacks on the Internet. One of their latest tactics is using other infected computers as robots (bots) to attempt to log in to computers connected to the Internet with RDP Remote Access enabled (see my other blog article on the details of this, and how to defend yourself from it). They can make a try every one or two seconds, easily more than 40,000 tries per day. They don’t get tired and they don’t give up easily. If you have a simple password, it increases the chances a hacker could get through. This is just one of many reasons to have a good password.

What makes up a good password?
The obvious answer is something that no one could guess or reasonably hack.  Five or more years ago, it was generally accepted that a good password included:

  • A mix of upper and lower case
  • At least one number
  • At least 7 characters in length

For example, ‘cowboy’ was a bad password, but ‘Cowboy7’ was a good one.  But alas, in today’s more hostile environment Cowboy7 is now considered a weaker password.
S6&k#)Y3f^dT!a would be a great password, but incredibly difficult for you to remember. 

Somewhere there needs to be a balance between security and functionality. This is further compounded by the strong suggestion that you should NEVER use the same password in two places, meaning that you will need to remember multiple complex passwords. In my opinion, a stronger password today should include at least:

  • One or more special characters such as !@#$%^&*()
  • At least one number, preferably two or more
  • A mix of upper and lower case
  • At least 7 characters in length, more (10+) is better
  • A non-dictionary word, ideally something totally random 

I suggest inventing some algorithm in your mind to create your passwords.  Start with some totally random thought like “The Quick Brown Fox Jumped Over the Lazy Dog” or “My Car is Blue”.  Then take the first or last letter of each word, such as “TkBxJrLg”.  Now blend in random numbers and syntax, and it might become “Tk5Bx@Jr&Lg”.  Invent your own system in a way that you can remember it.
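The rules listed above can be turned into a checker, and the 40,000-tries-per-day figure from the start of this article into a rough cost estimate. This is an added example, not code from the article: the word list is a constructed stand-in for a real dictionary file, and the estimate assumes an attacker who simply tries every combination of the character classes the password uses.

```python
import re

# Rules listed above: a special character, at least one digit, mixed case,
# 7+ characters (10+ better) and not a plain dictionary word. The word list
# is a constructed stand-in for a real dictionary file.
SPECIALS = set("!@#$%^&*()")
COMMON_WORDS = {"cowboy", "password", "letmein", "welcome", "monkey"}

def check_password(pw):
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("not mixed case")
    if len(pw) < 7:
        failures.append("shorter than 7 characters")
    # Strip digits and symbols so that 'Cowboy7' is still caught as 'cowboy'.
    if re.sub(r"[^a-z]", "", pw.lower()) in COMMON_WORDS:
        failures.append("dictionary word")
    return failures

def brute_force_days(pw, tries_per_day=40_000):
    """Days for a bot making the article's 40,000 tries per day to exhaust
    every password of this length over the character classes actually used.
    A dictionary word falls far sooner, which is why the last rule exists."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(c in SPECIALS for c in pw): alphabet += len(SPECIALS)
    return alphabet ** len(pw) / tries_per_day

if __name__ == "__main__":
    for pw in ["cowboy", "Cowboy7", "Tk5Bx@Jr&Lg", "S6&k#)Y3f^dT!a"]:
        print(pw, check_password(pw) or "OK", f"{brute_force_days(pw):,.0f} days")
```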

You should also change your passwords periodically.  Microsoft suggests every 30-60 days.  I don’t know about you, but my brain probably can’t hold that much change and complexity.  I think at least once per year is a good start.

Some resources that you might find handy
Store your passwords in a safe place: Why try to remember them all when you can store them in a database? One of many free applications that store all your passwords in an encrypted database is called Password Safe. It has Windows and Android smartphone versions, so you can have your passwords with you wherever you are. Password Safe also has a nifty feature where it will generate a hard, random password automatically for you. If you write it down on paper (gasp), lock it in a safe (seriously). Don’t put it on a post-it note next to the computer or under the keyboard.

Random Password Generator:  Not feeling creative, and want a computer to generate a really hard random password for you?  One of several free ones available on the Internet is You tell it how long you want the password and if you want symbols, and it generates it for you.   If you use this, remember to document the password somewhere in case you forget (and you will).

Want to learn what Microsoft thinks makes a good online password? Read it here.

Whatever your password is I hope this inspires you to review it and change it as needed.   Think beyond just your own password, and review EVERY password on your practice network.  Enlist the help of your IT person if needed.
