Quotables: How Do I Use the Cloud? (Real Simple)

Check out Anderson Technologies’ recent contribution to the February 2019 edition of Real Simple magazine. Director Farica Chang answers questions about the cloud and how it’s used every day!

“In short, the cloud refers to files and applications that are stored or used on the internet,” Chang says in the Real Simplifier feature.

Read the full article in the print edition of Real Simple, on newsstands February 10, 2019, or through digital retailers (like Amazon or Barnes & Noble) now.

Are you in need of expert IT consulting?  Anderson Technologies is a St. Louis IT consulting firm that specializes in system administration for small businesses.  Let us help you today!  Give us a call at 314.394.3001 or email us at info@andersontech.com.

What are Quotables? This is a category in our posts to highlight any professional publications that benefit from our expert IT consulting advice and quote us in articles for their readers. 

Ring, Ring! It’s Voice Over IP!

Is it time to modernize your phone systems?

VoIP, or Voice over Internet Protocol, uses your internet connection for phone services. Rather than transmitting a voice signal over separate analog telephone lines, a VoIP user takes advantage of your computer network and the internet already in place to make a voice or video call. You may have heard of your network having an IP address. That’s the same Internet Protocol being used here.

While VoIP has existed for years, previous iterations proved expensive and unreliable, requiring a large investment for an often poor quality service. Businesses hesitate to invest in technology that had a rocky start. So what draws businesses to VoIP today?

In the era of high-speed internet, VoIP is cost-effective, high quality, and enables advantageous features like the continuity of using the same work number while out of the office on your mobile phone. Voicemail transcription to text, mobile apps, enhanced security, and the overhead savings involved in making the switch to VoIP now convince most businesses to drop traditional phone plans.

Is VoIP The Right Solution for My Business?

The answer to this question depends on the needs of, and willingness to change within, your individual business. While VoIP is an efficient solution for most small businesses, it doesn’t meet everyone’s needs.

Signs VoIP Might Not Be Right For Your Business

Jeremy Richardson, an account executive from VoIP provider Vonage, explains, “Some businesses must have direct paging between phones, or actual ‘line’ numbers on the phones. Some of these are not available on VoIP.” If this service is integral to your business operation, there could be problems switching to VoIP.

Another reason you might not want to switch to VoIP is if the traditional system is working just fine. If the existing system is cost effective and functional, there’s very little reason to change. For example, Richardson says, “certain businesses (schools, hotels, retail stores) require a lot of phones that are rarely used.” These businesses can rely on only a few lines without business disruption. Switching to VoIP would be cost-prohibitive in these cases “because in a traditional VoIP set-up, each phone requires its own line.”

However, for a business in which the traditional model isn’t working or is too expensive, VoIP could be the answer.

What Can VoIP Offer My Business?

Investment in VoIP can establish portability, convenience, and professionalism for a modest upfront investment.

Easy Transition

Richardson, with whom Anderson Technologies has worked on past VoIP installations, says one of the biggest factors preventing businesses from making the switch is overthinking the setup and maintenance of a VoIP system and believing onsite support is necessary: “Many people associate using VoIP technology with having to be very tech savvy.” However, this is not necessarily the case.

VoIP phones often come pre-programmed or are easy to program on-site. “Once plugged into Ethernet,” Richardson says, “the phones and features can be easily adjusted and controlled from a user-friendly online dashboard.” After the initial set-up, the learning curve for these phone systems is far from steep. This is doable for any business, and with a managed services team, this process becomes a breeze.

Flexibility, Portability, Convenience

Using a VoIP app, your cell phone can become a switchboard for any incoming calls to your work lines. In the event of power or internet outage, VoIP keeps your business online. VoIP providers offer “business call continuity and mobile apps to combat this issue,” Richardson says. Depending on your provider, you also have the options of three-way calls, call forwarding, video, and call waiting.

A fully-integrated VoIP system allows the flexibility of communicating any time and any place that has an internet connection—ensuring your customers and employees will always be able to get in touch with you. Some VoIP options include voicemail transcriptions to email or text for when phone calls aren’t convenient. When a caller dials your office number, you’re reachable from that number even if you’re travelling. If you have multiple base camps, like offices in multiple locations, your VoIP phone system can be configured to ring all office lines simultaneously.

Lower Up-Front Cost

In the past, companies purchasing phone systems used to pay $10-25k up front for 20+ users for a PBX (Private Branch Exchange) system, then pay separately for line service. VoIP operates on a different model, eliminating the need to acquire a PBX and instead uses resources in the cloud. VoIP lines may only cost about $20 each, and the price tag usually includes long distance at a better rate than most competitors. Per-line cost often includes each headset, so there are no big, up-front investments for equipment.

High Quality

Price isn’t the only quality that’s improved over time. VoIP used to be known for dropped or poor quality calls, but as the internet becomes faster and more stable, with better network configurations, VoIP is proving itself with clearer calls than even landlines.

Call quality hinges on internet bandwidth and on setting up your network for Quality of Service (QoS), so it is important to partner with an IT services provider that can ensure your business has the optimal bandwidth for a VoIP network.

Security

While security should be a concern, especially for work on the go, VoIP shouldn’t be considered a significant risk. “Knowing that there’s risk involved with both landlines and VoIP is important,” says Luke Bragg, Senior Systems Administrator at Anderson Technologies. “Neither is ever going to be completely secure, but there isn’t any more risk with VoIP than a landline.” When choosing a VoIP provider on your own or with the help of a managed services partner, look for encryption, redundant network infrastructure, and HITRUST security compliance. These tools allow technicians to quickly identify and resolve issues if any attempted security threats arise.

That’s something every business wants to hear.

But as Mark Anderson of Anderson Technologies says, “To fully utilize the promise of your network, it’s important to invest in the proper tools.”

Does Your Business Have the Proper Tools?

Internet network speed and setup is vital to the success of a VoIP system. Richardson often asks, “Do they have enough speed to support their phones and computers? Is the internet hardwired to the building?” Richardson notes that hot spots, satellite, and microwave internet have proven too unreliable for VoIP, and asks, “Does the business have hard-lined Ethernet to each phone?” While VoIP can potentially work on a WiFi network, this is not a configuration we would recommend.

For instance, if your network isn’t configured correctly, your VoIP call quality will suffer dramatically. You’ll probably need to add bandwidth to support the extra traffic, and VoIP traffic must be prioritized. Cost for this bandwidth shouldn’t be a prohibiting factor, either. Most VoIP systems can function using 100 kbps (kilobits per second) per user; however, Anderson recommends 500 kbps to 1 Mbps (megabits per second) per user for optimal performance. Internet bandwidth has to be sufficient for not only the phone system, but also email, web usage, and streaming. A managed services team can make these adjustments to ensure that VoIP is successful for your business.

Upgrading your internet is vital for quality of service. Your firewall must be set to prioritize phone traffic to ensure that phone conversations aren’t broken up or disconnected when another user begins a major data transfer. VoIP of ten or five years ago often had a reputation for broken or disconnected calls, but with the right bandwidth and configuration, that doesn’t have to be the story for you today!

The best setup, says Anderson, involves establishing a separate subnet from the main network so the phone traffic is isolated and not interspersed with other traffic. The solution for this is a Virtual Local Area Network.

With an upgraded network, VoIP is quickly changing the standards for call quality, flexibility, mobility, and organization.

Would you like to fully utilize the potential of your network? Anderson Technologies can help ensure that you have the proper tools to not only get a VoIP system up and running, but keep it running smoothly and efficiently. Contact us today on our website or by phone at 314.394.3001!

Collection #1 Security Breach

Here at Anderson Technologies we like to keep our clients updated on the latest cyber security news. We’ve covered such breaches as KRACK and the Equifax hack in the past, and now we’re reporting on a breaking data breach called Collection #1, which affects nearly 2.7 billion emails and password combinations.

What Exactly Is the Collection #1 Breach?

The Collection #1 Breach was first reported January 17, 2019, by Troy Hunt, a cyber security researcher and operator of Have I Been Pwned (HIBP). Hunt named the breach after the root folder—containing over 87GB of data—that was uploaded to a hacking forum. Comprised of around 773 million unique email addresses and 21 million unique passwords, this information seems to have been gathered from databases of personal information from over 2000 breaches as far back as 2008.

“This number makes it the single largest breach ever to be loaded into HIBP,” Hunt states in his blog post explaining the breach.

While this personal information may not be much use to one-off hacking attempts, the real danger comes with a technique known as “credential stuffing.” Gizmodo explains:

Basically, credential stuffing is when breached username or email/password combos are used to hack into other user accounts. This could impact anyone who has used the same username and password combo across multiple sites. This is concerning as the Collection #1 breach contains almost 2.7 billion combos.

How Do I Know if I’ve Been Impacted?

Thankfully, the easiest way to see if any of your email addresses, usernames, or passwords have been affected by Collection #1 is to use Hunt’s HIBP. You may have even used this resource to know whether or not to change a password after past breaches like Equifax!

Hunt has painstakingly cleaned and entered all data from Collection #1 into HIBP’s (safe) search engine, allowing anyone to securely check if any individual user account information was compromised.

How Do I Keep My Accounts Safe from Future Breaches?

The nature of these data breaches indicates decoding of previously encrypted account information like email addresses and passwords. Anderson Technologies recommends protecting yourself with multi-factor authentication (MFA), as well as a password manager like LastPass or Dashlane.

“The only way to effectively deal with it is to use MFA,” says Joe Baker, Anderson Technologies Systems Administrator. “I like the MFA standard of something you know and something you have—you know your password, and you have your phone for authentication.

“Everyone should go to haveibeenpwned.com to check their email addresses. For me, after entering my email, I searched for and found my compromised email and old password in a matter of seconds. It’s shockingly easy to get this info once it’s out there in plain text. If it’s something that you care about, protect it with MFA. If you can’t protect the account with MFA, then don’t use that account.”

If you believe information vital to your business has been compromised (current administrator credentials, for example), immediate intervention can help mitigate further security threats. Senior Systems Administrator Eric Dischert suggests the following steps:

  • Update passwords for all affected accounts
  • Temporarily lock all systems until extent of the breach is known and appropriate steps have been taken
  • Ensure proper auditing and logging are running
  • Determine the root cause, impact, and necessary steps to fix
  • Deliver a public announcement (if industry regulations require it) and prepare for corresponding responses
  • Educate employees regarding breach details and lessons learned

As always, consult with your managed services provider to ensure all these steps are completed thoroughly enough to protect your business from further threat. For more information about Collection #1 and the consequences for your personal information, contact us here or at 314.394.3001.

HIPAA Part 3: Document! Document! Document!

As you read through the Privacy and Security Rules for HIPAA, you’ll see a pattern that shouldn’t be taken for granted. Nearly all the implementation specifications require some form of policy and procedure documentation. This involves more than the reasoning and justification for how you choose to implement the specifications (though that must be documented as well). These are the policies and procedures that HIPAA expects your business to follow every day.

Organizational Standards

Besides the administrative, physical, and technical safeguards which make up the majority of the Security Rule, there is a lesser known section of safeguards called organizational standards that deal largely with the paperwork required by HIPAA concerning protected health information (PHI) in any form. This section is often overlooked because many of its requirements are addressed in greater detail throughout the Privacy and Security Rules. The four standards in this section include:

  • Business Associate Contracts
  • Requirements for Group Health Plans
  • Policies and Procedures
  • Documentation

This article focuses on the last two standards: Policies and Procedures and Documentation, both of which lay the groundwork for HIPAA compliance. The other two standards shouldn’t be ignored, but they concern only those who: a) are or need a business associate or, b) are a sponsor to a group health plan that provides data beyond enrollment and summary information.

Note: If you work with or are a business associate that works with ePHI and your contract has not been updated since the HITECH Act in 2009 or the Final Omnibus HIPAA Rule in 2013, you will want to review and update all contracts to ensure they meet the current standards regarding business associates.

Standard 164.316(a): Policies and Procedures

Why have an entire standard dedicated to something addressed in nearly every single implementation standard? This standard explains what HIPAA expects from the policies and procedures that a business creates. Specifically, it references the Security Standards’ General Rule of Flexibility of Approach, which is discussed in Part 2 of this series. It also allows for policies and procedures to be changed at any time to adjust to new demands or technologies, as long as all changes are documented and implemented accordingly.

Standard 164.316(b)(1): Documentation

This standard identifies how documentation required by HIPAA is to be maintained. According to this standard and its subsequent implementation standards, all documentation required throughout the Security Rule’s standards, including but not limited to

  • policies and procedures,
  • job responsibilities and duties,
  • risk assessments, and
  • action plans

must be recorded (physically or electronically) and retained for a minimum of six years from the date of creation or when it was last in use, whichever date is later. All documentation must be available to anyone who uses those procedures, and documentation should be consistently reviewed and updated as necessary.

Note: The six-year retention rule only satisfies HIPAA standards. State law may require some documentation to be retained for longer. Always verify what state laws apply to your business, as HIPAA does not supersede many state requirements.

Bringing Your Policies into Compliance

It’s possible your business already has clear policies and procedures in place, but that doesn’t immediately make you HIPAA compliant. You still need to go through each one to ensure it satisfies the implementation specifications it pertains to. If not, policies may need to be updated or new ones added. HIPAA gives businesses a great deal of leeway in how policies and procedures are written, so both updating existing documentation and creating all new materials is acceptable.

What should the policies and procedures say?

HIPAA doesn’t dictate the exact wording of any policy or procedure. It’s up to the business, taking into consideration the Flexibility of Approach guidelines, to determine what policy needs to be implemented. Generally, a policy explains a business’s approach to the subject it relates to.  If the policy concerns removing access from those who no longer work for the company, it could read something like:

At the end of an employee’s last day of employment with [company name], security and/or IT staff will remove that employee’s access to company systems and restricted locations and document the change of access. The employee’s supervisor will verify that all access has been revoked within twenty-four hours.

This offers clear guidance about what the company intends to do to remove access from someone who no longer is allowed to work with PHI. It also provides an implementation timeline, who should implement the policy, and how the company will ensure it gets implemented properly.

The procedure that accompanies the policy would then offer easy-to-follow directions on how those responsible are to implement the policy. A sample procedure may look like this:

Regarding Policy for Removing Access of Former Employees

Duty of IT Staff or Managed Services Provider

  1. Go to [directory] and locate the list of all programs and devices employee had access to according to job title. Check this list against their user account to ensure no programs are missed.
  2. Starting at the top of the list, go through each program and device and remove employee access. For procedures regarding specific programs, see [directory of procedures].
  3. Go to Active Directory and find employee information.
  4. Back up emails and save them to [directory] to be stored for a period of one year before deletion.
  5. Back up any information relating to patient care in appropriate directories. See [directory list] for proper placement.
  6. Disable user’s Active Directory account and change their password.
  7. Document time, date, and your name in the Employee Termination log to indicate all access is removed.
  8. Inform former employee’s supervisor when access removal is completed for verification.

Procedures should be as detailed as possible so that there is no ambiguity or confusion in what needs to be done. It allows newer employees to accomplish tasks they may not have performed before. There may also be multiple procedures related to the same policy depending on the duties of each person. Margret Amatayakul wrote an excellent guide to creating policies and procedures for the Journal of AHIMA (American Health Information Management Association).
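
The supervisor's verification step from the sample policy, as an added example (not part of the original article): it compares the Employee Termination log against each former employee's access list and flags removals that are missing, late, or unsigned. The log layout, account names, and system names are constructed for illustration; the twenty-four-hour window comes from the sample policy.

```python
"""Audit an Employee Termination log against the 24-hour access-removal policy."""
from datetime import datetime, timedelta

VERIFY_WINDOW = timedelta(hours=24)  # from the sample policy: verified within 24 hours

# --- Constructed sample data (hypothetical employees, systems and technician) ---
LAST_DAY_END = {
    "jdoe": datetime(2019, 1, 11, 17, 0),
    "asmith": datetime(2019, 1, 11, 17, 0),
}
ACCESS_LIST = {  # step 1 of the procedure: everything the job title had access to
    "jdoe": ["Active Directory", "EHR", "Email", "Badge"],
    "asmith": ["Active Directory", "Email"],
}
TERMINATION_LOG = [  # step 7: (employee, system, removed_at, removed_by)
    ("jdoe", "Active Directory", datetime(2019, 1, 11, 17, 20), "ktech"),
    ("jdoe", "Email", datetime(2019, 1, 11, 17, 25), "ktech"),
    ("jdoe", "EHR", datetime(2019, 1, 13, 9, 0), "ktech"),  # after the window
    # no entry at all for jdoe's badge
    ("asmith", "Active Directory", datetime(2019, 1, 11, 17, 5), ""),  # no name
    ("asmith", "Email", datetime(2019, 1, 11, 17, 6), "ktech"),
]


def audit_offboarding(last_day_end, access_list, log, now):
    """Return (employee, system, status) for every removal that fails the policy.

    PENDING  - not yet removed, still inside the 24-hour window
    OVERDUE  - not removed and the window has closed
    LATE     - removed, but after the window closed
    UNSIGNED - removed in time, but the log entry names no technician
    NO ACCESS LIST - nothing to check the log against for this employee
    """
    removed = {}
    for employee, system, removed_at, removed_by in log:
        key = (employee, system)
        # If a system is logged twice, the earliest removal is the one that counts.
        if key not in removed or removed_at < removed[key][0]:
            removed[key] = (removed_at, removed_by.strip())

    findings = []
    for employee, end in sorted(last_day_end.items()):
        deadline = end + VERIFY_WINDOW
        systems = access_list.get(employee)
        if not systems:
            findings.append((employee, "*", "NO ACCESS LIST"))
            continue
        for system in systems:
            entry = removed.get((employee, system))
            if entry is None:
                status = "OVERDUE" if now > deadline else "PENDING"
            elif entry[0] > deadline:
                status = "LATE"
            elif not entry[1]:
                status = "UNSIGNED"
            else:
                continue  # removed in time and signed: compliant
            findings.append((employee, system, status))
    return findings


if __name__ == "__main__":
    report_time = datetime(2019, 1, 14, 9, 0)
    for employee, system, status in audit_offboarding(
        LAST_DAY_END, ACCESS_LIST, TERMINATION_LOG, report_time
    ):
        print(f"{status:<15}{employee:<8}{system}")
```

Keeping each report alongside the termination log gives the documentation trail that the six-year retention requirement expects.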

Note: Both the Security Rule and the Privacy Rule require policies and procedures to be created. A company can combine relevant Security and Privacy standards into a single policy or create entirely separate policies for the Security and Privacy Rules. Each business should determine what is best for its employees.

Employee Training

Once you have your policies and procedures written and accessible, the next vital step is to train employees on them. HIPAA requires all employees to be trained in the policies and procedures related to their job. This training includes everyone from the maintenance staff to the CEO. Each time a policy or procedure is updated, retired, or replaced, the affected staff must be informed and, if needed, new training should occur.

Of course, maintenance personnel and CEOs won’t need the same kind of HIPAA training, just as IT support doesn’t need the same training as a nurse. HIPAA doesn’t dictate the way training happens, only that it happens. This means big companies that can afford professional training materials can do so, but smaller companies may hold informational meetings, allowing each to train the way that is most effective and makes the most sense for them.

Suggestions for employee training

  • Go through your employees’ job descriptions and separate employees by the level of access they have to PHI.
  • Create training programs for each level of access and/or the duties required in the job description so each employee gets the training suited to their job.
  • Don’t overload employees with policies and procedures that don’t relate to their job.
  • Ensure all training includes how to access the company’s policies and procedures in case employees need to revisit or reference them.
  • Ensure all employees know who to contact if they have any questions.

Sanctions

Along with training employees, HIPAA also requires you have clear consequences for not following the written policies and procedures. The types of offenses should be clearly defined and the disciplinary action enacted for every infraction.

One way a company might dictate levels of disciplinary action would be to clarify whether a break in policy or HIPAA standard was accidental, made through negligence, or of malicious intent. This allows various consequences for the same infraction without being inconsistent. An example would be: a) an employee leaving a workstation unlocked because an emergency situation demanded they respond immediately, b) they consistently forget to lock their workstation even after being warned about it, or c) they intentionally leave a workstation unlocked to allow someone without access to view ePHI. While the problem is technically the same, they don’t all deserve the same consequences. As with everything else, all infractions and disciplinary actions need to be documented and retained for six years.

In 2018, the Health and Human Services Office of Civil Rights reported 279 breaches of PHI, each resulting in at least 500 individuals affected, though often the number was much higher. Policies and procedures may feel tedious to write, but they provide employees with the information necessary to do their job in a HIPAA compliant manner and could prevent a breach of PHI.

For help with developing clear and secure policies for your company’s software and devices, contact Anderson Technologies at 314.394.3001 or by email at info@andersontech.com.

Countdown to Windows 7 End of Life on January 14, 2020

While the world celebrated the New Year, Microsoft enjoyed their own major milestone as Windows 10 was finally declared more popular than Windows 7.  Previous iterations of the Windows operating system couldn’t sway many Windows 7 corporate holdouts (Windows 8 and Windows Vista, for example), but for several years Windows 10 has demonstrated the stability and performance necessary to support business users.

More than half of enterprise machines run Windows 10 today. However, many others still use Windows 7. Experts consider these active machines a security risk—not to mention their poor performance due to aging hardware. Now Microsoft is forcing everyone’s hand.  Exactly one year from today, Windows 7 joins other aged operating systems in “end of life,” placing any machines still running it on a deadline.

What Does This Mean for Your Computer and Your Business?

Windows 7 reaches end of life on January 14, 2020. After this date, Microsoft will no longer develop countermeasures or fixes to address new breaches, exploits, viruses, and attacks, leaving Windows 7 computers vulnerable. Some businesses may require a machine to stay on Windows 7 to run legacy software, but these machines should not be connected to the network as they will be a high-value target, giving hackers easy access to an otherwise secure network.

This deadline is an opportunity. Consider it a countdown to more efficient work spaces, more secure transactions, and features that integrate seamlessly with the Cloud and mobile devices. Speed, usability, and security all see major upgrades in Windows 10—upgrades that can make a huge difference for your business.

With the help of a managed services provider like Anderson Technologies, “end of life” doesn’t have to derail you. Is your business still relying on Windows 7? Contact us today to discuss your options for this important transition.

Order of Operations: Moving and Upgrading the Local 562 Union Network

“It was meant to be.”

This is how Megan Branham, Executive Assistant at Plumbers & Pipefitters Local Union 562, describes the Union’s partnership with Anderson Technologies. The organization was in the process of planning a company-wide move to upgraded facilities and wanted to upgrade their IT at the same time.

Local 562 is split into two distinct halves: Union and Welfare Educational Fund (WEF). Branham’s focus was on the Union side of the organization, but the technology on the WEF side needed to improve as well. The two halves work hand-in-hand, so upgrading technology on both sides was a must. And since Local 562 is growing, they needed more than the one-man IT team that previously managed its systems.

“I knew from the beginning it was an enormous job,” Branham says. “We needed something different, and we needed someone to understand the situation they were walking into.”

Finding the Right Fit

An organization as large as Local 562 requires substantial deliberation when choosing a new vendor to partner with. They gathered quotes from many different managed services providers before making a decision. Many IT vendors had been recommended to various high-level employees, and narrowing down candidates wasn’t an easy process.

Branham knew from her experience troubleshooting Local 562’s day-to-day IT problems that they were looking for a partner that could tackle both the network overhaul required by the move and the everyday “What is XYZ?” questions.

One of the biggest factors was how the new IT vendor would mesh with her team. “You could say we have a lot of strong personalities,” Branham says with a laugh. Many organizations, both large and small, encounter resistance to change at some level; Local 562 was no different.

“From the time we met Mark [Anderson], he was just very calm,” she recalls. “He really understood where I was coming from.” Not all vendors Branham considered had the same presence of mind. “I didn’t get that same feeling from the other companies,” she says. “It felt more like they would have come in, done things the way they thought it should be done, and we’d have to figure it out from there. This is a big deal when you’ve got so many people who are used to doing everything a certain way.”

Anderson Technologies focuses on making its clients an active part of the planning and implementation process, especially during a project when a new partner could easily take control from Local 562’s employees. “Mark [Anderson] also knew that it was important that we were an intricate part of designing how it was going to be, not to change everything we already had,” Branham says. “I felt like every single one of the staff at Anderson [Technologies] was very responsive to that.”

Managing Expectations

Once the partnership with Anderson Technologies was approved, planning for the move could proceed. The opportunity to take a fresh look at Local 562’s current technological status couldn’t be missed. Anderson Technologies and Local 562 together examined what could be improved – or completely restructured.

“I knew our security was not up to par,” Branham says. With emerging cyber security threats came the importance of an outside team to monitor Local 562’s safety. “I felt it was important to have that third party doing all that for us too; not that it’s all them, but they’re helping us find the right ways to do things.”

A study of Local 562’s dynamics helped Anderson Technologies determine the organization’s greatest needs, even when they were difficult to quantify. While each half of the Union performs some functions in conjunction, separate responsibilities needed to be divided. Branham describes it as “spreading everything apart but still making it easy to work together.” Previous IT solutions had muddled that line. Local 562’s sole business manager delegates operations to directors in the two departments. All of Local 562’s digital infrastructure was housed on one network.

The “separate-but-together” end goal split Union and WEF into their own individual server environments but consolidated all employees under one email domain—uniting the two departments. “I knew that there was a way for us to streamline all these things,” Branham says.

Moving the Operation

The physical move itself was a source of colossal stress for every employee of Local 562. “The Anderson [Technologies] team was very calm, and that’s really what we needed,” Branham says, “because there was a lot of anxiety on the side of everyone here.” During the week-long move from a property in North St. Louis County to one that’s twenty miles west, Anderson Technologies was on-site through the weekend to create new separate domains, install new firewalls, configure the new servers, migrate user profiles, transfer server data, and put out any fires that happened to arise.

Branham describes how the Anderson Technologies team took every little problem in stride: they “kept it smooth and comfortable, and it was a good process and good flow the way everything worked. [The team was] extremely flexible and that made a big difference in the way that people accepted the change, too.”

Coping with the technical logistics of the move was an anticipated challenge. Branham and the rest of Local 562’s employees expected to be unable to use their computers for an extended period of time during the ten-day move. Operations were planned to resume fully the following week. “I expected we would be back up running on Monday [a week into the move] for sure, hopefully it would get done over the weekend,” Branham recalls, “and I was using my computer on Friday morning. . . . I was floored.” Reducing Local 562’s planned downtime by several days allowed them to adjust to the move and return to work faster than expected.

Anderson Technologies’ partnership with Local 562 continues with dedicated ongoing managed services. “Everything has been very strategically done in a way that I know that it was the right choice for us,” Branham says of Local 562’s teaming up with Anderson Technologies for the big move and beyond. “Just the other day, one of our guys was saying to one of the gentlemen from Anderson [Technologies] about how ‘he never remembers his passwords, etc.’ so Eric gave me the name of the program to look into. Just little things like that . . . to make our lives easier.”

If your business is ready to move from outdated headquarters, technology, or methodology, contact Anderson Technologies today for a free consultation.