in HIPAA Headlines by John Brewer

What’s the point of all the policies?

Many, especially in smaller practices, feel policies and procedures are merely a harassment program.

The reality is this: no matter the size of your office – you, your staff, and those you hire to help you need a solid understanding of what is expected.

I constantly get an eye-roll when I produce my policy & procedure for sending a fax. The typical response is: “Seriously?? We’re just sending a fax.”


Now let’s focus on the policy and procedure for keeping the software on your computers and your server (if you have one) up to date.

Don’t give me the eye roll.

Yes, I understand this seems obvious…just like backing up your computers…but way too many don’t do that either.

Recently there has been a lot of talk about the NSA hacking tools that were obtained by a group known as the “Shadow Brokers”.

Yes, they sound spooky.

They released what are supposed to be the hacking tools the NSA uses to get into people’s computers: exploits in Windows, etc.

Shortly after the release of these tools, Microsoft announced that all the “holes” these tools used had already been patched.

These tools specifically target Windows, from 2000 and XP to Windows 8. On the server side they are used against Server 2000, 2003, 2008, 2008 R2 and 2012.

Worth noting, these tools do not work on Windows 10 nor Server 2016.

So, what is your policy for updates?

Do you know that all your computers are set the same?

What about your server? This tends to be a bit more complicated as you need to confirm your EHR is compatible with the latest security patch first.

You need a policy & procedure that sets expectations for all of this, including:

  • How computers are set to install updates – automatic or manual
  • Who runs updates
  • When are updates run
  • Then, if you have a server:
      • Run a backup before the update
      • Update only on weekend(?)
      • Confirm latest release is EHR compatible

There is more to it than just these items, but the point is…it does take some thought and planning.

Many of you outsource your IT support, which is fine, but you still need to set the expectations. You still need to have an understanding of how things are to happen. This is still your responsibility.

You can definitely create these policies on your own. Search the internet, have someone in your office write something up that you hope is sufficient…or simplify your life and acquire our already done-for-you set of HIPAA computer policies.

