Updated 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

Your Cybersecurity Questions Answered!

Thanks to everyone who attended our November 4th webinar, Don’t Become the Next Cybersecurity Scary Story! We are grateful to our guest experts, Sean Nobles from NaviSec and Brett Haines from Atlantic.Net, for joining us. We discussed social engineering, PenTesting, ways to secure online accounts, how to guard against user error, and other best practices in cybersecurity.

If you submitted a question during the webinar, you will find the panelists’ responses below!

If you have not done so, you can still register to receive a recording of the webinar and a free Total HIPAA Training License!

I have a small ABA practice and we want to have two-factor authentication (2FA) but aren’t sure how to go about getting started. Do you have any advice for getting started?

NaviSec — I would point to Brett’s input during the webinar — lean on your vendors. For smaller shops, most major cloud-based solutions like Google Suite, Office 365, and banks will have built-in 2FA solutions that integrate with free mobile phone apps like Google Authenticator. For VPN, contact your MSSP. We’re a Fortinet shop and, out of the box, Fortinet includes a couple 2FA tokens for VPN users but other vendor solutions may vary.

A.Net — First, establish what systems your team uses and which need 2FA (e.g., VPN, Windows Servers, Linux Servers, Windows 10/11 Desktops, Macs, smart phones, etc.). Then spark up discussion with your IT manager or whoever you lean on for recommendations while also reaching out to vendors that supply 2FA. There are free versions of 2FA, however, it requires more work on your side so the recommendation is usually to start with looking at paid versions so installation, maintenance, updates, etc. are not a distraction from your core business. Duo by Cisco has been a popular provider, and you can look at other alternatives.

Do you have any thoughts on Sync rather than Dropbox or similar programs?

NaviSec — Each platform will have its own pros and cons. If your organization has compliance requirements like encryption at rest, file access monitoring, or backups, you may prefer one provider over another based on those features. Most of these providers have publicly posted security audit results and papers to roll up with your own compliance audits. The “best” solution will always be the one that best fits the use case.

A.Net — I am not too familiar with Sync and their offering. After a quick search I do see that Sync does offer a BAA here. This is a good sign for the start of your research into the provider. If the service provider doesn’t offer a Business Associate Agreement (BAA), then it would be a non-starter. I would start to ask around for reviews and insights about availability, backups, and best practices with Sync along with discussing with Sync themselves.

When using a VPN to connect to a production environment, you do not have control over the personal equipment and could open up the network to bad actors if the personal computer has been breached, correct?

NaviSec — That is correct. There are mitigating controls you can put into place like requiring endpoint compliance before allowing the machine to connect to the VPN. Fortinet’s VPN solution has client profile options that require certain patch levels/security posture of the connecting equipment to be allowed to join the VPN. Bring Your Own Device (BYOD) architecture can be very challenging to manage since you’re utilizing assets that the business doesn’t own to interact with company infrastructure and you generally can’t force employees to install software on their personal devices. I definitely understand the need for small companies to be cost sensitive but BYOD, in my opinion, is a very risky policy if the device is connecting to sensitive company networks and resources.

A.Net — If you do not have control over the personal device, yes, you do have the potential of opening up your network to potential compromised devices. It is best practice to segment your network in a way to not allow access for certain VPN users to systems they do not need access to. For example, if you are able to expose an accounting webpage that is on your internal network to only the accounting users on the VPN while blocking access to the rest of your network, then it reduces your exposure to potential bad actors. This should be part of your best practices per HIPAA regulations as well. It is “as needed” access based on roles in the company. With that said, if at all possible, it is best to not allow personal devices on your network that are not under control of your IT admins for the reason above and more. Once you give up control of devices on your network, your attack surface grows drastically.

How often do we need to change the SSH keys?

NaviSec — There may be compliance drivers for how often to change keys and passwords. Generally speaking, I would recommend using the same frequency as changing/expiring passwords or utilizing a centralized credential/authentication solution that manages key rotations in larger environments. I’m not super familiar with the solution but I believe this is one of Thycotic’s selling points.

A.Net — This ties into the same debate of when do you change passwords? I would follow the same protocols that you do for passwords and apply those to your SSH keys.

Can you include the NIST link for the password changes/requirements?

NIST Special Publication 800-63 Digital Identity Guidelines

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.

Want to know more about how you can become HIPAA compliant?

Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)