OutsideCTO - HIPAA From Scratch - Physical Safeguards: Workstations

Physical Safeguards: Workstations

Acquire your first company-managed computer

Again, our whole strategy is to be completely clean as we set up our systems. Up to now, you have used your old personal computer to bootstrap an initial email address, etc. But now we want a physical computer that is as secure as we can make it. We'll use this computer for the next stage of setting up your presence on the network, which will be to set up your virtual office in a secure and compliant way (in the next chapter, I'll show you how to do this with Google Workspace).

A note about Windows

Because so many users use Windows, it is the most targeted platform for exploits. As of this writing, I consider Windows itself to be something of an attack vector, requiring constant attention and updating. I have worked at places where Windows is essentially banned: There are no Windows laptops or computers, including in the cloud (which also means no Active Directory). If a visitor has a Windows laptop, they can only connect to a special guest network. If there is some software that absolutely must run Windows, it is run virtually (with VMWare or VirtualBox) or in a cloud container such as Amazon Workspaces.

If you can keep your Windows infrastructure up-to-date, it can work. In recent years Microsoft has siginfiicantly improved its security posture for its latest releases. But if you have older equipment, you will find that you need staff to maintain it. I don't think it's worth it.

Some companies may want a hybrid environment where multiple platforms are supported. But now you will have to have an export in Windows, and an expert in the other systems, such as the Mac and/or Chrome. My advice is to keep it simple and require one platform for everyone.

"But I have to use Excel on Windows"

Maybe you do, but I doubt it. Both Google Sheets and Excel on the Mac can do most things that are on the list for power users, such as pivot tables. There are a few reasons why a power user might need to use Excel on Windows: They may be doing forecasting, or need more support for Visual Basic for Applications. The Mac used to not have auto-save, but it does now. The Mac doesn't have the View Side-by-Side feature. It is also possible that a power user has an Excel sheet with so many rows that it must be run on a local machine rather than in the cloud. Having said that, if you have that much data, you should probably be using a database. If a power user in your computer absolutely must use Windows, a possible solution is to run Windows virtually, as I suggest above, locally on the machine with VMWare or VirtualBox, or in the cloud with something like Amazon Workspaces.

"But I have to use PowerPoint"

PowerPoint does have a lot of bells and whistles, but I would argue that the convenience of being able to share a link for a web-based presentation is more powerful for the business than using all of the pretty things in PowerPoint. Besides, increasingly customers will want a PDF, and all of those extra disappear when you convert to PDF.

So, what kind of computer?

If you're following me, then, Windows is out. The new versions are a lot better, but . . . I'm a pretty committed Apple user, but in what follows I'm going to use a Google Chromebook for my examples. The better Chromebooks are highly comparable to a Macbook Air. What is nice about the Chromebooks is that very little is stored on the device itself, and it lends itself to centralized management. What do you have to give up? Well, you won't be able to install Microsoft Office. In compliance-world, limiting apps that can be installed on the device is a big advantage. Another huge advantage of a Chromebook is that because everything is in the cloud, you don't have to back up the device.

In any case, every computer acquired for staff must now be set up to accord with policy (which you don't have yet -- stay tuned) regarding "endpoint protection." Here's the bare minimum of what you need to do. Unfortunately, automating this for conventional laptops (Windows and MacOS) requires software and a computer that is set up to manipulate computers so that they are in compliance, or image them so that they are all alike (e.g., SCCM for Windows; JAMF or Mosyle for Macs). But we can get pretty far with the ChromeBook and management in Google Workspace.

Critical settings

The following should be relatively easy.

Encrypt the disk.
Turn on host-based firewalls.
Turn off remote access.
Install anti-virus, anti-malware, and anti-spyware software.
- Ideally, set scans to be performed "on the fly," at startup, and on a schedule.
Set the screen saver to start after 15 minutes (this is required by standards such as PCI; note that CMS requires the screensaver to be triggered after 2 minutes). When the screen saver is triggered, ensure that a password is required to access the system.
Know how to control (turn on / turn off / enable / disable) Java, JavaScript, ActiveX, PDFs, postscript, Shockwave, and Flash, both on the computer and in the browser. If you had software to manage this centrally, you would want to be able to turn things off in accordance with policy; for now, just assure yourself that you have some command of how to do this.
Install your password vault (such as LastPass).

These next few may be more difficult.

Behavior of the anti-virus, -malware, -spyware scanning should be available somewhere for audit. E.g., if the scan can produce a report, you'd like it to go into a secure place.
The anti-virus (etc.) software should be regularly updated.

And some things I don't want you do to

Do not install any office software (Microsoft Word, Excel, PowerPoint, Apple Pages, Keynote). You're going to do these things in Google Workspace from now on.
Do not install backup software. Most everything will be in Google Workspace.