Medical Device Security

This article is part of RWA’s series on the 10 Best Health Industry Cybersecurity Practices.
Learn more at the HHS 405(d) HICP website.


Medical devices are essential to diagnostic, therapeutic and treatment practices – but as with all technologies, medical device benefits are accompanied by cybersecurity challenges. Vulnerabilities are sometimes introduced when medical devices connect to the internet and process required updates. Medical devices are a specialized type of Internet of Things (IoT) device, and rather than recreating cybersecurity practices for them, healthcare organizations are encouraged to extend the relevant cybersecurity practices from the rest of the network and implement them appropriately.

Establish Endpoint Protection Controls: As with other endpoint devices, medical devices should follow protocols such as installing local firewalls, routine patching, network segmentation, and changing default passwords.

Implement Identity and Access Management Policies: Just like endpoints, medical device security should include authentication measures and remote access controls like multifactor authentication.

Institute Asset Management Procedures: It is important to follow your asset management procedures for medical devices just as you would for endpoints. Keep an updated list of inventory and software updates to ensure your devices are accounted for and are up to date.

Create a Vulnerability Management Program that can consume Medical Device Management disclosures and respond accordingly when received.

Add security terms to Medical Device Management contracts that enable you to hold device manufacturers accountable.


As always, contact RWA to discuss the next steps in your cybersecurity journey!

Cybersecurity Policies

This article is part of RWA’s series on the 10 Best Health Industry Cybersecurity Practices.
Learn more at the HHS 405(d) HICP website.


Over the past decade, one of the greatest changes in addressing cyberattacks involves establishing and implementing cybersecurity policies, procedures, and processes. These policies set expectations and foster a consistent adoption of behaviors by your workforce. With clearly articulated policies, your employees, contractors, and third-party vendors will know which data, applications, systems, and devices they are authorized to access, as well as the consequences of unauthorized access attempts.

Establish Roles and Responsibilities: Key people need to be tasked with implementing security practices and establishing policy. Even small organizations need to clearly define cybersecurity roles and responsibilities.

Education and Awareness: As technology advances, social engineering attacks will return to target the most vulnerable entities in your organization – your employees. The workforce will need regular training on practices, threats, and mitigation.

Mobile and Personal Device Policies: As more work is done at home and in the field, new policies need to be developed and deployed to address these use cases, and how data can be secured and used in remote settings.

Incident Response and Disaster Recovery Plans: It’s no longer enough for a small practice to rely on luck and agility. With the adoption of cloud and mobile technologies, disaster can strike anywhere, and it’s important to have standard practices for recovering assets, including backup plans.

As always, contact RWA to discuss the next steps in your cybersecurity journey!

Endpoint Protection Systems

This article is part of RWA’s series on the 10 Best Health Industry Cybersecurity Practices.
Learn more at the HHS 405(d) HICP website.


In medicine, federal law requires an organization’s endpoints to be protected and hardened against attack. Your endpoint devices typically include desktops, laptops, mobile devices, printers, and computerized medical equipment. Federal regulations also require encrypted storage and constant monitoring. For hybrid organizations or those wishing to embrace the cloud, RWA will work with you to deploy the best in modern cloud endpoint management technologies and policies.

Antivirus systems, full disk encryption, patching, and monitoring are all elements needed for modern endpoint protection systems. RWA will guide your business through all of the relevant options and services, from Microsoft Endpoint Management to our own Remote Monitoring and Management technologies.

Benefits of migrating to properly managed endpoint protection systems include:

  • Stale or vulnerable administrator accounts will no longer be an issue, with access limited only to regularly audited, cloud-based device management accounts.
  • Software updates and patching become a reliable process across the organization, supported by monitoring and management through the cloud. Different systems can abide by different policies based on stability requirements and typical use.
  • Endpoints can be automatically provisioned. With new cloud technologies such as Autopilot, group configurations can be bundled and deployed without the need to have a technician sit down for hours at each individual machine before the assigned employee can begin their work.

E-mail Protection Systems

This article is part of RWA’s series on the 10 Best Health Industry Cybersecurity Practices.
Learn more at HHS 405(d) HICP website.


The two most common phishing methods occur through e-mail access.

Credential Theft – An attacker attempts to trick targets into providing access through received e-mail.

Typically, this takes the form of a link in an e-mail that sends you to a fraudulent login website.

Malware Attacks – An attacker attempts to deliver malware through e-mails that compromise endpoints such as PCs and cell phones.

When an unprotected computer opens a malware application, the attacker will usually exploit vulnerabilities or lax security policies to gain additional access to the computer, your password, and your personal information. In worst-case scenarios, the attacker may even encrypt your data and demand a ransom.

E-mail protection systems block attacks before they arrive in your Inbox, and work with the cloud to identify attackers and their methods as they evolve.

RWA can work with you to identify and deploy the best e-mail protection systems, cloud providers, and encryption platforms that will work with your business. Office 365 and Exchange Online feature multiple layers of customizable security, along with policies that are appropriate for each group of employees.

Additionally, RWA can deploy Multi-Factor Authentication to add an additional layer of protection to your online services, and we have partnered with leading Phishing Training and Simulation services to support regulatory security compliance.

Getting Ready for Enterprise Data Protection

This past week, we learned of the most notable Supreme Court information leak in history. While we are going to steer clear of the political ramifications about the pending ruling, we have to ask… Could the document leak have been prevented with modern technology?

A decade ago, probably not. Today… there’s not much of an excuse.

First, security chips have been available on electronic hardware for quite some time. If you go back all the way to the Nintendo Entertainment System in 1985, it shipped with a simple lockout system. If a game didn’t have a Nintendo-produced security chip on the cartridge, the game system would get stuck in a reboot cycle. In modern times, the first version of the Trusted Platform Module standard was produced in 2009, then superseded by TPM 2.0 in 2015. With few exceptions, Windows 11 will require a TPM 2.0 chip as well as a modern CPU, and businesses will need to replace Windows 10 with Windows 11 by October 2025.

In the near term, security chips provide exciting new opportunities to secure workstations and protect them against ransomware and other attacks. Even now, we can audit service access and document activity in the cloud, including the behavior of multiple system administrators. We’ve also had the ability to prevent the extraction of information from protected apps – such as medical EMRs – through the use of screenshot and screen recording applications.

Over the next few years, as vendors get more sophisticated and cloud integration progresses, we expect a future where document authors in Word can completely secure and control who can access the content by default. They’ll be able to explicitly allow others to view or extract the content, audit access to the document, track changes, and prevent printing of hard copies.

If you’re already using the latest hardware platforms and cloud subscription services – such as Office 365, Windows Information Protection, and Azure Information Protection – you may already be able to take advantage of some of these services, and RWA can help you deploy new information policies and support your staff.

Keep in mind that your security is only as strong as your weakest link. If you have devices or servers that have fallen behind in compliance, you’ll need a plan to bring everything up to date. If you contact us today, RWA will help you get ready for a more secure future.

How to send a HIPAA compliant email

These days, it would be unthinkable to operate any kind of business without email or other forms of electronic communication. And it’s a pretty standard practice among businesses of all sizes to at least be aware of security issues such as phishing, address spoofing, viruses, and spyware. For businesses that deal with protected health information (PHI) however, there is an added layer of security required.

We’re talking about the Health Insurance Portability and Accountability Act, most commonly known as HIPAA. HIPAA sets the standard for protecting sensitive data. All businesses dealing with PHI are required to make sure that physical, network, and administrative security measures are in place and kept in compliance.

Included in these considerations is handling HIPAA compliant email.

What’s involved?

HIPAA requires that PHI is secure both when it’s being sent and when it’s not. The email must be protected by levels of unique usernames and passwords for PCs and servers, and secure encryption procedures each time the information is sent or received.

This means that it’s not recommended to use common, free internet-based email services. If you do use an internet-based email service, you must have a signed Business Associate Agreement (BAA) which confirms that administrative, physical, and technical safeguards are being maintained. The BAA will generally cover the host server responsibility, but you’re still required to protect every other part of the email or transmission chain.

Encryption, particularly for stored files, is also your responsibility. There are many options available for encrypting data on your own computers, and failure to take steps to use encryption could result in heavy fines.

How to keep email secure

What to consider when setting up secure email procedures

  • Many email servers will encrypt emails from sender to recipient. If the recipient is not a client of that server, they are given the option to securely connect to the server in order to receive the email.
  • Patient portals allow for secure storage of PHI and other communications. An email is sent to the recipient informing them of an incoming message. They can then log in and securely receive the message.
  • When setting up your own email accounts, use strong password protections and, if possible, 2-factor authentication.
  • While email disclaimers and confidentiality statements aren’t a guaranteed protection for you, said disclaimers should clearly state that the information sent is considered PHI and should be treated as such. This is not a replacement for encryption or other security measures.

What about the patients?

HIPAA realizes that you have no control over the email clients and security patients may use. The regulation states that as long as you’re using secure email and encryption on your end, you are not responsible for what happens on the patient’s end of things. Well… there are a few conditions:

  • You must have a fully secure, alternate option for patients to receive information (such as a patient portal).
  • You must inform patients that their personal email clients may not be secured. If they still want the information, it’s all right to send it.
  • You must document the above conditions.

Protecting different types of emails

Not all emails are sent from a provider’s office to a patient. Emails sent between doctors who are in different locations and do not share a secured network or email server must also use encryption. Likewise, doctors who email PHI from their home computers to their work accounts must use encryption to avoid a HIPAA violation. While in-office emails using the same secured email server don’t have to worry about additional encryption, remote access situations must follow encryption procedures.

In conclusion

Don’t become overwhelmed by the many requirements for sending a HIPAA compliant email. Consider working with a managed IT services provider experienced in HIPAA compliance and technology.

Detecting Foreign and Domestic Invasions

At the risk of sounding alarmist, our typical duties and responsibilities as a Managed Service Provider involve analyzing connection and activity logs and – sometimes – blocking potentially unwanted activity.

A few of our customers still use passwords instead of Multi-Factor Authentication. If such a customer only operates in Denton from 7AM to 6PM, then it’s a pretty safe bet that midnight “Login Failures” from Virginia, Oregon, or even China are attempts to break into protected services. Thanks to a mix of new auditing tools, not only can we investigate specific login attempts, we can also research unusual activity from suspicious users and guests in the cloud.
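The after-hours check described above can be sketched as follows. This is an added example, not RWA's tooling: the CSV layout, the accounts at example.com, the location labels and the log lines are all constructed for illustration, and the expected location set is an assumption.

```python
"""Flag failed sign-ins outside business hours or from unexpected locations."""
from collections import Counter
from datetime import datetime, time, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/Chicago")       # Denton, Texas
except Exception:                                # no time zone database on this host
    LOCAL_TZ = timezone(timedelta(hours=-6))     # fixed CST offset; ignores DST

OPEN, CLOSE = time(7, 0), time(18, 0)            # 7AM to 6PM, as in the text above
EXPECTED_LOCATIONS = {"Texas/US"}                # assumption: where staff sign in from

# Constructed sample export: timestamp (UTC), user, result, location.
SAMPLE_LOG = """\
2022-01-11T15:02:10Z,front.desk@example.com,Success,Texas/US
2022-01-11T16:45:33Z,front.desk@example.com,Failure,Texas/US
2022-01-12T06:03:41Z,billing@example.com,Failure,Virginia/US
2022-01-12T06:03:59Z,billing@example.com,Failure,Virginia/US
2022-01-12T06:10:02Z,billing@example.com,Failure,Oregon/US
2022-01-12T07:15:27Z,dr.smith@example.com,Failure,Guangdong/CN
2022-01-12T05:30:00Z,dr.smith@example.com,Failure,Texas/US
2022-01-12T20:30:00Z,billing@example.com,Failure,Virginia/US
"""

def suspicious_failures(log_text):
    """Return failed sign-ins that are after hours and/or from an unexpected place."""
    findings = []
    for line in log_text.strip().splitlines():
        stamp, user, result, location = line.split(",")
        if result != "Failure":
            continue
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        local = utc.astimezone(LOCAL_TZ)         # judge the hour on the customer's clock
        reasons = []
        if not (OPEN <= local.time() < CLOSE):
            reasons.append("after-hours")
        if location not in EXPECTED_LOCATIONS:
            reasons.append("unexpected-location")
        if reasons:                              # an in-hours local failure is likely a typo
            findings.append({"user": user, "local_time": local,
                             "location": location, "reasons": reasons})
    return findings

def summarize(findings):
    """Count flagged failures per (user, location) so repeated attempts stand out."""
    return Counter((f["user"], f["location"]) for f in findings)

if __name__ == "__main__":
    flagged = suspicious_failures(SAMPLE_LOG)
    for f in flagged:
        print(f["local_time"].strftime("%Y-%m-%d %H:%M"), f["user"],
              f["location"], "+".join(f["reasons"]))
    for (user, location), count in summarize(flagged).most_common():
        print(f"{count} flagged failure(s): {user} from {location}")
```

A failure from the expected location during business hours is left alone, while a failure that is both after hours and from an unexpected location carries both reasons and is the strongest signal.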

RWA technicians can not only keep an eye on your services, but decode the relatively esoteric results you get from an audit sweep. One of our recent adventures involved investigating rule changes in Outlook – an approved piece of software changed inbox rules to redirect new mail to the MSN Communicator folder. It’s the sort of change that only makes sense if you remember the state of technology from 12 years ago, and RWA technicians can help walk you through the implications of detected activity.

Unfortunately, the cybersecurity landscape only seems to get more challenging with each year, but RWA is here to help. Contact us if you need help with any cybersecurity concerns or questions.

Annual maintenance tips for PCs in the home and office.

The last few years have been crazy – and there’s no real end in sight. Most computers built before 2018 will need to be replaced by 2025 in order to receive support through Windows 11, but selection and options on store shelves are at an all-time low. Until you’re ready to make your next purchase, keep your computers going strong with the following tips.

1. Remove programs you no longer use

Are your devices running slowly? It could be all of those programs you downloaded this year — accounting tools, marketing software, business applications, etc. Get rid of programs you no longer need and free up space in the process. You’ll thank yourself for it later.

2. Organize your desktop

Take a look at your desktop and streamline this space. Remove any files and folders you no longer use and only keep shortcuts to frequently-used applications.

“Hoarding files on your desktop not only makes it challenging to locate what you need when you need it, but it can also compromise the speed of your computer,” says HubSpot.

3. Review your anti-virus software

Hackers pose a significant threat to businesses who rely on technology to store and process data. Still, 90 percent of small businesses don’t have any data protection at all for customer and company information.

If you currently use anti-virus software, make sure it still works and perform a comprehensive scan of your systems. If you don’t have any anti-virus software at all, make it your priority to get some.

4. Change your passwords

Believe it or not, people don’t change their passwords very often. Others don’t change them at all — shockingly, 30 percent of people have never replaced their passwords. This is a big mistake. Changing your passwords on a regular basis can prevent hackers from accessing your company’s valuable data.

Use a combination of letters, numbers, and special characters — this makes it more difficult for hackers to guess your new password. Try to use different passwords for different applications, too. Use one password for your CRM system, for example, and a completely different one for your email.

5. Clean your hardware

Processors, servers, and other hardware can become dusty and dirty over time. It’s time for an end-of-the-year clean. Use a cloth to remove dust and grime from your equipment and wipe down your monitors. You can even use a clean toothbrush to remove dirt from your keyboards.

6. Clear your internet browser cache

Once you’ve dusted your hardware, it’s time to clean your software. Clear your internet cache and cookies in order to speed up your browsing experience and protect your personal information.

“Web browsers save cookies as files to your hard drive,” says computer expert Graham Cluley. “They’re small in size (only a few KB), but over time, you can accumulate a lot of them. This volume means your web browser must use more and more computing power to properly load saved web pages, which means your browser sessions will likely get slower and slower.”

Whether you use Internet Explorer, Firefox, or Google Chrome, clearing your cache can take as little as a few minutes.

Final thoughts

It’s not too late to make a fresh start for 2022. Don’t have time to complete these tasks for yourself and your staff? There’s a managed service provider in Texas that can do all the work for you.

3 Business Problems That RWA Specialists Can Solve

Our technicians and network administrators wear many hats. They monitor your network performance, ensure compliance, and evaluate your hardware infrastructure. But how do these services actually benefit your business? Here are a few examples:

Problem #1: Hackers are trying to steal your personal information

Cybersecurity is a huge concern for almost every business owner, especially with recent headlines about ransomware and data loss. You’re probably concerned about the personal data you keep on your hard drives and servers, and might not even know if your data is backed up or encrypted.

43% of cyber attacks target small businesses, and 62% of companies have been victims of social engineering and phishing scams. 

The solution:

RWA can monitor your network performance and generate reports that provide you peace of mind when it comes to computer security. Our professionals can also evaluate your infrastructure and suggest any necessary upgrades and adjustments that will improve network security in your workplace.

Problem #2: You’re spending way too much cash on IT

The average company spends 5.2% of their total budget exclusively on IT. For some big brands, this means spending millions of dollars on the latest hardware and software that optimizes performance and increases productivity. Many small businesses just don’t have these budgets and feel like they are spending way too much cash on IT as it is.

How can they cut costs?

The solution:

Our IT consultants can evaluate your current IT budget. Based on their experience and evaluations, they can make suggestions for investments that will save you money in the long run. It may be a matter of getting rid of inefficient hardware that costs too much money to maintain, or you may simply need to deploy new technologies and software that will instantly save cash.

Problem #3: You’re struggling with compliance

If you own a small business, there are various laws and regulations that you need to adhere to, especially when it comes to data protection. It can be difficult to keep track of all these rules, and sometimes you need a helping hand.

The solution:

The best IT consultants will ensure you adhere to all the relevant data protection procedures in your sector and prevent you from being fined. If you operate in the healthcare industry, for example, RWA can make sure you are HIPAA-compliant, while safeguarding patients’ personal information at all times.

These are just 3 business problems an IT consultant from RWA can solve. If you are spending too much money on IT, want to boost your security credentials and improve compliance, investing in managed services could provide you with a decent return on your investment.

Year-End Checklist: Licenses and Employee Permissions

It’s that time of year again! Make sure you’re not spending money on unnecessary licenses, and ensure that all of your employees only have access to data they need.

A variety of new cloud products are available to fit your workforce better than ever before. Frontline and outside sales workers can collaborate with the rest of the group through Microsoft F3, while we can meet your demands for modern productivity and security with Microsoft 365 Business Premium.

If you need any guidance, RWA is here to help.