Holiday Hugs Toy Drive

Christopher Draven, Client Experience at Umbrella Managed Systems

With the blizzard conditions last week, the team at Umbrella went into ‘holiday mode’ a bit early this year. In years past, we have participated in a variety of charities that allow us to give back to the community we love. This year was no different.

This holiday season, Umbrella participated in the Holiday Hugs Toy Drive held by the Shadow Buddies Foundation.

From action figures to board games, and even a few superhero capes, Umbrella employees got into the spirit of things – keeping the presents adequately nerdy (even slipping in some Nerf® toys). With two large, overflowing boxes and a lot of holiday cheer, Umbrella employees were proud to get involved.

A huge thanks to the S.T.A.R.S. team (our internal group of motivators and planners) for coordinating the effort, and a special thanks to the Shadow Buddies Foundation for putting out such a fun event.

Faxploit – Are You Vulnerable?

By Christopher Draven, Client Experience at Umbrella Managed Systems

Faxing Is Out

Fax machines have suffered much negative press recently. News articles highlighting the aging technology have pointed to faxing as a culprit in the delay of healthcare interoperability. Even the CMS Administrator, Seema Verma, publicly called for an end to provider reliance on fax machines by 2020.

In the healthcare industry, physician practices and health systems transmit and receive patient information via fax every day. Verma’s comments sparked a media frenzy. However, beyond the inconvenience of using a decades-old solution, a security vulnerability dubbed Faxploit was recently uncovered.

Faxploit is Real

Check Point, a cybersecurity company, published research on a vulnerability in a specific transmission protocol, known as ITU T.30. What researchers uncovered was direct evidence that popular fax machines, like the HP All-In-One, can be hacked to launch a cyberattack to access networks – with nothing more than the fax number.

“While technically possible, a properly managed network makes delivering malicious payloads via fax unlikely. Unfortunately, many organizations do not have preventative measures in place. This new Faxploit threat vector does raise eyebrows, considering healthcare’s continued reliance on faxing.”

– Trent Peters, Principal & CTO of Umbrella Managed Systems

It sounds like something out of a Science Fiction movie, but Faxploit is a legitimate security concern.

Umbrella Can Help

Being aware of and resolving newly discovered vulnerabilities is one component of the proactive services Umbrella offers. Properly securing your system is not only wise but also a regulatory concern. The ITMS 3.0 program addresses the constant barrage of threats from Ransomware, Phishing, Faxploit, and other attacks on your infrastructure.

ITMS 3.0 Offers:

  • Drive Encryption
  • Next Generation Firewall Security
  • Security Awareness Training
  • Advanced Email Security and Encryption

Knowing your system vulnerabilities and planning for the worst is how you can recover from a cyber-attack. For more information on how Umbrella can help your business improve system resiliency and put safeguards in place, please get in touch.

For more information on Faxploit, read the Check Point article or the Full Research Report.

The Client Perspective – Rising Technology Costs

By Jean Hansen, COO at Umbrella Managed Systems

As a Clinic Administrator, I always disliked this time of year. The weather turns cold, scheduling around the holidays is a challenge, and staff are looking forward to holiday bonuses and salary increases. Top all of that off with the hardest part of the job – budget season.

Healthcare practices face a unique set of challenges when it comes to budgeting. Few businesses are restricted from passing rising costs along to the customer (the patient in our case). From salaries and employee benefit increases to rent cost escalation clauses, Clinic Administrators are tasked with finding financial solutions from an already overburdened checkbook. There just aren’t many options for bringing in more revenue when you are a small to mid-sized clinic.

A real culprit in the fight for profitability is the technology line item on your budget. To maintain existing Medicare and Medicaid reimbursement levels, providers were expected to implement an electronic health record (EHR). Almost overnight, technology rose to your number two expense, with personnel costs maintaining their lead.

The cost to maintain the system and keep the software updated has become a delicate balancing act. Plus, unlike other types of software, you have no choice but to keep everything current due to regulatory requirements to keep your software and workstations upgraded.

For instance, were you aware that an outdated operating system can result in fines?

The Office of Civil Rights (OCR) covered the topic in their June 2018 Cybersecurity Newsletter. Patching system vulnerabilities is a requirement under the HIPAA Security Rule. When an operating system exits its support lifecycle, patches to resolve new vulnerabilities stop. Microsoft® is one company that recently announced that support for several operating systems, including Windows 7 and Windows Server 2008, will end in approximately 13 months.

That doesn’t leave much time to coordinate upgrades – especially since Allscripts and other major EHR vendors have declared Windows 7 incompatible with their systems. That means your very expensive EHR software may not work on unsupported computers after December 2019.

When I was a client, I trusted Umbrella to stay on top of these developments. As my MSP, I expected technical expertise and strategic planning to keep my technology working. Over time, this helped me drive down costs, as I wasn’t rushing to catch up.

Since joining Umbrella, I have learned so much about the services and programs offered by the company. For Clinic Administrators looking to control costs while staying compliant, I suggest asking about the new ITMS 3.0 program. Features include an annual ‘tech refresh’ program, strategic planning assistance, and group pricing discounts on hardware.

I’m pleased Heath and Trent strive to stay client-centric, updating services that keep the customer perspective firmly in mind.

Employee Spotlight: Brandon Heldstab, Systems Administrator

By Christopher Draven, Client Experience at Umbrella Managed Systems

Umbrella has continued to grow, bringing on seven new employees over the past few months. With an infusion of new blood, we thought it was a good idea to introduce Brandon Heldstab, our newest Systems Administrator on the Professional Services team.

Brandon joins Umbrella with over 6 years of direct IT experience, specializing most recently in Office 365 migrations. An alum of KU and a former US Army Cavalry Scout, Brandon is a ‘get things done’ sort of guy. To get to know him better, Brandon agreed to answer the following questions:

Q: Before Umbrella, what was the weirdest job you had?

A: Immediately after college, I worked on a road crew out of Eudora, Kansas. We re-routed road lanes for construction (laying out cones, stripping and relining lane stripes, etc.). It’s something I never saw myself doing and DEFINITELY something I never want to go back to.

Q: Favorite line from a movie?

A: I have two

“The man in black fled across the desert, and the gunslinger followed.” – Stephen King, The Dark Tower

“Smokey, this is not ‘Nam. This is Bowling. There are rules!” – The Big Lebowski

Q: Your desk is always clean – are you this organized at home?

A: As organized as I can be in our small apartment. I have a lot of hobbies involving the outdoors, so I usually have camping gear, fly-rods, and climbing gear scattered around. My wife hates it.

Q: Coffee or Tea?

A: Both? I can’t get my day started without some coffee, and I enjoy tea at night before going to bed.

Q: A skill you hope to learn one day?

A: I just recently picked up a harmonica. I’m hoping to start working on that next year.

Q: Describe yourself in a hashtag.

A: #WhatIsSocialMedia?

Q: If you made a documentary, what would it be about?

A: I’m not sure about a documentary, but I would like to take a month-long trip fly-fishing across the country someday, and film the adventure.

A Big Thank You to Brandon for participating. We are excited to have you on the team!

That Time HIPAA Had a Breach

By Christopher Draven, Client Experience at Umbrella Managed Systems

CMS, the division of the HHS which provides “education and complaint-driven enforcement” of HIPAA regulations, announced suspicious activity in one of its systems this month. Unfortunately, information of approximately 75,000 individuals was accessed.

“While this is a small fraction of consumer records present on the FFE, any breach of our system is unacceptable.” – CMS stated in an October 19th, 2018 press release.

An Interesting Case Study

Watching how the government agency responsible for oversight of these types of incidents responds has been interesting. CMS has followed the same steps it advises other organizations to use:

  • Take immediate steps to secure the system by deactivating access to the affected system.
  • Launch an internal investigation.
  • Notify the appropriate legal authorities.
  • Coordinate efforts to notify, offer protections to, and support impacted individuals.

The investigation is ongoing, but CMS confirmed no banking, federal tax information, or PHI was exposed during the breach.

An Unexpected Twist

Two days before the initial breach was announced, the U.S. Department of Health and Human Services (HHS) announced a new Security Risk Assessment tool for use by HIPAA-Covered entities. Boasting new usability features, the project included support from the Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) – Federal agencies involved in HIPAA privacy regulations.

It is unlikely CMS will feel the sting of fines or public corrective action plans (read our Anthem Breach post). However, it is encouraging that CMS reported the breach and ‘walked the walk’ in handling the situation.

How Umbrella Can Help

Properly securing your system is not only wise but also a regulatory concern. The Umbrella ITMS 3.0 program addresses the constant barrage of threats from Ransomware, Phishing, and other attacks on your infrastructure.

At a high-level, our program offers:

  • Drive Encryption
  • Next Generation Firewall Security
  • Security Awareness Training
  • Advanced Email Security and Encryption

Knowing your system vulnerabilities and planning for the worst is how you can recover from a cyber-attack. For more information on how Umbrella can help your business improve system resiliency and put safeguards in place to combat Ransomware and other malicious attacks, please get in touch!

Vendors: A Hidden Risk In Your Data Security Program

By Christopher Draven, Client Experience at Umbrella Managed Systems

A data security expert once told me…

“You want to guarantee your data is secure? Lock your computer in a water-tight box and dump it in the ocean.”

Unfortunately, business doesn’t work that way. Protected Health Information (PHI) and Consumer Financial data is everywhere, and organizations track this information to provide basic services. Data is a necessary part of doing business in an ever-connected world. Your data must be shared to be of value.

Umbrella works closely with our clients to secure data and eliminate vulnerabilities. We have successfully fended off Ransomware attacks, Phishing Attempts, and other forms of malware and cyber crime. However, even if your data is hidden behind a fortress of firewalls, there is an often-overlooked vulnerability.

How do your vendors handle the data you share?

There is a growing list of breaches where, through no fault of the client, data was breached. Industries across the spectrum have been targeted, and sometimes the easiest way in is through a trusted vendor. Target is a well-publicized example, suffering a breach of 40 Million credit and debit card accounts.

How did hackers get their hands on the company’s data? Credentials for an HVAC vendor!

Umbrella’s Tips for Managing the Data and Vendor Interactions

  • Does the vendor conduct proper security training?
  • Review the contract – Vendor agreements should include language regarding a vendor’s responsibilities in protecting your data.
  • Organizations governed by regulatory standards should enforce and monitor those same obligations among third-party vendors who have access to your data.
  • Be aware of what data you are sharing and with whom.
  • Limit data to the minimum necessary, even if it proves cumbersome.
  • Verify that data is encrypted in transit and at rest!
  • Does your vendor have a disaster recovery plan in place?

The best tip is to stay engaged with your vendors and discuss your expectations.

Managing vendor relationships can be daunting, especially when the conversation gets technical. The Umbrella ITMS 3.0 Program includes vendor management as a key component. Umbrella can keep on top of your technical relationships and keep your data secure. Contact us today!

What the Anthem Breach Means for Your Office

By Christopher Draven, Client Experience at Umbrella Managed Systems

Health insurer Anthem, Inc. has agreed to a $16 million settlement and to follow a substantial corrective action plan from The Office of Civil Rights (OCR). The agreement comes after Anthem suffered a series of cyber attacks which led to a breach of PHI of nearly 79 million individuals – instantly becoming the largest U.S. health data breach on record.

While the fine is staggering (over 3x the previous record), the investigation is the real ‘brow-raising’ moment.

Preventing a Breach

Listed as the last item in the Anthem Resolution Agreement, the breach of 78,800 individual records is no small footnote. According to the OCR notice, media reports of a “sophisticated external cyber attack” on February 5th, 2015 prompted the Federal agency to open a compliance review.

Working to repel cyber-attacks and secure data against a breach is a core responsibility of every covered entity and business associate.

Enterprise-Wide Risk Analysis

The OCR report indicated that Anthem failed to conduct an enterprise-wide risk analysis. While the Corrective Action Plan sets out the requirements of such a review now, Anthem would have been well-served to consider proactive measures.

Completing an annual security risk analysis is a required component of the Administrative Safeguards required of either a covered entity or a business associate – an often overlooked or misunderstood obligation.

Information System Activity Review

While some policies are better than no policies, the OCR report includes language around minimum content requirements, including the Information System Activity Review.

Audit logs, access and security incident tracking reports are a good start, but the OCR’s language in the Anthem Resolution Agreement includes requirements for “…regular review of records of information system activity collected…” and “…processes for evaluating when the collection of new or different records needs to be included in the review.”

Detecting and Responding to Security Incidents

While the OCR does directly state Anthem failed to properly report the attack and subsequent breach, the timeline and the Reportable Events section of the agreement set firm expectations on how Anthem will communicate subsequent events.

A company’s desire to control the narrative and conduct internal reviews should never obstruct its obligation to properly report security incidents and notify the OCR and impacted individuals.

Access Controls

Unfortunately, many organizations get Information Access Management wrong. The concepts of minimum necessary and restricted access are overridden by a business mentality of “I need access to everything!” – however, what is convenient for users and systems developers may not meet your regulatory burden.

Network segmentation and password management requirements are just the beginning. Organizations must retrain users to consider modern technology and what it means. Giving too many people unfettered access to your system means you are at a greater risk when user credentials are compromised.

The Thing Anthem Missed

The critical takeaway from the Anthem Resolution Agreement is a call for organizations to Be Proactive. No matter the size of an organization, safeguards are only as good as your enforcement efforts.

As experts in cyber security, Umbrella is here to help!

Contact us to learn about our ITMS 3.0 program and the wide array of security monitoring, detection, and threat mitigation services which help protect our clients from possible cyber-attacks.

The Beast of Microsoft: Windows 10 Upgrades

By Sam Orlando, Systems Engineer | Team Lead at Umbrella Managed Systems

The Beast of Microsoft: Windows 10 Updates

There was a time when managing Windows updates was simply a matter of configuring Group Policy to change settings on every workstation centrally. Patch management remained behind the scenes – an easily tamed beast – a worry for IT to handle while end users worked without interruption. Systems stayed updated, and all was as it should be…

…until the introduction of Windows 10.

What Changed

The newest of Microsoft’s operating systems has pulled patching out of the hands of IT service providers and leaned more heavily on users to manage their machines. Experts in the industry (Computer World, Windows Central, and RCP Magazine) have cried out to Microsoft to reconsider, to no avail.

In response, technology companies got crafty by snooping through buried registry settings which drive the Windows Update process. The change worked, for a time, then Microsoft released new updates and features to wrest away control once more.

The Impact

There are real issues with the way Microsoft wishes to handle system updates:

  • Persistent user notifications
  • Patching and System Reboots occur while users are trying to work
  • System admins do not control which updates are applied

Windows 10 is the first subscription-based operating system, meaning features and functionality are in a constant state of change. These upgrades are typically dispersed twice a year – sometimes causing a business to come to a crashing halt. Recent updates (1709 and 1803) catch users in failure loops (where the update fails, attempts to revert back and then restart the update, only to fail again and restart the cycle).

System admin groups have been buzzing with ideas on how to get a handle on Windows 10 patching. However, the constant flux of the operating system means most solutions don’t work or are quickly outdated.

A New Normal

In the end, we are confident, and eager to see, that Microsoft will provide the right features and fixes to meet its Windows 10 model while allowing service providers to keep maintenance work behind the scenes where it belongs. Umbrella has always believed in a smooth end user experience.

…and to that end, we fight on.

The Client Perspective

By Jean Hansen, COO at Umbrella Managed Systems

Several times over the past few months, colleagues and former co-workers have approached me to ask, ‘Why Umbrella?’ – curious about what seems like a 180° career move.

My typical response: Honestly, I couldn’t be more thrilled.

A Little Bit of History

Umbrella has been part of my professional landscape since 2008, when I met Heath at the Greater Kansas City Medical Managers annual conference. The service Umbrella offered was intriguing to me as a practice administrator. Why? Because in 2006, most practices were struggling to implement Electronic Medical Records (now we call them Electronic Health Records).

At that time, very few clinical staff used computers. Most of the electronic work was done by the business office and practices lacked on-site professional IT support. The industry had a technical skills gap, and it was frustrating. This meant I jumped at the chance to partner with Umbrella, who quickly evaluated our needs and set achievable recommendations that made sense for our practice.

What started as a simple vendor relationship quickly grew into a partnership. Umbrella helped me navigate the implementation of an EHR and provided ongoing support. A simple and complete technology solution.

The Client Perspective

This next piece isn’t ground-breaking material. Most business books boil down to this concept:

“Understanding your customer is critical for success.”

Simple enough, but the concept is easier said than done.

In practice, the core group of decision makers are not just juggling meetings. Providers and business teams are interacting with patients, handling insurance claims and prior authorization requests, and working with another practice to pass along patient information. And that’s a slow day! To further complicate things, the game can change from one medical specialty to another. The complexity of a physician practice can strain relationships with vendors – who don’t always understand the full breadth of regulatory, business, and patient expectations a practice must juggle.

Leaving patient care to work with a healthcare IT company was a tough decision, but I’m glad to have made the change. From the start, Heath and Trent have asked me to share The Client Perspective.

Moving Forward

Coming to Umbrella as a former client and accepting the role of COO proves to me that this company is serious about client experience. Umbrella continues to partner with its clients, ready to offer even more resources and knowledge that matters and makes sense to clients.

I am excited to be part of this journey!

Ransomware

By Christopher Draven, Customer Experience at Umbrella Managed Systems

Ransomware Breach: 40,800 Patient Records at Risk

The news continues to remind us that Ransomware is a real and continuing threat. Earlier this month, an obstetrics and fetal diagnostic lab announced a 40,800 patient breach on June 30th, 2018. When these stories break, our clients often reach out and ask what Umbrella is doing to minimize the risk.

As data and systems security experts, we spend much of our time examining technical vulnerabilities and providing our clients with recommendations. Industry reports and our research show there are two key factors when measuring the resiliency of your technology stack – Aging Technology and Employee Education.

Systems Aging Out of Support

Older operating systems may feel familiar and comfortable. However, those tools become security nightmares once Microsoft announces the end of support. As new threats develop, Microsoft stops releasing software updates to fix any holes in the software, which leaves a computer open to new threats.

For example, if you have any of these operating systems on your network, it is time for an upgrade:

  • No Longer Supported: Windows XP and Windows 2003
  • Support Ending in 15 Months: Windows 7, Windows Server 2008 R2, and Microsoft SQL Server 2008 R2

Employee Education

Unfortunately, we are only human. Employees are often the weakest link in an organization’s security. Hackers develop sophisticated tools and methods to trick your users into giving up system credentials.

How Umbrella Can Help

The Umbrella ITMS 3.0 program addresses the constant barrage of threats from Ransomware, Phishing, and other attacks on your infrastructure.

At a high-level, the program offers:

  • Drive Encryption
  • Next Generation Firewall Security
  • Security Awareness Training
  • Advanced Email Security and Encryption

Knowing your system vulnerabilities and planning for the worst is how you can recover from a Ransomware attack. We encourage you to reach out with any questions about ITMS 3.0 or your own system vulnerabilities.

For more information on how Umbrella can help your business improve system resiliency and put safeguards in place to combat Ransomware and other malicious attacks, please get in touch.