It’s 4:00am. I’m burning the midnight oil, and there it is again!
I just spied a TeamViewer icon on the desktop of another dental practice computer.
I checked to see if the TeamViewer program was registered to a company or person; it was not.
It was simply downloaded from the Internet and then installed. I checked the TeamViewer logs and discovered it was recently used.
TeamViewer is just one of many “remote access” programs that can be easily downloaded and installed on a computer system. I’ve encountered many instances where an employee installed remote access software without management’s knowledge or consent.
Most often (as was the case here) the employee was well-intended and did not realize the associated risks. However, sometimes employees install remote access software for malicious purposes.
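One way to check a Windows PC for remote access software that was installed without approval. This is an added example, not part of the original post; the name list is only the products mentioned in this article, and the script assumes Windows PowerShell 5.1 or later, run from an administrator account.

```powershell
# Added example: inventory remote access software on one Windows PC.
# Assumption: the name list below covers only the products named in this post;
# extend it with whatever else is relevant to your practice.
$Names = 'TeamViewer', 'LogMeIn', 'Splashtop', 'AnyDesk'
$Regex = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

function New-Finding($Source, $Name, $Detail) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Source   = $Source
        Name     = $Name
        Detail   = $Detail
    }
}

# 1. Installed programs: per-machine (64- and 32-bit) and current-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Regex } |
    ForEach-Object {
        New-Finding 'Installed program' $_.DisplayName `
            "Publisher: $($_.Publisher); InstallDate: $($_.InstallDate)"
    }

# 2. Services: a service entry means the tool starts with Windows.
$Services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Regex } |
    ForEach-Object {
        New-Finding 'Service' $_.DisplayName `
            "State: $($_.State); StartMode: $($_.StartMode); Path: $($_.PathName)"
    }

# 3. Running processes: catches portable copies that were run without installing.
$Processes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { "$($_.Name) $($_.ExecutablePath)" -match $Regex } |
    ForEach-Object {
        New-Finding 'Running process' $_.Name "PID: $($_.ProcessId); Path: $($_.ExecutablePath)"
    }

$Findings = @($Installed) + @($Services) + @($Processes)
if ($Findings.Count -eq 0) {
    Write-Output "No listed remote access software found on $env:COMPUTERNAME."
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

An empty result only means none of the listed names matched; compare any findings against the list of tools management has actually approved.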
For security and privacy purposes, it is important that all remote access connections to your practice are recorded.
- Use LogMeIn, Splashtop, AnyDesk or other software that maintains a detailed access log. Know who was logged on and when.
- Every person who uses remote access must have their own unique ID, usually their email address.
- Never share remote access usernames and passwords with other individuals or use a common login name and password.
If you use an IT vendor, they are responsible for maintaining a record of their remote access. Since the IT person or company may encounter confidential patient information, even if unintentionally, they must have a privacy agreement in place with your practice (e.g., a BAA).
In the event there is a breach or legal challenge, the IT company must be able to provide the practice with access logs that can identify who was logged on, when and why.
While most IT vendors follow these procedures, unfortunately some do not.
Related topic: “Tech Support Scams”: https://en.wikipedia.org/wiki/Technical_support_scam