As security threats become more prevalent, it’s important to understand the risks associated with storing your clients’ confidential information in your practice management system. Here are eight ways to keep your client information secure within Time Matters.
1) Set up Security Profiles
Security profiles are a must for any office working with Time Matters. Too often firms completely disregard the security section, leaving the firm database open and accessible to everyone. Depending on the office size and the restrictions needed, I recommend a minimum of two security tiers so that specific security rules can be applied to each. Firm management should work with a Time Matters consultant to decide the structure and security requirements of the profiles. Once the security profiles are designed, they can be applied easily to new and existing TM users, and if a new rule or exception is needed, changing the profile pushes it out to all users.
In my example, four security profiles assign rules depending on role, responsibility and access needs. When we hire a temporary employee focused on data entry, I can remove entire lists, such as billing or contact details that may contain social security numbers. For my financial management team, there may also be security exceptions that allow them to edit others’ time entries or billing expenses. Below are a few other rules you can add to a security profile today.
2) Turn on the audit log
A truly simple method for firm management to track records in Time Matters is the audit log. This tool automatically logs changes or updates to fields in Time Matters. Keep in mind that it is not turned on automatically for all fields!
Once it is activated on a key field, a log entry is generated automatically, so if you want to check who updated a client’s date of birth or address information, the answer is there. The audit log, available under Record Properties, includes a date and time stamp for each change along with the Time Matters staff ID of the person who made the update. Firms also have access to the original field contents, which makes correcting any issue painless.
3) Turn off workstation auto-login
There is a workstation preference that allows Time Matters users to open the program and bypass the log-in screen, going directly to the firm’s information without entering a password. Think of how easy that would make it for an outside person with access to your PC or laptop to log in to Time Matters and reach your client details, case lists or firm billing information. All of the records we are striving to safeguard could be opened up because we wanted to save a couple of clicks.
4) Private calendar appointments
Are you sharing your personal doctors’ appointments or kids’ soccer game details with co-workers? Often when I dig into a firm’s calendaring system, I find too many personal event records shared for the entire office to view. Two security settings I put into place are checking the private box on the record and making sure that private records cannot be viewed by other users, based on their security profiles.
The same private checkbox can be applied to matters or contacts to create ethical walls, enforce confidentiality rules and restrict the matter from other users. Firm administrators should also check security profiles to see who at the office is able to create private records.
5) Remove access to archives or recycle bin
One important rule to include in any user set-up or security profile is to disable user access to the recycle bin. Think about other areas of the office: do we allow most people to permanently delete documents? Leaving this open could lead to large-scale data loss if someone had the rights to delete a case, or a large volume of cases, and then go into the recycle bin to permanently delete them.
It is equally important to block delete rights on archived lists for most end users. I recommend that firm administrators be the ones savvy enough to restore items from the archives or recycle bin. Most Time Matters end users should then reach out when they accidentally delete a record, rather than items going missing or being misplaced.
6) Hide Personally Identifiable Information
Often when I am consulting with a Time Matters firm on customization or layout changes to their forms, I’ll hear the statement “We don’t use that field anymore.” That can be because the original customization ideas or the firm’s practice requirements have changed, but it is alarming if the field contains Personally Identifiable Information (PII) about their clients. If a firm has traditionally requested social security numbers, birthdates, tax identification numbers or other PII, extreme caution is needed about who can access these details. If the field is no longer in use, mark it as hidden. We can also create field-level exceptions in a security profile that say, in effect, “Our staff can view the client record, but on the secondary tab they will not see the client’s social security number.”
7) Set up Password Updates & Perform Security Training
Another incredibly simple tool built into Time Matters is on the security setup menu, where we can regulate how often TM passwords expire. In my example, every 90 days Albert needs to create a new, unique log-in password. Rather than just forcing team members to update passwords, we recommend office-wide security training. These sessions, just like application training for Time Matters, can cover firm practices, cybersecurity risks within Time Matters and action plans for a security breach.
One example of a network infection I discovered within Time Matters was when a client called because their normal drop-down lists in TM under their Status field did not look normal. Typically, they saw options for the status of a case such as Closed, Pending, Waiting on Client, etc. Instead, a series of characters/Chinese letters was listed. When I went to their server to open the .txt files where they were saved, I discovered they were infected with the destructive Cryptolocker virus. Because our office is also their Managed Service Provider, we had a more immediate response to lock down further files from potential infection. This example is one of many where firm members can know what to do and how to report potential security breaches or database infections/viruses when they see something out of the ordinary.
Example of the Cryptolocker:
8) Selectively let Time Matters users sync to Outlook
Firm management should be incredibly selective when deciding who at the office should have calendar or contact synchronization from Time Matters to Outlook. Imagine if everyone at the firm were given the ability to push their Time Matters contacts and calendar lists over to their Outlook account. With their own Outlook account they can then sync those lists to any number of devices – phones, tablets, laptops, etc. Instead of protecting your client’s extremely confidential information about an upcoming merger meeting, you now have that information syncing out to devices across the firm. One scenario to keep in mind: last year a firm had an employee accidentally leave their laptop in a restroom (whoops), which ended up costing the firm over $225,000 after breaking FINRA rule 3010.
Device guidelines and Time Matters security reviews are examples of the IT security policy and security training that we recommend to firms. To learn more about what security policies your firm should have in place, check out our Cybersecurity Policy Handbook.