small dental office advice... multiple questions :-)

pookguy88 (Gawd, joined Jan 20, 2002, 682 messages)
I've been lurking around this forum for a while and I thought I'd fire you guys a question. I'm tasked with managing a very simple small dental office network. The way they have it set up now is they have 2 separate networks: 1 network is the main network that runs the dental software and doesn't need internet access, the other network is for the personal computers in the office that need internet access. The thinking there is/was that the manager wanted to keep an internet network separate from the main network to keep the possibility of virus infection low. Now that I'm in control here, is this the best way to do this? Isn't there just a way to limit the access of certain computers from using the internet and just keep everything on 1 network? I'm using a dd-wrt Motorola router on the 2nd network.

Another roadblock is that the main network uses static IPs (non-DHCP), I'm guessing because some of the network dental equipment (x-rays mainly) uses static IPs (not sure if they are settable). Should I be using a domain controller instead?

Any advice is greatly appreciated... thanks!
 
Well, I currently do the Hardware/Network side of a 2 location dental office here and frankly I can say this.

You do not need to separate the internet, no reason to really if the employees have responsibility (easy to do in a smallish office) and if you run good AV software. You probably should be running a DC of some sort, they should already have a server as most dental software runs off of a server (in fact the one in use at the office I setup requires a server and domain to be in place to even run).

If you really want to keep the internet from some PCs for virus reasons, you have to do separate networks as one of the internet enabled machines could get a virus...it travels through the network...and boom the supposedly "internet free" PCs get infected. Better to just have all on one network and secure all of them properly IMO.

Another thing you could do is just limit PCs by MAC address for internet access if you are more worried about employee use (still does not solve the issue I described above). DD-WRT can do this.
 
Hmm, thanks for the advice, you are right. The office already has a file/app server which the dental software runs off of; is it OK to run the DC off this server as well?

Just out of curiosity, what dental software (and digital imaging system, if you are in fact using digital imaging) are you running at that office?
 
I manage a few dentist office networks.....where the chairs are not allowed internet access, they simply don't have a gateway entry in their TCP/IP properties. DHCP runs from the single server, which is a DC, as well as houses their databases for Kodak PracticeWorks, Dexis, and Sidexis.

I have another small dentist office client..only 5x PCs...they just run peer to peer with a dedicated 2Kpro box in the corner housing their database for Patterson Eaglesoft.
 
A thought: How open is management to change? Are you there simply to maintain the network, or are they expecting you to clean it up and make it "better"?

How you proceed is directly related to these questions. Were I you, this would be my goal:

1) Set up a domain, join all computers/users. Users are all limited users.
2) Install NOD32 on all workstations
3) No systems have direct access out. Default gateway prevents this. Instead, they use a proxy ( Which allows you more control and overall network protection ).
4) Users sign IT policy ( in one form or another ). This is corporation protection, so when you catch employees browsing porn or gambling, you have recourse.

That's just a start. I wouldn't do this all at once mind you, but gradually over the course of 6 or so months.

( I still manage a 4 office dental office ( 10 ops per office ) using dentrix enterprise )
 
wow, lots of great replies guys..

again, I have a few more questions that arise from your responses:

YeOldeStonecat, that's what is being done now, leaving a blank gateway in the TCP/IP properties. I want to move away from this because I want the computers to get windows updates whenever they are available.

XOR != OR,

1) I've thought about this, but how do I join the network devices (mainly the Xrays)? I'm not sure if they have some sort of web interface for me to play around with their network settings and I'm not familiar with what software/protocol they use to talk with the server. This is what concerns me the most, breaking the xrays. I know they use Sirona Xray equipment and I've gone to their site to try and find some nitty gritty tech specs but I can't find any.

I'm kind of new to the whole domain thing, I guess I should read up on it a bit (or try it at home) before I start anything at the office.
 
Well, if it's not a computer/user, you probably aren't going to join it to a domain ( active directory domain that is ). Which is fine, the only reason I would do so is for management purposes. As active directory doesn't have any facilities for the xray machines, it would be worthless even if you could.

As far as playing with the xray system, you probably won't find the information you need on the vendor's website. They always tell you to run as power or admin user, which is worthless in a locked down environment. Instead, set up a test system and start playing with it. Which reminds me of the most important thing you need to do that hasn't been mentioned yet:


BACKUPS!!!!!!

The first thing I would do, regardless of your other duties, is to verify the backup system in place or to put one in place. Learn how it works, and do test recoveries once a month so you know the process and media works. This is the most important job any system administrator has, but it's also a boring one so it never gets the attention it deserves. MAKE SURE YOUR BACKUPS WORK BEFORE YOU NEED THEM. Pretend I underlined that too.

Were I you, I'd go do that right now. Murphy is a cruel bastard, you don't want to tempt him.
 
Ok, well I guess I'll read up on domains.

I hear you on the backups. Luckily the dental program they use is called Cleardent and basically only uses SQL Server on its back end, so I think all I need to do is back up the appropriate database(s). The X-Ray raw images... I don't even think those are being backed up; those I'll have to check on.

A bit off topic, but do you know if there is a forum specifically for dental office network administration (or even medical field related)? I'm guessing not, but I figure I might as well ask.

 
The software is by Dentech at the office I manage. I actually only manage hardware/network and Dentech manages the software side (which is great since it is very complicated stuff ;) ).

I would be careful before you go in trying to join users to AD and such as you will want to first make sure you are not going to have a ton of downtime or just plain not be able to get things working again.

My main advice will be take it slow, investigate everything before you even think about changing anything.
 
YeOldeStonecat, that's what is being done now, leaving a blank gateway in the TCP/IP properties. I want to move away from this because I want the computers to get windows updates whenever they are available.

Easily solved..and actually more efficient and manageable....by installing WSUS locally on the server. Less hit on the internet, and you can control all updates when they are approved..instead of leaving it up to end users and finding out some .NET Framework update just tanked something important they all run on.
 
Easily solved..and actually more efficient and manageable....by installing WSUS locally on the server. Less hit on the internet, and you can control all updates when they are approved..instead of leaving it up to end users and finding out some .NET Framework update just tanked something important they all run on.

Just reading up on WSUS... do the computers on the network need to be on a domain for WSUS to work?
 
Just reading up on WSUS... do the computers on the network need to be on a domain for WSUS to work?


I do not believe so.

We have computers that do not connect to the internet, but still get updates from WSUS, but they are all on the domain.

I would HIGHLY suggest to put all of the computers and devices on the domain, this would simplify management so much more.
 
You don't need to hook the computers up to a domain with WSUS. You just need to push out the registry to the machines ( setup a test machine, export that part of the registry and have it run on all other client machines ).
 
How do you "push out the registry"?

Once you have a registry file ( regedit -> highlight appropriate key -> export ), you do regedit /s settings.reg at the command line on the client computers.

As this relates to WSUS, you'll have to run this as admin for the settings to take.
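Added here as an illustration, not from the thread: the kind of settings.reg the answer above describes, that is, the exported WSUS client policy keys that regedit /s would import on each workstation. The server name wsus.example.local, the port and the target group name "Operatories" are assumed placeholders.

```reg
Windows Registry Editor Version 5.00

; Constructed example of a settings.reg for WSUS clients (not from the thread).
; Keys under HKLM\SOFTWARE\Policies are policy settings: regedit /s must run as
; an administrator, and once set they lock the Automatic Updates control panel
; so end users cannot point the machine back at the public update site.
; Assumed placeholders: server wsus.example.local on port 80 (use :8530 if WSUS
; was installed on a custom web site) and the computer group "Operatories".

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; Where approved updates are downloaded from, and where status is reported to.
"WUServer"="http://wsus.example.local"
"WUStatusServer"="http://wsus.example.local"
; Client-side targeting: this machine reports into the "Operatories" group, so
; updates can be approved for the chairs separately from the front desk PCs.
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Operatories"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; 1 = use the WSUS server above instead of the public Windows Update site.
"UseWUServer"=dword:00000001
; 0 = Automatic Updates enabled.
"NoAutoUpdate"=dword:00000000
; 4 = download and install on the schedule below
; (2 = notify before download, 3 = download then notify, 5 = local admin chooses).
"AUOptions"=dword:00000004
; Day 0 = every day; time is the hour 0-23, here 03:00, outside office hours.
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
; Check in with the server every 22 hours (0x16; 22 is the maximum allowed).
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000016
; 1 = never reboot automatically while someone is logged on at the chair.
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
```

After the import, running wuauclt /detectnow on the client forces an immediate check-in so the machine shows up in the WSUS console without waiting for the detection interval.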
 
VLANs plus ACLs to keep the client machines from getting into trouble and keep them segregated from whatever...it's not rocket science :/
 
Easily solved..and actually more efficient and manageable....by installing WSUS locally on the server. Less hit on the internet, and you can control all updates when they are approved..instead of leaving it up to end users and finding out some .NET Framework update just tanked something important they all run on.

Agree with the WSUS. Also, do the machines that need internet access need to use the dental software at all? If they do not, a managed switch that supports VLANs will take care of keeping them apart.

For AV I would go Symantec or NOD32, both the managed versions.
 
That might be a bit out of budget for your small dental office. :)

One small router + one of those Dell gig-E switches ($180) should do the trick. I just recently learned some of those Dell switches do dot1Q trunking, so that's not out of reach.
 
Whoever suggests anything but NOD32 :rolleyes:

Norton and McAfee? lol, what garbage antivirus.

Run Trend Micro or Nod32 or AVG if you want freebie.

As far as Inet goes, you can block it thru routers, or just get rid of the gateway. And WSUS isn't hard to set up, but it's expensive cause you need a copy of Server 03 and a spare machine. If you're gonna go thru all that work, set up a domain, as you're gonna have to buy the copy of Server 03 anyway, and you can build a semi cheap domain server for what you need. Have Domain, WSUS, DHCP, DNS, and Folder Redirection/File Server. One place to back up etc. Then if you do that you can look into the server side version of antivirus (Trend or Nod would be my picks again).

One negative I found when fucking around with WSUS is you have to approve the Updates, so you will have to remote into the server and approve the updates and then they will push out to the machine.

I would imagine if you setup a domain server somewhere in Group Policy you can take away internet on a group of machines.

Then for backup, could be as cheap as burning a CD/DVD (since you said just the SQL database), or can go into some remote backup from Mozy.
 
There is a very good reason, aside from limiting internet access, to segment the networks: the Health Insurance Portability and Accountability Act.

Read this:
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#The_Security_Rule

You do not want to go down the road and get dragged into a lawsuit because someone gains unauthorized access to the network you maintain.

Here is a snippet:

Physical Safeguards - controlling physical access to protect against inappropriate access to protected data

Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)

Access to equipment containing health information should be carefully controlled and monitored.

Access to hardware and software must be limited to properly authorized individuals.

Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.

Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.

If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.

Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.

Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.

Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.

Covered entities must also authenticate entities it communicates with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.

Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.

In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.

Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)

This should answer your questions. Now most offices are far from HIPAA compliant, but I highly doubt you wanna be the one explaining why you didn't follow practices, since I'm sure the dr office is not going to take the blame for not complying.
 
And WSUS isn't hard to setup, but its expensive cause you need a copy of Server 03 and a Spare machine. If your gonna go thru all that work, setup a domain as your gonna have to buy the copy of Server 03, and you can build a semi cheap domain server for what you need.

I didn't see where he stated what OS their existing server is...he may already have 2K3....and an office this small...I'd run it off their existing server...it's not intensive on small network.
 
I didn't see where he stated what OS their existing server is...he may already have 2K3....and an office this small...I'd run it off their existing server...it's not intensive on small network.

I didn't read that he had a server.

I skipped over all that, either way if he has a server, he can run Domain, and WSUS without any strain
 
What's the best way to set up 2 VLANs? I have a dd-wrt router at my disposal but I'm not sure if that would be the best way to implement the VLANs. I basically need one DHCP VLAN (for the 'do whatever/surf the web' network) and one static IP/non-DHCP VLAN for the main office network.

Thanks again!

PS, yes I do believe Win 2k3 server is the OS on the server right now
 
dd-wrt does it, I have a VLAN running like that at my work.

192.168.1.x (main office, with server 2003 running dhcp and dns), 192.168.2.x (client machines with a test server 2003 running dhcp and dns).

The 192.168.1.x network can talk to 192.168.2.x (only through IP, DNS name doesn't work), but 192.168.2.x can't.

Personally I would have 1 network, and just limit the machines in Active Directory for no internet access (sure you can do it in Active Directory).

that way they can all be on the domain
 
also the dd-wrt thing has been dead stable.

I've used it for like 5-6 months now, copied directly off of the how-to on the dd-wrt forums.

Just modified it when I added the DHCP servers into the mix.

Anyone know why I can't communicate from 1.x to 2.x using DNS names?
 
One thing I would suggest is you check out Windows SBS. Managing an SBS server is pretty easy and it can take care of most of the recommendations here.
 