FAQs

Are you looking for:

Consistent Delivery

Cutting Edge Cybersecurity

Proactive and Prevention Planning

Quick Support Response and Resolution

Transparent, Predictable Pricing

Q: What is a Managed Services Provider?

A: A Managed Service Provider (MSP) is a third-party company that manages and assumes the responsibility of a defined set of IT and technology management services to its clients. It is a strategic method of improving operations that is commonplace among large corporations as well as small and medium-size businesses, non-profit organizations, and governments. As an MSP, the team at Cooperative Systems can act as the client’s IT Department or can simply augment the IT staff that is already in place.

Q: What is the difference between a Managed Services Provider and a regular IT support company?

A: The main difference between an MSP and a regular IT support company is the type and scope of services offered. For example, an MSP focuses on preventing IT issues before they disrupt work whereas regular IT support companies concentrate only on fixing issues after they’ve occurred. This is commonly referred to as a “break/fix” model, which wastes time and valuable IT resources.

Q: What types of business are the best fit for Managed IT Services?

A: Companies in all types of industries will benefit from working with an MSP to fully outsource or augment their IT Services. There are multiple benefits to working with an MSP including predictable costs, scalability, reliable and up-to-date IT infrastructure, increased cybersecurity and reduced risk, increased efficiency and productivity, better regulatory compliance and more.

Q: Do your engineers and technicians come to my office when I need assistance?

A: Yes, when there is an issue that needs on site attention, we will dispatch one of our technicians to handle them. However, in most instances, most IT issues can be handled remotely.

Q: How quickly will my issue be resolved?

A: As quickly as possible though please keep in mind that response times will vary depending on the severity of the issue you're facing. Our goal is to address and resolve issues as soon as they occur to minimize your downtime. If an issue needs more time, we’ll send you updates until it’s settled.

Q: What certifications do your engineers have?

A: Our technical staff hold a variety of industry certifications from Cisco, Microsoft and more.

Q: What are your Helpdesk Support hours?

A: Our Helpdesk Support is always ready to help. Our process includes a dispatch team that is available 24 hours a day, 7 days a week, 365 days a year. They quickly assess the nature of your issue and quickly connect you to the right technician. Please see this page for more information on how to reach our Helpdesk Support should you need assistance.

Q: How do you charge for your services?

A: All of our services are fixed fee except for project based offerings (please contact us for more information about these). At the beginning of our relationship, we perform a thorough Assessment and Discovery process to properly analyze and recommend the best fixed fee services to meet your needs. We’ll discuss the pricing and then you’ll receive a fixed monthly service fee that covers everything we do. We value transparent pricing so that you can best manage your IT budget.

Q: How will your services help support the growth of our business?

A: A significant focus of our relationship is to ensure that your technology i well aligned with your company’s needs and goals. Part of our work together includes a comprehensive assessment, recommendations and the creation of your entire tech roadmap. In addition, under your NOAH Complete Care plan you’ll work with our vCIO advisory services that will continue to drive your long-term IT strategy. More specifically, our vCIO will hold regularly scheduled Strategic Business Review meetings to continue to review your technology and discuss any need needs that need to be addressed as well as make suggestions on how to continue to optimize your IT.

Q: What kind of cybersecurity protection should my business have?

A: We always recommend a multi-layered approach to cybersecurity. There is no one product or service that completely protects a business against all cybersecurity threats. You must implement multiple systems that provide different types of protection, as well as implement multi-vendor solutions. Learn more about our approach to cybersecurity here.

Q: How can I maintain security working from home?

A: In order to maintain security while working from home, please use the following tips:

Use a VPN to connect to your company network.
Enforce multi-factor authentication when connecting to your accounts and applications.
Ensure that any company machine you use has the latest updates, including security patches, software applications and operating systems, installed.
Use a separate computer for personal web access, if possible. Or at least minimize personal use of company equipment.
Follow the same vigilance when opening websites and emails as you would in the office.
Provide security awareness training for all of your employees so they know how to recognize and avoid common cyberattacks like spam, phishing, malware, ransomware and social engineering.

Q: Do I need a VPN to connect and work from home?

A: A VPN is not necessarily required, but it’s probably the most secure method of connectivity, and we strongly recommend it.

Q: Is remote desktop services (RDS), also known as Microsoft Terminal Services or Terminal Server, secure?

A: Direct RDS access is not secure therefore we don’t recommend it. Instead, we suggest connecting either via VPN first or implementing a Remote Desktop Gateway.

Q: Will my work email be accessible from home?

A: This is dependent on your organization's policies, but in most cases, yes. However, it’s important to work with your MSP so they can design a secure solution for remote workers that includes seamless email access, business applications, helpdesk support, and cybersecurity protection.

Q: How do I access my work files from home?

A: This is also dependent on your organization’s policies, programs, and infrastructure, but it is possible to configure remote access to files and applications. However, it’s best to work with your MSP so they can evaluate your applications, infrastructure, processes, and workflow to determine the most secure and transparent methods of gaining remote access to your sensitive corporate data.

Q. Which regulatory compliances can you help with?

A: We can assist with a variety of regulatory compliances such as CMMC, GLBA, PCI-DSS, HIPAA, FedRAMP, CMCC, NCUA, FISMA and more. Once fully onboarded, we can answer most questions on a typical IT audit.

Q. Do you offer project-based work?

A: Yes, we do. Our project-based work typically includes connectivity failover, multi-site networking/WAN, WIFI networks, cabling, eFax solutions and more. If you have other project needs, please contact us to discuss it more.

IT for Healthcare FAQs

Q: What is the Health Insurance Portability and Accountability Act (HIPAA)?

Put into federal law in 1996, HIPAA is a set of national standards put in place to protect confidential patient health information. HIPAA contains both a Privacy Rule and a Security Rule. The former covers the use and disclosure of patient’s “protected health information” (PHI) by specific entities. The latter secures only one subset of information, “electronic protected health information” (e-PHI), safeguarded by the Privacy Rule.

Q: Who is responsible for the enforcement of the HIPAA Privacy and Security Rules?

HIPAA is enforced by the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Learn more about enforcement procedures here.

Q: Does my telecom or unified communications system need to be HIPAA Compliant?

Yes. Any system (physical, verbal and electronic) that stores or transfers PHI data must be compliant. When it comes to telecom and unified communications systems, there are multiple ways PHI is stored and transferred electronically rendering it e-PHI also protected under HIPAA. These include, Caller ID information, call recording, voicemail, voicemail transcription, SMS (text), and Fax to email. It’s vital that you verify with your telecom vendor and/or managed IT Services partner that these systems are compliant with HIPAA to keep your e-PHI secure.

Q: What’s the average direct cost of a data breach for a healthcare practice?

Unfortunately, Healthcare data breaches cost the most when compared to other industries. Once a practice or provider experiences a breach, the direct costs add up fast and include establishing a crisis management team with a cybersecurity remediation company or partner to expel the intruders and re-secure the entire IT infrastructure and environment. Most practices also need to set up or hire a PR Team to managed brand reputation damage and respond to patients. Additional costs are operational downtime, fines, and or legal ramifications.

According to IBM Security’s Cost of a Data Breach Report 2021, “Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. Costs were significantly lower for some of organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.”

Data breaches are extremely expensive. You’ll save money in the long term by putting robust, enhanced cybersecurity measures in place to defend your practice.

Q: What are the indirect costs associated with a data breach?

When it comes to data breaches, there are two types of costs: the direct costs (money lost/spent) and indirect costs (brand damage, which can be felt financially). Here are some of the indirect costs:

Loss of reputation and good will.
Staff “sweat equity” needed to respond to the incident.
Loss of customers due to diminished operational confidence. (This refers to the loss of *more* customers than expected.”

Lastly, once a breach has been identified and contained, HIPAA requires what’s known as a Notification Process, in order to make all effected parties aware of the breach.

Q: How can Cooperative Systems help future proof and secure my practice?

By offering you a comprehensive IT assessment to identify your biggest cybersecurity vulnerabilities, risks and gaps. Once you know where your weaknesses are, we can then craft a plan for you to protect your company while remaining HIPAA compliant.

Q: What are some of the consequences from unplanned network downtime?

In the healthcare industry, when a network goes down unexpectedly there could be some major consequences. The first being, patient care. Some patients relay on technology fueled treatments to manage their conditions. Depending on the nature of their illness, an unplanned outage could be lift threatening.

Another major consequence is negatively impacting the Electronic Health Record (EHR) line of business application. This could severely disrupt or halt daily operations and patient reporting leading to temporary or even permanent data loss.

Q: Can I lose my medical license if my healthcare practice is found to be non-compliant?

Potentially yes and it depends on the severity of your HIPAA violations. Transgressions could lead to serious disciplinary actions such as considerable fines ($50,000K+), license suspension or revocation, and even jail time.

HIPAA standards are non-negotiable. Going forward, HIPAA compliance will be enforced at an increasing rate due to the rise in global cybersecurity risks.

Q: Is the healthcare industry targeted by cybercriminals to the same extent or amount as other industries?

In general, yes because, healthcare will be a $10 trillion+ sector by 2022. Malicious actors go where ever the money is. Cybersecurity Ventures predicts that, “Healthcare will suffer 2-3X more cyberattacks in 2021 than the average amount for other industries.”

Q: How many individuals are impacted by healthcare data breaches each year?

Unfortunately, the number of patients impacted by healthcare-related breaches is on the rise, especially with more staff working remotely. According to the Bitglass Healthcare Breach Report 2021, 26 million+ people were negatively impacted in 2020 alone. This is why investing in the most recent cybersecurity strategies and tools is vital to protecting your practice and your patients.

Q: If my practice experiences a security breach, will it be vulnerable to more attacks in the future?

Though experiencing a data breach is terrible, it doesn’t necessarily make you more vulnerable to future cyber threats. Your cyber resilience in the face of attacks comes down to the strength of your cybersecurity program. As long as you invest in new wave cybersecurity technologies such as multi-factor authentication (MFA), staff phish email trainings, endpoint detection and response (EDR) and more, you’ll be better positioned to prevent breaches from occurring. Learn more about enhanced cybersecurity options here.

We’d like to take a moment to warn you against paying ransomware hackers to recover your data. According to Cybereason’s Ransomware: The True Cost to Business report, “This research revealed that of the organizations that opted to pay a ransom demand, 80% incurred another attack. Of those who did get attacked again, nearly half (46%) said they believed it was at the hands of the same attackers, while just 34% said they believed the second attack was perpetrated by a different set of threat actors.”

It truly pays to invest in strengthening your cybersecurity program before a breach every occurs.

Q: What are some of the newer technologies being implemented to secure medical and healthcare practices like mine?

The newest cybersecurity technologies that will keep your practice safe include multi-factor authentication (MFA), staff phish email trainings, endpoint detection and response (EDR), Security information and event management (SIEM) and more.

EDR, in particular, stands out as a top priority investment. Compared to traditional security measures such as tradition antivirus software, EDR provides enhanced visibility into endpoints (computers, laptops, mobile devices, etc.) and also allows for a quicker response time should suspicious activities be detected. In addition, EDR can detect and prevent against lateral movements within your practice's network infrastructure, effectively shutting down potentially risky or unusual communications before they become an issue.

SIEM is another important component to any cybersecurity program. According to Fortinet, “Protecting today's healthcare networks requires pulling data from a number of different sources in real time. SIEM solutions allow organizations to move data that traditionally lives in a silo to a centralized location where all the threat data from across the network can be viewed through a single lens. SIEM solutions convert each piece of information into a single event and then input it into an automated analytics engine so real-time action can be taken.”

Again, due to the constantly evolving nature of today’s cyber threat environment, any tool that provides real time monitoring and reporting is vital to keeping your practice safe.

PCI FAQs

Q: What is Payment Card Industry Security Standard (PCI DSS) compliance?

A: PCI is a set of security standards put in place 2006 to protect consumers’ credit card information. It mandates that all companies that accept, process, store or transmit credit card, debit card, and pre-paid cards information must maintain a secure environment to protect this data.

The PCI standards are managed by the Payment Card Industry Security Standard Council (PCI SSC), enforced by large payment card brands (American Express, Discover, JCB, MasterCard, and Visa International), and audited by qualified PCI auditors.

In addition, The Federal Trade Commission (FTC) is responsible for regulating consumer privacy and security. This means they could play an additional role in enforcing PCI violation penalties. Learn more here.

In general, PCI compliance is required by credit card companies to ensure that online transactions are secure and protected against identity theft. The current standards can be found here.

Q: Who needs to be PCI compliant?

A: Every merchant that accepts client credit card payment and processes, stores, and transmits this data must be compliant. Even if you take credit card information over the phone, do not store the data, or work with third-party processors, you must still comply with PCI.

Q: How does a PCI audit work?

A: First, you’ll need to find and hire a qualified security assessor (QSA). QSAs are certified by the PCI Security Standards Council. Techopedia explains the audit process succinctly. “These professionals look at point-of-sale systems and other parts of a business IT architecture to determine whether internal operations meet the standard for cardholder information security. Assessors give companies a risk assessment that shows them where they stand in terms of PCI compliance.” For more information on this process, please see the PCI DSS Quick Reference Guide here.

Also, since the FTC’s mission is to protect consumers’ privacy and data, they can request more information on how PCI audits are conducted by QSAs (for an example, see here). Then, they can use this knowledge to perform a study or inform regulations.

Q. What are the different levels of PCI compliance?

A: There are four levels to PCI compliance. They are determined by the amount of credit card payments a merchant processes annually. According to ComplianceGuide.org, they are:

Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

Each level has a set of steps that must be completed in order to comply at that level.

Q: What could happen if I fail to comply with PCI standards?

A: Compliance failure increases your risk of a security breach, which can lead to hefty penalties, fines, and loss of your merchant account. If you lose your merchant account, you will no longer be able to process credit card transactions and impact your profitability.

Q: How much can non-compliance penalties cost?

A: On average, PCI penalties range from $5,000 to $100,000 per month for PCI violations. The specific amount is determined by multiple factors including the company’s PCI-DSS level, the length of time they've been in violation, and the number of clients and transactions that were negatively impacted. For example, a Level 1 company that was non-compliant for 7+ months could face up to a $100K+ monthly fine.

The penalties are distributed by the payment brands to the merchant’s bank. The bank then passes these fine onto the merchant. In addition, the bank may choose to increase the merchant’s transactions fees or end the business relationship. These penalties could be fatal for small businesses. That’s why it is essential to make sure your company is PCI compliant.

Q: What are the financial costs of a data breach?

A: There are many costs, on top of PCI penalties, when your company experiences a data breach. According to SecurityMETRICS, these costs include:

Merchant processor compromise fines: $5,000 – $50,000
Forensic investigation: $12,000 – $100,000+
Onsite QSA assessments following the breach: $20,000 – $100,000
Free credit monitoring for affected individuals: $10-$30/card
Card re-issuance penalties: $3 – $10 per card
Breach notification costs: $2,000 – $5,000+
Technology repairs: $2,000 - $10,000+
Increased in monthly card processing fees
Legal fees
Civil judgments

Q: What are other compensatory costs from PCI non-compliance?

A: If your company experiences a data breach and client credit card information is impacted, you could face a number of direct costs such as fines, penalties, breach remediation and PR brand reputation services.

However, you’ll also be responsible for compensatory costs. Not only must you notify your clients of any breaches that put their data at risk, you’ll face damage to your company reputation and client relationships.

According to Bitdefender, "..,83% of consumers in the US claim they will stop spending at a business for several months immediately after a security breach and 21% will never return to that business.”

CMMC FAQs

Looking for more information? Please see the DoD’s CMMC FAQ’s page here.

Q: What is CMMC compliance?

CMMC stands for Cybersecurity Maturity Model Certification. The purpose of this compliance process is to train, certify and verify that Defense Industrial Base (DIB) sector and Department of Defense (DoD) supply chain contractors have cybersecurity processes and practices in place to protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is stored in their information systems for job completion.

Q: Who created and oversees the CMMC program?

The CMMC program was developed by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S) in conjunction with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the DIB sector.

This comprehensive program includes cybersecurity training, certification, and a 3rd-party assessment run by the DoD and a non-profit accreditation board, comprised of industry stakeholders.

Q: Who needs to be CMMC compliant?

Prime and subcontractors must both achieve CMMC compliance before operating in the DIB sector and the DoD supply chain. This prevents the loss of intellectual property that could negatively impact U.S. technical innovations and advantages. It also safeguards national security data and interests.

The CMMC consists of five levels. Your required level of compliance is determined by the type of CUI you need access to for contract fulfillment. Typically, the DoD will state the mandatory CMMC level in their Requests for Information (RFIs) and Requests for Proposals (RFPs).

Q: What is the CMMC model framework?

The CMMC model framework is made up of maturity processes, other frameworks, and cybersecurity best practices from a variety of cybersecurity standards including National Institute of Standards and Technology (NIST), Federal Acquisition Regulation (FAR), and Defense Federal Acquisition Regulation Supplement (DFARS), and recommendations from DIB and DoD stakeholders.

To aid contractors in understanding where they stand and how to achieve cybersecurity maturity, this model serves as a benchmark against which they can measure their degree of compliance, identify areas of improvements and set goals. The model consists of the following components: processes, practices, domains and levels.

Click here to learn more about the CMMC model.

Q: What are the 5 levels of CMMC?

The CMMC model has five cumulative levels. Each level corresponds with a specific set of processes and practices that contractors must implement before advancing to the next compliance level.

Click here to learn more about the CMMC levels.

Q: What are the CMMC domains?

The CMMC model uses domains to categorize areas of cybersecurity maturity. These domains, were informed by the Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-171. There are 17 domains in total, which include:

Access Control (AC)
Asset Management (AM)
Audit and Accountability (AA)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IDA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PP)
Recovery (RE)
Risk Management (RM)
Security Assessment (SAS)
Situational Awareness (SA)
System and Communications Protections (SCP)
System and Information Integrity (SII)

Click here to learn more about these 17 domains.

Q: Where can I get the latest information about CMMC?

To get the latest information on CMMC compliance, please see the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) FAQs page here and the CMMC Accreditation Body here. These are the two resources where most of the CMMC-related materials originate.

Q: Are mobile devices compliant at level 3?

This varies from scenario to scenario and device to device. However, please compare your mobile devices to CMMC requirements and evaluate. If you need more assistance, consider hiring a CMMC consultant to help advise. Learn more about the five CMMC levels here.

Q: Is the use of public Wi-Fi compliant at level 3?

Using public Wi-Fi can pose serious cybersecurity risks. In addition, most organizations prohibit the use of public hotspots. The best ways to protect your team’s laptops during travel include using VPN, smart software firewalls and zero-trust architecture. You could also issue private cellular hotspot devices to travelling employees. Lastly, when it comes to remote works using their home Wi-Fi networks to conduct business, make sure there is a remote work agreement in place and that everyone is trained in and required to follow cyber-hygiene best practices. Learn more about the five CMMC levels here.

Q: Do I need to purchase a set of CMMC policies for my organization?

This will ultimately depend on your needs. Though there are free policy templates available, customizing them could incur fees. The most important thing is to train your team to adhere to the CMMC policies you put in place.

Q: Do I need to subscribe to a Compliance Platform?

Yes, but please exercise extreme caution when selecting a cloud-based Compliant Platform (aka a website that enables you to automatically produce your own CMMC compliance documents). You will need to thoroughly vet the vendor (and parent company, etc.) that owns, operates and runs the Compliant Platform and its hosting because any CUI you enter could be used for nefarious purposes. At least verify that the platform is owned by US citizens and based in the US. As of now, the US Government hasn’t released any security requirements for these types of platforms that interact with CUI. Please learn more here.

Q: Can employees use personal devices to connect to our network from home?

We strongly advise against this. CMMC level 1 strongly recommends limiting and controlling the use of personal devices that connect to your network and access your data. If your data is related in any way to a federal contract or CUI, then the answer is absolutely not. The best practices to follow for remote workers include issuing them a company laptop, setting them up with a virtual desktop or both. Learn more about the five CMMC levels here.

Q: When will the CMMC affect my business?

According to the CMMC Accreditation Body, all DoD Supplier will need CMMC Certification by 2025.

In addition, they suggest that you start planning your certification at least six months or more in advance based on the CMMC level you intend to apply for. Learn more about the CMMC Certification process here.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.