"Prevent Intrusions into Your Computer System (Part 2 of 2)"
A step-by-step guide to stopping both external and internal mischief
by Gil Weber, MBA
Adapted with permission from Ophthalmology Management
© Copyright, 2002. All rights reserved.
Assaults against your practice's computer system can come in a variety of ways, from both external and internal sources. Because potentially devastating damage can result from these intrusions, it's critical that you protect your system from any type of electronic mischief.
In last month's article, I focused on preventing outside "hackers" from gaining access to your computers. This month's article will primarily deal with internal security. I'll outline measures you can take to protect your system from the mistakes or malicious intentions of individuals who are actually authorized to use the system.
Once you have your network configured and secured as best you can from outside probes, it's essential to take some steps to secure it from internal mischief. The first thing to do is limit the accidental or intentional changes that any users can make on their own computers and on the system as a whole. This is called limiting permissions.
Only the network administrator should have authority to make system-wide changes, and many IT experts recommend that individual users not be allowed to make any modifications to their own work stations other than customization. Thus, an employee could change the way her desktop looks, but not the way the computer operates. For example, changing fonts in a word processing program or creating templates would be permitted, but installing personal programs would not.
Limiting permissions also gives your system an added layer of file protection. You can limit employee access to selected files such as patient medical records by "locking out" unauthorized users, such as part-time accounting help. The network administrator can also set the system to write a detailed log showing the date, time, and ID of every confidential file view.
You can also set the system to restrict permissions to the World Wide Web. For example, insurance department personnel could be given rights to access a list of HMO Web sites to look up benefits and eligibility, but wouldn't be able to access unauthorized sites for on-line shopping or other personal business.
And you might also consider disabling or even removing CD and floppy drives from most workstations. In today's office environment, there's little or no need for most employees to load programs or information onto their individual hard drives or onto the system server. And, in fact, this should never be allowed at the local user level. Only the system administrator should load CDs or floppy disks and only then after a thorough disinfection sweep with an up-to-date anti-virus/worm/Trojans program.
Some offices are converting to "thin clients" -- workstations that are little more than a monitor, a keyboard, and some memory. All of the programs and updates come from the central server, and all information from the workstations is stored there, not on local hard drives.
Develop a Password Protocol
Certainly everyone is aware that you must use passwords to prevent unauthorized system access. And we should all be using passwords and a formal log-in protocol as a means of identifying users seeking the authorized permissions just discussed.
But basic password protection alone isn't enough. Left alone and unchanged, passwords can be -- and often are -- compromised. HIPAA will mandate that practices have a log-in authentication process. However, the means by which you implement that protection, and the relative "strengths" of the password protocol and log-in policy, will be yours to determine.
You'll definitely want to have a practice protocol specifying how passwords should be created (i.e., the approved password format) and how often they must be changed. Further, it's essential that your software not allow a user to reuse the same password -- to do so is self-defeating.
While no password protocol can be made 100% "crack-proof," you still want to be certain that your password protocol doesn't make the "cracking" process any easier. Thus, never allow passwords that are as easily guessed as a user's name, the name of a family member, birth date, favorite hobby ("golfer"), or job title/description ("accountant").
Most experts suggest that the password be at least six characters, preferably more. The password should include both letters and numbers, and even some characters such as the plus sign (+) or ampersand (&). The password is even more difficult to crack if it contains both upper and lower case letters.
However, and this is a big however, if the password protocol is so complex that it becomes too difficult to remember the password, then a user will write it down and stick the paper in a desk, wallet, or purse where it can be found and used by unauthorized persons. As with a program that would allow the user to reuse the same password, this just becomes self-defeating.
(Note: one way around the problem of remembering complex passwords is to issue on a regular basis individual key cards that can be "swiped" in a desktop card reader. Obviously this is more costly, but if you're already using a swipe system for building access then tying it to your computer for desktop log-ins shouldn't be a difficult undertaking.)
Finally, you'll want to mandate that passwords be changed on a regular basis -- perhaps every 90-120 days. Your system should be programmed to lock out any user who fails to change her password by the published deadline.
Control Remote Access
Granting remote access to your system can present problems. Don't overlook this important component of Internet security. You should restrict all staff remote access privileges, such as access from home, to "as-needed." And your system should be programmed to log all remote access so that you'll always know who has gotten into your system from off-site, from where that process was initiated, and what the person did during the access. The outcome of any investigation or audit of your practice arising from a possible HIPAA problem could turn on your ability to monitor and identify such access. Note, however, that access logs are useful only to a point. An experienced hacker will delete any evidence of his activities on your system.
The Promise of Biometrics
Biometrics is an exciting, new area of computer security. You've certainly read or heard about incredible systems that can scan the retina or iris and confirm identities based on a person's unique characteristics (see, for example, www.iriscan.com). But other developmental efforts currently under way may bring us affordable biometrics sooner than we think. For example, prototype joysticks and computer mice that recognize a user's unique thumb print and "unlock" a computer based on that identification. And there are palm scanners under development to provide similar authentication. Keep your eyes open for promising new products that employ biometric technology.
Who's That Friendly Stranger?
Do you know how many of the most successful hackers get into supposedly secure corporate and government computers? They ask employees carefully focused but deceptively mundane questions. And the answers to those pointed inquiries often provide the electronic "keys" to unlocking supposedly secure systems.
Good hackers can smooth talk information out of your employees without their even being aware of the game that's being played. So your security protocols should include written rules of what can and can't be discussed with anyone. Furthermore, they should include prohibitions against discussing any office-related matters with any person who's not clearly authorized to receive such information. The old World War II adage rings true: "Loose lips sink ships."
Choose Safe Software
Any discussion on Internet and computer security, HIPAA or otherwise, eventually must address a fundamental and critical concern: Which operating system and ancillary software will you use?
By now, everyone knows that some of the most popular software programs are easily compromised. For example, it's well documented that Microsoft's Outlook/Outlook Express e-mail programs can propagate certain malicious code and transmit infected attachments to those whose names appear in the programs' e-mail address books. If your system wasn't contaminated by Nimda, Sircam, Melissa, or any of the other nasty "bugs" that made their way around the world last year, consider yourself lucky. Many of your colleagues weren't so fortunate.
MS Internet Explorer, Excel, Word, and Power Point, also have well-known vulnerabilities that can allow internal or external hackers unauthorized access to read, edit, and/or delete files, or capture "cookies" (the bits of data that hold such important information as credit card numbers), or cause other mischief and/or damage.
Microsoft's procession of operating systems (Windows 95, 98, 98ME, NT4, NT5, 2000, and XP) also have had well-documented security problems. In December of last year, Microsoft actually took the extraordinary step (for Microsoft) of admitting that its new XP operating system -- promoted as the most secure OS ever -- contained very serious flaws that could allow hackers to do significant damage to any computer accessing the Internet via XP. MS advised all users to download a "patch" for XP.
As Microsoft products are ubiquitous, and their many flaws known to hackers, this is all a bit frightening, especially in light of HIPAA. And if you're a Microsoft shop, you should be concerned. (Later in this article you'll read that others already are very concerned.)
While Microsoft reacts by issuing security "patches," this isn't much comfort to those whose systems have already been compromised. And despite good-faith efforts to secure one's own system, you can be left exposed when those who should know better (e.g., corporate network and ISP administrators) don't keep up with the required security upgrades at their end.
Change Operating Systems?
If Microsoft products are the easily compromised and preferred targets of choice for hackers, and if using them potentially leaves your computer system so vulnerable to intrusion, should you investigate switching to a different operating system and software known not to be so vulnerable? I suggest the answer is yes -- you should look into the feasibility of change. And I see two possible alternatives for your consideration.
The first and better known is MacIntosh. Mac software code simply isn't as easily compromised as Microsoft's, and the number of successful attacks on Mac/Apple systems is miniscule when compared to Microsoft-based systems. Learning to run an Apple computer with Mac software really isn't an issue.
But converting to MacIntosh might prove financially impractical for many of you, because in addition to the software you'd also have to replace your PCs with Apples and, quite possibly, replace all ancillary hardware such as scanners and printers. Therefore, converting instead to a different PC-based software system might be more feasible for most.
The second viable alternative is conversion to the Linux operating system. Though not as well known as MacIntosh, Linux has been around for years and is very popular with its rapidly growing user and software base.
Linux runs on the same PCs that you now use to run Microsoft. So you wouldn't have to replace any of your computers and few, if any, printers and scanners -- a major cost savings. And, unlike Windows, you can put a copy of Linux on as many PCs as you want without the considerable, added cost of multiple licenses. This is a legal right granted by the Linux license but expressly forbidden by Microsoft's license.
Those significant financial pluses notwithstanding, there are numerous security points to consider when weighing the merits of Microsoft vs. Linux. Here are a few.
Though Linux runs on PCs, Linux program code is significantly different from that of Windows
It doesn't use the infamous Windows VBScript scripting language and, thus, isn't vulnerable to the same, ubiquitous viruses, worms, and Trojan Horses that regularly cripple or take down Windows-based systems. (This isn't to say that there are no "bugs" that might infect a Linux system, but they're seen so infrequently, and then typically only in test labs, that Linux program contamination simply goes at the bottom of any potential worries list.)
File security control via "permissions" can be more effective with Linux than Windows
Networks run on Windows 9x essentially have no meaningful file security. Networks run on NT+ (NT, 2000, or XP) with the NT File System (NTFS) can be made more secure.
With Linux it's simple for a knowledgeable system administrator to restrict each user's or computer's rights to move data to, from, and within a hard drive. Properly set, Linux "permissions" can stop rogue files from migrating to other files on hard drives, replicating in address books, and automatically broadcasting themselves onto networks or out to the Internet to infect other computers.
Insurance companies are starting to take notice of vulnerabilities
It's just possible that with the security mandates added by HIPAA, your liability insurance carrier or another insurer might become wary of Windows and "incentivize" you to switch operating systems. While not yet an industry trend, there's anecdotal evidence that this is already happening. For example, UK-based J.S. Wurzler (www.jswum.com) has begun charging up to 15 percent more to insure companies deploying Windows NT for their Internet services.
Where Do You Stand Now?
No practice wants to believe that one day its computer system might be breached and confidential data compromised. But in today's world this is becoming more likely.
HIPAA makes it more important than ever to reduce the opportunities for hackers, crackers, and others to get into your system and create mischief. It's not optional that you do this; it's mandatory. The price for being inattentive is much too high.
Do yourself a favor and obtain a checklist of HIPAA security issues. Then go down that list to see just how well you're doing. (See the American Society of Cataract and Refractive Surgery/American Society of Ophthalmic Administrators or American Academy of Ophthalmology web sites for information on HIPAA requirements.)
If you haven't already started developing practice security protocols, it's imperative that you begin immediately. If you have any security protocols in place, you must review them and make appropriate changes to keep up with the ever more creative and devious methods of the "bad guys."
All of this is going to cost. You can invest in protective measures at the front-end or you can pay the much more costly consequences at the back-end.
Special thanks to software designer and systems consultant Rick Downes of RadSoft (http://radsoft.net) and Michael Lockard, administrator at Talley Medical-Surgical Eye Care Associates, for their contributions to this series. For an excellent guide on computer attacks and defending against them, read Counter Hack by Ed Skoudis (Prentice Hall). For a primer on network connections and Internet security see Linksys at www.linksys.com/edu
Gil Weber is an author, lecturer and practice management consultant to the managed care and ophthalmic industries. He has served as Managed Care Director for the American Academy of Ophthalmology.