I n the March and April 2002 issues of Skin & Aging, I offered readers “heads-up” advisories on critical computer system and Internet security issues as they relate to the impending HIPAA regulations. I urged readers to take immediate action to upgrade office systems to prevent or reduce opportunities for external attack and internal mistakes, mischief, or malice. But two recent news stories continue to have me worried that many, if not most, computer systems remain highly vulnerable to attack. Many users simply don’t seem to appreciate the magnitude of the security issues involved, or the risks of not taking appropriate and necessary steps to prevent intrusion into their systems and the compromise of sensitive data files. Concerns About Wireless Networks The first story was on our local Ft. Lauderdale NBC TV affiliate’s evening report November 13, and also published on the station’s Web site the next day. This story dealt with the almost total lack of security that’s present on most home and business wireless computer networks. And it showed in dramatic style how easy it is for someone with a basic understanding of software programs to “crack” into an unsecured wireless network and gain access to the files stored on the associated computers. Windows Requirement The second story appeared in the September 2002 issue of Infoworld, a well-known computer journal. This was the first mention of HIPAA and patient record privacy and security issues I had ever seen in a computer “techie” magazine. The article discussed Microsoft’s onerous and potentially risky new EULA (end user licensing agreement) for Windows XP and 2000. And I found it fascinating to read a “lay” person’s precise understanding of just what a can of worms medical practices might open up by installing and using either of these Microsoft operating systems. Unsecured Wireless Networks Wireless networks are becoming very popular. Essentially a wireless network is a system whereby the computer terminals communicate with each other through simple radio transmitters and receivers rather than on hard-wire connections. The NBC reporter drove around Ft. Lauderdale residential and business districts with a computer security expert. As they cruised they used a wireless laptop computer to scan for open wireless networks (“war-driving” in techie terms). One after another they “hit” on the radio frequency broadcast signals sent out by these wireless systems. Less than 20% of the wireless networks they scanned had any security. (See the NBC story at www.nbc6.net/news/1784744/detail.html.) Effortlessly, they were able to get into numerous networks. In a particularly worrisome demonstration they sat outside a building known to house many medical practices and repeatedly accessed unsecured networks. Even more incredibly, they then used a global positioning satellite (GPS) program laid over the scanning program to identify the physical location of each compromised network! Had they been so inclined, these two would have been free to probe the systems and browse through files including confidential patient records. Everything was wide open. Further, they could have created a log showing the GPS locations of these compromised networks. That information would have allowed them or anyone else to return to any of the locations to re-access a network at any time as long as it remained unsecured. Why was all of this possible? Because those who set up and used these wireless networks had not initiated even the simplest (“no-brainer”) security protocols. They had not changed the default password in their wireless routers — the entry gateways that were broadcasting to their networks and, also, to the outside world. And any “hacker” who’s out and about conducting these network searches knows the default passwords. And, incredibly, in some cases medical practices stored their individual, staff user passwords on the computer not as encrypted data but, rather, as plain text – in a file format that anyone could read once they were on the system. By not encrypting passwords you essentially give the keys to your computer files to anyone who gets into the network. These are simply incredible security lapses. Yet, as the reporters so clearly demonstrated, they’re very common. An additional word of warning: Don’t be fooled by any naive talk that most of the “war-driving” is done by people with no malicious intent — by fun loving techies looking for an available high speed connection they can “borrow” temporarily to do nothing more than send or receive a few e-mails. HIPAA requires you to be pro-active — to take the necessary steps to protect your system from being accessed not only by malicious hackers but also by those who might have jumped on board for a little “joy-ride.” EULAs and Windows Operating Systems When installing or updating software do you ever bother to read through the multiple screens of legalese that pop up with the licensing agreement, and ask you to click “I accept”? I’d suspect you do not read all or any of the agreement. Virtually nobody does. Well, particularly in light of HIPAA requirements I suggest you do need to pay much closer attention. For Microsoft’s newest version of the End User Licensing Agreement (contained in XP’s Service Pack 1 and 2000’s Service Pack 3) gives that company the right to connect to your computer at any time to analyze the software you’re using and to make any changes of any kind at its sole discretion. If you’re using properly updated Windows 2000 or XP you have a significant HIPAA security issue and a quandary. HIPAA requires that medical practices have a “. . . compliant technical information infrastructure . . . .” The computer system must secure patient records and protect their confidentiality. But if Microsoft (or anyone else) can access your computers at will and make changes at its sole discretion, isn’t that obviously a big problem? And two other quotes from those involved with HIPAA reflect what should be every Microsoft user’s concern. A software development and management consultant opined: “I think the new SP3 (service pack 3) license terms are in direct conflict with HIPAA. Either I don’t install the service pack — and am therefore running an OS with known security holes, which HIPAA frowns upon — or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration.” And from a systems manager at a teaching hospital: “If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patient’s data, thus damaging our patient care, who is responsible?” Frightening to think about. Who is responsible if you allow others unrestricted access to your computers and there’s a problem with the confidential records? And given the well-documented history of Windows security flaws, how long will it be before we hear of hacker “exploits” piggy-backing in on Microsoft updates? (You can access the Infoworld story at www.infoworld.com/articles/op/xml/02/09/16/020916opwinman.xml.) The Cost of Complacency? We don’t know yet the actual cost consequences to a medical practice for its complacency or inattentiveness to detail regarding protection of confidential patient records. If you don’t want to be the one whose practice name goes on the first HIPAA test case, then take the time to look at your hardware and software systems. Give everything a thorough review to be certain that you’re not doing anything now and have not created scenarios that in the future might compromise your ability to secure and protect that electronic data. For more on HIPAA and computer/Internet security including suggestions for making your system less vulnerable to attack, see these Skin & Aging articles: Computer Security on the Internet and in Your Office (Part 1) March 2002. https://skinandaging.com/sa/displayArticle.cfm?articleID=article413. Securing Your Office Computers (Part 2) April 2002. https://skinandaging.com/sa/displayArticle.cfm?articleID=article803.
Computer Security Issues and HIPAA
I n the March and April 2002 issues of Skin & Aging, I offered readers “heads-up” advisories on critical computer system and Internet security issues as they relate to the impending HIPAA regulations. I urged readers to take immediate action to upgrade office systems to prevent or reduce opportunities for external attack and internal mistakes, mischief, or malice. But two recent news stories continue to have me worried that many, if not most, computer systems remain highly vulnerable to attack. Many users simply don’t seem to appreciate the magnitude of the security issues involved, or the risks of not taking appropriate and necessary steps to prevent intrusion into their systems and the compromise of sensitive data files. Concerns About Wireless Networks The first story was on our local Ft. Lauderdale NBC TV affiliate’s evening report November 13, and also published on the station’s Web site the next day. This story dealt with the almost total lack of security that’s present on most home and business wireless computer networks. And it showed in dramatic style how easy it is for someone with a basic understanding of software programs to “crack” into an unsecured wireless network and gain access to the files stored on the associated computers. Windows Requirement The second story appeared in the September 2002 issue of Infoworld, a well-known computer journal. This was the first mention of HIPAA and patient record privacy and security issues I had ever seen in a computer “techie” magazine. The article discussed Microsoft’s onerous and potentially risky new EULA (end user licensing agreement) for Windows XP and 2000. And I found it fascinating to read a “lay” person’s precise understanding of just what a can of worms medical practices might open up by installing and using either of these Microsoft operating systems. Unsecured Wireless Networks Wireless networks are becoming very popular. Essentially a wireless network is a system whereby the computer terminals communicate with each other through simple radio transmitters and receivers rather than on hard-wire connections. The NBC reporter drove around Ft. Lauderdale residential and business districts with a computer security expert. As they cruised they used a wireless laptop computer to scan for open wireless networks (“war-driving” in techie terms). One after another they “hit” on the radio frequency broadcast signals sent out by these wireless systems. Less than 20% of the wireless networks they scanned had any security. (See the NBC story at www.nbc6.net/news/1784744/detail.html.) Effortlessly, they were able to get into numerous networks. In a particularly worrisome demonstration they sat outside a building known to house many medical practices and repeatedly accessed unsecured networks. Even more incredibly, they then used a global positioning satellite (GPS) program laid over the scanning program to identify the physical location of each compromised network! Had they been so inclined, these two would have been free to probe the systems and browse through files including confidential patient records. Everything was wide open. Further, they could have created a log showing the GPS locations of these compromised networks. That information would have allowed them or anyone else to return to any of the locations to re-access a network at any time as long as it remained unsecured. Why was all of this possible? Because those who set up and used these wireless networks had not initiated even the simplest (“no-brainer”) security protocols. They had not changed the default password in their wireless routers — the entry gateways that were broadcasting to their networks and, also, to the outside world. And any “hacker” who’s out and about conducting these network searches knows the default passwords. And, incredibly, in some cases medical practices stored their individual, staff user passwords on the computer not as encrypted data but, rather, as plain text – in a file format that anyone could read once they were on the system. By not encrypting passwords you essentially give the keys to your computer files to anyone who gets into the network. These are simply incredible security lapses. Yet, as the reporters so clearly demonstrated, they’re very common. An additional word of warning: Don’t be fooled by any naive talk that most of the “war-driving” is done by people with no malicious intent — by fun loving techies looking for an available high speed connection they can “borrow” temporarily to do nothing more than send or receive a few e-mails. HIPAA requires you to be pro-active — to take the necessary steps to protect your system from being accessed not only by malicious hackers but also by those who might have jumped on board for a little “joy-ride.” EULAs and Windows Operating Systems When installing or updating software do you ever bother to read through the multiple screens of legalese that pop up with the licensing agreement, and ask you to click “I accept”? I’d suspect you do not read all or any of the agreement. Virtually nobody does. Well, particularly in light of HIPAA requirements I suggest you do need to pay much closer attention. For Microsoft’s newest version of the End User Licensing Agreement (contained in XP’s Service Pack 1 and 2000’s Service Pack 3) gives that company the right to connect to your computer at any time to analyze the software you’re using and to make any changes of any kind at its sole discretion. If you’re using properly updated Windows 2000 or XP you have a significant HIPAA security issue and a quandary. HIPAA requires that medical practices have a “. . . compliant technical information infrastructure . . . .” The computer system must secure patient records and protect their confidentiality. But if Microsoft (or anyone else) can access your computers at will and make changes at its sole discretion, isn’t that obviously a big problem? And two other quotes from those involved with HIPAA reflect what should be every Microsoft user’s concern. A software development and management consultant opined: “I think the new SP3 (service pack 3) license terms are in direct conflict with HIPAA. Either I don’t install the service pack — and am therefore running an OS with known security holes, which HIPAA frowns upon — or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration.” And from a systems manager at a teaching hospital: “If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patient’s data, thus damaging our patient care, who is responsible?” Frightening to think about. Who is responsible if you allow others unrestricted access to your computers and there’s a problem with the confidential records? And given the well-documented history of Windows security flaws, how long will it be before we hear of hacker “exploits” piggy-backing in on Microsoft updates? (You can access the Infoworld story at www.infoworld.com/articles/op/xml/02/09/16/020916opwinman.xml.) The Cost of Complacency? We don’t know yet the actual cost consequences to a medical practice for its complacency or inattentiveness to detail regarding protection of confidential patient records. If you don’t want to be the one whose practice name goes on the first HIPAA test case, then take the time to look at your hardware and software systems. Give everything a thorough review to be certain that you’re not doing anything now and have not created scenarios that in the future might compromise your ability to secure and protect that electronic data. For more on HIPAA and computer/Internet security including suggestions for making your system less vulnerable to attack, see these Skin & Aging articles: Computer Security on the Internet and in Your Office (Part 1) March 2002. https://skinandaging.com/sa/displayArticle.cfm?articleID=article413. Securing Your Office Computers (Part 2) April 2002. https://skinandaging.com/sa/displayArticle.cfm?articleID=article803.
I n the March and April 2002 issues of Skin & Aging, I offered readers “heads-up” advisories on critical computer system and Internet security issues as they relate to the impending HIPAA regulations. I urged readers to take immediate action to upgrade office systems to prevent or reduce opportunities for external attack and internal mistakes, mischief, or malice. But two recent news stories continue to have me worried that many, if not most, computer systems remain highly vulnerable to attack. Many users simply don’t seem to appreciate the magnitude of the security issues involved, or the risks of not taking appropriate and necessary steps to prevent intrusion into their systems and the compromise of sensitive data files. Concerns About Wireless Networks The first story was on our local Ft. Lauderdale NBC TV affiliate’s evening report November 13, and also published on the station’s Web site the next day. This story dealt with the almost total lack of security that’s present on most home and business wireless computer networks. And it showed in dramatic style how easy it is for someone with a basic understanding of software programs to “crack” into an unsecured wireless network and gain access to the files stored on the associated computers. Windows Requirement The second story appeared in the September 2002 issue of Infoworld, a well-known computer journal. This was the first mention of HIPAA and patient record privacy and security issues I had ever seen in a computer “techie” magazine. The article discussed Microsoft’s onerous and potentially risky new EULA (end user licensing agreement) for Windows XP and 2000. And I found it fascinating to read a “lay” person’s precise understanding of just what a can of worms medical practices might open up by installing and using either of these Microsoft operating systems. Unsecured Wireless Networks Wireless networks are becoming very popular. Essentially a wireless network is a system whereby the computer terminals communicate with each other through simple radio transmitters and receivers rather than on hard-wire connections. The NBC reporter drove around Ft. Lauderdale residential and business districts with a computer security expert. As they cruised they used a wireless laptop computer to scan for open wireless networks (“war-driving” in techie terms). One after another they “hit” on the radio frequency broadcast signals sent out by these wireless systems. Less than 20% of the wireless networks they scanned had any security. (See the NBC story at www.nbc6.net/news/1784744/detail.html.) Effortlessly, they were able to get into numerous networks. In a particularly worrisome demonstration they sat outside a building known to house many medical practices and repeatedly accessed unsecured networks. Even more incredibly, they then used a global positioning satellite (GPS) program laid over the scanning program to identify the physical location of each compromised network! Had they been so inclined, these two would have been free to probe the systems and browse through files including confidential patient records. Everything was wide open. Further, they could have created a log showing the GPS locations of these compromised networks. That information would have allowed them or anyone else to return to any of the locations to re-access a network at any time as long as it remained unsecured. Why was all of this possible? Because those who set up and used these wireless networks had not initiated even the simplest (“no-brainer”) security protocols. They had not changed the default password in their wireless routers — the entry gateways that were broadcasting to their networks and, also, to the outside world. And any “hacker” who’s out and about conducting these network searches knows the default passwords. And, incredibly, in some cases medical practices stored their individual, staff user passwords on the computer not as encrypted data but, rather, as plain text – in a file format that anyone could read once they were on the system. By not encrypting passwords you essentially give the keys to your computer files to anyone who gets into the network. These are simply incredible security lapses. Yet, as the reporters so clearly demonstrated, they’re very common. An additional word of warning: Don’t be fooled by any naive talk that most of the “war-driving” is done by people with no malicious intent — by fun loving techies looking for an available high speed connection they can “borrow” temporarily to do nothing more than send or receive a few e-mails. HIPAA requires you to be pro-active — to take the necessary steps to protect your system from being accessed not only by malicious hackers but also by those who might have jumped on board for a little “joy-ride.” EULAs and Windows Operating Systems When installing or updating software do you ever bother to read through the multiple screens of legalese that pop up with the licensing agreement, and ask you to click “I accept”? I’d suspect you do not read all or any of the agreement. Virtually nobody does. Well, particularly in light of HIPAA requirements I suggest you do need to pay much closer attention. For Microsoft’s newest version of the End User Licensing Agreement (contained in XP’s Service Pack 1 and 2000’s Service Pack 3) gives that company the right to connect to your computer at any time to analyze the software you’re using and to make any changes of any kind at its sole discretion. If you’re using properly updated Windows 2000 or XP you have a significant HIPAA security issue and a quandary. HIPAA requires that medical practices have a “. . . compliant technical information infrastructure . . . .” The computer system must secure patient records and protect their confidentiality. But if Microsoft (or anyone else) can access your computers at will and make changes at its sole discretion, isn’t that obviously a big problem? And two other quotes from those involved with HIPAA reflect what should be every Microsoft user’s concern. A software development and management consultant opined: “I think the new SP3 (service pack 3) license terms are in direct conflict with HIPAA. Either I don’t install the service pack — and am therefore running an OS with known security holes, which HIPAA frowns upon — or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration.” And from a systems manager at a teaching hospital: “If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patient’s data, thus damaging our patient care, who is responsible?” Frightening to think about. Who is responsible if you allow others unrestricted access to your computers and there’s a problem with the confidential records? And given the well-documented history of Windows security flaws, how long will it be before we hear of hacker “exploits” piggy-backing in on Microsoft updates? (You can access the Infoworld story at www.infoworld.com/articles/op/xml/02/09/16/020916opwinman.xml.) The Cost of Complacency? We don’t know yet the actual cost consequences to a medical practice for its complacency or inattentiveness to detail regarding protection of confidential patient records. If you don’t want to be the one whose practice name goes on the first HIPAA test case, then take the time to look at your hardware and software systems. Give everything a thorough review to be certain that you’re not doing anything now and have not created scenarios that in the future might compromise your ability to secure and protect that electronic data. For more on HIPAA and computer/Internet security including suggestions for making your system less vulnerable to attack, see these Skin & Aging articles: Computer Security on the Internet and in Your Office (Part 1) March 2002. https://skinandaging.com/sa/displayArticle.cfm?articleID=article413. Securing Your Office Computers (Part 2) April 2002. https://skinandaging.com/sa/displayArticle.cfm?articleID=article803.
