Part 2: Securing Your Office Computers
April 2002
To help you better implement a system to protect sensitive patient information, last month I discussed ways that you can secure the information on your computers from outside influences.
This month, I'll focus on steps you can take to protect sensitive patient information from being accessed by unauthorized personnel inside your practice. These actions include limiting network permissions, developing a password protection and log-in policy and limiting remote access. I'll also cover points to consider when evaluating your current operating system.
NETWORK PERMISSIONS
Once the network is configured and secured from outside probes, it's essential to take steps to secure it from internal mischief. So, the first thing to do is limit the changes (accidental or intentional) that any user can make on his or her computer and on the system as a whole. This is called limiting permissions.
Only your network administrator should have authority to make system-wide changes, and many information technology experts recommend that individual users not be allowed to make any modifications to their own workstations other than customization. In other words, an employee can change the way his or her desktop looks but not the way the computer operates (for example, changing fonts in a word processing program or creating templates would be okay, but installing personal programs would not).
Permissions also give your system an added layer of file protection. You can limit employee access to selected files such as patient medical records by "locking out" unauthorized users -- for example, part-time accounting help. The network administrator can also set the system to write a detailed log showing the date, time and identification of every confidential file view.
It's also possible to set the system to restrict permissions to the World Wide Web. For example, staffers who handle insurance and billing could be given rights to access a list of HMO Web sites to research benefits and eligibility. But they couldn't access unauthorized sites for online shopping or other personal business.
And you might also consider disabling (via network permissions) or even removing CD and floppy drives from most workstations. In today's office environment, most employees have little or no need to load programs or information onto their individual hard drives or onto the system server. This should never be allowed at the local user level. Only the system administrator should load CDs or floppy disks, and then only after a thorough disinfection sweep with an up-to-date anti-virus/worm/Trojan program.
In fact, some offices are converting to "thin clients" -- workstations that are little more than a monitor, a keyboard and some memory. All of the programs and updates come from the central server, and all information from the workstations is stored there, not on local hard drives.
PASSWORD PROTECTION/LOG-IN POLICY
Certainly, everyone's aware that you must use passwords to prevent unauthorized system access. And we should all use passwords and a formal log-in protocol to identify users seeking authorized permissions.
What many unfortunately don't realize is that having password protection in place isn't enough. Left alone and unchanged, passwords can be, and often are, compromised. HIPAA will mandate that your practice has a log-in authentication process. However, the means by which you do that and the relative "strengths" of the password protocol and log-in policy will be yours to determine.
You'll definitely want to have a practice protocol specifying how passwords should be created (for example, the approved password format) and how often they must be changed. Further, it's essential that your software not allow anyone to reuse the same password -- to do so is self-defeating.
While no password protocol can be 100% "crack-proof," you still want to be certain that any password protocol doesn't make the "cracking" process any easier. A safe bet is to never allow passwords that are as easily guessed as a user's name (or name of family member), birth date, hobby (for example, "golfer") or job title/description (for example, "reception").
Most experts suggest that passwords include at least six characters, preferably more. The password should have both letters and numbers and, preferably, some characters such as the plus sign or ampersand (+&). The password is even more difficult to crack if it contains both upper- and lowercase letters.
However, and this is a big however, if your office's password protocol is so complex that it becomes too difficult to remember the password, then staff members are likely to write it down and stick the paper in a desk, wallet or purse where it can be found and used by unauthorized persons. As with a program that would allow the user to reuse the same password, this just becomes self-defeating.
(Note: One way around the problem of remembering complex passwords is to regularly issue individual key cards that would be "swiped" in a desktop card reader. Obviously, this is more costly, but if you're already using a swipe system -- perhaps for building access -- then tying it to your computer for desktop log-ins wouldn't be difficult.)
Finally, you should mandate that employees change passwords on a regular basis -- perhaps every 90 to 120 days. The system should be programmed to lock out users who fail to change passwords.
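The password rules above can be written down as a check that runs whenever a staff member picks a new password. The following Python sketch is an added example, not part of the original article or any product it mentions; the function names, the 90-day setting and the sample staff data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date

MIN_LENGTH = 6           # article: "at least six characters, preferably more"
MAX_AGE_DAYS = 90        # article: "every 90 to 120 days"; the stricter end is used
PBKDF2_ROUNDS = 100_000  # assumption: work factor for the stored history hashes


def hash_password(password, salt=None):
    """Return (salt, digest) so the history file never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """history: list of (salt, digest) pairs for the user's earlier passwords."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def policy_violations(password, personal_terms, history):
    """Hard failures: reject the password if this list is non-empty."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and numbers")
    lowered = password.lower()
    for term in personal_terms:
        # Very short terms are skipped to avoid rejecting on initials.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains easily guessed term: " + term)
    if was_used_before(password, history):
        problems.append("reuses an earlier password")
    return problems


def recommendations(password):
    """Soft advice: the article calls these preferable, not mandatory."""
    advice = []
    if not re.search(r"[^A-Za-z0-9]", password):
        advice.append("add a character such as + or &")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        advice.append("mix upper- and lowercase letters")
    return advice


def is_locked_out(last_changed, today):
    """True once the password is older than the allowed change interval."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample data for a fictional staff member.
    terms = ["Dana", "Reyes", "golfer", "reception", "1975"]
    history = [hash_password("Derm+2001clinic")]
    for candidate in ["golfer", "Derm+2001clinic", "skincare42", "Skin&Care42"]:
        print(candidate, policy_violations(candidate, terms, history),
              recommendations(candidate))
    print("locked out:", is_locked_out(date(2002, 1, 1), date(2002, 4, 15)))
```

Earlier passwords are kept only as salted hashes, so the reuse check works without storing anything an intruder could read back.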
LIMITING REMOTE ACCESS
Limiting remote access is another important component of Internet security. You should restrict all staff remote access privileges (for example, access from home) to "as-needed." And your system should log all remote access to help you determine:
* who has accessed your system from off-site
* from where that process was initiated
* what the person did during the access.
The outcome of any audit of your practice arising from a possible HIPAA problem could turn on your ability to monitor and identify such access. Note, however, that access logs are useful only to a point. An experienced hacker will delete any evidence of his activities on your system.
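To show what answering those three questions from a log looks like in practice, here is an added Python example that is not part of the original article. The log layout, the user names and the approved-user list are constructed for illustration; a real remote-access product will have its own format.

```python
from datetime import datetime

# Constructed sample log. The five-field layout (time, user, source address,
# action, target) is an assumption made for this example.
SAMPLE_LOG = """\
2002-04-02T19:14:05 dreyes 203.0.113.24 LOGIN -
2002-04-02T19:15:40 dreyes 203.0.113.24 VIEW patients/10432.rec
2002-04-02T19:21:12 dreyes 203.0.113.24 LOGOUT -
2002-04-03T23:02:51 tmills 198.51.100.7 LOGIN -
2002-04-03T23:03:30 tmills 198.51.100.7 VIEW patients/10077.rec
2002-04-03T23:04:02 tmills 198.51.100.7 EDIT billing/april.xls
2002-04-03T23:05 tmills
"""

# Assumption: staff currently approved for "as-needed" remote access.
APPROVED_REMOTE_USERS = {"dreyes"}


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    stamp, user, source, action, target = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return {"when": when, "user": user, "source": source,
            "action": action, "target": target}


def summarize_remote_access(log_text, approved_users):
    """Group the log by user: who connected, from where, and what they did.

    Unreadable lines are returned by line number rather than dropped,
    because gaps in an access log are themselves relevant to an audit.
    """
    report = {}
    unparsed = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(number)
            continue
        user = report.setdefault(entry["user"], {
            "approved": entry["user"] in approved_users,
            "sources": set(),
            "activity": [],
        })
        user["sources"].add(entry["source"])
        if entry["action"] not in ("LOGIN", "LOGOUT"):
            user["activity"].append(
                (entry["when"], entry["action"], entry["target"]))
    return report, unparsed


if __name__ == "__main__":
    report, unparsed = summarize_remote_access(SAMPLE_LOG, APPROVED_REMOTE_USERS)
    for name, info in sorted(report.items()):
        status = "approved" if info["approved"] else "NOT APPROVED"
        print(name, status, "from", sorted(info["sources"]))
        for when, action, target in info["activity"]:
            print("   ", when.isoformat(), action, target)
    print("unreadable log lines:", unparsed)
```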
CHOOSING SOFTWARE
Any discussion of Internet and computer security, HIPAA or otherwise, eventually must address a fundamental and critical concern -- which operating system and ancillary software will you use?
By now everyone must know that some of the most popular software programs are easily compromised. For example, it's well documented that Microsoft's Outlook/Outlook Express e-mail programs can propagate certain malicious code and transmit infected attachments to those whose names appear in the programs' e-mail address books. If your system was not contaminated by Nimda, Sircam, Melissa or any of the other nasty "bugs" that made their way around the world last year, consider yourself lucky -- many of your colleagues weren't so fortunate.
MS Internet Explorer, Excel, Word and Power Point also have well-known vulnerabilities that can allow hackers unauthorized access to read, edit, and delete files or capture "cookies" (the bits of data that hold such important information as credit card numbers), or cause other mischief and damage.
Microsoft's procession of operating systems (Windows 95, 98, 98ME, NT4, NT5, 2000 and XP) has also had well-documented security problems. On Dec. 21, 2001, Microsoft actually took the extraordinary step (for Microsoft) of admitting that its new XP operating system -- promoted as the most secure operating system ever -- contained serious flaws that could allow hackers to do significant damage to any computer accessing the Internet via XP. MS advised all users to download a "patch" for XP.
This is all a bit frightening given that Microsoft products are ubiquitous and their flaws are known to hackers. Especially in light of HIPAA, if you're using Microsoft in your practice, be concerned.
While Microsoft reacts by issuing security "patches," this isn't much comfort to those whose systems have already been compromised. And despite good-faith efforts to secure one's own system, you can be left exposed when those who should know better (for example, corporate network and Internet service provider administrators) don't keep up with the required security upgrades at their end. Even Microsoft's own network servers have been breached and brought down when Microsoft engineers were too slow installing their own published patches.
TIME TO CONSIDER A DIFFERENT OPERATING SYSTEM?
So if Microsoft products are easily compromised and are hackers' preferred targets, and if using them potentially leaves your computer system so vulnerable to intrusion (resulting in a breach of the HIPAA confidentiality requirements), should you investigate switching to a different operating system and software known not to be so vulnerable? I suggest the answer is yes -- you should look into the feasibility of change. And I see two possible alternatives.
Macintosh. The first, and better known, is Macintosh. Mac software code simply isn't as easily compromised as is Microsoft's, and the number of successful attacks on Mac/Apple systems is minuscule when compared to Microsoft-based systems. And for staff used to running a PC, learning to run an Apple computer with Mac software really isn't an issue.
But converting to Macintosh might prove financially impractical for many since in addition to the software you'd also have to replace your PCs with Apples and, quite possibly, replace all ancillary hardware such as scanners and printers. Therefore, converting instead to a different PC-based software system might be more feasible for most dermatology practices.
Linux. The second viable alternative is the Linux operating system. Though not as well known as Macintosh, Linux has been around for years and is popular with its growing user and software base.
Linux runs on the same PCs that you now use to run Microsoft. So you wouldn't have to replace your computers, and you'd have to replace few, if any, printers and scanners -- a major cost savings. And, unlike Windows, you can copy Linux onto as many PCs as you want without the considerable, added cost of multiple licenses. This is a legal right granted by the Linux license but one expressly forbidden by Microsoft's license.
Significant financial pluses aside, there are numerous security points to consider when weighing the merits of Microsoft versus Linux. Here are a few:
1. Though Linux runs on PCs, Linux program code is significantly different from that of Windows. It doesn't use the infamous Windows VBScript scripting language so it's not vulnerable to the same, ubiquitous viruses, worms and Trojan horses that regularly cripple Windows-based systems. (This isn't to say that there are no "bugs" that might infect a Linux system. But they're so infrequently seen, and then typically only in test labs, that Linux program contamination is simply at the bottom of any potential worry list.)
2. File security control via "permissions" can be more effective with Linux than Windows. Networks that run on Windows 9x (any variant of Windows 95 or 98) essentially have no meaningful file security. Networks that run on NT+ (NT, 2000, or XP) with the NT File System (NTFS) can be made more secure.
Using Linux, it's simple for a knowledgeable system administrator to restrict each user's or computer's rights to move data to, from and within a hard drive. In part, this is why nasty viruses, worms and Trojan horses similar to those that take down Windows systems aren't likely to damage and are much less likely to spread on Linux computers and networks. Properly set, Linux "permissions" can stop rogue files from migrating to other files on hard drives, replicating in address books, and automatically broadcasting themselves onto networks or out to the Internet to infect other computers.
3. Insurance companies are starting to take notice of vulnerabilities. It's possible that with the security mandates added by HIPAA, your liability insurance carrier or another insurer might become wary of Windows and incentivize you to switch operating systems. Linux Magazine published a story ("NT: High-Risk for Insurance") in its August 2001 "Report from the Front" that stated:
"While it's a bit too early to be called an industry trend, CTOs and CFOs are taking notice of the decision by an insurance carrier to charge companies using Windows a premium for cracker insurance.
U.K.-based J.S. Wurzler has begun charging up to 15% more to insure companies deploying Windows NT for its Internet services. The higher premium is based on research findings that show that NT administrators aren't as well-trained as their *NIX-using counterparts, and also that there is a higher rate of turnover amongst NT admins."
(Note: The J.S. Wurzler company [www.jswum.com] specializes in insurance for the Internet and e-commerce. It has offices in the United States. Also, *NIX, above, refers to LINUX and UNIX operating systems.)
MAKING CHANGES ON THE FRONT-END
If you haven't started to make strides to protect sensitive patient information from being accessed by internal or external sources, you're running out of time. The steps I've outlined in parts 1 and 2 of this series will help you make these necessary changes on the front-end -- instead of waiting to make these changes later when the consequences could become costly.
Gil Weber is a nationally recognized author, lecturer, and practice management consultant based in Davie, FL. During a 24-year career in managed care, he has held upper level management positions with national HMOs and PPOs and served as special consultant to a regional medical group association and to a national third party administrator.
He is the author of seven books and monographs on practice management and managed care. If you have questions about this article, you may e-mail him at gil@gilweber.com, visit www.gilweber.com or call him at (954) 915-6771.
To help you better implement a system to protect sensitive patient information, last month I discussed ways that you can secure the information on your computers from outside influences.
This month, I'll focus on steps you can take to protect sensitive patient information from being accessed by unauthorized personnel inside your practice. These actions include limiting network permissions, developing a password protection and log-in policy and limiting remote access. I'll also cover points to consider when evaluating your current operating system.
NETWORK PERMISSIONS
Once the network is configured and secured from outside probes, it's essential to take steps to secure it from internal mischief. So, the first thing to do is limit the changes (accidental or intentional) that any user can make on his or her computer and on the system as a whole. This is called limiting permissions.
Only your network administrator should have authority to make system-wide changes, and many information technology experts recommend that individual users not be allowed to make any modifications to their own workstations other than customization. In other words, an employee can change the way his or her desktop looks but not the way the computer operates (for example, changing fonts in a word processing program or creating templates would be okay, but installing personal programs would not).
Permissions also give your system an added layer of file protection. You can limit employee access to selected files such as patient medical records by "locking out" unauthorized users -- for example, part-time accounting help. The network administrator can also set the system to write a detailed log showing the date, time and identification of every confidential file view.
It's also possible to set the system to restrict permissions to the World Wide Web. For example, staffers who handle insurance and billing could be given rights to access a list of HMO Web sites to research benefits and eligibility. But they couldn't access unauthorized sites for online shopping or other personal business.
And you might also consider disabling (via network permissions) or even removing CD and floppy drives from most workstations. In today's office environment, most employees have little or no need to load programs or information onto their individual hard drives or onto the system server. This should never be allowed at the local user level. Only the system administrator should load CDs or floppy disks and only then after a thorough disinfection sweep with an up-to-date anti-virus/worm/Trojans program.
In fact, some offices are converting to "thin clients" -- workstations that are little more than a monitor, a keyboard and some memory. All of the programs and updates come from the central server, and all information from the workstations is stored there, not on local hard drives.
PASSWORD PROTECTION/LOG-IN POLICY
Certainly, everyone's aware that you must use passwords to prevent unauthorized system access. And we should all use passwords and a formal log-in protocol to identify users seeking authorized permissions.
What many unfortunately don't realize is that once password protection is in place, that's not enough. Left alone and unchanged, passwords can and often are compromised. HIPAA will mandate that your practice has a log-in authentication process. However, the means by which you do that and the relative "strengths" of the password protocol and log-in policy will be yours to determine.
You'll definitely want to have a practice protocol specifying how passwords should be created (for example, the approved password format) and how often they must be changed. Further, it's essential that your software not allow anyone to reuse the same password -- to do so is self-defeating.
While no password protocol can be 100% "crack-proof," you still want to be certain that any password protocol doesn't make the "cracking" process any easier. A safe bet is to never allow passwords that are as easily guessed as a user's name (or name of family member), birth date, hobby (for example, "golfer") or job title/description (for example, "reception").
Most experts suggest that passwords include at least six characters, preferably more. The password should have both letters and numbers and, preferably, some characters such as the plus sign or ampersand (+&). The password is even more difficult to crack if it contains both upper- and lowercase letters.
However, and this is a big however, if your office's password protocol is so complex that it becomes too difficult to remember the password, then staff members are likely to write it down and stick the paper in a desk, wallet or purse where it can be found and used by unauthorized persons. As with a program that would allow the user to reuse the same password, this just becomes self-defeating.
(Note: One way around the problem of remembering complex passwords is to regularly issue individual key cards that would be "swiped" in a desktop card reader. Obviously, this is more costly, but if you're already using a swipe system -- perhaps for building access -- then tying it to your computer for desktop log-ins wouldn't be difficult.)
Finally, you should mandate that employees change passwords on a regular basis -- perhaps every 90 to 120 days. The system should be programmed to lock out users who fail to change passwords.
LIMITING REMOTE ACCESS
Limiting remote access is another important component of Internet security. You should restrict all staff remote access privileges (for example, access from home) to "as-needed." And your system should log all remote access to help you determine:
* who has accessed your system from off-site
* from where that process was initiated
* what the person did during the access.
The outcome of any audit of your practice arising from a possible HIPAA problem could turn on your ability to monitor and identify such access. Note, however, that access logs are useful only to a point. An experienced hacker will delete any evidence of his activities on your system.
CHOOSING SOFTWARE
Any discussion on Internet and computer security, HIPAA or otherwise, eventually must address a fundamental and critical concern -- Which operating system and ancillary software will you use?
By now everyone must know that some of the most popular software programs are easily compromised. For example, it's well documented that Microsoft's Outlook/Outlook Express e-mail programs can propagate certain malicious code and transmit infected attachments to those whose names appear in the programs' e-mail address books. If your system was not contaminated by Nimda, Sircam, Melissa or any of the other nasty "bugs" that made their way around the world last year, consider yourself lucky -- many of your colleagues weren't so fortunate.
MS Internet Explorer, Excel, Word and Power Point also have well-known vulnerabilities that can allow hackers unauthorized access to read, edit, and delete files or capture "cookies" (the bits of data that hold such important information as credit card numbers), or cause other mischief and damage.
Microsoft's procession of operating systems (Windows 95, 98, 98ME, NT4, NT5, 2000 and XP) also have had well-documented security problems. On Dec. 21, 2001, Microsoft actually took the extraordinary step (for Microsoft) of admitting that its new XP operating system -- promoted as the most secure operating system ever -- contained serious flaws that could allow hackers to do significant damage to any computer accessing the Internet via XP. MS advised all users to download a "patch" for XP.
This is all a bit frightening given that Microsoft products are ubiquitous and their flaws known to hackers. Especially in light of HIPAA, if you're using Microsoft in your practice, be concerned.
While Microsoft reacts by issuing security "patches," this isn't much comfort to those whose systems have already been compromised. And despite good-faith efforts to secure one's own system, you can be left exposed when those who should know better (for example, corporate network and Internet service provider administrators) don't keep up with the required security upgrades at their end. Even Microsoft's own network servers have been breached and brought down when Microsoft engineers were too slow installing their own published patches.
TIME TO CONSIDER A
DIFFERENT OPERATING SYSTEM?
So if Microsoft products are the easily compromised and preferred targets of choice for hackers, and if using them potentially leaves your computer system so vulnerable to intrusion (resulting in a breach of the HIPAA confidentiality requirements), should you investigate switching to a different operating system and software known not to be so vulnerable? I suggest the answer is yes -- you should look into the feasibility of change. And I see two possible alternatives.
Macintosh. The first, and better known, is Macintosh. Mac software code simply isn't as easily compromised as is Microsoft's, and the number of successful attacks on Mac/Apple systems is miniscule when compared to Microsoft-based systems. And for staff use to running a PC, learning to run an Apple computer with Mac software really isn't an issue.
But converting to Macintosh might prove financially impractical for many since in addition to the software you'd also have to replace your PCs with Apples and, quite possibly, replace all ancillary hardware such as scanners and printers. Therefore, converting instead to a different PC-based software system might be more feasible for most dermatology practices.
Linux. The second viable alternative is the Linux operating system. Though not as well known as Macintosh, Linux has been around for years and is popular with its growing user and software base.
Linux runs on the same PCs that you now use to run Microsoft. So you wouldn't have to replace all your computers and few, if any, printers and scanners -- a major cost savings. And, unlike Windows, you can copy Linux onto as many PCs as you want without the considerable, added cost of multiple licenses. This is a legal right granted by the Linux license but one expressly forbidden by Microsoft's license.
Significant financial pluses aside, there are numerous security points to consider when weighing the merits of Microsoft versus Linux. Here are a few:
1. Though Linux runs on PCs, Linux program code is significantly different from that of Windows. It doesn't use the infamous Windows VBScript scripting language so it's not vulnerable to the same, ubiquitous viruses, worms and Trojan horses that regularly cripple Windows-based systems. (This isn't to say that there are no "bugs" that might infect a Linux system. But they're so infrequently seen, and then typically only in test labs, that Linux program contamination is simply at the bottom of any potential worry list.)
2. File security control via "permissions" can be more effective with Linux than Windows. Networks that run on Windows 9x (any variant of Windows 95 or 98) essentially have no meaningful file security. Networks that run on NT+ (NT, 2000, or XP) with the NT File System (NTFS) can be made more secure.
Using Linux, it's simple for a knowledgeable system administrator to restrict each user's or computer's rights to move data to, from and within a hard drive. In part, this is why nasty viruses, worms and Trojan horses similar to those that take down Windows systems aren't likely to damage and are much less likely to spread on Linux computers and networks. Properly set, Linux "permissions" can stop rogue files from migrating to other files on hard drives, replicating in address books, and automatically broadcasting themselves onto networks or out to the Internet to infect other computers.
3. Insurance companies are starting to take notice of vulnerabilities. It's possible that with the security mandates added by HIPAA, your liability insurance carrier or another insurer might become wary of Windows and incentivize you to switch operating systems. Linux Magazine published a story ("NT: High-Risk for Insurance") in its August 2001 "Report from the Front" that stated:
"While it's a bit too early to be called an industry trend, CTOs and CFOs are taking notice of the decision by an insurance carrier to charge companies using Windows a premium for cracker insurance.
U.K.-based J.S. Wurzler has begun charging up to 15% more to insure companies deploying Windows NT for its Internet services. The higher premium is based on research findings that show that NT administrators aren't as well-trained as their *NIX-using counterparts, and also that there is a higher rate of turnover amongst NT admins."
(Note: The J.S. Wurzler company [www.jswum.com] specializes in insurance for the Internet and e-commerce. It has offices in the United States. Also, *NIX, above, refers to LINUX and UNIX operating systems.)
MAKING CHANGES ON THE FRONT-END
If you haven't started to make strides to protect sensitive patient information from being accessed by internal or external sources, you're running out of time. The steps I've outlined in parts 1 and 2 of this series will help you make these necessary changes on the front-end -- instead of waiting to make these changes later when the consequences could become costly. *
Gil Weber is a nationally recognized author, lecturer, and practice management consultant based in Davie, FL. During a 24-year career in managed care, he has held upper level management positions with national HMOs and PPOs and served as special consultant to a regional medical group association and to a national third party administrator.
He is the author of seven books and monographs on practice management and managed care. If you have questions about this article, you may e-mail him at either gil@gilweber.com or www.gilweber.com or call him at (954) 915-6771.
To help you better implement a system to protect sensitive patient information, last month I discussed ways that you can secure the information on your computers from outside influences.
This month, I'll focus on steps you can take to protect sensitive patient information from being accessed by unauthorized personnel inside your practice. These actions include limiting network permissions, developing a password protection and log-in policy and limiting remote access. I'll also cover points to consider when evaluating your current operating system.
NETWORK PERMISSIONS
Once the network is configured and secured from outside probes, it's essential to take steps to secure it from internal mischief. So, the first thing to do is limit the changes (accidental or intentional) that any user can make on his or her computer and on the system as a whole. This is called limiting permissions.
Only your network administrator should have authority to make system-wide changes, and many information technology experts recommend that individual users not be allowed to make any modifications to their own workstations other than customization. In other words, an employee can change the way his or her desktop looks but not the way the computer operates (for example, changing fonts in a word processing program or creating templates would be okay, but installing personal programs would not).
Permissions also give your system an added layer of file protection. You can limit employee access to selected files such as patient medical records by "locking out" unauthorized users -- for example, part-time accounting help. The network administrator can also set the system to write a detailed log showing the date, time and identification of every confidential file view.
It's also possible to set the system to restrict permissions to the World Wide Web. For example, staffers who handle insurance and billing could be given rights to access a list of HMO Web sites to research benefits and eligibility. But they couldn't access unauthorized sites for online shopping or other personal business.
And you might also consider disabling (via network permissions) or even removing CD and floppy drives from most workstations. In today's office environment, most employees have little or no need to load programs or information onto their individual hard drives or onto the system server. This should never be allowed at the local user level. Only the system administrator should load CDs or floppy disks and only then after a thorough disinfection sweep with an up-to-date anti-virus/worm/Trojans program.
In fact, some offices are converting to "thin clients" -- workstations that are little more than a monitor, a keyboard and some memory. All of the programs and updates come from the central server, and all information from the workstations is stored there, not on local hard drives.
PASSWORD PROTECTION/LOG-IN POLICY
Certainly, everyone's aware that you must use passwords to prevent unauthorized system access. And we should all use passwords and a formal log-in protocol to identify users seeking authorized permissions.
What many unfortunately don't realize is that once password protection is in place, that's not enough. Left alone and unchanged, passwords can and often are compromised. HIPAA will mandate that your practice has a log-in authentication process. However, the means by which you do that and the relative "strengths" of the password protocol and log-in policy will be yours to determine.
You'll definitely want to have a practice protocol specifying how passwords should be created (for example, the approved password format) and how often they must be changed. Further, it's essential that your software not allow anyone to reuse the same password -- to do so is self-defeating.
While no password protocol can be 100% "crack-proof," you still want to be certain that any password protocol doesn't make the "cracking" process any easier. A safe bet is to never allow passwords that are as easily guessed as a user's name (or name of family member), birth date, hobby (for example, "golfer") or job title/description (for example, "reception").
Most experts suggest that passwords include at least six characters, preferably more. The password should have both letters and numbers and, preferably, some characters such as the plus sign or ampersand (+&). The password is even more difficult to crack if it contains both upper- and lowercase letters.
However, and this is a big however, if your office's password protocol is so complex that it becomes too difficult to remember the password, then staff members are likely to write it down and stick the paper in a desk, wallet or purse where it can be found and used by unauthorized persons. As with a program that would allow the user to reuse the same password, this just becomes self-defeating.
(Note: One way around the problem of remembering complex passwords is to regularly issue individual key cards that would be "swiped" in a desktop card reader. Obviously, this is more costly, but if you're already using a swipe system -- perhaps for building access -- then tying it to your computer for desktop log-ins wouldn't be difficult.)
Finally, you should mandate that employees change passwords on a regular basis -- perhaps every 90 to 120 days. The system should be programmed to lock out users who fail to change passwords.
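The password rules in this section can be enforced by software rather than by memo. The following is an added example, not code from the original article: it treats the "preferably" items (special characters, mixed case) as requirements, picks 90 days from the suggested range, and keeps password history as salted hashes so the reuse check never needs stored plaintext. The function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from datetime import date

MIN_LENGTH = 6        # "at least six characters"
MAX_AGE_DAYS = 90     # assumption: the short end of the 90-to-120-day range

def hash_password(password, salt):
    """Salted hash, so the reuse check never needs stored plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def check_password(candidate, personal_terms, history):
    """Return the list of policy violations (empty means acceptable).

    personal_terms: names, birth dates, hobbies, job titles to reject.
    history: (salt, digest) pairs for the user's earlier passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("needs both letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs a character such as + or &")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs upper- and lowercase letters")
    lowered = candidate.lower()
    if any(term.lower() in lowered for term in personal_terms if term):
        problems.append("contains an easily guessed personal term")
    if any(hmac.compare_digest(hash_password(candidate, salt), digest)
           for salt, digest in history):
        problems.append("reuses an earlier password")
    return problems

def must_lock_out(last_changed, today):
    """True once the password is older than the allowed age."""
    return (today - last_changed).days > MAX_AGE_DAYS

if __name__ == "__main__":
    terms = ["jordan", "golfer", "reception", "1970"]   # constructed sample
    salt = b"constructed-salt"
    history = [(salt, hash_password("Tr4il+Mix&9", salt))]
    print(check_password("golfer", terms, []))
    print(check_password("Tr4il+Mix&9", terms, history))
    print(must_lock_out(date(2002, 1, 1), date(2002, 4, 15)))
```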
LIMITING REMOTE ACCESS
Limiting remote access is another important component of Internet security. You should restrict all staff remote access privileges (for example, access from home) to "as-needed." And your system should log all remote access to help you determine:
* who has accessed your system from off-site
* from where that process was initiated
* what the person did during the access.
The outcome of any audit of your practice arising from a possible HIPAA problem could turn on your ability to monitor and identify such access. Note, however, that access logs are useful only to a point. An experienced hacker will delete any evidence of his activities on your system.
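A remote-access log is only useful if someone can pull the three answers above out of it. The following added example (not from the original article) reads a constructed log whose line format, user names and addresses are assumptions, reports who connected, from where and what they did, flags users not on the "as-needed" list, and notes gaps in the record sequence numbers, which is one sign that entries have been removed.

```python
from collections import defaultdict

# Constructed sample: sequence number, time, user, source address, action.
SAMPLE_LOG = """\
101 2002-04-02T19:14 mlee 203.0.113.7 login
102 2002-04-02T19:16 mlee 203.0.113.7 viewed:schedule
103 2002-04-02T19:40 mlee 203.0.113.7 logout
105 2002-04-03T23:02 tcho 198.51.100.23 login
106 2002-04-03T23:05 tcho 198.51.100.23 viewed:patient-record
"""

APPROVED_REMOTE_USERS = {"mlee"}   # hypothetical "as-needed" list

def audit_remote_access(log_text, approved_users):
    """Return (activity by user, unapproved users, missing sequence numbers)."""
    activity = defaultdict(lambda: {"sources": set(), "actions": []})
    missing = []
    last_seq = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seq, when, user, source, action = line.split(None, 4)
        seq = int(seq)
        # A jump in the numbering means records are absent from this copy.
        if last_seq is not None and seq > last_seq + 1:
            missing.extend(range(last_seq + 1, seq))
        last_seq = seq
        activity[user]["sources"].add(source)             # from where
        activity[user]["actions"].append((when, action))  # what was done
    unapproved = sorted(u for u in activity if u not in approved_users)
    return dict(activity), unapproved, missing

if __name__ == "__main__":
    activity, unapproved, missing = audit_remote_access(
        SAMPLE_LOG, APPROVED_REMOTE_USERS)
    for user, seen in activity.items():
        print(user, sorted(seen["sources"]), seen["actions"])
    print("not approved for remote access:", unapproved)
    print("missing record numbers:", missing)
```

Keeping a second copy of the log on a machine the remote user cannot reach makes the gap check meaningful even if the local copy is altered.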
CHOOSING SOFTWARE
Any discussion on Internet and computer security, HIPAA or otherwise, eventually must address a fundamental and critical concern -- Which operating system and ancillary software will you use?
By now everyone must know that some of the most popular software programs are easily compromised. For example, it's well documented that Microsoft's Outlook/Outlook Express e-mail programs can propagate certain malicious code and transmit infected attachments to those whose names appear in the programs' e-mail address books. If your system was not contaminated by Nimda, Sircam, Melissa or any of the other nasty "bugs" that made their way around the world last year, consider yourself lucky -- many of your colleagues weren't so fortunate.
MS Internet Explorer, Excel, Word and PowerPoint also have well-known vulnerabilities that can allow hackers unauthorized access to read, edit, and delete files or capture "cookies" (the bits of data that hold such important information as credit card numbers), or cause other mischief and damage.
Microsoft's procession of operating systems (Windows 95, 98, 98ME, NT4, NT5, 2000 and XP) also has had well-documented security problems. On Dec. 21, 2001, Microsoft actually took the extraordinary step (for Microsoft) of admitting that its new XP operating system -- promoted as the most secure operating system ever -- contained serious flaws that could allow hackers to do significant damage to any computer accessing the Internet via XP. MS advised all users to download a "patch" for XP.
This is all a bit frightening given that Microsoft products are ubiquitous and their flaws known to hackers. Especially in light of HIPAA, if you're using Microsoft in your practice, be concerned.
While Microsoft reacts by issuing security "patches," this isn't much comfort to those whose systems have already been compromised. And despite good-faith efforts to secure one's own system, you can be left exposed when those who should know better (for example, corporate network and Internet service provider administrators) don't keep up with the required security upgrades at their end. Even Microsoft's own network servers have been breached and brought down when Microsoft engineers were too slow installing their own published patches.
TIME TO CONSIDER A DIFFERENT OPERATING SYSTEM?
So if Microsoft products are the easily compromised and preferred targets of choice for hackers, and if using them potentially leaves your computer system so vulnerable to intrusion (resulting in a breach of the HIPAA confidentiality requirements), should you investigate switching to a different operating system and software known not to be so vulnerable? I suggest the answer is yes -- you should look into the feasibility of change. And I see two possible alternatives.
Macintosh. The first, and better known, is Macintosh. Mac software code simply isn't as easily compromised as is Microsoft's, and the number of successful attacks on Mac/Apple systems is minuscule when compared to Microsoft-based systems. And for staff used to running a PC, learning to run an Apple computer with Mac software really isn't an issue.
But converting to Macintosh might prove financially impractical for many since in addition to the software you'd also have to replace your PCs with Apples and, quite possibly, replace all ancillary hardware such as scanners and printers. Therefore, converting instead to a different PC-based software system might be more feasible for most dermatology practices.
Linux. The second viable alternative is the Linux operating system. Though not as well known as Macintosh, Linux has been around for years and is popular with its growing user and software base.
Linux runs on the same PCs that you now use to run Microsoft. So you wouldn't have to replace all your computers and few, if any, printers and scanners -- a major cost savings. And, unlike Windows, you can copy Linux onto as many PCs as you want without the considerable, added cost of multiple licenses. This is a legal right granted by the Linux license but one expressly forbidden by Microsoft's license.
Significant financial pluses aside, there are numerous security points to consider when weighing the merits of Microsoft versus Linux. Here are a few:
1. Though Linux runs on PCs, Linux program code is significantly different from that of Windows. It doesn't use the infamous Windows VBScript scripting language so it's not vulnerable to the same, ubiquitous viruses, worms and Trojan horses that regularly cripple Windows-based systems. (This isn't to say that there are no "bugs" that might infect a Linux system. But they're so infrequently seen, and then typically only in test labs, that Linux program contamination is simply at the bottom of any potential worry list.)
2. File security control via "permissions" can be more effective with Linux than Windows. Networks that run on Windows 9x (any variant of Windows 95 or 98) essentially have no meaningful file security. Networks that run on NT+ (NT, 2000, or XP) with the NT File System (NTFS) can be made more secure.
Using Linux, it's simple for a knowledgeable system administrator to restrict each user's or computer's rights to move data to, from and within a hard drive. In part, this is why nasty viruses, worms and Trojan horses similar to those that take down Windows systems aren't likely to damage and are much less likely to spread on Linux computers and networks. Properly set, Linux "permissions" can stop rogue files from migrating to other files on hard drives, replicating in address books, and automatically broadcasting themselves onto networks or out to the Internet to infect other computers.
3. Insurance companies are starting to take notice of vulnerabilities. It's possible that with the security mandates added by HIPAA, your liability insurance carrier or another insurer might become wary of Windows and incentivize you to switch operating systems. Linux Magazine published a story ("NT: High-Risk for Insurance") in its August 2001 "Report from the Front" that stated:
"While it's a bit too early to be called an industry trend, CTOs and CFOs are taking notice of the decision by an insurance carrier to charge companies using Windows a premium for cracker insurance.
U.K.-based J.S. Wurzler has begun charging up to 15% more to insure companies deploying Windows NT for its Internet services. The higher premium is based on research findings that show that NT administrators aren't as well-trained as their *NIX-using counterparts, and also that there is a higher rate of turnover amongst NT admins."
(Note: The J.S. Wurzler company [www.jswum.com] specializes in insurance for the Internet and e-commerce. It has offices in the United States. Also, *NIX, above, refers to LINUX and UNIX operating systems.)
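Point 2 above describes restricting file access with Linux permissions. As an added illustration (not from the original article), the script below walks a records directory, lists anything that users outside the owner and group can read, write or enter, and then tightens the modes. The directory layout and the 750/640 modes are assumptions, and it presumes the administrator has already assigned the directory's group to the staff allowed to see the records.

```python
import os
import stat

DIR_MODE = 0o750    # owner: full access, group: read and enter, others: none
FILE_MODE = 0o640   # owner: read and write, group: read, others: none

def find_exposed(root):
    """Return paths under root that grant any permission to 'other' users."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue            # a link's own mode bits are not meaningful
            if mode & stat.S_IRWXO:
                exposed.append(path)
    return sorted(exposed)

def lock_down(root):
    """Remove all 'other' access from every directory and file under root."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, FILE_MODE)

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()                  # constructed stand-in directory
    charts = os.path.join(root, "charts")
    os.mkdir(charts)
    os.chmod(charts, 0o755)                    # deliberately too open
    record = os.path.join(charts, "visit.txt")
    with open(record, "w") as handle:
        handle.write("constructed sample record\n")
    os.chmod(record, 0o644)                    # readable by every local user
    print("before:", find_exposed(root))
    lock_down(root)
    print("after:", find_exposed(root))
```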
MAKING CHANGES ON THE FRONT-END
If you haven't started to make strides to protect sensitive patient information from being accessed by internal or external sources, you're running out of time. The steps I've outlined in parts 1 and 2 of this series will help you make these necessary changes on the front-end -- instead of waiting to make these changes later when the consequences could become costly.
Gil Weber is a nationally recognized author, lecturer, and practice management consultant based in Davie, FL. During a 24-year career in managed care, he has held upper level management positions with national HMOs and PPOs and served as special consultant to a regional medical group association and to a national third party administrator.
He is the author of seven books and monographs on practice management and managed care. If you have questions about this article, you may e-mail him at gil@gilweber.com, visit www.gilweber.com or call him at (954) 915-6771.