HIPAAnotes Volume Three, September 2003
No. 36 SpyWare Demystified
Implementing the HIPAA Security Rule is not the only thing CIOs
have to worry about. The recent wave of computer viruses, worms,
and hackers has already caused billions of dollars in lost
productivity, and the healthcare industry has been sharing some
of that pain. Now another risk has popped up on the radar screen:
SpyWare.
SpyWare is now a hot topic of discussion within the security
community, but it is still a Trojan Horse under a different saddle.
Its roots lie with advertisers who wanted to track a user's web
browsing habits, and it is transforming itself into a tool hackers
can use to capture keystrokes (e.g., logins) and application data.
This feature should worry CIOs, since captured keystrokes and
application data can reveal internal network architecture information.
Armed with this information, hackers can target specific users and
capture sensitive information.
SpyWare can get into a system through several means, but the most
common is web surfing. Commercial web sites commonly use advertising
to support operations, and many of these pop-up ads carry embedded
software to track the end user's surfing habits. Armed with this
information, web site operators can target the user's interests and
deliver specific content in either pop-up ads or even spam.
Implementing sound security policies alone will not stop SpyWare,
since there are many opportunities to infect a PC without the
knowledge of the web surfer. Users do not have to take deliberate
action to download SpyWare; sometimes it loads itself simply because
a page was visited. Spam may also be used to carry the programs and
deposit them on the PC. Education can help, but don't expect it to
be a complete defense.
To make matters worse, the current generation of anti-virus software
is not designed to look for SpyWare. SpyWare may also hide behind
DLLs and registry entries that mask its true purpose. Users may install
what appear to be harmless clocks, streaming weather displays, or
other Internet-enabled productivity programs that carry SpyWare with
them. In addition, clicking on ads or visiting what appears to be a
harmless web site may infect a PC.
There are a few commercial-grade software programs, such as PestPatrol,
available to search for and destroy these programs. Firewalls are
only a facade of defense unless they are administered strictly enough
to block every outbound connection to the known SpyWare collection
sites. An Internet search for "SpyWare" will offer you several
programs to monitor the surfing habits of your teenager, but most
don't search for and destroy SpyWare. There are also a couple of
shareware tools out there, e.g., SpyBot & SpyFerret. However, being
"shareware," they lack the central management features needed to
deploy them on a 5000+ user network. A SysAdmin can still use these
programs to routinely "sample" computers for the presence of SpyWare
signatures, then locate the target IP (web) address each program
reports to. At that point, the SysAdmin can use the firewall to block
all internal attempts to reach those sites, effectively shutting down
that particular SpyWare. But with thousands of known programs, this is
only a game of cat and mouse until the security software industry
catches up.
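The "sample, locate, block" routine above, as an added example that is not from the newsletter: once a scanner run on a few sampled PCs has turned up the collection sites a SpyWare program reports to, the same host names can be searched for across the outbound proxy or firewall log to find every machine that is phoning home, and turned into deny rules. The host names, addresses and log lines are constructed for the example, the rule text is vendor-neutral, and the function names are mine.

```python
"""Fleet-wide "sample, locate, block" for SpyWare phone-home traffic.

Added example, not from the newsletter. Given the collection hosts found
by running a SpyWare scanner on a few sampled PCs, it scans constructed
outbound log lines for every internal machine that reached those hosts,
then emits one outbound deny rule per host. All names below are made up.
"""
from collections import defaultdict
import re

# Collection sites identified on the sampled PCs (hypothetical names).
KNOWN_COLLECTION_HOSTS = {
    "stats.adtracker.example",
    "collect.keylog.example",
}

# Constructed outbound log lines: "<time> <src-ip> <dst-host> <dst-port>".
SAMPLE_LOG = """\
2003-09-02T08:01:11 10.20.4.17 www.hospital.example 80
2003-09-02T08:01:15 10.20.4.17 stats.adtracker.example 80
2003-09-02T08:02:40 10.20.7.3 collect.keylog.example 8080
2003-09-02T08:03:02 10.20.4.17 stats.adtracker.example 80
2003-09-02T08:05:55 10.20.9.21 www.cdc.example 80
2003-09-02T08:06:10 10.20.7.3 stats.adtracker.example 80
2003-09-02T08:07:31 10.20.1.2 beacon.unknown-new.example 80
"""

LOG_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host, dst_port), skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield ts, src, dst, int(port)


def find_infected(log_text, collection_hosts):
    """Map each internal source IP to the known collection hosts it contacted."""
    infected = defaultdict(set)
    for _, src, dst, _ in parse_log(log_text):
        if dst in collection_hosts:
            infected[src].add(dst)
    return dict(infected)


def egress_block_rules(collection_hosts):
    """Render one outbound deny rule per collection host (vendor-neutral text)."""
    return [f"deny out to host {h} any" for h in sorted(collection_hosts)]


def unmatched_destinations(log_text, collection_hosts, known_good):
    """Destinations that are neither known collection sites nor known good.

    These are the cat-and-mouse leftovers: candidates for the next sampling
    round, not proof of infection.
    """
    seen = {dst for _, _, dst, _ in parse_log(log_text)}
    return sorted(seen - set(collection_hosts) - set(known_good))


if __name__ == "__main__":
    for src, hosts in sorted(find_infected(SAMPLE_LOG, KNOWN_COLLECTION_HOSTS).items()):
        print(f"{src} reached {', '.join(sorted(hosts))}")
    print("\n".join(egress_block_rules(KNOWN_COLLECTION_HOSTS)))
    print("review:", unmatched_destinations(
        SAMPLE_LOG, KNOWN_COLLECTION_HOSTS, {"www.hospital.example", "www.cdc.example"}))
```

The `unmatched_destinations` list is the honest part of the picture: a SpyWare program whose collection site nobody has sampled yet (the constructed `beacon.unknown-new.example` line) sails past the block list, which is exactly why the approach stays a game of cat and mouse.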
Let's also remind ourselves that the HIPAA Security Rule does require
implementation of policies to prevent dangers from malicious software.
However, as we have seen here, policies alone may not be all the
protection we need. It will take changes in the industry, awareness,
and vigilance against the threats that exist.
Author's note: Phoenix does not recommend or endorse any
of the products noted above. They are mentioned as a reference point
for CIOs to begin their search for products to help them protect
their organizations from the dangers of "SpyWare."
Clyde Hewitt, Principal
Phoenix Health Systems
No. 37 Setting the Boundaries of the Security Program
Introduction
The HIPAA Security Rule requires covered entities to protect electronic
protected health information (ePHI) by April 21, 2005. Given the
efforts already invested during the Privacy Rule implementation,
it is expected that these same covered entities can quickly identify
all of the clinical applications as systems containing ePHI and
begin to develop appropriate safeguards.
A more difficult task is to identify all computer systems that
may contain a covered entity's ePHI. Many of the larger healthcare
organizations have a Chief Information Officer (CIO) or Information
Technology (IT) Director who has responsibility for the core systems,
including servers, workstations, and the network. The responsibility
for securing these clearly rests upon the CIO or IT Director and
is likely already an organizational priority.
There are probably other computer systems outside of the span of
control of the IT department that contain ePHI. Since HIPAA doesn't
distinguish between ePHI residing in a clinical information system
and a laboratory analysis system, these other workstations must
also be protected.
Evaluating Non-IT Systems for ePHI
One of the first tasks for a covered entity's security official
should be to identify all workstations with ePHI. To complete
this task, it will be necessary to break the conventional definition
of "workstation." Workstations with ePHI will take on
the form of desktop and notebook computers with access to the clinical
and financial applications, but the Personal Digital Assistants
(PDAs) carried by many medical students are also "workstations"
under HIPAA, since they likely contain ePHI about your patient population.
Although these devices may not be owned by the covered entity, it
still has the responsibility to establish controls over their use
through appropriate policies and procedures.
The security official should also look at radiological, laboratory,
and biomedical equipment. Typically, the IT department does not
manage these systems; therefore, they may not be included in inventories
of computer systems and applications. However, this type of equipment
may very well contain ePHI. Granted, gaining unauthorized access
to an MRI or CT device is highly unlikely for the average hospital
visitor; however, the security official also needs to protect against
unauthorized disclosures to the medical equipment vendors. Maintenance
contracts with some vendors specify periodic replacement of the
hard drives. The old drives are often returned to the factory for
credit. The covered entity must ensure that any patient data on
those drives has been removed before they leave the building. The
covered entity's policies and procedures must be expanded to address
these devices as well.
Finally, look no further than a laboratory and you will find much
vendor-owned and managed or leased equipment with ePHI. In addition,
some laboratory devices are FDA-regulated so getting HIPAA-compliant
security changes is not an easy task and will require a long lead-time.
A recent "tongue-in-cheek" remark by one security official
indicated that he expects hackers to make changes to his systems
before his 486-based FDA-regulated devices are upgraded.
Summary
The bottom line is that all workstations within the organization
must be identified and appropriate security practices implemented
to ensure their protection, based on the risks to ePHI associated
with those devices. HIPAA doesn't exempt biomedical, radiological,
and laboratory equipment from the definition of workstations.
Clyde Hewitt, Principal
Phoenix Health Systems
No. 38 Beyond the Borders – Managing the Wireless Revolution
Introduction
In early September, an individual was arraigned in Raleigh for
hacking into a physician office's computer system and accessing
electronic protected health information (ePHI). After gathering
the information, he contacted patients and insurance companies to
warn them that their ePHI wasn't safe. (See story.)
The hacker did not need any tools beyond a wireless card and his
personal computer because the wireless network was unsecured. In
the past, hackers attacked modems by 'war dialing': calling number
after number and listening for the familiar screech of a modem. Once
they found a modem, they still had to guess a username and password.
Now, hackers practice "war driving," driving around searching for
Wireless Access Points (WAPs). Many of the WAPs sold today have a
range of roughly 800 feet in all directions. Other offices, and even
someone sitting in the parking lot, will likely be able to see the
WAP and gain access to the unprotected network.
Rather than guessing at usernames and passwords, once a wireless
network is detected it takes only tools readily available on the
Internet to sniff usernames and passwords off the air. In other
cases, computers behind the corporate firewall have shared drives
that are open to anyone on the network.
With the proliferation of cheap wireless devices, many under $100,
small providers may be tempted to install wireless networks in their
office rather than pay the average of $75 to $100 per network drop
just to install the Ethernet cable. The typical setup is relatively
simple and for those who have home broadband or DSL connections,
relatively non-technical. This simplicity often leads medical practices
to take the easy road and install wireless networks without considering
security.
So what does it take?
Wireless is a cheap and highly efficient solution to wiring an
office, but if sound security practices are not put into place,
wireless networks are potential "sieves" ready to leak information
to anyone with a wireless card. Today, it doesn't even require
a PC to do this, since many PDAs also have WiFi capability.
The issue facing office managers and security officials is how to
provide the capability and still maintain security. The first line of
defense is always policy. Because of the low cost, end users may be
tempted to bypass the information technology staff and install their
own wireless network. Policies and procedures must be put in place to
prohibit this behavior and to take serious action if an unauthorized
wireless network is installed. With very few exceptions, an unsecured
wireless network has no place in the healthcare environment. Nearly
all reputable vendors provide the ability to encrypt the transmission
between the WAP and the workstation. That encryption raises the bar
well above the casual eavesdropper, provided the installer took the
time to choose a non-guessable key. It should not be treated as the
last line of defense, though: the WEP encryption built into most of
today's equipment has published weaknesses that let a patient attacker
who captures enough traffic recover the key no matter how well the
passphrase was chosen.
Setting up WAP encryption normally requires a 40-, 64-, or 128-bit
encryption "key" (the 64- and 128-bit figures count a 24-bit
initialization vector that is sent in the clear, so the secret part
is 40 or 104 bits). Most setup programs derive this key from a word
or passphrase the installer types in. If the passphrase is easily
guessed, a hacker does not need to break the full 128-bit key, only
the passphrase. Imagine an installer choosing "Downtown Pathology"
as the passphrase, which the setup program turns into the key
C01CE3C8E7E433C23142F3B46B. The passphrase could certainly be
guessed from the name on the office door, but the key itself would
require a professional and a lot of luck.
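The passphrase-to-key step described above, as an added example that is not from the newsletter. There was never a standard for turning a WEP passphrase into a key, so vendors each shipped their own generator; the two below are the de facto ones most setup programs used (the Neesus Datacom generator for 40-bit keys, and MD5 over the repeated passphrase for 104-bit keys). Whether either reproduces the key quoted above for "Downtown Pathology" depends on which product generated it, so the code does not claim to. The dictionary attack at the end is the point of the paragraph: given the key, an attacker tries passphrases, not keys. Function names are mine.

```python
"""De facto WEP passphrase-to-key generators and a passphrase dictionary attack.

Added example, not code from the newsletter or any vendor. Two generators
that were widely copied between products (no IEEE standard defined them):
  * 40-bit ("64-bit") keys: Neesus Datacom generator. The passphrase bytes
    are XORed into a 32-bit seed that is stepped through a linear
    congruential generator; four keys of 5 bytes come out.
  * 104-bit ("128-bit") keys: MD5 over the passphrase repeated to 64 bytes,
    first 13 bytes of the digest.
"""
import hashlib


def wep40_keys(passphrase):
    """Return the four 5-byte keys (hex strings) the Neesus generator derives."""
    data = passphrase.encode("ascii")
    seed = 0
    for i, b in enumerate(data):
        seed ^= b << (8 * (i % 4))          # byte i lands in seed byte i mod 4
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)  # only seed bits 16..23 are output
        keys.append(key.hex().upper())
    return keys


def wep104_key(passphrase):
    """Return the 13-byte key (26 hex digits) from the MD5-based generator."""
    if not passphrase:
        raise ValueError("passphrase must be non-empty")
    data = passphrase.encode("ascii")
    buf = bytes(data[i % len(data)] for i in range(64))  # repeat to 64 bytes
    return hashlib.md5(buf).digest()[:13].hex().upper()


def guess_passphrase(target_key_hex, candidates):
    """Dictionary attack: return the first candidate whose derived key matches.

    Works for either key length; the attacker never touches the cipher, only
    the (much smaller) space of likely passphrases.
    """
    target = target_key_hex.upper()
    for cand in candidates:
        if not cand:
            continue
        if wep104_key(cand) == target or target in wep40_keys(cand):
            return cand
    return None


if __name__ == "__main__":
    # Constructed wordlist: the kind of guesses a visitor could make from the sign.
    wordlist = ["password", "pathology", "Downtown Pathology", "downtown"]
    key = wep104_key("Downtown Pathology")
    print("104-bit key:", key)
    print("recovered passphrase:", guess_passphrase(key, wordlist))
    print("40-bit keys:", wep40_keys("Downtown Pathology"))
```

The 40-bit generator is weaker than even a guessable passphrase suggests: ASCII characters never set the top bit of a byte, and the LCG's output bytes depend only on the low 24 bits of the seed, so every 4th, 8th, 12th, ... character of the passphrase is ignored entirely and the effective key space is about 21 bits, small enough to search exhaustively without a wordlist. The assertions below exercise exactly that property.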
Next, covered entities should consider other, more robust, forms
of wireless access. Hardware and software solutions exist that require
each wireless device to log in through the WAP before gaining network
access. Unauthorized users will see the WAP, but will not see the
network behind it.
Bottom Line
Wireless networking is rapidly exploding in the healthcare environment.
The benefits are great, especially in the clinical workstation
environment. Security officials and IT staff need to build security
into the project plan before the first piece of equipment is purchased.
Without it, your organization may be the lead story on the six o'clock
news.
Clyde Hewitt, Principal
Phoenix Health Systems