HIPAA/SECURE: Security Q/A
September 2003


"Worms, Viruses, and Trojan Horses:
A Dangerous New Battlefront for Healthcare"

by Clyde Hewitt, Principal, Phoenix Health Systems

August 2003 marked a unique milestone for the global wired community: a record four major Internet "worms" attacked hundreds of thousands of computers worldwide, wreaking economic damages in the billions of dollars. The New York Times reported that at the epidemic's peak in mid-August, emails infected with the "SoBig" worm accounted for 73% of email traffic worldwide – creating the most aggressive online virus attack ever. While two individuals were arrested for creating much of this virtual havoc, the arrests did not slow the spread of these epidemics, nor prevent similar future attacks. Copycat programmers and others intent on spreading damage continue to capitalize on the publicity that invariably accompanies major computer virus attacks.

The trend is clear: computer users are seeing – and will continue to see – an increase in computer infestations, and must be equally proactive in keeping defensive systems updated to avoid being impacted.

What are Viruses, Worms and Trojan Horses?

A computer virus is a man-made program or piece of code, often disguised, that replicates itself and causes unexpected and typically negative effects upon computers, applications and networks. A worm is a viral variant that "worms" its way into the active memory of a computer and then duplicates itself, often sending clones of itself on to other computers through E-mail or other vehicles. A Trojan Horse is not considered a virus, because it doesn't replicate itself. Nevertheless, Trojan programs, which pretend to be benign, may be just as malicious since they can capture sensitive information and compromise information by clandestinely sending it to an outside entity.

How Worms, Viruses, and Trojan Horses Hurt Healthcare

Some healthcare CIOs, who contend with many important operational issues, would like to put computer viruses, worms, Trojan Horses and other viral variations at the bottom of their priority list. But computer pests can potentially stop an organization in its tracks. An infection may cause a loss of computing power. Servers and workstations either slow down or quit responding. In addition, network bandwidth and Internet connections (a primary means of communication with other organizations) may slow so much that essential performance is affected. Healthcare organizations that depend on the Internet, especially those running remote Application Service Provider (ASP) programs, may not be able to connect because Internet response time can be substantially degraded by the additional traffic created by infected emails.

In addition, removing worms, viruses, and Trojan Horses from systems requires countless hours that otherwise could be more productive. Even more painful is the lost productivity of clinical and administrative workers while systems are shut down during the clean-up process.

Identifying Vulnerabilities

The need to take precautions is obvious. The resources spent to clean up computer pests are far greater than the resources needed to protect computer systems. What is less clear is that there is no silver bullet to protect against all potential threats. As operating systems are upgraded, systems added, and applications upgraded, each potentially opens new vulnerabilities. This creates an endless game of trying to stay one step ahead of those with malicious intent. Nevertheless, it IS possible to "win" this game – in reality, a battle – through a multi-pronged, proactive initiative:

  • Start With Your People

    Workforce members must be every organization's first line of defense against computer infections. Information technology staff should be well-versed in computer security vulnerabilities, and security requirements and approaches. Computer users need to be aware of computer pests' damaging effects and learn not to open suspicious emails. Users also need to know the organization's policies about protecting removable media and the use of the Internet. A strong training program should be implemented to ensure that all computer users know what danger signals to look for and how to call for help when needed.

  • Use Firewalls Effectively

    The second protection against computer pests is the firewall. The August 2003 wave of viruses was looking for specific open ports as vulnerabilities, specifically TCP 135, UDP 135, TCP 139, UDP 139, TCP 445 and UDP 445. Fortunately, because this list was widely published, some users turned off these vulnerable ports at their firewall, thereby protecting their organizations from those specific worms. Unfortunately, some of these ports are used by Microsoft Exchange email, so modification of the firewall settings turned off external email. The lesson learned by many is to not make changes without first understanding the consequences. Firewalls, while very effective, must be managed knowledgeably and carefully.

  • Keep Up with Security Patches

    The next level of protection against computer pests is maintaining a current version of the operating system and office application environment. During the August 2003 epidemic, wide publicity from Microsoft about installing security patches to Windows 2000 and XP operating systems helped to prevent more widespread damage. Computers with the latest updates were not vulnerable. What is not as well known is the requirement to also update security patches for office applications. Microsoft's Office has vulnerabilities that required Service Pack 2 and four additional security patches to correct. Microsoft's auto detect feature that notifies end-users of updates to its operating systems was not designed to look for security updates for the Office suite of applications. These updates must be installed manually.

  • Maintain Anti-virus Software

    Anti-virus software can protect computers against all known viruses, but the key is 'known'. If a computer's anti-virus software definition files have not been recently updated, it likely cannot detect the newer viruses. Most information technology departments take great care to update the virus definition files on servers and network computers weekly or more often, but other computers such as notebook computers also need protection. In addition, computers that are owned and managed by outside entities may not have updated protections. CIOs should implement a process to ensure that the anti-virus definition files remain current on all such machines.

  • Don't Neglect Remote Users

    Many hospitals and physician practices provide workforce members remote access to email and clinical information systems. These users connect directly via a dial-up modem or through an Internet connection after first connecting to their Internet Service Provider. Most organizations do not check to see if these other computers have current anti-virus software before permitting a connection. However, some organizations have addressed this issue by implementing liberal anti-virus site licensing programs that include home and remote users. The updated anti-virus definition files are checked and updated, if necessary, during the login process.

    In addition, many home users do not know to install the latest patches and security updates to their home machines. Brand-new computers are often unboxed with operating systems that are months behind in security patches. Further, the large size of some patches, often as great as 30 MB, prohibits the average user from installing them using a slow dial-up modem. To counter this problem, healthcare organizations should consider making patches available on CDs for their remote users and engage in an active education program with their workforce to further extend their defenses.

    Finally, the rapid proliferation of broadband and DSL service to homes and small businesses, including providers, has opened new vulnerabilities. While these services offer the benefit of high-speed Internet access, they also permit anyone on the Internet to 'see' the computer device. Users are typically unaware that they can be port scanned. Worms use this exposure to find unprotected computers and will automatically infect a machine without any user intervention. There are both hardware and software firewalls that can protect remote users. Healthcare CIOs should consider policies that require all remote users with broadband or DSL service to install some type of firewall to reduce the risk of worms infecting the remote user community, which would then potentially infect the healthcare organization's systems.
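
The lesson of the "Use Firewalls Effectively" item above, checking what a port block will cut off before applying it, can be scripted. This is an added example, not part of the original article; the rule format, the sample rulesets and the service inventory are constructed assumptions, and only the six protocol/port pairs come from the text.

```python
from dataclasses import dataclass

# The six protocol/port pairs the article lists as targeted in August 2003.
WORM_PORTS = {(p, n) for p in ("tcp", "udp") for n in (135, 139, 445)}

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port covered
    hi: int      # last destination port covered

    def matches(self, proto, port):
        return self.proto in ("any", proto) and self.lo <= port <= self.hi

def decision(rules, proto, port):
    """First matching rule wins; no match means default deny."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return "deny"

def exposed(rules):
    """Worm-targeted pairs that the inbound ruleset lets through."""
    return sorted(p for p in WORM_PORTS if decision(rules, *p) == "allow")

def impact(rules, proposed, dependencies):
    """Services that work under `rules` but lose a needed port under `proposed`."""
    broken = {}
    for service, needs in dependencies.items():
        lost = sorted(p for p in needs if decision(rules, *p) == "allow"
                      and decision(proposed, *p) == "deny")
        if lost:
            broken[service] = lost
    return broken

# Constructed sample: inbound rules on a hypothetical perimeter firewall.
CURRENT_RULES = [Rule("allow", "tcp", 25, 25), Rule("allow", "tcp", 443, 443),
                 Rule("allow", "any", 135, 139), Rule("allow", "tcp", 445, 445)]
# Proposed change: deny the six pairs ahead of the existing rules.
PROPOSED_RULES = [Rule("deny", "any", 135, 135), Rule("deny", "any", 139, 139),
                  Rule("deny", "any", 445, 445)] + CURRENT_RULES
# Constructed inventory: ports each service needs across the perimeter.
DEPENDS = {"remote mail clients (hypothetical)": {("tcp", 135), ("tcp", 443)},
           "inbound SMTP relay": {("tcp", 25)}}

if __name__ == "__main__":
    print("exposed now:", exposed(CURRENT_RULES))
    print("cut off by change:", impact(CURRENT_RULES, PROPOSED_RULES, DEPENDS))
```

A non-empty result from `impact` names the services to move, tunnel or schedule around before the block goes in.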

Drawing Your Battle Line

The bottom line is that worms, viruses, and Trojan Horses have become a major threat to healthcare operations -- and there is every indication that this threat will grow. If your organization has not already done so, it is time to draw a battle line of proactive defense. Many vulnerabilities can be addressed effectively with technology, but only when accompanied by policies, procedures, and training that provide standards and ensure follow-through by staff. CIOs must upgrade the priority of computer, network, and applications security, and provide adequate protections to all systems that access their data. With good planning, appropriate technology countermeasures, staying abreast of new vulnerabilities, and diligent, security-savvy people, your organization might just win the war against computer pests and their perpetrators.


Clyde Hewitt, M.S., is a Principal at Phoenix Health Systems, where he is responsible for consulting in program management, strategic planning and systems implementation, HIPAA compliance services, and security remediation.