Most people have heard stories of malicious viruses and other Internet-borne security breaches that steal or destroy data. Many of those stories are horrifyingly true and the situation is getting worse, experts agree.
“The threats have grown exponentially, and they won’t stop growing any time soon,” said Randall Palm, Chief Technology and Information Security Director for CompTIA, a computer industry trade organization.
The stakes for small ophthalmic practices are even higher than for most other businesses, said Mr. Palm. That is because a security breach can compromise the privacy and security of patient records, which would put your practice out of HIPAA compliance. Also, small offices have fewer financial and personnel resources with which to absorb the fallout a security breach can cause.
The best way to fight off intrusions, said Mr. Palm, is to combine defenses against specific threats and to deploy some general “best practices.”
Six Best Practices
So-called best practices don’t necessarily target specific problems but rather provide an overall framework for protecting your office’s computer network.
The following best practices are practical for small ophthalmic offices, according to Mr. Palm.
1. Employ or retain a networking expert. The time when nonexperts could manage and ensure Internet security is long gone, said Mr. Palm.
“If you have a permanent connection to the Internet, you need somebody who understands security,” he said. Such permanent connections include DSL, cable and T1 lines. By contrast, a computer on a slower dial-up connection is online only intermittently and usually receives a different address each session, so it presents a smaller and less predictable target. An always-on connection is exposed around the clock, which is why hackers find it far easier to break into.
2. Maintain separate networks for day-to-day use and for confidential data. With this scheme, all users supply a user name and password to log on to the general network, but only selected users can reach confidential information such as patient data, and they do so with a second, separate user name and password. “By separating the two, it’s much more difficult to compromise the essential data,” said Mr. Palm. The practical test is that a general-purpose account, if compromised, should on its own get an intruder nowhere near the patient database.
3. Use data encryption. Encryption involves scrambling data in such a way that intruders can’t easily unscramble it. The HIPAA Security Rule treats encryption as an “addressable” specification: you must either implement it or document why a reasonable alternative meets the same need. For a small office the simplest way to satisfy that is to use it.
The key time to use encryption is when transferring or accessing confidential data via the Web, said Mr. Palm. Such access, for example, can occur when your office interacts with a third party payer or clearinghouse. Using encryption in these cases is simple to do, said Mr. Palm. Every current Web browser supports SSL (today its successor, TLS), the protocol that encrypts traffic between your browser and the site you are visiting. The other side of the transaction also must use it. You’ll know the connection is encrypted if the address begins with https:// and a padlock appears in the browser (current browsers show it in the address bar; older ones showed it at the bottom of the window). Two cautions apply. The padlock means only that the traffic is encrypted to whoever holds that site’s certificate, so check that the name shown is the payer or clearinghouse you meant to reach. And a browser warning about a site’s certificate is a reason to stop, not something to click past.
4. If you have your own server, put it in a secure, separately locked room. Servers are computers used strictly for storing and serving information over your internal local area network. If somebody steals your server, they’ve stolen all the confidential information stored on it. Some small businesses either rent space on a secure server located elsewhere or have computer consultants physically manage the server. Others, however, keep their own servers on premises. If this is the case in your practice, Mr. Palm warned, put the server in a locked room and limit who has access to that room. Encrypting the server’s disks (see best practice 3) limits what a thief can actually read, but it supplements the lock rather than replacing it.
5. Perform regular data backups and store those backups in a secure location. This is one of the most commonly discussed security needs, and it remains an essential task. Two checks matter as much as the backup itself: keep at least one copy off premises, so that the theft, fire or flood that takes the server does not take the backup with it, and restore from a backup periodically to confirm that it works. A backup that has never been restored is untested.
6. If you use a wireless LAN, make absolutely certain it is secure. Wireless Wi-Fi networking has become common in small offices. It enables physicians to carry PDAs or laptops from exam room to exam room, which provides fast access to patient records and other key information. However, wireless networks are notoriously insecure: an unprotected network can be joined by anyone within radio range, including someone in the parking lot. There are, to be sure, ways to make them secure. At a minimum, turn on WPA2 or later encryption with a long passphrase, change the access point’s default administrator password, and never rely on the older WEP scheme, which can be broken in minutes. A network expert can help you.
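Best practice 5 says to back up and to store the backup securely, and the check a practitioner adds is that the backup can be verified and restored. The following is an added example, not code from the original article or from CompTIA: it archives a folder into a zip file together with a SHA-256 manifest of every file, refuses to restore an archive whose contents no longer match the manifest, and demonstrates detection of a silently altered entry. The folder layout, file contents and the manifest name are constructed assumptions for illustration.

```python
"""Back up a folder into a zip archive with a SHA-256 manifest, then verify before restoring.

Added example, not code from the original article or from CompTIA. The folder
layout and file contents below are constructed sample data; MANIFEST_NAME and
the paths are assumptions for illustration only.
"""
from __future__ import annotations

import hashlib
import io
import json
import tempfile
import zipfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the checksum list stored inside the archive


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(source: Path) -> bytes:
    """Archive every file under `source`; record each file's SHA-256 in the manifest."""
    manifest: dict[str, str] = {}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            data = path.read_bytes()
            manifest[rel] = sha256_of(data)
            zf.writestr(rel, data)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, sort_keys=True))
    return buf.getvalue()


def verify_backup(archive: bytes) -> list[str]:
    """Return the problems found; an empty list means every file matches its recorded hash."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        if MANIFEST_NAME not in names:
            return ["manifest missing"]
        manifest = json.loads(zf.read(MANIFEST_NAME))
        for rel, digest in manifest.items():
            if rel not in names:
                problems.append(f"missing: {rel}")
            elif sha256_of(zf.read(rel)) != digest:
                problems.append(f"hash mismatch: {rel}")
        # Files that appeared after the manifest was written are just as suspicious.
        extra = names - set(manifest) - {MANIFEST_NAME}
        problems.extend(f"not in manifest: {rel}" for rel in sorted(extra))
    return problems


def restore_backup(archive: bytes, dest: Path) -> list[str]:
    """Verify first; extract only when the archive is intact. Returns the problems, if any."""
    problems = verify_backup(archive)
    if problems:
        return problems
    root = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for rel in zf.namelist():
            if rel == MANIFEST_NAME:
                continue
            target = (dest / rel)
            # Refuse entries such as "../../etc/passwd" that try to escape the restore folder.
            if root not in target.resolve().parents:
                return [f"unsafe path: {rel}"]
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(rel))
    return []


def corrupt_entry(archive: bytes, rel: str, new_data: bytes) -> bytes:
    """Simulate media corruption or tampering by rewriting one entry without touching the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, new_data if name == rel else src.read(name))
    return buf.getvalue()


def demo(workdir: Path | None = None) -> dict:
    """Create constructed sample records, back them up, restore them, and detect a tampered copy."""
    workdir = workdir or Path(tempfile.mkdtemp())
    src = workdir / "records"
    (src / "patients").mkdir(parents=True)
    (src / "patients" / "chart-0001.txt").write_text("constructed sample chart\n")
    (src / "billing.csv").write_text("claim,amount\n1,120.00\n")
    archive = make_backup(src)
    restored_ok = restore_backup(archive, workdir / "restore") == []
    tampered = corrupt_entry(archive, "billing.csv", b"claim,amount\n1,999.00\n")
    return {
        "clean_problems": verify_backup(archive),
        "restored_ok": restored_ok,
        "tampered_problems": verify_backup(tampered),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest travels inside the archive, so it detects corruption and accidental edits; an attacker who can rewrite the archive can rewrite the manifest too, which is why the off-premises copy and the restore drill are the checks that matter.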
Four Problems to Solve
After applying the best practices, it’s time to focus on specific Internet-borne threats to your data, said Mr. Palm.
The problem of spam . . . “Spam is largely a waste of your time,” said Mr. Palm. “But some spam is malicious.” That is, spam can carry viruses or trojans that give hackers access to your data.
. . . the solution: Mr. Palm strongly suggested using what he calls collaborative antispam software, which pools reports from many users to identify the sources of spam and then blocks further mail from those same sources. Mr. Palm said that collaborative antispam software, such as Mail Frontier, costs $30 per person.
The problem of spyware/adware. . . Hackers and organizations that want to know more about you have developed software that installs itself on your computer without your consent, typically after you’ve visited a malicious Web site or clicked on a link they’ve placed on the Internet. In its least malicious form, this software causes advertisements to pop up on your screen. However, such software also can record keystrokes, which lets its purveyors learn your passwords and other private information. In such cases, you may not even know that the malicious software is on your computer.
. . . the solution: Spyware/adware can be difficult to get rid of, said Mr. Palm. A number of antispyware programs are readily available from download sites such as www.download.com. Try those first. However, spyware often reinstalls itself after you think you’ve deleted it. If that happens, the only solution may be to back up your data, reformat the hard drive and reinstall Windows. When you do, restore data files only, not programs or the old system as a whole, or you will restore the spyware along with them. Another solution is to have a consultant or IT expert set up a standard (non-administrator) user account for each person on each computer. With such accounts, Windows will not install software without an administrator’s password, which effectively prevents the behind-the-scenes installation of spyware/adware. This is an annoyance in its own right, since staff then cannot install legitimate software either, but it is worth the trade-off because it also blocks installations that no antispyware program has yet learned to recognize.
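The mechanism described above, collaborative blocking, is easy to see in miniature. The following is an added example and not the code of Mail Frontier or any other product the article mentions: it records which users have reported mail from a given source, blocks a source only once a threshold of distinct users has reported it, and keys reports on the sending domain rather than the individual address. The threshold, the sender addresses and the inbox contents are constructed assumptions.

```python
"""Toy collaborative spam filter: block a source only after several distinct users report it.

Added example, not code from the original article or from any antispam product
it names. REPORT_THRESHOLD, the addresses and the messages are constructed
assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict

REPORT_THRESHOLD = 3  # assumed: distinct reporters needed before a source is blocked


class CollaborativeFilter:
    def __init__(self, threshold: int = REPORT_THRESHOLD) -> None:
        self.threshold = threshold
        # source domain -> set of users who reported it
        self.reports: dict[str, set[str]] = defaultdict(set)

    @staticmethod
    def source_of(sender: str) -> str:
        """Key reports by sending domain, not the full address: spammers rotate mailbox names."""
        return sender.rsplit("@", 1)[-1].lower()

    def report(self, user: str, sender: str) -> None:
        # A set of reporters means one user cannot push a source over the threshold
        # by reporting it again and again; the block requires agreement among users.
        self.reports[self.source_of(sender)].add(user)

    def is_blocked(self, sender: str) -> bool:
        return len(self.reports.get(self.source_of(sender), ())) >= self.threshold

    def filter_inbox(self, messages: list[tuple[str, str]]) -> tuple[list, list]:
        """Split (sender, subject) pairs into (delivered, blocked)."""
        delivered, blocked = [], []
        for sender, subject in messages:
            (blocked if self.is_blocked(sender) else delivered).append((sender, subject))
        return delivered, blocked


def demo() -> dict:
    """Constructed scenario: three staff flag one domain; one user flags another domain five times."""
    f = CollaborativeFilter()
    f.report("frontdesk", "offers@cheap-pills.example")
    f.report("billing", "deals@cheap-pills.example")
    f.report("dr-lee", "win@cheap-pills.example")
    for _ in range(5):
        f.report("frontdesk", "news@payer.example")  # repeated reports from one user do not count extra
    inbox = [
        ("promo@cheap-pills.example", "Limited offer"),
        ("claims@payer.example", "Remittance advice"),
        ("colleague@clinic.example", "Referral"),
    ]
    delivered, blocked = f.filter_inbox(inbox)
    return {"delivered": delivered, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The real products add reputation decay, weighting of trusted reporters and feedback on false positives; the part worth keeping from this sketch is that a single user, or a single compromised account, cannot get a legitimate payer or clearinghouse blocked on its own.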
The problem of hacker intrusions. . . This involves a hacker finding your computer’s address on the Internet, usually by automated scanning, and exploiting vulnerabilities in your operating system, browser and other applications to access data on your computer or network.
. . . the solution: The vulnerabilities that hackers can exploit are, typically, part of either Windows or your browser, most frequently Microsoft’s Internet Explorer. Microsoft regularly updates those products to deal with vulnerabilities even as hackers discover new weaknesses. At the very least, keep current with the latest updates (see www.windowsupdate.com), and turn on automatic updating so that patches are applied without anyone having to remember. You also can use other browsers that are more secure, such as Firefox, which is gaining popularity because it seems to have far fewer vulnerabilities than Internet Explorer. You can download Firefox for free from www.mozilla.org. In addition, use a hardware firewall, not a software firewall, said Mr. Palm. A firewall blocks connections coming in from the Internet unless a computer inside your network started the conversation. Mr. Palm noted that when a software firewall malfunctions, you are vulnerable: it fails open. Hardware firewalls are separate devices that sit between your network and the Internet, and when they malfunction, they cut off Internet access: they fail closed. That’s an annoyance, but at least it doesn’t open you up to hackers. Whichever you use, the rule to enforce is that nothing on the Internet can open a connection to a machine inside your office unless you have deliberately allowed it.
The problem of viruses and trojans . . . Trojans are programs that pose as something you want, a utility or a document, for instance, and carry a virus or other malicious code with them. If you get an e-mail with a link for downloading software, you might actually be downloading a virus. Viruses can slow down your computer, destroy data, send private information out over the Internet and even render your computer unusable.
. . . the solution: Antivirus software from vendors such as Symantec, McAfee and F-Secure has been around for years. If you don’t already have it, get it and use it. And make sure you regularly update the virus definition files used by the software. Also, instruct employees never to open e-mail or attachments from people whom they don’t know. Bear in mind that a sender’s address is easily forged and that an infected computer sends mail in its owner’s name, so an unexpected attachment deserves suspicion even when it appears to come from a colleague. E-mail attachments are the most common method of transmitting viruses, although you also can get them from malicious Web sites.
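Since attachments are named above as the most common carrier, a concrete check on them is worth showing. The following is an added example, not code from the original article or from any antivirus vendor it names: it parses a raw e-mail message, and for each attachment reports an executable extension, a double extension such as invoice.pdf.exe, and an MZ header (the signature of a Windows program) regardless of what the file is called. The block list, the sample message and the addresses in it are constructed assumptions; the “executable” bytes are a dummy header, not a real program.

```python
"""Flag risky e-mail attachments by extension, double extension and executable magic bytes.

Added example, not code from the original article or from any antivirus vendor
it names. EXECUTABLE_EXTS and ARCHIVE_EXTS are an assumed minimal block list,
and the raw message built below is constructed; it is not a real malicious sample.
"""
from __future__ import annotations

import base64
from email import message_from_bytes

# Extensions Windows will run directly (assumed minimal list; real mail gateways block more).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}  # archives hide their contents from this simple check


def risky_reasons(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment should be quarantined (empty list = looks ordinary)."""
    reasons: list[str] = []
    exts = filename.lower().split(".")[1:]  # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2:
        reasons.append(f"double extension {'.'.join(exts)}")  # e.g. invoice.pdf.exe
    if data[:2] == b"MZ":  # DOS/Windows PE header: a program, whatever the name says
        reasons.append("MZ header: Windows executable content")
    if exts and exts[-1] in ARCHIVE_EXTS:
        reasons.append("archive: contents not inspected here")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename to its reasons; attachments with no reasons are omitted."""
    findings: dict[str, list[str]] = {}
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if not filename:
            continue  # message body, not an attachment
        data = part.get_payload(decode=True) or b""
        reasons = risky_reasons(filename, data)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed message with a benign PDF, a program renamed to .pdf, and a double-extension .exe."""
    fake_pe = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 28).decode()  # dummy header only
    pdf = base64.b64encode(b"%PDF-1.4 constructed sample").decode()
    b = "boundary42"
    body = (
        "From: colleague@clinic.example\r\n"
        "To: frontdesk@practice.example\r\n"
        "Subject: Referral documents\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{b}"\r\n\r\n'
        f"--{b}\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        f'--{b}\r\nContent-Type: application/pdf; name="referral.pdf"\r\n'
        'Content-Disposition: attachment; filename="referral.pdf"\r\n'
        f"Content-Transfer-Encoding: base64\r\n\r\n{pdf}\r\n"
        f'--{b}\r\nContent-Type: application/pdf; name="chart.pdf"\r\n'
        'Content-Disposition: attachment; filename="chart.pdf"\r\n'
        f"Content-Transfer-Encoding: base64\r\n\r\n{fake_pe}\r\n"
        f"--{b}\r\nContent-Type: application/octet-stream\r\n"
        'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n'
        f"Content-Transfer-Encoding: base64\r\n\r\n{fake_pe}\r\n"
        f"--{b}--\r\n"
    )
    return body.encode()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

The point of the MZ check is that the attacker controls the filename and the declared content type, so a scanner that trusts either of them is trusting the attacker; looking at the bytes catches the renamed program that the extension rules miss.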