Article Date: 2/1/2002

Access Denied
A four-part plan for securing your office computer system against unauthorized users.
By Richard Hom, O.D., F.A.A.O.

At any time, on any day, someone can gain access to your computer and consequently to confidential information about you and your patients. Interestingly, most damage or loss of data results not from theft or intentional acts, but from simple mistakes made by legitimate users.

Regardless of the type of threat, you should rank protecting your data at the top of your priority list. This month, I'll explain how you can guard against your own mistakes and against intentional intruder attempts.


Step 1: Securing yourself

Initial planning for computer security relies on one or more generally accepted system security principles (GASSPs) of the International Information Security Foundation. One of the foremost is the principle of proportionality.

This principle states that ". . . security controls should be commensurate with the value of the information assets and the vulnerability. . . ." In other words, if the data are valuable (and I'm assuming that any practice data are), then plan to protect them.

Assuming your data are valuable, the first defense measure you should take is limiting physical access to your computer system. This entails putting as much of your computer system behind locked doors as possible. If an intruder has physical access to your computer system, then he can defeat even the best security software.

Step 2: Checking your OS

The next best line of defense is making sure you have a robust operating system (OS) for all of your workstations and servers. If yours isn't adequate, then it's time to upgrade. Most doctors use some form of Windows on an Intel microprocessor-based computer. Therefore, the logical choice for an Intel-based workstation is Windows NT 4.0 or Windows 2000 Professional.

Unlike that of its bigger brothers, Windows NT and Windows 2000 Professional, the Windows 95/98/ME password scheme can be bypassed either by hitting cancel at the logon screen or by turning on the computer with a "startup" diskette in the floppy disk drive. With Windows NT/2000 Professional, it's difficult to log on if you don't have the correct password.

But even the best OS can be defeated by inattentive users who leave their passwords in plain view (like a password written on note paper placed next to the monitor), use easily identifiable passwords (like names of pets or family members or birth dates) or don't change their passwords often enough (passwords that haven't been changed in years).

Smart cards (credit card-like memory devices) were one of the first attempts to avoid passwords. You insert the card into a special slot in the computer, which reads it for information that identifies you as a legitimate user. Unfortunately, like keys, these cards are easy to steal.

A newer technology, called biometrics, captures fingerprints, images of the iris, retina or face and even speech and compares them to a stored image or speech pattern to authenticate logon. Biometrics is ideal because it isn't exchangeable or easily forgotten as are passwords and it can't be forged and copied like keys. Biometrics once cost thousands of dollars per user, but is now available for a couple of hundred dollars per user.

Step 3: Backing up

Another vital component of security is reliably and consistently backing up your computer data. Timely backups correct the damage caused either by an intruder or by a user. But backups are useless if you do them too infrequently or unreliably. A rule of thumb is to run a complete, full backup once a week and incremental backups daily. If your data change infrequently, then you can lengthen the interval. Likewise, if the data change at a high rate, then I would advise more frequent backups.
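The weekly-full, daily-incremental rule of thumb can be checked against a backup log, as in this added example (not part of the original article). The catalogue is constructed sample data, and the code assumes each incremental holds the changes since the previous backup, so one failed backup ends the consistent restore chain.

```python
from collections import namedtuple
from datetime import datetime, timedelta

FULL_MAX_AGE = timedelta(weeks=1)  # article's rule of thumb: full backup weekly
INCR_MAX_GAP = timedelta(days=1)   # article's rule of thumb: incremental daily

Backup = namedtuple("Backup", "kind done ok")  # ok = backup verified readable

# Constructed sample catalogue: Monday's incremental failed verification.
CATALOGUE = [
    Backup("full", datetime(2002, 2, 1, 22), True),
    Backup("incr", datetime(2002, 2, 2, 22), True),
    Backup("incr", datetime(2002, 2, 3, 22), True),
    Backup("incr", datetime(2002, 2, 4, 22), False),
    Backup("incr", datetime(2002, 2, 5, 22), True),
]

def restore_chain(catalogue, target):
    """Backups needed to restore to `target`: the latest verified full plus
    every later backup, in order, up to the first one that failed."""
    usable = sorted((b for b in catalogue if b.done <= target), key=lambda b: b.done)
    fulls = [b for b in usable if b.kind == "full" and b.ok]
    if not fulls:
        return []
    chain = [fulls[-1]]
    for b in usable:
        if b.done <= chain[0].done:
            continue
        if not b.ok:
            break  # anything after a failed backup restores inconsistently
        chain.append(b)
    return chain

def audit(catalogue, now):
    """Return a list of findings; an empty list means the schedule is met."""
    chain = restore_chain(catalogue, now)
    if not chain:
        return ["no verified full backup: nothing can be restored"]
    findings = []
    if now - chain[0].done > FULL_MAX_AGE:
        findings.append("last full backup is older than 1 week")
    points = [b.done for b in chain] + [now]
    for earlier, later in zip(points, points[1:]):
        if later - earlier > INCR_MAX_GAP:
            findings.append(f"no usable backup between {earlier:%Y-%m-%d} and {later:%Y-%m-%d}")
    return findings
```

On the sample catalogue, the Tuesday incremental exists but is excluded from the chain, so the last consistent restore point is Sunday night.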

Step 4: Maintain awareness

The last GASSP principle of note is the principle of awareness. All potential users should be aware of the importance of the data, the availability of security tools and policies and the potential threats to the data. This awareness should be part of any office procedure manual, practiced routinely and updated periodically to withstand ever more sophisticated attacks by outsiders.

Awareness creates an atmosphere of caution and higher compliance with controls. Awareness can mitigate the damage that can occur and speed recovery. With naivete, the discovery time for any damage is prolonged, which increases the impact of that damage.

An ounce of prevention

Computer security works, so don't be a victim. Protect your patient records. Soon new federal statutes will require a high degree of security for these records. Be ready for these new statutes so when they're mandated, you can bounce back quickly. Although sometimes tedious and onerous, computer security is your friend -- not your enemy.



Fool-Proofing Your Plan

Here are some other things you can do to protect your computer system and network.

  • With a single computer connected to the Internet either by dial-up modem or by DSL/cable modem, make sure that the network configuration for sharing printers and files is disabled. This prevents outsiders on the Internet from seeing your computer while browsing the network.
  • Disable sharing of your local hard drive partitions in Windows 95/98/ME (the lettered drives that let you store data) through the properties dialog window of Windows Explorer. With Windows NT/2000, set your permissions list to named users or to "administrator" rather than to "everyone."
  • When configuring a computer or security device, avoid using the default settings. Most intruders know that many individuals will use only the default settings even down to using the password that ships with their product.
  • Use specialized software or hardware firewalls that can screen for intermittent intruders who are searching for an unprotected computer. More recent intruders want to take control of your computer to launch denial of service attacks on another Web site or network. Such hackers cobble together tens to hundreds or even thousands of pirated computers to request access to the other Web site over and over again. When the Web site administrator tries to trace the origin of the attacks, the trace leads to your computer. Most users are completely unaware that their computers have been taken over for such attacks.


Optometric Management, Issue: February 2002