
Spyware Risks, Protection, and Removal for Healthcare Businesses with HIPAA Compliance Requirements

The hackers and criminals who write spyware programs do so specifically to steal information. Your patients' protected health information is at risk if you have spyware on your computers.

Spyware is software that collects information from your computer without your knowledge. Often spyware is used for something relatively harmless, such as the collection of marketing data. However, many criminals and organized crime groups are also jumping into the mix and creating spyware for identity theft, credit and banking information theft, and to collect any information they might be able to misuse or sell, such as protected health information. Fortunately there are a number of steps you can take to protect the information on your computers.

The people who create spyware use many of the same methods that virus writers employ to trick users into downloading and installing or running malicious programs that can harm a computer in any number of ways. If a program collects information and reports it back to the author without the users’ consent, it is considered to be spyware. If it infects files and is self-spreading, it is also a virus. If it is hidden in another program that you want on your computer, like a game or a screen saver, it is also a Trojan. And if it does not infect valid files, but is self-spreading, it is also a worm. Viruses, Trojans and worms have invaded computers for quite some time; the only real difference between these threats and spyware is that malicious spyware is defined by its purpose, to collect information, rather than its method of infection.

While spyware can crash your computer or cause all sorts of popups and productivity disruptions just like any other general virus, the most effective spyware programs operate without your knowledge, posing a much bigger risk because there is a very real financial reward for quietly stealing your data and selling it to others for their criminal use. Organized crime tends to thoroughly test their spyware programs to make sure that they do not crash your computer, do not cause popups, and do not show up in add and remove programs or in the task manager, where you could easily shut them down. Ironically, some of the best-written spyware programs will actually remove other viruses, popups and spyware from your computer so that it runs better. Unfortunately, they also disable or cripple many of the anti virus programs you might try to use to stop them. The last thing a criminal enterprise wants is for you to have computer problems or get errors that prompt you to call your technical support for help.

Spyware Can be Prevented

Prevention is by far the most secure and cost-effective method of dealing with spyware. Because there is not a single, 100% effective method for preventing spyware, the best practice is to employ multiple methods for prevention. This practice is often referred to as defense in depth. There are three places that we can target to prevent spyware on your computer. The first is user education, the second is on the computer itself, and the third is at the internet connection or firewall. There are a number of techniques that should be employed at each location, as well.

Your Employees Can Help you Protect Patient Information

First and foremost, employees should be reminded that computers with protected health information contain sensitive data and are for work-use only, and that there is security in place that they should never try to circumvent. Employees should be instructed about what constitutes a potential risk for spyware, to keep an eye out for odd behavior on their computer and to report it to the appropriate person. They should not try to fix problems themselves because a favorite trick of spyware writers is to market their spyware as anti-spyware software. Every computer should have limited access using good, mixed number and letter passwords that employees do not share. Email containing protected health information should never be sent outside of approved channels. Fortunately, when it comes to educating employees regarding their role in protecting the computers from spyware, there is nothing technical that the average user needs to know.

Rules regarding employee use of computers containing protected health information are best communicated via a signed acceptable use policy. Your acceptable use policy should make clear both the employees’ responsibilities and the seriousness of protecting your patients’ information. A good acceptable use policy also gives you room to take corrective action, up to and including employee termination, if required.

Your Computers Can Be Secured to Prevent Spyware

The computer itself is an important point for preventing spyware. Each computer in your office should be assessed to determine whether the employees who use it need access to patients’ information. If a computer does not need to be used to access patient information, don’t give that computer access. If a computer’s users do need access, the first thing to do is patch or update software on the computer to close security holes that spyware could take advantage of. Microsoft updates are available for the Windows operating system and most applications such as Word or Outlook, but other non-Microsoft software must be updated as well, including Adobe Acrobat and Java. Your healthcare-specific clinical applications are less likely targets of spyware, and are most likely updated through a software-specific support contract. Updates can be planned so that they will not conflict with your need to use clinical applications during business hours.

Make sure that only a limited number of employees are able to operate as power users or administrators, with the high levels of permissions needed to make changes to the computer systems, and that they do so when needed using a separate logon identity. Most employees do not need to be able to make these kinds of changes and their access to the computer should be designated as something other than an administrator. When all employees with access to the computer have full rights and permissions as administrators, you are giving spyware many more opportunities to gain access to your system. By designating most employees as users rather than administrators, employees cannot unintentionally alter system files or give malicious programs access to the computer and neither can any spyware they might encounter. User permissions are set within the Control Panel on individual workstations, or in the Group Policy for an entire network. Some software will require additional security changes to set permissions on an employee-by-employee basis, but most often, making this change only requires granting access to a file or two.

The third thing you can do to protect each individual computer is to install a quality Desktop Security Suite, including anti virus, anti spyware, anti spam, and firewall software. The firewall portion of any Desktop Security Suite is particularly important because it will alert you when any unknown software tries to send information out to the internet. The anti-spyware part of the suite will block most spyware from access to your system, which in combination with restricting the number of people who are allowed to act as “administrators” on the computer will both prevent spyware from infecting your computer and help you remove any malicious programming that you may run into.

The fourth thing you can do to protect individual computers is to “harden” the computer, which means removing unneeded software, tightening security settings, and configuring the system to make it difficult to get the computer to do anything you don’t want it to do. In other words, the computer will be safer if you turn off or uninstall any program you don’t need to conduct business from that computer. The fewer the number of programs installed, the fewer the potential security holes you will encounter. Your computers may be quite vulnerable to software that is installed but not used, especially because you may not remember to frequently update unused programs. One component in system “hardening” is to have a good password policy. The best password policies have configurations that require complex passwords (a combination of letters and numbers), allow a limited number of guesses before locking the account, and create a log of failed attempts so that an administrator can see when attempts are being made to access the sensitive files on the computer. Computers running Windows operating systems are designed to be easy to use rather than secure, but it’s security that will help prevent spyware from gaining access to your computer.

We Can Stop Spyware at Your Internet Connection

To stop spyware before it even reaches your computer, typically we employ a firewall or set of hardware devices to provide security. All firewalls are not equal, however, and to prevent spyware, there are a few features to look for and a few configuration techniques that work better than others.

Most firewalls are good at blocking all incoming requests from the internet, except for requests that you allow specifically. By default, most firewalls allow all outgoing requests on to the internet which is bad, because once spyware infects a computer, if the firewall allows all outgoing requests, the infected computer is able to send any information it wants to anywhere in the world. If you want to make sure your data is safe, outbound filtering is a must. The best way to secure your information is to block everything going to and from the internet, and allow only what you need to. This is relatively easy for inbound requests as you may not have anything you need to allow, but there can be a surprising number of things you need to allow out. The good news is that if you forget to allow a request you can adjust the firewall as needed. If, however, you stick with the default configuration, you may not become aware of how much of your information is getting out before it’s in the hands of people who shouldn’t have it.
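
The default-deny outbound policy described above can be checked against firewall log records before it is enforced. The following is an added example, not part of the original white paper; the rule set, addresses and log records are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed outbound allow rules: (source, destination, protocol, port).
# Anything that matches no rule is denied, which is the default-deny stance.
ALLOW_OUT = [
    ("192.168.10.0/24", "0.0.0.0/0", "tcp", 80),         # web
    ("192.168.10.0/24", "0.0.0.0/0", "tcp", 443),        # secure web
    ("192.168.10.2/32", "0.0.0.0/0", "udp", 53),         # DNS, resolver only
    ("192.168.10.5/32", "203.0.113.25/32", "tcp", 25),   # mail server to its relay
]

# Constructed firewall log records: (source, destination, protocol, port).
SAMPLE_FLOWS = [
    ("192.168.10.21", "198.51.100.10", "tcp", 443),
    ("192.168.10.5", "203.0.113.25", "tcp", 25),
    ("192.168.10.21", "198.51.100.77", "tcp", 6667),
    ("192.168.10.21", "198.51.100.9", "tcp", 25),
    ("192.168.10.34", "198.51.100.53", "udp", 53),
]


def is_allowed(flow, rules=ALLOW_OUT):
    """True only if the flow matches an explicit allow rule."""
    src, dst, proto, port = flow
    for r_src, r_dst, r_proto, r_port in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
                and proto == r_proto and port == r_port):
            return True
    return False  # default deny: no matching rule means the request is blocked


def denied_by_host(flows, rules=ALLOW_OUT):
    """Group denied destinations by source computer for review."""
    report = defaultdict(list)
    for flow in flows:
        if not is_allowed(flow, rules):
            report[flow[0]].append(f"{flow[1]}:{flow[3]}/{flow[2]}")
    return dict(report)


if __name__ == "__main__":
    for host, destinations in denied_by_host(SAMPLE_FLOWS).items():
        print(host, "denied:", ", ".join(destinations))
```

Each denied entry is either a legitimate need that was forgotten and should get its own rule, or a computer that deserves a closer look.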

A good firewall that includes a content management solution, an anti virus solution, or both can help to prevent spyware. A basic firewall uses port numbers to allow or disallow traffic. For example, web pages use port 80 by default. Basic firewalls, however, don’t inspect the traffic and can’t tell the difference between good web traffic, and bad web traffic that includes a virus or spyware. In fact, a basic firewall can’t even tell if information moving through port 80 is actually web traffic or just addressed to port 80 claiming to be web traffic. A better solution is to choose a firewall that has more components with greater security options. Good anti virus protection that is built into a firewall can detect spyware programs. It is good to have the firewall provide anti virus protection in addition to any other anti virus protection already installed on the computer because different vendors detect different spyware programs, and because if either program is not working properly for any reason, you will still have some protection from viruses.

Content management prevents spyware by allowing you to choose what internet sites an employee or computer can access. If you want to allow internet access, but block spyware sites or sites with content that is inappropriate for a business, a content management solution will check each internet access attempt against a database of categories to see if you have chosen to allow or deny that category, such as adult sites, for example. Content management solutions are easy to maintain as the database or lists of sites are updated via a subscription on a daily basis, just like anti virus protection.

Just as having your firewall block some websites completely is a good idea, so is blocking certain types of files or programs. To provide the greatest amount of protection against spyware, you should block access to executable programs, meaning programs that can run on your computer if launched, including those with the following file extensions: .exe, .com, .bat, .dll, .cpl, and .scr. Files with these extensions should also be blocked as email attachments. A much more complete list of suggestions for files to block is included with the documentation for your firewall. We recommend that you start by blocking anything suggested by the firewall vendor and adjust the settings as you need to. Before you take steps to block them, zip files deserve special mention. A zip file can be anything that has been compressed for quicker transmission. Most good firewalls can decompress the zip file and examine its contents to see if it is harmful before delivering it to your computer. This is better than simply blocking zip files, as many are useful and legitimate. Unfortunately, if your firewall cannot scan compressed zip files, you should block them, as this is a favorite trick used by spyware authors to get past firewalls.
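
The attachment rule above, including the special handling of zip files, can be expressed as a small filter. This is an added example, not code from the original white paper or from any firewall product; the nesting and size limits, the function names and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Executable extensions to block (.scr is the Windows screen saver type).
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".dll", ".cpl", ".scr"}
MAX_DEPTH = 3                        # assumed limit on zip-inside-zip nesting
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap on one unpacked member


def check_attachment(filename, data, depth=0):
    """Return ("allow" | "block", reason) for one file or archive."""
    # Windows ignores trailing dots and spaces, so "a.exe." still runs as .exe.
    name = filename.replace("\\", "/").rstrip(". ")
    ext = PurePosixPath(name).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension {ext}: {filename}"
    # Detect archives by content, not by name, so a renamed zip is still opened.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "allow", "no blocked content found"
    if depth >= MAX_DEPTH:
        return "block", f"archive nested too deeply to scan: {filename}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                if member.flag_bits & 0x1:  # password-protected entry
                    return "block", f"encrypted entry cannot be scanned: {member.filename}"
                if member.file_size > MAX_MEMBER_BYTES:
                    return "block", f"entry too large to scan: {member.filename}"
                verdict, reason = check_attachment(
                    member.filename, archive.read(member), depth + 1)
                if verdict == "block":
                    return "block", f"{filename} -> {reason}"
    except (zipfile.BadZipFile, NotImplementedError):
        return "block", f"unreadable archive: {filename}"
    return "allow", "no blocked content found"


def make_zip(members):
    """Build a constructed in-memory zip from {name: bytes} for the samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()
```

An archive that cannot be opened, is encrypted, or is nested too deeply is blocked rather than passed, which matches the advice to block zip files that cannot be scanned.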

Spam filtering is another anchor in the war on spyware and should be employed within any business organization. In addition to wasting resources and time and upsetting your employees, spam is a risk to your systems. Some email programs will automatically run malicious HTML content that is delivered as a part of an email, which is the same as going to a website you do not trust. Mini-programs like ActiveX and Java, which are common on websites, can allow spam to automatically install spyware on your system. Many of the updated email programs now require that you approve any automatic action that results from a file with an email, but it is better to simply filter out the spam before it ever gets to your computer, or gives employees the opportunity to install spyware.

Removing Spyware is Possible

Ideally, good preventive steps will keep spyware from infecting your systems, but if spyware does manage to get through your defenses, you will need to remove it. To remove spyware or remove virus problems, the first step is to immediately disconnect the computer from the internet by unplugging the network cable. To allow network access but no internet access, we can create a rule in your firewall to deny all traffic to or from that computer until the problem is corrected. After stopping any possible information leaks by disconnecting the system, any data stored on the infected computer should be backed up. Removing spyware or a computer virus from a computer can damage the operating system and data, so we need to save what we can before we determine whether we will try to repair the damage done by the spyware, or whether it would be more prudent to start over with a clean operating system and restore data from your backup.

If a spyware infection is minor, we can try to clean the system of the spyware and any damage it may have caused. First, it is necessary to back up and remove all protected health information from the computer, then reconnect it to the internet with access limited to updates for your desktop security suite, so that you can run a full scan. There are some free or inexpensive spyware scanners available such as Spybot Search and Destroy, Microsoft Windows Defender, and Adaware. Despite their claims, most spyware scanners cannot detect everything, so it would be best to run more than one to extend the coverage. One way to make this easy is to set up the spyware scanners on a good clean computer, and then install the hard drive from the infected computer as a second hard drive in the clean system. This allows you to trust the integrity of the spyware scanners and ensures that no spyware is running and interfering with your ability to remove it.

Because spyware is so difficult to remove with 100% certainty, it is often more time and cost-efficient to reformat the computer and restore the operating system, applications, and user information. To effect a clean re-start, you will need all the disks, hardware drivers, configuration and license information. Because of the possibility of having to start over in this way, many organizations use an imaging program, or choose to automate boot processes and software installation to simplify this process. In a small office, products such as Ghost or Drive Image will work well. In larger environments, a boot server on the network will supply the image every time the computer is restarted. If you know your systems are clean, you can use imaging software to create an image which allows easy recovery should you need to later.

Checklist for Preventing Spyware

When dealing with spyware, prevention is the key. Here is a quick checklist for preventing spyware:

  · Develop an acceptable use policy for employees to follow.
  · Update the software on the system to close security holes.
  · Limit permissions for most employees to “user” not “administrator.”
  · Install, use, and frequently update a Desktop Security Suite.
  · Harden the computer by removing unneeded programs and using good passwords.
  · As a default, deny both inbound and outbound traffic at the firewall.
  · Employ anti virus and content management at the firewall.
  · Block unnecessary file extensions at the firewall.
  · Provide Spam filtering to catch unwanted applications.
  · Immediately disconnect infected computers from the network.
  · Use clean images for a quick and absolute recovery from infections.

J.P. Schwartz, Inc. can provide professional review, installation, training, and testing of your spyware prevention and recovery systems. Professional help is the best way to get peace of mind where spyware is concerned. Our engineers have worked with many organizations and security systems and can work with you to provide a spyware solution that is right for your business and your budget. We can employ the industry’s best methods to prevent your data from being stolen and to meet your HIPAA compliance obligations without worry.

If you are ready to take the steps necessary to protect your computers and your vital business information, give the spyware solutions experts at J.P. Schwartz a call today at (303) 482-1242 or contact us by e-mail at info@jpschwartz.com. Our offices are located in the Boulder, Colorado and Denver, Colorado metropolitan areas, but we consult for companies nationwide.

If you found this information helpful, please feel free to forward it on to your colleagues.