Insidious software and hidden viruses living in your computers could be threatening confidential records and practice productivity. Here’s how to protect yourself.
I once had the fortune of working in an academic medical environment affiliated with a very tech-savvy university, where most nonclinical computer system activities, including Web surfing and e-mail, were managed by the university. I found myself constantly grumbling under my breath when, during my Web surfing, I was confronted with the dreaded message, “This site is blocked by your system administrator,” and some other warning about how my computer would probably melt or turn into a black hole.
I’d often lament to my peers about the woes of such strict policies. That was, until I heard about my colleague’s experiences. His medical group, which was quite large, had considerably more lax Internet policies regarding Web surfing and e-mail attachments. After years of such an approach, their network was crippled by a relatively common virus, which had not even produced the faintest hiccup at my facility. Even the medical equipment with PCs attached had succumbed to the attack, as many of those devices were configured with unfettered Web access.
In medical practices, particularly with regard to technology, daily operations tend to focus on support of the fundamentals. Activities like generating claims and getting electronic billing out the door often take precedence over the more mundane matters such as virus and malware blocking. Even worse, some of the best of us in IT can see issues like antivirus and malware blockers as problems for the rookie PC junkie on staff, not as something that needs to be part of high-level IT strategy planning.
Beware of an attack
While the term “computer virus” has been on the scene for some time, the word “malware” is a bit newer to the vernacular of even the savviest PC user. While a computer virus may take many forms, malware is more of a gray area. Malware is software that can originate from any number of places, much like a virus. Basically, it shouldn’t be on your PC. It can potentially damage your computer, steal confidential information, or be used to leverage your PC as a “zombie” to attack other computers - all without your knowledge.
To compound the issue, malware is often installed on a PC without the user even knowing it. The most horrifying part is that malware exists all over the Internet, and can come from Web sites, as hidden parts of e-mail attachments, or even in what might seem like dead or invalid Web links sent to you from what appears to be the e-mail address of a friend.
After my friend’s experience, I realized that the organization in which I had worked might have seemed a bit harsh in their policies, but the reality was that those very policies kept our systems shielded from this new flavor of security breach (caused by malware), as well as from more traditional virus attacks.
Protecting the practice
How should you protect yourself? It’s a combination of technical solutions and staff education. First and foremost, if you are serious about protecting your systems (and you should be), there can be no sacred cows. Everyone must accept that these policies are in place to protect one of your most valuable assets: your data. There can be no exceptions.
Next, it is important to establish and enforce a well-defined understanding that computer assets within your organization are for use in work activities only. While some amount of personal use of the Internet is going to happen, it needs to be clearly established that such personal use is the exception, not the routine.
In more technical matters, smaller practices may need to farm out this work to their chosen IT contractor, but the following are some fundamentals to help protect you from problems. It’s important to understand there is no single solution. Protection from threats is a multilayered approach, and often involves a number of different software applications, hardware applications, and user policies, all of which must be vigilantly maintained to deal with an ever-adapting set of threats.
Before you decide these moves will be too expensive for your practice, consider the overall costs. Can you say with 100 percent certainty your PC is free of malware?
There are upfront costs, as well as some ongoing maintenance costs (in both staff and software), but those are minuscule, especially when you consider the costs from the loss or corruption of data and interruption of system availability. Implementing a layered approach, with varying combinations of the above items which fit your budget and setup, will save you money (and headaches) in the long run.
Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via firstname.lastname@example.org.
This article originally appeared in the March 2010 issue of Physicians Practice.