Malware and Antivirus Protection

March 1, 2010

Insidious software and hidden viruses living in your computers could be threatening confidential records and practice productivity. Here’s how to protect yourself.


I once had the fortune of working in an academic medical environment affiliated with a very tech-savvy university, where most nonclinical computer system activities, including Web surfing and e-mail, were managed by the university. I found myself constantly grumbling under my breath when, during my Web surfing, I was confronted with the dreaded message, “This site is blocked by your system administrator,” and some other warning about how my computer would probably melt or turn into a black hole.

I’d often lament to my peers about the woes of such strict policies. That was, until I heard about my colleague’s experiences. His medical group, which was quite large, had considerably more lax Internet policies regarding Web surfing and e-mail attachments. After years of such an approach, their network was crippled by a relatively common virus, which had not even produced the faintest hiccup at my facility. Even the medical equipment with PCs attached had succumbed to the attack, as many of those devices were configured with unfettered Web access.

In medical practices, particularly with regard to technology, daily operations tend to focus on support of the fundamentals. Activities like generating claims and getting electronic billing out the door often take precedence over more mundane matters such as virus and malware blocking. Even worse, some of the best of us in IT can see issues like antivirus and malware blockers as problems for the rookie PC junkie on staff, not as something that needs to be part of high-level IT strategy planning.

Beware of an attack

While the term “computer virus” has been on the scene for some time, the word “malware” is a bit newer to the vernacular of even the savviest PC user. While a computer virus may take many forms, malware is more of a gray area. Malware is software that can originate from any number of places, much like a virus. Basically, it shouldn’t be on your PC. It can potentially damage your computer, steal confidential information, or be used to leverage your PC as a “zombie” to attack other computers - all without your knowledge.

To compound the issue, malware is often installed on a PC without the user even knowing it. The most horrifying part is that malware exists all over the Internet, and can come from Web sites, as hidden parts of e-mail attachments, or even in what might seem like dead or invalid Web links sent to you from what appears to be the e-mail address of a friend.

After my friend’s experience, I realized that the organization in which I had worked might have seemed a bit harsh in their policies, but the reality was that those very policies kept our systems shielded from this new flavor of security breach (caused by malware), as well as from more traditional virus attacks.

Protecting the practice

How should you protect yourself? It’s a combination of technical solutions and staff education. First and foremost, if you are serious about protecting your systems (and you should be), there can be no sacred cows. Everyone must accept that these policies are in place to protect one of your most valuable assets: your data. There can be no exceptions.

Next, it is important to establish and enforce a well-defined understanding that computer assets within your organization are for use in work activities only. While some amount of personal use of the Internet is going to happen, it needs to be clearly established that such personal use is the exception, not the routine.

In more technical matters, smaller practices may need to farm out this work to their chosen IT contractor, but the following are some fundamentals to help protect you from problems. It’s important to understand there is no single solution. Protection from threats is a multilayered approach, and often involves a number of different software applications, hardware applications, and user policies, all of which must be vigilantly maintained to deal with an ever-adapting set of threats.

  • Choose and deploy one centrally managed antivirus software solution. Compare costs, and consider the cost to your business if you should experience data loss and system downtime from a virus outbreak.

  • Establish rules that no personal external devices may be connected to company computers or equipment. This includes USB storage devices, digital music players, PDAs, cell phones, and digital cameras. Allowing this type of activity is just asking for trouble. You might even consider disabling USB ports on your PCs.

  • Implement a spam filtering system as a complement to your existing e-mail system to help block harmful attachments and links from making it into your network. If you are a small shop and your e-mail is hosted by another company, contact them and discuss options for spam filtering. Educate your staff on the numerous paths by which viruses and malware can make it to your network. Ask your IT staff to show you some example scam e-mails, including e-mails that might look legitimate, but are instead methods for introducing malware and viruses to your network.

  • If possible, isolate your network into different subnets, sometimes known as VLANs. This puts devices such as PCs linked to medical equipment on an isolated network, and may help minimize the impact should something make its way into your network.

  • Implement centralized control systems to limit Web surfing. There are a number of good vendors in the marketplace selling low-maintenance hardware solutions, which can be placed between your network and your Internet provider, that block known Internet sites containing malware, viruses, or any malicious or questionable content. While not foolproof, this layer can substantially reduce your risk.

  • Be careful of shared drives, which are common file storage areas, and the administrative rights provided to users on these drives. Drive sharing is handy and common in the office, but be certain these arrangements have correctly set permissions to prevent someone from having too much access.

  • Close ports in your firewall. Smaller offices often have a tendency to set up their Internet connections wide open, meaning many unnecessary ports, or doorways between your network and the Internet, are open.

Before you decide these moves will be too expensive for your practice, consider the overall costs. Can you say with 100 percent certainty your PC is free of malware?

There are upfront costs, as well as some ongoing maintenance costs (in both staff and software), but those are minuscule, especially when you consider the costs from the loss or corruption of data and interruption of system availability. Implementing a layered approach, with varying combinations of the above items that fit your budget and setup, will save you money (and headaches) in the long run.

Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via physicianspractice@cmpmedica.com.

This article originally appeared in the March 2010 issue of Physicians Practice.