Computer security 101: Do you know the basics?

A few simple practices will protect your computer system from most intruders.

By Issie Rabinovitch, PhD

There is much to know about keeping a computer or network running reliably and securely. It is important to have the big picture, but sometimes the technical details that are so often glossed over can spell the difference between a secure network, or single computer, and one that is easily compromised. This is the first of several articles that will attempt to provide useful technical information for users and managers of computers and small networks.

Passwords, strong and weak: At some time in the future, passwords may become an anachronism. All devices will incorporate biometric security features to authenticate users by scanning irises or fingerprints. Fingerprint scanners have already appeared in notebook and tablet computers from several major manufacturers. External fingerprint scanners can be added to computers without this feature. For the time being, at least, passwords are vital and they should be used properly.

Some passwords are better than others. The ones that don’t provide adequate protection against intrusion are called “weak”. Most passwords in use are weak. Chances are you depend on one yourself.

If a password is a form of your name or some name associated with you, it is easily guessed by anyone who knows you or talks to someone who knows you. Names associated with you include the names of family members (don’t forget the dog or cat), your car, high school, university, favourite sports teams, and so on.

Any word found in a dictionary, regardless of the language, is a weak password. There are many password-cracking applications in the hacker community that test 100,000 or more entries in a dictionary within minutes to find the one that unlocks a server, router, or computer.

Any password that contains fewer than nine characters, regardless of whether they form a word, is considered weak. Unfortunately, there is freely available software, used by hackers, that goes through every conceivable combination of characters at lightning speed. It starts with single-character passwords and works up to longer ones, one character at a time. Passwords with eight or fewer characters are fairly easy for this kind of software to crack, especially if they use only letters, rather than combinations of letters and numerals.

What are the characteristics of a “strong” password, the kind that you should use to protect your servers and routers and any other critical device?

A strong password consists of at least nine characters. Longer passwords are harder to crack, but they shouldn’t be so long that they are difficult to remember and enter.

Passwords should contain a mixture of upper and lower case letters and at least one numeral (0-9) and at least one non-alphanumeric character (!, @, #, $, %, etc.). The ideal strong password is one that looks like gibberish to everyone but you. For reasons known only to you, it is easy to remember and to type. One way to choose a strong password that is easy for you to remember is to keep in mind that the difference between upper and lower case letters is the use of the “Shift” key. Ditto for the difference between numerals and characters like “&” (Shift-7). Don’t try to remember special characters. Remember them in terms of Shift-number.
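The rules above can be checked mechanically before a password is put on a server or router. The following Python sketch is an added example, not part of the original article; the function names and the sample name and word lists are constructed for illustration.

```python
import string

MIN_LENGTH = 9  # the article's rule: fewer than nine characters is weak

def weaknesses(password, personal_names=(), dictionary=()):
    """Return every reason the password counts as weak under the article's rules."""
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than nine characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character")
    # A form of a name tied to the user: family, pet, car, school, team.
    if any(name.lower() in lowered for name in personal_names if name):
        problems.append("contains a name associated with the user")
    # A word found in a dictionary, regardless of language.
    if lowered in {word.lower() for word in dictionary}:
        problems.append("is a dictionary word")
    return problems

def search_space(password):
    """Candidates of exactly this length that an exhaustive search must cover,
    given the character classes the password actually draws on."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    return alphabet ** len(password)

# Constructed sample data, not taken from the article.
NAMES = ["Rex", "Maple Leafs"]
WORDS = ["sunshine", "bonjour"]

if __name__ == "__main__":
    for candidate in ("rex2005", "sunshine", "Tr7&mQ9!xw"):
        print(candidate, weaknesses(candidate, NAMES, WORDS), search_space(candidate))
```

Comparing the `search_space` figures for an eight-letter lower case word and a ten-character mixed password shows how quickly length and character variety enlarge the set an exhaustive search has to cover.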

Another way to strengthen your password policy is to change your passwords every three months or so. A password that has been in use for a long time gradually weakens in its effectiveness. Eventually people learn passwords that they shouldn’t know. The longer a password has been in use the more likely it is to appear on a scrap of paper or a sticky yellow note somewhere in the office or clinic. It’s painful to ditch a cleverly chosen strong password. It is human nature to keep familiar passwords too long, like comfortable old shoes.

Virus issues: Before networks and particularly the Internet became ubiquitous, most viruses (or virii) spread via floppy disks. Booting a computer with an infected floppy disk in the drive resulted in the virus being transferred to the system.

For many years, I didn’t use anti-virus software because I understood how viruses were spread and I was able to take the steps required to avoid them. I run anti-virus software now because the nature and the frequency of the threats have increased and I want to think about other things while I am using a computer.

I talked recently with Stuart McClure about security issues during one of his Canadian speaking tours. Stuart McClure is senior vice president of risk management and product development at Foundstone, a division of McAfee. He is also the best-selling co-author of Hacking Exposed: Network Security Secrets and Solutions.

According to Mr. McClure, when it comes to computer security, there’s no substitute for human intelligence and knowledge. Users need to recognize strange behaviours and correctly assess situations. Is something a real virus or is it something else? “There are limits to what technology can do. Education is necessary,” says McClure.

I couldn’t agree more, but the fact remains that most computer users need good anti-virus software. They simply aren’t as knowledgeable or as disciplined as McClure. With good anti-virus software, used properly and combined with a little knowledge and good sense, most computer users can escape being hit by a virus. That’s a topic for another column, as is software that scans for spyware and other kinds of malicious software.

Wireless network security: The failure to take the proper steps to secure a wireless network can lead to unexpected and unpleasant consequences. An unsecured wireless network is wide open to any passerby with a notebook and Wi-Fi card. Anyone in your waiting room with such equipment (or even a tiny handheld with Wi-Fi) can roam your network.

Security for a wireless network begins at the router. Management access to a router is controlled by password. Needless to say it should be a strong password.

The next step should be to check on encryption settings. For most routers encryption is turned off by default. It should be turned on and an encryption method such as 128-bit WEP should be chosen. That’s not the strongest level of encryption available, but it is probably good enough to keep unauthorized individuals from using your wireless connection. Running a VPN (virtual private network) on your internal network requires an even higher level of security and will be discussed in a future article.

With a router in a conventional wireless network, you will be asked to provide a passkey or a hex key, depending on the brand of the router and the encryption software it is using.

Make the choice something difficult to guess (according to the principles previously discussed) and keep a record of it in a safe place. In order to keep your router or the computers connected to it safe from being hijacked over the Internet, make sure that the firewall settings are correctly chosen. Factory-set defaults vary according to brand and age of router. Don’t take it for granted that they are appropriate for your circumstances. It is probably a good idea to use maximum security settings and then back off until everything works. Starting with weak security settings (so that everything works immediately) and strengthening them incrementally creates an unnecessary window of opportunity for hackers to cause mischief.

There is another useful step to take that is easily implemented. Every Ethernet card, whether it is wired or wireless, has a unique physical identifier called a MAC (media access control) or physical address. An example of a valid address is 00-08-72-AB-CE-1B. Every manufacturer of Ethernet cards is given a block of valid addresses to use and is prohibited from using an address more than once. A MAC address is a unique identifier.

I will use the Linksys Wireless-G Broadband Router, model WRT54G, in the following example, but the principles are the same for other wireless routers.

Under the wireless MAC filter menu I can choose to enable or disable the wireless MAC filter. Once I enable it, I can limit access to those PCs on a list I create (where they are identified by their MAC addresses). Every other computer is denied access to the wireless network. If you purchase a new computer, or perhaps change the wireless card in an existing one, that computer won’t have access to the network until you edit the list to include the new MAC address.

This procedure can be carried out in less than a minute, once a list of wireless computers identified by MAC address has been created. This raises the question of how to find out the MAC address of a computer in the first place.

If the address isn’t in your documentation or engraved on the card itself, there are a few simple steps to take that can be accomplished in under a minute. Here’s how it’s done on a computer running Windows 2000 or XP.

Choose the Run command from the Windows Start Menu and enter cmd. This will take you to a DOS-style command prompt. Enter the command “ipconfig/all” and you will see various bits of networking information about your computer. Windows uses the term “physical address” rather than MAC address. Look for a sequence like the one above on the appropriate line. That’s it. Repeat this for each wireless computer on your network. Enter this information on your router and you’re done. •
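When several PCs are involved, the "physical address" lines can be pulled out of saved ipconfig output instead of being copied by eye. This Python sketch is an added example, not part of the original article; the sample output is constructed, the function names are hypothetical, and it assumes the wireless adapter's heading contains the word "Wireless".

```python
import re

# Constructed sample of `ipconfig /all` output; not captured from a real PC.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example wired adapter
        Physical Address. . . . . . . . . : 00-08-72-AB-CE-1A

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example wireless adapter
        Physical Address. . . . . . . . . : 00-08-72-ab-ce-1b
        Dhcp Enabled. . . . . . . . . . . : Yes
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")             # unindented heading
PHYSICAL = re.compile(r"^\s+Physical Address[ .]*:\s*(\S+)\s*$")
MAC = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")          # six hex pairs

def physical_addresses(ipconfig_text):
    """Map each adapter heading to its physical (MAC) address, upper-cased."""
    found, adapter = {}, None
    for line in ipconfig_text.splitlines():
        heading = ADAPTER.match(line)
        if heading:
            adapter = heading.group(1)
            continue
        value = PHYSICAL.match(line)
        if value and adapter:
            mac = value.group(1).upper()
            if MAC.match(mac):  # ignore values that are not a 48-bit address
                found[adapter] = mac
    return found

def wireless_filter_list(outputs):
    """Sorted, de-duplicated MACs from the output of several PCs, keeping only
    adapters whose heading says 'wireless' (an assumption about naming)."""
    macs = set()
    for text in outputs:
        for adapter, mac in physical_addresses(text).items():
            if "wireless" in adapter.lower():
                macs.add(mac)
    return sorted(macs)

if __name__ == "__main__":
    print(wireless_filter_list([SAMPLE]))
```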



EMRs, Chatham-style

Dr. Brian Gamble has used a computerized solution in his clinic for several years. It reduces his paperwork and gives him faster access to results.
By Catherine Krever

When Dr. Brian Gamble’s patients come to see him, they do not see a paper file about themselves anywhere in his office. Dr. Gamble is one of eight doctors in Chatham, Ont., who connect to their clinical management software and to their hospital, using Smart Systems for Health Agency’s (SSHA’s) secure hosting and network products.

The physicians have been using the computerized solution for several years now. In fact, they were one of the initial pilot projects for the ePhysician Program (ePP) in Ontario, which was created by the Ministry of Health and the Ontario Medical Association.

(Editor’s note: Information about ePhysician and clinical information systems in Ontario is currently available at www.health.gov.on.ca. While few physicians in Ontario have actually signed on with the ePP initiative, those who have seem to be singing its praises.

We reported on the relatively low acceptance of e-Physician in our October 2004 issue. To obtain funding for computerization, physicians have been required to join networks and switch to a salaried formula of compensation and away from fee-for-service. To paraphrase an old advertisement, they’d rather fight than switch.)

The technology used in Dr. Gamble’s clinic allows the doctors to have electronic access to patient data generated by the local hospital laboratory, radiology department and outpatient clinics.

In their own offices, the doctors use clinical management software provided by YorkMed Systems, principally Montreal-based Purkinje EMR software. However, the software runs on a server housed in an SSHA data centre. The software is accessed in a secure fashion over the SSHA network.

With quicker access to their patients’ histories, the doctors spend less time managing files and thus have more time to treat patients. Dr. Gamble estimates that about 45 minutes per day have been freed up for him, allowing him to see three more patients on average.

“My practice has converted from a paper-based office to being chartless,” Dr. Gamble says. “And this has resulted in administrative efficiencies of 25 to 30 percent. My staff performs fewer menial and repetitive tasks – we are able to keep up with letters and documentation much faster.” The significant improvement in administrative efficiency is due in large part to the ease with which files are now found. When records are paper-based, a surprising amount of time is devoted to just looking for them.

“I used to spend a lot of time on documentation – now documentation is completed by the time a patient leaves my office. I use a computer to be more efficient and to be a better physician. I would never go back to the old method,” he says.

Dr. Gamble now has more free time at home. Previously, he took files home at night and on weekends to review and update them. This represented about four to six hours per week. He now spends 15 extra minutes a day in his office doing electronic record keeping and no longer needs to work at home on files. That’s an excellent trade-off.

As well, he no longer worries about the safety of his patient information. “Patient files no longer sit in my office. They are securely stored in SSHA’s data centres in Toronto. I access them only when I need them. I no longer have to worry about my laptop being lost or the server in my office failing,” he explains. “This provides me with a huge level of comfort. I rely on SSHA to do their job. My role is to gather data, theirs is to protect it. I no longer have to do both – it’s very reassuring.”

Electronic patient files have also enabled Dr. Gamble to become more pro-active – letting him shift from reacting to acute illness episodes to more of a preventative focus. He is contacting patients rather than waiting for them to come and see him.

He identifies patients by conducting searches of his patient database and targeting those with specific chronic conditions – such as heart disease, dementia, diabetes and asthma – who are missing one or two appropriate medications.

He has gone further by using the local network connection to his hospital to access information about his patients if they were hospitalized. He can then cross-reference that data to his patient database.

“Patients who have come out of the hospital following a cardiac event don’t always see me, but they should,” he says. “They need to have a discussion about the four main drugs that offer the best prevention. It is important to me that all my patients have the opportunity to be on the right medications. My database and electronic files will let me do this.”

This pilot project in Chatham-Kent is an initiative of the Ministry of Health and Long-Term Care and the Ontario Medical Association, using SSHA’s information technology products and services.

While the large-scale benefits are still to come, Dr. Gamble and his patients need no convincing about the benefits of electronic healthcare; they have already seen its success. •

Catherine Krever is a communications advisor at Smart Systems for Health Agency.