INSIDE THE APRIL 2005 ISSUE:
Do you know the basics?
Secure e-mail need no longer be an oxymoron.
When Dr. Brian Gamble’s patients come to see him, they do not see a
paper file about themselves anywhere in his office.
The news from HIMSS
There’s progress in PDA-based solutions for drug references.
Editor's note: Electricity in the air
News: OntarioMD.ca: Will this be your new
homepage?; Infoway has physicians on the radar screen; Alberta bone
Tech: SanDisk; Fujitsu; Xerox; Apple; TREO.
Chatroom: Why won’t Canadians use IT to save
lives? Dr. David Zitner
Computer security 101: Do you know the basics?
A few simple practices will protect your computer
system from most intruders.
By Issie Rabinovitch, PhD
There is much to know about keeping a
computer or network running reliably and securely. It is important to have
the big picture, but sometimes the technical details that are so often
glossed over can spell the difference between a secure network, or single
computer, and one that is easily compromised. This is the first of several
articles that will attempt to provide useful technical information for users
and managers of computers and small networks.
Passwords, strong and weak: At some time in the future, passwords may
become an anachronism. All devices will incorporate biometric security
features to authenticate users by scanning irises or fingerprints.
Fingerprint scanners have already appeared in notebook and tablet computers
from several major manufacturers. External fingerprint scanners can be added
to computers without this feature. For the time being, at least, passwords
are vital and they should be used properly.
Some passwords are better than others. The ones that don’t provide adequate
protection against intrusion are called “weak”. Most passwords in use are
weak. Chances are you depend on one yourself.
If a password is a form of your name or some name associated with you, it is
easily guessed by anyone who knows you or talks to someone who knows you.
Names associated with you include the names of family members (don’t forget
the dog or cat), your car, high school, university, favourite sports teams,
and so on.
Any word found in a dictionary, regardless of the language, is a weak
password. There are many password-cracking applications in the hacker
community that test 100,000 or more entries in a dictionary within minutes
to find the one that unlocks a server, router, or computer.
Any password that contains fewer than nine characters, regardless of whether
they form a word, is considered weak. Unfortunately, there is freely
available software, used by hackers, that goes through every conceivable
combination of characters at lightning speed. It starts with
single-character passwords and works up to longer ones, one character at a
time. Passwords with eight or fewer characters are fairly easy for this kind
of software to crack, especially if they use only letters, rather than
combinations of letters and numerals.
What are the characteristics of a “strong” password, the kind that you
should use to protect your servers and routers and any other critical
A strong password consists of at least nine characters. Longer passwords are
harder to crack, but they shouldn’t be so long that they are difficult to
remember and enter.
Passwords should contain a mixture of upper and lower case letters and at
least one numeral (0-9) and at least one non-alphanumeric character (!, @,
#, $, %, etc.). The ideal strong password is one that looks like gibberish
to everyone but you. For reasons known only to you, it is easy to remember
and to type. One way to choose a strong password that is easy for you to
remember is to keep in mind that the difference between upper and lower case
letters is the use of the “Shift” key. Ditto for the difference between
numerals and characters like “&” (Shift-7). Don’t try to remember special
characters. Remember them in terms of Shift-number.
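The weak and strong criteria listed above can be checked mechanically. The following is an added example, not part of the original article; the function names, the name list, the wordlist and the sample passwords are all constructed for illustration. It also counts how many candidates a length-by-length exhaustive search has to cover, assuming the search only tries the character classes the password actually uses.

```python
import string

MIN_LENGTH = 9  # the article's threshold: fewer than nine characters is weak


def audit_password(password, personal_names=(), wordlist=()):
    """Return the list of the article's weakness criteria that `password` meets."""
    findings = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append("fewer than nine characters")
    if lowered in {w.lower() for w in wordlist}:
        findings.append("dictionary word")
    if any(name.lower() in lowered for name in personal_names if name):
        findings.append("contains a name associated with the user")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        findings.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in password):
        findings.append("no numeral")
    if not any(not c.isalnum() for c in password):
        findings.append("no non-alphanumeric character")
    return findings


def exhaustive_search_space(password):
    """Candidates a length-by-length exhaustive search covers up to this length,
    assuming it only tries the character classes the password actually uses."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        alphabet += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        alphabet += len(string.digits)
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return sum(alphabet ** k for k in range(1, len(password) + 1))


if __name__ == "__main__":
    # Constructed sample data: names, wordlist and candidate passwords are made up.
    names = ["Rex", "Gamble"]
    words = ["favourite", "password"]
    for candidate in ["Rex2005", "favourite", "tR7&mq2Lx"]:
        print(candidate, audit_password(candidate, names, words),
              exhaustive_search_space(candidate))
```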
Another way to strengthen your password policy is to change your passwords
every three months or so. A password that has been in use for a long time
gradually weakens in its effectiveness. Eventually people learn passwords
that they shouldn’t know. The longer a password has been in use the more
likely it is to appear on a scrap of paper or a sticky yellow note somewhere
in the office or clinic. It’s painful to ditch a cleverly chosen strong
password. It is human nature to keep familiar passwords too long, like
comfortable old shoes.
Virus issues: Before networks and particularly the Internet became
ubiquitous, most viruses (or virii) spread via floppy disks. Booting a
computer with an infected floppy disk in the drive resulted in the virus
being transferred to the system.
For many years, I didn’t use anti-virus software because I understood how
viruses were spread and I was able to take the steps required to avoid them.
I run anti-virus software now because the nature and the frequency of the
threats have increased and I want to think about other things while I am
using a computer.
I talked recently with Stuart McClure about security issues during one of
his Canadian speaking tours. Stuart McClure is senior vice president of risk
management and product development at Foundstone, a division of McAfee. He
is also the best-selling co-author of Hacking Exposed: Network Security
Secrets and Solutions.
According to Mr. McClure, when it comes to computer security, there’s no
substitute for human intelligence and knowledge. Users need to recognize
strange behaviours and correctly assess situations. Is something a real
virus or is it something else? “There are limits to what technology can do.
Education is necessary,” says McClure.
I couldn’t agree more, but the fact remains that most computer users need
good anti-virus software. They simply aren’t as knowledgeable or as
disciplined as McClure. With good anti-virus software, used properly and
combined with a little knowledge and good sense, most computer users can
escape being hit by a virus. That’s a topic for another column, as is
software that scans for spyware and other kinds of malicious software.
Wireless network security: The failure to take the proper steps to
secure a wireless network can lead to unexpected and unpleasant
consequences. An unsecured wireless network is wide open to any passerby
with a notebook and Wi-Fi card. Anyone in your waiting room with such
equipment (or even a tiny handheld with Wi-Fi) can roam your network.
Security for a wireless network begins at the router. Management access to a
router is controlled by password. Needless to say it should be a strong
The next step should be to check on encryption settings. For most routers
encryption is turned off by default. It should be turned on and an
encryption method such as 128-bit WEP should be chosen. That’s not the
strongest level of encryption available, but it is probably good enough to
keep unauthorized individuals from using your wireless connection. Running a
VPN (virtual private network) on your internal network requires an even
higher level of security and will be discussed in a future article.
With a router in a conventional wireless network, you will be asked to
provide a passkey or a hex key, depending on the brand of the router and the
encryption software it is using.
Make the choice something difficult to guess (according to the principles
previously discussed) and keep a record of it in a safe place. In order to
keep your router or the computers connected to it safe from being hijacked
over the Internet, make sure that the firewall settings are correctly
chosen. Factory-set defaults vary according to brand and age of router.
Don’t take it for granted that they are appropriate for your circumstances.
It is probably a good idea to use maximum security settings and then back
off until everything works. Starting with weak security settings (so that
everything works immediately) and strengthening them incrementally creates
an unnecessary window of opportunity for hackers to cause mischief.
There is another useful step to take that is easily implemented. Every
Ethernet card, whether it is wired or wireless, has a unique physical
identifier called a MAC (media access control) or physical address. An
example of a valid address is 00-08-72-AB-CE-1B. Every manufacturer of
Ethernet cards is given a block of valid addresses to use and is prohibited
from using an address more than once. A MAC address is a unique identifier.
I will use the Linksys Wireless-G Broadband Router, model WRT54G, in the
following example, but the principles are the same for other wireless
Under the wireless MAC filter menu I can choose to enable or disable the
wireless MAC filter. Once I enable it, I can limit access to those PCs on a
list I create (where they are identified by their MAC addresses). Every
other computer is denied access to the wireless network. If you purchase a
new computer, or perhaps change the wireless card in an existing one, that
computer won’t have access to the network until you edit the list to include
the new MAC address.
This procedure can be carried out in less than a minute, once a list of
wireless computers identified by MAC address has been created. This begs the
question of how to find out the MAC address of a computer in the first
If the address isn’t in your documentation or engraved on the card itself,
there are a few simple steps to take that can be accomplished in under a
minute. Here’s how it’s done on a computer running Windows 2000 or XP.
Choose the Run command from the Windows Start Menu and enter cmd. This will
take you to a DOS-style command prompt. Enter the command “ipconfig/all” and
you will see various bits of networking information about your computer.
Windows uses the term “physical address” rather than MAC address. Look for a
sequence like the one above on the appropriate line. That’s it. Repeat this
for each wireless computer on your network. Enter this information on your
router and you’re done.
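When several PCs are involved, the "Physical Address" lines can be pulled out of saved `ipconfig /all` output instead of being copied by hand. The following is an added example, not part of the original article; the sample output is constructed (only 00-08-72-AB-CE-1B comes from the text), and it assumes wireless adapters can be recognised by the word "Wireless" in the connection name.

```python
import re

ADAPTER_RE = re.compile(r"^(\S.*?adapter .+):\s*$")
PHYSICAL_RE = re.compile(r"^\s+Physical Address[ .]*:\s*(\S+)\s*$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

# Constructed sample of `ipconfig /all` output; adapter descriptions are made up.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-08-72-ab-ce-1a

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless-G Adapter
        Physical Address. . . . . . . . . : 00-08-72-AB-CE-1B
"""


def physical_addresses(ipconfig_output):
    """Map each adapter name in `ipconfig /all` output to its physical address."""
    adapters, current = {}, None
    for line in ipconfig_output.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        found = PHYSICAL_RE.match(line)
        if found and current is not None:
            value = found.group(1)
            if not MAC_RE.match(value):  # refuse to pass a malformed entry on
                raise ValueError(f"unexpected physical address {value!r}")
            adapters[current] = value.upper()
    return adapters


def wireless_filter_list(outputs):
    """Collect wireless adapters' addresses from several PCs, without duplicates."""
    allowed = []
    for text in outputs:
        for name, mac in physical_addresses(text).items():
            # Assumption: the connection name contains "Wireless".
            if "wireless" in name.lower() and mac not in allowed:
                allowed.append(mac)
    return allowed
```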
Dr. Brian Gamble has used a computerized solution in
his clinic for several years. It reduces his paperwork and gives him faster
access to results.
By Catherine Krever
When Dr. Brian Gamble’s patients come
to see him, they do not see a paper file about themselves anywhere in his
office. Dr. Gamble is one of eight doctors in Chatham, Ont., who connect to
their clinical management software and to their hospital, using Smart
Systems for Health Agency’s (SSHA’s) secure hosting and network products.
The physicians have been using the computerized solution for several years
now. In fact, they were one of the initial pilot projects for the ePhysician
Program (ePP) in Ontario, which was created by the Ministry of Health and
the Ontario Medical Association.
(Editor’s note: Information about ePhysician and clinical information
systems in Ontario is currently available at www.health.gov.on.ca. While few
physicians in Ontario have actually signed on with the ePP initiative, those
who have seem to be singing its praises.
We reported on the relatively low acceptance of e-Physician in our October
2004 issue. To obtain funding for computerization, physicians have been
required to join networks and switch to a salaried formula of compensation
and away from fee-for-service. To paraphrase an old advertisement, they’d
rather fight than switch.)
The technology used in Dr. Gamble’s clinic allows the doctors to have
electronic access to patient data generated by the local hospital
laboratory, radiology department and outpatient clinics.
In their own offices, the doctors use clinical management software provided
by YorkMed Systems, principally Montreal-based Purkinje EMR software.
However, the software runs on a server housed in a SSHA data centre. The
software is accessed in a secure fashion over the SSHA network.
With quicker access to their patients’ histories, the doctors spend less
time managing files and thus have more time to treat patients. Dr. Gamble
estimates that about 45 minutes per day have been freed up for him, allowing
him to see three more patients on average.
“My practice has converted from a paper-based office to being chartless,”
Dr. Gamble says. “And this has resulted in administrative efficiencies of 25
to 30 percent. My staff performs fewer menial and repetitive tasks – we are
able to keep up with letters and documentation much faster.” The significant
improvement in administrative efficiency is due in large part to the ease
with which files are now found. When records are paper-based, a surprising
amount of time is devoted to just looking for them.
“I used to spend a lot of time on documentation – now documentation is
completed by the time a patient leaves my office. I use a computer to be
more efficient and to be a better physician. I would never go back to the
old method,” he says.
Dr. Gamble now has more free time at home. Previously, he took files home at
night and on weekends to review and update them. This represented about four
to six hours per week. He now spends 15 extra minutes a day in his office
doing electronic record keeping and no longer needs to work at home on
files. That’s an excellent trade-off.
As well, he no longer worries about the safety of his patient information.
“Patient files no longer sit in my office. They are securely stored in
SSHA’s data centres in Toronto. I access them only when I need them. I no
longer have to worry about my laptop being lost or the server in my office
failing,” he explains. “This provides me with a huge level of comfort. I
rely on SSHA to do their job. My role is to gather data, theirs is to
protect it. I no longer have to do both – it’s very reassuring.”
Electronic patient files have also enabled Dr. Gamble to become more
pro-active – letting him shift from reacting to acute illness episodes to
more of a preventative focus. He is contacting patients rather than waiting
for them to come and see him.
He identifies patients by conducting searches of his patient database and
targeting those with specific chronic conditions – such as heart disease,
dementia, diabetes and asthma – who are missing one or two appropriate
He has gone further by using the local network connection to his hospital to
access information about his patients if they were hospitalized. He can then
cross-reference that data to his patient database.
“Patients who have come out of the hospital following a cardiac event don’t
always see me, but they should,” he says. “They need to have a discussion
about the four main drugs that offer the best prevention. It is important to
me that all my patients have the opportunity to be on the right medications.
My database and electronic files will let me do this.”
This pilot project in Chatham-Kent is an initiative of the Ministry of
Health and Long-Term Care and the Ontario Medical Association, using SSHA’s
information technology products and services.
While the large scale benefits are still to come, Dr. Gamble and his
patients need no convincing about the benefits of electronic healthcare;
they have already seen its success.
Catherine Krever is a communications advisor at Smart Systems for Health