HIPAA Corner: Is There A Need for HIPAA Security?
Physicians, hurting from huge malpractice insurance increases, are looking for every opportunity to trim costs. Is there a need to invest scarce dollars in improved computer security? VARs can help physicians by educating them on the increasing dangers of the connected world. The troubling statistics below show that just because nothing bad happened to them in the past few years doesn’t mean that trouble won’t arise in the near future.

Huge Increase in Spam. The fact that spam has grown dramatically is no surprise to any e-mail user. According to Message Labs, a company that sells anti-spam technology to ISPs, spam during the first 6 months of 2004 rose to over 64% of all e-mail. The spam rates for comparable time periods in 2002 and 2003 are illustrated below:
Spam, a burden and nuisance in itself, is related to other, more serious threats. Specifically, perpetrators of on-line frauds known as phishing scams and writers of malicious software are increasingly using spam to deliver their payloads. E-mail has become the dominant method of spreading malicious software. In fact, Message Labs also offers the statistic that fully 8.3% of all e-mail in transit contains malicious software.

Malicious Software Infections Skyrocket. Most of these infected e-mails are deleted by ISPs, corporate filtering, or home-user anti-virus programs. Nonetheless, infections of malicious software, including viruses, Trojans, and other variants, have increased. Measuring the number of instances of infection is difficult because definitions of an infection differ, but one fact is clear: the number of problems expanded dramatically in 2004. Virus Bulletin, a UK-based newsletter, has documented a 10-fold increase in virus infections in 2004 over the previous year.
VARs are well aware of these problems. Some larger VARs receive calls and dispatch their support technicians on a monthly or even weekly basis to help individual customers deal with virus infections. In some cases, hard drives must be wiped and all software re-installed and reconfigured, resulting in significant costs, down time and, in some cases, loss of data. In many cases, these problems could have been prevented.

Security Flaws in Microsoft Products. Many of the software infections were enabled by security flaws that exist in all versions of Microsoft operating systems, as well as in other internet-enabled software, including Outlook, Internet Explorer, Microsoft Office, and SQL Server. Interested VARs should check the current SANS Top 10 list (www.sans.org), an expert consensus of the Top 10 vulnerabilities in the Microsoft Windows environment. Many virus attacks exploit security vulnerabilities that Microsoft has already fixed. Unfortunately, these fixes often are not applied. Still today, many VARs have the philosophy that “if it isn’t broke, don’t fix it.” Applying operating system upgrades is time consuming, and therefore costly. In the competitive marketplace, VARs are reluctant to ask clients for the money to apply patches. Unfortunately, this approach is no longer viable, especially for clients connected to the internet over broadband. Unpatched software is one of the major vulnerabilities in physician offices, and it increases the risk of business loss from malicious software.

On-line Fraud. As noted above, spam is used to launch what the FBI has called “the hottest, most troubling new scam on the internet.” Known as “phishing scams”, these are fraudulent e-mails crafted to appear like messages from large national organizations, especially banks and other financial institutions. The user is directed via an HTML link to a rogue web site, which is crafted to look exactly like the institution’s real web site. The unsuspecting user logs in, revealing their user ID and password. The perpetrators then use this access information to log in to the victim’s account and drain it. The Anti-Phishing Working Group (www.antiphishing.org) has published statistics showing the huge increase in these scams during 2004. In 2003, such attacks were virtually unheard of.
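An added illustration, not from the column, of how the lure just described can be caught on the way in: a Python check that flags anchors in an e-mail's HTML whose visible text shows one host while the href actually points elsewhere. The sample message and the bank domain are constructed placeholders.

```python
# Added example: flag anchors whose displayed text names one host while the
# href leads to another. Sample message and bank domain are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text a reader would take for an address: optional scheme, a domain, optional path.
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Hostname the reader sees in the link text, or None if the text is not address-like."""
    match = HOSTLIKE.fullmatch(text.strip())
    return match.group(1).lower() if match else None


def suspicious_links(html):
    """Return hrefs whose real host differs from the host displayed in the link text."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown, real = shown_host(text), urlparse(href).hostname
        if shown and real and shown != real.lower():
            flagged.append(href)
    return flagged


# Constructed lure: the first link shows the bank's address but leads to a bare IP.
SAMPLE = """<p>Please verify your account at
<a href="http://203.0.113.7/login">www.examplebank.example</a> or read our
<a href="http://www.examplebank.example/help">www.examplebank.example/help</a> page.</p>"""

print(suspicious_links(SAMPLE))  # ['http://203.0.113.7/login']
```

Links whose text is not address-like ("click here") are not judged by this check, since there is no displayed host to compare against.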
These attacks illustrate the need for security awareness training, for both businesses and individuals. The Gartner Group has estimated that some 30 million Americans have experienced a phishing lure, and some 1.78 million have fallen victim.

Summary. VARs need to educate their clients on the risks of the connected world. Understanding these risks is the starting place for clients who need to implement the security programs mandated by HIPAA. HIPAA suggests a comprehensive program for reducing the risks from the very real threats of the internet. In 2005, a security management program simply makes good business sense.
For more information on technical security training for Medical VARs, e-mail Gary Pritts at: gpritts@eagleconsultingpartners.com
Copyright © InvestMed, LLC and its licensors. All rights reserved.