DOI: 10.1148/rg.235035021
(Radiographics. 2003;23:1329-1337.)
© RSNA, 2003
Personal Computer Security
Part 1. Firewalls, Antivirus Software, and Internet Security Suites1
Ronald D. Caruso, MD
1 From the Neuroradiology Section, Department of Radiology, University of Louisville School of Medicine, CCB-C07, 530 S Jackson St, Louisville, KY 40202. Received January 28, 2003; revision requested March 14; final revision received May 7; accepted May 29. Address correspondence to the author (e-mail: rcaruso@louisville.edu).
 |
Abstract
|
|---|
Personal computer (PC) security in the era of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involves two interrelated elements: safeguarding the basic computer system itself and protecting the information it contains and transmits, including personal files. HIPAA regulations have toughened the requirements for securing patient information, requiring every radiologist with such data to take further precautions. Security starts with physically securing the computer. Account passwords and a password-protected screen saver should also be set up. A modern antivirus program can easily be installed and configured. File scanning and updating of virus definitions are simple processes that can largely be automated and should be performed at least weekly. A software firewall is also essential for protection from outside intrusion, and an inexpensive hardware firewall can provide yet another layer of protection. An Internet security suite yields additional safety. Regular updating of the security features of installed programs is important. Obtaining a moderate degree of PC safety and security is somewhat inconvenient but is necessary and well worth the effort.
© RSNA, 2003
Index Terms: Computers • Internet • Radiology and radiologists, design of radiological facilities
|
Introduction
|
|---|
Maintaining the safety of the files stored on a radiologist’s personal computer (PC) is becoming more important—and more difficult. Often, his or her files contain sensitive personal and patient information. Common sense requires that these files be protected. Additionally, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) now mandates safeguarding of electronic patient data, with stiff penalties for noncompliance. Such protection involves two interrelated elements: safeguarding the basic computer system itself and protecting the information it contains and transmits.
Each radiologist needs to have a basic understanding of the issues to decide what level of protection is appropriate for his or her situation. As in any endeavor, there is a tradeoff between the level of protection desired on the one hand, and cost and functionality on the other. Fortunately, moving from little or no protection to moderate security entails only modest cost and inconvenience. Higher levels of protection require progressively greater effort with less enjoyment of the computing process.
Unfortunately, a computer system, or even the Internet itself, is only as secure as its weakest link. At the time this article was written, the Internet was recovering from an attack that could have been prevented if network server managers had installed a free update from Microsoft (Redmond, Wash). Simultaneously, Microsoft announced yet another critical security patch for an unrelated problem affecting its software. Local attacks on computers are far more common than Internet denial-of-service attacks. For instance, lack of a firewall or antivirus program exposes the radiologist’s PC to myriad security problems, particularly for individuals with cable or similar "always on" connections to the Internet. Failure to properly configure or regularly update installed software often results in a poorly protected PC. If there is compromise, a computer breach may be obvious or a program can work in the background to take control. Wireless networks that are not properly configured and encrypted can be accessed, and their communications can be monitored ("sniffed") by any nearby computer with a wireless network card; once the network is compromised, files on the network’s computers can also be accessed if not properly protected. Disposing of a PC without first using file-wiping software can permit recovery of "deleted" files, even if the hard drive has been reformatted. Implanted keystroke logging programs can steal passwords and other data. Passwords obscured by asterisks can be displayed. An otherwise secure hospital computer system can even be compromised by a secure virtual private network (VPN) connection, whether direct or remote, to a compromised computer, such as the radiologist’s home PC, whereby a "back door" to the secure system is created. And the list of hazards goes on.
This article, the first of two in a series, will feature Microsoft Windows XP (W-XP) and related software, the current edition of the PC software found on a majority of radiologists’ computers. Because of Microsoft’s overwhelming market share and its premature release of ever more complex, feature-laden software, these programs are also the most vulnerable to security breaches. In this article, I will discuss the physical security of the PC, setup of basic account passwords and of a password-protected W-XP screen saver, and installation and configuration of an antivirus program, Norton Antivirus (NAV) 2003 (Symantec, Cupertino, Calif). Passwords for a basic input/output system (BIOS), which provides basic hardware control, will be mentioned but not covered in detail. Hardware and software firewalls will also be examined, including (a) the basic firewall included in W-XP, (b) a hardware firewall router by Linksys (Irvine, Calif), and (c) an Internet security suite, Norton Internet Security (NIS) 2003 (Symantec). Spyware utilities, VPNs, wireless networks, and updating of security software will be covered briefly. The second article will discuss configuration of the security features of W-XP/Internet Explorer 6 and Microsoft Office XP; file management issues, including defragmentation, passwords, wiping, backup, header information, and encryption; and Digital Imaging and Communications in Medicine (DICOM) scrubbing, which refers to the removal of patient information from the file header. This two-part series will not cover computer servers, network configuration, picture archiving and communication systems, file recovery, BIOS passwords, and similar advanced topics. Neither will it address safe e-mail and Internet practices, because these topics are well covered elsewhere. In general, menu items and similar choices are capitalized. If sequential operations are to be carried out, the ">" symbol is used to separate components. The pathways described are for the W-XP Default View; they will be different for the W-XP Classic View.
Much PC security information is available on the Internet. Many individuals, computer magazines, software vendors, and rating services have extensive information and reviews posted. The Table lists a few selected World Wide Web sites, including the HIPAA site. The user’s manual for NAV (1) and similar manuals are excellent sources of general information on viruses and security. Numerous other books are also available. For those so inclined, there are detailed references, including a 763-page W-XP security manual by Bott and Siechert (2) that is published by Microsoft Press. For those with more basic needs, the "Dummies" series has a readable treatment that also discusses e-mail and browser safety (3). Integral and online help are available in most programs. Microsoft provides extensive coverage of many security issues both on its Web site and, assuming the special update for this feature has been installed, in W-XP Help.
|
Physical Security and Passwords
|
|---|
The PC should be kept in a secure area, which is particularly important for portable computers. Locks and alarms are available to minimize access. Passwords provide additional layers of protection. Ideally, passwords should be a unique combination of at least seven characters (due to the W-XP architecture), including at least one lowercase letter, capital letter, number, and symbol. The symbol should be in position 2–6 (ie, not the first or last of seven characters). Use of eight or more characters will increase the time that a password cracking program must expend. Very short passwords, especially those found in a dictionary, can be broken in seconds or at most a few minutes. All words (in any language) or meaningful numbers should be avoided. Each W-XP account should have a password. (To set a password, log on as an administrator, select Control Panel from the Start menu, and double-click on User Accounts; the User Accounts dialog box will open, where the password is set.) A password-protected screen saver should also be set for those times when the computer is left on but is unattended. (Right-click on an open area on the basic desktop outside any program, then go to Properties and Screen Saver. From the drop-down list, select the desired design. Then set the time interval after which the screen saver will engage automatically. Be sure to check On Resume, Password Protect. Then select Apply and OK.) If the computer is left before the screen saver activates, it can be locked by hitting Windows Logo Key + L (not case sensitive) or with Start Menu > Turn Off Computer > Stand By. A BIOS password can also be set, which the user will have to enter when the computer is started or BIOS adjustments are made, thereby providing an additional layer of protection. See computer documentation for details.
|
Choosing Additional Antivirus, Firewall, and Privacy Protection
|
|---|
The first decision concerns how much security is desired. Users who need only modest protection should activate the basic XP firewall and install a modern antivirus program. Cost is minimal; antivirus programs, including a 1-year update subscription, are heavily discounted from a list price of about $50. Significantly more protection can be obtained at little additional cost by installing an Internet security suite, which typically adds a software firewall, applications control, and privacy features to the antivirus program. The same end can be achieved by installing individual programs if desired. The Norton suite lists for $70 but is usually discounted and is available from the manufacturer for $40 as an upgrade or to the user of any other Symantec product. Other excellent suites, such as McAfee (Network Associates, Santa Clara, Calif), are also available. An inexpensive hardware firewall router adds an additional layer of security and can also serve as a network hub. The Linksys and similar firewall routers (either single-port for one computer or four-port for a small network) usually sell for about $50; routers with more ports can also be purchased, or ports can be added to the basic routers. Many supplemental software security programs are also available, some of which will be discussed in the second article. For basic firewall and antivirus protection, I recommend that most radiologists purchase an Internet security suite, perhaps supplemented by a firewall router. For those with a network, the firewall router may already be in place.
Viruses and Antivirus Software
The NAV user’s manual defines a software virus as "a parasitic program written intentionally to alter the way your computer operates without your permission or knowledge" (1). Antivirus software protects against these rogue software programs, including classic viruses and many similar programs such as malicious script, "worms," "zombies," and "Trojan horses" (the last being programs that masquerade as being beneficial but perform a negative function, such as monitoring PC activity). Detailed discussion of each type of virus is beyond the scope of this article but can be found in most antivirus program user manuals or antivirus Web sites in the Table. Although the effect of a virus on the PC may be innocuous, such as display of a benign message, some of the worst programs permit remote control of the PC or its entire network, including surreptitious transfer of files, data alteration or destruction, or attacks on other computers or networks. Viruses and similar nefarious programs usually arrive by e-mail (especially as attachments) or in material downloaded from the Internet; occasionally, they are implanted on the PC, arrive over a network, or are present in shrink-wrapped software.
Radiologists not desiring a security suite should invest in one of the highly rated antivirus programs, such as NAV or McAfee VirusScan (Network Associates), which have evolved over the years into elegant programs that are simple to install and maintain. Their corresponding security suites will be discussed later. Whatever program is selected should run automatically in the background and have a 1-year subscription for updates that can be easily performed. Ideally, the program should have e-mail protection and other advanced features. Consult the Table for Web sites that review antivirus and other software and provide further information.
Before installing any antivirus program, one will find it useful to skim the user’s guide, particularly the first few chapters. Installation and configuration of NAV are straightforward. Administrative rights are required to install, configure, and update the program. The default configuration settings will be adequate for most users. Figure 1 shows the NAV System Status screen (thedefault opening screen) after installation and initial setup operations, including the first Live Update and Full System Scan. Operations begin from this screen. Note that the Status tab is highlighted by default in Figure 1. One can quickly confirm the dates of the most recent system scan, virus definitions, and subscription service and perform a Live Update. Options are configured with the middle icon at the top. Although most users will feel comfortable with the default settings, which can easily be restored with an icon at the bottom of each box, there are some options to consider. Most of these options are self-explanatory and are covered in the user’s guide. A password for the Options menu can be set on the Miscellaneous tab. Many popular e-mail and messenger programs are protected if properly configured (usually automatically). In addition to automated live updates of virus definitions, I recommend performing a manual live update at least once a week, which will also include program updates. (Live updates are routinely issued late on Wednesday and as needed; daily manual updates are also available for administrators and other interested parties.) A scan of the entire system can easily be automated and should be performed at least weekly. Disks, directories, and individual files can be scanned by right-clicking on them in Windows Explorer and most other locations where their names are displayed and selecting Scan with NAV from the pop-up menu. It is recommended that any outside file be scanned prior to being opened, including files on compact or floppy disks, downloaded material from the Internet, e-mail attachments, and similar items. An icon is available on Internet Explorer for use there. Protection is also provided for Microsoft Office documents. A program icon is visible on the system tray (unless it has been configured not to be displayed), and the user can right-click on the icon to disable protection temporarily or to open the main dialog box. Holding the cursor over the icon will display the current protection status. The NAV program installed with NIS is identical to the stand-alone program.
Antivirus programs detect multiple threats to the PC, and software and hardware to be described later can help restrict access to personal information. However, some users may wish to restrict various types of "spyware" placed on the PC by Internet Web sites. Such programs transmit information related to Web activity beyond that of typical "cookies" and are frequently deposited on the radiologist’s computer. Some programs may even change the browser’s home page or direct it to nefarious Web sites. Software is available to eliminate spyware, and most of it is free to users. Ad-aware (Lavasoft, Falköping, Sweden) is a popular freeware program; its Web site is listed in the Table. Some Internet security suites are beginning to incorporate protection against spyware.
Firewalls and Security Suites
Any PC connected to the Internet or otherwise networked with any other computer must have a firewall to block access to its files and transmissions. If remote or other access is desired, the firewall can be so configured. Some users will elect to use the W-XP firewall, which is turned off by default. To see if this firewall is activated, go to Control Panel > Network and Internet Connections > Network Connections, then inspect the resulting dialog box. If the firewall is active, it should read Enabled, Firewalled under Status. To turn the firewall on or off, consult Help. Although the W-XP firewall can be configured to some degree, most users who would elect to configure it might be happier with more advanced software. Configuration of the firewall may be required on certain networks or in other situations in which some services may not otherwise function, usually due to a blocked port. For instance, one computer-savvy radiologist with a fully functioning home network found that activating the firewall on one of the network’s three PCs resulted in improper function of the PC. In such cases, the logging feature of the firewall must be activated to determine the problem. (See W-XP Help or the book by Bott and Siechert [2] for details.) I had no such difficulty with the two PCs on which I tested the W-XP firewall; one PC was part of a large Novell network and the other was connected to a cable modem. I tested these systems, with NAV also installed, at the Symantec Security Check site (Fig 2). (The Symantec Web site is listed in the Table.) The systems passed all tests except for the browser privacy test.
Third-party software firewalls and security suites can expand the protection available in the basic W-XP firewall. Although the basic W-XP firewall blocks unsolicited inbound traffic, it does not control outbound access, allowing any software on the PC to communicate over the Internet. As suggested earlier, most radiologists should purchase an Internet security suite, which controls outbound access and provides many additional features. There are several highly rated programs, including McAfee Internet Security 5.0 (Network Associates) and the featured NIS. The latter includes Norton Firewall 2003, NAV 2003, applications control, individual accounts control, parental control, a "hot key" to block Internet access, private information protection, and other features. Consult the manufacturers’ Web sites and online rating services, such as those listed in the Table, for details of the various programs available.
Installing NIS is straightforward. The first step is to remove any antivirus program, except NAV 2003, and turn off the W-XP firewall (discussed earlier) to prevent conflicts. The appropriate sections of the user’s manual (4) should be read first; this is particularly important for gaining a basic understanding of applications and privacy control setup. One can either use the setup "wizard" to configure the applications at the time of installation or select the default configuration and make changes later. If the latter is elected, at least some configuration must be done after installation. Applications control, the election of which programs can access the Internet, can be achieved by accepting the initial defaults (programs approved by Norton; these can be changed if desired) and deciding, via a connection dialog box that appears, whether to allow access for programs as they are used. One can decide whether to permit (or deny) access as a default or make a decision each time a program appears. (This must be done with care because essential programs can be denied access to the Internet, rendering them useless, and any resident rogue programs can be allowed unfettered Internet access.) A setting can be redone if necessary. NAV is configured as discussed earlier, mainly accepting the default settings. Passwords for both the firewall and NAV can be set. After installation, Live Updates should be performed repeatedly until no additional updates are available; this may require two or three cycles, each time with a reboot. The whole process, including program configuration and addition of privacy information, should take about 2
–3 hours for a first-time user; most of the time will be spent with the manual. Simply installing and updating the program in its default configuration takes about 15 minutes. As with most security software, as the chosen level of security increases, so will the number of warnings, requested permissions, Internet access denials, and other interactions. One of the more useful features of the program is its ability to terminate and reestablish Internet access by means of a "hot key." Usually the most convenient method is to select the program icon in the system tray (lower right corner of the default desktop) and click on Block Traffic (or Allow Traffic). If the System Status screen (Fig 3) or Security Monitor is already displayed, it can also be used. A minus sign appears on the icon when traffic is blocked. This is a useful precaution for when the computer is to be left on for a prolonged period and is the software equivalent of unplugging the appropriate cables. NAV can be similarly disabled by right-clicking on its icon in the tray. Both should be set to automatically activate as the default setting whenever the computer is booted.
View larger version (41K):
[in this window]
[in a new window]
[Download PPT slide]
|
Figure 3. NIS System Status screen. Note the tabs at the top, which allow the user to block (or allow) traffic, perform live updates, configure options, and visualize the security monitor. There is a tab at the left for NAV, which is identical to the stand-alone program.
|
|
Radiologists should consider adding a hardware firewall router as additional protection, even if they do not have a network (Fig 4). These small, inexpensive devices are especially useful for those with a cable or digital subscriber line (DSL) "always on" connection. The Internet protocol (IP) address of any computer behind the router is hidden from those outside the network by the built-in network address translation firewall. The router is wired between the cable or DSL modem and the computers, and setup is quite easy for an existing Internet account. In addition to hiding the IP address, the router serves as a backup of the software firewall, not permitting any unsolicited inbound traffic. Like a simple software firewall such as the W-XP firewall, the basic firewall router does not provide applications or privacy controls and does not serve as an antivirus program.
View larger version (54K):
[in this window]
[in a new window]
[Download PPT slide]
|
Figure 4. LinkSys firewall router. This small, inexpensive device is wired between the modem and the PC and provides additional protection. Multiport models are available for setting up a network.
|
|
Firewall routers are available in many configurations from numerous manufacturers, such as D-Link (Irvine, Calif), Netgear (Santa Clara, Calif), and Linksys. To test such a firewall on a cable modem system, I installed a single-port firewall router, the Linksys BEFSR11, ver 2 EtherFast Cable/DSL Router (Fig 4). The router cost $50; a four-port model costs about the same. The Linksys Web site (Table) is particularly useful for a basic introduction to network security issues. It is easy to hook up the router for a functioning cable or DSL modem account. For my cable account, which uses dynamic host configuration protocol for supplying an IP address to the PC, configuring the router was easy. First, with the power turned off, the router was wired between the cable modem and the PC. Power was then restored, and the computer was booted. The Internet service provider’s Web site was then accessed (which was possible even though the router was not yet configured) and the router was added as a new "computer" ("Router"). There was no need to run the connection software provided with the router ("Run Me First"), enter any special names or numbers, or adjust the network address translation firewall. After being rebooted, the system functioned as it had before the router was added. I was assured by the Linksys telephone help line technician that no additional configuration was necessary. Your experience will likely be different depending on the router selected, the type of Internet service, and whether there is a local network; some configuration will be necessary for a network. Before proceeding with the installation, one should check with the service provider and read the documentation that accompanies the router. I tested my system at the Symantec Security Check site after disabling its software firewall (NIS). It flunked only the browser privacy test, which it passed after the software suite was reactivated. The initial result was the same as that obtained for the W-XP firewall/NAV system described earlier (Fig 2). There was no noticeable slowing of Web activity with the combined hardware and software firewalls.
Wireless Networks, VPNs, and Software Updating
Detailed discussion of wireless connections is beyond the scope of this article. Information about wireless networks is available at many of the Web sites cited earlier and listed in the Table. Bott and Siechert (2) provide extensive coverage, emphasizing the importance of proper initial configuration. Briefly, such networks provide an inexpensive way to connect PCs and peripheral equipment but introduce the possibility that nefarious individuals will intercept the radio-frequency signals of systems that are not properly configured. All that is required is a wireless network card. With such a setup, the wireless communications of a PC can be monitored. Files on the PC can be accessed if file sharing has been enabled and the network connection can be used by the offending party. Accordingly, wired equivalent privacy protocols have been developed to encrypt and authenticate wireless exchanges. Varying levels of protection are available, and potential users should educate themselves before choosing and installing such a network. Typically, a wireless network card and a wireless network router are purchased, often from different vendors. Documentation for each component should be consulted. None of the current wired equivalent privacy protocols are as safe as a wired network, which is the recommended system where possible. Because of the deficiencies of these protocols, a new, safer standard is being developed that will include updated hardware and software. As of this writing, Microsoft has just released an upgrade to W-XP that supports an interim standard: Wi-Fi Protected Access. Additional challenges are presented when one uses a portable PC with a wireless network card on a "foreign" wireless network, such as when traveling.
VPNs are also beyond the scope of this article, except for a brief introduction. A VPN as defined by Bott and Siechert (2) is "a secure means of connecting to a private network (such as your home or office network) via a public network (typically the Internet)." A telephone connection can also be used, which is potentially more secure, but slower. VPNs provide a secure connection by encrypting the transmitted information as it travels between the computers or networks, a process known as "tunneling." As indicated in the Introduction, despite the integrity of the VPN connection and the host network, an unsecured connecting PC can open a "back door" to potentially compromise the network. Of course, this can also occur over a nonsecure connection. Accordingly, even a home PC that is not used to house or transmit sensitive information must be protected if it will be connected to other PCs or networks that require protection.
Usually, a VPN is set up by a hospital computer administrator to permit outside access. W-XP also allows easy configuration of a VPN for use on a PC, such as for permitting secure remote access to a home computer. (See W-XP Help or Bott and Siechert [2].)
Radiologists who have not installed the latest Microsoft Critical Updates and Service Packs (software security updates) should strongly consider doing so. Software is complex, and security problems are frequently discovered. Free security upgrade patches are issued at vendor Web sites. Occasionally, the updates themselves are found to have deficiencies. Also, connection with any update site may potentially allow the vendor to acquire information about the user’s PC or even install nefarious software. For these reasons, some users are reluctant to visit vendors’ update sites. In my opinion, the risk of not installing a security update from a major vendor is almost always much greater than the risk of doing so. (Software should not be installed initially if there is a concern about the vendor.) Only trusted vendor sites should be used, and each update should be evaluated prior to installation. Program updates that do not affect security can be installed if useful and appropriate. Sometimes, programs activate update automation by default, varying in degree from simple notification to background installation. Complete automation of updating is not recommended, except for virus definitions from a trusted vendor’s Web site and for users who would not otherwise update their programs. Because updating varies with each program, radiologists should consult program documentation for details.
To update W-XP/Internet Explorer, select Windows Update on the Internet Explorer Tools menu and follow the instructions. The available security updates for your system will be listed as well as other program updates, including the security Help update file referred to earlier. For Office XP, go to the Microsoft Web site (Table) and select the Office Update link under the Office logo. Bookmark these two sites to simplify subsequent updates, which should be performed frequently. Other programs can be similarly updated where appropriate.
|
Conclusions
|
|---|
Obtaining a moderate degree of PC safety and security is somewhat inconvenient but is necessary and well worth the effort. It is necessary both to secure the PC itself and to protect its files and the information it transmits. Basic protection starts with physically securing the computer and setting a few passwords. A software firewall and an antivirus program are also essential. An Internet security suite, recommended for most radiologists, incorporates the latter two programs and provides significant additional protection at little or no extra cost. A hardware firewall router, which can also serve as a network hub, can be used as a second layer of protection. A spyware utility should also be considered. Software must be updated regularly. Other important measures will be discussed in the second article, including software configuration, file maintenance, and removing patient identification from DICOM files that are used for education or research.
|
Footnotes
|
|---|
Abbreviations: BIOS = basic input/output system,
DICOM = Digital Imaging and Communications in Medicine,
DSL = digital subscriber line,
HIPAA = Health Insurance Portability and Accountability Act,
IP = Internet protocol,
NAV = Norton Antivirus,
NIS = Norton Internet Security,
PC = personal computer,
VPN = virtual private network
|
References
|
|---|
- Symantec Corporation. Norton Antivirus 2003 user’s guide Cupertino, Calif: Symantec, 2002.
- Bott E, Siechert C. Microsoft Windows security for Windows XP and Windows 2000 inside out Redmond, Wash: Microsoft Press, 2003.
- Levine JR, Everett-Church R, Stebben G. Internet privacy for dummies New York, NY: Wiley, 2002.
- Symantec Corporation. Norton Internet Security 2003 user’s guide Cupertino, Calif: Symantec, 2002.
Top
Abstract
Introduction
