Inside a Security Audit: The Bad News
Review reveals employees' risky behaviors
That's the lesson a small biopharmaceutical company learned when it hired a web auditor. The project, originally designed to investigate why Internet access was so slow, revealed numerous security threats, many tied to web surfing habits.
Using web filtering software, the auditors discovered that some of the company's PCs were infected with malware as a result of employees visiting web sites that, well, they shouldn't have. One PC was even sending small amounts of data to a Russian web site, apparently the result of a botnet attack.
The IT manager for the company, who asked to remain anonymous, has this advice to organizations of all sizes in healthcare and, for that matter, any other industry: "Don't be naive. You may think you're secure, but you really don't know what's going on in your network. We thought we were in good shape; the results of our audit were really surprising."
The advice could come in handy for healthcare organizations conducting security audits and risk assessments as they prepare to comply with the HITECH Act's toughened privacy and security rules. The Act requires hospitals, clinics and others to report major breaches to federal regulators.
And when it comes to keeping healthcare information private and secure and avoiding breaches, a risk management approach is far more effective than a narrower, regulatory compliance approach, says Sharon Finney, corporate data security officer for the 37-hospital Adventist Health System.
"If you look at security purely from a compliance-based approach, you may be missing a huge area of technical or administrative risk within your environment," Finney says.
For years, the small pharmaceutical company had been using such security technologies as a firewall and virus detection software. And it had educated its staff members about how to avoid security risks when surfing the Web. "But we learned that even after all that, we were still vulnerable," the IT manager says.
The pharmaceutical company recently spent about $5,000 to have Networks Unlimited, Hudson, Mass., conduct a 45-day audit of its Internet use, bringing in a server armed with web filtering software from San Diego-based Websense Inc. The software "captured every packet of data going in or out of our Internet connection," the IT manager says.
In addition to identifying security risks, the auditor helped the company determine that its staff productivity was adversely affected by the amount of time employees spent on social networking sites and other sites unrelated to their work, he adds.
As a result of the lessons learned during the Networks Unlimited audit, the company permanently installed the Websense web filtering software.
Rather than punishing any workers for their past web surfing transgressions, company executives simply informed everyone that, moving forward, all Internet traffic would be monitored as a virus-prevention strategy.
"We reminded everyone that it's OK to briefly use the Internet for personal use during break times," the IT manager says.
Building awareness of the web monitoring did the trick.
"We still get folks using social networking sites, but it's way, way down," the IT manager says. "And visits to some racy web sites that are inappropriate for a work environment have stopped, as has access to poker web sites."
The moral to the story? "End-users need to be somewhat protected from themselves," the IT manager says. "You're really only as protected as much as your end-users are trained."
In addition to helping identify security threats, the software is helping the company to educate its workforce. The IT manager illustrated this with a recent example.
"We're doing fundamental scientific research here, and one person is working on a reproductive health project. Websense blocked her search of one particular web site," he explains, because the site was infected with a virus. But the researcher insisted the web site was vital to her research, so the company permitted her to access it, keeping a watchful eye on the results.
Sure enough, a virus immediately infected her computer, but was quickly eliminated by the IT team.
In addition to using the web filtering software, the pharmaceutical company is taking other steps to beef up security. For example:
- Those who access applications remotely via a virtual private network now use two-factor authentication with hardware tokens.
- The drug company also is increasing the complexity of its passwords "so if a virus affects a PC and conducts a brute force attack, it's much more difficult to crack the password," the IT manager says.
- The firm is attempting to minimize the number of staff members who have administrative privileges for a particular application, because that makes their PCs a high-priority target for hackers.
The need for speed
And to help speed up Internet access, which, after all, was its original concern, the company wound up switching to a higher-speed connection. Plus, staff members are no longer allowed to use streaming media, such as to listen to music, which was slowing down access for everyone.
"A lot of the younger folks who grew up with high speed connections figure it's OK to use streaming media at work," the IT manager says. "They forget that 200 people are sharing that pipe."