SAFETY TIPS IN AN INSECURE WORLD
Cutting Through the Hype and Hyperbole

May 16, 2000

With the most recent spate of viruses hitting computers, and with continuing rallying cries about how inherently insecure computers are in general, I thought I'd spend a few moments discussing some actual facts. Think you know it all when it comes to online security? Well, find out now.

Viruses:
The Problem

It's hard to imagine what computers would be like a decade after Windows 3.x was born. Viruses were passed around on diskettes, when people exchanged data or programs with floppies, not with network connections. (A computer virus is nothing more than a computer program which follows certain instructions the author programs into it -- copy itself to other computers, delete files, rename files, etc.) So virus programs were pretty simple -- scan the diskette before allowing access to it. The operating systems which run the majority of our computers also took a pretty simplistic view of how viruses are passed. Microsoft never imagined that everybody's computer would be networked with everyone else's computer (e.g., the Internet). So they built all of their consumer operating systems to be inherently pretty insecure when networked.

 The Internet changed the world of virus makers. Disk-borne viruses are practically nonexistent today, while Internet-based viruses take over. Virus makers were given another gift from Microsoft as well. Microsoft started allowing ordinary end-users the power of programming through things called "macros" in word processing and spreadsheet programs. This gave users a lot more power in these programs, but also introduce a whole new strain of viruses. Virus authors could exploit macros to cause all sorts of havoc. And throughout the 1990s, this is exactly what they did.

 Much of the problems experienced by users could have been solved if Microsoft put security concerns before feature bloat, but Microsoft made the decision to closely integrate its software with its operating system. This decision hasn't helped security, but has allowed virus authors to thrive.

 Microsoft, to its credit, has tried to patch its consumer operating systems to make them more secure, with varying degrees of success. For example, to run the "I LOVE YOU" virus from email, a pretty large warning box pops up and explains the danger of trying to run the program unless it is from a trusted source.

 Virus writers are quite ingenious though. "Trusted" means, to most people, that the email and accompanying virus comes from someone you know. So the popular means of distribution these days is to send email with attached viruses to everyone in the target's email address book. Again, Microsoft's programs make it very easy to disseminate viruses this way, entirely unintentionally. Other email programs are less susceptible to this problem.

 Oh, and if you have a Mac and think your immune to viruses like this, don't be fooled. Most virus writers concentrate on infecting the largest amount of machines possible. Since Mac users are a tiny percentage of all computer users (5-6%), they are usually less of a target. But viruses have been and continue to be written to take advantage of Mac-specific OS and software exploits.

Viruses:
The Solution

Even virus protection programs didn't pick up the "I LOVE YOU" virus until after it was released (which was too late for most people). So while it is important to invest in a virus detection and cleaning program, it is not enough. You, the end-user, need to change some of your behaviors to keep the virus from spreading.

 The easiest behavior to change is to stop double-clicking on attachments in email. It is also the hardest behavior to change, since we do so almost automatically (like a Pavlovian dog responding to the infamous bell). Just stop. If you were not expecting a document, a note, a joke, a picture, a photo, or whatever else might come as an "important" attachment in email from a friend, family member, or colleague, do nothing with it. Then, email the person back and ask them if they sent the attachment and what is in it.

 If people stop automatically opening any attachment that comes to them from persons known or unknown, we'll cut down on viruses spreading tomorrow. Only open attachments you were expecting from people you know.

Security Online:
Facts and Myths

In general, I hear far more "straw-man" arguments about security online than real-world experience has taught us. You've probably heard them, too. Anybody can steal your credit card information from a Web site. Web servers are inherently insecure. How can you think about putting that kind of sensitive information online? Well, the reality is slightly different than the fear-mongers would have you believe.

 Not a single credit card number has been stolen online while in transit from your Web browser to the Web server. None that I've ever heard of or seen in security forums. Yes, credit card numbers have been stolen off of Web servers, but not in the way you think. The server was broken in through a piece of software residing on the server, not by simply hacking through the server's front door. That means that software developers (and the people who buy that software) must be very careful when developing for the Web. It doesn't mean the Web is inherently more insecure than other modalities.

 A perfect example I like to use is while working as a practicum student in graduate school. One of the community mental health centers I worked for had a file room, as do most centers and larger therapy practices. During the day, the file room was kept unlocked to ease access to our client's charts. Do you see the problem here? Community mental health centers can be pretty large places. And the ones which act as training grounds for students mean a lot of student therapists are coming in and out of the place constantly. Did I know all of them by sight or by name? Heck no. So if someone else was in the file room when I went in there, I had no idea whether they were in there legitimately or not. They could've been a client for all I knew!

 The secretaries who handled billing issues also had access to those same charts. The entire thing. That means that people who shouldn't have access to your clinical information freely did (and in most clinics, still do). All they needed was the information necessary to do billing, but they had access to the progress notes, the test results, the medication list, everything. Are these folks bound by any ethical principles like therapists are? Largely, no, they're not. Scary.

 So the real world is a pretty insecure place in many clinics across the nation. Can the online world do better? You bet. Online records can be encrypted and secured through methods which have no comparable real-life equivalent. Access to different sections of a client's chart can be controlled so that only the people who need access to a particular section have such access. Secretaries have access to billing or scheduling information, but not clinical information. Therapists can even provide access to the chart directly to the client. And clients can track every access made to their online record through a log of transactions. So you can see that your psychiatrist accessed your record the day of your appointment, but not again for 4 weeks.

 Now, about those insecure servers online. It all depends on who is providing the service. If it's Joe Therapist who has put up a little Web site to conduct online therapy through, yes, Joe's resources put into security may be somewhat limited and suspect. However, if you're looking at Big Therapy Corp, they have the resources to do therapy and record keeping online right. They can hire a security team to monitor the servers 24/7 (and some do). They can ensure they have the best equipment and encryption technologies available. And they can backup all the information daily, so even if something does happen, they have a copy of it and can restore the system immediately.

 Where would you rather have your data stored? Paper is fine for now, but like all things paper, paper record keeping will eventually go away. Its time is limited. On your therapist's PC on his desktop? Many therapists use PC desktop software programs to help manage their practice. The problems with this sort of setup are many:

Desktop PCs
  • Desktop PCs data is rarely backed-up, so if something happens to the PC, the data may be lost
  • Desktop software relies on the software developer providing occasional updates (maybe once a year, if they're lucky)
  • Desktop PCs usually have only minimal security, such as an easily-bypassed operating system (OS) login, and insecure hardware (hard drive can be readily removed)
  • Desktop PCs connected to the Internet run into all the same kinds of problems as any Internet-connected PC, including the increased likelihood of being susceptible to a virus
  • No 24/7 monitoring of the PC to ensure safety of data
  • In case of natural disaster (fire, flood, etc.), PC's data may be lost
Online Servers
  • Server data backed up nightly
  • Server software applications updated constantly
  • Server hardware can be in a secured, locked location; server hardware itself can be locked
  • Servers connected to the Internet can be secured behind firewalls and since they do not run consumer software, are inherently more secure than desktop operating systems
  • Servers can be monitored 24/7 by real people
  • In case of natural disaster, server's data is recoverable and server backup can be placed online

Given the choice, I would feel much safer if my data was on a server sitting in a locked room someplace, and monitored constantly by a live trained staff. In most cases, I would probably demand it over a stand-alone PC solution by the therapist.

Nothing is 100%
Don't get me wrong. Nothing is 100% in this world, and that includes online security, as well as real-world security. People often fall back onto the solutions they've always used because they are the most familiar, despite any failings they may have. Unfortunately, the Internet has contributed to a world changing at a speed that many clinicians (and clients) find daunting. That also means a new emphasis and focus on privacy and confidentiality rights for clients.

 Online providers of record keeping services are the future, have no doubt. Service providers in this area are working very hard to ensure that the standards they live up to are 100 times more rigorous than anything in the real world. My experience with talking with these providers suggests they take security, privacy, and confidentiality concerns far more seriously than real-world providers (including insurance and managed care companies).

 Get ready, because here they come!

 - John

Last reviewed: By John M. Grohol, Psy.D. on 27 Jan 2007
    Published on PsychCentral.com. All rights reserved.

 

 

Happiness depends on ourselves.
-- Aristotle