Hospital Treats its Own Spyware Infection
A Seattle hospital had a serious spyware issue, and IT administrators knew they needed to treat it quickly before confidential information was put at risk.
''Pop-ups at desktops became a severe and growing problem,'' says Ken Burton, CTO of Northwest Hospital. ''It slowed down performance to many help desk calls.''
Burton realized the problem could quickly escalate to more serious types of spyware which could potentially steal passwords, solicit confidential financial information and compromise patient records. As a result, spyware prevention became a priority in the hospital's regulatory compliance efforts.
''Although we hadn't yet been affected by the nastier forms of malware, it became apparent that anti-virus and other types of security protection were not enough,'' says Burton. ''We couldn't take the risk of clinical or financial data snooping.''
''We are now maintaining the integrity of our desktops and have eliminated spyware-related help desk calls,'' says Burton. ''We feel solid as regards safeguarding our user community and patient records.''
Spyware is malicious code that is secretly downloaded on a computer to convey information about the user back to the malware author. The spyware can track online behavior, distribute annoying pop-up ads, spread viruses and obtain personal information from the infected computer.
HIPAA Shake Up
According to Stamford, Conn.-based Gartner Inc., a major industry analyst firm, 80 percent to 90 percent of computers suffer from some form of spyware. To make matters worse, Gartner analysts report spyware has spread from being mainly a consumer threat to being a real concern for the enterprise. And that is a big cause for concern in the health care industry due to the mandates of the Health Insurance Portability and Accountability Act (HIPAA), which calls for heightened information security.
HIPAA requires, among other things, for hospitals to maintain electronic safeguards for patient privacy. But with spyware becoming increasingly invasive, it presents a big challenge to compliance efforts.
''As part of ongoing HIPPA efforts, you have to protect patient records from malicious software,'' says Burton. ''You have to have spyware prevention in place or you are at risk.''
Battling Spyware and Adware
The Northwest Hospital's Cisco-based network consists of 1,200 end users, with the IT infrastructure residing in one central data center. The 100 or so servers that host all hospital information and applications are primarily Windows Server 2003 based, though a handful of UNIX servers are also present. At the desktop, Windows 2000 predominates.
On the security side, the organization uses Computer Associates' eTrust suite for anti-virus, firewall and intrusion detection system (IDS). In addition, it utilizes employee Internet management software from Websense Inc. of San Diego. Burton says this program has been configured to block instant messaging, gambling and pornographic material from entering the network. Despite these tools, adware became a menace.
''No matter what you do, some users will let some adware in,'' he says. ''We were getting 12 calls a day from users complaining about pop-ups or adware-related slows.'' As well as tying up the phone lines, this meant that one or two technicians had to make daily rounds to cleanse PCs of spyware. Initially, they used freeware tools, such as Ad-Aware from Lavasoft of Sweden. Burton found such tools great for working on home PCs, but unworkable in an enterprise setting.
''Technicians had to use them manually, moving from desktop to desktop to debug our machines,'' he adds. ''We wanted to be able to scan enterprise PCs in a minute and have the program running in real-time mode like in modern anti-virus tools.''
The organization narrowed the selection process down to Webroot Spy Sweeper by Webroot Software Inc. of Boulder, Colo., and PestPatrol from Computer Associates. The selection parameters included figuring the amount of administration required, effectiveness in detecting and preventing spyware, time taken for scans and CPU utilization.
Burton used the Windows Performance Monitor to test both products. He says Webroot and PestPatrol both consumed more resources than he'd like, but PestPatrol came out a little ahead. He measured it at 15 percent to 30 percent CPU usage with a few higher spikes -- better than other tools, but not good enough. He says he is working with the vendor to have later versions consume far fewer resources.
''If people are performing work-related tasks at their desks, the spyware program shouldn't interfere,'' says Burton. ''The way it works currently, they might get a noticeable freeze -- perhaps one or two seconds -- on occasion.''
In terms of management, he says he is largely happy with PestPatrol.
All pest detection and cleaning activities are logged to a central reporting system. The administrator sets policies on actions to take when spyware is found. Specific applications can be excluded from detection by name, type, filename, directory or path if desired. Updates are automatically relayed from the vendor Website to one server in the Northwest data center. Those updates are then automatically distributed to PCs running the workstation agent.
''The management capabilities of PestPatrol were the best of the bunch, but were not quite where we needed them to be,'' says Burton. ''The next release will have better reporting and other management enhancements.''
Northwest's main complaint is that PestPatrol has to be managed separately from the rest of the eTrust repertoire. To be fair, Burton says, Computer Associates only recently acquired the product and integration takes time.
''I don't want two separate tools. I want it to integrate fully with anti-virus,'' says Burton. ''Fortunately, that is the direction C.A. is taking.''
Due to resource consumption issues, the hospital has held off employing PestPatrol in real-time mode. Under that method, it is constantly looking at the stream as the users view email or the Web. For the moment, he is content to perform a once-a-day scan after hours on all machines. Once the next product release has arrived, he will test it and plans to role it out in real-time mode -- provided it consumes fewer resources, as promised.
But even with some issues to resolve, he'd much rather have anti-spyware software running than continually have to manually debug individual desktops.
''The difference in having a centralized tool is like night and day as you move from reactive to proactive management,'' says Burton. ''With so many spyware threats constantly coming out, you need an enterprise-class tool to stay on top of things.''