General discussion

How to Solve this security Problem

By HAL 9000 Moderator ·
A company that supplies most Doctors' Surgeries with a vital piece of software for billing purposes sends out updates several times a year. These updates require an appointment to be made, and at the appointed time the supplied CD is placed in the drive, an internet connection is made, and the surgery logs on to the company's site and then activates PC Anywhere so that the supplying company can run the upgrade on all computers that use their software. In this way there are no errors in upgrading the software, which is used to bill Medicare in Australia and the HMOs in America. So far so good, as it requires very little expense by the software manufacturer to keep their product up to date.

But their software contains personal information like the names, addresses and phone numbers of patients, the dates that they attended appointments, what the appointment was for, any treatment performed, any illness that the person is suffering, etc.

Now how do you secure the computer from unauthorised access via PC Anywhere that could lead to massive legal claims being brought against the Doctors' Surgery by the lack of security of having PC Anywhere on a computer that holds this type of information?

Also, if this data was to be stolen there would be criminal action brought against the Doctors' Surgery for breaching Privacy Laws.

Anybody want to offer a solution to this problem?

Short Answer!

by areets In reply to How to Solve this securit ...

Business= software upgrade satisfaction
Technical= Networking and security
Technology= VPN + IPSEC
Build a VPN tunnel using IPSEC; then stream upgrade. Client initiates VPN and PC Anywhere will execute.

TSP

Are you asking?

by madroxxx In reply to How to Solve this securit ...

Are you asking from the perspective of the company doing the upgrades or the Doctor with P.C. anywhere installed on his computer?

No I've just got conned into

by HAL 9000 Moderator In reply to Are you asking?

Maintaining the system as a favour for an alleged friend.

In answer to the above posting as well, the company concerned doesn't support VPN, and the computer was built by someone else who specialises in home computers for the games market, so it has Windows XP Home installed. This company makes a very good living selling budget computers to the general public and has the idea that they can fully satisfy all business needs.

Disable or Firewall

by clearsmashdrop In reply to No I've just got conned i ...

Except for the scheduled time when you do the PC Anywhere xfer, you should either disable PC Anywhere on the client machine or close the ports that PC Anywhere uses on the firewall.

Is there the possibility that you can use PC Anywhere via the modem?

Cryptography will help you...

If you have no IPSEC, you can use file encryption with a digitally signed hash of the file (see "RSA Security's Official Guide to Cryptography" for example).

And you must block access via firewall to your PC Anywhere port at any time, excluding these updates.
(For more information see "Building Internet Firewalls, 2nd Edition".)

regards,
Vladimir B. Kropotov

Thanks for the idea

by HAL 9000 Moderator In reply to Cryptography will help yo ...

But I don't think that the nurse that works the single computer will be capable of performing these steps even after I set them up, as she has a hard enough time remembering to perform virus updates, let alone opening and closing ports in a firewall which isn't there either.
I guess that I'll just have to set it up securely and then run down there every time an upgrade is required, or leave it as it is and suffer the consequences {that's not a very good idea}, so I'll just have to put myself out every 6 months or so to do this little job.

Secure PCAnywhere

by pmehta In reply to Thanks for the idea

As far as secure transfer of data is concerned, you can, in fact should, use Secure PcAnywhere or any other secure remote desktop accessing tool.

Protecting the PC: you already have antivirus running well; most antivirus software comes with a personal firewall which you can configure once and forget about unless some major changes are needed.

If you don't want to spend money on those, you can use IP filters and have password properties configured in the security and analysis configuration.

Hope this helps.

Monitor and Modify

by jrosenberger In reply to How to Solve this securit ...

You are already turning the PCAnywhere off when there is no scheduled update, so have somebody watch while the update occurs to verify that the vendor (or their representative) is not accessing (viewing) or copying your data to their computer during updates, and to turn it off when done. Also, the PCAnywhere host session can limit upload / download file privileges. If all you need is on the update CD, limit those privileges. Set up a different session with full access for use if there is a problem that requires uploading and downloading of files. Log everything, and review those logs before and after. Hope this helps.
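
The controls suggested across this thread (remote access open only during the booked update, restricted file-transfer rights, log review before and after), as an added example that is not part of any post: a Python review of session records against the appointment windows. The log layout, names and dates are constructed for illustration and are not PCAnywhere's real log format.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: timestamp,event,detail (hypothetical layout).
SAMPLE_LOG = """\
2004-03-10 14:02:11,SESSION_START,remote=vendor-support
2004-03-10 14:05:40,FILE_TRANSFER,direction=to_host name=update.cab
2004-03-10 14:31:02,SESSION_END,remote=vendor-support
2004-03-14 02:17:45,SESSION_START,remote=unknown
2004-03-14 02:19:03,FILE_TRANSFER,direction=from_host name=patients.mdb
2004-03-14 02:25:30,SESSION_END,remote=unknown
"""

# Booked update appointments (constructed): the only times remote access is expected.
APPOINTMENTS = [("2004-03-10 14:00:00", "2004-03-10 15:00:00")]

def parse_windows(pairs):
    return [(datetime.strptime(a, FMT), datetime.strptime(b, FMT)) for a, b in pairs]

def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)

def review(log_text, windows, allow_download=False):
    """Return (timestamp, reason) findings for the person reviewing the log."""
    findings = []
    session_start = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, detail = line.split(",", 2)
        ts = datetime.strptime(stamp, FMT)
        if event == "SESSION_START":
            session_start = ts
            if not in_window(ts, windows):
                findings.append((stamp, "session outside appointment"))
        elif event == "FILE_TRANSFER":
            # The update comes from the CD, so nothing should leave the host.
            if "direction=from_host" in detail and not allow_download:
                findings.append((stamp, "file copied off host"))
        elif event == "SESSION_END":
            started_ok = session_start is not None and in_window(session_start, windows)
            if started_ok and not in_window(ts, windows):
                findings.append((stamp, "session overran appointment"))
            session_start = None
    if session_start is not None:  # host left listening after the update
        findings.append((session_start.strftime(FMT), "session never closed"))
    return findings
```

Pass `allow_download=True` only when reviewing the separate full-access session kept for troubleshooting.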
