Because of HIPAA legislation, health organizations have to be particularly careful about the vulnerability of the patient data they maintain. Exposing patient data to the Internet through IM exchanges or P2P file sharing can jeopardize their compliance with a variety of state and federal regulations. The popularity of IM and P2P protocols has penetrated every aspect of our society, including those organizations entrusted with sensitive data such as health records. The opportunity for data to be exposed to eyes outside an organization has increased, whether such exposure is intentional or not, and organizations bound by HIPAA regulations are required to protect their patient data or suffer the consequences.

Often in hospital situations, employees on different shifts share workstations. Many of them may be communicating with family and friends outside the organization via Instant Messaging or P2P and can unknowingly download a malicious agent that can damage not only individual workstations but entire networks. Because many people may have access to the same computer, this activity is difficult to trace and can occur with alarming ease.

When a malicious program is downloaded, it can exploit a back door in the system and proliferate across the network. Depending on the nature of the parasitic code, patient information may be accessed and transmitted from behind the firewall to a designated IP address, or the code may launch an attack against the host network. These types of attacks can bring the network down. Even short downtime can cause significant financial and data loss.

Public Communications

Adding more complexity to the situation, the Securities and Exchange Commission (SEC) and the National Association of Securities Dealers Inc. (NASD) identify Instant Messaging traffic as communications with the public that companies must save and monitor. The Sarbanes-Oxley Act requires even those instant messages that are casual and personal to be saved and recorded as formal correspondence.

Many companies capture and store the data as required by law. Because this information can be used as legal evidence, there are several instances where data contained on message boards and in IMs were submitted to support or defeat a case being adjudicated. Imagine if medical advice were contained in an IM, even something as innocuous as advising Tylenol for a feverish child. Such correspondence could be used to make a medical malpractice case against a nurse or physician.

Network Security

IM and P2P also expose end-user equipment to worms, viruses and other backdoor software that, once introduced, can infect a network and inflict damage on a wide scale. Employee abuse of their computer privileges can be the silent destroyer of networks. Whether it is a dramatic problem such as denial of service or the downloading of backdoor worms and viruses, the misuse can be dangerous and damaging and ultimately undermines network security.

Managers of network security need to take advantage of hardware appliance solutions in order to fully protect their networks from employee abuse and misuse. The damage to a company's productivity and profits is only the tip of the iceberg. Introducing a filtering option that does not have a single point of failure or cause latency in network traffic is critical. Equally important, a solution that doesn't need to share memory or processing power with another device is the best choice to protect networks against security breaches and legal liability and to help preserve the corporation's good reputation.

Legal Liabilities

P2P and IM file sharing can be dangerous applications that quickly devour bandwidth and jeopardize company finances, because companies can be held liable for employee actions such as downloading copyrighted song material. In addition, P2P and IMs can contain malicious software that downloads and installs itself into the host network; a company's computers and networks may then be used to launch denial of service (DoS) attacks on other companies and networks.

There is an established legal precedent that will hold a company liable in part for the damages inflicted on another company if its computers or networks were used to stage the attack. Because of this legal precedent, the danger to a host network is not just the loss of bandwidth and the subsequent breakdown in communications, but also the legal liabilities involved, which can result in damage to a company or organization's reputation and even threaten its financial stability.

It's important to note that the damage to an organization's reputation can be more costly in the long run, especially if the organization is supposed to be secure and web savvy, or if security vulnerabilities threaten to expose sensitive data such as health records. For hospitals, health insurance and dedicated health care providers, such damage can result in a loss of business over time that devastates their long-term prospects and, when combined with short-term fines, can even mean going out of business or experiencing a takeover by another health care company.