In cyberspace, no one can hear you scheme

May 21, 2004

The old telephone party line is back. Now it's called the network."The near-ubiquitous remote availability of information is one of the most compelling advantages of information systems," said Dr. Paul Chang, director of radiology informatics at the

The old telephone party line is back. Now it's called the network.

"The near-ubiquitous remote availability of information is one of the most compelling advantages of information systems," said Dr. Paul Chang, director of radiology informatics at the University of Pittsburgh Medical Center.

Unfortunately, it is also a monumental security liability. Although the probability of attack is slim, the consequences of data loss are huge, he said.

But most people consider security an IT issue, to be solved by throwing more hardware and software at it.

"This is an inaccurate perspective," Chang said. "Any adequate security model transcends devices and technology. It's critical that security be integrated into user workflow."

The problem is that security is boring, in the way that car insurance is boring.

"People want to pay as little as possible for security, then hope they never need it," he said.

Chang discussed network security during a SCAR University session Friday morning, in which he outlined six areas of concern.

· Secure the environment.
"Any guy in a lab jacket can steal a baby or get to your PACS archive and network closet," Chang said.

· Secure the network. Everyone must have a firewall.

· Secure the computer and software. Run antivirus software.
"Beware of laptops, the unfaithful spouses of IT," Chang said.
Laptops are often exposed to the outside world, especially "Trojan horses" left by vendors for backdoor network access.

· Secure the computer. Install patches. Keep the operating system current.

· Secure the data. Consider rights management. Practice disaster recovery.
"E-mail without encryption is insecure, a postcard anyone can see," Chang said.

· Secure the user. Authentication is critical, but overly zealous security schemes may backfire, leading to Post-it notes with passwords stuck to monitors. No guest accounts, and no general user should have administrative rights as delivered in Windows XP.

· Auditing is important.
"How will you know something is wrong if there is no audit trail?" Chang said.