Alas, those days are gone, and end-to-end security now requires complete control over everything, from the keyboard to the hard drives spinning in the data center. We can no longer depend on the kindness of strangers on the Internet. We can't even trust our friends and co-workers to keep us safe from technological malfeasance.
At Boston's Beth Israel Deaconess Medical Center and Harvard Medical School, over half our help desk calls are related to spyware, Trojan horses and keystroke loggers planted on desktops from infected Web sites. Wireless access points need to be secured with usernames and passwords for both employees and guests to prevent virus-infected laptops from launching denial-of-service attacks. Visiting faculty members who plug their laptops into the wired network could introduce maladies to other users. Employees who use home computers (beyond the control of our antivirus program) to access Web-based resources risk having their credentials intercepted by spyware.
In a hostile environment where 2 million spam messages are filtered every day and hackers attack every seven seconds, what are we to do?
We could thwart keystroke loggers by using hardware tokens with constantly changing PINs.
We could use 802.1x technologies to require credentials for every device, preventing unsanctioned network access by visiting faculty.
We could implement stateful inspection technologies such as Cisco Security Agent, which examines desktops for patches and antivirus software, based on central policies, before granting them an IP address on the network.
We could require registration of all Ethernet card MAC addresses before allowing wired or wireless connections to the network. (MAC addresses can be spoofed, so this is of only limited effectiveness.)
We could require an SSL VPN for all remote access, enabling us to have a single point of control and filtering for all Internet-based applications.
About the only way to defeat many attacks would be a throwback to 1970s serial terminals and mainframes -- unmodifiable thin-client devices connected to a Citrix application server. Each byte flowing would be centrally controlled, and the desktop would be locked down.
With all these measures, we might end up with a system so secure that no one could use it. The most secure library in the world is the one that never allows books to be checked out.
Imagine this scenario: A clinician needs critical data about a dying patient. The clinician fumbles with a hardware token and mistypes his eight-character, alphanumeric, mixed-case non-English password and token PIN three times and is locked out for five minutes. He grabs a wireless laptop and asks another clinician to authenticate because he's locked out. Seconds pass as the laptop uses EAP-FAST authentication and a supplicant checks for antivirus updates and patches. A new Microsoft patch is missing, and the clinician is denied access until it's downloaded and the machine is rebooted. Then the antivirus software scans to ensure that the modified desktop is uninfected. After five minutes, the clinician gets access to the needed data.
Although this example is a bit extreme, it does illustrate that security is a balance between complete protection and ease of use.
Security is one of my top priorities in 2006. I can no longer trust internal users or home access via the Internet. The balance needs to swing toward protection, away from ease of use. Alas, Blanche, we can no longer depend on the kindness of anyone.
-- John D. Halamka is CIO at CareGroup Health System, CIO and associate dean for educational technology at Harvard Medical School, chairman of the New England Health Electronic Data Interchange Network, CIO of the Harvard Clinical Research Institute and a practicing emergency physician. Contact him at jhalamka@caregroup.harvard.edu.