And in this, just like in so many other ways, we're in the same
position as radiology:
http://www.e-health-insider.com/Features/articles.cfm?docID=65
Jonathan
On 14 Sep 2004, at 11:07, Jonathan Kay wrote:
>
> On 10 Aug 2004, at 11:57, Jonathan Kay wrote:
>
>> We have a vast number of computers used to control analysers, run
>> middleware etc. Many of these are PCs running Windows and are
>> therefore
>> vulnerable to viruses, trojans, worms etc. Increasingly these are
>> connected over LANs rather than serial lines.
>>
>> The key issues seem to be:
>> * Agreeing the responsibility for protection, patches etc between the
>> laboratory, the supplier and the local IT department.
>> * Not putting other software on these systems
>> * Not putting discs/ USB sticks etc into them without stringent
>> precautions
>> * Network issues, including firewalls
>>
>> How do others handle this?
>
> Here are the anonymised answers. I think the most useful things to do
> would be
> 1 Agree a Code of Conduct with suppliers
> 2 Continue to share experiences
>
> Jonathan
>
>
> ...............
>
> We are not allowed to put any software onto our PCs. Only our IT
> department
> with administrative rights can do this. It's very annoying at times,
> but we
> have avoided catching any major viruses etc. and as such, one can only
> support this policy.
> A similar comment re. USB sticks.
> Our network people are pretty hot on virus protection and firewalls.
> The major difficulty is the tripartite nature of the lab / IT / LIS
> supplier. It's rare to get all 3 around a table, and we find
> difficulty in
> ascertaining whose responsibility it is when we have problems. But
> that's a
> common scenario in most labs.
> We have only experienced one major problem with xxx in that last >5
> years.
> yyy made a (miniscule) change which brought us all to our knees (except
> BT which very sensibly is on a separate independent mini hub) without
> warning, as they thought that the change would not affect our day to
> day
> running. We filed an IR1, and have subsequently instituted a 3 way
> closed e
> mail group so that we can alert each other rapidly to forthcoming
> changes /
> work / updates etc. We hope in this way to be on the lookout for
> crashes,
> and perhaps more to the point, who to bollock when it all turns to mud
> (in a
> blame free culture, of course!)
>
>
> ............
>
> All these, exactly as you stated. As computers are all networked, all
> get virus protection via network. Network is well protected and most
> breaches appear to have been a breach of standing instructions.
>
> Unauthorised surfing is logged and certain staff have received
> warnings about their activities.
>
> I don't think we have had any instructions on USB sticks but they are
> similar to floppies.
>
> All dial in (for out-of-hours authorisation) is via a strong
> authentication server which can be a pain but does seem to be secure -
> there is muttering about VPN but we can't afford it yet and it means
> the home PC must be secure as well (instead of just running a terminal
> emulator).
>
> The one thing they haven't covered is trojans and nasties via the
> internet. They may be creamed by the firewall but I had a sudden
> increase in junk mail when I visited one site suggesting I have
> something on my disc. I can't use the cleaners (adaware, pestscan,
> spybot etc) as they require administrator rights that I don't have and
> the IT dept are run ragged as it is, without dealing in minor
> nuisances.
>
> Its a bit big-brotherish but it does seem to work.
>
>
>
> .................
>
> We have recently had a problem as you describe with our xxx Interface
> which succumbed to one of the Trojan worm viruses. The PC was supplied
> with Windows 2000 but automatic Windows update was turned off by
> default. It was also recommended that updates should be manually run
> so that the IM software was logged of and backed up before running the
> update. Unfortunately this detail had been overlooked and the
> networked machine was infected. We had previously used PGP interfaces
> that ran DOS software and has not encountered this problem before.
>
> We are presently replacing some equipment and I have found that the
> manufacturers have moved towards Windows 2000 or NT application
> software with networked interfacing. Previously most of our analysers
> tended to use specialised process control operating systems for
> running the machines even when they had a windows look-a-like screen
> presentation. I have asked if the manufacturers now offer any guidance
> for maintaining security but have yet to receive a reply. I am not
> aware that the suppliers preload any anti-virus software on the
> analyser PCs, or that they ensure that it is regularly updated.
>
> The problem is not only limited to the risk of infection by loading
> disks locally but by the overall issue of infection of any PC within
> the hospital, inside the firewall, or by staff connecting laptops to
> the network that may have been used elsewhere, both offer routes for
> malicious infection.
>
> Regards,
>
> .............
>
> With difficulty - In some cases we build subnets behind switches
> otherwise we insist on full virus protection. Where companies don't
> know
> how to deal with it we make them come back with viable solutions often
> involving buffer PCs to isolate off the systems which can't handle the
> protection. Most companies do not understand mixed multipurpose
> networks
> and assume the have full network access and bandwidth. They need to
> wise
> up and fast.
>
>
>
> ..................
>
>
> I would agree with Jonathan's suggestions and add the following:
>
> - try and avoid the Windows OS if possible: Unix is potentially much
> easier to secure and more stable
>
> - always install a secure subset of the OS, and get someone who really
> knows to help with this
>
> - as part of the above turn off all ports and services not specifically
> required for the control tasks
>
> - do NOT install software such as browsers unless required to prevent
> accidental contamination
>
> - remember the biggest risk may be from other computers on the local
> network getting infected and flooding the local network with
> broadcasts,
> and that their security or lack of it is outside your control (we speak
> from experience!)
>
> - to avoid this ensure your control systems are isolated from the rest
> of
> the hospital network by a local firewall: we have to implement this in
> Medical Physics to protect our linear accelerator control systems and
> the
> threat is very real
------ACB discussion List Information--------
This is an open discussion list for the academic and clinical
community working in clinical biochemistry.
Please note, archived messages are public and can be viewed
via the internet. Views expressed are those of the individual and
they are responsible for all message content.
ACB Web Site
http://www.acb.org.uk
List Archives
http://www.jiscmail.ac.uk/lists/ACB-CLIN-CHEM-GEN.html
List Instructions (How to leave etc.)
http://www.jiscmail.ac.uk/
|