On Friday 30 November 2001 08:18, Heidi wrote: > As I have seen here on the list that some do not recommend that Outlook or > Outlook Express be used for e-mail due to security holes, I would > appreciate recommendations. This would be for people working on home > computers, who have medical information stored on their systems. These are > only connected to a network when they log in to transfer their work to the > network. When the work is transferred they log in using a VPN. Otherwise, > they are stand-alone PCs, which are used by some of the people for their > work, as well as personal internet use. Hotmail is being used on the > network end to send information to the home PCs. The concern here is when > these people are surfing the internet that the medical files would be > vulnerable to access, especially after reading the latest advisory sent > below, in relation to internet explorer and previous postings I have read > here on the list about not using Outlook. This system for these people is > fairly new and they are in the learning stages of file protection, VPN, > etc. > Also, does any one in the medical related industry know what the dates are > that we will have to be complaint using encryption on our files, and if > there will be training provided using the required encryption, etc. to meet > the compliance requirements for HIPA? . I have been asked by my employer > to relay any of this information regarding security issues back to them. > Thank you for any help in advance. Heidi > This is the latest advisory I make reference to: > > National Infrastructure Protection Center > "Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions" > Assessment 01-028 > 29 November 2001 > You can respond to me individually at mcps@private <mailto:mcps@private> . > Thank you, Heidi Henry Where do I start... There are so many things wrong here. First of all, Hotmail is VERY insecure. Anything going through hotmail should be encrypted. (PGP or GPG is highly recommended here.) Hotmail has been broken more times than I care to think about. Hushmail ios a better choice, if you can get them to switch. There are free versions of PGP available from http://www.pgp.com/. Gnu Privacy Guard is an Open Source version of PGP and can be obtained from http://www.gnupg.org/. As for the "home pcs". I assume these are Windows 9x boxes. There is no security there. (With tooks like BackOrifice/B2K and its varients, your system can be rooted and you would never know it.) Win 9x passwords are next to useless. (Just hit "cancel"!) WindowsNT/2k will give you a bit more security, but the little sprogs will probably not be able to play games on the machine any more. (Like that is a bad thing.) At least the account passwords work... Eudora is a safer e-mail client. (Not perfect, but it is much better than Outlook.) If they need the calendar functionality, get them to install Mandrake Linux and use Evolution for mail. As for the VPN... What *kind* of VPN? If it is PPTP from Microsoft, you need to replace it with something that is secure. (It has multiple vulnerabilities in version one. They "fixed" them in version two, but made it possible to default back to version one. Pretty sad...) What you described is an accident waiting to happen. It can be fixed, but it is going to require changing a number of bad habits, both from the people handing out the data and the people working with it at home.
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:19 PDT