Security Basics mailing list archives

RE: PDA's/Blackberrys: risk to networks


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 20 Oct 2006 11:20:09 -0400

Chinnery, Paul wrote:
Some of our directors are bringing in PDA's like Palms and using them
to sync up with their email.  Since virus writers and malicious
hackers are targeting these devices, we are wondering what the
security impact is on networks. Can viruses be transmitted easily
between PDA and the network machine they connect to? Could a key
logger prg or other malicious prg be easily transferred?    
We're a small, rural hospital and although I keep pretty current on
security issues I haven't seen much on this forum or other security
related forums which is why I am asking the group for their opinions.
BTW, we're a W2K shop with W2K Pro and XP sp2 computers using
Exchange2K and SQL. 

Paul Chinnery
Network Administrator
Memorial Medical Center

In my opinion, any device not issued and controlled by the Network Admin
is a risk.  Especially in a Medical Center where HIPAA standards need to
be enforced, no one should be bringing in their own peripherals from
home.  Viruses (again, in my opinion) are the least of your worries.
Unencrypted patient data leaving the hospital on some Director's PDA is
the problem.  What happens if that Director loses his/her PDA?  Is that
data encrypted or secure?  If not, how can you protect your patients'
confidentiality?  The answer is simple, you cannot.  Therefore, if there
is an immediate need by these Directors to have access to email or
patient data at all times, then try making more options available using
secure methods.  If they absolutely need PDA's, issue them yourself and
make sure that the data is encrypted on the device at all times.  Make
the data available using VPN technologies.  From what I've read, SSL
VPN's have been a big hit within the medical arena.  If you can make
the data available to your users in a controllable and secure
environment, you will be able to avoid having to deal with people
bringing in their own devices.  Keep in mind that, in addition to making
the data available, you might want to lock down your environment a
little more to prevent any unauthorized devices on your network.  By
removing Admin or Power Users permissions you can effectively lock out
your users from installing applications and drivers often required by
PDA's.  If you need to lock down CDROMS, Floppy drives or USB you can
accomplish this easily using Group Policy.


Good Luck to you.



Kind Regards,


JMB


