MODEMS


Once the standard for Internet connectivity, modems have for the most part been replaced by high-speed network connections to the Internet at many hospitals and medical centers. However, in 2003 there are still many vendors, insurance companies and government agencies with old mainframe computer systems that require slow, sometimes very slow, modem connections to transmit patient billing information or to connect to a mainframe for direct data input.

Among the entities still requiring modem connections are Blue Cross/Blue Shield, Medicare, and insurance clearinghouses such as NEIC. It is very common for medical center staff to dial up to a mainframe at one of these providers each day and stay connected for most of the day while directly inputting data, as well as batch transmitting bills containing patient data on a daily basis.

The transmission of PHI over common-carrier phone lines, or even the direct data input of PHI, will have to cease when HIPAA Security regulations become effective. Modem connections to sources outside the medical center are a major security hole. Dial-up phone connections are not secure and cannot be easily monitored. They bypass network security, firewalls, content filtering programs, and other security measures. It is predicted that the final HIPAA Security regulations will see an end to the common use of modems for direct data input (DDI) and other data transmission.

However, there may be some need for temporary, emergency modem use. In situations where a network T1 or wireless Internet connection is down, emergency dial-up to an ISP could provide temporary connectivity for very important reasons, such as to transfer bank funds to a payroll account on payday. In such cases, a properly configured personal firewall such as ZoneAlarm or BlackICE Defender would be the perfect emergency security measure.

In order for a medical center to get a handle on the current use of modems, there are several things that can be done. The location of all modems must be identified. All modems not needed for an emergency situation such as previously mentioned should be disabled or removed from the PCs. In a large organization this could be a really big project. This project will also undoubtedly run into varying degrees of resistance with staff, some of whom will want to continue to use their modem for FAX transmissions, phone answering, or other uses. Just because there is a stand-alone FAX machine connected to a specific phone line, it doesn't mean that location can be considered safe. Someone working nearby with a modem-equipped PC could easily run a line splitter and dial out on the line.

In a telecom environment where the number and locations of modems and FAX machines are unknown, the technique of 'war-dialing' can be used against phone systems to find unsecured modems. A commercially available program such as Sandstorm's 'PhoneSweep' (http://www.sandstorm.net/) [14] is a telephone scanner that will dial every phone number in your organization and find computers running CarbonCopy, RAS, pcANYWHERE, and other remote-access programs. These programs, sitting on a modem that has its 'auto-answer' feature turned on, are ripe for unauthorized war dialers to connect to and attempt access. Any modem in use should have its auto-answer feature disabled as a power-on default to prevent unauthorized access.
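An added example (not from the book): a Python check of the auto-answer setting in a modem's settings dump, covering the stored power-on profile as well as the active one. It assumes a Hayes-compatible modem, where register S0 holds the ring count for auto-answer and 0 disables it, and an AT&V-style dump laid out like the constructed sample; real layouts vary by modem.

```python
import re

# Constructed sample of an AT&V-style settings dump (layout is an assumption).
# The active profile looks safe, but the stored profile re-enables auto-answer
# at the next power-on.
SAMPLE_DUMP = """\
ACTIVE PROFILE:
E1 L1 M1 Q0 V1 X4 &C1 &D2 &S0
S00:000 S01:000 S02:043 S06:002 S07:050

STORED PROFILE 0:
E1 L1 M1 Q0 V1 X4 &C1 &D2 &S0
S00:002 S01:000 S02:043 S06:002 S07:050
"""

HEADER = re.compile(r"^\s*((?:ACTIVE|STORED) PROFILE(?: \d+)?):?\s*$", re.I)
# Match S-registers such as "S00:000" or "S0=0", but not the "&S0" command.
SREG = re.compile(r"(?<![&\w])S(\d{1,3})[:=](\d{1,3})\b")


def parse_profiles(dump):
    """Return {profile name: {register number: value}} for each profile."""
    profiles, current = {}, None
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1).upper()
            profiles[current] = {}
        elif current is not None:
            for reg, val in SREG.findall(line):
                profiles[current][int(reg)] = int(val)
    return profiles


def audit_auto_answer(dump):
    """List (profile, problem) pairs where auto-answer is on or unknown."""
    findings = []
    for name, regs in parse_profiles(dump).items():
        if 0 not in regs:
            findings.append((name, "S0 not reported; verify manually"))
        elif regs[0] != 0:
            findings.append((name, f"auto-answer ON after {regs[0]} ring(s)"))
    return findings


if __name__ == "__main__":
    for profile, problem in audit_auto_answer(SAMPLE_DUMP):
        print(f"{profile}: {problem}")
```

On Hayes-compatible modems the usual fix is ATS0=0 followed by AT&W, which saves the setting to the stored profile so it survives a power cycle.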

Other tried and true war dialers such as 'ToneLoc' provide a similar service, but without the cost. These same types of programs are used by phone 'Phreakers' who run war dialing programs in an attempt to identify modem lines that can lead to unauthorized access into a computer or network. It is better to run these programs as a defense to identify unsecured modems before Phreakers do.

Many newer telephone systems include a digital phone 'switch', which is really a computer that controls the telecom hardware and has a software interface on a PC that allows a PBX administrator to set up and control the phone system. In many of these types of systems there are specific digital and analog phone ports or lines in use, all of which had to be identified and designated properly when the phone system was installed and set up. In this type of environment, the administrator knows exactly where the analog phone lines are, which can cut the time needed to identify unsecured modems. Controlling who has access to analog lines can prevent unauthorized use of modems. This type of phone switch also allows an administrator to turn off an analog port at any moment, in case an intrusion is suspected.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
