You're not alone in facing this problem. User behavior is still one of the most serious security threats, especially to the medical community. Even with good antivirus software that should identify infected e-mails, many users will ignore the warnings. A firewall on every computer could help too, at least to minimize infection by Trojan horse programs and block any communication between the creator of the code and computer it has infected. Personal firewalls like ZoneAlarm and Tiny are affordable and very effective. Assuming that you have proper antivirus software in place on every computer that's used for the hospital (inside and out) and regularly update your antivirus definitions (the maker of the antivirus software should offer this service), then the next challenge is changing behavior. The best way to change user behavior is to show users the drastic consequences of ignoring the rules: Consequences for the hospital The virus community has often talked about smart viruses and other code that can be targeted at hospitals and which are capable of wiping out patient medial records and critical research data. Other malicious programs can be designed to seek out and interfere with hospital equipment, perhaps even switching off life-support systems. Imagine the consequences to the patients, hospital and staff if such an incident occurred, one which could have been prevented by a little more care. The creator of the virus may not have deliberately targeted the hospital. Or the virus author may be a previous patient with a grudge, or simply a malcontent looking for publicity. Consequences for staff Employers and courts have become far less tolerant of risky behavior by employees, and the excuse of "I didn't know" is no longer a safe defense. Staff who are careless about the way they deal with e-mail in such a sensitive environment, and who have already been warned, may face the risk of discipline, dismissal, a civil action and perhaps even criminal charges, if their negligent behavior harms a patient. Staff with dangerous biological infections, such as Hepatitis C, understand the basic precautions they must take to minimize the risk of blood contact with patients. The same common sense must apply to computer viruses. They threaten patients, the hospital's reputation and job security. Avoiding the risk is not hard. Technology only goes so far and can always be circumvented by users. A user must see a computer virus as seriously as they view HIV and must understand that e-mail is the biggest carrier of computer viruses, which can do as much harm to a patient as the most lethal biological virus.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Employee security education
Best Web Links: Security Policy & Infrastructure
Dig Deeper on Email and Messaging Threats-Information Security Threats
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.