Private Browsing and Password Vaults

The bulk of my time during the last two weeks has been spent working on computers infected with dangerous spyware. The spyware comes in various names and has different techniques for infecting your computer and for making your life miserable by stealing your identity (or at least your friend’s emails). I’ll get to some of the worst in the next several blog entries. Just a very loud shot out: get your computer and ALL programs up-to-date or you WILL be a victim. By ALL I mean all Adobe applications, all security applications, all browser applications, including their helpers, all office applications, all drivers, your BIOS, etc. If you need help contact me.

This entry lists two specific ways to protect your browser AFTER you have it up-to-date.

1. The “Private Browsing” (Firefox) or “InPrivate Browsing” (MS IE). This feature is available from the "Tools" sub-menu of either browser. When you use this feature, the browser won't keep any browser history, search history, download history, web form history, cookies, or temporary internet files. However, files you download and bookmarks you make will be kept. It is important to also remember to turn off "remember password." In Firefox, for example, control for this option will be found under Tools->Options, Advanced Tab. (However, install LASTPASS first, because during the installation it will load all your browser-stored passwords and then delete them. Read on...)
   
2. Remove ALL passwords from your browser's "memory." Do this by downloading the application LASTPASS. This application stores your passwords in an encrypted format, so the passwords are "safe" and you can access your passwords from any computer by entering one password to log on to LASTPASS. Once logged in, the application will fill in your passwords automatically, bypassing keystroke loggers. If you have to enter a new password, say because you visit a site you haven't been to before, then LASTPASS will give you the opportunity to save the password in its database. Instructions on using LASTPASS are here.
   

With respect to LASTPASS, I'm sure you will question whether or not LASTPASS is a safe place to save passwords; after all, this is someone else's program. You can go to their website and read up on it to help you make the decision.

If you don't want to use LASTPASS, another option is to use a spreadsheet (EXCEL). Be sure to put a password on the spreadsheet and to encrypt it. Instructions on doing that are available in EXCEL's help.

Quicken Sunset Tactics

I opened quicken this morning and got this message: 

I have 2007.  The message says all support, including what I use daily, the download of all accounts and investment positions and prices, will cease functioning April 30.  To me that is really rotten.  The program I have works just fine- I don’t need more function.  But now the company is taking away key function- from what I bought- to force me to purchase the new version. 

The “free” program is a willmaker, not of interest to me. 

You can do a search on line for coupons to lower the price.  Amazon offered 23% off and I had a $10 coupon to use on Amazon, so I bought the program there. 

More on the Adobe Reader Malware Issue

An announcement:

Adobe today released an out-of-band security update to patch a pair of gaping holes that expose hundreds of millions of computer users to remote code execution attacks. The vulnerabilities are rated “critical” and affect Adobe Reader and Adobe Acrobat on all platforms — Windows, Mac and Linux.

Note the last 3 words! This is not just an Windows issue.

If you want help uninstalling Adobe Reader and installing Foxit Reader, let me know.

Adobe PDF Files Are a Primary Source of Maleware

Lately we’ve had a rash of malware infections in the Cliffs communities.  Yesterday I got a PDF attachment in my email that seemed unusual.  It was from someone I didn’t know and it had a name that was a number followed by the .pdf extension.  I immediately deleted it.  This morning I got the following article through one of my subscriptions.  The net:  Beware of pdf files too.  Is nothing sacred?  And… I emailed the author and he said this was a problem with Adobe Reader itself.  So use Foxit Reader.  This app is also much faster than Adobe and an order of magnitude smaller.

The Article:

From Computerworld - Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, a security firm announced that by its counting, malicious Reader documents made up 80% of all exploits at the end of 2009.
According to ScanSafe of San Bruno, Calif., vulnerabilities in Adobe's Reader and Acrobat applications were the most frequently targeted of any software during 2009, with hackers' PDF exploits growing throughout the year.
In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter.
"PDF exploits are usually the first ones attempted by attackers," said Mary Landesman, a ScanSafe senior security researcher, referring to the multi-exploit hammering that hackers typically give visitors to malicious Web sites. "Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits."
Landesman, the author of ScanSafe's just-published annual threat report, said that attackers' preferences for PDF exploits were clearly demonstrated by the data. Exactly why hackers choose Adobe as their prime target is tougher to divine, however.
"Perhaps they are more successful," she said. "Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product.... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"
She also called out the popularity of Reader as a big reason why hackers have pinned a bull's-eye on Adobe. "There's the ubiquitous factor," Landesman said. "PDF use is huge."
Contributing to Adobe's problem is a major increase in vulnerabilities. Landesman's searches of the Common Vulnerabilities and Exposures (CVE) database showed a rapid climb in reported bugs harbored within Adobe's products. In 2009, 107 Abode vulnerabilities were logged into CVE, nearly double the 58 added in 2008 and almost triple the 35 reported in 2006. "There's obviously a lot of activity [by researchers] trying to flush out vulnerabilities from Adobe's software," Landesman said.
"All of these things kind of converge," she added. "I'm not trying to bash Adobe.... Attackers are like electricity, they always follow the path of least resistance. For them, it's 'Tag, you're it,' and Adobe is the one now."
Just as Adobe has done many times itself, Landesman recommended that users disable JavasScript in Reader and Acrobat and steer clear of the Reader browser plug-in.
Later today, Adobe plans to patch several critical vulnerabilities in Reader and Acrobat for Windows, Mac and Linux.
As Landesman intimated, Adobe struggled to keep up with hackers last year. In 2009, Adobe patched four PDF vulnerabilities only after they had already been exploited; 2010 hasn't started out much better, with one PDF zero-day already on the books.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

The Blue Screen of Death on Startup

A recent Microsoft update has been causing, on occasion, a blue screen of death when an XP or Vista computer is powered on. This is caused by a malware program already present on the compromised computer that is interacting with the update. For details on the status of the problem, see: http://blogs.zdnet.com/Bott/?p=1764&tag=nl.e589. Give me a call or email if you get a blue screen when you power on.

Update: Thursday, Feb 18. The following link provides more technical detail for those who are interested. http://blogs.zdnet.com/hardware/?p=7377&tag=nl.e589

At the bottom is a link to MS Support, which will give you help with this issue: https://consumersecuritysupport.microsoft.com Or call me.

Getting rid of those aggravating video ads

You browse to a web page and, before or after you arrive, you get one of those aggravating video-like commercials.  Not only is it intrusive, it wastes time and slows down your browser.   Aaaargh!   I found the following hint on my PCWorld feed.  It was written by Jared Newman of PCWorld:

“Here's a neat piece of Windows software called FlashMute. It installs to your system tray and can deny Flash access to your audio hardware. Just click the icon or hit Ctrl-Alt-M to switch it on and off. Note: Anti-virus programs tend to flare up when visiting FlashMute's download page. The developer says it's because FlashMute uses the same method of hooking into your browser as some types of AdWare, but it's only intercepting sound from Flash and other Web sources. Fair warning.”

Feb 2010: Many Malware Problems Occurring

I’ve encountered numerous computer problems that are being caused by virus and other bad (malware) programs. The sites from which they came, through an innocent visit or “drive-by”, or the emails that introduced them, through opening an infected attachment, have not been determined. In subsequent posts I will describe a number of them. If you are having a problem, please contact me. Specifically:

• If your computer suddenly begins to behave in unusual ways


• Especially a message pops up saying your computer is "infected" and you don't recognize the message, the colors, or there's something else suspicious.
  
• Your computer seems to be slow
  
• The browser behaves strangely, such as taking you to sites you did not expect.
  

How the US Government will change your Dr visit experience (by using IT)

[Begin My notes:

I’ve taken the following information from the web site “Healthcare IT News”. (The reason I don’t just link to the article is that the web sites can remove the article, so the link won’t work any more. If I copy it here, then I can avoid this.)

One of the primary problems associated with the adoption of EMRs (Electronic Medical Records) in the provider (Drs office) setting is that the ROI show nos payback in an acceptable time period. Though the conclusion might be legitimate, in most cases the conclusion is incorrect because the models used are too simple and include a number of unsubstantiated assumptions.

On the other hand, the government has just made the ROI calculation more difficult because it has changed regulations and is offering funding for the migration to an EMR. This will be both a carrot and stick approach that will result in most providers either completely eliminating support for Medicare or, frankly, retiring.

The following article describes criteria that providers must meet in order to receive funds from the federal government. It gives you an idea of the changes that WILL be made in your office visit experience in the next several years, if the changes haven’t already occurred. There’s a lot of jargon, as there is with anything related to the gov. Let me know if you need any translation, or google the term.[end My Notes]

Eligible Provider "Meaningful Use" Criteria

{by Jack Boudoin}

WASHINGTON – On Dec. 30, the Centers for Medicare and Medicaid Services issued a notice of proposed rulemaking that outlines provisions governing the Medicare and Medicaid EHR incentive programs, including a proposed definition for the central concept of “meaningful use” of EHR technology (see related story). In order for professionals and hospitals to be eligible to receive payments under the incentive programs, provided through the Recovery Act, they must be able to demonstrate meaningful use of a certified EHR system.

The following list of 25 Stage 1 Meaningful Use criteria for eligible providers was taken from the proposed rule: "Medicare and Medicaid Programs; Electronic Health Record Incentive Program." A second list, for eligible hospitals, is provided here. You can download the full 556-page document at http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf

[1] Objective: Use CPOE
Measure: CPOE is used for at least 80 percent of all orders

[2] Objective: Implement drug-drug, drug-allergy, drug- formulary checks
Measure: The EP has enabled this functionality

[3] Objective: Maintain an up-to-date problem list of current and active diagnoses based on ICD-9-CM or SNOMED CT®
Measure: At least 80 percent of all unique patients seen by the EP have at least one entry or an indication of none recorded as structured data.

[4] Objective: Generate and transmit permissible prescriptions electronically (eRx).
Measure: At least 75 percent of all permissible prescriptions written by the EP are transmitted electronically using certified EHR technology.

[5] Objective: Maintain active medication list.
Measure: At least 80 percent of all unique patients seen by the EP have at least one entry (or an indication of “none” if the patient is not currently prescribed any medication) recorded as structured data.

[6] Objective: Maintain active medication allergy list.
Measure: At least 80 percent of all unique patients seen by the EP have at least one entry (or an indication of “none” if the patient has no medication allergies) recorded as structured data.

[7] Objective: Record demographics.
Measure: At least 80 percent of all unique patients seen by the EP or admitted to the eligible hospital have demographics recorded as structured data

[8] Objective: Record and chart changes in vital signs.
Measure: For at least 80 percent of all unique patients age 2 and over seen by the EP, record blood pressure and BMI; additionally, plot growth chart for children age 2 to 20.

[9] Objective: Record smoking status for patients 13 years old or older
Measure: At least 80 percent of all unique patients 13 years old or older seen by the EP “smoking status” recorded

[10] Objective: Incorporate clinical lab-test results into EHR as structured data.
Measure: At least 50 percent of all clinical lab tests results ordered by the EP or by an authorized provider of the eligible hospital during the EHR reporting period whose results are in either in a positive/negative or numerical format are incorporated in certified EHR technology as structured data.

[11] Objective: Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
Measure: Generate at least one report listing patients of the EP with a specific condition.

[12] Objective: Report ambulatory quality measures to CMS or the States.
Measure: For 2011, an EP would provide the aggregate numerator and denominator through attestation as discussed in section II.A.3 of this proposed rule. For 2012, an EP would electronically submit the measures are discussed in section II.A.3. of this proposed rule.

[13] Objective: Send reminders to patients per patient preference for preventive/ follow-up care
Measure: Reminder sent to at least 50 percent of all unique patients seen by the EP that are 50 and over

[14] Objective: Implement five clinical decision support rules relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules
Measure: Implement five clinical decision support rules relevant to the clinical quality metrics the EP is responsible for as described further in section II.A.3.

[15] Objective: Check insurance eligibility electronically from public and private payers
Measure: Insurance eligibility checked electronically for at least 80 percent of all unique patients seen by the EP

[16] Objective: Submit claims electronically to public and private payers.
Measure: At least 80 percent of all claims filed electronically by the EP.

[17] Objective: Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, and allergies) upon request
Measure: At least 80 percent of all patients who request an electronic copy of their health information are provided it within 48 hours.

[18] Objective: Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies)
Measure: At least 10 percent of all unique patients seen by the EP are provided timely electronic access to their health information

[19] Objective: Provide clinical summaries to patients for each office visit.
Measure: Clinical summaries provided to patients for at least 80 percent of all office visits.

[20] Objective: Capability to exchange key clinical information (for example, problem list, medication list, allergies, and diagnostic test results), among providers of care and patient authorized entities electronically.
Measure: Performed at least one test of certified EHR technology's capacity to electronically exchange key clinical information.

[21] Objective: Perform medication reconciliation at relevant encounters and each transition of care.
Measure: Perform medication reconciliation for at least 80 percent of relevant encounters and transitions of care.

[22] Objective: Provide summary care record for each transition of care and referral.
Measure: Provide summary of care record for at least 80 percent of transitions of care and referrals.

[23] Objective: Capability to submit electronic data to immunization registries and actual submission where required and accepted.
Measure: Performed at least one test of certified EHR technology's capacity to submit electronic data to immunization registries.

[24] Objective: Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission according to applicable law and practice.
Measure: Performed at least one test of certified EHR technology's capacity to provide electronic syndromic surveillance data to public health agencies (unless none of the public health agencies to which an EP or eligible hospital submits such information have the capacity to receive the information electronically).

[25] Objective: Protect electronic health information maintained using certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) and implement security updates as necessary.

Healthcare record automation

Many of you have had the experience of visiting a doctor’s office where the nurses and doctors enter your financial and perhaps medical information in “real-time” on a computer.  I want to focus on the medical part:  called the “patient visit.”  The general term for the software is EMR, or Electronic Medical Record.  I have a number of years of experience in this area and want to make myself available to you to answer any questions you might have.   And you should have questions, because the government is going to make every doctor use this technology, one way or another.  I can give both the pros and cons to various things that are happening, so send me your questions.  In the meantime, I will use this blog to post some background information on the government effort and on the technology itself.