By Joshua Benton
A crippling virus swept across the University of Texas M.D. Anderson Cancer Center in Houston last month, disabling all it touched and stopping doctors from treating some patients.
It wasn’t the sort of virus that could be stopped by surgical masks and drugs. Rather, it was the Sasser worm, a computer virus that infected more than a quarter-million computers worldwide – including a third of M.D. Anderson’s systems.
A new report from the state auditor’s office says the cancer center’s vulnerability to electronic attack isn’t unusual.
In a study of some Texas research institutions, including the University of Texas Southwestern Medical Center at Dallas, auditors found significant security holes in the systems used to gather, analyze and store research data.
The vulnerabilities include many of the same security flaws found in private businesses or homes. Anti-virus software isn’t always updated. Passwords are sometimes easy to guess. Backups aren’t made often enough.
But the unique nature of academic research creates a unique set of problems, said the audit’s manager, Ron Franke. Corporate research is often done in a locked-down, tightly secured environment. “The academic environment tends to be much more open,” Mr. Franke said. “Not only is sharing information OK, it’s encouraged. That openness brings its own set of challenges.”
The biggest challenges tend to be in the most decentralized areas of an institution’s research operations, he said. The more that security is left in the hands of individual researchers or departments, the more at risk they may be.
Among the solutions cited in the report:
* Standardized security plans for researchers and better data security training.
* Better network security, particularly on easier-to-access wireless networks.
* Improved security standards at the user level, including more rigorous use of security patches.
* Better backup plans, with backups stored at an off-site location.
Mr. Franke said the study found no evidence the state’s research labs were being specifically targeted for invasive data attacks. But, he said, universities had historically been attractive targets for hackers because they host massive computing resources. Once compromised, those resources can be used to launch further attacks.
The report, released Wednesday, makes no estimates on how much it would cost to bring security standards up to an acceptable level. But, Mr. Franke said, the institutions studied have already begun to make changes in response to the audit’s findings.
UT Southwestern would not allow any of its security personnel to discuss the report with the media. But spokesman Philip Schoch, in a prepared statement, said medical center officials had “corrected many of the problems identified … and are vigorously addressing those issues remaining.”
Research is big business for Texas institutions. The three that were the primary focus of the study – UT Southwestern, UT-Austin, and the UT Health Science Center at San Antonio – received more than $774 million in research funding in fiscal 2003.
Texas researchers have suffered through a number of high-profile data losses in recent years. Perhaps the most notable came with Tropical Storm Allison in 2001, which flooded large parts of Houston. Along with the loss of thousands of research animals and tissue samples, scientists at the Baylor College of Medicine and the UT Health Science Center at Houston lost 10 years of data on spinal cord injuries.