Improvement of the Information Security Situation at Al Nahda Hospital - Case Study Example

Summary
The paper "Improvement of the Information Security Situation at Al Nahda Hospital " recommends the information security team should ensure that passwords are strong and changed frequently. The use of backup systems should ensure its information system has mechanisms for the prevention of data loss…

Extract of sample "Improvement of the Information Security Situation at Al Nahda Hospital"

INFORMATION SECURITY AT AL NAHDA HOSPITAL
Word count: 3316

Table of Contents
Executive Summary
Introduction
1.0: Main Categories of Information Assets that may be at Risk and have to be protected
2: Actual and Potential Threats to and Vulnerabilities of the Organization's Information Assets
3: Security Plan with Counter Measures to Manage Threats and Vulnerabilities of the Information System
4: Comprehensive Information Security Education and Awareness Program for Use by Management, Staff and Contractors
5: Social, Legal, and Ethical Issues/Constraints
6: Recommendations for the Improvement of the Information Security Situation

Executive Summary

Information has become extremely important in today's business. This has led to the need to secure information properly, because it is a vital asset to any organization. In the health sector, hospitals require information for various purposes. In addition, the high level of connectivity made possible by the internet has led to new concerns over information security, because internet users are potential customers and suppliers, and potential threats as well. If information stored on the hospital premises is tampered with, serious adverse effects may result, because so many people depend on this information. It is the responsibility of management to liaise with other departments to protect an organization's information assets.

This report analyses and evaluates information security at Al Nahda Hospital. It describes the main categories of information assets that may be at risk and have to be protected, and appraises the actual and potential threats to and vulnerabilities of Al Nahda Hospital's information assets. The report then formulates a security plan that describes countermeasures to manage, from a risk management perspective, the threats that put Al Nahda Hospital's information assets at risk. A comprehensive information security education and awareness program for use by management, staff and contractors of Al Nahda Hospital is also provided. The report also explores the social, legal and ethical issues or constraints that may be associated with implementing the comprehensive information security plan at Al Nahda Hospital. Finally, the report recommends valid actions that can be taken to improve the information security situation of Al Nahda Hospital.

Introduction

Al Nahda Hospital is a government hospital located in Oman. The hospital runs a client-server application called "Health Information Management System (HIMS)" on a local network. It also has applications developed with Oracle Database, Forms and Reports. Al Nahda Hospital's medical staff can access and use the system from the local network using desktops and personal computers, or laptops with WiFi during ward rounds. The system is also connected to the headquarters via an MPLS line. Users have access to both the operating system username and password and the database username and password. After a careful assessment of the information security situation, a security plan for the protection of the information holdings of Al Nahda Hospital is required. The security plan will ensure that security personnel oversee the protection of information from deliberate and accidental threats to the hospital, so as to improve Al Nahda Hospital's information security.

1.0: Main Categories of Information Assets that may be at Risk and have to be protected

Al Nahda Hospital's information assets may be at risk as far as their information status is concerned. These assets may be categorized into information assets, software, hardware, systems and people.

1.1: Information Assets

Information assets of Al Nahda Hospital that may be at risk and need to be protected include documented information. Documented information comprises both printed or written information and electronic information stored on the hospital's servers, website, extranets and intranets. Electronic information can be stored on laptops, personal computers, cell phones, CD-ROMs and USB sticks, among other devices. The information that may be threatened includes training materials and research information (Calder, 2006, p. 49). Patients' test results and scan results are also vulnerable, and the security of this information needs to be ensured. This information is at risk because the databases, developed using Oracle Database, Forms and Reports, may be accessed by the hospital's medical staff from the local network using their desktops, personal computers and WiFi laptops during ward rounds. If outsiders with malicious intent gain access to Al Nahda Hospital's information system through the hospital's staff members, they might tamper with the stored information.

1.2: Software Assets

Public software. The hospital's public software assets that are at risk include:
- Networking software
- Client-server application (HIMS, Health Information Management System)

Private software. The hospital's private software assets that may be facing threats include:
- Custom applications
- Office applications (Alberts & Dorofee, 2004), which are used by the hospital to process, store and transmit information

Confidential assets. The hospital's confidential software assets that may be facing threats include:
- Database systems that store confidential client information such as patient records, scan results and test results

1.3: Hardware Assets

Al Nahda Hospital's hardware assets include the physical information technology devices within the hospital. These include workstations and servers (Alberts & Dorofee, 2004, p. 88). For instance, Al Nahda Hospital runs the client-server application "Health Information Management System (HIMS)" on a local network. This information system is operated through the hospital's physical components such as desktops, personal computers, mobile phones and laptops. These physical devices need to be secured, because if the functionality of any of them is interfered with, hospital operations will be affected adversely. The hospital's servers may be at risk, as explained below.

- Main server: the hospital's main server, which responds to requests made by system users
- Backup server: Al Nahda Hospital's server that backs up and restores files and databases to prevent data loss may also be at risk
- Antivirus server: the hospital's server which protects the hospital's stored files and other servers from viruses may be facing threats
- OPG server: Al Nahda Hospital's server which stores and transmits information on X-ray and dental scans may also be at risk
- MRD server: Al Nahda Hospital's server responsible for the storage and transmission of patient files between computers may be at risk
- Mail server: the hospital's mail server, through which the emails of the hospital system's users pass, may be at risk

1.4: People

People are a very important asset in an organization. In the case of Al Nahda Hospital, the people who are important for the hospital's operations include management members, doctors and other medical staff, clients and suppliers. There is an information security threat associated with people because some of them, such as medical staff members, possess valuable skills, training, knowledge and experience (Alberts, Behrens, & Wilson, 2007, p. 3). In addition, some people are charged with trusted roles within the hospital that require accountability. Also, outsiders and other people who have access to the hospital's information assets through web-based applications can be a threat, as much as they are a valuable asset.

1.5: Systems

Al Nahda Hospital's systems are a valuable asset of the hospital which may be at risk and may require security protection. The hospital's information systems process and store information. Information systems are a combination of information, hardware, assets, hosts, clients and servers. For instance, Al Nahda Hospital runs the client-server application "Health Information Management System (HIMS)" on a local network. This information management system requires protection from security threats.

2: Actual and Potential Threats to and Vulnerabilities of the Organization's Information Assets

The information assets of Al Nahda Hospital face various potential threats and vulnerabilities.

Threats
- Cyber attack
- Loss of confidentiality
- DoS (denial of service) attacks

Vulnerabilities
- Virus attack
- Hacking
- Privileged access
- Intellectual property theft

Consequences

A cyber attack is likely to hamper clinical operations, hospital communications, records and other functions of the hospital if it is affected by malware. Malicious attackers may compromise the hospital's information system, rendering communication between one hospital computer and another futile. Such a cyber attack can disrupt the hospital's capability to address patient issues (Snair, 2013). In addition, malware can infect or disable configured or network-connected medical devices within the hospital. The hospital can suffer losses of confidentiality, where there can be theft or loss of patient information. Networked patient data and personal medical devices are at high risk. This may lead to a loss of trust among patients and practitioners in the hospital's information system due to the perception of inadequate security (Snair, 2013). A cyber attack can disrupt the process of health care when there are software outages, because the hospital's access to health records is limited. Insurance and payment utility systems can also be damaged, and thus prevent people from accessing compulsory medical care (Snair, 2013). The hospital may suffer financial, moral and emotional damage.

People may have access to the system, and this may lead to misuse of the system if such people decide to tamper with the information system. There can be theft of crucial hospital information such as transaction information and patient information. Attackers may compromise the information system of Al Nahda Hospital through denial of service (DoS) attacks, which will deny the rightful users of the system access to the information system. This can result in limitations in the provision of appropriate and adequate patient care.

Likelihood of occurrence

Malicious attackers may hack into the system and change the stored information. For instance, former employees who still have access to both the operating system username and password and the database username and password may decide to manipulate the information system for their own purposes. Alternatively, current and former employees may leak information about access to the information system to outsiders, who can in turn manipulate the system for their own purposes. Insider threats arise from dissatisfied employees and former employees who are experienced in the information system's operations because they have used the same hardware or software before (Glantz & Landine, 2013, p. 11).

3: Security Plan with Counter Measures to Manage Threats and Vulnerabilities of the Information System

Given the aforementioned threats and vulnerabilities of the information system and information assets of Al Nahda Hospital, there is a need for a practicable security plan that will counter and manage the threats and vulnerabilities. The security plan should ensure that the hospital's information system is protected from malware and is functional all the time. The plan should also ensure that there are backups that enable recovery of information in case of any losses.

The first component of this security plan is authentication mechanisms. Al Nahda Hospital's information system should therefore be designed in a way that enhances user authentication mechanisms. To achieve this goal, the information system should have user authentication measures where users must use a strong password together with a username to log into the system. Password protection should be strengthened by avoiding hard-coded passwords. The public should be prevented from accessing the passwords that are used for technical device access (FDA, 2013). There should be active security protection while the hospital's devices are in use. This will involve the deployment of routine and validated security patches. There should be a method of restricting software updates to authenticated code.

In addition to the aforementioned countermeasures, there should be a backup approach installed on the information assets so that the information devices can keep their critical functions running, including when the security of the information system has been compromised. There should also be data recovery mechanisms so that it is possible to recover lost data after cyber security incidents (FDA, 2013). This will ensure efficient restoration and recovery. Al Nahda Hospital should restrict access to configured or networked medical devices so that only authorized access is allowed. Data confidentiality within Al Nahda Hospital should be ensured. This can be done by ensuring that there is data origin authentication and integrity.

To counter and manage threats and vulnerabilities of the information system of Al Nahda Hospital, web application security should be ensured. This is because an intruder may compromise the hospital's system at the application level and tamper with its capabilities, including querying the back-end database and accessing proprietary information (Vacca, 2013, p. 399). Web application firewalls should be installed to protect the hospital's network from malware. The hospital's information system should also be protected by intrusion prevention systems. The firewalls and anti-malware devices should be updated frequently. The same applies to security patches, which should be evaluated and updated periodically. The security team should disable unnecessary ports and services to reduce vulnerabilities.

Al Nahda Hospital's security team should ensure that information security roles and responsibilities have been defined and are shared by all members of the hospital. This will reduce instances of privileged access, which increases the vulnerability of the information system to security threats. Another element of the security plan is compliance, whereby network and system administrators should identify and repair any identified vulnerabilities. This should be done promptly and correctly. Vulnerability assessment will locate exposures within information assets so that the identified vulnerabilities can be repaired before the weaknesses are exploited (Whitman & Mattord, 2010, p. 168).

4: Comprehensive Information Security Education and Awareness Program for Use by Management, Staff and Contractors

The comprehensive information security education and awareness program for use by management, staff and contractors of Al Nahda Hospital aims at disseminating the security information which staff members and managers need in order to do their jobs. The following considerations will be taken into account.

- Training of managers, staff members and contractors of Al Nahda Hospital as a countermeasure
- Provision of information and tools to employees that will enable them to protect the hospital's vital information resources (Vacca, 2013)
- A course for management members, staff members and contractors, with information security training as the main component
- Information security experts will be hired to train all the users of Al Nahda Hospital's Health Information Management System (HIMS)
- Training for newly hired employees so as to orient them
- The course will also entail training on responsibility, so that system users will be accountable for their actions while using the hospital's information system
- Refresher courses, where information system users who have already undergone training can remind themselves of forgotten concepts
- Training on privacy, where users are trained on how to safeguard private and confidential information such as passwords and usernames
- Frequent and continuous campaigns targeting employees and contractor personnel, as well as management members of Al Nahda Hospital
- During these campaigns, which will be conducted by information security experts, newsletters will be distributed to every hospital staff member and contractor staff member
- A newsletter with a form that has reinforcement testing questions will be offered during these campaigns
- The form will be used as a questionnaire to test the impact of the awareness and education program, because every member will be required to fill in the form and return it for analysis
- The information security education and awareness program will also involve games for members, and prizes will be offered, because handouts and events are among the factors that can raise staff awareness of security issues (Colling & York, 2009, p. 394)
- There will be quarterly awareness days, held every three months, seeking to ensure that responsibility and privacy are observed while using the hospital's information system
- During these awareness days, security experts will be required to teach hospital management members, hospital staff members and contractors about security awareness
- A tip will be posted to every member's email address on a weekly basis. This tip will act as a reminder that keeps the members updated on how to ensure the security of the organization's information assets and information system (Secure State LLC, 2013), because security awareness is not a one-time thing but an educational experience which entails a continuing program of communication between the educator and the employee (Roper, Grau, & Fischer, 2006, p. 90)

The program aims at producing behavioral change so as to address vulnerabilities and threats.

5: Social, Legal, and Ethical Issues/Constraints

Implementation of information security at Al Nahda Hospital faces various ethical, social and legal issues, which might constrain the program. For instance, maintaining the privacy and confidentiality of information about people is an ethical principle. In healthcare settings such as the Al Nahda Hospital case, healthcare practitioners may have knowledge of private information about their patients which the patients may not wish other people to access. However, in implementing and installing backups for stored information, information security experts may access patient information, which is an ethical challenge to the implementation of information security. This is because privacy is characterized by the absence of any form of intrusion. Secondly, data has to be aggregated from multiple sources to create information. This means that in creating information which can be secured, security experts will access information from various sources and departments within the hospital, which is against the rule of privacy of information. Therefore, in implementing information security for the hospital, there will be challenges of breaching the privacy of patient or client information, as well as information rights and obligations.

On the other hand, it is a requirement to respect property rights and to observe accountability and control. The quality of life and of the system also has to be ensured. This means the security team personnel at Al Nahda Hospital have to limit access to the information system for some people, especially unauthorized users. This implies that not all members of the public will be able to access the information system of Al Nahda Hospital, for information security purposes. However, the government requires that all information systems, whether developed or purchased, be made accessible to the public. Therefore, Al Nahda Hospital's information security team will face legal challenges in securing the hospital's information by restricting access.

6: Recommendations for the Improvement of the Information Security Situation

It has been established from the analysis that the risk to information security in hospitals has risen because hospitals have adopted the use of computers, most of which are networked. For instance, Al Nahda Hospital runs a client-server application on a local network. The hospital's staff access and use the system from the local network using various devices such as desktops, personal computers and laptops with WiFi during ward rounds. The hospital is connected to the headquarters via an MPLS line, and users have access to both the operating system username and password and the database username and password. This situation puts the information system of Al Nahda Hospital at risk, because if people with malicious intentions access the system they can cause serious damage. For instance, in separate cases, hospitals' scan test results, blood types and inpatient records have been changed through illegal access to the hospital's information system.

There is a need for the protection of electronic health information at Al Nahda Hospital. This report recommends that the hospital adopt an approach that identifies risks to health information, prioritizes them and takes appropriate steps to manage them. According to Hopkinson (2011, p. 127), risks should be identified before they are prioritized.

Software

There should be malware defense mechanisms. Software and programs should be installed to safeguard the hospital's information system from threats and vulnerabilities. For instance, the hospital can use Bitdefender as malware prevention software. This program should be updated continuously, upon frequent evaluation of the information system. In addition, this anti-malware software should be capable of detecting and removing malware.

Procedures

The hospital should ensure that only strong passwords are used, all the time. Secondly, the information security team should ensure that passwords are changed frequently, especially after employees have been fired or dismissed. The use of backup systems at Al Nahda Hospital should ensure that its information system has mechanisms for the prevention of data loss, even when incidents occur. There should also be frequent account monitoring and control to ensure the security of Al Nahda Hospital's information system. Administrative privileges to access the information system should be restricted by the hospital's information security team by use of stronger password verification software, which should also be capable of controlling access to the system. The information system security team should ensure that it only allows authorized applications to run (Glantz & Landine, 2013). Finally, there should be multiple security controls on the hospital's information system. With these procedures, the majority of the threats will be fixed.
Some of the threats associated with former employees leaking information about passwords and the hospital's information system may not be fully fixed. Therefore, a mechanism for addressing this threat should be found by the information security team.

References

Alberts, C. J., & Dorofee, A. J., 2004. Managing Information Security Risks: The OCTAVE Approach. Boston: Addison-Wesley.
Alberts, C. J., Behrens, S. G., & Wilson, W. R., 2007. Managing Information Privacy & Security in Healthcare. Healthcare Information and Management Systems Society, pp. 1-16.
Calder, A., 2006. Implementing Information Security Based on ISO 27001/ISO 17799: A Management Guide. Zaltbommel: Van Haren.
Colling, R., & York, T. W., 2009. Hospital and Healthcare Security. Burlington: Elsevier.
FDA, 2013, June 13. FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks. Retrieved from http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm
Glantz, C., & Landine, G., 2013. Protecting Organisations from Cyber Attack. Retrieved from http://conferences.wsu.edu/forms/emergencyprep/presentations12/E5_Cliff%20Glants.pdf
Hopkinson, M., 2011. The Project Risk Maturity Model: Measuring and Improving Risk Management Capability. Burlington: Gower.
Roper, C. A., Grau, J. J., & Fischer, L. F., 2006. Security Education, Awareness, and Training: From Theory to Practice. Burlington: Elsevier Butterworth-Heinemann.
Secure State LLC, 2013. Security Education and Awareness Training. Retrieved from http://www.securestate.com/Federal/Productized/Pages/Security-Education-and-Awareness-Training.aspx
Snair, J., 2013, October 24. Risks of Cyber Attacks on the Healthcare Sector Leave Public Health of Communities Vulnerable. Retrieved from http://nacchopreparedness.org/?p=426
Vacca, J. R., 2013. Computer and Information Security Handbook. Amsterdam: Morgan Kaufmann.
Whitman, M. E., & Mattord, H. J., 2010. Management of Information Security. Boston: Cengage Learning.
Information Security at Al Nahda Hospital Essay. Retrieved from https://studentshare.org/information-technology/1498388-information-security-at-al-nahda-hospital
