
Identity Theft and Networking Security - Term Paper Example

Summary
This term paper "Identity Theft and Networking Security" evaluates several case studies where information security in the health sector has been breached. It also discusses network security and Health Information governance…

Extract of sample "Identity Theft and Networking Security"

Identity theft and Networking security

Table of Contents
Introduction
Section 1
Background
Section 2: Strengths and Weaknesses of the Approach adopted
Section 3: Existing Theory and Standards
Network security
Identity theft
Cryptography
Digital Signatures
Health Information Governance
Section 4: Future Approach
Conclusion
References

Introduction

More people are using networks for banking, filing tax returns, and e-commerce that require that any sensitive messages are secured during transit. The health sector greatly depends on electronic health records to record personal health data for different patients and even the medical diagnosis and prescriptions given. Such systems rely on network connections to connect to databases that hold the sensitive information. Networks also provide a channel for physicians to access remote computers. However, remote computers may be used by malicious people to connect to computers having personal health records which they may not be authorized to use. This step may breach the authenticity, integrity and confidentiality of the information stored in the electronic health records.

The health sector handles sensitive health records that require adequate protection to earn public trust. In the recent past, there have been increased incidences of breach of security for health information systems. Some are related to cases of stolen identity, outright negligence or poor network security initiatives. This discussion evaluates several case studies where information security in the health sector has been breached. It also discusses network security and Health Information governance.

Section 1

Background

In one case, East Surrey Hospital lost critical confidential information on an unencrypted memory stick in 2010 (BBC, 2011). The storage device had confidential information concerning 800 patients. Any attempts to get information that would have helped to recover the storage device proved futile. The situation sent panic across the NHS, which runs the East Surrey Hospital, and even invited regulatory warnings from the Information Communication Office indicating possible reprisals in case of repeat action.

In another case, nine other NHS trusts lost patient data in the process of a data security review conducted on all government departments (BBC, 2007). Critical information on child benefit claims had been lost, though the government moved to reassure people that they had not seen any evidence that the data had been accessed by malicious persons. Data for the addresses and names of 160000 children was missing after City and Hackney Primary Care lost a disc. The Gloucester Partnership Foundation Trust also lost records dating back 40 years. The remaining trusts affected include Bolton Royal Hospital, Sefton Merseyside PCT, Norfolk and Norwich, Sutton and Merton PC and Mid-Essex Care Trust.

Section 2: Strengths and Weaknesses of the Approach adopted

In the case of East Surrey Hospital, the incident was first reported by the NHS trust in their annual report, and it indicated that part of its information security policy was that hospital staff should use encrypted storage devices to transfer patient data. This provision was violated, prompting the trust to take steps to avail only encrypted memory sticks for use. Among the immediate steps that the NHS trust took was to inform the Information Communication Office in order to be informed on the best action to take. Notably, the Information Communication Office took issue with the fact that the hospital staff failed to follow the trust’s policy of using encrypted storage devices.
The trust reported that it had reprimanded the staff member involved in the act and proceeded to train him.

In the case involving the loss of data by nine NHS trusts, the reactions reported by the Department of Health included addressing the issue locally by instituting investigations on where and how the data protection laws were breached. The incident exposed the government as having less secure data management. It seems that the centralised systems of data management used by the government required some backup mechanism. The consequences of the incident would include reluctance by patients to divulge information to doctors, due to lost trust. According to the chief executive of NHS trust, the data handling approaches adopted by the NHS managers could be the cause of the rampant loss of critical patient data. Perhaps these could be addressed by imposing strict procedures and guidelines to prevent and address the data security breaches.

Section 3: Existing Theory and Standards

Network security

The increased ubiquity of computers has linked up many people through computer networks, prompting the need to secure the resources under an administrative unit’s control and only allow restricted access to authorized persons. This would help to protect computing resources from damage, theft or alteration over the network. There are varied threats that a computer host may be exposed to due to its connection to a network. A cracker may randomly test a computer security system to steal data. Alternatively, a person may steal the credit numbers of varied people and sell them for personal gain.

Network attacks may be executed as either passive or active attacks. Active attacks are characterized by attempts to bypass or break through a secured computer system. Such attacks may be accomplished by sending viruses, Trojan horses, and worms to a remote host using a network channel.
Some examples of active network attacks include man-in-the-middle attacks, denial-of-service attacks, brute force attacks, botnet attacks, browser attacks, SSL attacks, smurf attacks, and ping flooding (William & Stallings, 2006). A passive attack is more about the monitoring of any sensitive communication being sent over a network without proper encryption. For instance, clear-text passwords may be sniffed during their transmission over a network. Types of passive network attacks include wiretapping, port scanning, and idle scanning.

Network security measures may be categorized under four broad categories. These are integrity reinforcement, authentication, non-repudiation, and confidentiality.

Identity theft

This involves the use of stolen access credentials to access an otherwise secure information system. In this case, an individual who is unauthorised to access the system or possesses lower access levels may get the login details of a super user and then proceed to gain access to his account in the information system (McClure, Scambray, Kurtz & Kurtz, 2009). They may then make transactions perceived by the other users and resources in the system as valid. For example, they may alter the data related to health insurance claims, or disease diagnosis in order to suit their whims. Identity theft can be prevented by changing access credentials frequently enough, using secure password levels, and providing physical protection for critical computers and storage devices.

Cryptography

This is a security mechanism that uses ciphers to distort the message under transit such that when an unauthorized party taps it along the way, he or she would not make any meaning from it. Ciphers are transformations that change the bits or characters of a message to hide it. Ciphers do not consider the semantics or syntax of the message being sent (Forouzan, 2007). The plaintext is transformed using a private key to create a ciphertext that is to be conveyed over the network.
When the receiver gets it, he or she would decrypt it using the public key. Varied types of ciphers include transposition ciphers and substitution ciphers. There is a need to create redundancy in cryptography. It is also important to devise measures to counter any replay attacks. Some known cryptographic algorithms include the Advanced Encryption Standard, the Data Encryption Standard and Rijndael, and RSA.

Digital Signatures

These are electronic security schemes meant to achieve the following: allow the recipient of the message to establish the veracity of the claimed identity of the sender; ensure non-repudiation from the side of the sender; and ensure non-alteration of the message by the receiver. The various types of digital signatures include symmetric-key signatures and public key signatures.

Digital signatures can be created by using one centralized and trusted authority. Every other user then holds a secret key (Forouzan, 2007). In a symmetric-key signature, suppose Alice needs to communicate with Bob, she would share a private/public combination with the central authority. Bob will also do the same. Therefore, Bob will not know the keys used by Alice. Alice sends an initial message KA(B, RA, t, P), with B as the identity of Bob, RA as some random number suggested by Alice, t as the timestamp for this specific message, P as the plaintext message and KA(B, RA, t, P) as the encrypted message using Alice’s key. The message is sent to a central authority, CA. CA would decrypt the message from Alice and send the message to Bob as KB(A, RA, t, P, KCA(A, t, P)). This overall message to Bob has a signed message portion KCA(A, t, P) and a plaintext portion containing Alice’s original message. CA encrypts all these using Bob’s public key.

Health Information Governance

This may be defined as the mechanisms used to harmonise evidence-based health practice, health legislations, and policies in order to improve the handling of health information.
Health information governance allows health workers to comply with established legal provisions and the established code of conduct when they handle confidential health information such as personal records. It serves a twofold purpose of providing necessary structures to maintain privacy and security standards, and defining the specific standards. Such action should meet legal requirements, efficiency, ethical use, effectiveness, and security of personal health data being handled (Risk & Dzenowagis, 2001). The management can be used strategically to institute proper structures that are necessary in the implementation of proper health information governance initiatives. Clear rules and procedures may guide health workers to know which steps to follow in compliance with health information governance.

Section 4: Future Approach

In the case presented on East Surrey Hospital, it is evident that encryption policies were in place, though the health workers failed to follow them. The best approach to prevent future incidents is to include encryption procedures as part of work policy to be followed by the health workers. This appears to be more of a network security issue. All hospital computing equipment should be encrypted in order to protect the data held therein even if it gets into the wrong hands. Health information governance supports this approach (Braa, Monteiro & Sahay, 2004). The responsibility of protecting the health data collected from the public should also be placed on the data handlers as part of health legislation or policy.

In the second case, where nine NHS trusts lost personal data held in confidence, the problem was more of a laxity on the part of the people who conducted the security review. The first step to take when seeking to alter data or move data is to back up the information before proceeding with the exercise.
The data security breach occurred as a result of unclear or non-existent health procedures to be followed when changing or moving health information records. Better policies or legislation should be passed to support the larger health information governance framework.

Conclusion

Electronic Health Records that rely on computer networks should be used effectively. Before one builds a computer network, it is important to conduct a risk analysis to understand the areas that make the information system vulnerable. When hosting a system on a web server, the risk of attack is much higher than when the systems are running on local hosts within private networks. Conducting an information systems security risk analysis would also allow for the development of business continuity plans, response plans and risk mitigation plans. By mapping out possible risks early enough, there is an increased chance of preparedness. A security risk analysis model can be relied on to establish any causality between risk factors in a health information system. Those stakeholders pursuing health information governance should consider including network security as part of their policy in order to protect sensitive electronic health records. This example shows how network security can be effectively structured into the policies and health legislation to improve health information governance.

References

BBC (2011). East Surrey Hospital loses confidential patient records. BBC News. 5th October 2011. Retrieved from <http://www.bbc.com/news/uk-england-surrey-15176343>
BBC (2007). Nine NHS trusts lose patient data. BBC News. 23 December 2007.
Braa, J., Monteiro, E., & Sahay, S. (2004). Networks of action: sustainable health information systems across developing countries. MIS Quarterly, 337-362.
Forouzan, B. A. (2007). Cryptography & Network Security. McGraw-Hill, Inc.
McClure, S., Scambray, J., Kurtz, G., & Kurtz. (2009). Hacking exposed: network security secrets and solutions.
Risk, A., & Dzenowagis, J. (2001). Review of internet health information quality initiatives. Journal of Medical Internet Research, 3(4), e28.
William, S., & Stallings, W. (2006). Cryptography and Network Security, 4/E. Pearson Education India.
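
The exchange described under Digital Signatures, as an added example that is not part of the original paper: Alice and Bob each share one secret key with the central authority, which relays KB(A, RA, t, P, KCA(A, t, P)) and rejects stale or repeated (sender, RA) pairs. The helper names, the 300-second skew window and the sample message are assumptions, and the SHA-256 keystream with HMAC is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode: toy keystream standing in for a real cipher
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _subkeys(key):
    # Separate encryption and MAC keys derived from the one shared secret
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key, fields):
    """K_X(fields): encrypt-then-MAC under the key shared with X."""
    ek, mk = _subkeys(key)
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct)))))

class CentralAuthority:
    def __init__(self, max_skew=300):
        self.user_keys = {}            # name -> secret key shared with the CA
        self.own_key = os.urandom(32)  # K_CA, never leaves the CA
        self.seen = set()              # (sender, RA) pairs already relayed
        self.max_skew = max_skew       # tolerated clock skew in seconds (assumed)

    def enroll(self, name):
        self.user_keys[name] = os.urandom(32)
        return self.user_keys[name]

    def relay(self, sender, blob, now):
        b, ra, t, p = unseal(self.user_keys[sender], blob)  # opens KA(B, RA, t, P)
        if abs(now - t) > self.max_skew or (sender, ra) in self.seen:
            raise ValueError("stale or replayed message")
        self.seen.add((sender, ra))
        signed = seal(self.own_key, [sender, t, p]).hex()    # KCA(A, t, P)
        return b, seal(self.user_keys[b], [sender, ra, t, p, signed])

    def verify(self, signed_hex):
        # Dispute resolution: only the CA can open KCA(A, t, P)
        return unseal(self.own_key, bytes.fromhex(signed_hex))

def demo(now=1_700_000_000):           # constructed timestamp
    ca = CentralAuthority()
    ka, kb = ca.enroll("Alice"), ca.enroll("Bob")
    msg = seal(ka, ["Bob", os.urandom(8).hex(), now, "lab result ready"])
    to, blob = ca.relay("Alice", msg, now)
    a, ra, t, p, signed = unseal(kb, blob)
    try:
        ca.relay("Alice", msg, now)    # captured message sent a second time
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return to, a, p, ca.verify(signed), replay_blocked
```

Bob cannot produce KCA(A, t, P) himself because he never holds the CA's own key, which is what lets the CA settle a later dispute about who sent P and when.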