Risk Assessment for Non-profit Hospital - Coursework Example

Risk Assessment for nonprofit hospital Introduction This paper gives a dwtailed analysis and intrpetation of the risk assessment of non-profit hosptial in respect to what is already contained in the literature. From the analysis of my findings, it is inherently evident that healthcare information system security threats are increasing tremendously. It shows that there are several factors, other than virus attack, which are critical, are not yet dealth with. Non-profit organizations also lack technological toosl and financial resources to address these issues adequately. In my study, I also explored the most prevalent threats that affect the hospital information system currently. The study was conductd in medical record department, X-ray department and information technology department. During the study, 18 threats were identified basing on the ISO/IEC 27002 (ISO 27799:2008). The research showed that the most prevalent attack is coursed by actions of human negligence and error. The increase in the use of mobile application softwares in hospital has also heigthen the security risk to hospital data. Interpretation The outcome of the research shows that the helth information system threats can be classified into two major categories. The first category is those threats related to propagation and spread of malcious programs to the information system. These include: Vulnerabilities found on the homepage of HP System Management. MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Vulnerabilities on Microsoft Windows SMB Remote Code Execution (958687) Apache Tomcat Manager Common Administrative Credentials Firebird DataBase Server fbserver.exe p_cnct_count Value Remote Overflow The ways in which these threats propogates can be looked at in details as follows Use of mobile devices Today’s society has been hit by massive use of mobile devices. The types and the number of mobile devices use by nurses, physicians, specialist and administrators have drastically grown. The ability of users to access the information via the networkk expose the health information to network related security threats such as eaves dropping and denail of services. In addition, the software used by these devices is upgraded regularly. The software updates alsway comes with malicious programs such as operating systems, which can be detrimental to the information system. Threats associated with medical embedded devices With the increase in the use of smartphones and tablets computer with Wi-Fi and wide area network capabilities and embedded features such as a system for monitoring patients, medical scanners and imaging devices, the bandwidth used in communicating is trained and hences exposs the information to network threats. Desktop to server virtualization Research has shown that more than 80% of organizations have moved to virtualization in the way they run their applications. Virtualization softwares are used to achieve this. They enable serves to run a variety of applications using limited hardware devices. The strategy is cheaper and energy saving. However, virtualization strategy exposes hospital information to more threats than desktop environment. This is because the communication is via the network or the internet. Spreading of malware programs vai social media Platfforms used in socializing such as youtube, twitter and facebook have attracted many users. The employees in the hopsital environment are not exceptional. They use the smartphone and tablets meant for hospital uses for theirpersonal use such as accessing social media. Unknowingly, the malware program can propagate via the social media and infect their application in their hospital devices. This is one of the theat that was found in MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028). The individuals who develop malware programs are programming experts who have advanced knowledge in compuitng environment. This implies that to block malware parmanently is impossible regardless of installing anti-malware programs. The second category is those related to human errors and negligence. These are threats that target the user accounts. The vulnerabilities involving this type of threat are; Default Password (password) for root Account MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check) MS04-035: WINS Code Execution (870763) (uncredentialed check) MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) (uncredentialed Oracle Database, April 2007 Critical Patch Update Oracle Database, October 2009 Critical Patch Update Oracle Database, October 2012 Critical Patch Update There are different factors that bring about these threats. It can be a contribution of the employees themselves or hackers. There are many instances where the employees in hospital misuse their access privilage right. For example, an employee working in the finance department might try to access patient’s information illegally. The rights of such an employee do not go beyond the processing of the data. Since such employees do not know the regulastions governing the exposure of patient information, the information can get into the hands of unauthorized people who have malicious intentions. On the other hand, hackers tend to take advantage of the employees negligence to access the information. For instance, a nurse leaves her tablet computer containing patient’s information open and goes out. The hacker comes in and find steals the information from the tablet (Briner 2010). In some instances, hackers can launch an attack to the hospital information system for malicous gain such as monetary gain or revenge. Such hackers tend to couse denail of services to the hopsital. Conclusion According to this report, improvements in healthcare risk assessments are crucial to address security and privacy risks. Current challenges to the confidentiality and security of health information are identified and recommendation of security measures that are strong and comprehensive should be implemented. The outcome of the above risk assessment clearly shows that the major threats that affect hosptila data are hacking and malicious program attacks. There are different methods through which these two threats are propagated. The malware related attacks are as a result of technological developments while the hacker related attacks targets the user accounts. The hospital’s information system is a critical asset to the organization. Lose of hospital data can have fatal impacts on the care quality and patient safety because such a condition affects the availability, integrity, and confidentiality of data. In addition, such troubles would cause hospital to incur huge financial losses. The researchers should deliberate more on the technology to ensure that the departments of health take full advantage. The suitability of the system should also be adjusted to fit different needs of different hospitals. This can be achieved by increasing the pilot that is able to run for a longer time. This will eliminate the suitability issues. There is an issue with the reimbursement of the individual who carries out and implement security measures. Most people who carry out these projects are not paid. This will kill the spirit of wanting to research more on the field. Most agencies do not have a laid down strategy for reimbursing the telemedicine reimbursing The rate at which technology is taking over the operations of different daily undertakings makes it cumbersome to predict the future trends in security of hospital information system. The future evaluation of security is very complex. As it expands, there should be a way of solving the reimbursement issues. Considering the benefits and cost of implementing telemedicine, it is crucail for a hospital to ensure the security of its information system. Research shows that there a lot of changes in the medical field. There is a huge shift to the use of technology in hospitals. The implementation of telemedicine still faces a lot of challenges. There has been a drastic rise in the demand for telemedicine services. Consequently, the technology has also led to ithe introductionof different telemedicine devices such as those for managing weight, monitoring blood and rehabilitation (Manser, 2010). The key challenge that proves to be costly to the health service providers is how to apply them in the sector. Practical application has proven to be an uphill task. The privacy of medical information is very critical. As such, the health care providers should invest heavily in the security of the information system used to provide telemedicine services. It is very evident that the cost that is incurred in ensuring maximum information security is high. Some organization invests lies in the system functionality at the expense of the security of critical medical information. Reference Briner, M., Kessler, O., Pfeiffer, Y., Wehner, T & Manser, T. (2010). Assessing hospitals clinical risk management: development of a monitoring instrument. Cengage laerning. Read More