Healthcare companies that operate as for-profit entities, such as ABC Healthcare, are facing a multitude of challenges. The regulatory environment is becoming more restrictive, viruses and worms are growing more pervasive and damaging, and ABC Healthcare’s stakeholders are demanding more flexible access to their systems.
The healthcare industry is experiencing significant regulatory pressures that mandate prudent information security and systems management practices. Furthermore, the continued pressure to reduce cost requires that management focus on streamlining operations, reducing management overhead and minimizing human intervention. The regulatory focus at ABC Healthcare is on the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX).
Both pieces of legislation highlight the need for good systems administration and controls, but they focus on different aspects of the business. The main focus of HIPAA is protecting individually identifiable health information (protected health information, or PHI), while SOX is concerned with data that affects financial reporting. Violations may be met with both civil and criminal penalties. Therefore, the company must be ever watchful of new threats to its systems, data, and business operations.
The most prevalent security related threat to on-going business operations is the continued development and propagation of viruses and worms. Virus and worm prevention or containment is a vital component to the overall risk mitigation strategy. Virus and worm outbreaks have multiple cost aspects for the company including lost patient charges due to system unavailability, lost productivity because of recovery efforts due to infection, and potential regulatory impacts depending on the virus or worm payload. However, the company must balance risk with opportunities in order to serve the stakeholders and grow the business.
ABC Healthcare’s stakeholders include multiple groups that depend on or need access to clinical and/or financial systems in order to help support and grow the company. The access requirements and the associated risk model vary by user group. The main access groups are internal-only users (i.e. nurses, hourly employees, etc.), internal/remote users (i.e. salaried employees, doctors, etc.), and business partners (i.e. collection agencies, banks, etc.). Risk mitigation solutions must be developed for each user group to help ensure that the company realizes the benefit each group brings while minimizing the risk to business operations. The high-level management goals of the network design implementation are as follows:
•Support the business and balance security requirements without introducing significant overhead and complexity;
•Maintain and enhance security without significantly increasing management overhead or complexity;
•Implement systems that are industry supported (standards where appropriate), scalable, and fault-tolerant;
•Ensure that the design is implemented to help ensure compliance with any and all applicable regulations;
•Proper management of access control for legitimate users and malicious users is of the utmost importance for the security of the ABC Healthcare management system. The threat is not limited to outside malicious users but also legitimate users engaged in illegitimate activity.
Based on the above description you are to provide a recommendation of how you would address each of the following ABC Healthcare’s computer network security requirements. Note, whereas cost is typically an important factor, this is not a consideration for this case analysis. Therefore, you do not need to include cost estimates. Your solution should have the “right feel”, despite the lack of depth or details necessary to be accepted by upper management. Be specific in your answers. Write them as if you were writing a proposal to your boss. You do not need to include citations. Since you are developing a solution to a specific circumstance, material that is copied from an outside source will not likely fit so everything should be in your own words.
1.Describe your vision for addressing the security requirements in the overall technical design of the ABC Healthcare network. This should include both internal and external (untrusted and trusted) aspects. Untrusted would include user connectivity to the Internet. The “trusted” network has the main purpose of supporting the business functions of known entities (i.e. partners, suppliers, etc.) which have a business relationship with the company. Note that you are to concentrate on the high level, and you are not expected to provide low level details for your recommended design. (40 points)
A threat is defined as “a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm” (Stallings & Brown, 2008, p. 13). In essence, a threat is a possible danger that may exploit a vulnerability. There are many threats associated with online services, especially once personal information is involved. The first threat to ABC Healthcare that should be identified is the “continued development and propagation of viruses and worms.” During the development phase of the network design, program managers have to ensure not only that antivirus software is deployed and kept running continuously (real-time on-access scanning, backed by a scheduled full scan, for example daily after hours, with signatures kept current) but also that intrusion prevention and intrusion detection systems (IPS/IDS) are in place to identify network intrusions.
A simple antivirus product like McAfee is easy to use and will not drastically increase their budget, which in my opinion would be the first balanced approach. Although they may have to pay a little more for other services to ensure a proper IPS or IDS, many organizations (including the Navy) use Snort, which is an open-source product. Another area that will have to be addressed, for both trusted and untrusted users, is unauthorized disclosure: in essence, someone gaining access to information they should not be allowed to view. This does not always have to be malicious in nature; it could simply be a flaw in the system that allows a user to view other people’s information indirectly.
We also cannot rule out the threat of deception. When dealing with medical information you want to ensure a patient’s privacy is kept just that, private. To gain access, attackers can pose as someone who should have access to a system. This could be accomplished by simply calling a help desk, providing them with some information, and having them reset the password (which is one reason why I am glad we finally did away with the infamous “mother’s maiden name” security question... well, for the most part). The third threat would be disruption, which challenges system availability and in some cases the integrity of the system.
This threat could be carried out in numerous ways; one would be a denial-of-service attack that prevents users from accessing the website. More basic disruption techniques include simply damaging network devices, or even stealing them. Overall, to prevent or reduce such threats ABC Healthcare will have to take each element of a defense-in-depth strategy (people, technology, operations) into consideration.
Vulnerability is “a flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy” (Stallings & Brown, 2008, p. 13). One example of a vulnerability in this system would be poor system performance. A slow-running network is just as useless as one that is unavailable, and it will usually result in users opting to find other (often less secure) means to conduct business. Although I can understand the importance of keeping the cost of network security low, at times you will have to remind yourself that you get what you pay for. It is paramount that ABC ensures they have well-trained and qualified IT personnel to run their networks (hence my further education in the cybersecurity field).
Not only does ABC Healthcare have to ensure it has qualified and well-trained IT support personnel, it also has to ensure that each user (employee) operating the system is well trained. The biggest threat to a network is the end user, so users should be trained on what to look out for, such as social engineering. Social engineering can take the form of simple questions that a user feels are innocent in nature but that actually hand information to someone the user believes will use it to help them, when in fact the attacker uses it to deceive the user and gain access to network resources or patient information.
Additionally, I would first ensure there is some type of disclaimer that the user would have to acknowledge, stating something to the effect of: the passing of medical records or privacy information is not recommended unless you can be certain the person you are passing it to will use the information as agreed. Though I am sure it could be written a bit better, it is important that users know that even though they are on a secure site, their information could still be leaked and disseminated. By having this in place, if something were to happen IT personnel can refer back to this acknowledgment page as issues arise.
To protect patients and other groups that use the network from outside the ABC Healthcare organization, such as collection agencies and banks, along with the above disclaimer I would ensure that the website uses HTTPS (TLS on port 443) for secure connectivity, with plain HTTP on port 80 disabled or redirected so that no session can fall back to clear text. Although the site can still be breached and users can still be victimized, TLS adds an extra layer of security: it encrypts credentials and patient data in transit, so a sniffer on the network path sees only ciphertext.
2.Discuss the way you will address requirements for system monitoring, logging, auditing, including complying with any legal regulations. (15 points)
The first thing ABC Healthcare IT personnel should consider when conducting security checks is starting with a checklist. This will allow the administrator to ensure nothing necessary is missed. This is where risk management should come into effect. According to Kathy Schwalbe, there are six major processes involved in risk management:
•Planning risk management involves deciding how to approach and plan the risk management.
•Identifying risks involves determining which risks are likely to affect a network and documenting the characteristics of each.
•Performing qualitative risk analysis involves prioritizing risks based on their probability and impact of occurrence.
•Performing quantitative risk analysis involves numerically estimating the effects of risks on objectives.
•Planning risk responses involves taking steps to enhance opportunities and reduce threats.
•Monitoring and controlling risk involves monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies. (Schwalbe, 2010, p. 427)
For auditing, it is good practice on Microsoft systems to use Event Viewer, which allows you to track events that occur on the system. Eckert and Schitka state that “events that occur on a system are tracked and recorded in different log files, and you can use Event Viewer to view the contents of these logs. For example, you can use Event Viewer to view the contents of the System log to determine when and possibly why, a specific service failed to start” (Eckert & Schitka, 2006). For the logs to be useful, audit policy must actually be enabled for the events that matter (successful and failed logons, account and group changes, access to folders holding patient or financial records), and the logs should be forwarded to a central collection point and retained there, so that an intruder who gains control of one host cannot simply clear its local log. It would also be a good idea to have a disclaimer (logon banner) on the login screen informing all users that they are subject to monitoring when using the IT asset; that way the user (although it may not always help) will be aware that what they do on the network can be traced and that they may face disciplinary action if the matter warrants.
Another thing ABC Healthcare IT administrators should be doing is reviewing file and folder permissions for accuracy. All common server operating systems provide the capability to specify access privileges individually for files, directories, devices, and other resources. By carefully setting access controls and denying personnel unauthorized access, ABC Healthcare IT personnel can reduce intentional and unintentional security breaches. For example, denying read access to files and directories helps to protect the confidentiality of information, and denying unnecessary write (modify) access can help maintain the integrity of information. Limiting the execution privilege of most system-related tools to authorized system administrators can prevent users from making configuration changes that could reduce security. It also restricts an attacker’s ability to use those tools to attack the server or other hosts on the company’s network.
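The monitoring described above only pays off if someone, or something, actually reads the logs. The following is an added example, not part of the original proposal or of any ABC Healthcare system: it scans constructed Windows-style audit log lines (modelled on Security-log event 4625, failed logon, and 4624, successful logon) and raises an alert when one account from one source host fails repeatedly inside a short window, and a second, more serious alert when a success follows such a burst, since a guessed password is worse than a locked-out account. The field layout of the lines, the threshold and the window are assumptions for the example.

```python
"""Detect repeated failed logons in Windows-style audit log lines.

Added example for the monitoring/auditing discussion; it is not part of
ABC Healthcare's environment. The log lines are constructed to resemble
event 4625 (failed logon) and 4624 (successful logon) exported as text:
  <date> <time> <event id> <account> <source host>
That layout is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five quick failures by jsmith followed by a
# success, and three scattered failures by rjones.
SAMPLE_LOG = """\
2012-11-29 08:00:01 4625 jsmith 10.1.5.20
2012-11-29 08:00:04 4625 jsmith 10.1.5.20
2012-11-29 08:00:09 4625 jsmith 10.1.5.20
2012-11-29 08:00:15 4625 jsmith 10.1.5.20
2012-11-29 08:00:18 4625 jsmith 10.1.5.20
2012-11-29 08:00:21 4624 jsmith 10.1.5.20
2012-11-29 08:30:00 4625 rjones 10.1.7.9
2012-11-29 09:45:00 4625 rjones 10.1.7.9
2012-11-29 09:45:02 4625 rjones 10.1.7.9
2012-11-29 09:45:05 4625 rjones 10.1.7.9
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_line(line):
    """Split one log line into (timestamp, event id, account, source)."""
    date, time, event_id, account, source = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, event_id, account, source


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, account, source, timestamp) tuples.

    "burst": the account/source pair reached `threshold` failures within
    `window` (raised once, when the threshold is first hit).
    "success_after_burst": a successful logon arrived while a burst was
    still open, i.e. the password may have been guessed.
    """
    failures = defaultdict(list)   # (account, source) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, account, source = parse_line(line)
        key = (account, source)
        if event_id == FAILED_LOGON:
            # Sliding window: keep only failures still inside the window.
            recent = [t for t in failures[key] if ts - t <= window]
            recent.append(ts)
            failures[key] = recent
            if len(recent) == threshold:
                alerts.append(("burst", account, source, ts))
        elif event_id == SUCCESS_LOGON:
            if len(failures[key]) >= threshold:
                alerts.append(("success_after_burst", account, source, ts))
            failures[key] = []   # a success closes the window
    return alerts


if __name__ == "__main__":
    for kind, account, source, ts in find_bruteforce(SAMPLE_LOG):
        print(f"{ts} {kind}: {account} from {source}")
```

With the default threshold only jsmith is flagged (rjones's three failures at 09:45 never reach five); lowering the threshold to 3 flags rjones as well, which is the kind of tuning decision the risk analysis above is meant to inform.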
3.Describe how the system will identify and authenticate all the users who attempt to access ABC Healthcare information resources. (15 points)
ABC Healthcare administrators should consider Group Policy. According to Microsoft (2003), “Group Policy is an infrastructure that allows you to implement specific configurations for users and computers.” Additionally, Microsoft (2003) states that Group Policy settings are contained in Group Policy Objects (GPOs), which are linked to the following Active Directory service containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory. Active Directory in this case would be an added benefit to ABC Healthcare, as it allows for the deployment of the Group Policy feature, which in turn gives network administrators the ability to manage each user and computer object.
By creating security GPOs, an administrator can apply settings across the whole domain and not just to a standalone computer. This saves time and allows an administrator to affect multiple computers at once. Another benefit of using GPOs is the ability to define settings for wireless network connectivity. GPOs allow you to configure which wireless networks workstations can connect to, and to automatically configure Wired Equivalent Privacy (WEP) (Aubert & McCann, 2006). WEP itself has long been broken and should not be relied on; the same GPO mechanism should instead push WPA2 with 802.1X authentication (certificates or domain credentials) to the workstations. If ABC Healthcare ensures GPOs are set up and followed correctly, users will not be able to alter many functions without advanced administrator privileges, and with auditing in place, if foul play is suspected it will be quickly noticed.
The baseline control for ensuring that a site is available only to authorized users would be to enforce the use of a username and password. A password by itself only shows that the presenter knows the secret, so it must be backed by controls on how it is issued, reset, and guessed. One security concern is that an attacker may try to access a user’s account without the appropriate credentials. There would be steps in place to prevent access after repeated incorrect password attempts; many times this is covered by a lockout function (with the caveat that lockout can itself be abused to deny service to a known account, so thresholds and lockout durations need to be chosen with that in mind, and lockouts should be logged and reviewed). Additionally, the “forgot username and password” function will be readily available, but it must verify the requester’s identity by something other than easily researched personal facts, for the help-desk reasons discussed in question 1. Another option that can be used (much like in the military) would be Common Access Cards (CAC) with Public Key Infrastructure (PKI): a smart card holding the user’s certificate, unlocked with a PIN, so that authentication requires both the card and the PIN. Because signing is done with a private key that never leaves the card, this also provides non-repudiation: what is sent or uploaded is authenticated as coming from that user and cannot credibly be disputed.
4.Discuss how the system shall recover from attacks, failures, and accidents. (15 points)
In order to ensure that information stored on the network can be recovered, it is key that IT personnel conduct backups. Backing up the system is another quality assurance feature that should be reviewed by management personnel. It is paramount that IT management ensures administrators are conducting daily, weekly, and monthly backups of their network. A full backup should be conducted at least once a week, with daily differential backups (each capturing everything changed since the last full) and perhaps an incremental backup (capturing only what changed since the previous backup of any kind) performed mid-week. The trade-off is restore complexity: a differential needs only the last full backup to restore, whereas an incremental also needs every backup between it and the last full. Restores should be rehearsed on a schedule rather than assumed to work, and at least one copy should be kept off-site or offline so that a worm or malicious insider that destroys data on the live network cannot destroy the backups too. This will ensure that in the event of data loss IT personnel can restore lost material with minimal downtime.
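Because the weekly rotation above mixes differential and incremental backups, it is worth being precise about which sets a restore actually needs. The block below is an added example, not an ABC Healthcare procedure: it encodes a constructed one-week schedule (Sunday full on day 0, differentials on the other days, one incremental on day 3) and works out the restore chain for any target day using the definitions given above.

```python
"""Work out which backup sets are needed to restore to a given day.

Added example for the backup rotation discussed in question 4; it is not
an ABC Healthcare procedure. The schedule is constructed: day 0 is the
Sunday full backup, differentials run on the other days, and a single
incremental is taken mid-week (day 3).
"""
from collections import namedtuple

Backup = namedtuple("Backup", "day kind")

WEEK = [
    Backup(0, "full"),
    Backup(1, "differential"),
    Backup(2, "differential"),
    Backup(3, "incremental"),
    Backup(4, "differential"),
    Backup(5, "differential"),
    Backup(6, "differential"),
]

# A second week, to show that a later full backup resets the chain.
TWO_WEEKS = WEEK + [Backup(7, "full"), Backup(8, "differential")]


def restore_chain(backups, target_day):
    """Return the backups to apply, oldest first, to rebuild target_day.

    Rules: a full backup stands alone; a differential holds every change
    since the last full, so it needs only that full; an incremental holds
    changes since the previous backup of any kind, so it needs that
    previous backup (and whatever that one needs) as well.
    """
    history = sorted(b for b in backups if b.day <= target_day)
    if not history or history[0].kind != "full":
        raise ValueError("no full backup precedes the target day")
    chain = []
    i = len(history) - 1
    while i >= 0:
        b = history[i]
        chain.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            # Everything since the last full is in this set: jump to that full.
            last_full = next(h for h in reversed(history[:i]) if h.kind == "full")
            chain.append(last_full)
            break
        # Incremental: the previous backup is needed too; keep walking back.
        i -= 1
    chain.reverse()
    return chain


if __name__ == "__main__":
    for day in range(7):
        sets = ", ".join(f"day {b.day} {b.kind}" for b in restore_chain(WEEK, day))
        print(f"restore to day {day}: {sets}")
```

Restoring to day 3 needs three sets (full, the day 2 differential, the day 3 incremental); restoring to day 4 needs only two, because the day 4 differential already contains what the incremental held. That is the practical cost of the mid-week incremental: one more set to locate and one more point of failure on the day you need it most.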
Ensuring there is a baseline in place that has all the original configurations is another way to ensure data safety. Looking at attacks, if the system has IPS/IDS and antivirus software installed the risk can be minimized. Michael Goodrich and Roberto Tamassia also state that administrators should have checksums and data-correcting codes in place: “Checksums are the computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file is highly likely to result in a different output value.
Checksums are like trip-wires, they are used to detect when a breach to data integrity has occurred. Data correcting codes are methods for storing data in such a way that small changes can be easily detected and automatically corrected. These codes are typically applied to small units of storage, but there are also data-correcting codes that can be applied to entire files as well” (Goodrich & Tamassia, 2011). For a checksum to work as a trip-wire against a deliberate attacker rather than just against accidental corruption, two things matter: the function must be a cryptographic hash (for example SHA-256) rather than a simple additive checksum, so that the attacker cannot craft a modified file with the same value, and the baseline of checksums must be stored where someone able to alter the files cannot also alter the baseline.
5.Discuss how the system will address User Account Management and related security improvements. (15 points)
ABC Healthcare would have to ensure it has proper policies, procedures, standards, and guidelines in place to support user account management and the improvement of its network security. In conversation we often lump policies, procedures, standards, and guidelines together, but they are distinct. Policies are the rules established by a company or organization. A policy is usually the stepping stone for the creation of standards, guidelines, and procedures.
A policy does not have to incorporate the other three, whereas it would be virtually impossible to create standards, guidelines, or procedures without reference to a policy, which is the governing document. A standard is, in effect, a rule used to measure how something should be. In the military we have what are called Standard Operating Procedures, which provide step-by-step instructions on how to operate equipment accurately. This prevents users from using the “I didn’t know” excuse.
ABC Healthcare would have to have policies in place if it wants a governing document that must be followed. This would establish rules to be followed throughout the organization. In order for a policy to be changed, the change must first be approved by leadership. Having something like the military’s standard operating procedures would not be a bad idea either. The procedures would be the instructions a user follows to ensure something is done appropriately. As stated in question 4 regarding baselining, they should also have standards, so that it is understood how something is to be completed.
For security improvements, ABC Healthcare can, for example, create a policy stating that the use of USB drives on company computer systems is no longer authorized (as the military has done). This is a governing document that, if not followed, can carry disciplinary consequences.
Aubert, M. & McCann, B. (2006). MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Boston, MA: Course Technology.
Eckert, J. W. & Schitka, M. J. (2006). Linux+ Guide to Linux Certification (2nd ed.). Boston, MA: Course Technology.
Goodrich, M. T. & Tamassia, R. (2011). Introduction to Computer Security. Boston, MA: Pearson Education, Inc.
Microsoft TechNet. (2003). Windows Server TechCenter. Retrieved Nov. 29, 2012, from http://technet.microsoft.com/en-us/library/cc779838(WS.10).aspx
Schwalbe, K. (2010). Information Technology Project Management (6th ed.). Boston, MA: Course Technology.
Stallings, W. & Brown, L. (2008). Computer Security: Principles and Practice. Upper Saddle River, NJ: Pearson Education, Inc.