Background of the Clinic and Its Information System
The United Health Clinic depends heavily on its information system for its core business operations. It uses the information system for patient records, insurance records, medical procedures, and medical and office staff information. The whole clinic depends on the data communicated through the information system. Each patient's history, medical procedures, current status, insurance details and other information are stored in the database, and further medical procedures are based on that data. This security plan analyses the current and possible threats to the existing system and gives guidance for controlling those threats while maintaining a high level of confidentiality. It addresses the loopholes an external intruder could use, to protect the clinic from financial and business losses. Mishandling of data can result in the death of a patient and is likely to cause serious problems for the business itself. Data security and integrity are crucial for an organization like this. A high level of security can be achieved only after thorough analysis and management of the risks. This security plan works toward that goal while maintaining the overall integrity of the Health Clinic.
As this business has board members, a CEO and an H.O.D, it is crucial that the security plan is driven from the top of management down. All clinic staff, including board members, are to be made aware of the security plans and policies. The board members and CEO will be able to direct all clinic staff, including themselves, to follow a secure, efficient and effective security plan.
The United Health Clinic’s information system is very simple and vulnerable. The scope of this report covers the United Health Clinic information system (physical hardware, data, networks, configuration, user privileges, procedures and the current security system). It will also assess the software the clinic currently uses and its security strategies, and make other important recommendations that the clinic needs to ensure the best security.
The following is an outline of the 6 major sections that form this security plan.
In this section, a brief background of the clinic, its structure and its need for an information system will be described. This will help in analysing the system, its current and possible threats and vulnerabilities, and the procedures to control them. All employees, with their roles and privileges, will also be described. This will help to identify the current user privileges, possible threats and controlling measures.
United Health Clinic’s Security Policies
In this part, United Health Clinic’s security policies will be discussed. This is the basic framework on which the security plan is designed. It is where the clinic sets the level of data security that ensures data integrity, availability and confidentiality. The policy will describe its major aims, how the different areas are linked together and each area’s objective. The policy will assign responsibilities for implementing each area to maintain a high level of IT security. It will also include a statement describing the clinic’s commitment to IT security.
The security policy is the strategy for how A plans to tackle security in its I.T. systems, ensuring their integrity, availability and confidentiality. The security policy provides a strategic framework upon which the remainder of the security plan is built. The policy describes its goals, how different areas of the I.T. systems have been grouped, and the security objectives and needs for each of these areas. The security policy also assigns responsibility for implementing each of these policy areas and provides a statement on the company’s commitment to I.T. security.
In this section, the current system will be assessed and all the assets and threats will be described along with their current control mechanisms. The detailed analysis will be based on the effectiveness of each control mechanism.
Conclusions
This section will summarise the current security status of the clinic along with the vulnerable areas. It will also list the areas the clinic needs to be aware of and work on to ensure higher IT security. This section will indicate the problems that have been found during the assessment.
This part will provide recommendations to control and lower the risks identified in the conclusions. It will be based on cost-benefit analysis and on how much additional data security the clinic can achieve relative to the cost. It will help the clinic to reduce the possible and certain risk factors.
In this section, the ways to carry out the recommended procedures are detailed. It will set out the implementation table, the roles for implementation and the monitoring of the recommended plans.
This clinic was formed in 2012 with the slogan “A passion for putting patients first”. The formation plan initially came from James Warner and Max Park. Later, they received help from Anne Smith, John Mansour and Sylvia Peters. They were concerned about people's poor lifestyles, which were clearly having a negative effect on their health, and this led them to the idea of building a clinic that concentrates on people's fitness and helps patients to maintain their health. They were readily able to establish the clinic as one of the top clinics in the country, as they were able to assess organizational readiness, allocate costs per patient, enhance service function productivity and more.
Current System Assessment and Control Mechanisms
At present the clinic has 22 staff: 6 doctors, 5 nurses, 6 office staff and 5 therapists. They all work on a permanent basis. The clinic receives around 350 patients a week, which is a high number for a clinic. The clinic deals with 7 different private and public health insurers. Most of the patients (around 85%) have health insurance cover.
Among the office staff, Heather Harper is the office manager, who supervises all the office staff. Ryan Forsythe is responsible for accounting and payroll. Andrew Wilson helps to maintain patient records, whereas Melina Wills is responsible for the paperwork related to insurance claims and insurers. Veronica Donovan looks after daily patient appointment booking and reminds medical staff about appointments. Robert Harper looks after the medical and office inventory. They all help to prepare the end-of-month accounts and reports too.
- Employee Roles

| Role | Staff |
| --- | --- |
| Board Members | James Warner, Max Park, Anne Smith, John Mansour and Sylvia Peters |
| CEO | James Warner and Max Park |
| HOD Doctor | Max Park |
| Senior Doctors | John Mansour, James Mansour and Sylvia Peters |
| Doctors | Doctor 1 |
| HOD Therapist | Anne Smith |
| Therapists | 4 other therapist name |
| Senior Nurse | Name 1 |
| Nurses | Other 4 nurses |
| Office Manager | Heather Harper |
| Accountant | Ryan Forsythe |
| Patient Record Maintenance | Andrew Wilson |
| Insurance Claims | Melina Wills |
| Appointment Booking | Veronica Donovan |
| Inventory | Robert Harper |
This part describes the information system of United Health Clinic in detail, based on its divisions.
United Health Clinic’s information system can be divided into the following areas:
- The staff and the hardware located in the clinic in Sutherland
- The cloud server for the system.
The staff working in the clinic run the medical software on a system with Windows OS. All the computers and network devices are connected to the clinic network. Staff access the system from these computers through the cloud server. No backup or offline server has been established, and no backup power supply is installed in the clinic.
The clinic uses NeuMD medical software, which is a cloud-based system. It provides the following dedicated servers:
- A cloud server
- File server
- Database server
At the current stage, United Health Clinic has not issued a security policy. As it was founded by doctors, they work according to their standard protocols. All the medical staff do the same, while the office staff have some verbal recommendations and informal security measures as directed by the office manager. There have been issues regarding policies, and the need for a written one has come forward. Everyone on the board feels that a written security policy would help to keep things more secure, consistent and easy.
- Threats
The threat is an ex-employee who could damage the current system in any possible way for various purposes. They could steal confidential patient information and use it for illegal purposes. They may also alter patient records and information, which would cost the clinic thousands of dollars. They may alter information in a medical procedure, resulting in the wrong procedure being applied and a serious health hazard for the patient. Some of the most common and likely threats are listed below:
- Loss of the patients:
Current Security Status and Vulnerable Areas
The average cost for each patient is $150, including basic health care. If an employee uses confidential patient information for a purpose for which it was not intended, patients will be concerned and will go to a different health care provider because of the privacy issues. The level of exposure is medium, as the amount of patient information made available depends on the employee's position in the hierarchy.
- Temporary Loss of server
As the whole system depends on cloud computing, loss of the server even for a minute would be costly. A loss of $14,000 a week is estimated if the servers become unavailable. However, the chance of an ex-employee causing loss of server access is low, as the servers can only be accessed by the CEO. The level of exposure is minimal.
- Theft of Information
The amount of loss caused by the theft of information would depend on the level of the information. Theft of patient information will cost an average of $150,000 in revenue, while theft of medical procedures will cost $780,000, as they are special procedures that the clinic performs.
- Existing Controls
- Revoke user account
Revoking users’ account access is an economical way for Network Administrators to prevent ex-workers from gaining access to the web-based applications and host servers (Caballero Gil, Molina Gil, Hernández Serrano, León and Soriano Ibáñez, 2014). The cost is $25, based on 30 minutes of Network Administrator time to apply the appropriate privilege changes on all applications and servers.
When a worker's employment contract with an employer ends, he or she should hand over all company belongings (Srivastava, Microsoft Technology Licensing, 2015). The company pays $50 for a courier service to make sure that the worker can return their company PC if they have one.
The enterprise data policy clause within the employee work agreements specifies that employees must destroy every copy of company information found on their computers and storage devices when their contract with company A is terminated (Gordon, Devasahayam, Zhao, Rouskov, Arewar, Gopalakrishnan, Subramaniam, and Miron, Microsoft Technology Licensing LLC, 2017).
The current controls are aimed at blocking access to data and hosted servers once the employee’s contract has ended. The obvious flaw in this plan is that it assumes the worker has not maliciously damaged information on the servers before the contract ended, and that they destroy all copies of enterprise data as required at termination (LoBean, Rodriguez, and Tewksbury, International Business Machines Corp, 2012). A combined control effectiveness rating of about 50 percent has been assigned, since the current controls cover only half the threat, namely the damage initiated after termination.
Recommendations and Implementation Plans
Physical theft comprises the stealing of:
- Company computers
- Employees’ computers containing work-related information
- Storage devices holding work-related data
- Company-related documents
These thefts might occur at a worker’s private residence, at the health clinic, at customer premises or in transit.
Compromised passwords
If workers keep passwords stored on their PCs, there is a possibility that the passwords will be found and misused. Passwords might be used to cause temporary loss of the servers, to steal code bases, or to corrupt software (Chen and Chou, 2015). The cost is put at about $38,000, covering the temporary loss of any server ($12,000) plus the cost of restoring corrupted software ($29,500). Misuse of stored passwords is rare, since thieves would need to know what to do with them; if they are misused, the level of exposure would be minimal, as personnel have limited access to the hosted servers based on their duties and the projects they are working on.
The estimated cost is $100,000, based on the predicted loss of income from potential customers and of the competitive edge that the clinic (Unified Health Clinic) holds with its exclusively developed software. Because of the limited access to code bases detailed above, the level of exposure is regarded as normal (Jebalia, Letaifa, Hamdi, and Tabbane, 2014). If these computers are stolen, misuse of the code base would be infrequent, as the motive for the theft would most probably be the value of the hardware, not the value of the data.
This covers disclosure of patient information such as email addresses and account information, and of technical details concerning the client site such as configuration details, network information, and application and server passwords (Patterson, Sony Interactive Entertainment America LLC, 2013). Nevertheless, the probability of this risk is erratic and the level of exposure is minimal because of the restricted access to this type of information.
At present, Unified Health Clinic strongly recommends to its employees that all computers containing work-related information be set up with user accounts and be password protected (Jadhav and Varshney). The cost of this measure is zero, as it is an easy task that takes an insignificant amount of time.
Encryption of sensitive data
Crucial data such as customer and staff bank account information and passwords should be stored inside encrypted documents (Harkous, 2012). The cost of encryption is zero because the software used is open source, the documents involved are small, and the time taken to encrypt them is negligible.
United Health Clinic’s Information System
The existing controls received a high effectiveness rating of about 90 percent. They have been applied at SoftQuest and then at Unified Health since 2012, and no cases of computer theft have been reported. Employing basic controls such as encryption of private data and password protection of user accounts is effective in preventing most unauthorized users from gaining access to data (Byun, Choi, Choo, Ju, Nam, and Hong, Electronics and Telecommunications Research Institute, 2013).
Power Supply
Threats
Power Loss
The word loss is used here to refer to a break in the power supply, normally for a few seconds. Also referred to as blackouts, outages may last from a few minutes to weeks depending on the cause of the power loss.
Power Fluctuation
Power fluctuations are momentary disturbances in the power supply that include brownouts (under-voltage) and power spikes (overvoltage). Brownouts can cause a computer system to shut down unexpectedly, while power spikes can physically damage sensitive PC components. Anecdotal evidence among the members of Unified Health Clinic operating in Australia is that power fluctuations significant enough to make PCs restart happen once a month (Aarthi, 2016). Damage is unlikely, but when it does happen the exposure level is approximately 23 percent (low), since damage is usually limited to power supplies and perhaps one or two other components.
Natural Disasters and Civil Unrest
Threats
Natural Disasters at Remote Users Site
Natural disaster as discussed here covers storm damage, fire, flood and other acts of nature that cannot be controlled by humans.
The probability of natural disasters as described above occurring at a remote worker’s location is low (below 7 percent per year). The exposure level in such a disaster is limited, since the disaster would have to destroy the work-related computer equipment within the clinic (Pop and Croitoru, 2012).
The possibility of natural disasters happening at the server farms where the host servers are located is occasional. Typically, major hosting companies like Digital Pacific choose their sites and have enough controls in place to reduce the danger from natural disasters to a negligible level. Not only would a natural disaster have to impact the server directly, but this risk is also counterbalanced by the backup services Digital Pacific offers (Walter, Vitaldevara, and Rodrigues, Microsoft Corp, 2012). An average level of exposure is therefore assigned, since some data might not have been backed up with Digital Pacific before the disaster occurred. About $9,500 is the estimated cost of restoring the servers.
Data Attacks On Hosted Services
Threat
Trojan or Virus
Syslog entries from Unified Health Clinic’s hosted servers indicate that unsolicited port probes occur daily. Likewise, our website has been defaced in the past by a Trojan randomly rewriting PHP scripts and HTML files. The virus got onto the hosted server because a programmer unintentionally left files and folders on the hosted server with public write privilege (Pop and Croitoru, 2012). From this evidence, the likelihood of exposure is almost certain, but the exposure level is low because files and directories normally have strict permissions that deny write and execute access to everyone except the owner or group members. The cost of the risk is approximately $8,000, based on the cost to the business of the hosted server being inaccessible for a week plus the manpower needed to restore services.
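The permission check implied by this incident can be automated. The following is an added example, not the clinic's own tooling: it walks a web root, reports every file or directory that grants write access to "other", and can clear that bit. The function names and the sample directory tree are constructed for illustration.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return (relative path, kind, octal mode) for entries writable by 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                rel = os.path.relpath(path, root)
                findings.append((rel, kind, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def remove_other_write(root, findings):
    """Clear only the other-write bit on each finding; return how many changed."""
    changed = 0
    for rel, _kind, _mode in findings:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        changed += 1
    return changed


def build_sample_webroot():
    """Constructed sample tree standing in for a hosted web root."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": 0o644,
        "uploads/notes.html": 0o666,   # public write left on a file
        "includes/config.php": 0o640,
        "tmp/debug.php": 0o777,        # public write and execute
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample -->\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)  # public write on a folder
    os.chmod(os.path.join(root, "includes"), 0o750)
    os.chmod(os.path.join(root, "tmp"), 0o755)
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for rel, kind, mode in find_world_writable(webroot):
        print(f"{mode}  {kind:4}  {rel}")
```

Run on a schedule against the real web root, a non-empty result is the signal to investigate before any permissions are changed.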
DoS and DDoS
The danger of DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks is occasional. The risk rating is based on the fact that we have not suffered any such attack in the past, that our public profile is low, and that DoS and DDoS attacks are usually directed at high-profile websites (Walter, Vitaldevara, and Rodrigues, Microsoft Corp, 2012). The exposure level is rated as average because there are 3 hosted servers with different URLs and IPs, so all three servers would need to be attacked to make them unavailable. The cost of the risk is approximately $8,000, based on the cost to the business of the server being inaccessible for a week plus the manpower needed to reinstate services.
Employee and patient data on the dedicated servers is minimal and is held mainly in a MySQL database. Even though the majority of the information is test information with no value, some client and company configuration data is present that might be exploited in subsequent attacks. Demonstration versions of Unified Health Clinic apps that use the databases are not publicly accessible, and therefore the possibility of exposure is occasional. Should such data be accessed, the exposure of exploitable data would be rare (Pop and Croitoru, 2014). This threat has a cost of eight thousand US dollars, which is the cost of a chief programmer spending a week finding and fixing all SQL queries that could reveal information.
Conclusion
The security controls currently in place functioned properly while the business was developing its software as SoftQuest Solutions. At that time there were just 2 or 3 designers working faithfully. Security measures were frequently discussed directly across the table, while encryption units were tested and monitored by the Chief Programmers. Originally SoftQuest was a software development sister business of Commslogic, and the two enterprises operated from the same servers and office space. Since the designers were on-site where the software was being used, feedback about the software’s effectiveness was instant and any potential issues or security incidents could be rectified rapidly.
Recently, however, because of changes in the enterprise and the development of the Unified Health Clinic, key areas of security concern have become apparent. They can be expressed as the following security requirements:
- Clear security procedures and guidelines covering access to data, encryption, and password security.
- Regular formal backups of remote and hosted data.
- Full documentation of software design.
- Authentication and lockdown of tested, production-ready code units.
- Use of version control during development.
- Tight control of permissions on the servers.
- Rules for software security in developed apps, covering the design, testing and implementation of auditing and security features.
These changes centre on the need for new procedures and policies, rather than changes to the hardware or information system configuration. The significance of these changes must be appreciated by upper management, especially the CEO and the Board Members, if they are to be applied effectively and the overall security risk minimized.
In this section the recommended changes to the information system are discussed. Where existing controls are endorsed, references to the appropriate subsection in section two are given.
Currently, when developing apps, there are several shared user IDs and passwords that are used by or known to all designers. These are typically DB usernames and passwords, where designers use the same user ID and password as the app itself. The recommended control is to assign individual user IDs and passwords for DB access. The user ID and password used by the app, and the code used to connect to the database, would be kept in a reference file that only the Senior Programmer and Chief Programmer can access. The cost of implementation is five thousand US dollars, based on daily work to change the existing DB passwords and to locate and modify references to usernames and passwords used by apps within the present code base.
The use of a version control system such as SVN allows easy tracing of code changes, recording the changes each programmer made to the code bases and when they were made. This is useful not only where suspicious code changes are alleged, but also where viruses have been accidentally introduced and noticed some time later. Developers must not alter code without using the version control system, because it ensures that all changes are traced. The cost is estimated at around $3,800 for setup plus a $2,670 recurring cost per year, based on 15 hours at $40 per hour to create documentation and set up, and about $23 at 10 minutes daily over 180 working days for three workers to use the version control system.
To make sure that tested code units are not tampered with, there must be a ‘lockdown’ mechanism on finished code units. Locking down finished code units involves storing them in encrypted zip files using a key known only to the Chief Programmers. A message verification code is then produced using an MD5 hash. The zip file and MD5 hash are kept separately and securely. Before the code is deployed, the verification code is checked to make sure that the contents of the zip file have not been tampered with. The estimated cost is about $1,600 to implement, with annual costs of approximately $2,600.00, based on three days at 50 per hour to document and set up, and 1 hour per week at about $50 per hour for locking down established code units.
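A sketch of the lockdown check described above, added here as an illustration and not the clinic's own tooling. It substitutes HMAC-SHA-256 for the bare MD5 hash, because an unkeyed digest can be recomputed by anyone able to alter both the archive and the stored hash, and MD5 is no longer collision-resistant. The archive is left unencrypted because Python's standard zipfile module cannot write encrypted archives; all names and sample contents are constructed.

```python
import hashlib
import hmac
import io
import secrets
import zipfile

# Constructed sample code unit (file name -> contents), not real clinic code.
SAMPLE_UNIT = {
    "billing/calc.py": b"def fee():\n    return 1\n",
    "billing/README.txt": b"tested build, ready for lockdown\n",
}


def build_archive(files):
    """Zip the unit reproducibly: sorted names and a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, files[name])
    return buf.getvalue()


def lockdown_tag(archive, key):
    """Keyed tag over the whole archive (HMAC-SHA-256, hex encoded)."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()


def verify_before_deploy(archive, key, stored_tag):
    """True only if the archive still matches the tag recorded at lockdown."""
    return hmac.compare_digest(lockdown_tag(archive, key), stored_tag)


def md5_matches(archive, stored_md5):
    """The unkeyed check described in the text, kept for comparison."""
    return hashlib.md5(archive).hexdigest() == stored_md5


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held only by the Chief Programmers
    archive = build_archive(SAMPLE_UNIT)   # lockdown time
    tag = lockdown_tag(archive, key)       # stored apart from the archive

    print("untouched archive verifies:", verify_before_deploy(archive, key, tag))

    # Simulate a modified code unit appearing in place of the locked one.
    modified = archive.replace(b"return 1", b"return 2")
    print("modified archive verifies: ", verify_before_deploy(modified, key, tag))

    # With an unkeyed hash, a matching value can be produced without any secret.
    recomputed = hashlib.md5(modified).hexdigest()
    print("modified archive passes recomputed MD5:", md5_matches(modified, recomputed))
```

The deployment step should refuse to proceed unless `verify_before_deploy` returns True, and the key should never be stored alongside the archive or the tag.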
Caballero Gil, C., Molina Gil, J., Hernández Serrano, J., León, O. and Soriano Ibáñez, M., 2014. On the revocation of malicious users in anonymous and non-traceable VANETs.
Srivastava, K.S., Microsoft Technology Licensing LLC, 2015. Detecting a compromised online user account. U.S. Patent 9,117,074.
Gordon, A., Devasahayam, S., Zhao, L., Rouskov, Y., Arewar, P., Gopalakrishnan, V., Subramaniam, S.C. and Miron, T.C., Microsoft Technology Licensing LLC, 2017. Revoking sessions using signaling. U.S. Patent 9,537,851.
LoBean, D., Rodriguez, A.X. and Tewksbury, I.C., International Business Machines Corp, 2012. Controlled user account access with automatically revocable temporary password. U.S. Patent Application 13/091,249.
Chen, Y. and Chou, J.S., 2015. On the Privacy of “User Efficient Recoverable Off-Line E-Cash Scheme with Fast Anonymity Revoking”. IJ Network Security, 17(6), pp.708-711.
Jebalia, M., Letaifa, A.B., Hamdi, M. and Tabbane, S., 2014, July. A revocation game model for secure cloud storage. In High Performance Computing & Simulation (HPCS), 2014 International Conference on (pp. 1016-1017). IEEE.
Patterson, R.D., Sony Interactive Entertainment America LLC, 2013. Network account linking. U.S. Patent 8,388,440.
Jadhav, R. and Varshney, D., EFFICIENT DATA ACCESS CONTROL FOR MULTIAUTHORITY CLOUD STORAGE SYSTEM.
Harkous, H., 2012. Distributed Authentication in Anonymous Mobile Communities (No. EPFL-STUDENT-181757).
Byun, Y.B., Choi, B.S., Choo, H.G., Ju, S.H., Nam, J.H. and Hong, J.W., Electronics and Telecommunications Research Institute, 2013. Domain management method and domain context of users and devices based domain system. U.S. Patent 8,533,858.
Aarthi, P., 2016. A Survey on Cryptographic Role Based Access Control.
Pop, E. and Croitoru, V., 2014, December. Web Based Platform for Mobile Business Services. In ARA Annual Congress Proceedings (pp. 115-125).
Pop, E. and Croitoru, V., 2012, June. Web service based platform for Mobile business. In Communications (COMM), 2012 9th International Conference on (pp. 293-296). IEEE.
Walter, J.D., Vitaldevara, K. and Rodrigues, J.D., Microsoft Corp, 2012. Account Compromise Detection. U.S. Patent Application 13/107,129.