Rapid growth of technology
In the current period, the rapid growth of technology and communications, and above all the large volume of information, have led many companies and organizations to use IT systems to manage and protect their information.
The main objective of this project is to carry out a complete security assessment of the private hospital «Elpis». Firms that allocate their resources effectively to better understand the risks they face can more easily avoid "unexpected" situations and release resources for other directions and profitable activities (e.g. new investments) that would otherwise have been rejected as too dangerous. Therefore, adopting procedures that focus on risk analysis and management can substantially help firms prevent or control risky situations. Once firms have found an efficient way to measure the relationship between their risks and rewards, they can significantly improve their current operations or find new profitable activities.
This project investigates the risks related to the security of the «Elpis» hospital. Specifically, it focuses on the hospital's organization and the sources of operational risk, and it provides a detailed description of the available technologies that can ensure the management and control of these risks. The hospital is located in Athens and has another subsidiary, the «Mitera» hospital, in Chalkida. We know that private hospitals exchange important medical information about their patients. The central IT department, established in Athens, handles services such as patient registration data, patient diagnoses, the management of medical information and other data storage. The IT department of the «Mitera» hospital, on the other hand, is obsolete, with limited ability to send and receive large volumes of data. Therefore, this project aims to investigate all the procedures required to ensure the integrity and confidentiality of the medical information transmitted between the hospitals and the uninterrupted operation of the IT services.
The «Elpis» hospital consists of five departments: the Administrative Department, the Human Resources Department, the Finance Department, the Secretariat and Patient Movement Department and the IT Department, while the «Mitera» hospital is organized into two departments, the Secretariat and Patient Movement Department and the IT Department. We analyse the IT department of the «Elpis» hospital, which employs the head of the IT department, a network administrator, a medical software administrator, a database administrator and an information security administrator. Our analysis identifies rules and practices that can ensure information security in the private hospital. We have also identified significant sources of risk coming from the external environment and from individuals who work in the hospital. The results of this report can be used to improve the security of medical information and to minimize the possible risks.
Next, we present the technological solutions that the hospital can adopt at a total financial cost of EURO 5000. They include an Intrusion Detection System (IDS), antivirus, anti-spyware and anti-adware software and a firewall, the implementation of RAID 5, automatic fire detection mechanisms, an emergency generator UPS, automatic air conditioning control, a user policy and a password policy.
Description of the company’s IT infrastructure
In this section, we present the organizational structure of the «Elpis» and «Mitera» hospitals as well as the software part of their network. We continue our analysis using the CRAMM methodology in order to uncover the threats and vulnerabilities of the IT departments. Finally, we present possible solutions to the risks relevant to the operation of the IT department. The private hospital «Elpis» is located in Athens in a building of three floors. On the first floor are the hospital's administration and a computer room with the IT equipment. On the second floor are the pathology and surgical clinics, the secretariat of the clinics and the medical library. The third floor accommodates the cardiology clinic, its secretariat and the telemedicine room. All the offices on each floor are connected to the same LAN.
The organisational structure of the private hospital «Elpis» consists of five departments:
- The Administrative Department: has overall administrative responsibility for the hospital. It applies the strategic decisions and rules taken by the administrative council. It aims to allocate responsibilities to employees appropriately and to provide the best possible working environment. It is responsible for handling complaints and for implementing the regulations.
- The Human Resources Department: handles every matter relating to the official status of the hospital staff, as well as the monitoring, organization and control of the personnel of all the hospital's services.
- The Finance Department: studies the economic needs of the hospital and contributes to preparing its budget; makes expenditures, settles personnel receipts and other compensation, and handles the procurement, management and storage of the supplies and materials needed to operate the hospital; prepares the balance sheet and assessment; is responsible for safeguarding the hospital's assets; and keeps economic and statistical records.
- The Secretariat and Patient Movement Department: handles every matter relating to the organization of secretarial support in accordance with the decisions of management and the other services of the hospital. It issues admission tickets for patients and maintains the admission waiting list. It also keeps detailed statistics of patient movement and issues certificates to patients on submission of the relevant application.
- The IT Department: is responsible for the organisation and operation of computerisation, the processing and maintenance of computerized statistical data, and the provision and distribution of information to the hospital's services, to the Ministry of Health, Welfare and Social Welfare and to other relevant bodies, as well as for any other relevant work. It is responsible for researching new technologies with the aim of saving money and increasing the hospital's productivity. It provides technical support and training to hospital employees for each technology or program in use. It is also responsible for the security of IT programs and IT hardware.
The IT infrastructure of the «Elpis» hospital consists of the servers, which run the medical application and other services and store all the data; the network equipment (Ethernet switches), which connects the computer room servers with the personal computers of the hospital staff; and the firewall, which is configured by the network administrator and monitors the data traffic between the hospital and the Internet according to specific criteria. Figure 1 presents the topology of the system.
Hardware of Hospital “Elpis”:
A Router (1 piece): the router is the device that connects the hospital's workstations to the network. It connects the local network of the hospital with the Internet over a leased line of 4 Mbps.
Firewall (1 piece): a firewall is a device or software that prevents unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. It is used to deter unauthorized Internet users from accessing private networks. The firewall also controls the movement of data in the region it is responsible for.
Switch (4 pieces): a hardware device used to connect different components in the same network. Switches cut out useless traffic and allow an affordable, high-performance network. A switch can be used to split the physical LAN into two smaller LANs; in the hospital's network this is how the physical LAN is split in two. A central switch is connected with three other switches that connect the workstations, while another switch connects the servers.
Database Server (1 piece): a database server is a machine used by one or more other machines as their database. By using a database server, the hospital users can manage and organize the medical data.
Web Server (1 piece): a web server is a computer that allows other computers to access the files it manages, using HTTP (Hyper Text Transfer Protocol). Note that the web server administrator has ultimate control of the server, unlike an ordinary user. The hospital uses the Apache server.
Mail Server (1 piece): a mail agent receives e-mail from local users (incoming) and delivers it to outbound recipients. A computer dedicated to running such applications is also called a mail server. The transfer of medical results from the "Mitera" hospital to the "Elpis" hospital is made via e-mail.
Backup Server (1 piece): a backup server is a way to save important medical files into a single compressed file. It is affordable, and the compressed file can be transferred to another computer or hard drive. In addition, the backup server can administer the tape backup machine.
Tape Backup Machine (1 piece): the backup machine provides the easiest way to back up critical folders and files, with access to local and network directories. The tape should be replaced at regular intervals and stored in a sheltered place.
Workstation PC (50): each office holds one or more desktop PCs, used only for access to internal services and for development.
Software of Hospital “Elpis”:
Microsoft Exchange Server 2003
Windows XP Professional
The «Mitera» hospital has a Secretariat and Patient Movement Department, the pathology clinic and the IT department. The medical information (patient data, patient diagnoses, etc.) is exchanged between the hospitals through web hosting or e-mail. Communication is over a 4 Mbps ADSL line. The technical characteristics (see figure 2) of the «Mitera» hospital are the same as those of the «Elpis» hospital.
Hardware of «Mitera» Hospital:
- A Router (1 piece),
- Firewall (1 piece)
- Switch (4 pieces)
- Mail Server (1 piece)
- Web Server (1 piece)
- Storage Devices (1): used to store the medical data. The storage devices are among the most important components of the computer system.
- Workstation PC (5)
The members of the group will undertake the risk analysis at the Chalkis hospital. They should be trained in project risk analysis in order to fulfil their goal. Specifically, the team has the following members:
- Director of Management: has overall responsibility for the success of the project. He is responsible for the proper organization of the team and ultimately for assessing the risk analysis.
- Chief: is responsible for organizing the team members and for evaluating the work of each team member. He is responsible for implementing the risk management program.
- System and Information Managers: are responsible for the integrity and availability of the systems and information.
- Security Department: is responsible for the security programs and for identifying risks and eliminating them using the risk analysis.
- Security Practitioners: are responsible for evaluating the security requirements of each IT system.
In the previous section we described the organizational and information structure of the «Elpis» and «Mitera» hospitals. Now we describe the assets, which are classified into three categories: a) software assets, b) hardware assets and c) data assets.
A system can be characterized as reliable and safe when it provides: a) confidentiality: access is given only to authorized persons, who have access to important information (medical information, personal patient data); b) availability: the service that the IT facilities provide should be uninterrupted; c) integrity: the system should be able at any time to provide reliable information, and the information should not be altered by unauthorized persons.
The hospital manages important medical information. Thus, access to the internal network should not be unrestricted, and the communication between the hospitals should be characterized by security and reliability.
The data assets of the private hospital «Elpis» can include the following:
- Patient Records: patient personal data (patient medical history)
- Personnel Records: staff personal data
- Financial Records: financial data concerning both hospitals
- Statistical records: statistical data related to the number of surgeries, patient admissions, deaths, etc.
In this project, we perform a risk analysis and management for two data assets, the patient files and the statistical data.
This category contains the physical assets, such as equipment, facilities and buildings. We focus our analysis on hardware assets. Specifically, the hardware assets of the «Elpis» hospital are the following:
- Application server: it is the most important part of the system. The medical application is installed on the application server, where the medical data processing takes place. Moreover, other staff and financial applications are installed on the application server.
- Database server: it makes it possible for the different software applications to request information and to update and delete data.
- Backup server: it provides access to the various data saved in the system: medical data, patient personal data, staff data and other general hospital data.
- Mail server: it facilitates the exchange of mail between the «Elpis» hospital and the hospital in Chalkida.
We also perform a risk analysis and management for the most important hardware assets: the application server and the database server.
This category contains the software that the hospital staff use for data processing. The software assets of the private hospital «Elpis» can be divided into:
- Staff Software: applications that manage the data of the hospital staff. They allow new records to be created and existing records to be deleted and modified.
- Patient Folder Software: applications that manage data relevant to the patients (personal data, patient medical history).
- Statistical Analysis Software: applications that process statistical data and help in the creation of the annual reports.
DETERMINATION OF COUNTERMEASURES
The previous section analysed the threats and vulnerabilities for each asset (figure 3). In this section we analyze the countermeasures that should be taken for each threat. In addition, we propose technical solutions relating to the physical and hardware part as well as to the architecture and security policies. The countermeasures should be applied to such a degree that the hospital operates in a fault-tolerant manner.
Each employee will have the appropriate privileges in the system, according to the work he performs. The password policy should be changed: users must renew their password once a month and use strong passwords. For devices that contain important medical information the password should be changed once a week, and the rights of the user accounts should be reviewed by managers every two weeks. As a reference, the user policy should describe the rules that will prevent the user from illegal operations (even accidental ones), with the aim of protecting the confidentiality of data.
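The user and password policy above can be checked mechanically rather than by reading account lists by hand. The following is an added example, not part of the original report: it takes the thresholds the report states (password renewal once a month, once a week on devices holding medical information, rights review every two weeks) and audits a set of constructed accounts against them, including a least-privilege check of each account's rights against its role. The account records, role names, privilege names and the password-strength rule are assumptions made for this example.

```python
"""Added example: audit of the user and password policy described above.
Thresholds come from the report (30-day rotation, 7-day rotation on devices
holding medical information, rights review every two weeks); the accounts,
roles and privilege names are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date

PASSWORD_MAX_AGE_DAYS = 30            # "renew the password once a month"
SENSITIVE_PASSWORD_MAX_AGE_DAYS = 7   # "changed once a week" on sensitive devices
RIGHTS_REVIEW_INTERVAL_DAYS = 14      # "reviewed by managers every two weeks"

# Hypothetical least-privilege baseline: the privileges each role may hold.
ROLE_PRIVILEGES = {
    "secretary": {"patient_admission", "waiting_list"},
    "doctor": {"patient_record_read", "patient_record_write"},
    "dba": {"db_admin", "patient_record_read"},
}


@dataclass
class Account:
    username: str
    role: str
    privileges: set
    last_password_change: date
    last_rights_review: date
    on_sensitive_device: bool = False


def is_strong_password(password: str, min_length: int = 12) -> bool:
    """Assumed strength rule: minimum length plus three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= min_length and present >= 3


def audit_account(acct: Account, today: date) -> list:
    """Return the list of policy findings for one account (empty = compliant)."""
    findings = []
    max_age = (SENSITIVE_PASSWORD_MAX_AGE_DAYS if acct.on_sensitive_device
               else PASSWORD_MAX_AGE_DAYS)
    password_age = (today - acct.last_password_change).days
    if password_age > max_age:
        findings.append(f"password age {password_age}d exceeds {max_age}d")
    review_age = (today - acct.last_rights_review).days
    if review_age > RIGHTS_REVIEW_INTERVAL_DAYS:
        overdue = review_age - RIGHTS_REVIEW_INTERVAL_DAYS
        findings.append(f"rights review overdue by {overdue}d")
    # Any privilege outside the role baseline is a least-privilege violation.
    excess = acct.privileges - ROLE_PRIVILEGES.get(acct.role, set())
    if excess:
        findings.append("privileges beyond role: " + ", ".join(sorted(excess)))
    return findings


def audit_accounts(accounts, today: date) -> dict:
    """Map each username to its findings; managers review the non-empty entries."""
    return {acct.username: audit_account(acct, today) for acct in accounts}


# Constructed sample accounts (not real hospital data).
AUDIT_DATE = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("msmith", "secretary", {"patient_admission", "waiting_list"},
            date(2024, 2, 10), date(2024, 2, 20)),
    Account("dpapas", "doctor", {"patient_record_read", "patient_record_write"},
            date(2024, 2, 20), date(2024, 2, 25), on_sensitive_device=True),
    Account("jsec", "secretary", {"patient_admission", "db_admin"},
            date(2024, 1, 15), date(2024, 1, 20)),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

Run as a script it prints one line per account; in practice the account records would be exported from the directory or the medical application's user table, and the non-empty findings form the list the managers review every two weeks.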
The company should implement a backup policy in order to store important medical information (patient files) and data associated with the company (company and personal information). Backups are essential because there is a danger of losing important data through equipment failure, external threats or human error (deliberate or accidental). The backup will be made every day, at a time when the workload of the hospital is small. A monthly backup should also be created and stored in a separate location, in case the initial copies are destroyed by a natural disaster, equipment damage or human error. The data storage will be implemented with RAID 5, because the price of disks has fallen significantly and the cost of implementing RAID 5 is now within most organisations' budgets.
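To show what the RAID 5 choice buys and what it does not, the following added example (not part of the original report) stripes a constructed record across several simulated disks with rotating XOR parity, destroys one disk, rebuilds it from the survivors and reads the data back intact. The block size, the disk count and the simplified rotating-parity layout are assumptions for illustration, not any particular controller's scheme.

```python
"""Added example: how RAID 5 tolerates the loss of one disk, illustrating the
storage choice described above. Block size and disk count are constructed
parameters; the striping layout is a simplified rotating-parity scheme."""

BLOCK_SIZE = 4  # bytes per block, kept tiny so the stripes are easy to inspect


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int):
    """Stripe data across n_disks with one parity block per stripe.
    Returns a list with one list of blocks per disk."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_blocks_per_stripe = n_disks - 1
    stripe_bytes = BLOCK_SIZE * data_blocks_per_stripe
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
                  for i in range(data_blocks_per_stripe)]
        parity = xor_blocks(blocks)
        parity_disk = s % n_disks          # parity rotates across the disks
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def raid5_rebuild(disks, failed: int):
    """Recompute every block of the failed disk by XORing the surviving disks."""
    survivors = [d for d in range(len(disks)) if d != failed]
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the data (skipping parity blocks) and trim the padding."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def simulate_disk_loss(data: bytes, n_disks: int, failed: int) -> bytes:
    """Write, lose one disk entirely, rebuild it, and read the data back."""
    disks = raid5_write(data, n_disks)
    disks[failed] = None                      # the disk is gone
    disks[failed] = raid5_rebuild(disks, failed)
    return raid5_read(disks, len(data))


# Constructed sample content, not a real patient record.
SAMPLE_RECORD = b"patient 0042: blood test normal, follow-up in 3 months"

if __name__ == "__main__":
    print(simulate_disk_loss(SAMPLE_RECORD, 4, 2) == SAMPLE_RECORD)
```

The rebuild works because each stripe's parity is the XOR of its data blocks, so any single missing block is the XOR of the rest. Note what the example does not do: a deletion or a corrupted write is striped to the array just as faithfully as good data, which is why the daily and monthly backups in the policy above are still needed alongside RAID 5.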
A measure that must be taken is the installation of an emergency generator UPS, which will ensure the continuous operation of the IT equipment even if problems arise at the central UPS. The emergency generator UPS should also be connected to the cooling system of the computer room.
The computer room has a simple cooling system which may not ensure the proper operation of the IT systems. The most effective measure is the installation of a complete cooling system with automatic air conditioning control, with the aim of minimizing the risk of a sudden increase in temperature.
The confidentiality and integrity of data are an important part of the hospital. The installation of an IDS device provides monitoring of the network and detection of intrusions that may come from either inside or outside the hospital, and it detects violations of the security policies. An IDS can also produce reports on these events.
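The two kinds of IDS detection named above, intrusion attempts from outside and violations of the internal security policy, can be illustrated with a small rule engine run over log lines. The following is an added example, not the report's own tooling or any product's logic: it parses constructed firewall-style log lines, raises an alert when one source produces too many failed logins inside a short window, and raises a policy alert when a host outside the computer-room subnet connects directly to the database server. The log format, the addresses, the thresholds and the allowed-subnet rule are all assumptions made for this example.

```python
"""Added example: two IDS rules (external brute-force attempts and internal
policy violations) over constructed log lines. Log format, addresses,
thresholds and the allowed-subnet rule are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"event=(?P<event>\S+)(?: user=(?P<user>\S+))?$"
)

FAIL_THRESHOLD = 5                              # failed logins from one source ...
FAIL_WINDOW = timedelta(seconds=60)             # ... within this window
DB_SERVER = ip_address("10.0.0.20")             # hypothetical database server
DB_PORT = 1433                                  # hypothetical database port
ALLOWED_DB_CLIENTS = ip_network("10.0.0.0/24")  # hypothetical computer-room subnet

# Constructed log lines: an external brute-force attempt, a workstation
# reaching the database server directly, and ordinary traffic.
SAMPLE_LOG = """
2024-03-01T02:14:05 src=203.0.113.7 dst=10.0.0.20 port=22 event=auth_fail user=root
2024-03-01T02:14:07 src=203.0.113.7 dst=10.0.0.20 port=22 event=auth_fail user=root
2024-03-01T02:14:09 src=203.0.113.7 dst=10.0.0.20 port=22 event=auth_fail user=admin
2024-03-01T02:14:12 src=203.0.113.7 dst=10.0.0.20 port=22 event=auth_fail user=admin
2024-03-01T02:14:15 src=203.0.113.7 dst=10.0.0.20 port=22 event=auth_fail user=backup
2024-03-01T02:14:20 src=203.0.113.7 dst=10.0.0.20 port=22 event=auth_fail user=backup
2024-03-01T08:00:10 src=10.0.1.12 dst=10.0.0.30 port=80 event=auth_fail user=nurse1
2024-03-01T08:03:40 src=10.0.1.12 dst=10.0.0.30 port=80 event=auth_fail user=nurse1
2024-03-01T08:05:02 src=10.0.1.12 dst=10.0.0.30 port=80 event=auth_ok user=nurse1
2024-03-01T09:30:00 src=10.0.0.5 dst=10.0.0.20 port=1433 event=conn
2024-03-01T10:05:11 src=10.0.1.33 dst=10.0.0.20 port=1433 event=conn
2024-03-01T10:06:00 src=10.0.1.33 dst=10.0.0.30 port=80 event=conn
""".strip().splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["src"] = ip_address(event["src"])
    event["dst"] = ip_address(event["dst"])
    event["port"] = int(event["port"])
    return event


def detect_brute_force(events) -> list:
    """Alert once per source that fails FAIL_THRESHOLD logins inside FAIL_WINDOW."""
    failures = defaultdict(list)
    for event in events:
        if event["event"] == "auth_fail":
            failures[event["src"]].append(event["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over timestamps
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append(f"brute-force: {src} {end - start + 1} failed logins "
                              f"within {FAIL_WINDOW.seconds}s")
                break
    return alerts


def detect_policy_violations(events) -> list:
    """Alert on database connections from outside the allowed subnet."""
    return [f"policy: {e['src']} connected to the database server from outside "
            f"{ALLOWED_DB_CLIENTS}"
            for e in events
            if e["dst"] == DB_SERVER and e["port"] == DB_PORT
            and e["src"] not in ALLOWED_DB_CLIENTS]


def analyse(lines) -> list:
    """Run both rules and return the combined alert list (the IDS report)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return detect_brute_force(events) + detect_policy_violations(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The nurse's two failed logins followed by a success stay below the threshold and produce nothing, and the application server's connection to the database is within the allowed subnet, so the report contains exactly the two events a reviewer would want to see. A real deployment would feed the engine from the firewall and server logs and tune the thresholds to the hospital's traffic.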
In addition, a measure that must be taken is the installation of complete fire protection equipment in all the spaces of the hospital (patient rooms, offices, computer room). The fire system will be able to detect smoke or fire and, more generally, changes in temperature, and in case of emergency it will have a telephone connection to the local fire station and the police.
The education and training of the hospital staff in safety, confidentiality and organisational issues should take place every 2 months. In this way the hospital staff acquire a sense of personal responsibility and the necessary skills.
Finally, software applications should be installed to protect the hospital's network from malicious programs. The antivirus and anti-spyware program will be installed on a server, with a view to automatically installing and updating the antivirus programs on each workstation.
The main objective of this report was to evaluate the security of the private hospital "Elpis" using the method of risk analysis. The hospital has implemented some measures for the correct and safe operation of its hardware and software, but these measures do not cover many of the threats.
The most important areas that the hospital should provide for are the confidentiality, integrity and availability of data. These areas should be applied to a greater degree in the user policy and the security policy. Specific technologies that ensure the proper functioning of the hospital should also be implemented. Access to sensitive patient information and medical research should be specifically protected from unauthorized persons. Finally, equipment is suggested to help in case of emergency.