Hospitals are very complex institutions in which information is very important and one of the core valuable aspects of the system. Information security plays a vital role in securing patients' confidential medical records and handling the communications between different departments. Nevertheless, many hospitals have suffered from hacker attacks and data breaches for many years (i.e., NHS WannaCry, 2016).

Discuss confidentiality, integrity, and availability and explain the expected authentication and non-repudiation challenges in a hospital environment and how to address them.

The hospital information system has become an integral part of health care. It is linked to health informatics, which focuses mainly on the administrative functioning of hospitals and clinics. It is a comprehensive information system designed to deliver every administrative operation in the healthcare industry.

Hospital information systems in recent years have evolved into digital systems involving computers, instead of older methods such as filing cabinets and paper. A computerized health information system is made up of steps such as data input, processing, outputs, and boundary. The computer system receives the health data, which is then processed to finally produce the specified outputs, and there are predefined boundaries that influence the outputs.

A hospital organisation will also contain non-technical aspects of security. A hospital will have problems such as employee risk and personnel security. Some examples of employee risk are human error, fraud, misuse of sensitive information and sabotage.

Human error can be a big problem within a big organisation such as a hospital. Any hospital has a lot of people working there and will have a lot of problems when humans are involved. A human could enter data incorrectly or could forget something important. Humans make mistakes, and this must be considered because it can potentially be a problem, yet it sometimes cannot be controlled.
There are, however, ways to mitigate against human error. Some countermeasures to mitigate against these problems could be:

• Provide a clear definition and structure of authority
You must make a record of who is responsible for what and where it is. A hierarchical system must be put in place to keep track of which people are in charge of what.

• Ensure any type of fraudulent behaviour requires collaboration
This makes sure there must be two members of staff present whenever anything that could be tampered with is taking place.

• Rotate people within roles and responsibilities
Rotating roles and responsibilities will make sure the same person can't make the same mistake repeatedly.

C1402047 Information Security Coursework, page 3

Confidentiality, integrity, and availability

Several studies have been carried out in the last decade to assess the patient safety situation in hospitals and to monitor the effectiveness of the different methods adopted to enhance patient safety. Confidentiality, integrity, and availability (CIA) are the three basic concepts of security concerning computer systems.

Confidentiality

Loss of confidentiality takes place when access to information is given (read or copied) to individuals not authorised to access that information. Confidentiality of information can be compromised when it is shared or present on an insecure network. Confidentiality can be achieved by using access control and authentication techniques. Confidentiality plays a big part in the hospital as there is a lot of valuable data that must be kept under proper management. The NHS works under 4 acts; the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act, and the Human Rights Act. A hospital works under strict supervision to keep the data and information about patients hidden under serious security.
This information cannot be shared and must be kept confidential both for the patient's sake and to protect the NHS.

Integrity

Integrity is important, especially regarding hospitals and their information. Loss of integrity can result in information being inaccessible or erased, thus being unavailable to the people authorised to get it when needed. Loss of integrity results from unexpected modification of information. Loss of integrity takes place when unauthorised alterations of information are made, either through intentional tampering or human error.

Availability

Availability can be regarded as the most vital attribute in the hospital business related to information-dependent services (such as patient records or medicine inventory systems). Network availability itself becomes the most important aspect as the business depends highly on network connections. Users experience a denial of service when they try to gain access to the specific network or services granted on a particular network.

Develop a security policy in an organization to cover the use of employees' own smartphones at work

Just as with PCs and laptops, it is up to the user to ensure smartphones are secure. This is despite the updates that iPhone and Android automatically provide. A report by the Telegraph points out that "all of the top 100 paid-for Android apps and 56% of the top 100 paid-for Apple iOS apps have been hacked." It is important to remember that while technology companies can develop and adapt to new threats, hackers also develop new ways to get into devices. These hackers can break into a device in 30 seconds with the right equipment, and the right equipment is becoming much easier to acquire.

There are, however, ways to counteract the effects of using personal devices in the workplace. IT departments can put in place strict regulations with regards to the security of portable devices and the usage of such devices when utilising business networks and Wi-Fi systems.
Businesses can also enforce strict usage policies, all of which should be included in an employee handbook and regularly reviewed. If such guidelines are followed then smartphones become a highly useful tool within the workplace, rather than a high-level cyber security risk.

Using this policy

One of the challenges facing IT departments today is securing both privately owned and corporate mobile devices, such as smartphones and tablet computers. This policy is intended to act as a guideline for a hospital to implement or update their mobile device security policy.

Background to this policy

The most common challenge is that users do not recognise that mobile devices represent a threat to IT and data security. As a result, they often do not apply the same security and data protection guidelines as they would on other devices such as desktop computers.

The second challenge is that when users use their own devices they often give greater weight to their own rights on the device than to their employer's need to protect data.

This policy gives a framework for securing mobile devices, and should be linked to other policies which support the hospital's stance on IT and data security.

1. Introduction

Mobile devices can be important tools for the doctors and nurses at the hospital and their use is supported to achieve business goals.

However, mobile devices also represent a significant risk to information security and data security as, if the appropriate security applications and procedures are not applied, they can be a conduit for unauthorised access to the hospital's data and IT infrastructure. This can subsequently lead to data leakage and system infection.

Any hospital has a requirement to protect its information assets in order to safeguard its patients, intellectual property and reputation. This document outlines a set of practices and requirements for the safe use of mobile devices.

2. Scope

1. All mobile devices, whether owned by the hospital or owned by employees, that have access to corporate networks, data and systems, not including corporate IT-managed computers. This includes smartphones and, if used, tablet computers.
2. Exemptions: Where there is a need to be exempted from this policy (too costly, too complex, adversely impacting other hospital requirements) a risk assessment must be conducted and authorised by security management.

3. Policy

3.1 Technical Requirements

1. Devices must use the following operating systems: Android 4.4 or later, iOS 8 or later.
2. Devices must store all user-saved passwords in an encrypted password store.
3. Devices must be configured with a secure password that complies with the hospital's password policy. This password must not be the same as any other credentials used within the hospital.
4. With the exception of those devices managed by IT, devices are not allowed to be connected directly to the internal network.

3.2 User Requirements

1. Users must only load data essential to their role onto their mobile device(s).
2. Users must report all lost or stolen devices to hospital IT immediately.
3. If a user suspects that unauthorised access to hospital data has taken place via a mobile device, the user must report the incident in alignment with the hospital's incident handling process.
4. Devices must not be "jailbroken" or have any software/firmware installed which is designed to gain access to functionality not intended for the user.
5. Users must not load pirated software or illegal content onto their devices.
6. Applications must only be installed from official platform-owner approved sources. Installation of code from untrusted sources is forbidden. If you are unsure whether an application is from an approved source, contact IT.
7. Devices must be kept up to date with manufacturer or network provided patches. As a minimum, patches should be checked for weekly, and applied at least once a month.
8. Devices must not be connected to a PC which does not have up-to-date and enabled anti-malware, spyware and virus protection, and which does not comply with corporate policy.
9. Devices must be encrypted in line with the hospital's compliance standards.
10. Users must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that hospital data is only sent through the hospital email system. If a user suspects that hospital data has been sent from a personal email account, either in body text or as an attachment, they must notify IT immediately.
11. (If applicable) Users must not use hospital workstations to back up or synchronise device content such as media files unless such content is required for legitimate hospital business purposes.

The policy and a risk assessment for the hospital are important because they can help mitigate any issues that might arise within the hospital. Risk assessments are very important as they form an integral part of an occupational health and safety management plan. They help to:

• Create awareness of hazards and risk.
• Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
• Determine whether a control program is required for a hazard.
• Determine if existing control measures are adequate or if more should be done.
• Prevent injuries or illnesses, especially when done at the design or planning stage.
• Prioritize hazards and control measures.
• Meet legal requirements where applicable.

Describe an attack that may occur to the hospital

One in three people had their health records breached and this number is predicted to continue to increase as the number of data entry points to a patient's medical record grows. For every opportunity for automation, there is also an increased security risk. Over the past year, there have been several types of visible cyber-attacks on health systems.
The main reason for the increase in cyber-criminals targeting the healthcare industry is the ease with which hackers can pull vast amounts of personal data from aged systems that lack necessary security features.

Data breaches are major threats to hospital security that come in various forms. They include cases involving criminal hackers wanting to steal protected health care data, a form of medical identity theft. In other instances, a health worker can view patient records without authorisation.

Data breaches in the healthcare system are increasing at an alarming rate and are becoming quite widespread. Therefore, hospitals, clinics, and other health care organisations have to become more careful regarding the protection of sensitive information about patients, financial matters or other important data.

Hospital and clinic security can be enhanced by using smart technologies, educating the employees, and increasing the physical security of the buildings.

An attack that could happen to a hospital would be similar to the WannaCry attack that hit the NHS in 2017. A massive ransomware attack struck 16 hospitals across the United Kingdom and shut them down. The attack froze systems and encrypted files. When employees tried to access the computers, they were presented with a demand for $300 in bitcoin, a classic ransomware tactic.

The attack caused problems from cancelled appointments to general disarray, as many hospitals were left unable to access basic medical records. It even forced one hospital to cancel all non-urgent operations. According to a statement from the NHS, the culprit was a ransomware known as the Wanna Decryptor (also known as WannaCry).
While operations at the hospitals had been severely impacted, there was no indication that patient data had been compromised.

According to researchers, the attack makes use of an exploit called EternalBlue, believed to have been developed by the NSA to break through Windows security. Microsoft issued an update to protect against the vulnerability more than a month before the Shadow Brokers made it public, but the update didn't make it to every Windows machine, and it's plausible the systems targeted were still unpatched.

As stated above, this attack caused many problems within the hospital system: appointments being cancelled, hospitals shutting down and more serious procedures having to be cancelled. This attack mainly focuses on encrypting files and not releasing them until either the ransomware is removed or the ransom is paid.

Hospitals are a prime target for hackers, but providers can take steps to ensure their systems are better protected against ransomware and other cyber threats. The government has taken steps at the national level to improve cybersecurity, but hospital leaders can also encourage staff to engage in simple ways to prevent cyberattacks. Hospital organisations can take steps to protect themselves, such as:

• Ensure that internet browsers, computer operating systems and applications are updated regularly
• Use strong, hard-to-guess passwords
• Don't open links or attachments that seem suspicious or come from unfamiliar sources
• Back up important files on a routine basis
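As an added example that is not part of this coursework, the technical and user requirements of the mobile device policy in section 3, together with the regular-patching advice given above for WannaCry, can be turned into an automated compliance check of the kind an MDM platform runs. The device record fields, the sample devices and the "today" date are constructed assumptions; the clause numbers refer to the policy above.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    name: str
    platform: str              # "android" or "ios"
    os_version: str            # dotted version string, e.g. "4.4.2"
    encrypted: bool            # clause 3.2.9
    jailbroken: bool           # clause 3.2.4
    managed_by_it: bool        # clause 3.1.4
    on_internal_network: bool  # clause 3.1.4
    last_patch_check: date     # clause 3.2.7: checked for at least weekly
    last_patch_applied: date   # clause 3.2.7: applied at least monthly

# Minimum operating system versions from clause 3.1.1 (Android 4.4, iOS 8).
MIN_OS = {"android": (4, 4), "ios": (8,)}

def parse_version(text):
    """'4.4.2' -> (4, 4, 2); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))

def evaluate(dev, today):
    """Return (clause, reason) pairs for every policy rule the device fails."""
    findings = []
    minimum = MIN_OS.get(dev.platform)
    if minimum is None:
        findings.append(("3.1.1", f"platform {dev.platform!r} is not Android or iOS"))
    elif parse_version(dev.os_version) < minimum:
        findings.append(("3.1.1", f"{dev.platform} {dev.os_version} is below the minimum"))
    if dev.on_internal_network and not dev.managed_by_it:
        findings.append(("3.1.4", "unmanaged device connected to the internal network"))
    if dev.jailbroken:
        findings.append(("3.2.4", "device is jailbroken or rooted"))
    if (today - dev.last_patch_check).days > 7:
        findings.append(("3.2.7", "patches not checked for in the last week"))
    if (today - dev.last_patch_applied).days > 31:
        findings.append(("3.2.7", "patches not applied in the last month"))
    if not dev.encrypted:
        findings.append(("3.2.9", "device storage is not encrypted"))
    return findings

TODAY = date(2017, 6, 1)  # constructed reference date for the sample devices
COMPLIANT = Device("ward-tablet-01", "ios", "10.3.2", True, False, True, True,
                   date(2017, 5, 29), date(2017, 5, 20))     # constructed sample
NONCOMPLIANT = Device("byod-phone-07", "android", "4.3", False, True, False, True,
                      date(2017, 4, 1), date(2017, 2, 1))    # constructed sample
if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        print(dev.name, evaluate(dev, TODAY) or "compliant")
```

Each finding carries the clause it violates, so the output can be mapped straight back to the policy text when following up with the device owner.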