
Sunday, May 26, 2019

ABC Healthcare Company Essay

Healthcare companies, like ABC Healthcare, that operate as for-profit entities are facing a multitude of challenges. The regulatory environment is becoming more restrictive, viruses and worms are growing more pervasive and damaging, and ABC Healthcare's stakeholders are demanding more flexible access to their systems.

The healthcare industry is experiencing significant regulatory pressures that mandate prudent information security and systems management practices. Furthermore, the continued pressure to reduce cost requires that management emphasize streamlining operations, reducing management overhead and minimizing human intervention. The regulatory focus at ABC Healthcare is on the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX). Both pieces of legislation highlight the need for good systems administration and controls, but focus on different aspects of the business. The main focus of HIPAA is to protect personally identifiable health information, while SOX is concerned with data that impacts financial reporting. Violations may be met with both civil and criminal penalties. Therefore, the company must be ever watchful of new threats to their systems, data, and business operations.

The most prevalent security related threat to on-going business operations is the continued development and propagation of viruses and worms. Virus and worm prevention or containment is a vital component of the overall risk mitigation strategy. Virus and worm outbreaks have multiple cost aspects for the company, including lost patient charges due to system unavailability, lost productivity because of recovery efforts due to infection, and potential regulatory impacts depending on the virus or worm payload.
However, the company must balance risk with opportunities in order to serve the stakeholders and grow the business. ABC Healthcare's stakeholders include multiple groups that depend on or need access to clinical and/or financial systems in order to help support and grow the company. The access requirements and associated risk model vary by user group. The main access groups are internal only users (i.e. nurses, hourly employees, etc.), internal/remote users (i.e. salaried employees, doctors, etc.), and business partners (i.e. collection agencies, banks, etc.). Risk mitigation solutions must be developed for each user group to help ensure that the company recognizes the benefit that each group brings and to minimize the risk to business operations. The high-level management goals of the network design implementation are as follows:

- Support the business and balance security requirements without introducing significant overhead and complexity
- Maintain and enhance security without significantly increasing management overhead or complexity
- Implement systems that are industry supported (standards where appropriate), scalable, and fault-tolerant
- Ensure that the design is implemented to help ensure compliance with any and all applicable regulations

Proper management of access control for legitimate users and malicious users is of the utmost importance for the security of the ABC Healthcare management system. The threat is not limited to outside malicious users but also includes legitimate users engaged in illegitimate activity.

Based on the above description you are to provide a recommendation of how you would address each of the following ABC Healthcare computer network security requirements. Note, whereas cost is typically an important factor, this is not a consideration for this case analysis. Therefore, you do not need to include cost estimates.
Your solution should have the right feel, despite the lack of depth or detail necessary to be accepted by upper management. Be specific in your answers. Write them as if you were writing a proposal to your boss. You do not need to include citations. Since you are developing a solution to a specific circumstance, material that is copied from an outside source will not likely fit, so everything should be in your own words.

1. Describe your vision for addressing the security requirements in the overall technical design of the ABC Healthcare network. This should include both internal and external (untrusted and trusted) aspects. Untrusted would include user connectivity to the Internet. The trusted network has the main purpose of supporting the business needs of known entities (i.e. partners, suppliers, etc.) which have a business relationship with the company. Note that you are to concentrate on the high level, and you are not expected to provide low level details for your recommended design. (40 points)

A threat is defined as "a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm" (Stallings & Brown, 2008, p. 13). In essence a threat is a possible danger that may reveal vulnerabilities. There are more threats associated with online services, especially when you add in personal information.
The first threat to ABC Healthcare that should be identified is the continued development and propagation of viruses and worms. In the development phase of the network design, program managers have to ensure not only that there will be antivirus software which will be run continuously (maybe a network scan done daily after hours) but also that there are intrusion prevention and intrusion detection systems (IPS/IDS) in place that would detect network intrusions. A simple antivirus software like McAfee is easy to use and will not drastically increase their budget, which in my opinion would be the first balanced approach. Although they may have to pay a little more for other services to ensure a proper IPS or IDS, many companies (including the Navy) use Snort, which is an open source product.

Another area that will have to be identified deals with both trusted users and untrusted users, and that is unauthorized disclosure, which in essence is the ability for someone to gain access to information which they shouldn't be allowed to view. This does not always have to be malicious in nature, as it could simply be a glitch in the system which allows a user the ability to view others' information indirectly.

We also can't rule out the threat of deception; when dealing with medical information you want to ensure a patient's privacy is kept as just that, private. To gain access, hackers can pose as someone who should have access to a system. This could be accomplished by simply calling a help desk, providing them with information and having them reset your password (which is one reason why I am glad we finally did away with the infamous mother's maiden name security question, well, for the most part).
The third threat would be disruption, which would challenge system availability and in some cases the integrity of the system. This threat could be carried out in numerous ways; one would be a denial of service attack which would prevent users from accessing the website. Some more basic disruption techniques could be simply damaging network devices or even theft. Overall, to prevent or reduce such threats ABC Healthcare will have to take the defense-in-depth strategy (people, technology, operations) into consideration.

A vulnerability is "a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy" (Stallings & Brown, 2008, p. 13). One example of a vulnerability to this system would be system performance. A slow running network is just as useless as one that is unavailable, and as such will usually result in users opting to find other means to conduct business. Although I can understand the importance of keeping the cost of network security low, at times you will have to remind yourself that you get what you pay for. It is paramount that ABC ensures they have well trained and qualified IT personnel to run their networks (hence my further education into the cybersecurity field).

Not only do you have to ensure you have qualified and well trained IT support personnel, you have to ensure that each user (employee) that is using the system is well trained. The biggest threat to a network system is the end user; as such, they should be trained as to what to look out for, such as social engineering.
Social engineering could be simple questions asked to a user that they feel are innocent in nature but really provide information to someone who they think would be using the information to help them, but who in essence is using the information to betray the user to gain access to network resources or patient information.

Additionally, I would first ensure there is some type of disclaimer provided that the user would have to acknowledge, stating something to the effect of "the passing of medical records or privacy information is not recommended unless you can for certain ensure the person you are passing it to will use the information as agreed." Though I am sure it could be written a tad bit better, it's important that users know that even though they're on a secure site their information could still be leaked and disseminated. By having this in place, if something were to happen IT personnel can refer back to this acknowledgment page as issues arise.

To protect patients or other groups that utilize the network outside of the ABC Healthcare organization, such as collection agencies and banks, along with the above disclaimer I would ensure that the website utilized port 443 for secure connectivity. Although it can still be breached and users can still become victimized, it adds an extra level of security and prevents sniffer attacks.

2. Discuss the way you will address requirements for system monitoring, logging, auditing, including complying with any legal regulations. (15 points)

The first thing ABC Healthcare IT personnel should consider when conducting security checks is starting with a checklist. This will allow the administrator to ensure they are able to catch all necessities. This is where risk management should come into effect. According to Kathy Schwalbe, there are six major processes involved in risk management:

- Planning risk management involves deciding how to approach and plan the risk management.
- Identifying risks involves determining which risks are likely to affect a network and documenting the characteristics of each.
- Performing qualitative risk analysis involves prioritizing risks based on their probability and impact of occurrence.
- Performing quantitative risk analysis involves numerically estimating the effects of risks on objectives.
- Planning risk responses involves taking steps to enhance opportunities and reduce threats.
- Monitoring and controlling risk involves monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies. (Schwalbe, 2010, p. 427)

With auditing, it is a good practice if using Microsoft to utilize the Event Viewer, which would allow you to track events that occur on your system. Eckert and Schitka state that "events that occur on a system are tracked and recorded in different log files, and you can use Event Viewer to view the contents of these logs. For example, you can use Event Viewer to view the contents of the System log to determine when, and possibly why, a specific service failed to start" (Eckert, J. & Schitka, M. 2006). It would also be a good idea to have a disclaimer on the login screen informing all users that they are subject to monitoring when using the IT asset; that way the user (although it may not always help) will be aware that what they do on the network can be traced and that the user has the potential to be brought up on disciplinary charges if the matter warrants.

Another thing ABC Healthcare IT administrators should be doing is reviewing files and folders for accuracy. All common server operating systems provide the capability to specify access privileges individually for files, directories, devices, and other resources. By carefully setting access controls and denying personnel unauthorized access, ABC Healthcare IT personnel can reduce intentional and unintentional security breaches.
For example, denying read access to files and directories helps to protect the confidentiality of information, and denying unnecessary write (modify) access can help maintain the integrity of information. Limiting the execution privilege of most system-related tools to authorized system administrators can prevent users from making configuration changes that could reduce security. It also can restrict an attacker's ability to use those tools to attack the server or other hosts on ABC Healthcare's network.

3. Describe how the system will identify and authenticate all the users who attempt to access ABC Healthcare information resources. (15 points)

ABC Healthcare administrators should consider Group Policies. According to Microsoft (2003), "Group Policy is an infrastructure that allows you to implement specific configurations for users and computers." Additionally, Microsoft (2003) states that "Group Policy settings are contained in Group Policy Objects (GPOs), which are linked to the following Active Directory service containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory" (Microsoft, 2003). Active Directory in this case would be an added benefit to ABC Healthcare, as it allows for the deployment of the Group Policy feature, which in turn will give network administrators the ability to manage each user and computer object.

By creating security GPOs an administrator can apply settings to affect the whole network and not just a standalone computer. This saves time and allows an administrator to affect multiple computers. Another benefit to using GPOs is the ability to define settings for wireless network connectivity. GPOs allow you to configure which wireless networks workstations can connect to, and automatically configure Wireless Encryption Protocol (WEP) (Aubert & McCann, 2006).
If ABC Healthcare ensures GPOs are set up and followed correctly, users will not be allowed to alter many functions without having advanced administrator privileges, and with auditing in place, if foul play is suspected it will be quickly noticed.

The best way to ensure that a site is available to authorized users would be to enforce the use of a username and password. This would ensure that the right person is accessing their appropriate material. Some security concerns would be that a hacker may try to access a user's account without the appropriate credentials. There would be steps in place that would prevent access from repeated incorrect password attempts; many times this is covered by having a lockout function. Additionally, the ability for users to utilize the forgot username and password function will be readily available. Another option that can be utilized (much like that in the armed services) would be the use of Common Access Cards (CAC) and Public Key Infrastructure (PKI), which will carry the non-repudiation clause that states that what is sent or uploaded is indeed authenticated by the user and as such cannot be disputed.

4. Discuss how the system shall recover from attacks, failures, and accidents. (15 points)

In order to safely ensure that you will be able to maintain information that is stored on your network, it is key to ensure IT personnel are conducting backups. Backing up the system is another quality assurance feature that should be reviewed by the management personnel. It is paramount that IT management personnel ensure administrators are conducting daily, weekly, and monthly backups of their network. A full backup should be conducted at least once a week with daily differential backups, and maybe an incremental backup being performed mid-week.
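The lockout function proposed under question 3 above, as an added example that is not part of the original essay. It keeps a sliding window of failed attempts per username and refuses further logins, even with the correct password, until the lock expires. The threshold, window and lock duration are assumed values chosen for illustration, not ABC Healthcare policy.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Tracks failed logins per user and locks the account after too many
    failures inside a sliding window. Thresholds are assumed values for
    illustration, not a policy taken from the essay."""

    def __init__(self, threshold=5, window=15 * 60, lockout=30 * 60):
        self.threshold = threshold            # failures allowed inside the window
        self.window = window                  # sliding window, in seconds
        self.lockout = lockout                # lock duration, in seconds
        self.failures = defaultdict(deque)    # user -> timestamps of recent failures
        self.locked_until = {}                # user -> time the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock has expired: clear the state
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Evaluate one login attempt. Returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                   # correct password is still refused while locked
        if password_ok:
            self.failures[user].clear()       # a successful login resets the counter
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures older than the window
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


def demo():
    """Constructed sequence: five bad passwords in a row, then the right one."""
    guard = LoginGuard()
    results = [guard.attempt("nurse1", False, t) for t in range(5)]
    results.append(guard.attempt("nurse1", True, 10))            # right password, but locked
    results.append(guard.attempt("nurse1", True, 4 + 30 * 60))   # lock has expired
    return results


if __name__ == "__main__":
    print(demo())
```

Every transition to "locked" is worth writing to the audit log discussed under question 2, since a burst of lockouts across many accounts is itself a signal: an attacker who knows usernames can use a lockout policy to deny service to legitimate staff, which is why the self-service reset function the proposal mentions should sit next to it.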
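The weekly full, daily differential and mid-week incremental schedule just described, worked through as an added example that is not part of the original essay. The backup history, the file set and the dates are constructed for illustration. It shows which files each backup type must copy and which backup sets a restore to a given point in time needs.

```python
import datetime as dt


def day(offset, hour=0):
    """Constructed calendar helper: day 0 is Sunday, 19 May 2019 (assumed date)."""
    return dt.datetime(2019, 5, 19, hour) + dt.timedelta(days=offset)


# Constructed backup history following the proposed schedule: a weekly full,
# daily differentials and one mid-week incremental. Entries are (time taken, type).
BACKUPS = [
    (day(0, 2), "full"),
    (day(1, 2), "differential"),
    (day(2, 2), "differential"),
    (day(3, 2), "incremental"),
    (day(4, 2), "differential"),
    (day(5, 2), "differential"),
]

# Constructed file set: path -> last-modified time
FILES = {
    "patients.db": day(0, 12),    # changed Sunday, after the full
    "billing.xlsx": day(1, 15),   # changed Monday
    "policy.pdf": day(2, 20),     # changed Tuesday evening
    "readme.txt": day(-1),        # untouched since before the full
}


def last_backup(history, now, kind=None):
    """Time of the most recent backup (optionally of one kind) taken before now."""
    times = [t for t, k in history if t < now and (kind is None or k == kind)]
    return max(times) if times else None


def select_files(files, mode, history, now):
    """Files a backup of the given mode must copy when run at time 'now'."""
    if mode == "full":
        return sorted(files)
    # differential: everything changed since the last full backup;
    # incremental: everything changed since the last backup of any kind
    since = last_backup(history, now, "full" if mode == "differential" else None)
    if since is None:
        raise ValueError("no earlier backup; a full backup is required first")
    return sorted(p for p, mtime in files.items() if mtime > since)


def restore_chain(history, target):
    """Backup sets needed, in restore order, to rebuild the state as of 'target'."""
    past = [b for b in history if b[0] <= target]
    fulls = [b for b in past if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup before target")
    full = max(fulls)
    after = [b for b in past if b[0] > full[0]]
    diffs = [b for b in after if b[1] == "differential"]
    chain, cutoff = [full], full[0]
    if diffs:
        latest_diff = max(diffs)    # covers everything since the full, so earlier sets are redundant
        chain.append(latest_diff)
        cutoff = latest_diff[0]
    chain.extend(sorted(b for b in after if b[1] == "incremental" and b[0] > cutoff))
    return chain


if __name__ == "__main__":
    print(select_files(FILES, "differential", BACKUPS, day(3, 2)))
    print(select_files(FILES, "incremental", BACKUPS, day(3, 2)))
    print([(t.strftime("%a"), k) for t, k in restore_chain(BACKUPS, day(3, 12))])
```

The restore chain is the point of the exercise: a differential restore never needs more than the full plus one differential set, while every incremental taken after the last differential must be applied in order, so a lost or corrupt incremental breaks the chain. Restores should be rehearsed on that basis, not just backups taken.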
This will ensure that in the event of a data loss IT personnel can restore lost material with minimal downtime.

Ensuring there is a baseline in place that has all the original configurations is another way to ensure data safety. When looking at attacks, if the system has the IPS/IDS and antivirus software installed the risk could be minimized. Michael Goodrich and Roberto Tamassia also state that administrators should ensure they have checksums and data correcting codes in place. Checksums are the computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file is highly likely to result in a different output value. Checksums are like trip-wires; they are used to detect when a breach of data integrity has occurred. Data correcting codes are methods for storing data in such a way that small changes can be easily detected and automatically corrected. These codes are typically applied to small units of storage, but there are also data correcting codes that can be applied to entire files as well (Goodrich & Tamassia, 2011).

5. Discuss how the system will address User Account Management and related security improvements. (15 points)

ABC Healthcare would have to ensure they had proper policies, procedures, standards and guidelines in place to ensure user account management and the improvement of their network security. Many times in conversation we tend to think that policies, procedures, standards, and guidelines are coupled together. Policies are set rules established by a company or organization. A policy usually is the stepping stone for the creation of standards, guidelines and procedures. A policy would not have to incorporate the other three, whereas it would be virtually impossible to create standards, guidelines or procedures without the backing of a policy, which is your governing documentation.
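The checksum trip-wire and the data correcting code described under question 4 above, as an added example that is not part of the original essay or of Goodrich and Tamassia's text. The first part takes a SHA-256 baseline of a directory tree (the configuration baseline the proposal calls for) and reports modified, added and removed files; the second part is a Hamming(7,4) code, which detects and repairs any single flipped bit in a 4-bit unit of storage. The sample file tree is constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (by relative path) to its checksum."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare_to_baseline(baseline, current):
    """The trip-wire: report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo_tripwire():
    """Constructed sample tree: baseline it, tamper with it, then compare."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "config.ini"), "w") as f:
        f.write("port=443\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("baseline\n")
    baseline = build_baseline(root)
    # simulate a one-character config change, a new file and a deleted file
    with open(os.path.join(root, "etc", "config.ini"), "w") as f:
        f.write("port=444\n")
    with open(os.path.join(root, "new.bin"), "wb") as f:
        f.write(b"\x00")
    os.remove(os.path.join(root, "readme.txt"))
    return compare_to_baseline(baseline, build_baseline(root))


# --- Data correcting code: Hamming(7,4) corrects any single flipped bit ---

def hamming74_encode(nibble):
    """Encode 4 data bits as the 7-bit codeword [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]
    p1 = d1 ^ d2 ^ d4
    p2 = d1 ^ d3 ^ d4
    p3 = d2 ^ d3 ^ d4
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(word):
    """Return (data nibble, 1-based position of the corrected bit, or 0 if none)."""
    w = list(word)
    s1 = w[0] ^ w[2] ^ w[4] ^ w[6]   # parity check over positions 1, 3, 5, 7
    s2 = w[1] ^ w[2] ^ w[5] ^ w[6]   # positions 2, 3, 6, 7
    s3 = w[3] ^ w[4] ^ w[5] ^ w[6]   # positions 4, 5, 6, 7
    pos = s1 + 2 * s2 + 4 * s3       # the syndrome is the index of the bad bit
    if pos:
        w[pos - 1] ^= 1              # flip it back
    d1, d2, d3, d4 = w[2], w[4], w[5], w[6]
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, pos


if __name__ == "__main__":
    print(demo_tripwire())
    damaged = hamming74_encode(0b1011)
    damaged[4] ^= 1                  # corrupt one bit in storage
    print(hamming74_decode(damaged))
```

The baseline file itself has to be kept somewhere the monitored system cannot write to, otherwise whoever changes a file can update its checksum as well; the comparison is only a trip-wire if the stored values are trusted.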
Having a standard in a way would be a rule used to measure how something should be. In the military we have what is called Standard Operating Procedures, which are rules that provide step-by-step instructions as to how to accurately operate equipment. This prevents users from using the "I didn't know" excuse.

ABC Healthcare would have to have policies in place if they want to create a governing document that should be followed. This would establish rules that are to be followed by the organization. In order for a policy to be changed it must first be approved by leadership personnel. Having something like the military's standard operating procedures wouldn't be a bad idea either. The procedures would be the instructions that a user would follow to ensure something is operating appropriately. As stated in question 4 for base-lining, they should also have standards, so it would be understood how something is to be completed.

For security improvements ABC Healthcare can, for example, create a policy stating that the use of USB drives on computer systems is no longer authorized (as evident by military policy). This is a governing documentation that, if not followed, could have punitive damages associated with it.

References

Aubert, M. and McCann, B. (2006). MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Boston, MA: Course Technology.
Eckert, J. W. and Schitka, M. J. (2006). Linux+ Guide to Linux Certification (second edition). Boston, MA: Course Technology.
Goodrich, M. T. and Tamassia, R. (2011). Introduction to Computer Security. Boston, MA: Pearson Education, Inc.
Microsoft TechNet. (2003). Windows Server TechCenter. Retrieved Nov. 29, 2012, from http://technet.microsoft.com/en-us/library/cc779838(WS.10).aspx
Stallings, W. and Brown, L. (2008). Computer Security: Principles and Practice. Upper Saddle River, NJ: Pearson Education, Inc.
Schwalbe, K. (2010). Information Technology Project Management (sixth edition). Boston, MA: Course Technology.
