Information Systems and Identity Management

Information Systems and Identity Management

Introduction

The use of Information Technology in healthcare has exposed patients’ information to cyber-attacks. Cybercriminals exploit the loopholes found in the systems to access and use the information for malicious purposes. This issue has led to concerns about the safety of patient information in healthcare information systems. In this paper, the risks facing information systems and the solutions that can be used to mitigate the risks are discussed.

Section 13402(e) (4) of the HITECH Act requires the secretary of the U.S. Department of Health and Human Services to report all breaches of unsecured health information that affect 500 people or more. According to this report, CHI Health Orthopedics Clinic (Lakeside) reported over 48,000 incidences of health information breaches in 24 months by 30 September 2019 (“U.S. Department of Health & Human Services – Office for Civil Rights,” 2019). The reported breaches were a result of Hacking and I.T. incidents. The violations are said to have occurred at Desktop Computers, Electronic Medical Records, and the Network Server. This calls for urgent intervention to ensure that patients’ data is secure, as such incidents have a tremendous impact on the privacy of the affected patients.

Defining the Information System Infrastructure of the facility

The Information System of the CHI Health Orthopedics Clinic (Lakeside) is delivered by an outside provider but managed by the hospital’s internal I.T. department. They are responsible for maintaining the hospital’s telecommunications, networks, databases, software, and hardware. The I.T. department manages organizational I.T. policies and other procedures that are related to the Health Information System.

Organization Structure and Business Units

The highest level of management for the hospital is the hospital board of managers. They are responsible for making high-level decisions. It has experts from different fields. Below the board is the executive management. They are involved in the management of the organization. They make financial decisions for the hospitals and come up with the business strategy of the facility. The next level is the departmental administrators. These include the head of the I.T. department, the therapeutic services department, the diagnostic services department, and the support services department. They manage the day-to-day operations of various departments and report to the executive. They are mandated to ensure that their departments deliver the necessary services. Lastly, there are Supervising physicians and service providers.  These are in direct contact with the clients. They include doctors and nurses who provide services needed by the patients. They also maintain patient records. This organizational structure is represented in APPENDIX A.

The Patient Record System

In the CHI Health Orthopedics Clinic (Lakeside), the patient record system is considered critical. This system assists the nurses in automated monitoring for vital signs. Any delays or failures of the system could affect the operation of the facility.

High-level system description of the system’s hardware.

The facility’s patient record system consists of workstations. A workstation refers to hardware that holds everything needed by a physician to perform their functions (Stevenson & Nilsson, 2011). It may be a desktop, a laptop, or a tablet that hosts the hospital’s systems. A desktop is a fixed computer, while a laptop allows movement from one place to another. A tablet is a device that a healthcare provider can walk around with. It has handwriting recognition software that allows users to write on the screen.

How access to the system is restricted

Accountability

The users of the devices are required to be accountable for specific devices and activities that take place in the device. They are not allowed to grant unauthorized persons access to the data on the devices.

Access control

The devices are used within the hospital’s perimeter to ensure that they are used for relevant purposes. The hospital does not allow the users to leave the hospital premises with the devices.

Perimeter identification

Hospital employees are only allowed to access the devices they are permitted to. This helps in ensuring that they can only view data that is relevant to their duties.

How to protect (Protected Health Information.) PHI on the system

The following approaches have been taken to ensure that the information in the system does not fall into malicious hands:

Implementing a Virtual Private Network Encryption to ensure that hackers cannot view the information in the healthcare system

Implement user authentication procedures such as two-step authentication, regular change of passwords, use of strong passwords, and revoking employees who have transferred.

Implement restricted access where the user is only allowed to view the information that is essential to their duties.

The OSI model of the Health Information system

The application layer is a user-specific layer. For instance, the browsers that are used by the physicians to access the system. At this layer, login credentials, quality of services, and privacy are considered. FTP operates at this level. This layer is followed by the Presentation layer, which translates data from application format to network format and vice versa. At the facility, ASCII protocols are used for data encryption (Kołodziejczyk & Ogiela, 2012). It encrypts data being transmitted to avoid interception. It also provides freedom from data compatibility issues. The session layer establishes, manages, and terminates sessions between applications. It deals specifically with sessions and connection coordination. NFS protocols are used to manage user sessions at the healthcare facility. The transport layer allows different systems to connect and communicate. TCP protocols define how the systems discover one another and initiate communication. The network layer is responsible for packet switching and the establishment of virtual circuits. I.P. protocols are used for packet switching at the healthcare facility. Finally, the data link layer (IEEE 802.5/ 802.2 protocols) is concerned with encoding and decoding data into bits, and the physical layer conveys the actual electric, radio, and light signals. The Ethernet protocols are used in the facility to facilitate signal transmission.

Threats that face the system

CIA Triad

The three principles of the CIA triad are Confidentiality, Integrity, and Availability. Confidentiality can be compromised if a person accesses the data that they are authorized to. Integrity can be compromised is not presented the way it is supposed to (Aminzade, 2018). For instance, it may have been changed by an unauthorized person. The availability of data is said to have been compromised if data is not present when needed by the user.

Vulnerabilities in CIA at the facility

Many healthcare incidents lead to the compromise of patients’ data. Many such incidents end up with electronic health records as well as other valuable information into malicious hands. Without careful oversight, healthcare workers may contribute to this without their knowledge. Below are the common threats that expose data at the CHI Health Orthopedics Clinic (Lakeside) to a vulnerability that may compromise the CIA triad.

 Insider Threat

Healthcare employees have easy access to patients’ data during their day-to-day operations. Although they are expected to display integrity in the handling of this data, this does not guarantee that some of them won’t attempt to steal this sensitive information. In some cases, malicious employees can take patients’ credit card numbers and use them to commit fraudulent purchases. Some also steal social security and demographic information and use it to undertake a variety of crimes.

Intrusion Motives/ Hacker Psychology

Sophisticated malware can be planted into the healthcare information systems to steal login credentials. This can compromise the entire system as it can allow malicious attackers to access information in the system. It has been very challenging to deal with these issues because they use seemingly authentic links to establish their presence in healthcare systems. Some viruses mine healthcare records from the systems and automatically send them back to the original host.

Unsecured Medical Devices

Most healthcare facilities allow their employees to use mobile devices to log into their systems without assessing if the device meets security standards. This exposes the systems to malware attacks and hacking because the facility does not control how healthcare workers use their devices. This issue is common when the employees dispose of their equipment. Passwords and other network information might still be accessible, allowing criminals to exploit it for an attack.

Improper Disposal of Old Hardware

Hard drives used to access healthcare systems may contain credentials and network information even after being reformatted. If such hardware falls into malicious hands, it may be exploited to retrieve information and be used in malicious ways. Reformatting hard drives before disposal is, therefore, not a guarantee that the information is safe. Proper means of disposal must be adopted.

Identity management

Identity management involves the process of identifying and authenticating system users. It also involves the use of user rights in restricting the operations that the system users are allowed to perform. Below are some of the procedures that can be adopted to ensure efficient identification and management of the healthcare information system.

User authentication

The administrators should regularly investigate the system to ensure that the security standards in place are intact. For instance, they should ensure that two-step verification is enforced where anyone intending to make adjustments on data verifies their identity before the update is executed. They should also ensure that regular changes in passwords and the use of strong passwords are in place (Djellali, Belarbi, Chouarfia & Lorenz, 2015). The system review will also ensure that transferred employees are not allowed to access the system. Such regular audits will ensure that only authenticated employees are permitted to access the system and can only do what they are allowed to do.

Restrict data access

The system admin is required to determine the data needed by various employees to perform their tasks. This information is then used to ensure that employees are only allowed to view the data that is essential for their duties. In doing so, the incidences of data misuse will be minimized.

Password Cracking Tools

Malicious attackers may use various tools to guess system passwords to gain access to the system. Some of the techniques that may be used in this include brute force, rainbow attack, Cain and Abel, and John the Ripper (Tatli, 2015). These techniques become successful when the system passwords are not strong enough. It is for this reason that the users are encouraged to use strong passwords. Such passwords consist of a combination of alphanumeric characters and other symbols.

Cyberattacks

Some of the attacks that the Health Information system is exposed to include denial of service, phishing, and SQL injection.

Denial of service

This involves an attack that overwhelms the system resources to the extent that they cannot respond to service requests by an authentic user. The system resources are thus rendered unavailable for use.

Phishing

This attack involves malicious emails that appear legitimate. The emails either aim to gain personal information from the system user of they try to influence them to do something that may compromise the system. This could even be a link that when clicked downloads malware into the system.

Findings

Below are the findings of this study:

2019. Over 48,000 incidences of data breaches were experienced by CHI Health Orthopedics Clinic in a span of 24 months, as reported on 30 November 2019.
2020. The incidences related to hacking and I.T. incidents

• The surfaces of attack included Desktop Computers, Electronic Medical Records, and the Network Server.

1. It was established that, among other factors, the main contributors to healthcare system risks include:
2. Inappropriate use of the system by healthcare workers
3. Phishing and malware planted into the systems by hackers
4. Use of unsecured devices by the employees to access the system
5. And improper disposal of hardware that was used to access healthcare information

Recommendations

Various solutions can be put in place to protect the system from attack. The technical solutions involve having appropriate systems in place to ensure that healthcare information is adequately protected. These solutions include:

1. Understanding the scope of the system by use of technology that will make it possible to monitor all the devices connected to the network
2. Developing new updates from time to time to ensure that the vulnerabilities identified in the earlier versions are dealt with

• Implementing a Virtual Private Network Encryption to ensure that hackers cannot view the information in the healthcare system

1. Implement user authentication procedures such as two-step authentication, regular change of passwords, use of strong passwords, and revoking employees who have transferred.
2. Implement restricted access where the user is only allowed to view the information that is essential to their duties.

Conclusion

Just like other businesses, the healthcare industry is faced with the threat of data breaches and other information privacy concerns. Implementation of sophisticated networks in healthcare systems where a lot of information is shared has accelerated this issue. The employees using the information in the systems may expose it to vulnerabilities either intentionally or unknowingly. It is important to employ various security techniques, including technical and non-technical solutions, to protect the patient’s information. Healthcare facilities should hold the security of healthcare systems in very high regard because it could impact the privacy of the patients.

References

” U.S. Department of Health & Human Services – Office for Civil Rights. (2019). Retrieved 10 October 2019, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Aminzade, M. (2018). Confidentiality, integrity, and availability – finding a balanced IT framework. Network Security, 2018(5), 9-11. doi: 10.1016/s1353-4858(18)30043-6

Djellali, B., Belarbi, K., Chouarfia, A., & Lorenz, P. (2015). A user authentication scheme preserves anonymity for ubiquitous devices. Security And Communication Networks, 8(17), 3131-3141. doi: 10.1002/sec.1238

Kołodziejczyk, M., & Ogiela, M. (2012). Applying security mechanisms to middle and high layers of OSI/ISO network model. Theoretical And Applied Informatics, 24(1). https://doi.org/10.2478/v10179-012-0005-4

SlideShare. (2019). Organizational structure of_a_hospital [Image].

Stevenson, J., & Nilsson, G. (2011). Nurses’ perceptions of an electronic patient record from a patient safety perspective: a qualitative study. Journal Of Advanced Nursing, 68(3), 667-676. https://doi.org/10.1111/j.1365-2648.2011.05786.x

Tatli, E. (2015). Cracking More Password Hashes With Patterns. IEEE Transactions On Information Forensics And Security, 10(8), 1656-1665. doi: 10.1109/tifs.2015.2422259

ORDER A PLAGIARISM-FREE PAPER HERE

We’ll write everything from scratch

---

Daily life requires us to have access to a lot of information, and information systems help us access that information. Desktop computers, laptops, and mobile devices keep us connected to the information we need through processes that work via hardware and software components. Information systems infrastructure makes this possible. However, our easy access to communication and information also creates security and privacy risks. Laws, regulations, policies, and guidelines exist to protect information and information owners. Cybersecurity ensures the confidentiality, integrity, and availability of the information. Identity management is a fundamental practice. Part of identity management is the governance of access, authorization, and authentication of users to information systems. Identity management is one part of a layered security defense strategy within the information systems infrastructure. Your work in this project will enable you to produce a technical report and nontechnical presentation that addresses these requirements. (use any major healthcare record bridge you can from this list to write this paper)

For Project 1, this list of healthcare organizations that have had breaches may be helpful. Organizations with 1M or more records stolen have a ton of information out there in the public realm.

Write a technical report on its information systems and identity management to the healthcare board. Your report should be a 6-7 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

1. Nontechnical presentation: This is an 8-10 slide PowerPoint presentation for business executives and board members.
2. Technical report: Your report should be a 6-7 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
3. Executive summary: This should be a 2-3 page double-spaced Word document.

a. Ensure your figures are properly cited in-text and in the references.  E.g., Figure 1. Hospital Organizational Chart (source, year). Even though you are using them as part of your hypothetical organization, you need to cite the original source.  The figures also need to be referenced in your text narration.  E.g. Figure 1 below describes …. You can always submit the final version of your paper to the Writing Center, and they should be able to check your paper for grammar and APA.  Also, if you include Appendices, you need to tell the reader (in the main body)  to go to the appendix to refer to it.

b. Add a section/subheading in your paper (towards the end) that includes a clear list of your findings and recommendations.  Sort them in order of importance based on your understanding.  E.g., Finding 1: It was found that … Recommendation 1: It is recommended that ….   You can include hypothetical findings related to Project 1’s topic (i.e., Identity Management issues).  This is a highly important recommendation for an ‘exceeds expectations’ evaluation.  In industry, your management wants a clear idea (bottom line) of the security issues and recommendations that you (the expert) found. Do not make him/her spend extra time digging them throughout the report. What usually happens is that important observations are missed.  After all, you want to make sure that proper resources are allocated in order to address security issues.