13 Jul 2022

Security Administrator Handbook

Introduction and Background 

Delivering medical services to diverse patient populations is the primary purpose that healthcare providers strive to fulfill. For the most part, these providers have been able to execute this mandate. However, there are some challenges that are hampering the efforts of the providers. Cyber-security threats are among these challenges. Over the last few years, medical institutions have suffered cyber-attacks that have rendered them unable to offer quality care. For example, a ransomware attack that targeted hospitals in the United Kingdom left the hospitals unable to attend to the needs of patients. Given the critical role that they play in preserving human life and wellbeing, all necessary measures should be instituted to secure the networks and systems that the hospitals rely on for information management and service delivery. This handbook is among the steps that Horizon Health Care has adopted as part of its efforts to enhance security. All stakeholders are urged to adhere strictly to the provisions and stipulations contained in the handbook.

Section 1 Basic Procedures and Guidelines 

Network Architecture and Security Considerations 

In a bid to enhance security, Horizon Health Care has adopted various procedures that are built into its network architecture. One of the guidelines that all practitioners are required to follow as they use the network concerns least privilege. Essentially, this principle involves granting individuals only the minimum information, access and resources that they need to perform their jobs (Anderson & Mutch, 2011). The network architecture is such that nurses, doctors and other practitioners are only able to access information and resources that are relevant and needed for their mandate. Layered security is another consideration that informed the design of the network architecture. Various layers of security controls have been adopted to minimize the risk of attacks. Moreover, the layers are intended to promote accountability and ensure that access is only granted to those with authorization. The layered security controls embedded into the network architecture include such defenses as intrusion detection, firewalls and surveillance using security cameras.

It is common practice for large institutions such as hospitals to adopt multi-tiered network systems as part of their architecture. These systems tend to be secure, scalable and highly efficient (Xiao, 2016). In keeping with this practice, the network at Horizon Health Care will be composed of two tiers. These tiers are designed for distribution and access. The distribution tier is intended to facilitate the transfer of information across the hospital. On the other hand, the access tier involves processes and procedures for authorizing personnel to obtain information. Together, the two tiers make it possible for different departments and units to function independently while still enjoying access to information. Overall, the network architecture is designed with patient privacy and the security of information as the key considerations.

Wireless Security 

Wireless networks have eliminated the need for wired connections. Horizon Health Care is among the institutions that are committed to adopting the latest technologies and trends. The hospital has developed security standards and guidelines designed to safeguard the integrity of its wireless networks. Encryption is among the measures that the hospital has instituted. Through encryption, organizations are able to ensure confidentiality and privacy. This is particularly important for such organizations as Horizon Health Care which handle sensitive and highly personal information. When using the wireless system, all personnel are required to enable wireless encryption on their devices. Moreover, the personnel are to use devices which support the Wi-Fi Protected Access 2 (WPA2) protocol. This protocol has been found to be the most secure as it addresses the vulnerabilities in the authentication systems used in previous years (Vacca, 2009). Since Horizon Health Care is yet to provide all its personnel with devices supporting the latest wireless security standards, some exceptions are allowed for the use of older devices. However, no personnel should use devices that only support the Wired Equivalent Privacy (WEP) standard. This protocol is understood to possess vulnerabilities that could expose the hospital to security threats.

Horizon Health Care understands that adopting encryption safeguards does not ensure protection against all threats. This understanding has led the hospital to combine encryption with authentication. To access the hospital’s wireless networks, personnel are required to provide their username and a corresponding password. New employees and those without these authentication details should visit the Information Technology Department located in Block D of the East Wing. So as to further enhance the security of its wireless networks, Horizon Health Care forbids all its personnel from sharing their authentication details with non-authorized individuals. The hospital works in an environment with stringent laws regarding the need to protect patient data. The prohibition on sharing information with individuals lacking authorization is part of the hospital’s effort to comply with these laws.

Remote Access Security 

Horizon Health Care recognizes that there are situations which force its personnel to access information from remote locations. The network and information architecture accommodates such situations. To ensure that remote access does not compromise security, various guidelines have been developed. One, personnel are discouraged from accessing the hospital’s network remotely. Horizon Health Care has invested heavily in securing its network and information systems. However, the security benefits of this investment are mostly enjoyed when information is accessed within the hospital’s premises. While the hospital does not forbid remote access, all personnel are encouraged to use the network from within the safety of the premises. Should a situation require employees to use remote access, they are strongly advised to leverage the encryption and authentication protocols that the hospital has built into the network. Moreover, the personnel should refrain from using public networks for remote access. These networks are notoriously weak and prone to attacks.

Laptop and Removable Media Security 

Today, removable media have become an indispensable component of networks. However, these components introduce security threats which, if left unaddressed, could compromise an entire network (Tipton & Krause, 2009). Whereas Horizon Health Care permits its employees to use laptops and other removable media, it reminds them of the importance of adhering to stringent security measures and protocols. Whenever possible, all employees should use laptops and removable media that they have been issued by the hospital. These devices come equipped with strong encryption technologies. Furthermore, the hospital has taken steps to ensure that only authorized individuals are able to use the devices. In addition to requiring users to provide such details as passwords, the authorization protocols also accept such biometric information as fingerprints and iris scans. Removable media not issued by the hospital must be subjected to rigorous scrutiny. The purpose of the scrutiny is to ensure that the media do not contain malware. Horizon Health Care also strongly urges all its employees to refrain from using removable media on multiple devices. Such use could fuel the spread of malware. Overall, all employees of Horizon Health Care should only use removable media as a last resort and, even then, they should use the anti-virus programs installed on the hospital’s computers and network.

Vulnerability and Penetration Testing 

In the past, Horizon Health Care has suffered a number of devastating attacks. While the attacks hampered operations, they prompted the hospital to institute measures so as to prevent a recurrence. Vulnerability and penetration testing are among these measures. Essentially, these measures are concerned with determining whether there are flaws in a system and evaluating whether these flaws can be exploited to carry out an attack (Engebretson, 2013). Horizon Health Care encourages its employees to help it identify flaws in its systems. When an employee observes a flaw, they are to report it to the Information Technology department. They are not to attempt to perform vulnerability and penetration testing themselves. This is a complex procedure that should only be conducted by employees in the IT department. All employees should note that all components of the network and information system will be subjected to vulnerability and penetration testing every three months. The employees should understand that during the testing, the systems will be taken offline and will be unavailable for routine operations. Another issue that the employees need to recognize is that after the testing has been performed, the network will remain in a state of limited capacity and use for at least three days. During this time, the IT department will be gathering data on the outcomes of the vulnerability and penetration testing. It is only upon confirmation that the testing found no vulnerabilities and that all identified flaws have been corrected that the systems will resume normal operations.

Physical Security 

It is often said that in some situations, the traditional approaches are better than modern ones. This is true for securing information networks. For the most part, Horizon Health Care relies on such modern approaches as encryption and authentication. However, the hospital has also incorporated physical security into its strategy of safeguarding its network and information systems. One of the physical security measures that the hospital has instituted involves limiting access to the server room and other sensitive installations. Security guards will be stationed at the information technology department and other units which are vital to the operation of the network. The guards will be charged with the mandate of ensuring that only authorized personnel are able to access the network. In addition to requiring guards to man key installations, the hospital has also used laminate glass on the windows of the server room. The laminate glass enhances privacy and security. Cameras and alarms are other tools that the hospital is using as part of its campaign to tighten physical security. Whereas the hospital understands that the cameras may constitute a violation of the privacy rights of its employees, it reiterates that the cameras are needed to prevent attacks. Layers are another critical component of physical security at Horizon Health Care. Guards will be stationed at key locations so as to minimize the risk of intrusion. Overall, the physical security measures serve the purpose of supplementing the other protocols that Horizon Health Care has put in place.

Guidelines for Reviewing and Changing Policies 

Flexibility and responsiveness are among the key principles of effective network and information security management. It is important for organizations to ensure that their practices keep up with the emerging security threats. Horizon Health Care strives to align its security approaches with the latest issues in network security. Reviewing and updating its policies is one of the steps that the hospital has taken to stay ahead of threats. Every three months, the hospital shall conduct a review of its policies. The purpose of the review will be to ensure that the policies are in line with best practices and latest trends. As part of the review, the hospital will compare its policies against the guidelines used by other healthcare providers. If any discrepancies are observed, steps will be taken to achieve alignment. Employees are encouraged to provide feedback regarding the appropriateness and the effectiveness of the policies. Since they are primarily affected by the policies, the employees are best placed to provide helpful feedback. The IT department is charged with implementing policy changes. Working closely with the hospital’s administration and other units, this department will gather input from all stakeholders before effecting changes. It is hoped that the successful implementation of policy changes will enhance the preparedness of Horizon Health Care to thwart attacks and promote security in healthcare information management.

Section 2 Policies 

Acceptable Use Policy 

The acceptable use policy is a set of guidelines that stipulates the activities that a user is allowed to engage in. Moreover, this policy outlines the behaviors that are unacceptable. Details of the acceptable use policy for Horizon Health Care are provided in the following section.

Policy Statement 

All employees of Horizon Health Care should refrain from any and all activities that compromise network and information security. These activities include, but are not limited to, using devices known to be infected with malware, sharing passwords with unauthorized individuals, and using unsecured public networks. As they refrain from these behaviors and activities, the employees are urged to use the hospital’s information and network system in a manner that facilitates the delivery of quality care to patients.

Purpose 

The acceptable use policy defined above fulfills a number of important purposes. One, this statement is designed to guide the employees in performing their jobs. Relying on the policy, the employees are able to understand the activities which are acceptable and the behaviors which may attract punitive action from the hospital. Two, the acceptable use policy stipulates the measures that employees should undertake so as to secure the information and network system. The hospital wishes to leverage the effort, skill and collaboration of its employees so as to identify and thwart attacks.

Objectives 

The fulfilment of a purpose is made possible by the attainment of set objectives. In a bid to ensure that the purposes described above are fulfilled, Horizon Health Care has identified a number of key objectives that it wishes to achieve. Ensuring the proper use of the information and network system is one of these objectives. By challenging its employees to adhere to the acceptable use policy, the hospital hopes to shield its systems against attacks. Another objective that the hospital pursues through the acceptable use policy is encouraging compliance. Horizon Health Care has set out to ensure that all the employees who use its network and information system strictly follow the guidelines and standards.

Standards 

As part of the acceptable use policy, the hospital has created standards that the employees should follow when using the information and network system. These standards are listed below:

Using hospital property to access social media platforms is strictly prohibited.

All forms of harassment are forbidden.

Employees are to refrain from sharing their passwords with unauthorized individuals.

All employees should take steps to protect the system against malware.

All access to information should be with the goal of performing mandated functions only.

Employees are to comply with any other guidelines issued by the Information Technology department regarding the use of the information and network system.

Procedures and Guidelines 

The policy on acceptable use is accompanied by procedures and guidelines that employees are to follow. Among the procedures is obtaining authorization from the IT department. This guideline should be followed by all new employees and those whose access has been revoked. Employees are to report any and all violations of the acceptable use policy. Failure to report shall constitute a breach of the hospital’s regulations. All heads of departments should liaise with the IT department for their employees to be provided with copies of the acceptable use policy.

Responsibilities 

Individual employees are responsible for ensuring compliance with the acceptable use policy. It is hoped that as they honor this responsibility, the employees will take personal initiatives to protect the system against unacceptable behaviors and activities. Department heads share in the responsibility of facilitating compliance. These leaders are charged with the mandate of monitoring how their employees use the system. Overall responsibility for ensuring compliance is a mandate of the IT department. Leveraging its expertise and resources, this department shall take all necessary steps to promote responsible use of the information and network system.

Review and Change Management 

As is the case with all policies that Horizon Health Care adopts, the policy on acceptable use is subject to review and change. These processes are to be performed every three months and will involve all employees. However, the implementation of any changes will be conducted by the administration in conjunction with the IT department. Feedback from the hospital’s employees regarding changes that can improve the policy is strongly encouraged.

Password Policy 

Passwords are among the key tools that Horizon Health Care relies on to protect its systems. The following section offers details on the policy governing the use of passwords.

Policy Statement 

The passwords that employees choose should combine alphanumeric and special characters. Horizon Health Care understands that complex passwords that combine a range of character types are more secure. This is the primary reason why the hospital encourages all the employees to use long and complex passwords.

Purpose 

Enhancing security is the primary purpose of the password policy. After conducting rigorous analyses of its system, the hospital has observed that weak passwords are among the vulnerabilities that expose it to the threat of attacks. To address this vulnerability, it is crucial for all employees to use strong passwords.

Objectives 

Horizon Health Care strives to create an environment where all employees exercise responsibility and adhere to guidelines. It is for this reason that the organization has developed a list of objectives whose attainment will allow for the fulfilment of the purpose of the password policy.

Standards 

As they work with the hospital to achieve the purpose and the objectives of the password policy, the employees should adhere to the following standards:

i. All passwords should be at least eight characters long. As already stated, longer passwords are more secure.

ii. The passwords that employees create must combine alphanumeric and special characters. This is intended to further enhance the security of the passwords. Abcdef@123! is an example of a password that complies with standards i and ii.

iii. Employees need to understand that they will be unable to reset their password to any that they have already used previously.

iv. Horizon Health Care advises its employees against using their usernames and passwords for other accounts.

v. All employees are to avoid sharing their usernames and passwords with their colleagues or any unauthorized party.

vi. In cases where employees have to transfer their usernames or passwords, they should refrain from using such electronic means as email.

vii. Administrators reserve the authority to revoke the validity of usernames and passwords.

viii. The administrators are to maintain a record of login attempts. Particular focus should be given to failed attempts, which should be flagged as possible intrusions/breaches.
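The following Python example is added here to show how the standards above can be enforced mechanically; it is not part of the handbook or of any Horizon Health Care system. It checks a candidate password against the length and character-mix requirements (standards i and ii), refuses passwords that match a salted PBKDF2 history of previous ones (standard iii), and flags users whose failed login attempts cluster in a short window (standard viii). The log line format, field names, thresholds and sample users are all assumptions.

```python
"""Worked checks for the password standards (added example, not the handbook's own code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta

MIN_LENGTH = 8  # standard i: at least eight characters


def check_password_standards(password: str) -> list[str]:
    """Return the ways `password` violates standards i and ii (empty list = compliant).

    The handbook asks for alphanumeric characters combined with special characters;
    this check requires at least one letter, one digit and one punctuation character.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


class PasswordHistory:
    """Salted PBKDF2 digests of a user's previous passwords (standard iii).

    Only digests are stored, so the history does not reveal old passwords. Each entry
    carries its own salt, so a candidate must be re-derived against every entry.
    """

    def __init__(self, iterations: int = 100_000):
        self.iterations = iterations
        self._entries: list[tuple[bytes, bytes]] = []

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))

    def is_reused(self, password: str) -> bool:
        # Constant-time comparison avoids leaking which entry matched.
        return any(hmac.compare_digest(digest, self._digest(password, salt))
                   for salt, digest in self._entries)


def validate_new_password(password: str, history: PasswordHistory) -> list[str]:
    """Full check for a reset request: complexity (i, ii) plus reuse (iii)."""
    problems = check_password_standards(password)
    if history.is_reused(password):
        problems.append("matches a previously used password")
    return problems


# Constructed sample of an authentication log; the layout and the users are invented.
SAMPLE_LOG = """\
2022-07-13T08:01:12 user=jdoe result=FAIL src=10.0.5.21
2022-07-13T08:01:20 user=jdoe result=FAIL src=10.0.5.21
2022-07-13T08:01:33 user=jdoe result=FAIL src=10.0.5.21
2022-07-13T08:02:05 user=jdoe result=FAIL src=10.0.5.21
2022-07-13T08:02:44 user=asmith result=FAIL src=10.0.7.9
2022-07-13T08:03:10 user=asmith result=OK src=10.0.7.9
2022-07-13T08:05:00 user=jdoe result=OK src=10.0.5.21
"""

LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def flag_failed_logins(log_text: str, threshold: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Standard viii: return {user: peak failures within `window`} for users at or above `threshold`."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and match["result"] == "FAIL":
            failures[match["user"]].append(datetime.fromisoformat(match["ts"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    history = PasswordHistory()
    history.add("Abcdef@123!")                   # the handbook's own compliant example
    print(validate_new_password("Abcdef@123!", history))   # reused -> rejected
    print(validate_new_password("abcdefgh", history))      # fails standard ii
    print(flag_failed_logins(SAMPLE_LOG))                  # {'jdoe': 4}
```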

Procedures and Guidelines 

Employees should not write their passwords down. They should attempt to memorize them instead. Writing down passwords tends to open up avenues that can be exploited by hackers. If they are unable to memorize passwords and are forced to write them down, employees should avoid writing the passwords alongside their usernames/account numbers. When employees forget their passwords, they will be prompted to provide their email address. A link for resetting the password will then be sent to the address. Employees should note that the link remains valid for 24 hours only. The hospital understands that there are situations when employees may lose their passwords or unauthorized individuals gain access to the passwords. In such situations, employees are to file reports with the IT department immediately. The department should proceed to disable the affected account. If this account is vital and cannot remain offline for an extended amount of time, the department should create a new account to insulate operations against interruptions.

Responsibilities 

It is the responsibility of individual employees to follow the password policy. The hospital has taken steps to ensure that the policy is sufficiently simple yet exhaustive to encourage compliance. The employees can expect support from the IT department which is also charged with the mandate of ensuring compliance. In particular, this department is required to help employees who are struggling to create strong passwords which meet the standards set out above. Department heads and the hospital’s top leadership are also required to lead employees in adhering to the password policy.

Review and Change Management 

The password policy will be updated to reflect changes in the operations, strategies and philosophy of Horizon Health Care. However, before any changes are made, the hospital will receive input from employees and other stakeholders. Moreover, the employees are encouraged to provide any helpful information that can be used to enhance the role that strong passwords play in securing the network and information system. Ultimate responsibility for reviewing and changing the password policy rests with the IT department.

Incident Response Policy 

In the past, Horizon Health Care has witnessed multiple attacks. The hospital was able to contain the attacks thanks to the alerts that the IT department received from employees. In the following section, an overview of the practices and strategies that the hospital has adopted as regards incident response is offered.

Policy Statement 

The incident response policy seeks to encourage action from employees by providing them with the information that they need to identify and report suspicious and potentially dangerous activity. This policy is guided by the principle “if you see something, say something.” Essentially, through this principle, the hospital hopes to encourage the employees to play active roles in promoting security.

Purpose 

In designing the incident response policy, Horizon Health Care was driven by the purpose of encouraging support, vigilance and action among its employees. It is impossible for the hospital to insulate its systems without the full support and cooperation of its employees. The employees are uniquely placed to identify threats and to initiate action.

Objectives 

There are various objectives which Horizon Health Care will strive towards as part of the campaign to inspire employees to take action. Reducing the levels of apathy is one of the key objectives. The hospital has observed that some of the attacks that it has suffered were the result of lack of action from employees. It appears that the employees do not take network and information security seriously. The incident response policy aims to challenge them to understand that security violations and breaches affect them as much as they do the hospital. The other objective that the hospital pursues is preventing attacks before they can cause damage. Working closely with its employees, Horizon Health Care hopes to ensure that the devastation that it suffered in the past does not occur again.

Standards 

For the purpose and the objectives of the incident response policy to be achieved, all employees need to adhere to various standards. These standards are listed below:

If they witness such incidents as denial of access, physical breaches of security, system failures and unauthorized access, employees should report to the IT department immediately.

The employees should suspend their use of the information and network system upon noticing an incident. It is only upon confirmation by the IT department that the system is safe that the employees may continue to use it.

All employees should strictly follow the other policies outlined earlier. This will help to prevent incidents.

Procedures and Guidelines 

To ensure that incident response occurs in an orderly fashion, the employees and the IT department should follow the procedure and guidelines below.

Working with the employee who has reported the incident, the IT department should begin by identifying and classifying the incident.

With the incident correctly identified, the IT department should proceed to assess it. The assessment should include an investigation focusing on the source of the incident and the impact that it could have on the hospital’s operations.

If it is determined that the incident is grave, the IT department should notify the hospital’s leadership. Procedures for containing and eradicating the incident should then be initiated.

Once the threat behind the incident has been eradicated, the IT department needs to document the incident. The purpose of the documentation is to facilitate learning and ensure that the hospital is better prepared to handle similar incidents.

Improvement is the last process that the IT department should undertake as part of incident response. This process involves taking practical steps to protect the hospital’s systems against similar incidents that could occur in the future.

Responsibilities 

The employees have the primary responsibility of reporting incidents. Upon receiving reports of incidents, the IT department is to take action while following the procedure and guidelines outlined above.

Review and Change Management 

Given the complexity of implementing a new incident response policy, Horizon Health Care will limit reviews and changes to this policy. This is not to say that the employees should not provide information that they believe can enhance the policy. It simply means that the hospital shall update the policy less often and only when it is satisfied that a review and change are warranted. The employees should not hesitate to approach the IT department with recommendations that can be incorporated in the next review of the policy.

User Awareness and Training Policy 

The successful adoption of the policies in this handbook hinges on the full and active participation of employees, who are the primary users of the network and information system. In this section, guidelines regarding awareness and training are outlined.

Policy Statement 

The user awareness and training policy seeks to equip the employees of Horizon Health Care with the information and skills that they need to effectively and securely use the hospital’s information and network system. This policy states that it is the mandate of the hospital to conduct regular training sessions where employees are introduced to the system and how they can leverage it to deliver high quality services.

Purpose 

Enabling employees to navigate the complexities of the network and information system is the primary purpose of the user awareness and training policy.

Objectives 

The main objective that the hospital wishes to attain is to enhance the skills and knowledge of its employees. Through regular training, the hospital will introduce the employees to the system and provide them with the insights they need to use it effectively. Moreover, the hospital also seeks to transform the employees into competent professionals who are able to detect and respond to threats promptly and appropriately.

Standards 

The following are the standards that will be followed as part of the user awareness and training:

The training will address such issues as the importance of and how employees can create strong passwords.

Focus will also be given to the use of such messaging platforms as email.

The employees will be reminded of their obligation to maintain privacy, confidentiality and security.

Training on how to detect and report incidents will be provided.

How they can manage their personal accounts is another issue that the training and awareness initiative will address.

The training will also explore the role that information technology and security play in enhancing the operations of Horizon Health Care.

The laws and guidelines that govern patient information are another subject that the training will examine.

All employees are expected to participate in the training sessions.

It is the mandate of the training facilitators to ensure that they have all the information, tools and resources to conduct a smooth session.

The hospital leadership is mandated to provide all the funding and resources needed for awareness and training.

Procedures and Guidelines 

The user awareness and training process will begin with an evaluation of the training needs of the employees. With these needs identified, focus will shift to developing a curriculum that accounts for the needs. Those charged with the task of conducting the training will also need to align the curriculum with industry standards and applicable laws. The training will be conducted every six months and will involve all of the hospital’s employees.

Responsibilities 

The human resource department is charged with the function of delivering training and enhancing the awareness of the hospital’s employees. To execute this mandate successfully, this department should join forces with the IT department which is responsible for content development. Employees are also challenged to demonstrate enthusiasm and to participate actively in the training sessions.

Review and Change Management 

As is the case with most of the policies of the hospital, the user awareness and training policy will also be subject to regular and extensive reviews. These reviews are designed to update the policy with emerging trends and information. The IT and the human resource department will manage the review and change of the policy.

Conclusion 

The adoption of information technology is among the factors that have driven the success of Horizon Health Care. Thanks to information technology, this hospital continues to deliver quality care at low cost. Given the vital role that information technology plays in the hospital’s operations, it is important to provide the employees with the information they need to exploit the benefits of information technology. This is the purpose that this security administrator handbook seeks to fulfill. The handbook contains information on a wide range of issues that include password management and incident response. It is hoped that as they follow the policies, guidelines and procedures outlined in the handbook, the employees of Horizon Health Care will be able to leverage the power of information technology.

References

Anderson, B., & Mutch, J. (2011). Preventing good people from doing bad things: Implementing least privilege. New York City: Apress.

Engebretson, P. (2015). The basics of hacking and penetration testing: Ethical hacking and penetration testing made easy. New York City: Elsevier.

Tipton, H. F., & Krause, M. (2009). Information security management handbook (6th ed., Vol. 3). Boca Raton, FL: CRC Press.

Vacca, J. R. (2009). Computer and information security handbook. Morgan Kaufmann.

Xiao, Y. (2016). Security in sensor networks. Boca Raton, FL: CRC Press.
