Sample Assignment Writing Paper on CI7300 Data Management and Governance

Assignment: Cryptography, Data Governance and Identity Theft and Network Security

1.0 Introduction
Technology plays a crucial role in the medical field, especially in the healthcare system. Its
advancement has significantly improved the way the health of patients is handled. Similarly, its
use has improved the quality of healthcare services, medical machines, laboratories, and clinical
services. As technology continues to develop, threats and other unlawful acts are emerging:
unauthorized users, especially hackers, are trying all means to access confidential information
belonging to patients and healthcare facilities. Consequently, to deny unauthorized people access
to this information, regulations have been established to ensure its confidentiality.
Since the healthcare service sector is one of the industries targeted by hackers, this report will
investigate the requirements and measures that healthcare providers must observe to safeguard
patient information. The report will also analyze the encryption requirements of the Health
Insurance Portability and Accountability Act (HIPAA) that ensure the confidentiality, integrity,
and accessibility of electronic protected healthcare information (ePHI). The report will further
discuss information governance and the issue of identity theft, and address two significant
issues that limit information maintenance efforts by healthcare services. Lastly, the report
will analyze network security for healthcare facilities: the assets involved in the system, the
threats likely to affect the information, and how such threats and vulnerabilities are
controlled to mitigate risks. The report consists of three major parts: Section A on
cryptography, Section B on data governance and identity theft, and Section C on network security
for the healthcare facility, followed by the conclusion and recommendations.

Section A: Cryptography

2.0 Cryptography in Health Care
Cryptography is a way in which organizations use codes to protect data and messages from
unauthorized access (healthitsecurity.com). According to Robichau (2014), many healthcare and
medical facilities have implemented Electronic Health Record (EHR) systems, medical practice,
and health system software to adhere to the Health Information Technology for Economic and
Clinical Health (HITECH) Act and HIPAA federal regulations. While this has been the current move
in healthcare facilities, they seem to have overlooked patients' privacy issues and security
considerations (Abdmouleh et al., 2014). Encrypting texts ensures the confidentiality of the
message being transmitted.

2.1 Requirements of encryption in healthcare information systems
Many traditional healthcare service providers have shifted from traditional healthcare to modern
IT-based healthcare, or e-healthcare (Shankar and Tomar, 2016). Other necessary aspects that
organizations are required to consider are:

• HIPAA risk analysis
The HITECH Act regulations to HIPAA required entities to conduct a risk assessment to ascertain
any threat and vulnerability that might affect the PHI. According to healthitsecurity.com, the
scope of the analysis should not only include electronic medical records and billing systems but
should be a thorough and accurate analysis of potential risks and weaknesses to ensure the (1)
confidentiality, (2) integrity, and (3) accessibility of electronic protected healthcare
information (ePHI) maintained by the entity. Therefore, the analysis should focus on how
healthcare IT works and protects ePHI creation, transmission, and receipt, and assess the gaps
(Primeau and RHIA, 2017). According to the National Institute of Standards and Technology (NIST)
publication 800-30 (2010) guidelines, healthcare services should conduct a risk assessment to
determine the probability of compromise from unauthorized use of data or disclosure of public
health information that requires reporting to the Office for Civil Rights (OCR).

• Implementation of encryption for data
The American Medical Association (AMA) recommends that all PHI be encrypted. Additionally,
HIPAA requires any organization that has breached the PHI to notify the affected patients unless
the machine or disk was also encrypted. Therefore, a healthcare service should encrypt the entire
PHI file, whether in the system or in single files, which might consist of (1) electronic medical
archives, (2) medical images, (3) payment claims, and (4) emails with PHI, among others. The
organization should have and use keys to access these files and systems, and the keys should be
securely managed (healthitsecurity.com).

• Use of best encryption algorithms without lag
The AMA guidelines recommend that healthcare organizations use the best available encryption
algorithms as contained in the Advanced Encryption Standard (AES), such as AES 256-bit
encryption, which is unbreakable and more secure compared to AES 128-bit keys. However, to
ensure security, the health organization should safeguard the operating systems from exposure
to attacks (beckershospitalreview.com).

• Use of encrypted portable storage devices
Losing a portable machine like a laptop could cause a major loss of data; to prevent this,
physicians are encouraged to store PHI files on an encrypted external portable drive rather than
storing the information directly on the laptop. The encrypted portable device, once lost, cannot
be accessed without the physical key, unlike a laptop, thus making the information more secure.
HIPAA recommends encrypted EHR systems; therefore, mobile devices should be encrypted or
configured to prevent them from storing PHI outside the system. As a result, HIPAA prohibits
health personnel from sending patient information through webmail or messages from their
mobile phones since they are not encrypted (Hayhurst, 2014). Additionally, healthcare
organizations should ensure all portable storage devices connected to the servers are encrypted.

• Disaster recovery and healthcare organization continuity plan
There are many unforeseen events, such as fire, equipment failure, and power outage, among
others, that can affect a healthcare system or the entire facility. As a result, HIPAA requires
all healthcare facilities and their associates to have a disaster recovery plan that involves
the entire personnel collaborating in restoring and recovering the operations. According to
Fulmer (2015), an organization with disaster and business continuity plans has reduced headaches.
Therefore, a healthcare organization should ensure it has dependable recovery plans, like robust
and secure storage systems.

2.2 Documents and messages to be encrypted and their security requirements

• Electronic Health Records (EHR)
According to (Omotosho et al., 2017; Yaraghi, 2016), EHR is termed the most secure system that
offers privacy to healthcare data, and the best point-in-time information resource system for
clinicians. The system is designed to provide unique features, like unique fingerprints and iris
characteristics, meant to secure bio-cryptography keys, reducing the likelihood of hackers'
access to PHI. EHR gathers patient and organization information such as hospital visits, patient
demographics, billing data, administrative information, laboratory data of the patient, surgery
information, radiology reports, patients' allergies, immunization prescriptions, and physician
progress reports on patients, among others (Omotosho et al., 2017).
The HIPAA regulations have three pillars, or security safeguard themes, that require healthcare
organizations using EHR systems to ensure administrative safeguarding of data, physical
safeguarding, and technical safeguarding. The techniques therefore involve safeguarding where
computers are located and using firewall software to protect data, among others (Kruse et al.,
2017). Firewall and cryptography methods are the most promising techniques for EHR privacy and
security.

• Electronic Patient Records (EPR)
The use of EPR is meant to merge clinical data, like maternity records, with administrative
information and bring them to one place. Also, the use of EPR ensures the legibility and
accuracy of clinical information and patient confidentiality. The system uses an electronic smart
card (biometric-based authentication pattern) and a PIN, and sends electronic records every time
the patient data is accessed. The EPR supports patient care, and through its application, the
facility can assign unique codes to patients' electronic forms (Swinglehurst, 2014). Similarly,
its use improves patient experience through its enhanced performance and reduced human errors.
HIPAA requires healthcare organizations to maintain high privacy and confidentiality of patient
information. They should ensure unauthorized users cannot trace patient information and that
patient anonymity is highly maintained (Islam et al., 2015).

2.3 The different objectives of the deployed cryptosystems
The main objectives of deploying cryptosystems in the healthcare facility are:
• Confidentiality of the information - to ensure only authorized recipients have access and
can extract the patient's content from the cipher.
• Non-repudiation/irrevocability - to ensure that parties in the communication cannot deny
the authenticity of their signatures on messages or documents.
• Authentication - to ensure the recipient of the mail can determine the sender and verify that
the data originated from him.
• Integrity - to ensure that the recipient can determine whether the original message was
altered during transmission or not.

2.4 Specific cryptographic algorithms and architectures available
The level of cryptographic protection depends on the strength of the key used, the protocol
associated with it, and machine effectiveness. It also depends on the key protection measures
and on how the keys are managed: secure key generation, and how the keys are stored,
distributed, used, and destroyed (cryptomathic.com). According to Barker and Roginsky (2018),
the National Institute of Standards and Technology (NIST) guidelines on sensitive data
protection practices recommend using cryptographic algorithms that are FIPS-approved or
recommended by NIST. NIST has approved three types of cryptographic algorithms (Fig 1).

Fig 1: Different cryptographic algorithms and their characteristics

Source: (cryptomathic.com): Differences between Hash functions, symmetric and asymmetric
algorithms

i. Hash functions

Hash functions create "hash value" from big data through creating blocks that are used by an
organization in crucial management to provide.
The hash value, or integer value, maps big data to a small integer used in hash tables. Hash
values can be used in digital signature verification and generation (cryptomathic.com). Hash
functions are also used to provide message authentication codes (MACs), which authenticate the
source of a message. According to research by Padhi and Chaudhari (2017), the SHA-254
cryptographic algorithm, if implemented in hardware that is separate from the processor, offers
more security and performance than a software implementation. Compared to other architectures,
the SHA-254 algorithm gives high performance: 1344.98 Mbps throughput, 170.75 MHz maximum
clock frequency, and 2.2 Mbps/slice efficiency (Padhi and Chaudhari, 2017). Also, the hash
algorithm on FPGAs is flexible, offers convenience, and is upgradable. However, implementing a
hash algorithm requires hardware with high processing speed.

Advantages - Hash functions enable users to compare two files through their calculated hash
values and make it possible to identify whether they are different. Hashing allows the user to
recognize a file's identity, allowing the organization to determine if the transferred data is
corrupted and making it easy to detect if the files are identical.
Drawbacks - According to (Mouha et al., 2018; Masjid et al., 2017; Rasjid et al., 2017), bugs
in cryptographic hash functions can go unnoticed, hence smoothly modifiable. Also, it is
challenging to use hash functions to analyze two messages with the same integer value. It has a
time complexity of O(1) when creating, looking up, or deleting stored information.
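
The two uses of hashing described above, comparing files by hash value and authenticating the source with a MAC, detect different things. The following is an added example, not part of the original paper; the record contents, key handling and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = b'{"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}'


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone who holds the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): only holders of the shared key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(record: bytes, key: bytes) -> dict:
    """Sender side: attach a plain digest and a MAC to the record."""
    return {"record": record, "sha256": sha256_hex(record), "hmac": mac_hex(key, record)}


def classify(message: dict, key: bytes) -> str:
    """Receiver side: recompute both values and compare them in constant time."""
    digest_ok = hmac.compare_digest(sha256_hex(message["record"]), message["sha256"])
    mac_ok = hmac.compare_digest(mac_hex(key, message["record"]), message["hmac"])
    if digest_ok and mac_ok:
        return "authentic"
    if not digest_ok:
        return "corrupted"  # the record no longer matches the digest sent with it
    return "tampered"       # the digest matches, but the MAC does not


def run_demo() -> dict:
    # Shared secret; assumed here to come from the organization's key management.
    key = secrets.token_bytes(32)
    intact = seal(SAMPLE_RECORD, key)

    # Case 1: accidental corruption in transit. The record changes, while the
    # digest and MAC arrive as sent, so the plain hash comparison catches it.
    bit_flip = dict(intact, record=SAMPLE_RECORD.replace(b"250", b"251"))

    # Case 2: the record is changed and the unkeyed digest is recomputed to match.
    # The hash comparison passes; only the keyed MAC exposes the change.
    altered = SAMPLE_RECORD.replace(b"250", b"950")
    rehashed = dict(intact, record=altered, sha256=sha256_hex(altered))

    cases = {"intact": intact, "bit_flip": bit_flip, "rehashed": rehashed}
    return {name: classify(msg, key) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:9s} -> {verdict}")
```

Because sender and receiver share the same key, a MAC gives integrity and authentication but not non-repudiation; that objective needs a digital signature made with an asymmetric key.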

ii. Symmetric key algorithms
This type of cryptographic algorithm is also known as a secret key algorithm, and it makes the
data very difficult to view for a person without the security keys. Symmetric cryptography uses
secret-key cryptography (SKC): the key is known by only a few persons, and the same key is used
to encrypt and decrypt data (Abdmouleh et al., 2014). The keys are also used to create MACs and
validate data, hence providing privacy and confidentiality of the encrypted and decrypted
information. Among the symmetric algorithms, AES is commonly used; the cipher has a 128-bit
block size and can have three different key lengths, AES-128, AES-192 and AES-256, according to
cryptomathic.com. The symmetric algorithm requires special key life-cycle management software to
maintain the life cycle of the created keys.

Fig 2: Symmetric key cryptography

Source: Chandra et al. (2014)
Advantages - the encryption process is easy if keys are shared for encryption and decryption of
messages.
Drawbacks - the use of too many keys requires an organization to have a secure channel to
exchange the secret keys; hence, negation and authentication of the message cannot be
guaranteed.

iii. Asymmetric key algorithms
Asymmetric key algorithms, also known as public-key algorithms or public-key cryptography
(PKC), combine both private and public keys to perform the intended functions (Chandra et al.,
2014). The public key is publicly known, while the secret key is controlled by the owner. These
algorithm keys are used for computing digital signatures, ensuring identity management, and
creating cryptographic keying materials. However, according to Spies (2017), there is a
challenge in binding algorithm keys to machines and to user identities. The techniques applied
in asymmetric encryption are RSA, DSA and PKCS. The public key infrastructure (PKI) system,
which is meant to bridge email addresses and Domain Name System addresses, among others, with
cryptographic keys to authenticate or encrypt data, is a complex system and difficult to
implement.

Fig 3: Symmetric key cryptography

Source: Chandra et al. (2014)

Advantages – it provides convenience and message authentication, easy detection of tampered
messages, and non-repudiation.

Drawbacks – public key encryption is slow, the process requires the use of more computer
resources, and the loss of a private key leads to the loss of the information, since received
messages cannot be decrypted.

2.5 Organization’s cryptographic policy
The development of the healthcare policy is based on the assumption that the healthcare
facility considered here is XYZ healthcare facility, and that the organization has just started
its operations (see Appendices 1).

Section B: Data Governance and Identity Theft

3.0 Data Governance and Identity Theft
Identity theft has continued to be the main challenge for patients because criminals are
developing mechanisms to defraud members of the public and businesses (iii.org). According to
the Insurance Information Institute (iii.org) research, there were 16.7 million and 14.4 million
identity fraud cases in 2017 and 2018. Additionally, the study shows that identity theft and
fraud complaint cases have been increasing over the years (Fig 4).

Fig 4: Identity theft analysis
Source: Insurance Information Institute (iii.org), Identity theft and fraud report, 2015-2019

For healthcare providers to ensure data governance, they should put in place good measures to
manage data and controls that enhance data integrity, quality, and availability (Juddoo et al.,
2018).
3.1 Identity theft: UW Medicine
UW Medicine faced a lawsuit for disclosing patients' information, which impacted around 974,000
patients (healthitsecurity.com). The facility failed to secure and safeguard its PHI and did not
notify patients or the HIPAA that its data was breached. A server misconfigured by an employee
led to hacking and to the exposure of patient information to third parties. As a result,
sensitive data on patients' health information, names, and patient account information were
disclosed. According to research by Mulig et al. (2014), most of these breaches relating to
patients' privacy and confidentiality are the result of the increasing number of identity theft
claims. The most compromised information includes demographic information, financial
information, and clinical information.

3.2 Two issues for the Health Information Governance
The two main issues affecting health information governance are:

• Privacy issue
Safeguarding healthcare data and user identity has been a significant challenge faced by many
healthcare providers. According to Wissmann (2015), managing all activities related to data
collection and managing healthcare information in all areas of the facility spectrum is a
significant challenge. Besides, there is an increasing need for health information exchanges
between patients and healthcare providers, insurance companies, and other players, hence the
need for better information management. As a result, data is shared and analyzed at a group
level, where in most cases patient data is leaked to third parties unknowingly (Taylor et al.,
2016). Therefore, to meet and ensure the privacy and security of information, healthcare
organizations need HIPAA to provide programs that enable the facilities to meet the compliance
requirements (HealthITSecurity.com).

• Interoperability issue
Transfer and sharing of data among different healthcare stakeholders are made easy where the
various departments are interoperable. According to the Health Information and Management
System (HIMS), interoperability is only efficient where the computer systems can communicate
and exchange data that is understandable by the machines. As such, where the patient has seen
different specialists, interoperability will not be achieved until the patient's information is
transported and shared effectively. Healthcare facilities find this clinical data transportation
and cross-collaboration approach a challenge where there is inadequate infrastructure (Gordon
and Catalini, 2018). Additionally, according to Kierkegaard (2015), the challenges of
interoperability infrastructure could result from the advancement in technology, from strategies
adopted by an organization that limit EHR consolidation, and from implementation problems, hence
affecting the entire system.

3.2.1 Strength and weaknesses of the approach adopted by UW Medicine and their
symptoms

Strength
After the incident, UW Medicine reviewed its protocols and procedures to prevent future
re-occurrence and reported the incident to the OCR as required by law.
Weakness
The health information management (HIM) system was weak, and the organization did not
adhere to OCR and HIPAA regulations regarding PHI and security measures. UW Medicine took
time before reporting the case, an indication of concealment (Mendonça et al., 2019). Although
UW Medicine claimed that the risk of identity theft was negligible, hacking of the demographic
information and clinical information exposes the patients' identity and other sensitive
information. Additionally, I would assume that the facility was not conducting frequent risk
analysis to check the vulnerability and risk exposure as required by the HIPAA risk analysis
(HealthITSecurity.com).

Symptoms

The implementation of the new EHR, which included an expanded network of its other medical
centers, though meant to enable cross-collaboration with other departments, involved working
with multiple IT systems from different sellers, which could affect its efficiency and
complicate information exchange and access between the facilities (ehrintelligence.com).
However, the use of a single outpatient and inpatient EHR system indicates that the
centralization of PHI would streamline the UW Medicine workflow and improve coordination,
efficiency, clinical documentation, and time management.

3.2.2 Integrated System theory and AHIMA standards
The American Health Information Management Association (AHIMA) standards require
healthcare organizations to ensure accountability and integrity. They are also required to
protect all information, ensure compliance, provide information access to stakeholders, retain
all information as required by different regulations, and dispose of any unneeded information
in a secure manner (ahima.org). Moreover, the Integrated System Theory suggests that healthcare
organizations should have cybersecurity policies in place. They should frequently assess and
manage risks, and have internal control management measures, information process controls, and
information audits. Adherence to these measures will mitigate and reduce data exposure (Ismail
et al., 2014).

3.2.3 What I would do if faced with the problem of Health information governance and
network security
First, I will report the incident to OCR and HIPAA as per the regulation and start sending out
emails to affected patients. Also, I will hire an expert to manage the healthcare website. At
the same time, I will involve the legal investigators to investigate the system and determine
the cause of the incident. As AHIMA requires a healthcare organization to have an employee who
is accountable and responsible for health information management, I would appoint qualified
personnel to manage the data. Also, the HIPAA security rule requires healthcare organizations to
conduct a risk assessment and risk analysis and document all risks available on ePHI. I will
perform this during the OCR breach investigation and hold a compliance audit to assess what went
wrong (Goguen et al., 2017; Primeau and RHIA, 2017). All the risk assessment findings will be
documented to ePHI. To recover the lost data, I will put recovery control measures in place.
According to (HealthITSecurity.com; Awasthi, 2020), the security rules require all healthcare
organizations to have disaster recovery plans and backups for the PHI. To comply with this, I
will ensure I have them in place. Similarly, I will develop contingency plans that will help
develop policies and procedures to be used in emergency response or system failures.
HIPAA regulations recommend the use of encrypted EHR systems and backups. For this reason, we
will review the backup policies and consider any other options. Additionally, as HIPAA
recommends, I will ensure regular backups and evaluate the infrastructure tools to ensure PHI is
well managed through administrative, physical and technical safeguards that comply with HIPAA.
As Omotosho et al. (2017) highlight the importance of safeguarding PHI, I will ensure proper
security of EHR at all levels. For this reason, staff accessing PHI will be trained on safety
measures to ensure patient privacy and safety.
Additionally, I will consider training all the healthcare stakeholders, since hackers can target
any of the stakeholders and steal their identity if they are connected to the EHR and other
systems. Since OCR has no set regulation on a specific technology to be used on PHI, I will
develop the appropriate security measures depending on the audit report. Equally, I will weigh
the option of having a separate server, set apart from other systems, and ensuring information
is backed up regularly. I will make sure the entire PHI file in the system and single files are
encrypted. Therefore, all electronic medical archives, medical images, payment claims, and
healthcare emails with PHI will be encrypted; this way, I will minimize any likelihood of risk
occurrence. According to Ismail et al. (2014), having internal control measures helps manage
the risks. Therefore, I will ensure there are sufficient internal control management measures. I
will also ensure that information process controls and auditing of information are conducted
according to the set regulations and as Tiffin et al. (2019) recommend. These measures will
enable us to mitigate and reduce data exposure. Also, they will provide good control measures,
ensure improved data governance and stewardship, and help in ensuring compliance with relevant
regulations.

Section C: Network Security
4.0 Network Security
According to hhs.gov, HIPAA security regulations require healthcare organizations to secure
information during data creation, transmission, receipt, and maintenance. Similarly, the privacy
rules require that the technology, devices, process, and configuration designs ensure data
protection and confidentiality. Therefore, healthcare organizations should use software or
anti-malware technology to configure devices and protect their integrity, confidentiality, and
accessibility.

4.1 Specific assets relevant to a typical healthcare network
According to (HealthITSecurity.com), healthcare facilities are required to identify and document
assets in the organization. Some of the assets are as detailed in Table 1 below.

Table 1: Details of specific assets

Asset category: Information Assets
Specific assets:
- Backup procedures, user manuals, system and software documents, PHI, database, patient
  details, information services, archived information, and accounting ledger, among others.
Asset details: This includes disclosed patient health information, operating policies, and
details of third party contracts.

Asset category: Physical Assets
Specific assets:
- Communication assets (networks, routers, telephones)
- Computing equipment (computers, laptops, firewalls)
- Mechanical equipment (dialysis equipment)
Asset details: Physical assets owned and held by the healthcare facility.

Asset category: Personal Assets
Specific assets:
- All personnel (system administrators, healthcare practitioners, third party staff)
Asset details: People are the key asset in a healthcare organization; they provide, manage, and
use patients' data.

Asset category: Software Assets
Specific assets:
- System applications (billing systems, clinical medical systems)
- Communication software (encryption tools, finance/HR systems, operating systems, and licenses)
- Special systems (antivirus, software)
Asset details: Software assets provide information connecting different networks within the
organization and offer protection of the transmitted information.

Asset category: Intangible Assets
Specific assets:
- Brand names, copyrights, reputation, goodwill, trust
Asset details: They are a valuable asset to an organization; they determine the continuity and
image of the business.


4.2 Threats and assess vulnerabilities
HITECH Act regulations require healthcare providers to conduct a risk assessment to identify
threats and assess vulnerability (healthitsecurity.com). These threats will be based on the
assumption that the healthcare facility under consideration is operating in one of the
developing countries where there is a scarcity of resources (Pankomera and van Greunen, 2017).
As a result, I assume that the healthcare facility should consider the threats and
vulnerabilities below when assessing the risk that is likely to affect its information system.

Table 2: Threats and vulnerabilities

Asset category: Information Assets
Threats:
- Breach of contractual agreement
- Destruction of records
- Misuse of PHI
- Loss of information
- Poor infrastructure
- Information leakage
- Limited information connectivity
Vulnerabilities:
- Lack of proper backup procedures
- Lack of secure storage room or systems
- Unprotected public network connections
- Lack of enough funds to improve the infrastructure
- Poor password management

Asset category: Physical Assets
Threats:
- Unauthorized access to telephones, computers and restricted areas
- Failure of supporting utilities like electricity
- Hardware failure
- Fire
- Flooding
- Scarcity of key drugs or equipment
Vulnerabilities:
- Careless control and access to offices or rooms
- Poor machine maintenance and faulty installations
- Poor physical protection for buildings and doors

Asset category: Personal Assets
Threats:
- Interoperability infrastructure
- Fraud
- Access to network by unauthorized persons
- Staff error
- Low or poor technology acceptance and use
- Inadequate human capital
Vulnerabilities:
- Unsupervised work
- Lack of a third party staff monitoring system
- Non-existence of security awareness
- No log outs after using a system or leaving work
- No segregation of duties

Asset category: Software Assets
Threats:
- Unauthorized access and use of software
- Software error
- Using software in an unauthorized way
- Unlawful use of software
- Lack of enough funding for buying required software
Vulnerabilities:
- Poor password management by IT personnel
- Lack of updates or use of outdated software
- Failure to remove access rights after staff resignation or termination
- Lack of access control policies

Asset category: Intangible Assets
Threats:
- Staff violation of intellectual property
Vulnerabilities:
- Lack of staff morale to work


4.3 Risk analysis
According to Pankomera and van Greunen (2017), risk can be analysed by combining the likelihood
of a threat happening with the level of impact, which can give rise to several risks. Table 3
below gives some of the risks likely to happen, based on the above assumptions.

Risk: Information Assets
Likelihood: Healthcare is assumed to have poor infrastructure; thus, the risk of losing and
misusing information is high. Also, since resources are limited, the assumption is that most of
the data is likely to leak from one department to the other, hence a high risk of the data
being lost or destroyed.
Impact: Most severe type of impact if data is lost

Risk: Physical Assets
Likelihood: The likelihood of damage to physical assets is low, on the assumption that there is
proper physical security for the premises.
Impact: Low impact on network security

Risk: Personal Assets
Likelihood: Assuming that a single person is allocated different responsibilities, there is a
high likelihood of staff error and of low or poor use of technology due to financial constraints.
Impact: High

Risk: Software Assets
Likelihood: Assuming the organization currently has adequate controls to protect against
unauthorized access and use of software, the likelihood of such an assessment is medium. Also,
it is believed that most machines, software, and files are encrypted.
Impact: Medium

Risk: Intangible Assets
Likelihood: There is no likelihood of any occurrence or violation of intangible assets,
assuming that there are effective measures in place and employee morale is high.
Impact: Very low


4.4 Security controls mitigating the risk
The security controls to be developed are based on the assumption that, in most developing
countries:
• There is no segregation of duties in most healthcare facilities.
• Due to lack of financial capabilities, information security management is not well
established.
• Each organization has its challenges, and most small healthcare organizations will
combine multiple responsibilities into a single role.
• Most small healthcare organizations will engage third party staff to work in sensitive
areas, like doing surgery.

Table 4: Security controls, strengths and weaknesses

Security controls:
- Implement audit mechanisms and conduct independent reviews
- Logical controls, clear and practical security policies
- Encourage use of manuals and training
- Use of antivirus

Strengths:
- Conducting frequent audits ensures consistency in the application of safety measures and
  identifies risk early enough
- Develop and implement internal control measures to cover all systems and areas to ensure
  security
- Restricting access to the system limits the likelihood of asset destruction
- Encourage the use of a firewall to protect sensitive data
- Training of staff increases their understanding of the system, and helps in mitigating some
  of the risks
- Using antivirus as a guard against malware and viruses will scan out any phishing emails

Weaknesses:
- Understaffing, in most healthcare organizations, might render the exercise unsuccessful and
  fail to attain the intended objectives.
- Training on new systems requires the involvement of a third party, who might access
  sensitive information without the organization's knowledge
- Where specialized staff training is required, there could be a probability of the team
  determining management measures, hence there is high-risk acceptance
- Advancement in technology may render some of the antivirus out-dated, making its application
  unproductive


4.5 Formulation of Security policy for the organization in charge of network
Network Information Security Policy
A security policy is meant to document an organization's ways of protecting its assets from threats
and how to handle such conditions when they occur. The security policy keeps employees
updated on the organization's security policies and should be updated regularly (see Appendices 2).

5.0 Recommendations and Conclusion
Access, identity theft, and breach of personal health information are on the rise. As a result, it is
essential for healthcare facilities to protect patients' data and records and the confidentiality and
privacy of that data. Therefore, it is recommended that all health providers mitigate the threats
to and vulnerabilities of the information, systems, and healthcare assets. To attain this, healthcare
providers must work toward developing and implementing risk management policies that meet
all stakeholders' needs. Similarly, health organizations should consider employing measures that
protect the healthcare environment, including administrative, technological, physical safeguard,
and organizational measures, among others. These consist of training employees, ensuring
offices are locked, and encrypting machines, networks, and information. Healthcare organizations
should develop contingency, disaster, and business continuity plans for system or machine
failure and natural hazards, among others.
In conclusion, patients' information contains sensitive data that must be protected. Protecting
patients' information ensures privacy protection and confidentiality for the patient. Therefore,
healthcare providers should work as a team in providing information security. Additionally, it is
advisable for all healthcare facilities, regardless of size, to adhere to the various healthcare regulations
to avoid a breach of the agreement between the healthcare provider and the patient as well as other
stakeholders. This will be made possible by ensuring efficient information maintenance.
Lastly, a healthcare facility consists of a network of systems classified into various assets; these
assets contribute to healthcare operation. Therefore, organizations should ensure the protection
of network security, its management, and the mitigation of risks.

Reference
Abdmouleh, M.K., Khalfallah, A. and Bouhlel, M.S., 2014, April. An overview on cryptography
and watermarking. In the International Conference on Computers, Automatic Control,
Signal Processing and Systems Science (pp. 2-4).
Awasthi, A., 2020. Disaster Recovery-Foundation Pillars. Int Sci Res, 9(1), pp.1360-1362.
Barker, E. and Roginsky, A., 2018. Transitioning the use of cryptographic algorithms and key
lengths (No. NIST Special Publication (SP) 800-131A Rev. 2 (Draft)). National Institute
of Standards and Technology.
Chandra, S., Paira, S., Alam, S.S. and Sanyal, G., 2014, November. A comparative survey of
symmetric and asymmetric key cryptography. In 2014 International Conference on
Electronics, Communication and Computational Engineering (ICECCE) (pp. 83-93).
IEEE.
Fulmer, K.L., 2015. Business Continuity Planning: A Step-by-Step Guide with Planning Forms.
Rothstein Publishing.

23 | Page
Goguen, A., Stoneburner, G. and Feringa, A., 2017. Risk management guide for information
technology systems and underlying technical models for information technology
security. Retrived from https://www. amazon. com/Management-Information-Technology-
Underlying-Technical/dp/0756731909.
Gordon, W.J. and Catalini, C., 2018. Blockchain technology for healthcare: facilitating the
transition to patient-driven interoperability. Computational and structural biotechnology
journal, 16, pp.224-230.
Hayhurst, C., 2014. Is your patient data secure?. Biomedical Instrumentation &
Technology, 48(3), pp.166-173.
https://ehrintelligence.com/news/180m-ehr-implementation-project-approved-at-uw-medicine
https://healthitsecurity.com/news/healthcare-data-encryption-not-required-but-very-necessary
https://www.cryptomathic.com/news-events/blog/differences-between-hash-functions-
symmetric-asymmetric-algorithms
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime
Islam, S.H., Khan, M.K. and Li, X., 2015. Security analysis and improvement of ‘a more secure
anonymous user authentication scheme for the integrated EPR information system’. PloS
one, 10(8), p.e0131368.
Ismail, S., Sitnikova, E. and Slay, J., 2014, August. Using integrated system theory approach to
assess security for SCADA systems cyber security for critical infrastructures: A pilot
study. In 2014 11th International Conference on Fuzzy Systems and Knowledge
Discovery (FSKD) (pp. 1000-1006). IEEE.
Juddoo, S., George, C., Duquenoy, P. and Windridge, D., 2018. Data governance in the health
industry: Investigating data quality dimensions within a big data context. Applied System
Innovation, 1(4), p.43.
Kierkegaard, P., 2015. Interoperability after deployment: persistent challenges and regional
strategies in Denmark. Int J Qual Health Care, 27(2), pp.147-153.
Kruse, C.S., Smith, B., Vanderlinden, H. and Nealand, A., 2017. Security techniques for the
electronic health records. Journal of medical systems, 41(8), p.127.
Mendonça, V., Gallagher, T. and Hendryx, N., 2019. Medical error: concept, characterization
and management. Saúde e Sociedade, 28, pp.255-266.

24 | Page
Mouha, N., Raunak, M.S., Kuhn, D.R. and Kacker, R., 2018. Finding bugs in cryptographic hash
function implementations. IEEE transactions on reliability, 67(3), pp. 870-884.
Mulig, E.V., Smith, M. and Stambaugh, C., 2014. Identity hack! Is your company
next?. Strategic Finance, December, 96(6), pp.33-39.
Omotosho, A., Emuoyibofarhe, J. and Meinel, C., 2017. Ensuring patients' privacy in a
cryptographic-based-electronic health records using bio-cryptography. International
Journal of Electronic Healthcare, 9(4), pp.227-254.
Padhi, M. and Chaudhari, R., 2017, December. An optimized pipelined architecture of SHA-256
hash function. In 2017 7th International Symposium on Embedded Computing and
System Design (ISED) (pp. 1-4). IEEE.
Pankomera, R. and van Greunen, D., 2017, May. Mitigating vulnerabilities and threats for
patient-centric healthcare systems in low income developing countries. In 2017 IST-
Africa Week Conference (IST-Africa) (pp. 1-11). IEEE.
Primeau, D. and RHIA, F., 2017. How Small Organizations Handle HIPAA
Compliance. Journal of AHIMA, 88(4), p.18.
Rasjid, Z.E., Soewito, B., Witjaksono, G. and Abdurachman, E., 2017. A review of collisions in
cryptographic hash function used in digital forensic tools. Procedia computer
science, 116, pp.381-392.
Robichau, B.P., 2014. Healthcare information privacy and security: Regulatory compliance and
data security in the age of electronic health records. Apress.
Shankar, S.K. and Tomar, A.S., 2016, May. A survey on wireless body area network and
electronic-healthcare. In 2016 IEEE International Conference on Recent Trends in
Electronics, Information & Communication Technology (RTEICT) (pp. 598-603). IEEE.
Spies, T., 2017. Public Key Infrastructure. In Computer and Information Security Handbook (pp.
691-711). Morgan Kaufmann.
Swinglehurst, D., 2014. Displays of authority in the clinical consultation: A linguistic
ethnographic study of the electronic patient record. Social Science & Medicine, 118,
pp.17-26.
Taylor, L., Floridi, L. and Van der Sloot, B. eds., 2016. Group privacy: New challenges of data
technologies (Vol. 126). Springer.

25 | Page
Tiffin, N., George, A. and LeFevre, A.E., 2019. How to use relevant data for maximal benefit
with minimal risk: digital health data governance to protect vulnerable populations in
low-income and middle-income countries. BMJ Global Health, 4(2), p.e001395.
Wissmann, S., 2015. Addressing challenges to the health information management profession: an
Australian perspective. Perspectives in Health Information Management, (International
issue).
Yaraghi, N., 2016. Hackers, phishers, and disappearing thumb drives: Lessons learned from
major health care data breaches. Center for Technology Innovation at Brookings.

Appendices
Appendices 1: Robust policy for XYZ Healthcare Facility

Information Security Policy
1.0 Aim
The purpose of this policy is to establish guidelines on how cryptographic information will be
configured, maintained, and accessed by the relevant users in the XYZ Healthcare Facility.
Practical implementation of the policy will minimize unauthorized access to XYZ Healthcare
Facility protected healthcare information.

2.0 Scope
The policy applies to EHR and EPR systems owned and operated by, and registered under XYZ.
This policy ensures the safety of the systems and the information contained therein.

3.0 Policy
Authorized staff should operate the systems responsibly and should administer system
safety. Each member of personnel must maintain the approved keys, administration and management
guidelines, and security measures. The IT personnel must monitor configuration compliance and
implement policies, tailored to XYZ, for access to systems using mobile phones and webmail.

• Each department must establish proper exchange and handover of PHI keys.
• The EPR and EHR systems, server, and all portable drives must be registered within the
organization's policies, have security keys, and be encrypted.
• Information from EPR and EHR systems must be backed up and kept up to date.
• All machines and portable drives connected to the server must be encrypted.
• Configuration changes must be per HIPAA and HITECH regulations.
• All PHI files, whether the entire set in the system or single files, must be encrypted.

4.0 General guidelines
• Access to services must be logged and protected through access controls.
• No trust relations will be allowed between systems and groups unless there is a disaster.
• Servers, office computers, and laptops must not be operated from open areas.

5.0 Monitoring
• All related security events on EHR and EPR must be logged, and the audit trails saved.
• Weekly back up should be safely
• Monthly backups should be maintained for three years.
• Any security-related event or logs should be reported to the IT personnel.

6.0 Compliance
System audits are to be performed regularly by the authorized organization.

7.0 Enforcement
Any XYZ healthcare personnel found to violate this policy will be subject to disciplinary
action, and the organization may decide to terminate their contract.

Appendices 2: Formulated Network Information Security Policy
Document control
The electronic version of this document will be recognized as the only valid version to be used.
Document Location: <Where to access the policy>
Review Frequency: This document will be reviewed every 1 year
Document Sensitivity: Highly sensitive
Approval History
Approver(s) | Title | Approved Date
<Approving body> | <Title of approving/ Individual> | <Date of approval>
Revision History
Version No. | Version Date
<001> | <4th July 2020>
[1.] Purpose
The purpose of this policy is to develop and institute administrative procedures and technical
guidelines on asset protection to ensure network security for <company name>.
[2.] Scope
The policy will apply to all areas of <company name> computer networks, computers,
telephones and data communication systems administered and owned by <company name>.
[3.] Policy
All information transmitted over the company networks that is not identified as originating
from a party with whom the company has a contractual agreement to transport such
information will be deemed to be a company asset. The company policy prohibits any
unauthorized access, duplication, disclosure or sharing of information, modification, misuse, loss
or destruction of company assets.
[4.] Responsibility
The IT manager is responsible for all of the organization's systems, including the operation, maintenance,
administration, and management of the company's information system. Also, the IT manager will be
responsible for the company's IT infrastructure services and network and computer security. Any
other staff member in possession or operation of any company asset, such as telephones or lab systems, is
responsible for the system, information and security on such asset.
[5.] System access control
All computers connected to the company network must have passwords, and unauthorized
access to such assets is not permitted. Also, the end user of a company password is obliged to effectively protect it
and protect the intellectual property of the company. All machines or systems must be logged off
after use. No trust relations will be allowed between systems and groups. Additionally, all
network access passwords must be revoked after a certain period, and the IT manager is to provide new
passwords or keys. No local network should be established. All users must use and keep the
approved virus scanning software, and users will be held responsible for damages resulting from
viruses. All personal computer users are in charge of backing up information, and periodic backups
will be taken. All information and systems will be encrypted using the company's approved
encryption method.
[6.] Physical security
All company network assets and equipment must be physically protected, with no access to
physically restricted areas. All employees must keep network information under lock and key.

[7.] Compliance
Network system audits are to be performed regularly by the authorized organization.

[8.] Enforcement
Any staff found to violate this policy will be subjected to disciplinary