The NHS finance department claimed that 15% of its total budget is spent on collecting data; such a high figure indicates that information is one of the most valuable assets within the organization. The current government believes that information technology would benefit the economy, increase enterprise profits and improve the performance of national institutions as a whole; in fact, many organizations, including the NHS, rely on their IT assets to support their business missions and achieve their goals. Although IT provides a huge range of services and saves time and effort, it is important to consider the risks it presents: the IT disaster that struck the ambulance service in 1992 is still regarded as a tough lesson for the NHS. Despite all the assets that the 1992 IT disaster compromised, senior managers still believe that the use of IT to store information, whether about staff or patients, is unavoidable. The head of the IT health department stated that the NHS understands the risks that the whole organization faces, but claimed that it is still worth devoting computers to keeping track of patient records and staff performance.
System characterization
An appropriate information gathering technique is essential to performing the risk assessment task. All IT departments in the NHS have a special budget to spend on their projects, and this budget is reviewed annually. The IT managers responsible for the strategic missions of the IT projects make their decisions on the basis of the risk assessment report, whether it is produced by the appropriate department within the organization itself or by an outsider. To carry out a proper risk assessment it is crucial to have a deep knowledge of the current system in place: the hardware and software assets used by staff members should be documented, and the system interfaces that the nurses usually deal with should be examined, in order to establish the system boundaries and better understand the criticality of the data. After analysing the current controls and determining the risks and their business impact, the risk analyst must propose countermeasures to protect the integrity, availability and confidentiality of the system in place.
Threat identification
Threat identification is considered the most critical part of the process; it therefore requires a systematic investigation that follows a defined set of regulations and standards. Legally speaking, ISO 27002 provides clear guidance that the risk analyst should comply with. The NHS is a very large organization with a very complex network spread over a wide geographic area, so it seems impossible to produce a single statement of the vulnerabilities that an inside or outside threat could exercise; the analyst should instead set system boundaries to define the real scope of the process. Because a threat can only succeed by exercising a vulnerability, it makes sense to investigate the vulnerabilities first: the more of the organization's weaknesses are known, the easier it is to propose solutions and countermeasures.
Vulnerability source:
Identifying a vulnerability also means investigating its source: this can be an intentional method of exploiting the vulnerability, or a source of weakness that accidentally triggers it and allows the threat to be exercised.
A threat source may be defined as any circumstance that can cause harm to the system; it can be human, natural or environmental. A human threat can be intentional or unintentional; this is detailed later in the table where the human threats are listed.
The table below shows the potential human threats, their sources of motivation and the threat actions that can be exercised. Its columns were Threat, Threat source ID (T1 to T18), Reason/Motivation and Threat action; only the following cells survive on the page, so the individual rows cannot be rebuilt:

Human threats
- Threat source: nurses, doctors and all insiders who interact with the system.
- Motivation: blackmail, revenge, disruption, causing harm.
- Threat action: denial of service, system tampering, physical attacks (bombs, for example).

Technical threats
- Power failure: national power suspension, fire, or a deliberate act of power suspension.
- Password hacking: attempt to get access to the patient database.
- Malicious software (viruses/worms/Trojan horses): "Out-dated security so" (the cell is cut off on the page).
The table above lists the potential human threats; however, it is also important to consider natural threats such as floods and fire. In today's buildings, health and safety regulations make disasters caused by fire or floods unlikely. Fire and flood threats can nevertheless be caused by human negligence, or occur as a result of a natural disaster, as can earthquakes.

Vulnerability identification:

A flaw or weakness in the implementation of the system's security, or a security breach, presents the risk of a threat successfully exploiting it. I have previously listed in the table the most common human threats and their sources of motivation; the table below indicates the association between the threat and vulnerability pairs. It is worth noting that in a proper investigation, which should be consistent with the ISMS standards, the system already in place should be documented.

Vulnerability/threat associations:

Vulnerability ID | Vulnerability | Threat source | Definition / threat action

Non-technical vulnerabilities
V1 | Dismissed employee IDs are not deleted from the NHS database (e.g. doctors, nurses) | Terminated employees who want revenge or are after monetary gain | Using the old ID number and accessing the database, whether to compromise it or for a criminal attempt
V2 | (cell not recoverable) | Any patient or member of staff walking around the premises (patients, visitors, cleaners, nurses, doctors) | "patient information" (only this fragment of the cell survives)
V3 | Flaws or weaknesses identified by the vendors, but no action has been taken yet | Outsiders/vendors | (cell not recoverable)
V4 | CCTV available on the premises allows security guards to look over the keyboards | (cell not recoverable) | (cell not recoverable)

Technical vulnerabilities
V5 | Inbound telnet is allowed by the firewall; packets sent from a user with a guest ID can reach the NHS servers | Terminated employees, hackers, terrorists | Using telnet packets to browse locked files
V6 | Shared WiFi network | Staff/visitors/outsiders | (cell not recoverable)
V7 to V11 | (rows not recoverable from the page) | |
The goal of the whole project is to propose an adequate solution for the weaknesses and threats within the system and among the people interacting with it; the solution should be reasonable and must not contradict the organization's mission. Electronic records within the NHS are a relatively new project. It is nevertheless unavoidable to assess the current controls already in place; if the current controls do not satisfy the security requirements, this should be documented and taken into consideration.
The following table lists the most common requirements with a brief explanation, in a top-down approach (from the senior management of the NHS down to the technical department).
Security area | Requirements
Management security | Is the assignment of responsibilities done in a consistent manner? Is security awareness training done periodically? Do the nurses understand the risks they may face if they do not comply with the security in place? Is there an adequate security application in place? If so, does it respond to the threats identified in the table above? Is the electrical power supply controlled?
Operational security | Are there contingency plans if the power system breaks down? Are there fire, humidity, temperature and smoke alarms?
Technical security | Is communication across the network between the headquarters and the hospitals efficient? (This entails system interconnections and routers.)
Not only do these initial controls allow the NHS IT departments to gain a better understanding of the risks they may face; they also provide legal protection in case of a system breakdown or employee misconduct.
Control analysis
Control methods:

1. Technical controls:

The access control mechanisms, intrusion detection systems, firewalls and all other security features should be examined at this phase of the risk assessment; the faults of the system can be uncovered through on-site interviews or questionnaires with the NHS technical staff. The NHS uses a centralised network that links the hospital servers with the headquarters and the GPs (nhscareer.nhs.co.uk). The most common disadvantages of this type of network are the following:
- Heavy time consumption
- Difficulty in reaching the end users
- Inflexibility
- Increased dependence and vulnerabilities
According to the House of Commons report on the new implementation, the points above were addressed accurately and the project managers gave assurance that the system will still benefit the NHS.
2. Operational controls:

The operational security department of the NHS is responsible for setting the policies and procedures that the staff should comply with; it is also the responsibility of security management to make the staff aware that a breach of these policies will lead to disciplinary action against them. This type of control also covers personnel, environmental and physical security.
Control categories:
The risk assessment part of the ISO 27002 standard suggests two categories of controls: detective and preventive controls. With regard to the NHS case, I suggest the following:

Preventive controls:
- CCTV control over the premises to detect any behaviour that violates the policies put in place.
- Access control enforcement within the system: since the staff need to go through the authentication phase, any breach will automatically record the user's information and report it in a dedicated log file.

Detective controls: any kind of sanction warning, audit trails and IDS methods.
Impact analysis
This part of the qualitative analysis deals with the potential losses in terms of data quality and insurance.

System mission

The system is expected to store all the patients' records as well as their medical histories; the aims of this implementation are to save time and to help the GPs make decisions about patient treatment. A disaster resulting from the exploitation of any of the threats listed above can affect the integrity, confidentiality and availability of the patients' information.

Loss of integrity

Loss of integrity can occur intentionally or accidentally; the lack of training of the staff interacting with the system leaves patient data vulnerable to deletion or modification and can lead doctors to make erroneous decisions. Loss of integrity also makes deliberate attacks against the system more likely to succeed.

Loss of availability

Losing the information at the time it is most needed exposes patients' lives to danger, especially if the same system is installed in A&E, the department that usually deals with emergency situations.

Loss of confidentiality

This has been the main concern in public opinion; a loss of confidentiality can expose the NHS to legal action, and it basically refers to the protection of the patient's medical history against unauthorized disclosure. There are several national and international regulations relating to data confidentiality, such as the Data Protection Act 1998 and the Computer Misuse Act.
The purpose of this step is to assess the level of each risk and to define the priorities for dealing with it according to the magnitude of its impact; the table below summarises the risks in order of priority, with a scale given for each risk.
Risk matrix:

Risk ID | Risk description | Likelihood level | Magnitude of impact | Risk level | Impact on CIA

The likelihood, impact and risk-level cells did not survive on the page; only the descriptions below remain, and the only Impact on CIA entry left is "Loss of Confidentiality".

R1 to R5 (four descriptions survive, not mapped to their IDs):
- Flaws or weaknesses identified by the vendors, but no action has been taken yet.
- Creating an electronic file without the approval of the patient.
- Security guards participating in a criminal act using CCTV.
- The visitor can be a computer expert or a hacker.

Technical risks (R6 to R10):
- R6: Denial of service.
- R7: Inbound telnet is allowed by the firewall; packets sent from a user with a guest ID can reach the NHS servers.
- R8 to R10: descriptions not recoverable from the page.
Quantitative approach:

This part of the process deals with the potential loss that may occur within the NHS department on an annual basis: each asset, whether tangible or intangible, is given a specific value that determines its criticality within the whole system. What distinguishes the qualitative from the quantitative approach is that the former is opinion based; even so, the values assigned to each asset may differ between experts. In the interest of fairness, although I have suggested a value for each asset, I have also given the general formula for calculating the potential loss, in case a risk assessor does not agree with the values I have suggested.
Asset | Asset value | Exposure factor | SLE | ARO | ALE
(name missing on the page) | 500,000 | 45% | 225,000 | 25% | 56,250
Servers | 300,000 | 30% | 90,000 | 35% | 31,500
(name missing on the page) | 40,000 | 10% | 4,000 | 50% | 2,000
Patients database | 600,000 | 60% | 36,000 | 65% | 234,000
Personnel | 600,000 | 60% | 36,000 | 50% | 18,000
Keys:

EF: exposure factor. SLE: single loss expectancy. ARO: the annualised rate of occurrence (how often the loss is expected during the year). ALE: the annual loss expectancy.

Formulas:

SLE = asset value x EF
ALE = SLE x ARO

The value given for each asset does not represent its real price, but the potential loss if it is compromised. In order to roughly calculate the cost benefit, I have added up the annual loss expectancy for each asset. Therefore, the ALE before implementing the countermeasure is: 56,250 + 31,500 + 2,000 + 234,000 + 18,000 = 341,750
Conclusion:
The cost of the countermeasure should not exceed 341,750
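As an added example (not code from the report), the following Python applies the report's SLE and ALE formulas to its asset table, flags the rows whose stated SLE or ALE does not follow from the formula, totals the ALE to reproduce the 341,750 figure, and extends the method to the usual net-benefit check for a countermeasure; the halving of losses and the 120,000 yearly cost in the last lines are constructed assumptions.

```python
# Added example, not part of the original report: applies SLE = asset value x EF
# and ALE = SLE x ARO to the report's asset table, flags rows whose stated
# SLE/ALE do not follow from those formulas, sums the ALE, and extends the
# method to the usual cost-benefit check for a countermeasure. Asset values and
# percentages come from the report; the countermeasure figures are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # potential loss if compromised, not purchase price
    exposure_factor: float  # EF: fraction of the value lost in one incident
    aro: float              # ARO: expected number of incidents per year
    stated_sle: float       # SLE as written in the report's table
    stated_ale: float       # ALE as written in the report's table

    def sle(self) -> float:
        return self.value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro

# Rows in the order they appear; the first and third rows carry no asset name on the page.
REPORT_ASSETS = [
    Asset("row 1 (unnamed)", 500_000, 0.45, 0.25, 225_000, 56_250),
    Asset("Servers", 300_000, 0.30, 0.35, 90_000, 31_500),
    Asset("row 3 (unnamed)", 40_000, 0.10, 0.50, 4_000, 2_000),
    Asset("Patients database", 600_000, 0.60, 0.65, 36_000, 234_000),
    Asset("Personnel", 600_000, 0.60, 0.50, 36_000, 18_000),
]

def inconsistent_rows(assets):
    """Names of rows whose stated SLE or ALE differs from the formula result."""
    return [a.name for a in assets
            if abs(a.sle() - a.stated_sle) > 0.5 or abs(a.ale() - a.stated_ale) > 0.5]

def total_ale(assets, use_stated=False):
    """Annual loss expectancy summed over all assets: the 'before' figure."""
    return sum(a.stated_ale if use_stated else a.ale() for a in assets)

def countermeasure_net_benefit(ale_before, ale_after, annual_cost):
    """Positive when the yearly reduction in expected loss exceeds the cost."""
    return (ale_before - ale_after) - annual_cost

if __name__ == "__main__":
    print("rows not matching the formula:", inconsistent_rows(REPORT_ASSETS))
    before = total_ale(REPORT_ASSETS, use_stated=True)  # the report's 341,750
    # Constructed assumption: a control halving the expected loss for 120,000 a year.
    print("net benefit of the control:", countermeasure_net_benefit(before, before / 2, 120_000))
```

Running it shows which rows of the table need their SLE or ALE rechecked before the 341,750 ceiling is relied on, since the cost-benefit conclusion inherits any error in the row figures.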
Risk mitigation
All the managers within the NHS need to come to terms with the fact that it is almost impossible to eliminate all risk; it is imperative to work out the least-cost approach to responding to all the risks presented.

It is up to senior management to decide whether the risks are acceptable or not, or whether they should be transferred. The NHS assumes that there are many risks related to its system. With regard to hacking and deliberate corruption of the system, the potential loss is much bigger than the attacker's gain; this reasoning suggests that the risks of a system attack are unacceptable. This example is one of many risks that the organization may face.

The table below shows the decisions that should be made with regard to the risks identified in the previous sections:
Risk | Priority | Action to be taken

The rows of this table did not survive on the page intact; the cells that remain are listed by column.

Risks:
- Updating the database without prior consent from the neighbour.
- Filling in an opt-out form on behalf of another patient.
- Opting out may be too complex for elderly patients.
- Nervous breakdowns lead patients to delete their records.

Priorities recorded: High, Medium, Low.

Actions to be taken: Limitation, Avoidance, Transference, together with the specific measures:
- Require the patient's signature unless under mitigating circumstances.
- Devote the help desk to providing the necessary advice.
- Assess the patient's state of mind before deleting the records.