
Introduction:

The NHS finance department claimed that 15% of its total budget is spent on collecting data; such a high figure indicates that information is one of the most valuable assets within the organization. The current government believes that information technologies would benefit the economy, increase enterprises' profits and improve the performance of national institutions as a whole; in fact, many organizations, including the NHS, rely on their IT assets to support their business missions and achieve their goals. While IT can provide a huge range of services and save time and effort, it is important to consider the risks it can present: the IT disaster that happened in 1992 in relation to the ambulance department is still regarded as a tough lesson for the NHS. Despite all the assets that the 1992 NHS IT disaster compromised, senior managers still believe that the use of IT to support information storage, whether related to the staff or the patients, is unavoidable. The head of the IT health department stated that the NHS understands the risks that the whole organization faces, but he claimed that it is still worth devoting computers to keeping track of patient records and staff performance.

The scope of the effort:


This report seeks to investigate and assess the risks that the recent electronic records system implemented within the NHS can present. The information used to carry out this research has been brainstormed, as a proper investigation of the root problem should follow specific standards, such as questionnaires and onsite interviews, which is beyond the scope of this project; I have, however, added a special appendix at the end of this report which contains sample questions usually used by specialised companies to gather the information needed to carry out a risk assessment. Many newspapers and magazines took the NHS project as a matter of concern, commenting on a few doctors' statements: some of them regard the implementation of the project as a giant step forward, whereas others believe that it is a breach of the patients' privacy, and that the information retrieved from the system implemented for doctors is sometimes inaccurate, relying on the fact that 10% of the records were uploaded wrongly in some areas of Birmingham. These records still present a high potential risk for both patients under treatment and doctors, as any mistake made on a patient may bring doctors to face legal action against them.

System characterization

An appropriate information gathering technique is essential to perform the risk assessment task. All IT departments in the NHS have a special budget to spend on their projects, and this budget is reviewed annually. The IT managers, who are responsible for the strategic missions of the IT projects, make their decisions on the basis of the risk assessment report, whether it is made by the appropriate department within the organization itself or by an outsider. To carry out a proper risk assessment, it is crucial to have a deep knowledge of the current system in place: the hardware and software assets in use by staff members should be documented, and the system interfaces that the nurses usually deal with should be examined, in order to come up with the system boundaries and better understand the data criticality. After analysing the current controls and determining the risks as well as their business impact, the risk analyst must propose countermeasures to protect the integrity, availability and confidentiality of the system in place.

Threat identification
The threat identification is considered the most critical part of the process; it therefore requires a systematic approach that follows a set of regulations and standards. Legally speaking, ISO 27002 provides clear regulations that the risk analyst should comply with. The NHS is a very large organization with a very complex network spread over a wide geographic area; although it seems impossible to create a single statement of the vulnerabilities that can be exercised by an inside or an outside threat, the analyst should set system boundaries to define the real scope of this process. Since a potential threat can only do harm by exercising a vulnerability, it makes sense to investigate the vulnerabilities first: the more weaknesses within the organization are known, the easier it is to propose solutions and countermeasures.

Vulnerability source:
Identifying a vulnerability also leads to investigating the vulnerability source: this can be an intentional method to exploit the vulnerability, or a source of weakness that can accidentally trigger it and allow the threat to be exercised.

The threat source may be defined as any circumstance which can cause harm to the system; it can be human, natural or environmental. A human threat can be intentional or unintentional; this part is detailed later in the table where the human threats are listed.

Motivation and threat actions:


This phase of the process identifies the reasons that drive people who interact with the NHS system to compromise the data or bring the IT system to a potential disaster; this can be done in many different ways, such as reviewing past reports from the employees or the help desk. This is a relatively difficult task, as the risk analyst within the NHS must get this information from the employees themselves; the information has to be honest, and employees usually find it difficult to give out the right information. According to ISO 27002, the information gathered from the employee should be kept strictly confidential and not be disclosed to any supervisor, and the nurses or any other member of staff who interact with the statement need to understand the risk that the organization might face; it is also the duty of the risk analyst to assure that any previous breach or misconduct by the employee will not go into his personal file.

The table below shows the potential human threats, the sources of motivation and the threat actions that can be exercised (columns: Threat, Threat source, ID, Reason/Motivation, Threat action):

Non technical threats

T1 - Threat source: nurses, doctors and all insiders who interact with the system.
Reason/Motivation: poor training, lack of security awareness, malicious behaviour, negligence, dishonesty, terminated employees' revenge, outside business-related companies' interest, curiosity, proving intelligence, monetary gain.
Threat action: unintentional errors, deletion, spelling mistakes, input of false information (or falsified data), patient information trading (selling personal information to medicine companies), accessing the system without authorization, illegal retrieval of the information, unauthorised system penetration, breach of personal privacy.

T2 - Threat source: industrial espionage from competitors.
Reason/Motivation: financial espionage, competition.

T3 - Threat source: terrorists (including the case of a warfare).
Reason/Motivation: causing harm.
Threat action: blackmail, revenge, disruption, denial of service, system tampering, physical attacks (bombs, for example).

Technical threats (T5 to T18)

Power failure - Source/Reason: national power suspension, fire, or a deliberate act of power suspension.

Password hacking - Source/Reason: attempt to get access to the patient database. Motivation: showing competence, money gain.
Threat action: password guessing, using staff IDs.

Malicious software - Source/Reason: out-dated security software.
Threat action: viruses/worms/Trojan horses.

The table above listed the potential human threats; it is also important to consider the natural threats, such as floods and fire, although in today's buildings health and safety regulations make disasters caused by fire or floods unlikely. Fire and flood threats can be caused by humans through negligence, or they can happen as a result of a natural disaster, as can earthquakes.

Vulnerability identification:

A flaw or weakness in the system security implementation, or a security breach, presents the risk of a threat successfully exploiting it. I have previously listed in the table the most common human threats as well as their sources of motivation; the table below indicates the association between the threat and vulnerability pairs. It is worth noting that in a proper investigation, which should comply with the ISMS standards, the system already in place should be documented.

Vulnerability/threat associations (columns: Vulnerability ID, Vulnerability, Threat source, Definition, Threat action):

Non technical vulnerabilities

V1 - Vulnerability: dismissed employees' IDs are not deleted from the NHS database (e.g. doctors, nurses).
Threat source: terminated employees who want revenge or act for money gain purposes.
Threat action: using the old ID number and accessing the database, whether to compromise it or for a criminal attempt.

V2 - Vulnerability: available computers for patients and visitors.
Threat source: any patient or member of staff walking around the premises (patients, visitors, cleaners, nurses, doctors).
Threat action: gaining access to the database, selling the patient information.

V3 - Vulnerability: flaws or weaknesses identified by the vendors, but no action has been taken yet.
Threat source: outsiders/vendors.
Threat action: getting access to sensitive information based on the system vulnerabilities.

V4 - Vulnerability: CCTV available in the premises allows security guards to surf over the keyboards.
Threat source: security guards participating in a criminal act.
Threat action: getting hold of the passwords needed to access the database.

Technical vulnerabilities

V5 - Vulnerability: inbound telnet is allowed by the firewall; the packets sent from a user with a guest ID can reach the NHS servers.
Threat source: terminated employees, hackers, terrorists.
Threat action: using telnet packets to browse locked files.

V6 - Vulnerability: shared WiFi network.
Threat source: staff/visitors/outsiders.
Threat action: finding a leakage within the packets and gaining access.

The goal of the whole project is to propose an adequate solution for the weaknesses and threats within the system and the people interacting with it; the solution should be reasonable and must not contradict the organization's mission. The electronic records within the NHS are a relatively new project; it is nevertheless essential to assess the current controls already in place: if the current controls do not satisfy the security requirements, this should be documented and taken into consideration.

The following table lists the most common requirements with a brief explanation, in a top-down approach (from the senior management of the NHS down to the technical department).

Security area / Criteria (in question form)

Management security:
- Is the assignment of responsibilities done in a consistent manner?
- Is the security awareness training done periodically? Do the nurses understand the risks they may face if they do not comply with the security in place?
- Is there an adequate security application in place? If so, does it respond to the threats identified in the table above?
- Is the electricity power supply controlled?

Operational security:
- Are there contingency plans if the power system breaks down?
- Are there fire, humidity, temperature and smoke alarms?
- Is there a periodic system audit?
- Is the patient data encrypted?

Technical security:
- Is the communication through the headquarters and hospitals network efficient? (This entails system interconnections and routers.)

Not only do these initial controls allow the NHS IT departments to have a better understanding of the risks they may face, but they also provide legal protection in case of a system breakdown or employee misconduct.

Control analysis

Control methods:

1. Technical controls:
The access control mechanisms, intrusion detection systems, firewalls, and all the security features should be examined at this phase of the risk assessment; the faults of the system can be retrieved through onsite interviews or questionnaires with the NHS technical staff. The NHS uses a centralised network system that links the hospital servers with the headquarters and the GPs (nhscareer.nhs.co.uk). The most common disadvantages of this type of network are the following:

- Heavy time consumption
- Difficulty to reach the end users
- Inflexibility
- Increased dependence and vulnerabilities

According to the House of Commons report on the new implementation, the points above were addressed accurately, and the project managers assured that the system will still benefit the NHS.

2. Non technical controls

The operational security department of the NHS is responsible for setting the policies and procedures that the staff should comply with; it is also the responsibility of the security management to let the staff know that a breach of these policies will lead them to face disciplinary action. This type of control also entails personnel, environmental and physical security.

Control categories:
The risk assessment part of the ISO 27002 standard suggests two categories of controls: detective and preventive controls. With regard to the NHS case, I suggest the following:

Preventive controls:
- CCTV control over the premises to detect any unacceptable behaviour towards the policies put in place.
- Access control enforcement within the system: as the staff need to go through the authentication phase, any breach will automatically record the user information and report it in a special log file.

Detective controls: any sort of sanction warning, audit trails and IDS methods.
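As an added example (not part of the report), the following Python shows what the audit trail named among the detective controls can be reviewed for: activity under the IDs of dismissed staff that were never removed (vulnerability V1) and password guessing against staff IDs. The log format, the staff IDs and the terminated-ID list are constructed for the example.

```python
"""Review a constructed access audit trail for the two misuse patterns the
report lists: activity under IDs of dismissed staff (vulnerability V1) and
password guessing against staff IDs. Added example, not the report's own."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: timestamp, staff ID, event, outcome
AUDIT_LOG = """\
2024-03-01T08:02:11 NUR1042 login success
2024-03-01T08:05:40 DOC0311 login failure
2024-03-01T08:05:52 DOC0311 login failure
2024-03-01T08:06:03 DOC0311 login failure
2024-03-01T08:06:15 DOC0311 login failure
2024-03-01T08:30:00 NUR0999 login success
2024-03-01T08:31:10 NUR0999 record_read success
2024-03-01T09:00:00 GPX0007 login success
"""

# Constructed list of IDs of staff who have left but are still in the database
TERMINATED_IDS = {"NUR0999"}

FAILED_LOGIN_THRESHOLD = 3  # failures per ID inside WINDOW_SECONDS
WINDOW_SECONDS = 120

def parse_log(text):
    """Turn each log line into (timestamp, staff_id, event, outcome)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff_id, event, outcome = line.split()
        entries.append((datetime.fromisoformat(ts), staff_id, event, outcome))
    return entries

def find_terminated_id_use(entries, terminated):
    """Any event under a terminated ID is a finding (old IDs not removed)."""
    return sorted({sid for _, sid, _, _ in entries if sid in terminated})

def find_password_guessing(entries, threshold=FAILED_LOGIN_THRESHOLD,
                           window=WINDOW_SECONDS):
    """Flag IDs with at least `threshold` failed logins inside `window` seconds."""
    failures = defaultdict(list)
    for ts, sid, event, outcome in entries:
        if event == "login" and outcome == "failure":
            failures[sid].append(ts)
    flagged = []
    for sid, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged.append(sid)
                break
    return sorted(flagged)

def review(text=AUDIT_LOG, terminated=TERMINATED_IDS):
    """Run both checks and return the flagged IDs per finding type."""
    entries = parse_log(text)
    return {"terminated_id_use": find_terminated_id_use(entries, terminated),
            "password_guessing": find_password_guessing(entries)}
```

Running `review()` on the sample log flags NUR0999 (a terminated ID still active) and DOC0311 (four failed logins within 35 seconds); the window and threshold are tunable to the organisation's own lockout policy.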

Impact analysis
This part of the qualitative analysis deals with the potential losses in terms of data quality and insurance.

System mission

The system created is expected to store all the patients' records as well as their medical history; the targets behind this implementation are to save time and help the GPs make their decisions with regard to the patient's treatment. A disaster resulting from the exploitation of any of the threats listed above can affect the integrity, confidentiality and availability of the patients' information.

Loss of integrity

The loss of integrity can occur both intentionally and accidentally: the lack of training of the staff interacting with the system makes the patient data vulnerable to deletion or modification and can lead the doctors to make erroneous decisions. A loss of integrity also encourages successful attacks against the system in case of a deliberate act.

Loss of availability

The loss of the information at the time when it is most needed exposes the patients' lives to danger, especially if the same system is installed in the A&E, the department that usually deals with emergency situations.

Loss of confidentiality

This has been the main concern among public opinion; the loss of confidentiality can bring the NHS to face legal action, and it basically refers to the protection of the patient's medical history against unauthorized disclosure. There are several national and international regulations in relation to data confidentiality, such as the Data Protection Act 1998 and the Computer Misuse Act.

Magnitude of the impact (Qualitative approach)

The purpose of this step is to assess the level of each risk and define the priorities for dealing with it, in connection with its impact magnitude; the table below summarises the risks in order of priority, with a scale given to each risk.

Risk matrix (columns: Risk ID, Risk description, Likelihood level, Magnitude of impact, Risk level, Impact on CIA):

Non technical risks

- R1: Selling the patient information to interested companies for marketing purposes. Impact on CIA: loss of confidentiality.
- Flaws or weaknesses identified by the vendors but no action has been taken yet.
- Creating an electronic file without the approval of the patient.
- Security guards participating in a criminal act using CCTV.
- The visitor can be a computer expert or a hacker.
  (Impact on CIA for these rows: loss of integrity/confidentiality.)
- Unintentional deletion of records.

Technical risks (R6 to R10)

- Denial of service.
- Using telnet packets to browse locked files.
- Inbound telnet is allowed by the firewall; the packets sent from a user with a guest ID can reach the NHS servers.

Quantitative approach:

This part of the process deals with the potential loss that may occur within the NHS department on an annual basis; each asset, whether tangible or intangible, is given a specific value that determines its criticality within the whole system. What distinguishes the qualitative approach from the quantitative one is that the former is opinion based; even so, the values assigned to each asset may differ between experts. In the interest of fairness, although I have suggested values for each asset, I have also given the general formula to calculate the potential loss, in case a risk assessor does not agree with the values I have suggested.

Asset | Asset value | Exposure factor | SLE | ARO | ALE
Servers | 500.000 | 45% | 225.000 | 25% | 56.250
End user computers | 300.000 | 30% | 90.000 | 35% | 31.500
Routers, switches | 40.000 | 10% | 4.000 | 50% | 2.000
Patients database | 600.000 | 60% | 36.000 | 65% | 234.000
Personnel | 600.000 | 60% | 36.000 | 50% | 18.000

Keys:

SLE: single loss expectancy. ARO: the annualised rate of occurrence, i.e. how often the loss is expected to occur during the year. ALE: the annual loss expectancy.

Formulas:
SLE = asset value × EF. ALE = SLE × ARO.

The value given for each asset does not represent its real price, but the potential loss if it is compromised. To roughly calculate the cost benefit, I have added up the annual loss expectancy for each asset. Therefore, the ALE before implementing the countermeasure is: 56,250 + 31,500 + 2,000 + 234,000 + 18,000 = 341,750.

Conclusion:
The cost of the countermeasure should not exceed 341,750.
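As an added example (not the report's own code), the following Python transcribes the asset values, exposure factors, ARO and the stated SLE/ALE figures from the table above, recomputes each row with the report's two formulas, reports any row whose stated figures do not follow from its inputs, and applies the cost ceiling from the conclusion to a proposed countermeasure cost.

```python
"""Recompute the report's quantitative table with its own formulas
(SLE = asset value x EF, ALE = SLE x ARO) and check the stated figures.
Added example, not part of the report; values transcribed from its table."""

# (asset, asset value, exposure factor, stated SLE, ARO, stated ALE)
REPORT_TABLE = [
    ("Servers",            500_000, 0.45, 225_000, 0.25,  56_250),
    ("End user computers", 300_000, 0.30,  90_000, 0.35,  31_500),
    ("Routers, switches",   40_000, 0.10,   4_000, 0.50,   2_000),
    ("Patients database",  600_000, 0.60,  36_000, 0.65, 234_000),
    ("Personnel",          600_000, 0.60,  36_000, 0.50,  18_000),
]

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF (EF as a fraction, e.g. 0.45 for 45%)."""
    return round(asset_value * exposure_factor, 2)

def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO (ARO as a fraction, e.g. 0.25 for 25%)."""
    return round(sle * aro, 2)

def check_table(rows=REPORT_TABLE):
    """Recompute SLE and ALE per row; return (asset, recomputed SLE,
    recomputed ALE) for rows whose stated figures do not follow from the
    stated asset value, EF and ARO."""
    findings = []
    for asset, value, ef, stated_sle, aro, stated_ale in rows:
        sle = single_loss_expectancy(value, ef)
        ale = annual_loss_expectancy(sle, aro)
        if sle != stated_sle or ale != stated_ale:
            findings.append((asset, sle, ale))
    return findings

def total_stated_ale(rows=REPORT_TABLE):
    """Sum of the ALE column as stated; the report uses this total as the
    ceiling for countermeasure spending."""
    return sum(row[5] for row in rows)

def within_countermeasure_ceiling(cost, rows=REPORT_TABLE):
    """The report's rule: the countermeasure should not cost more than the
    total ALE it is meant to prevent."""
    return cost <= total_stated_ale(rows)

if __name__ == "__main__":
    print("Total stated ALE:", total_stated_ale())
    for asset, sle, ale in check_table():
        print(f"{asset}: recomputed SLE {sle:,.0f}, ALE {ale:,.0f}")
```

Run as a script it prints the 341,750 total and lists the rows whose stated SLE does not equal asset value × EF, so a reviewer can see at a glance where the table and the formulas disagree before relying on the ceiling.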

Risk mitigation
All the managers within the NHS need to come to terms with the fact that it is almost impossible to eliminate all the risk; it is imperative to work out the least-cost approach to respond to all the risks presented.

It is up to the senior management to decide whether the risks are acceptable or not, or whether they should be transferred. The NHS assumes that there are many risks related to its system. With regard to hacking and deliberate corruption of the system, the potential loss is much bigger than the attacker's gain; such reasoning suggests that the risks of a system attack are unacceptable. The example above is one of many risks that the organization may face.

The table below shows the decisions that should be made with regard to the risks identified in the previous sections:

Risk | Priority | Decision | Action to be taken

Non technical risks
Hacking, cybercrime, and breach of privacy | High | Limitation | Installing security software, setting IT security policies, implementing appropriate IDS
Accidental mistakes from the staff | High | Limitation | Improve training and awareness; appropriate access control
Shoulder surfing | Medium | Avoidance | Appropriate places for computers, physical security within the premises
Fire, floods, hurricanes... | Low | Transference | Transfer the risks to the insurance company
Updating the database without prior consent from the neighbour | High | Avoidance | Discuss with the patient before the update
Filling an opt-out form on behalf of another patient | Medium | Avoidance | Require the patient's signature unless under mitigating circumstances
Opting out may be too complex for elderly patients | Low | Limitation | Devote the help desk to provide the necessary advice
Nervous breakdowns lead patients to delete their records | Medium | Limitation | Assess the patient's state of mind before deleting the records

Implementation via computer: risk assessment software

Evaluation and assessment

Good security practice

Keys for success

Risk assessment report outline
