Risk management is a vital facet of business operation and success. Complete and total elimination of risks is a task that cannot be fully realized. As a result, most businesses conduct a risk analysis from time to time in order to determine the scope and depth of the risks that the business may be exposed to in the course of conducting its daily operations (Peltier, 2001). These analyses are meant to give management a clear understanding of the risks and how they can be mitigated to the lowest level possible.
The HIPAA security rule mandates that all covered business associates and entities, their subcontractors and agents, perform a risk analysis and put in place measures to sufficiently mitigate the identified vulnerabilities and risks to an appropriate and reasonable level (Peltier, 2001). This rule applies to a number of institutions and businesses, including pharmacies. The standards applied in the execution of the risk analysis vary and depend on the kind of approach chosen by the organization in question. They include:
- The organization’s technical infrastructure, software and hardware security capabilities
- The costs of security measures
- The organization’s size, complexity, and capabilities
- The probability and criticality of potential risks to ePHI (Electronic Protected Health Information) (National Institute of Standards and Technology (U.S.), 1994)
In this case, the pharmacy will use the organization’s technical infrastructure, software and hardware security capabilities to conduct the security analysis.
Note: A vulnerability is the proneness of the system in question to a given kind of security hazard. Vulnerabilities can be rectified to give the system a more secure status. Threats, on the other hand, are activities that will cause damage to the system, its patrons, or its facilities. These generally include actions that undermine the overall security. (Peltier, 2001)
Physical Vulnerabilities and Threats
Given the technical and physical layout of the pharmacy, there exist numerous potential points of vulnerability, which also pose threats to the security of the pharmacy. The following is a comprehensive analysis of these vulnerabilities and threats.
The desktop computers do not have any visible physical vulnerabilities due to their secured location and reinforced security behind the server windows.
Dedicated T1 Connection
This connection serves as the network through which information is shared and transferred throughout the whole facility. The connection is received from the outside; therein lies the threat of an external attack should the connection be compromised.
The file server is located together with the Server 2008 domain controller, which makes the file server particularly vulnerable: if the Server 2008 domain controller is compromised, all the ePHI will be compromised.
Windows 2008 Active Directory Domain Controllers
The Windows 2008 Active Directory domain controller relies completely on the firewall for protection. As such, it is vulnerable to external and physical attacks in the case where the firewall is down.
The firewall is particularly vulnerable to an internal physical attack should the server computer be compromised.
Should the desktop computers behind the service window be left on, connected to and logged into the dedicated T1 connection, there lies a threat of an external attack should the dedicated T1 connection be compromised.
Dedicated T1 Connection
Should the connection be left on, with all the computers logged into the file server, the connection poses a threat to all ePHI. This threat is compounded when the firewall is down, whether through an external or internal attack or during maintenance procedures.
Though the file server lies behind the caged area, there is a threat of a physical attack on the file server should the back door and the cage door be left open. There is also a threat of theft of the file server when the back door and the door to the server room are left unsecured.
Windows 2008 Active Directory Domain Controllers
The Windows 2008 Active Directory domain controllers house all the SMTP, HTTP and DNS (Domain Name System) servers. In the case where the back door and the access door to the server room are compromised or left unsecured, all these servers could be compromised. In such a case all the servers would be affected, disrupting the distribution and flow of information within the facility.
In the case of maintenance services on the firewall, the firewall will be down and inactive. At this time the firewall ceases to protect the dedicated T1 connection and the file server. This will pose a threat to all ePHI and violate the HIPAA security rule.
Logical Vulnerabilities and Threats
Dedicated T1 Connection
The dedicated T1 connection may be prone to fraudulent links via emails, blogs and spam. This is because the dedicated T1 connection is an external connection that serves the entire establishment. There is also the vulnerability to external malicious code such as a Trojan horse, a virus or worm, or spyware.
The desktop computers are under the potential threat of malicious code in the form of worms or spyware. This threat can be realized when the users of the desktop computers download data that may be corrupted.
Windows 2008 Active Directory Domain Controllers and the File Server
The directory domain controllers house all the SMTP, HTTP and DNS (Domain Name System) servers. Their location in the same room as the file server makes both the directory domain controllers and the file server vulnerable to attack.
Potential Impact of Physical Vulnerabilities and Threats
In the case where the dedicated T1 connection is compromised, either through sabotage or external attack, the connectivity of the desktop computers and the file server together with the Windows 2008 Active Directory Domain Controllers will go down. This will lead to the halt of all the services from the desktop computers. All the information within the file server will be inaccessible from the desktop computers.
In the case where the firewall is down in the event of maintenance or an attack, all the ePHI will be accessible to unauthorized personnel.
In the event that the desktop computers and/or the dedicated T1 connection are attacked by external or internal malicious code, in the form of spam mail, a Trojan horse or a virus worm, the information within the connection serving the whole establishment and within the file server will be compromised, altered or deleted.
In the event that the access doors to the restricted areas, i.e. the back door and the caged area, are left unsecured, the integrity of all the information within the file server and the desktop computers will be compromised. This will lead to confidential clientele and business information ending up in the wrong hands.
Vulnerabilities in the Documented Network
Fraudulent Links (Network Automation)
The network is particularly vulnerable to fraudulent links in the form of blogs and spam. This is because the dedicated T1 connection is from an external server. If a file or data that may be corrupted is downloaded from within the establishment, the malicious link will affect all the users connected to the network.
A more complicated and advanced vulnerability of the network is the use of fast flux to advance spam links. This involves using fast flux to return numerous IP addresses, hundreds if not thousands, for one given domain.
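A defender can spot the fast-flux pattern described above in resolver logs by counting how many distinct addresses and networks one name resolves to and how short its TTLs are. The following Python code is an added example, not part of the original analysis; the thresholds, the function names `summarize` and `flag_fast_flux`, and the sample DNS answers are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Illustrative thresholds (assumptions): tune against the site's own DNS baseline.
MIN_DISTINCT_IPS = 5    # distinct A records seen for one name in the window
MIN_DISTINCT_NETS = 3   # spread across /16 networks, i.e. unrelated hosts
MAX_MEDIAN_TTL = 300    # seconds; fast-flux records are rotated quickly

def summarize(observations):
    """Group (domain, ip, ttl) DNS answers into per-domain statistics."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        name = domain.rstrip(".").lower()   # normalise case and trailing dot
        ips[name].add(ip_address(ip))       # a set, so repeats count once
        ttls[name].append(ttl)
    stats = {}
    for name, addrs in ips.items():
        nets = {int(a) >> 16 for a in addrs if a.version == 4}
        stats[name] = {"ips": len(addrs), "nets": len(nets),
                       "median_ttl": median(ttls[name])}
    return stats

def flag_fast_flux(observations):
    """Return the sorted domains whose answer set looks like fast flux."""
    return sorted(
        name for name, s in summarize(observations).items()
        if s["ips"] >= MIN_DISTINCT_IPS
        and s["nets"] >= MIN_DISTINCT_NETS
        and s["median_ttl"] <= MAX_MEDIAN_TTL
    )

# Constructed sample: answers logged by the resolver over one hour.
# All addresses come from the RFC 5737 documentation ranges.
SAMPLE = (
    [("promo.example", ip, ttl) for ip, ttl in [
        ("192.0.2.10", 60), ("192.0.2.77", 60), ("198.51.100.5", 120),
        ("198.51.100.201", 60), ("203.0.113.9", 90), ("203.0.113.140", 60),
        ("192.0.2.10", 60)]]
    + [("mail.example", f"192.0.2.{n}", 3600) for n in range(20, 25)]
    + [("supplier.example.", "198.51.100.40", 3600),
       ("Supplier.example", "198.51.100.41", 3600)]
)

if __name__ == "__main__":
    print(flag_fast_flux(SAMPLE))
```

Content delivery networks can also return many addresses with short TTLs, so a flagged name is a lead for review against an allow-list rather than proof of abuse.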
Electronic Health Records Security
Access to the electronic health records within the facility is not limited. All staff can access all the information from any of the computers connected to the file server in the server room. The data within the file server and the desktop computers is not encrypted, making the data vulnerable to theft through copying.
There exists only one firewall, which protects the Server 2008 domain controller along with the incoming dedicated T1 connection. This makes all the other computers, including the server room computer and the desktop computers, vulnerable to attack.
Potential Impact of the Vulnerabilities in the Documented Network
In the case where the fraudulent links take effect in the network and the file server, the integrity of all ePHI will be compromised. This will leave all this information accessible to unauthorized personnel.
In the case where the single firewall is bypassed or compromised, all the ePHI will be compromised. This is because none of the computers within the facility is protected by a firewall of its own.
The integrity of the ePHI is compromised when unauthorized personnel access the patient and business information that is considered private and confidential.
Physical Vulnerability Risk Management
The file server and the Server 2008 domain controller should be separated. Setting up these two components in separate locations improves security by reducing the likelihood of all the ePHI being compromised in the case where one of the two is compromised.
Limiting access to all sensitive areas, such as the file server room, to authorized personnel will ensure that only the right people have access to sensitive information regarding the business and clientele.
Logical Vulnerability Risk Management
Installing a firewall on every computer within the facility will serve to increase the security and integrity of all ePHI.
The installation of antivirus software on every computer will aid in the identification and elimination of all potential malicious code in the form of Trojan horses, virus worms and spam mail.
The creation of access passwords and unique user identification will ensure the integrity of all ePHI by only allowing authorized personnel to access information within their clearance level.
By applying encryption and decryption techniques and software to all ePHI, the data within the file server will be secure and safe.
In conclusion, the physical layout of the pharmacy needs to be altered to enhance security. The technical changes require software installation and the use of new, enhanced hardware.
Chavas, J.-P. (2004). Risk analysis in theory and practice. Amsterdam: Elsevier Butterworth-Heinemann.
Information Systems Security Association. (1992). Information systems security. Boston: Auerbach Publications.
National Institute of Standards and Technology (U.S.). (1994). Information systems security. Washington: The Institute.
Peltier, T. R. (2001). Information security risk analysis. Boca Raton: Auerbach.