2.4 Assignment: Threat Analysis
Threat Analysis of Healing Touch Hospital
Mandar Sathe
Indiana Wesleyan University
Healing Touch Hospital is a beacon of healthcare for many individuals around the district. Being the biggest hospital in the region, many individuals depend on it for various services, including special surgeries, emergency care, dialysis, and hospice care. The hospital is also nationally recognized for its services, and it is known for having some of the best and most well-trained nurses in the country.
However, the hospital has encountered serious challenges regarding computing security. The hospital has been the victim of several instances of theft, where important computing supplies have gone missing or been stolen by known assailants. Though in many cases those who are guilty are seen and arrested, a lot of time and resources are spent in this pursuit, which costs the hospital more funds and decreases the quality of care, because nurses and doctors are at times forced to rely on manual means such as recording data in their notebooks instead of entering it into the system directly.
The organization has also been the victim of three separate denial-of-service attacks. The company has managed to keep the attacks out of the media by silently paying the attackers, but their impacts have been felt. In one instance, the attack lasted about three hours, forcing patients in the intensive care unit (ICU) to be transferred to different rooms because the attackers had interfered with the pronation beds in the hospital. The fact that this has happened three times has made the institution worry. This is made worse because the institution has been quick to pay the attackers, creating the impression that it is an easy target that pays quickly and easily.
Considering these factors, the organization has tasked my team with performing a threat analysis to determine where the institution is most vulnerable and implementing strategies that will best protect the institution. The organization is determined to tighten the security in the hospital and is willing to do whatever it takes to ensure that theft and denial-of-service attacks come to an end.
Threat Analysis Steps
Identifying Threats
In computing security, a threat is a potential vulnerability that can harm the system (McCabe, 2007). Human actions or natural disasters can cause threats. In the organization’s case, the threats are mainly human. Threats can affect the hardware, software, services, and data. To determine the hospital’s threats, the team looked at the hospital’s history of data security and the methods previous attackers used against the institution.
The first threat that the team determined was that the hospital did not protect its hardware properly (Pfleeger & Pfleeger, 2012). The hospital’s security guards were old and not physically fit, making it easy for a thief to grab and dash. The guards could not run fast enough to catch the thieves. Though the hospital had security cameras, they were a reactive measure because they did little to stop attackers from stealing equipment from the hospital. The team also interviewed the security guards, who said they were understaffed and were mostly involved in incidents with unruly patients when the thefts took place. In one example, a mentally ill patient being treated for a cut in the emergency department began acting unruly, forcing security guards and doctors to restrain him. When the fracas was over, the hospital realized two computer monitors were missing. There is also a risk that when patients are acting disorderly, they can damage the hardware in the hospital.
The second threat is the recurring denial-of-service attacks. On investigation, we realized that all three attacks originated from within the hospital. The first attack came when a nurse used the hospital’s computer to access unsecured websites. While the nurse was accessing these websites, the hacker downloaded malicious software onto the nurse’s computer, which acted as the doorway to the hospital’s system. This reveals two elements: the human element, where the employee opened the door for the hacker to download the malicious software, and the system’s failure to detect the intrusion and the download of the malicious software.
The other two attacks were hardware-based. In one of the attacks, the attacker gained access to the server room, which was locked using a normal padlock. The attacker gently cracked the door open and accessed the server room, where he planted malicious software onto the server directly. After ensuring that the software was in place, he left the hospital and began the attack remotely. The other attack happened when the attacker inserted a USB drive that contained malicious software into a nurses’ workstation computer. Again, in both of these instances, there are issues of human negligence.
Addressing the Threats
After identifying the threats, the conclusion is that addressing the issues in computer security requires a double-pronged approach. The fix needs to address both the human element and the computing element. The human element deals with the people who work with the security system. This includes the guards, nurses, doctors, and other personnel who interact directly with the system. Understanding the effect of the human element on the system is very important because it may help prevent future attacks and mitigate the risks caused by threats.
The first step is to deal with the security guards. The recommendation to the hospital is that they should invest in more security guards. Outsourcing the job to an external entity is a viable solution, where they contract a company to provide security to the hospital. The hospital can also choose to hire directly, although they are unlikely to find good candidates due to the job’s stature. The best option for the hospital is to partner with a security company and increase the manpower in the hospital. The security personnel should be trained to be proactive, meaning that they have to detect danger before it happens. A plan needs to be set in motion to ensure that if someone snatches a piece of hardware, they are locked down and are not allowed to leave. The security personnel need to be trained on the basics of computing security to ensure that they can detect the dangers associated with computing security.
The next step is to train the faculty (nurses, doctors, and other personnel) on digital security. It may be that the individual who tried to access the harmful sites had no knowledge that they existed. This education is also to protect the system from harm caused from inside the system. The hospital can also place policies that advocate against using office equipment for personal use. The existence of consequences for such offenses in the policies will help improve the system’s security from internal issues.
The computing element is also an important aspect to analyze and inspect. The recommendation is that the hospital invest in an in-house IT team responsible for updating and revamping the current system. Their first task will be installing appropriate intrusion detection systems to prevent external parties from accessing the system illegally. The team will also be responsible for ensuring the safety of the servers and other hardware in the hospital by implementing better security systems such as password-controlled locks on the doors of the server rooms. This will help protect the servers from physical intrusion. The IT team will also be responsible for ensuring a balance between confidentiality, integrity, and availability that suits the hospital. They will also help the hospital stop an intrusion after it is successful, preventing harm to the organization or loss of data.
Implementing better security features will take time and require all parties involved to be committed and patient as the results are being achieved. The support of upper management in providing finances and implementing policies will be crucial to ensure the success of the new changes.
Computing security becomes a serious issue for many organizations after they experience the effects of not addressing it. Healing Touch Hospital has made it its mission to upgrade its system and policies to ensure that they protect the hospital and its needs. Though the journey is a marathon, not a sprint, in the long term the decision to uphold computing security will prove to be very helpful for the organization.
References
McCabe, J. D. (2007). Security and Privacy Architecture. Network Analysis, Architecture, and Design, 359–383.
Pfleeger, S. L., & Pfleeger, S. L. (2012). Analyzing Computer Security. Prentice-Hall.