Information system security is an ever-growing challenge that managers in various fields have to address these days. The potential threats to a business range from environmental conditions to the risks and vulnerabilities present in the realm of information technology (Microsoft, 2013). The use of advanced technology and information systems is a must for every type of business; they are used by organizations large and small. The health industry has also adopted information systems to improve health care, manage the files and records of patients, reduce the time lost in paperwork, and automate various processes to make the business more efficient and effective. Given the use of information technology in all the operations of the business, numerous threats and vulnerabilities arise when using information systems (Dhillon, 2007).
Some of these threats include privacy, confidentiality and integrity issues. This report looks at security issues in e-health, identifies the solutions and analyses them to choose the best option.
Security Problems in e-Health
There are many security issues present in the information systems used in the health industry. These issues can be categorized into two groups, namely physical and logical risks. If not tackled, these risks have the potential to disrupt the whole health system and put the lives of patients at risk. The risks to which health systems are exposed are outlined below.
Physical risks are those that arise from the external environment and affect material objects. They are the risks and vulnerabilities associated with the physical layout and the physical components. Such risks are related to the information technology hardware installed in the business (Kim & Solomon, 2011). They can also be related to the other supporting physical components that are used to maintain the information systems, such as the cooling or heating units.
Some of the identified physical issues regarding information systems at health institutions that can potentially cause harm to the business and pose a threat are: the risk of theft; the potential breakdown of the cooling system or the air conditioning used to maintain the temperature of the information system hardware; inadequate doors and locks; the risk of fire; short circuits or power outages causing loss of information; the leakage of customer details; and employees stealing data or using customer information to obtain drugs and medicines from the pharmacy (Anonymous, 2012). In addition to the above, there is also the risk that financial information about the hospital can be stolen. The network design and the topology used can also expose the business to certain threats and vulnerabilities.
In the context of information systems, the logical risks are the threats and vulnerabilities related to the software used in these information systems (Anonymous, 2012). The major causes of concern in the logical systems are the gaining of unauthorized access to sensitive information, the use of that data for personal gain, as in the case of insider trading, and other risks arising out of information technology (Talabis & Martin, 2013).
The logical risks inherent in e-health are: loss of data confidentiality; exposure of data encryption information; the loss of passwords and key user information; the theft of online data; vulnerabilities in the backup systems; employees gaining access to privileged information to which they are not entitled; threats to the different components of the system networks; financial data being changed or used for illegal activities; customer information being tampered with; the threat of malware, computer viruses, Trojans and spyware; and employees sharing data with each other or with third parties (Microsoft, 2013).
Vulnerabilities in the Documented Network
The documented network is the blueprint of the company's entire network. It shows the links between the applications and components used by the company. An extensively recorded network will aid the company in planning and implementing different technological innovations (Daya, n.d.). It serves as the basis for incorporating the correct type of applications and components to be used by the company. Various factors can cause weaknesses in the documented network, and these weaknesses can hinder operations, as all the systems are linked over the network.
Impact of Risks
The risks and threats highlighted in the previous section have adverse consequences and impacts. This part explains in detail the impact of the physical and logical risks associated with the networks and the pharmacy.
The effect of the physical risks and threats can be harmful and dangerous for the health system and the network in place. There is the chance of the organization's information being stolen, or of the physical hardware itself being stolen. The effect of this risk on the health system would be felt in monetary terms and would involve the theft of computer systems. Similarly, the information system components contain details about the various medications and the personal details of customers. Such stolen records can violate privacy and confidentiality requirements and have a negative impact on the health system.
Among the logical risks outlined, the risk of obtaining private details and the leakage of such information over the network is of major concern (Daya, n.d.). If a person's medical records are stolen, that person can become a victim of fraud; patient information in the database can be used to forge false identities. Similarly, the risk of financial details being hacked or stolen from the information systems can lead to unfavourable repercussions for the hospital (SANS, 2013). In the wrong hands, stolen financial and other information can cost the organization its competitive advantage over its competitors.
Solutions and Analysis
There are four strategies that can be used to handle the risks identified: risk mitigation, risk assignment, risk acceptance, and risk avoidance. In addition, four types of control can be used independently or in combination to handle these security issues, namely administrative, preventive, detective and corrective controls.
The risk of theft of medical products and information system hardware can be minimized using the strategy of risk mitigation together with risk assignment to a third party. The use of strong security measures can help minimize and prevent these risks. The risk of short circuits, power outages and fire causing loss of information can be handled using a risk acceptance strategy. The issue of financial information and privileged customer data being stolen can also be handled using a risk mitigation strategy.
The threat of access to confidential data, and of employees gaining access to privileged information for which they are not authorised, can be controlled by limiting the access of employees to such information (Duncan, 2002). The risk of exposing data can be handled through various means, such as encrypting information using AES and DES. The loss of passwords and key user information should be reported immediately so that efforts can be made to curtail the effects. The threat of online data theft can be minimized by using access control methods, whilst the threat of malware, computer viruses, Trojans and spyware can be controlled using the appropriate antivirus and anti-malware systems. In all of the above, however, an effective risk mitigation strategy should be in place to guide these activities.
The risk of exposing data encryption information, the loss of passwords and key user information, the theft of online data, the threat of malware, computer viruses, Trojan and spyware software, all can be minimized by using detective, preventive and corrective controls (SANS, 2013).
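The controls named in the two paragraphs above (limiting employees' access to records they are not authorised to see, encrypting stored information with AES, and detective controls that make misuse visible) as an added example that is not part of the original report: a small Go program that keeps patient-record fields encrypted with AES-GCM, checks a hypothetical role policy before decrypting, and writes every read attempt, allowed or denied, to an audit trail. The role names, field names and sample values are constructed for the example; the report names AES and DES, but this example uses AES only.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Hypothetical read policy: which patient-record fields each role may view.
var readPolicy = map[string]map[string]bool{
	"physician":  {"diagnosis": true, "medication": true},
	"pharmacist": {"medication": true},
}
// AuditEvent is the detective-control record written for every read attempt.
type AuditEvent struct {
	User, Role, Field string
	Allowed           bool
}
// Vault holds AES-GCM encrypted patient fields (nonce prefixed to each ciphertext) and the audit trail.
type Vault struct {
	gcm    cipher.AEAD
	fields map[string][]byte
	Audit  []AuditEvent
}
// NewVault encrypts every field under a 16, 24 or 32-byte AES key with a fresh random nonce.
func NewVault(key []byte, plain map[string]string) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // wrong key length is rejected here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block size GCM requires
	v := &Vault{gcm: gcm, fields: map[string][]byte{}}
	for name, value := range plain {
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce) // crypto/rand.Read always fills the buffer (never returns an error since Go 1.24)
		v.fields[name] = gcm.Seal(nonce, nonce, []byte(value), nil)
	}
	return v, nil
}
// Read applies the role policy (preventive control) before decrypting and logs every attempt (detective control).
func (v *Vault) Read(user, role, field string) (string, error) {
	allowed := readPolicy[role][field] // unknown roles and fields evaluate to false
	v.Audit = append(v.Audit, AuditEvent{user, role, field, allowed})
	sealed, ok := v.fields[field]
	if !allowed || !ok {
		return "", errors.New("access denied")
	}
	// NewVault is the only writer, so every ciphertext is at least one nonce long.
	pt, err := v.gcm.Open(nil, sealed[:v.gcm.NonceSize()], sealed[v.gcm.NonceSize():], nil)
	return string(pt), err // err is non-nil (and pt empty) when the ciphertext was tampered with
}
```

Denied attempts stay in the audit trail alongside the allowed ones, so a reviewer can spot an employee repeatedly probing fields outside their role.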
It can be noted that various threats exist in the management of electronic records. These threats are both technological and social in nature, and they have the potential to cause havoc both to the health system and to the patients whose medical records are stored. There are, however, various measures, such as encryption, authentication and access control, for keeping such information secure.
Anonymous, (2012), Information Security, Queensland Government, retrieved from http://www.qgcio.qld.gov.au/products/qgea-documents/549-information-security/2704-information-security-is18
Anonymous, (2012), Network Security, Athena Information Solutions Pvt. Ltd, retrieved from http://search.proquest.com.ezproxy.apollolibrary.com/docview/1010257091?accountid=458
Daya, B., (n.d.), Network Security: History, Importance and Future, University of Florida Department of Electrical and Computer Engineering, retrieved from http://web.mit.edu/~bdaya/www/Network%2520Security.pdf
Dhillon, G., (2007), Principles of information systems security: Text and cases, Hoboken, NJ: Wiley, retrieved from http://books.google.com/books?id=mTkkAQAAIAAJ
Duncan, R., (2002), An Overview of Different Authentication Methods and Protocols, SANS Institute.
Kim, D., Solomon, M., (2011), Fundamentals of information systems security, Sudbury, MA: Jones & Bartlett Learning.
Marchany, R., Luker, M., Peterson, R., (2003), Conducting a Risk Analysis, Educause.
Microsoft, (2013), Security Threats, Microsoft TechNet, retrieved from http://technet.microsoft.com/en-us/library/cc723507.aspx
SANS, (2013), Security Best Practices for IT Project Managers, retrieved from http://www.sans.org/reading-room/whitepapers/bestprac/security-practices-project-managers-34257
Talabis, M., Martin, J., (2013), Information security risk assessment toolkit: Practical assessments through data collection and data analysis, Amsterdam: Elsevier.