Calibration of "Ease of Attack" for Four New Requirements
The iTrust database contains information relating to patients, issued by doctors and by the patients themselves, that is used for contact and even for prescribing medicine. Emergency responders play a pivotal role and can benefit greatly from the information contained in the iTrust database. If the emergency responder is included in the iTrust database, the role's first function should be risk analysis and management. The roles currently in the system include health care professionals, voluntary workers in the health care setting, and secretarial support. The entity should therefore add the emergency responder role to help identify and respond to any emergency that may affect those in the database. The job may be given to police officers, fire and disaster emergency specialists, or medically trained professionals charged with the responsibility of providing care at an emergency site.
The role of the emergency responder is to obtain data from patients who have important information to present to the relevant authority. This data is available in the iTrust database and can ease the responders' work. It covers health status, allergies, short-term and long-term diagnoses, and the history of drug prescriptions. Patients may also be required to provide information concerning their immunization history (Department of Health and Human Sciences, 2007). All of this, together with the patients' contact information, is available in the database. The responders' role would therefore be to access this data and use it in case of emergencies. If integrated into the database, they can play a role that improves their service delivery.
A vulnerability is a flaw or weakness in a system's security procedures, design, or implementation. The term also covers internal controls that may be exercised in the workplace. Vulnerabilities may be accidentally triggered or intentionally exploited, and may contribute to a security breach or a violation of the system's security policy. Vulnerabilities of all kinds, whether triggered accidentally or exploited intentionally, may therefore lead to a security incident. Vulnerabilities may be classified as technical or non-technical. Flaws or weaknesses in the development of an information system, or information systems that are not configured correctly, may result in technical vulnerabilities. These vulnerabilities are real for the data contained in the database: if a security breach were to take place, the patients' personal information would land in the wrong hands. This would break the trust patients have in the system. The database would also be vulnerable to manipulation by the large number of people accessing it.
A threat is the potential for an individual or an item to exercise a given vulnerability in the IT system, whether by accidentally triggering it or by intentionally exploiting it. Many forms of threat can arise in the IT systems or operating systems of a workplace environment. Threats are classified into general categories: natural, human-induced, or environmental. Once the number of people accessing the database grows through the addition of emergency responders, the possibility that the vulnerabilities in the system will be exploited also grows. This would put the patients' information at risk, because an emergency responder could leak it to third parties who may manipulate it. The large number of users could also hijack the functions of the database and use the information to attack patients emotionally by revealing their personal information to the public, which is very easy in this era of social media.
Computing security risk for adding ER role
The meaning of risk is easy to understand once vulnerability and threat are defined. Risk refers to the possibility that a particular threat occurs, whether accidentally or intentionally, with a resultant effect. A threat must have the ability to trigger or exploit a vulnerability. It is vital to understand that a vulnerability triggered or exploited by a threat equals risk. Security risk arises mainly from unauthorized disclosure and from alteration or modification of information.
The security risk associated with the addition of emergency responders is quite high because of their large number. These responders are not under any Hippocratic Oath to ensure that the confidential patient information they access does not reach the public domain. Access to the database by different stakeholders would make it easier for hackers, and for other people interested in this information for personal gain, to obtain it. Insurance agencies could exploit the information they hold when negotiating insurance contracts with patients. The risks would be greater still if the responders were to manipulate the data by editing it. This would have serious consequences, because doctors would end up prescribing the wrong medication to patients based on what they find in the database, which may have been doctored.
Reducing security risk for adding ER role
The security risk associated with the first responders' inclusion in the iTrust database can be minimized by setting up regulations that guide access to the database. First responders would be interested in information about a patient's health status in an emergency, so that they can deal with the case easily. They therefore have a reason to access the database, but this access needs to be regulated to minimize the security threats that would arise from it.
The system can be set up so that only selected people in the emergency responders' department have access to the database. This would reduce the amount of traffic to the database, minimizing the possibility of the database crashing due to congestion. This limited access would also ensure that the responders can only access the limited data pertaining to a case, that is, the information deemed important for the responders to deal with the problem at hand easily. Information such as the patient's health status and the medication the patient is using can be released without releasing the other personal information that is available in the database.
The risks can also be reduced by creating a link between the responders' website and the database. This link would enable responders to access the limited information about the patient during an emergency. This would be better than limiting access to a select few individuals, which would overburden them when multiple emergency cases are reported simultaneously and the responders need crucial information about victims before they engage in the rescue mission (Ian & Raman, 2005).
Based on the added role of the emergency responder, it will be possible to manage a system that gives the covered entity a thorough understanding of risk management and of the security measures required to manage the risks and protect against any anticipated future risks. The importance of adding the emergency responders to the database is great, but the risks are also serious. With proper planning, the emergency responders can be integrated into the system with few security problems, though that will require constant monitoring of the system to ensure that the responders are not misusing it.
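
The limited access and constant monitoring described above can be sketched as follows. This is an added example, not part of the original essay and not iTrust code: selected responders receive a copy of only the emergency-relevant fields for a named incident, and every attempt is logged for review. All identifiers, the record layout and the sample record are hypothetical.

```python
import copy
from datetime import datetime, timezone

# Hypothetical names throughout; the record below is constructed sample data.
ER_FIELDS = {"health_status", "allergies", "short_term_diagnoses",
             "long_term_diagnoses", "prescriptions", "immunizations"}
AUTHORIZED_RESPONDERS = {"er-17"}   # the selected responders allowed to query
AUDIT_LOG = []                      # append-only trail for later monitoring
PATIENTS = {"p-001": {
    "name": "Sample Patient", "address": "1 Example Street",
    "insurance_id": "INS-0000", "health_status": "stable",
    "allergies": ["penicillin"], "short_term_diagnoses": [],
    "long_term_diagnoses": ["asthma"], "prescriptions": ["salbutamol"],
    "immunizations": ["tetanus"],
}}


def fetch_for_responder(responder_id, patient_id, incident_id):
    """Return a field-limited copy of one record and log the attempt."""
    granted = responder_id in AUTHORIZED_RESPONDERS and bool(incident_id)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "responder": responder_id, "patient": patient_id,
        "incident": incident_id, "granted": granted,
    })
    if not granted:
        raise PermissionError("lookup refused: unauthorized or no incident")
    if patient_id not in PATIENTS:
        raise LookupError("unknown patient")
    # Deep-copy only the allow-listed fields: the other personal fields (here
    # name, address, insurance id) are never released, and edits to the copy
    # cannot reach the stored record.
    return {k: copy.deepcopy(v)
            for k, v in PATIENTS[patient_id].items() if k in ER_FIELDS}


def flag_responders(log, max_patients=3):
    """Flag responders with a refused lookup or too many distinct patients."""
    seen, flagged = {}, set()
    for entry in log:
        if entry["granted"]:
            seen.setdefault(entry["responder"], set()).add(entry["patient"])
        else:
            flagged.add(entry["responder"])
    flagged.update(r for r, p in seen.items() if len(p) > max_patients)
    return flagged
```

The threshold in flag_responders is an illustrative assumption; a real deployment would tune it to the responders' normal caseload.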