Hospital XYZ has a Microsoft SQL database server that stores out-patient clinic information. David, the security consultant, has just conducted a vulnerability assessment of the database server and made the following observations:
- Physical security of the servers is inadequate.
- The server has a robust anti-virus program.
- No error detection, error correction, or fault tolerance.
- The encryption key is not securely protected.
- Access control measures are installed and each user has a profile; however, profiles grant more permissions than the user's role requires (least privilege is not enforced).
- Administrators are not competent: they lack training and a full understanding of the system.
- Backups are unreliable and unsecured.
- Sensitive documents containing patient information are discarded in an unsecured trash bin.
- Administrators fail to apply patches; unpatched holes in the OS expose the database software.
- Records are not locked while changes are being made, so record integrity may be affected.
The patient data on the out-patient clinic server is valued at $800,000. The database currently holds 2000 patient records. Additionally, the proprietary patient processing software is valued at $100,000.
The following are the typical end-users of the hospital out-patient database:
Vendor Staff – Remote Access
David’s notes on Physicians:
- Physicians have made mistakes in the past. On one occasion a registered patient was prescribed an incorrect drug dosage. A lawsuit was filed and the jury awarded the patient $5000.
- Some physicians access chat websites from their office computers
David’s notes on Nurses:
- Since the lawsuit, nurses confirm the drugs prescribed by physicians.
- Some nurses forget to minimize or close patient data screens while attending other patients.
David’s notes on IT Personnel:
- There are no dedicated IT personnel for the out-patient department.
- The IT personnel are also not adequately trained and do not have a complete understanding of HIPAA regulations.
David’s Other Notes:
- Over the past two years there have been at least 4 fires in the staff kitchen, which adjoins the server room.
- Last year a vendor staff member's laptop was stolen.
- Based on David's notes, identify the threats to the database system (any 10).
- Quantify the risk from each threat and identify the top 5 risks to the database system (calculate the ALE for each threat).
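The following is an added worked example, not part of the original case study, showing the arithmetic the second question asks for: single loss expectancy SLE = AV × EF, annualized loss expectancy ALE = SLE × ARO, computed for a threat list derived from David's notes and ranked to pick the top 5. It also shows the usual follow-on step, judging whether a safeguard is worth its annual cost (ALE before minus ALE after minus cost). The asset values ($800,000 patient data, $100,000 software), the fire ARO (4 fires in 2 years, so 2 per year), the laptop-theft ARO (1 in the last year) and the $5,000 jury award come from the case; every exposure factor, the remaining AROs, the safeguard figures, and the threat and function names are assumptions for illustration and would be replaced by the assessor's own estimates.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Asset values stated in the case study (dollars).
PATIENT_DATA_VALUE = 800_000
SOFTWARE_VALUE = 100_000


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the asset the threat acts on
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 .. 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: dollar loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollar loss per year (SLE x ARO)."""
        return self.sle() * self.aro


def rank_by_ale(threats: List[Threat], top_n: int = 5) -> List[Threat]:
    """Return the top_n threats ordered by descending ALE."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)[:top_n]


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: ALE reduction minus what the safeguard costs.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


# Constructed threat list built from the assessment notes. EF and ARO figures are
# assumptions for illustration unless the comment says they come from the notes.
THREATS: List[Threat] = [
    # 4 fires in 2 years in the adjoining kitchen -> ARO 2.0 (from notes); EF assumed.
    Threat("Fire spreading from kitchen to server room", PATIENT_DATA_VALUE + SOFTWARE_VALUE, 0.50, 2.0),
    Threat("Unpatched OS/database hole exploited", PATIENT_DATA_VALUE, 0.25, 0.5),
    Threat("Patient data viewed on unattended nurse screens", PATIENT_DATA_VALUE, 0.01, 12.0),
    # One vendor laptop stolen last year -> ARO 1.0 (from notes); EF assumed.
    Threat("Stolen vendor laptop used for remote access", PATIENT_DATA_VALUE, 0.10, 1.0),
    Threat("Patient documents recovered from unsecured trash", PATIENT_DATA_VALUE, 0.02, 4.0),
    Threat("Unsecured/unreliable backups lost or disclosed", PATIENT_DATA_VALUE + SOFTWARE_VALUE, 0.30, 0.2),
    Threat("Excess profile permissions misused by insider", PATIENT_DATA_VALUE, 0.10, 0.5),
    Threat("Concurrent edits corrupt records (no locking)", PATIENT_DATA_VALUE, 0.05, 0.8),
    Threat("Encryption key compromised", PATIENT_DATA_VALUE, 0.50, 0.05),
    # $5,000 jury award is from the notes (one full loss per event); ARO assumed.
    Threat("Prescription error leading to lawsuit", 5_000, 1.0, 0.5),
]


def ale_table(threats: List[Threat]) -> List[Tuple[str, float, float]]:
    """(name, SLE, ALE) rows for every threat, for the written answer."""
    return [(t.name, t.sle(), t.ale()) for t in threats]


if __name__ == "__main__":
    print(f"{'Threat':<50} {'SLE':>12} {'ALE':>12}")
    for name, sle, ale in ale_table(THREATS):
        print(f"{name:<50} {sle:>12,.0f} {ale:>12,.0f}")
    print("\nTop 5 risks by ALE:")
    for i, t in enumerate(rank_by_ale(THREATS), start=1):
        print(f"{i}. {t.name}: ${t.ale():,.0f}/yr")
    # Hypothetical safeguard: fire suppression plus a firewall between kitchen and server
    # room, assumed to cost $20,000/yr and cut the fire ARO to 0.1 with EF 0.10.
    fire = THREATS[0]
    after = Threat(fire.name, fire.asset_value, 0.10, 0.1)
    print(f"\nFire safeguard net value: ${safeguard_value(fire.ale(), after.ale(), 20_000):,.0f}/yr")
```

Because both SLE and ALE scale linearly with the assumed EF and ARO, the ranking is only as good as those estimates; the fire threat dominates here because it is the one threat for which the notes supply a real frequency, which is the point of grounding ARO in incident history rather than guesswork.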