Security Audit for FX Hospital EHR/EMR Systems
The study carries out a security audit of the FX Hospital EHR/EMR information systems to identify their vulnerabilities. The study uses BackTrack as an auditing tool to penetrate the website, and the outcomes of the audit reveal that the website is not secure and is exposed to several vulnerabilities. During the audit, the study is able to collect as much patients' data as possible, which shows that the website is open to attack. One of the vulnerabilities identified is that the website URL starts with HTTP, showing that an attacker can easily break into the website and collect sensitive information. Moreover, none of the data on the website is encrypted, making it easy for an attacker to collect patients' data.
Consequently, FX Hospital can face lawsuits for failing to protect patients' data: if patients' data are stolen by an unauthorized individual and misused for personal gain, the issue can lead to a lawsuit. The paper suggests different strategies that FX Hospital can employ to protect the website from the vulnerabilities. The study suggests converting the website's URL from HTTP to HTTPS. HTTPS is a combination of HTTP and SSL (Secure Sockets Layer) that offers an effective security protocol for the website. HTTPS will encrypt all the data in the website, which will consequently protect the data from being stolen by an unauthorized individual. The paper also suggests using a combination of IDS, IPS and a firewall to detect and prevent unauthorized access to the website. The integration of a powerful antivirus is also recommended to protect the website from virus and worm attacks.
IT (information technology) is inherently associated with risks and vulnerabilities arising from poorly configured firewalls and unsecured SQL databases. The vulnerabilities can cause organizations to lose an enormous amount of revenue if a hacker is able to penetrate the dataset of an organization. In the United States, websites of healthcare organizations can contain sensitive information of patients and employees such as SSN (Social Security Number), credit card information and other sensitive information. If an attacker is able to penetrate an organizational website and collect sensitive information, the organization can lose an enormous amount of money from lawsuits, which can consequently damage its business image.
The following healthcare website, http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO15, can be vulnerable to attack since it seems that the website does not integrate an encryption or cryptographic security protocol to protect it from unauthorized access. Moreover, the website does not have a firewall to protect it from unauthorized network intrusion. Additionally, the "IDS (intrusion detection systems) and IPS (intrusion prevention systems)" (Abdel-Aziz, 2009, p 10) are not integrated in the system to detect and prevent potential vulnerabilities. Based on the loopholes identified in the system, the study carries out the security audit of the website to uncover its vulnerabilities.
The objective of this project is to carry out the security audit of the website listed below:
The outcomes of the audit assist in providing security recommendations for the website.
Methodology and Tools to Perform the Security Audit
The "vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies-for example, to gain greater access or permission that is authorized on a computer." (Mell, Bergeron, & Henning, 2005 p 7).
Security audits are the strategy of identifying vulnerabilities in the website. Wai (2002) identifies penetration testing as the effective strategy of identifying vulnerabilities. A penetration test involves a trusted individual attacking a website. The penetration test can also involve scanning the IP address in order to identify the machines that are vulnerable.
The paper uses the BackTrack software to perform the security audit and penetration testing. Modern websites in the contemporary IT environment face increasing security challenges because of security vulnerabilities and the changing of hackers' tactics. Moreover, modern applications and websites are extremely complex because business stakeholders are increasingly facing challenges in building a secure website that is foolproof against hacking. One of best strategies...
Typically, an ethical hacker assists in identifying the vulnerabilities, and suggests the strategies to build a secured website. In this sense, the study explores the vulnerabilities of the website, and the identification of the vulnerabilities assists in designing the strategy to protect the information systems using different methods. The strategy used to practice the ethical hacking of the website is discussed as follows:
The paper uses the BackTrack software to audit the website. BackTrack is one of the hacking tools that can be used to penetrate the database of websites of different organizations. With the BackTrack tool, a hacker can penetrate the website and collect sensitive information. As shown in Fig 1, it is easy to collect data from the website by selecting BackTrack and information gathering from the database of the website.
Fig 1: Information Gathering
After clicking sqlmap, the screen in Fig 2 opens.
Fig 2: Open the Sqlmap
After hacking the website, the study has been able to collect different patients' data from the website. The data collected include name of patients, DOB (date of birth), bill month, and balance, as shown in Table 1.
Table 1 "FX HOSPITAL EHR/EMR SYSTEM"
"Administrative Personnel Only"
3. Security Vulnerabilities Identified and Methods to Mitigate the Vulnerabilities
The website contains the electronic health records as well as electronic medical records of the hospital, which contain private information of patients. The audit of the website reveals that the website is not protected and is exposed to different vulnerabilities, which an attacker can take advantage of for personal purposes. The following vulnerabilities are discovered in the website after the audit.
First, the website below is not secured because the URL starts with HTTP, which is vulnerable to attack.
http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO15
Typically, a website that starts with HTTP is not a secured website; any attacker can penetrate the website and collect sensitive information.
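A defender can turn the HTTP finding above into a repeatable check. The following is an added example, not part of the original study: it inspects a URL and a set of response headers offline and reports cleartext transport, request parameters readable in transit, missing HSTS, and cookies without the Secure flag. The response headers, the example.org host used in testing, and the one-year HSTS threshold are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

MIN_HSTS_AGE = 31536000  # one year in seconds; threshold is an assumption

def hsts_max_age(value):
    # Pull max-age out of a Strict-Transport-Security header value.
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return 0

def audit_transport(url, headers):
    """Return transport findings for one response.
    headers is a list of (name, value) pairs as received."""
    findings = []
    parts = urlsplit(url)
    hdrs = [(k.lower(), v) for k, v in headers]
    if parts.scheme != "https":
        findings.append("cleartext: served over " + parts.scheme)
        names = [k for k, _ in parse_qsl(parts.query)]
        if names:
            findings.append("cleartext: parameters readable in transit: "
                            + ", ".join(names))
    else:
        hsts = [v for k, v in hdrs if k == "strict-transport-security"]
        if not hsts:
            findings.append("hsts: header missing")
        elif hsts_max_age(hsts[0]) < MIN_HSTS_AGE:
            findings.append("hsts: max-age below one year")
    for k, v in hdrs:
        if k != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie: %s lacks Secure" % name)
    return findings

if __name__ == "__main__":
    # URL from the audit; the response header below is a constructed sample.
    url = "http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO15"
    for f in audit_transport(url, [("Set-Cookie", "sid=x1; Path=/; HttpOnly")]):
        print(f)
```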
SQL Injection: Moreover, the website is vulnerable to SQL injection. SQL injection is the strategy of using malicious code to corrupt the database content, which helps the attacker gain access to the content in the database.
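The root cause and the fix for the SQL injection finding can be shown side by side. This is an added example, not code from the audited system: it runs against a constructed in-memory SQLite table whose name and columns are assumptions modelled on the fields the audit lists, and compares a query built by string concatenation with one that validates the bill_month value and binds it as a parameter.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows; table and column names are assumptions
    # modelled on the fields the audit lists (name, DOB, bill month, balance).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bills (name TEXT, dob TEXT,"
               " bill_month INTEGER, balance REAL)")
    db.executemany("INSERT INTO bills VALUES (?, ?, ?, ?)", [
        ("Patient A", "1970-01-01", 8, 120.50),
        ("Patient B", "1985-05-05", 8, 0.00),
        ("Patient C", "1990-09-09", 3, 75.25),
    ])
    return db

def bills_vulnerable(db, bill_month):
    # The request value is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the statement.
    sql = "SELECT name, balance FROM bills WHERE bill_month = " + bill_month
    return sorted(db.execute(sql).fetchall())

def bills_bound(db, bill_month):
    # The value is bound as data and never parsed as SQL.
    sql = "SELECT name, balance FROM bills WHERE bill_month = ?"
    return sorted(db.execute(sql, (bill_month,)).fetchall())

def bills_hardened(db, bill_month):
    # Validate first: a month is one or two ASCII digits in the range 1-12.
    if (not re.fullmatch(r"[0-9]{1,2}", bill_month)
            or not 1 <= int(bill_month) <= 12):
        raise ValueError("bill_month must be an integer from 1 to 12")
    return bills_bound(db, int(bill_month))

if __name__ == "__main__":
    db = make_db()
    malformed = "8 OR 1=1"  # constructed non-numeric input
    print(bills_vulnerable(db, "8"))        # the two rows for month 8
    print(bills_vulnerable(db, malformed))  # every row in the table
    print(bills_bound(db, malformed))       # no rows: compared as a literal
    try:
        bills_hardened(db, malformed)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already stops the value from being parsed as SQL; the validation step additionally rejects malformed requests early so they can be logged and alerted on.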
XSS (Cross-Site Scripting): The website is also vulnerable to XSS attack. The vulnerability is used in conjunction with phishing and other browser exploits. The attacker injects malicious client-side scripts or HTML in the web browser to bypass the access control with the goal of stealing sensitive data from the web.
Information Leakage: The website is also vulnerable to information leakage. Information leakage is the strategy of obfuscating or removing the signatures of the web technology platform to have access to the database contents.
Brute Force: A brute force attack is another website vulnerability that refers to a dictionary attack. The strategy is to defeat the authorization scheme and cryptographic authentication using possible keys to discover a password combination.
"In brute-force attack, the attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success." (Stallings, 2011, p 36).
The brute force attack can be successful by accessing the unprotected directories and breaking the authentication and authorization layers.
Denial of Service: The website is also vulnerable to DoS (Denial of Service) attack. DoS is an attack that prevents a webpage from serving normal activity. In essence, the attack attempts to consume all the website resources, including memory, CPU, and disk space, to make the website inaccessible.
Lack of Cryptographic Protocol: The website is also not secure because of the lack of a cryptographic protocol. Information leakage can occur if a website does not use appropriate encryption to protect the data from unauthorized access. Typically, attackers can gain access to credit card information and Social Security Numbers through information leakage because of insecure cryptographic systems.
RFI (Remote File Inclusion): The website is vulnerable to RFI. RFI is an attack mechanism on a web application that uses malicious code to access the web file remotely.
Viruses and worms: The website is also vulnerable to virus and worm attacks. A worm or virus can bypass the login procedures to have access to patients' data.
Insecure Direct Object: This strategy…