A.2 Protection Strategy for MedSite
The protection strategy outlined in Table A-1 focuses on improving the security posture of the entire MedSite organization. We developed the protection strategy after analyzing the results of the surveys completed by senior and operational area managers as well as general and information technology staff members during processes 1 to 3 of the OCTAVE Method. We also considered the risks identified during OCTAVE when developing the strategy. The protection strategy is organized according to the structure of the OCTAVE catalog of practices. The results of the security practice surveys are contained in Section 4 of this report.
Table A.1. Protection Strategy for MedSite
Security awareness and training |
Security awareness and training is sporadic. Provide all newcomers with baseline training.
Develop a long-range plan to upgrade training for all personnel and provide periodic refresher training.
Provide annual training in physical security for all staff (including staff in outlying clinics).
Enhance training for IT staff to address all job requirements.
Reduce reliance on on-the-job-training.
Update training plan in next six months to include formal training.
Find an easily obtained, inexpensive security training product (CD or take-home program).
Establish a baseline for security-related training and upgrades.
Establish uniform procedures for systems training.
Conduct joint training with ABC Systems.
|
Security strategy |
Incorporate results from this analysis team into the MedSite strategic plan, upon approval of the executive committee.
Determine overall time line for implementing these security improvement measures at the strategic planning level.
|
Security management |
Allocate greater funds for system security. Annual budgeting should weigh expenditures to forecast future needs adequately.
Reexamine results from this analysis team in one year.
Clearly define staff roles and responsibilities and communicate to all personnel.
Meet with human resources to determine what security-related issues need to be included in hiring/firing procedures and criteria.
Begin a review of security status reports from IT at biweekly managers' meeting.
|
Security policies and regulations |
Disseminate revised policies and procedures at all levels and actively enforce them.
Document, publish, and disseminate specifications to all personnel outlining sanctions for security violations.
Currently, security policies and procedures are neither clearly understood nor consistently enforced at all levels of the organization. Review all policies and procedures, compare them to other medical treatment facilities considered to have best practices, and revise them.
Ensure that laws and regulations are understood at all levels of the organization and that they are incorporated into revised policies, procedures, and training.
|
Collaborative security management |
Review and update the current policies and procedures for working with third parties, especially service providers.
Develop a set of checklists and tools to set up contracts with third parties with clear instructions concerning disclosures, restrictions, and verification of compliance.
Establish/enhance dialogue with ABC Systems.
Invite ABC Systems to attend joint management meetings.
|
Contingency planning/disaster recovery |
Review contingency plans and procedures annually and brief all personnel during medical readiness training.
Coordinate contingency plans with the network service provider and ABC Systems.
Update business continuity plan to include electronic/network access.
|
Physical security |
Enforce the security badge policy with spot checks.
Continue joint exercises to challenge our physical security measures.
Continue security challenges to outlying clinics.
Identify the outlying clinics' physical security measures to the appropriate custodians.
Review, update, and enforce our policies on workstation use.
Review the physical security requirements for computers in free-flow areas in conjunction with their usage requirements. Institute adjustments in usage, physical location, or other measures to maintain physical security.
Identify key system components' locations and verify the physical security of the components on a recurring basis (from both internal staff and external organizations).
Enforce software installation security procedures at all levels and ensure they are adhered to both internally and externally.
Establish a mechanism for the safety committee to verify that each section is aware of identified physical vulnerabilities. Include a member of IT on the committee to help it deal with computer systems' physical security requirements.
Clearly establish and communicate that both internal and external personnel are responsible for physical security.
|
Information technology security |
Develop a long-range plan for modernization of security-related services. Recommend assigning this to the executive committee.
Establish clear policies and procedures for information technology security services.
Investigate the need for encryption on patient information that is emailed on unsecured lines.
Assign a small task force to look into our use of PDAs.
Ask ABC Systems to set up a review meeting for next quarter to discuss whether our security requirements and the current network design allow for ways to improve security without affecting work efficiency.
Investigate the use of user profiles to restrict access to sensitive information during off-hours and weekends.
Enforce user password policies (e.g., do not share passwords).
Add time-outs to workstations in treatment rooms and open-access areas.
Establish the vulnerability management practice and consider making this a joint effort with ABC Systems.
|
Staff security |
Document clear procedures and reporting mechanisms for incident identification and reporting.
Immediately provide a "call list" of whom to contact and under what circumstances.
Ensure dissemination of procedures and "call list" to lowest operator level, and conduct periodic incident exercises to verify compliance.
Incident management is not currently defined. Address this high-vulnerability area immediately. Establish clear policy and guidance for the authority to terminate use, seize equipment, and notify chain of command and law enforcement agencies, and for the authority to disable accounts.
|
Issues |
While the management team is a logical first place for all of these strategies to be considered, it may not be the best group to actually accomplish these tasks. Some consideration is needed to determine the best way to distribute responsibility without losing sight of the overall plan. |
A.2.1 Near-Term Action Items
In addition to the protection strategy, we also recommend several short-term action items. Table A-2 summarizes the action items identified during the evaluation.
Table A-2. Action List for MedSite
Look for vulnerabilities in selected components of all the key classes of components.
Analyze the results of the new vulnerability evaluations and prioritize the vulnerabilities to determine immediate, mid-term, and long-range goals (e.g., standard policy for password changes for all systems).
Analyze proposed solutions from both systems and operators' perspectives.
|
Responsibility:
IT and ABC Systems
Completion date:
within the next 30 days
Required management actions:
Address budget and staffing concerns to complete actions
|
Develop a pocket card for administrators to clearly identify other administrators and their capabilities, the points of contact, wiring diagram of administrators, and program oversight (e.g., "X controls virus management").
Update and distribute annually.
Use as a part of administrators in-processing.
|
Responsibility:
management team
Completion date:
within the next 90 days
Required management actions:
none
|
|
Responsibility:
management team, IT, and ABC Systems
Completion date:
within the next 120 days
Required management actions:
none
|
|
Responsibility:
management team
Completion date:
within the next 90 days
Required management actions:
none
|
|