RESEARCH REPORT
ACKNOWLEDGEMENT
I, Santosh Kumar Pandey, would first like to thank my faculty guide Prof. Vivek Kumar Srivastava (Assistant Professor, IMS MGKVP, Varanasi) for supervising and guiding me during this research study; he was an ideal guide in the true sense. He guided and helped me wherever possible and needed, in areas such as the topic of the research, suggesting alternative solutions, and sharing his valuable personal experience and knowledge with me.
This research program helped me to apply my theoretical knowledge in a practical field, and hence enhanced my knowledge and information about brand perception of Dell laptops and consumer satisfaction after purchasing them.
Besides this, I would also like to give my sincere gratitude to all the respondents and workers of the Dell store who participated in the survey, without whom this research would be incomplete.
PREFACE
The study was provided to management students so that they could apply their research skills and find a solution to a given problem. This part of management education provides a framework of knowledge relating to the concepts and practices of the assigned course of management.
The research study is an integral part of the course curriculum of the Master of Business Administration. Through it the student is in a position to analyze real problem-solving situations with mature eyes and to understand their dynamics in a better manner.
This particular research has been conducted in Varanasi. The first phase of the research project gives an introduction to the topic and the initiation of the study. After that a market research was performed with a sample size of 100 units.
The research study was limited to Varanasi. In my survey, I reached the respondents through personal interviews and Google Forms with the help of questionnaires.
DECLARATION
I assert that the statements made and conclusions drawn are an outcome of my research work.
I further certify that:
i) The work contained in the report is original and has been done by me under the general supervision of my supervisor.
ii) The work has not been submitted to any other institution for any other degree/diploma/certificate in this university or any other university in India or abroad.
iii) I have followed the guidelines provided by the university in writing the report.
iv) Whenever I have used materials (data, theoretical analysis, and text) from other sources, I have given due credit to them in the text of the report and given their details in the references.
CONTENTS
INTRODUCTION
  HEALTHCARE INDUSTRY OVERVIEW
  CURRENT BUSINESS PROBLEMS
  GOALS AND OBJECTIVES
METHODOLOGY
  SUMMARY OF STEPS
  ASSUMPTIONS
FINDINGS
  NETWORK ARCHITECTURE
    ACCESS LAYER
  NETWORK MANAGEMENT
  PERFORMANCE ARCHITECTURE
    QoS
  SECURITY MODEL
A SWOT ANALYSIS OF INFORMATION TECHNOLOGY AND THE HEALTHCARE INDUSTRY
SECURITY METRICS
RISK ANALYSIS
PROTECTION MECHANISM
  ENDPOINT SECURITY
  NETWORK SECURITY
  CONTENT SECURITY
QUESTIONNAIRE
BIBLIOGRAPHY
Abstract
Information Technology (IT) is poised to revolutionize healthcare trade through new thresholds in human connectivity. This paper focuses on the expanding role of IT in three distinct but related categories: (a) design and development of healthcare products and services, (b) delivery systems, and (c) healthcare administration. Through the information power that IT enables, the capacities of decision-makers are continually transformed in how they link with each other in the here and now. This not only promotes trade in services and e-commerce but also facilitates worldwide convergence in several aspects of healthcare management and organization. However, the process also raises fears and anxieties, because the pervasive nature of IT and its uneven diffusion increase some vulnerabilities for which policy safeguards are needed. IT diffusion occurs at many different points of impact in the international economy. Thus, policy choices have to cater to a wide range of national and regional needs and circumstances concerning rights to health, rights to trade and rights to development. National policies and international regimes need to strike a harmonious balance between these sets of rights.
The persistence of unresolved conflicts of rights and conflicts of interests points to the need for new international arrangements to be mandated and resourced. The extent to which this can be achieved is uncertain. This uncertainty is traceable to the ways in which responsibility for healthcare, authority to design healthcare products and systems, and the power to organize healthcare delivery remain separate or come together. The restructuring of private investments to integrate IT with life sciences in public-private partnerships is a sign of the growing significance of IT in healthcare. It is also a reminder of how powerfully IT could be harnessed in pursuit of the Millennium Development Goals.
INTRODUCTION
HEALTHCARE INDUSTRY OVERVIEW
CURRENT BUSINESS PROBLEMS
• Instant messaging and pager services for emergency alerts to the staff
• Video conferencing capabilities between physicians and patients, or between physicians
GOALS AND OBJECTIVES
Our team has decided to address the various challenges faced by the healthcare industry and to provide a robust IT infrastructure and security solution. We will look into the existing architecture in healthcare firms, which lacks complete integration and end-to-end data availability.
METHODOLOGY
SUMMARY OF STEPS
2. Requirement Gathering
3. Flow Analysis
4. Network Architecture
5. Network Management
6. Performance Architecture
7. Threat Analysis
8. Security Model
9. Security Metrics
ASSUMPTIONS
REQUIREMENT GATHERING
The requirements gathered are summarised below (priority H = high, M = medium).
• Security of healthcare records (EMR/EHR): must be HIPAA and HITECH compliant, as required by government regulations; enforced through an access controller. Priority: H.
• Pharmacy systems and medical equipment need to communicate: driven by the number of devices and the types of output and input files; devices must synchronize with each other, with file conversion into the expected formats; requires connectors, LDAP, legacy systems and medical equipment integrators. Priority: M.
• 24x7 availability (% uptime/downtime): a medical emergency has no fixed time; target availability 99.999%; backup servers and power to ensure availability at the time of failure; single points of failure are to be removed through distributed networking. Priority: M.
• Loss of medical records is common: scheduled jobs for backup of data; backup storage of 1 TB; maintenance of records, since patient history needs to be recorded. Priority: H.
• Regular patient monitoring helps in early diagnosis: query time and faster analysis of data, target under 5 seconds; depends on the DB server and server computing speed, since patient history needs to be analyzed. Priority: M.
FLOW ANALYSIS
Delay: latency created in the different applications. The life support system is to have the minimum delay, and the customer applications are allowed the maximum.
Delay: minimum delay for the applications and network involved in the life support system and other medical equipment. A delay of around 100 ms is accepted in applications like VoIP, messaging and other communications.
Reliability: maximum for the medical equipment and the life support system, around 99.9999%; we try to achieve six-sigma availability. For other applications some downtime is accepted.
NETWORK ARCHITECTURE
CORE LAYER
ACCESS LAYER
First point of entry into the network for edge services such as medical devices, portable computers, end stations etc.
Provides demarcation between computing devices and network infrastructure.
It provides the QoS, security and policy trust boundary.
NETWORK MANAGEMENT
PERFORMANCE ARCHITECTURE
To achieve high availability of 99.999 percent and above, there needs to be hardware redundancy in the network, and diagnostics that are capable of recognizing a fault condition and failing over to a secondary or load-sharing device. The overall goal is to provide a highly available end-to-end medical-grade network (MGN) that includes clinical systems and biomedical devices. In many cases, however, the clinical systems (EHR, EMR, practice management, lab, pharmacy, radiology, and so on) are not architected to provide 99.999 percent availability.
Clinical applications are consuming ever more data centre storage resources as well as network resources. In addition, today's broadly distributed imaging services can be multi-vendor, resulting in imaging centers spread across multiple disparate locations, which makes it challenging for the network architect to design a network that meets the expectations of the client. In a Picture Archiving and Communication System (PACS), images are not distorted by packet loss or delay; these properties only affect the rendering time. Since PACS vendors have service-level agreements (SLAs) for this purpose, it is necessary to understand the impact and extent of this on the workflow. Patient care can be impacted by severe network congestion, which can delay an image by a minute in reaching a radiologist or a surgeon who is preparing to perform emergency surgery.
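As an added worked example (not from the report, and not any vendor's design guide), the following Python turns the availability targets used in the flow analysis and in this section into an annual downtime budget, and shows why the hardware redundancy and automatic failover described above are needed to reach 99.999 percent on a multi-hop path. The per-device availability of 99.95 percent and the four-tier path are assumed figures for illustration; the model also assumes that paired devices fail independently, which a shared power feed or a single fibre path (a single point of failure) would violate.

```python
"""Availability arithmetic for a medical-grade network path.

Added example; the device availability and the number of tiers are
assumptions chosen for illustration. Availability values are fractions
(0.99999 == 99.999 percent).
"""

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 (leap years ignored)


def downtime_minutes_per_year(availability: float) -> float:
    """Annual downtime budget implied by an availability fraction."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * MINUTES_PER_YEAR


def serial(*availabilities: float) -> float:
    """Availability of a chain in which every element must be up, e.g.
    access switch -> distribution switch -> core -> data-centre switch.
    Every extra hop can only lower the result."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def redundant(availability: float, units: int = 2) -> float:
    """Availability of `units` identical devices when any one of them is
    enough (active/standby or load-sharing pair with automatic failover).
    Assumes the units fail independently of each other."""
    return 1.0 - (1.0 - availability) ** units


def meets_target(path_availability: float, target: float) -> bool:
    """True when the end-to-end path satisfies the availability target."""
    return path_availability >= target


def compare_designs(device_availability: float, tiers: int, target: float) -> dict:
    """Evaluate a non-redundant chain against one with a redundant pair at
    every tier and report whether each design meets the target."""
    single = serial(*[device_availability] * tiers)
    paired = serial(*[redundant(device_availability)] * tiers)
    return {
        "single_path": single,
        "single_path_downtime_min": downtime_minutes_per_year(single),
        "single_meets_target": meets_target(single, target),
        "redundant_path": paired,
        "redundant_path_downtime_min": downtime_minutes_per_year(paired),
        "redundant_meets_target": meets_target(paired, target),
    }


if __name__ == "__main__":
    # Assumed: four network tiers, each device 99.95 percent available,
    # target five nines (99.999 percent) for the life-support path.
    report = compare_designs(device_availability=0.9995, tiers=4, target=0.99999)
    for key, value in report.items():
        print(f"{key:30s} {value}")
```

With the assumed figures, four 99.95 percent devices in series give about 99.8 percent (roughly 17.5 hours of downtime a year), far short of five nines, while a redundant pair at every tier brings the same path to about 99.9999 percent (around half a minute a year). The independence assumption is the part to verify in a real design: two chassis on one power circuit or one fibre bundle share a failure cause and do not behave like the `redundant()` formula.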
QoS
Quality of service (QoS) measures the transmission quality and service availability of a network. Traffic on IP networks competes for scarce resources such as transmission bandwidth and equipment processing time. This leads to packet loss, packet delay, and jitter (defined as the variance of packet delay). These have a very negative effect on applications: they can interrupt or stop real-time services like video or voice calls and may also slow down other applications. As healthcare networks become more and more congested, network failure is becoming a very distinct possibility. Routers and switches must be placed and configured in a well-thought-out manner so that a consistent application experience can be obtained under varying traffic conditions. Healthcare network traffic is a mixture of high-priority and low-priority traffic, which includes applications, medical device traffic, imaging data, voice and video traffic, guest services, e-mail and so on.
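To make the effect of congestion concrete, the following Python is an added example (not from the report): a deterministic simulation of one oversubscribed link carrying four constructed traffic classes, served either by a single FIFO queue or by a strict-priority scheduler that pushes out the lowest-priority packet when its buffer is full. It reports per-class mean delay, jitter (variance of delay, as defined above) and drops. The class names, the priority order, the buffer size and the arrival pattern are all assumptions made for illustration.

```python
"""Congested link: single FIFO queue versus strict-priority queueing.

Added example; time is in ticks and the link forwards one packet per tick.
The traffic classes, their priority order, the buffer size and the arrival
pattern are assumptions chosen to oversubscribe the link.
"""
from collections import deque
from statistics import mean, pvariance

# Lower number = served first (hypothetical mapping of the kind a DSCP
# marking policy at the access layer would express).
PRIORITY = {"life_support": 0, "voice": 1, "imaging": 2, "guest": 3}
ORDER = sorted(PRIORITY, key=PRIORITY.get)


def generate_traffic(ticks: int) -> list:
    """Constructed arrival pattern: 1.5 packets per tick on average against a
    link that forwards one per tick, so a backlog builds up."""
    arrivals = []
    for t in range(ticks):
        if t % 4 == 0:
            arrivals += [(t, "life_support"), (t, "voice")]
        if t % 2 == 0:
            arrivals += [(t, "imaging"), (t, "guest")]
    return arrivals


def _stats(delay_list: list, drops: int) -> dict:
    if not delay_list:
        return {"delivered": 0, "dropped": drops, "mean_delay": None, "jitter": None}
    return {"delivered": len(delay_list), "dropped": drops,
            "mean_delay": float(mean(delay_list)),
            "jitter": float(pvariance(delay_list))}  # jitter = variance of delay


def simulate(arrivals: list, scheduler: str, buffer: int = 8) -> dict:
    """Forward every packet and return per-class delivery statistics.

    "fifo": one shared queue, tail drop when the buffer is full.
    "priority": one queue per class, highest priority forwarded first; when the
    buffer is full an arriving packet pushes out the youngest packet of the
    lowest class present if that class is below its own, else it is dropped.
    """
    if scheduler not in ("fifo", "priority") or buffer < 1:
        raise ValueError("scheduler must be 'fifo' or 'priority' and buffer >= 1")
    by_tick = {}
    for t, cls in arrivals:
        by_tick.setdefault(t, []).append(cls)
    last_arrival = max(by_tick)

    fifo = deque()                               # (arrival_tick, class)
    queues = {cls: deque() for cls in PRIORITY}  # arrival ticks per class
    delays = {cls: [] for cls in PRIORITY}
    dropped = {cls: 0 for cls in PRIORITY}

    def queued() -> int:
        return len(fifo) + sum(len(q) for q in queues.values())

    t = 0
    while t <= last_arrival or queued():
        for cls in by_tick.get(t, []):
            if queued() < buffer:
                if scheduler == "fifo":
                    fifo.append((t, cls))
                else:
                    queues[cls].append(t)
            elif scheduler == "priority":
                lowest = max((c for c in ORDER if queues[c]), key=PRIORITY.get)
                if PRIORITY[lowest] > PRIORITY[cls]:
                    queues[lowest].pop()         # push out the youngest low-priority packet
                    dropped[lowest] += 1
                    queues[cls].append(t)
                else:
                    dropped[cls] += 1
            else:
                dropped[cls] += 1                # FIFO tail drop, whatever the class
        # forward one packet this tick
        if scheduler == "fifo":
            if fifo:
                t0, cls = fifo.popleft()
                delays[cls].append(t - t0)
        else:
            for cls in ORDER:
                if queues[cls]:
                    delays[cls].append(t - queues[cls].popleft())
                    break
        t += 1
    return {cls: _stats(delays[cls], dropped[cls]) for cls in PRIORITY}


if __name__ == "__main__":
    traffic = generate_traffic(40)
    for name in ("fifo", "priority"):
        print(name)
        for cls, s in simulate(traffic, name).items():
            print(f"  {cls:13s} delivered={s['delivered']:3d} dropped={s['dropped']:3d} "
                  f"mean_delay={s['mean_delay']} jitter={s['jitter']}")
```

Under FIFO the life-support packets wait behind whatever arrived before them and are tail-dropped like any other class once the buffer fills; under strict priority they are forwarded in the tick they arrive (zero delay, zero jitter, no loss) and the congestion is pushed onto the guest and imaging classes, which is the intended trade-off on a medical-grade network. Strict priority without a rate limit can starve the lower classes completely, so production designs cap the priority queue.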
THREAT ANALYSIS
The following table represents the threat analysis for the Healthcare Industry.
Electronic health record security model:
The HIPAA Security Rule is divided into six parts. It uses the following particular standards to describe the security standards:
General Rules
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Organizational Requirements
Policies, Procedures and Documentation Requirements
required functions. Proper security in the shutdown and disposal of the system should be maintained, and disposal of data should be done in a secure manner. Security modelling overall is a combination of measures distributed physically and logically.
A SWOT ANALYSIS OF IT INFRASTRUCTURE AND THE HEALTHCARE INDUSTRY
INTERNAL STRENGTHS
IMPROVED PATIENT SAFETY: patient safety, as expressed in the classical version of the Hippocratic Oath ("I will keep them from harm and injustice"), is an underlying principle of professional healthcare throughout the world. Improving patient safety is a primary objective at all levels of the healthcare industry. The strategic initiative to increase the role of IT in healthcare can advance the cause of greater patient safety by enhancing the quality of care.
With comprehensive data available in a timely manner, healthcare providers can make better decisions about their patients' care, thereby reducing errors due to incomplete or insufficient information at the point of decision (Goldberg, Kuhn, and Thomas, 2002).
Lenz (2007) agrees that IT has a huge potential to improve the quality of healthcare and that this aspect has not been fully explored by current IT solutions. Advanced process management technology is seen as a way to improve IT support for healthcare processes by improving the quality of the process.
Lieber (2007) reports that the use of electronic health records could save as much as $8 billion yearly in California alone through improvements in delivery efficiency.
Picture archival and communication systems (PACS) not only save providers the costs of file-room storage space and film supplies, but also decrease the time spent reporting, filing and retrieving records. Web access enables physicians to view radiological images from their offices, homes or other remote facilities. IT provides emergency rooms with tools for electronic prescriptions, order entry, provider documentation and after-care instructions for patients and their families. Updating electronic instructions is quick and easy. Purchasing departments are aided by the ability to buy products for specialty areas such as anesthesia, infection control, substance abuse programmes, and home health care.
Current investment in IT
Is there a hospital in the United States that has not already made an investment in its IT infrastructure? Probably not. In the past ten years, advances in health information technologies have occurred at an unprecedented rate, with hospitals increasing their IT investments threefold (Burke and Menachemi, 2004).
Today, albeit at varying levels of sophistication, all hospitals use IT to run their core administrative and clinical application systems, that is, patient accounting, insurance billing, human resources, staff and facilities scheduling, pharmacy, laboratory results reporting, and radiology (Cohen, 2005). Most healthcare organizations in the U.S. are spending between 2.1% and 10% of their capital and operating budgets on IT (Conn, 2007b).
INTERNAL WEAKNESSES
Lack of system integration
Integrated systems offer seamless data and process integration across information systems (Landry, Mahesh, and Pushpendra, 2005). Since a patient's treatment involves receiving services from multiple budgetary units in a hospital, information system integration should exist between the computer-based applications within a single hospital. When healthcare organizations coordinate and integrate their internal data, they can improve operations and decision making; however, in most healthcare organizations the clinical and financial systems are not linked, and as a result many healthcare institutions are not yet maximizing their IT potential (Cohen, 2005).
Moreover, system integration need not be confined to applications within a single facility. There are many types of healthcare providers and healthcare networks.
User resistance
User resistance, more commonly termed user acceptance in the information systems
literature, is nothing new to IT. The original Technology Acceptance Model (TAM) put
forth by Davis (1989) states a user’s level of system acceptance is explained by two factors:
the system’s perceived usefulness and its perceived ease of use.
Perceived usefulness is defined as the degree to which a person believes that using a particular
system would enhance job performance, while perceived ease of use is defined as the degree to
which a person believes that using a particular system would be free of effort. Subsequent
research across a variety of research settings confirms perceived usefulness as the strongest
predictor of user acceptance (Adams, Nelson, & Todd, 1992; Taylor & Todd, 1995; Venkatesh &
Davis, 1996; Mahmood, Hall, & Swanberg, 2001). Some believe that IT implementations in the
healthcare environment, however, encounter more resistance than in any other environment
(Adams, Berner, & Wyatt, 2004).
A study of 12 critical access hospitals found barriers to health information technology included
funding, staff resistance to change, staff adaptation to IT and workflow changes. Other user resistance was noted in the time constraints on small staffs, facility and building barriers, and lack
of appropriate IT support. While all agree that IT will improve safety and reduce errors, barriers to
implementation are numerous and must be addressed (Hartzema, Winterstein, Johns, de Leon,
Bailey, McDonald, & Pannell, 2007).
Slow IT Adoption
Traditionally, healthcare has been slow to adopt IT and has lagged significantly behind other
industries in the use of IT (Ortiz & Clancy, 2003; Adams et al., 2004). A 2005 report from the
National Academy of Engineering and the Institute of Medicine agrees healthcare’s failure to adopt
new strategies and technologies has contributed to the list of problems now associated with the
industry: thousands of preventable deaths a year, outdated procedures, billions of dollars wasted
annually through inefficiency, and costs rising at roughly three times the rate of inflation. Lack of
competition, resistance to change, and capital costs are among the major causes for healthcare’s
slowness to adopt IT (Hough, Chen, & Lin, 2005).
There are signs of progress, however, which offer promise of accelerated change.
Many hospitals and physician groups are now digitizing their medical records and
clinical data (Hough et al., 2005). As noted earlier, some hospitals like Cincinnati
Children’s Hospital, Baylor Healthcare System in Dallas, and The Heart Center of
Indiana have adopted IT at advanced levels (Cohen, 2005; Kay & Clarke, 2005).
These hospitals are models for the industry, forging a path for other healthcare
organizations to follow, and emerging as healthcare leaders in IT whose techniques
can be benchmarked, emulated and implemented. As the healthcare technologies are
developed to greater sophistication and functionality, it will be possible for other
healthcare organizations to “leapfrog” over the slow, expensive evolutionary learning
process experienced by the leaders (Conger & Chiavetta, 2006).
The following section outlines external opportunities and threats facing IT
and health- care. Specific opportunities are the Internet, the national environment, and
industry standards. Key threats include legal compliance, loss of patient trust, and the
costs of IT systems, training, implementation, and support.
External Opportunities
The Internet
Across the industry, healthcare facilities and providers are in various stages of incorporating the
Internet into their operations to allow new ways to communicate with the general public, specific
patients, patient groups, physicians, other providers, and employees. Notable Web- based
services include public Web sites, various telemedicine applications for targeted patient audiences,
physician portals, physician education sites, and facility intranets which serve an organization’s
internal audiences. Generally, there is an increased focus throughout the healthcare industry to
improve all Web-based applications (Sternberg, 2004).
The Internet is also redefining communication channels between doctors and patients, as well as between healthcare providers and other healthcare-related agencies. DeShazo, Fessenden, and Schock (2005) suggest the top two emerging trends in healthcare are (1) online patient/physician communication and (2) connections among hospitals, labs, pharmacies, and physicians. Advances in home technology coupled with the aging of the
baby-boom generation have created the demand for better communications with patients
about their on-going care and monitoring. Improving the communication between the
patient’s at-home technology and the provider’s technology is also a growth opportunity.
Based on the adequacy of information transmitted to the healthcare provider, the
physician saves appointment times and patients are freed from excessive office visits,
thereby lowering transaction costs (Flower, 2005).
The Internet and other advances in IT have enabled new models for electronic
delivery of a variety of healthcare services. Kalyanpur, Latif, Saini, and Sarnikar (2007)
describe the market forces and technological factors that have led to the development of
Internet-based radiological services and agree the Internet has provided the platform for
cost-effective and flexible radiological services. Wells (2007) agrees the practice of
evidence-based medicine requires access to the Internet, mobile devices, and clinical decision-support tools to assist practitioners in reducing preventable medical errors.
prescription drugs (Lubell, 2007).
Industry standards
The development of industry standards for both data communications and data
taxonomies may be the most profound of all the opportunities currently facing
healthcare. As a crucial first step in modernizing the U.S. healthcare system, all industry participants—providers, payers, and regulators—are being urged to adopt interoperable systems and common data standards for existing federal, state, and
health networks along with standard practices to promote data sharing and protection
of patient privacy (Swartz, 2006b). Standard data communications technology and
standard data definitions are essential for such health information technologies as
electronic health records and e-prescribing (Brailer, 2004).
A recent study of several disability compensation programs within the U.S. found
each program uses its own terminology and disability definitions causing non-standard
interpretation of terms, misinterpretation of data, and delay in the disability
evaluation process. The study suggests defining and adopting a standard for disability
evaluation could not only eliminate process inefficiencies in determining disabilities but
could also facilitate innovative disability technology practices (Tulu, Hilton, &
Horan, 2006).
System standards resulting in a greater level of systems integration is a pressing need. Conn (2007a)
reports the compromise reached by two rival standards groups for data communications standards
can help to bridge the gap between physicians’ offices and hospitals in the electronic health record
systems they use. The Continuity of Care Document standard combines the independent works by
two standards development organizations on creating electronic summaries of care for discharged
patients.
External Threats
Legal compliance
The Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996, is the most significant Federal legislation affecting the U.S. healthcare industry since the Medicare and Medicaid legislation of 1965. Title I of HIPAA legislates improved portability and continuity of health insurance coverage for American workers.
Title II addresses “administrative simplification” requiring the development of standards
for the electronic exchange of personal health information (PHI). Administrative
simplification requires rules to protect the privacy of personal health information, the
establishment of security requirements to protect that information, and the development of
standard national identifiers for providers, health insurance plans, and employers. Two
significant sections of HIPAA are (1) the Privacy Rule and (2) the Security Rule.
The Privacy Rule legislates in detail the collection, use, and disclosure of personal health
information. To be in compliance with the Privacy Rule, covered entities must notify individuals of uses of their PHI, keep a record of all disclosures of PHI, and document
and disclose their privacy policies and procedures. Covered entities must have designated
agents for receiving complaints and they must train all members of their workforce in
proper procedures.
The Security Rule complements the Privacy Rule and presents three types of security safeguards designated as administrative, physical, and technical. For each type, the Rule
identifies various security standards and names (1) required implementation
specifications which must be adopted and implemented as specified in the Act and (2)
addressable implementation specifications which are more flexible and can be
implemented by the covered entities as deemed appropriate.
Cost
One of the most immediate barriers to widespread adoption of technology is the high cost of implementation. A report in the Annals of Internal Medicine estimated that a National Health Information Network (NHIN) would cost $156 billion in capital investment over five years and $48 billion in annual operating costs. Approximately two-thirds of the capital costs would be needed to acquire the functionalities and one-third for interoperability. The present level of spending is only about one-fourth of the amount estimated for the model NHIN. While an NHIN would be expensive, $156 billion is equivalent to 2% of annual healthcare spending for 5 years (Kaushal et al., 2005). Industry reports from Datamonitor, Gartner, and Dorenfest & Associates predict increased spending on IT by healthcare providers at an annual rate of between 10% and 15% (Broder, 2004). A study conducted by Partners Healthcare System, Boston, concluded that a national healthcare information system would cost $276 billion, take 10 years to build, and require another $16.5 billion annually to operate. However, the study also concluded that such a system would save U.S. hospitals $77.8 billion annually because of more efficient communication (Anonymous, 2005a).
Discussion AND Conclusions
Table 1 summarizes the current SWOT analysis of IT implementation in the healthcare
industry in the U.S. The healthcare industry faces multi-faceted challenges to improve
patient safety and assure information security while containing costs and increasing
productivity. The key area for addressing these concerns is more investment in IT to
facilitate the flow of information and offer access to providers and partners along the
healthcare supply chain, reduce medical errors, and increase efficiency. Implementation of
IT networks to achieve the required level of information and data communications is
complicated by the variety of systems already used by provider organizations as well as the
lack of system integration within provider organizations.
Table 1
SWOT Analysis
Strengths:
• Improved Patient Safety
• Greater Efficiency of Operation
• Current Investment in IT
Weaknesses:
• Lack of System Integration
• User Resistance
• Slow IT Adoption
Opportunities:
• The Internet
• Favorable External Environment
• Industry Standards
Threats:
• Legal Compliance
• Loss of Patient Trust
• Costs
KEY CYBER SECURITY RISKS FOR HEALTHCARE PROFESSIONALS
We have examined the regulatory landscape for healthcare firms and both the trends and risks that drive cyber security threats in the industry. What should healthcare organizations be doing to strengthen their cyber security defenses, particularly given that healthcare is the only industry in which employees are the primary threat vector for data breaches? Here are the best practices.
• Develop a cyber security strategy for your organization
Do the internal research to identify the specific threats faced by your organization, including a complete audit of current security tools, training programs, and security practices. This needs to be a comprehensive, enterprise-wide assessment, not a piecemeal approach. Elements include identifying specific risks, such as computers still running Windows XP, medical devices with unpatched operating systems, and printers in locations that unauthorized people could access. Assess the effectiveness of training programs, pulling data on metrics such as key offenders, repeat offenders, and the types of attacks that keep succeeding despite training efforts. If outdated or vulnerable medical devices are of particular concern, work with the original vendor to develop solutions to the problem. When evaluating current and potential IT security vendors, look for those who are innovating at the rate of current threats, not those stuck in neutral. If your organization lacks the in-house cyber security skills to execute such a strategy, engage a specialist external consultancy to lead the effort.
SECURITY METRICS
factor to be considered while selecting a particular IT infrastructure. Prioritization of individual metrics is equally important within an organization. Healthcare IT needs to prioritize among various requirements such as 24x7 availability, remote access, data security, wireless connectivity etc. A performance target for the network is to be determined; as the network requirements of healthcare IT are very critical, the performance target should be close to 100%. The percentage of remote access points used to gain unauthorized access is to be determined, and possible security breaches into the network are to be counted. Healthcare IT has multiple remote access points, so all of them need to be secured, eliminating most of the vulnerabilities. The average frequency of audits and of the training given to personnel is also to be accounted for in the measurements, as is the percentage of physical security incidents.
… the vulnerability of the network.

Metric | Purpose | Benefit
Number of critical applications in operation | Helps in identifying the critical applications, e.g. life support system, MRI etc. | Security of important life support and other critical applications
Risk assessment coverage | Identifies the risks associated with these applications | Replacement cost associated with application failures
Fulfillment of service level agreements (service provided to the patients) | Helps to realize the commitment towards the patient and the service provided | Helps in achieving the ROI
Information security budget allocation in healthcare IT | Level and requirement justification for the IT security budget | Budget planning for the security system
Patches and upgrades to the application-critical network | Maintenance of the system at an updated level | Better knowledge of the available patches and upgrades present in the sector
Vulnerability scan of the complete network | Management of the vulnerabilities to which the network is exposed | Helps in better recognition of the vulnerabilities to which the network is exposed
RISKANALYSIS
The risk analysis was performed and the following table represents our findings and the associated costs. For each threat the Single Loss Expectancy (SLE) is the cost of one incident, the Annualized Rate of Occurrence (ARO) is the number of incidents expected per year implied by the stated frequency (once every 10 years gives 0.1, twice a year gives 2), and the Annualized Loss Expectancy is ALE = SLE x ARO.

Threat | Cost per Incident (SLE) | Frequency of Occurrence | ARO | Starting ALE
Hacked Medical Equipment | $10,000,000.00 | Once every 10 years | 0.1 | $1,000,000.00
Hacked Network attached devices | $20,000.00 | Once every 10 years | 0.1 | $2,000.00
Hacked internet facing personal health data | $2,000,000.00 | Twice every year | 2 | $4,000,000.00
Hacked surveillance cameras/security equipment | $1,000,000.00 | Once every three years | 0.33 | $333,333.33
Theft or Loss of data | $4,000,000.00 | Once every year | 1 | $4,000,000.00
Unauthorized Access | $100,000.00 | Thrice every year | 3 | $300,000.00
Viruses, Worms, Macros, Denial of service | $2,000,000.00 | Once every year | 1 | $2,000,000.00
Equipment Failure | $4,000,000.00 | Once every two years | 0.5 | $2,000,000.00
Service issues from Service providers | $500,000.00 | Twice every year | 2 | $1,000,000.00
Insider misuse | $500,000.00 | Twice every year | 2 | $1,000,000.00
Patient Records Breach | $1,000,000.00 | Once every year | 1 | $1,000,000.00
COST BENEFIT ANALYSIS
The following table represents the results of the Cost Benefit Analysis. The control measures and their associated costs, which were used for the analysis, are listed as well. CBA = ALE (prior) - ALE (post) - cost of controls, where ALE (prior) is the Starting ALE from the risk analysis and ALE (post) is the annual loss still expected once the control is in place. The column labelled "ARO" in the original table is not an annualized rate of occurrence: in every row it equals ALE (post) divided by ALE (prior), i.e. the fraction of the annual loss that the control leaves behind, so it is labelled "Residual factor" here. A negative CBA means the control costs more per year than the loss it avoids; where the residual factor is 1 (internet facing personal health data, unauthorized access) the control as modelled removes no risk at all, so its full cost is a loss.

Threat | Cost per Incident (SLE) | Frequency of occurrence | ALE (prior) | Residual factor | ALE (post) | Cost of controls | Type of control | CBA
Hacked Medical Equipment | $10,000,000.00 | Once every 10 years | $1,000,000.00 | 0.5 | $500,000.00 | $100,000 | Physical/Software Security | $400,000.00
Hacked Network attached devices | $20,000.00 | Once every 10 years | $2,000.00 | 0.25 | $500.00 | $15,000 | Physical Security | $(13,500.00)
Hacked internet facing personal health data | $2,000,000.00 | Twice every year | $4,000,000.00 | 1 | $4,000,000.00 | $70,000 | Firewall | $(70,000.00)
Hacked surveillance cameras/security equipment | $1,000,000.00 | Once every three years | $333,333.33 | 0.15 | $50,000.00 | $75,000 | Physical/Software Security | $208,333.33
Theft or Loss of data | $4,000,000.00 | Once every year | $4,000,000.00 | 0.5 | $2,000,000.00 | $1,000,000 | Backups | $1,000,000.00
Unauthorized Access | $100,000.00 | Thrice every year | $300,000.00 | 1 | $300,000.00 | $900,000 | Software Security | $(900,000.00)
Viruses, Worms, Macros, Denial of service | $2,000,000.00 | Once every year | $2,000,000.00 | 0.3 | $600,000.00 | $150,000 | Antivirus | $1,250,000.00
Equipment Failure | $4,000,000.00 | Once every two years | $2,000,000.00 | 0.2 | $400,000.00 | $175,000 | Physical Security | $1,425,000.00
Service issues from Service providers | $500,000.00 | Twice every year | $1,000,000.00 | 0.7 | $700,000.00 | $90,000 | Insurance | $210,000.00
Insider misuse | $500,000.00 | Twice every year | $1,000,000.00 | 0.8 | $800,000.00 | $100,000 | Software Security | $100,000.00
Patient Records Breach | $1,000,000.00 | Once every year | $1,000,000.00 | 0.4 | $400,000.00 | $150,000 | Software Security | $450,000.00
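The following script recomputes both the Risk Analysis and the Cost Benefit Analysis tables above from their inputs, so the arithmetic can be checked and the controls that do not pay for themselves can be listed automatically. It is an added example and not code from the original report; the threat rows are transcribed from the two tables, while the function names and the term "residual factor" for the report's post-control multiplier are assumptions of this example.

```python
"""Quantitative risk analysis and cost-benefit check for the report's tables.

Added example, not code from the original report. The threat rows below are
transcribed from the Risk Analysis and Cost Benefit Analysis tables; the
function names and the name "residual factor" for the report's post-control
multiplier are assumptions of this example.
"""
import re
from fractions import Fraction

# Number words used in the report's frequency column.
_WORDS = {"once": 1, "twice": 2, "thrice": 3, "two": 2, "three": 3, "ten": 10}


def parse_frequency(text: str) -> Fraction:
    """Turn 'Once every 10 years' / 'Twice every year' into an exact ARO.

    ARO = incidents per period / years per period, kept as a Fraction so that
    one-in-three-years does not accumulate rounding error.
    """
    m = re.fullmatch(r"(\w+)\s+every\s+(?:(\w+)\s+)?years?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")

    def to_int(word: str) -> int:
        return _WORDS[word] if word in _WORDS else int(word)

    count, period = m.group(1), m.group(2) or "1"
    return Fraction(to_int(count), to_int(period))


def ale(sle: int, aro: Fraction) -> Fraction:
    """Annualized loss expectancy = single loss expectancy x ARO."""
    return sle * aro


def cba(ale_prior: Fraction, ale_post: Fraction, control_cost: int) -> Fraction:
    """Cost-benefit of a control: annual loss avoided minus its annual cost.

    Negative means the control costs more than the loss it prevents.
    """
    return ale_prior - ale_post - control_cost


# (threat, SLE, frequency, residual factor after control, control cost, control)
# Transcribed from the report's two tables.
THREATS = [
    ("Hacked Medical Equipment", 10_000_000, "Once every 10 years", "0.5", 100_000, "Physical/Software Security"),
    ("Hacked Network attached devices", 20_000, "Once every 10 years", "0.25", 15_000, "Physical Security"),
    ("Hacked internet facing personal health data", 2_000_000, "Twice every year", "1", 70_000, "Firewall"),
    ("Hacked surveillance cameras/security equipment", 1_000_000, "Once every three years", "0.15", 75_000, "Physical/Software Security"),
    ("Theft or Loss of data", 4_000_000, "Once every year", "0.5", 1_000_000, "Backups"),
    ("Unauthorized Access", 100_000, "Thrice every year", "1", 900_000, "Software Security"),
    ("Viruses, Worms, Macros, Denial of service", 2_000_000, "Once every year", "0.3", 150_000, "Antivirus"),
    ("Equipment Failure", 4_000_000, "Once every two years", "0.2", 175_000, "Physical Security"),
    ("Service issues from Service providers", 500_000, "Twice every year", "0.7", 90_000, "Insurance"),
    ("Insider misuse", 500_000, "Twice every year", "0.8", 100_000, "Software Security"),
    ("Patient Records Breach", 1_000_000, "Once every year", "0.4", 150_000, "Software Security"),
]


def analyse(rows=THREATS) -> dict:
    """Recompute ARO, prior/post ALE and CBA for every row."""
    out = {}
    for threat, sle, freq, residual, cost, control in rows:
        aro = parse_frequency(freq)
        prior = ale(sle, aro)
        post = prior * Fraction(residual)  # report: ALE(post) = ALE(prior) x residual factor
        out[threat] = {
            "aro": aro,
            "ale_prior": prior,
            "ale_post": post,
            "control": control,
            "cba": cba(prior, post, cost),
        }
    return out


def controls_not_worth_it(results: dict) -> list:
    """Threats whose proposed control has a negative CBA: the control should be
    reconsidered, downsized or replaced by a cheaper one."""
    return [t for t, r in results.items() if r["cba"] < 0]


def controls_with_no_effect(results: dict) -> list:
    """Threats whose post-control ALE equals the prior ALE: the control as
    modelled removes no risk, so its entire cost is a loss."""
    return [t for t, r in results.items() if r["ale_post"] == r["ale_prior"]]


if __name__ == "__main__":
    res = analyse()
    for t, r in res.items():
        print(f"{t:48s} ALE {float(r['ale_prior']):>14,.2f} -> "
              f"{float(r['ale_post']):>14,.2f}  CBA {float(r['cba']):>14,.2f}")
    print("negative CBA:", controls_not_worth_it(res))
    print("no risk reduction:", controls_with_no_effect(res))
```

Keeping SLE, ARO and the residual factor as exact fractions reproduces the report's $333,333.33 and $208,333.33 figures without rounding drift, and the two list functions surface the practitioner's real question: three of the eleven controls have a negative CBA, and two of those (the firewall for internet facing health data and the software control for unauthorized access) are modelled as leaving the annual loss unchanged, which is a sign that either the control or its residual factor was mis-specified.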
PROTECTION MECHANISM
This section provides an overview of an architecture that helps meet the security requirements associated with securing clinical systems and devices, biomedical devices/servers, IT endpoints, and their associated applications.
ENDPOINT SECURITY
Like any other industry, healthcare has a very diverse and complex set of endpoints. Healthcare providers use a plethora of both wired and wireless devices for clinical needs. These devices need to be secured against data loss, data theft and privacy invasion, and must also meet the local country and state security laws. Products that can help with endpoint security are Host Intrusion Prevention software, a Wireless LAN Controller (WLC), antivirus software and Trojan removal tools.
To secure endpoints adequately, the following must be done:
Enforce security policies for users and devices.
Identify and restrict users and devices that violate policies.
Manage identities and control users on specific devices.
Inspect device health, and quarantine and remediate devices with security issues.
NETWORK SECURITY
One of the most fundamental elements of medical networks is network security, which is designed to protect the integrity of the network infrastructure itself, where entire network segments may be the target of attacks such as theft of service, service abuse, denial of service (DoS), and data loss. Firewalls must be used to separate the network into segments and prevent unauthorized access between them. Network security can be further enhanced with security appliances from vendors such as Cisco. A VPN must be used for accessing the medical network from outside. Routers must also be provided with firewalls, and infrastructure protection must be applied on routing/switching platforms.
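An added illustration of the segmentation the paragraph prescribes (example code, not from the original report or from any vendor): a default-deny zone policy in which the Internet reaches only the VPN gateway, VPN users reach only the clinical segment, biomedical devices are reachable only from clinical servers and a management jump host, and every flow not explicitly listed is dropped. The zone names, address ranges, protocols and ports are assumptions; the policy is also rendered as an nftables forward chain so the same table can be checked and deployed.

```python
"""Default-deny zone policy for a segmented medical network.

Added example, not code from the original report or from any vendor product.
The zone names, address ranges, protocols and ports are assumptions chosen to
illustrate the segmentation the text prescribes.
"""
import ipaddress

# Assumed zones. The Internet zone is a catch-all, so zone lookup must prefer
# the most specific (longest-prefix) match or every internal host would be
# classified as "internet".
ZONES = {
    "internet":   ipaddress.ip_network("0.0.0.0/0"),
    "vpn":        ipaddress.ip_network("10.200.0.0/24"),   # VPN gateway + client pool
    "clinical":   ipaddress.ip_network("10.10.0.0/16"),    # EHR, PACS, workstations
    "biomedical": ipaddress.ip_network("10.20.0.0/16"),    # infusion pumps, MRI, monitors
    "mgmt":       ipaddress.ip_network("10.250.0.0/24"),   # admin jump host
}

# Explicitly permitted flows: (src zone, dst zone, protocol, dst port).
# Anything not listed here is dropped (default deny). Ports are assumptions.
POLICY = {
    ("internet", "vpn", "udp", 1194),          # VPN tunnel termination only
    ("vpn", "clinical", "tcp", 443),           # remote clinicians -> EHR web front end
    ("clinical", "biomedical", "tcp", 2575),   # HL7 MLLP orders from clinical servers
    ("biomedical", "clinical", "tcp", 104),    # DICOM from modalities to PACS
    ("mgmt", "biomedical", "tcp", 22),         # device maintenance from jump host only
    ("mgmt", "clinical", "tcp", 22),
}


def zone_of(ip: str) -> str:
    """Classify an address by longest-prefix match over ZONES."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    if not matches:
        raise ValueError(f"{ip} is in no zone")
    return max(matches)[1]


def allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Would the segmenting firewall forward this flow?

    Traffic that stays inside one zone is switched, not firewalled, so it is
    reported as allowed; everything crossing a zone boundary must be in POLICY.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return (src, dst, proto.lower(), dport) in POLICY


def render_nft() -> str:
    """Emit the same policy as an nftables forward chain with policy drop."""
    lines = ["table inet medical {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for src, dst, proto, port in sorted(POLICY):
        clause = []
        if ZONES[src].prefixlen:            # no saddr match for the catch-all zone
            clause.append(f"ip saddr {ZONES[src]}")
        if ZONES[dst].prefixlen:
            clause.append(f"ip daddr {ZONES[dst]}")
        clause.append(f"{proto} dport {port} accept")
        lines.append("    " + " ".join(clause))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    print("internet -> pump ssh:", allowed("198.51.100.7", "10.20.1.5", "tcp", 22))
    print("vpn user -> EHR:", allowed("10.200.0.5", "10.10.3.3", "tcp", 443))
    print("vpn user -> pump:", allowed("10.200.0.5", "10.20.1.5", "tcp", 2575))
```

Two details matter in practice: the catch-all Internet zone must lose to any more specific prefix, otherwise an internal host would be treated as untrusted (or, worse, an external one as internal if the order were reversed), and the VPN zone is deliberately not given a path to the biomedical segment, so a compromised remote laptop can reach the clinical front end but not the devices behind it.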
CONTENT SECURITY
Healthcare facilities are, like all others, vulnerable to attacks on data and content. Spam, phishing attacks launched through e-mail, and attacks launched for stealing web content have all been used to give an attacker access to a target system. For adequate content security within the healthcare architecture, products that provide e-mail filtering and checking, web security against malicious websites, and intrusion prevention systems must be employed.
SYSTEM, NETWORK AND EVENT MANAGEMENT
System tools keep a check on the health of the entire system, whereas network management tools help in automating, simplifying and integrating networks to reduce operational costs. Tools for access control systems, enterprise management and infrastructure security management can be obtained from vendors.
organizations and governments in complex value chains across borders, IT can play an
important role in enabling the world’s poor to access essential health products and
services in innovative forms as discussed in Sections 2 and 3 of this paper.
IT has promoted efficiency by enabling information to be available and cheaply
distributed and improved the prospects for countervailing institutions to function for
reasons detailed in Section 4. These benefits are observable in less developed countries
too with IT diffusion. Information is a pre-requisite of good stewardship and IT enables
governments to know what to regulate and how best making it less likely that commercial
interests would claim precedence over people’s health. More open information flows on
deliveries and deliverables would set norms and standards and new forms of partnership.
Old institutional ties like Hisba, Ombudsman, Panchayat could be revitalized as stewards
in local communities or new ones built if even 5 % of total resources allocated to country
specific projects were earmarked for investments in action-research to organize its role
in efficient ways of delivery under local control. This will also help compare
performances, conduct reasoned discourses on alternatives and provide feedbacks on much
needed public-private partnership experimentation. Decentralized networks and IT
reinforce each other whereas IT costs and risks require syndication and these two contrary
tendencies pull in opposite directions. Investments in IT for healthcare could be treated as
global public goods and financed internationally.
Policy conflicts between health, trade and development goals over rights and interests
require international regimes for distributed enterprising, particularly with regard to how
biological resources are shared. The dissolution of traditional industry boundaries between
pharmaceuticals, biotechnology and IT for life sciences has irreversibly transformed the
contestable healthcare arena changing its scope from national to global. Cross-border
trade in health-related IT services has attracted record amounts of FDI for healthcare
development and healthcare administration but not as much for healthcare delivery. The
scale and scope effects for industrial structures point to continuing consolidation and a
reduction in the number of global players in health care businesses.
This poses new challenges to anti-trust legislation and competition policies which would
need to be harmonized globally.
Digitalized connectivity has improved transparency, expanded choice and created new
value chains for all concerned but its impact on costs of healthcare is unclear. This
deserves to be researched further with respect to disease burdens, cost per diagnosis and
cost per treatment for more clarity on policy perspectives. All the potential gains from the
role of IT in healthcare in less developed countries are not yet visible in actual gains to
date. This is partly because stewardship requirements in less developed countries are
greater and different from developed countries and because IT is not a substitute for some
of the critical factors contributing to healthcare such as safe drinking water, nutrition,
hygiene and sanitation or poverty. The diffusion of IT to rural areas is also constrained by
non-availability of electricity and the difficulties of maintaining computer equipment in
dust-free and humidity-free settings. The positive impact of IT on healthcare exports,
growth, and employment has to be weighed against resource diversions, depletions and
strains on public finances. In countries where global networks present limited points of
contact, the positive spillover effects for human capital and infrastructure are negligible.
The reach and power conferred by IT does not translate easily into capacity creation. Not
much can be concluded about motives and powerbases of those influencing policy without
better clarity through more research and empirical analysis at disaggregated levels in
specific developing countries and in specific kinds of IT applications among clusters of
healthcare service providers and communities. The questions raised in Figure 1 of Section
8 constitute an ongoing research agenda. More research is needed to understand how
market and non-market solutions proposed would actually work. Governments need to
encourage experimentation on syndication of risks across public systems and private enterprises
through innovations in health insurance and IT investments for healthcare.
The use of IT has spawned and proliferated new fields of knowledge for profit in
healthcare. These have prompted discussions on international collaborations (including
public-private-voluntary intersectoral partnerships) for transnational governance of new
risks for the bundling of product-services linkages as analyzed in Section 5. The
involuntary extraction of data from humans across borders requires a review of
standards of privacy and data protection laws. Complex questions of personal data
protection, privacy, remote liability and vicarious liability where national treatments are
yet to be harmonized must remain on the research and policy agenda of the WHO.
Considerable uncertainty remains about prospects for IT-enabled global databases
concerning microorganisms from which the next generation of IT-assisted life-saving
medicines would emerge. This poses health security hazards on an unprecedented scale,
besides rendering TRIPS partially unimplementable. The normative aspects of digitalized
transfers of data are not determined by IT alone, and government scrutiny over such
communications is a constraint on the notion of seamless connectivity. The responsibility
for healthcare and for IT is naturally global in certain respects. Global governance and
public-private partnerships need to be designed to secure public health, human privacy,
data integrity, intellectual property rights and telemetric trade as discussed in Sections 6 to
8 of this paper.
A. An official policy
B. A contingency plan
C. A strategy
D. A benchmark
E. A project
2. All the features below, except one, are common to current complex
emergencies. Identify which one is NOT A COMMON characteristic:
A. Increased mortality
B. High levels of violence against civilians
C. High food insecurity
D. High number of battle-deaths
E. Large population displacement
A. Precision
B. Timeliness
C. Accuracy/validity
D. Cost
E. Relevance
A. Household surveys, like the Demographic and Health Survey, or the Multiple
Indicators Cluster Survey
B. Surveillance systems
C. Academic journals
D. Civil registration systems
A. The health workforce tends to contract, due to violence, disease, famine and
outward migration.
B. The proportion of internal health expenditure absorbed by salaries tends to
increase.
C. There is a large influx of health workers from the Diaspora.
D. Staffing patterns at PHC level tend to improve.
7. The relationship between protracted conflict and HIV transmission has been
studied in several countries. Available evidence suggests that: