
A RESEARCH REPORT

ANALYSIS OF IT INFRASTRUCTURE USES IN THE HEALTH CARE INDUSTRY

Submitted in partial fulfillment of MBA program


2017-2019

SUBMITTED TO:
Prof. Ajit Kumar Shukla
(Director of IMS)

SUBMITTED BY:
Santosh Kumar Pandey
MBA-IV Sem.
Roll no. 10018527051

UNDER THE GUIDANCE OF

Mr. Vivek Kumar Srivastava
Assistant Professor, IMS, MGKVP

INSTITUTE OF MANAGEMENT STUDIES


MAHATMA GANDHI KASHI VIDYAPITH
VARANASI (U.P)

ACKNOWLEDGEMENT

I, Santosh Kumar Pandey, would firstly like to thank my faculty guide Prof. Vivek Kumar
Srivastava (Assistant Professor, IMS, MGKVP, Varanasi) for supervising and guiding me
during this research study; he was an ideal guide in the true sense. He guided and helped
me wherever possible and needed, in areas such as the topic of the research, by suggesting
alternative solutions and sharing his personal valuable experience and knowledge with me.

This research program helped me to apply my theoretical knowledge in the practical field, and hence
enhance my knowledge and information about brand perception of Dell laptops and consumer
satisfaction after purchasing them.

Besides this, I would also like to give my sincere gratitude to all the respondents and workers of
the Dell store who participated in the survey, without which this research would be incomplete.

PREFACE

This study was provided to management students to apply their research skills and find the solution
to a given problem. Such a part of management education provides a framework of knowledge relating
to the concepts and practices of the assigned topic related to the course of management.

Without research, management education is meaningless, so it goes along with the theory.

The research study is an integral part of the course curriculum of the Master of Business
Administration. In it the student is in a position to analyze real problem-solving situations
with mature eyes and understand the dynamics in a better manner.

This particular research has been conducted in Varanasi. In the first phase of the
research project, an introduction of the topic as well as the initiation of the study is
given. After that a market research was performed with a sample size of 100 units.

The research study was limited to Varanasi. Here, in my survey, I have contacted the
respondents through personal interviews and Google Forms with the help of questionnaires.

DECLARATION

I, the undersigned, solemnly declare that the project report on ANALYSIS OF IT
INFRASTRUCTURE USES IN HEALTHCARE INDUSTRY is based on my own work
carried out during the course of our study under the supervision of Prof. Vivek Kumar
Srivastava (Assistant Prof., IMS, MGKVP).

I assert that the statements made and conclusions drawn are an outcome of my research work.
I further certify that:

i) The work contained in the report is original and has been done by
me under the general supervision of my supervisor.

ii) The work has not been submitted to any other institution for any other
degree/diploma/certificate in this university or any other university of India or
abroad.

iii) We have followed the guidelines provided by the university in writing the
report.

iv) Whenever we have used materials (data, theoretical analysis, and text)
from other sources, we have given due credit to them in the text of the report
and given their details in the references.

Santosh Kumar Pandey

Place:
Date:

CONTENTS

INTRODUCTION
  HEALTHCARE INDUSTRY OVERVIEW
  CURRENT BUSINESS PROBLEMS
  GOALS AND OBJECTIVES
METHODOLOGY
  SUMMARY OF STEPS
  ASSUMPTIONS
FINDINGS
  REQUIREMENT GATHERING
  FLOW ANALYSIS
  NETWORK ARCHITECTURE
    CORE LAYER
    DISTRIBUTION LAYER
    ACCESS LAYER
    ADVANTAGES OF HIERARCHICAL DESIGN
  NETWORK MANAGEMENT
    UNDER FAULT MANAGEMENT: HOST INTRUSION DETECTION SYSTEM
    UNDER CONFIGURATION MANAGEMENT - PROVISIONING: IDENTITY SERVICE ENGINE
    UNDER PERFORMANCE MANAGEMENT: APPLICATION MANAGER
  PERFORMANCE ARCHITECTURE
    ACHIEVING SIX SIGMA AVAILABILITY
    QoS
    MEDICAL GRADE NETWORK APPLICATIONS
  THREAT ANALYSIS
  SECURITY MODEL
  A SWOT ANALYSIS OF INFORMATION TECHNOLOGY AND THE HEALTHCARE INDUSTRY
  KEY CYBER SECURITY RISKS FOR HEALTHCARE PROFESSIONALS
  BEST PRACTICES FOR CYBER SECURITY DEFENSES
SECURITY METRICS
  RISK ANALYSIS
  COST BENEFIT ANALYSIS
PROTECTION MECHANISM
  ENDPOINT SECURITY
  NETWORK SECURITY
  CONTENT SECURITY
  SYSTEM NETWORK AND EVENT MANAGEMENT
RECOMMENDATIONS AND CONCLUSION
QUESTIONNAIRE
BIBLIOGRAPHY

Abstract

Information Technology (IT) is poised to revolutionize the healthcare trade through new
thresholds in human connectivity. This paper focuses on the expanding role of IT in three distinct
but related categories: (a) design and development of healthcare products and services, (b)
delivery systems, and (c) healthcare administration. Through the information power that IT enables,
the capacities of decision-makers are continually transformed in how they link with each other, in
the here and now. This promotes trade in services and e-commerce and facilitates
worldwide convergence in several aspects of healthcare management and organization. However,
this process also raises fears and anxieties, because the pervasive nature of IT and its uneven
diffusion increase some vulnerabilities where policy safeguards may be needed. The process of IT
diffusion occurs at many different points of impact in the international economy. Thus, policy
choices have to cater to a wide range of national and regional needs and circumstances
concerning rights to health, rights to trade and rights to development. National policies and
international regimes need to strike a harmonious balance between these sets of rights.

The persistence of unresolved conflicts of rights and conflicts of interests points to the need for
new international arrangements to be mandated and resourced. The extent to which this can be
achieved is uncertain. This uncertainty is traceable to the ways in which responsibility for healthcare,
authority to design healthcare products and systems, and the power to organize healthcare
delivery remain separate or come together. The restructuring of private investments to integrate
IT with life sciences in public-private partnerships is a sign of the growing significance of IT in
healthcare. It is also a reminder of how powerfully IT could be harnessed in pursuit of the millennium
development goals.

INTRODUCTION

HEALTHCARE INDUSTRY OVERVIEW

The healthcare industry is undergoing an intense transformation as there is
a shift from traditional procedures towards automated and sophisticated
systems. The outdated non-IT practices which exist in most healthcare
firms are not efficient enough to handle the high volume of data processing
and storage needs. Data sharing across multiple locations and ease of
access to information are also growing problems. The various medical
equipment present on the premises produces large amounts of data in the
form of patient records, which need efficient handling and timely
processing. The medical devices need to be integrated with the software
systems so that they can be controlled remotely, which exposes this
equipment and software to an array of threats. Most of the internet-facing
portals can be accessed remotely by doctors, patients and the management,
which calls for stricter protocols to ensure data security.

CURRENT BUSINESS PROBLEMS

Current issues faced by the healthcare industry in terms of IT infrastructure:

- Physical records maintained on paper
- EMRs work in a silo without end-to-end integration
- Integration between medical devices does not exist
- Non-existence of a nurse portal; verbal instructions provided to the medical staff
- Integration of patient data in the patient portal
- Data flow and timely availability between different facilities
- Instant messaging and pager services for emergency alerts to the staff
- Data backup for emergencies
- Infrastructure backup to handle emergency situations
- Video conferencing capabilities between the physicians and patients or between the physicians
- Integration of data flowing from external vendors needs to be done
- Electronic integration of the ancillary and drugstore services
- Old, inefficient infrastructure
- Security of confidential patient information and hospital data

GOALS AND OBJECTIVES

Our team has decided to address the various challenges faced by the
healthcare industry and provide a robust IT infrastructure and security
solution. We will look into the existing architecture in healthcare
firms, which does not have complete integration and end-to-end data
availability.

METHODOLOGY

SUMMARY OF STEPS

The following steps were followed in this project:

1. Business problem analysis

2. Requirement Gathering

3. Flow Analysis

4. Network Architecture

5. Network Management

6. Performance Architecture

7. Threat Analysis

8. Security Model

9. Security Metrics

10. Risk Analysis

11. Protection Mechanism

ASSUMPTIONS

Since we are looking at the healthcare industry as a sector, certain data
points, such as the number of cyber-attacks that this industry faces on a
yearly basis, were not available. Also, unlike other businesses, the
healthcare sector is not mandated by law to disclose all its dealings.
Thus, assumptions were made where necessary.
FINDINGS

REQUIREMENT GATHERING

The requirement table records, for each objective: Related Applications,
Target Metric, Critical Value, Affecting Resources, Affecting Factors,
Modifying Factors and Expected Benefits.

Objective: Security and the access of the healthcare records
  Related Applications: Security of EMR (EHR)
  Target Metric: HIPAA and HITECH compliant
  Critical Value: HIPAA and HITECH compliant
  Affecting Resources: Access Controller
  Affecting Factors: Govt. regulations
  Modifying Factors: Govt. regulations
  Expected Benefits: H

Objective: Channel capacity of all the traffic needs to be routed
  Related Applications: CT Scan, Pagers, X-ray reports
  Target Metric: Peak data rate (PDR), sustained data rate (SDR), minimum data rate (MDR)
  Critical Value: 10GB LAN link, 100GB WAN link. Limited storage capacity of 4 Tera bytes of data (4000GB)
  Affecting Resources: Wireless communication between devices
  Affecting Factors: Traditional method of using paper
  Modifying Factors: HIT act mandates electronic records
  Expected Benefits: M

Objective: Electronic records should be created/stored/transferred accurately to depict true health state
  Related Applications: Accurate results
  Target Metric: Error & Loss Rates – BER/CLR/CMR/ Frame & Packet Loss
  Critical Value: 1-2.5% as acceptable packet loss
  Affecting Resources: TCP protocol should be used
  Affecting Factors: UDP protocols do not provide recovery of lost packets
  Modifying Factors: TCP: if lost, is re-sent
  Expected Benefits: H

Objective: Pharmacy system / Medical Equipment need to communicate
  Related Applications: Medical Labs / # of devices / type of output, input file available
  Target Metric: Synchronize with other device
  Critical Value: File conversion in expected formats
  Affecting Resources: Connectors, LDAP
  Affecting Factors: Legacy systems
  Modifying Factors: Medical equipment Integrators
  Expected Benefits: M

Objective: 24x7 Medical emergency has no fixed time
  Related Applications: Operations
  Target Metric: Availability (% uptime/downtime)
  Critical Value: Availability 99.999%
  Affecting Resources: Back up servers/ power to ensure availability at time of failure
  Affecting Factors: Single point failure
  Modifying Factors: Distributed networking
  Expected Benefits: M

Objective: Loss of medical records is common
  Related Applications: Storage
  Target Metric: Back-up of data
  Critical Value: Storage 1 TB
  Affecting Resources: Scheduled jobs for back up
  Affecting Factors: Maintenance of record
  Modifying Factors: Patient history needs to be recorded
  Expected Benefits: H

Objective: Regular patient monitoring helps in early diagnosis
  Related Applications: Faster analysis of data
  Target Metric: Query Time
  Critical Value: <5 sec
  Affecting Resources: DB Server
  Affecting Factors: Server computing speed
  Modifying Factors: Patient history needs to be analyzed
  Expected Benefits: M

FLOW ANALYSIS

Network flow analysis helps the network administrators to get an insight
into the network as well as to prioritize the parts of the network on the
basis of their requirements and availability. Flow analysis starts with
mapping every device in that particular network and assigning a level of
priority to those components. It gives an idea of the traffic rate and
volume in the particular network, which helps to set per-application policy
controls as well as the quality of service. For example, network services
for the customer-facing web-based application can be restricted to a
particular level, giving priority in the bandwidth assigned to the life
support system applications. Flow analysis also provides added
information about the response time of the applications and optimization
of flow. It helps in the selection of the optimal path using the network
and business requirements. Flow characteristics can be broadly classified
as specified in the table below.

Flow Characteristics | Features in reference to Healthcare IT

Performance Requirements
  Capacity (bandwidth): Capacity of the infrastructure used according to the healthcare budget.
  Delay: Latency created in different applications, with life support systems to have the minimum and the customer applications allowed to have the maximum.
  Reliability: Maximum for the life support applications.
  Quality of service levels: Highest for the life support and network used by the medical applications.

Importance and priority levels
  Business/Enterprise/provider: Depends on the type of healthcare industry (large/medium/small).
  Social: On less priority level.

Others
  Directionality of the network: Bidirectional or unidirectional.
  Scheduling of network.
  Protocols used.
  Security requirements.

Health IT infrastructure consists of unidirectional as well as bidirectional
networks. Unidirectional networks are the ones used for reporting the
patient's status in the system; they are very few in use in the healthcare
network. Bidirectional networks with a large bandwidth are the most common
in use in the networks of large healthcare organizations. Some of the
applications are given the highest priority and hence are provided a
bidirectional guaranteed type of flow. Flow analysis is done on the basis
of capacity, delay and reliability of the network. Applications in
healthcare IT are evaluated on the following parameters:

- Capacity: maximum for the applications used for life support systems
and other medical equipment like CT scan, MRI etc., with the best network
capacity available in the market. It could be as high as 1.2 GB/s for
important applications down to 500 kb/s for the applications related to
customer support.
- Delay: minimum delay for the applications and network involved in life
support systems and other medical equipment. A minimum delay of around
100 ms is accepted in applications like VoIP, messaging and other
communications.
- Reliability: maximum for the medical equipment and the life support
system, of around 99.9999%. We try to achieve six sigma availability. For
other applications some downtime is accepted.
NETWORK ARCHITECTURE

The proposed architecture is a hierarchical model consisting of core,
distribution and access layers. The interconnection of these layers can
occur in a variety of ways using a combination of layer 2 and layer 3
technologies. Biomedical devices, clinical applications and associated
security requirements influence the layer 2 and layer 3 designs.

CORE LAYER
- Serves as the backbone of the network.
- A minimalist design configuration is adopted for the core layer to reduce complexity.
- For high availability in hierarchical networks, blocks are interconnected.

DISTRIBUTION LAYER
- Serves as the services and control boundary between the access and core layers.
- Acts as a logical isolation point in the event of a failure in the access layer.
- Load balancing, QoS and ease of provisioning are key considerations in this layer.

ACCESS LAYER
- First point of entry into the network for edge services such as medical devices, portable computers, end stations etc.
- Provides demarcation between computing devices and network infrastructure.
- Provides the QoS, security and policy trust boundary.

ADVANTAGES OF HIERARCHICAL DESIGN

- In a hierarchical design, the capacity, features and functionality of a specific device are
optimized for its position in the network and the role it plays.
- A hierarchical design avoids the need for a fully meshed network in
which all nodes are interconnected.
- The functions are distributed at each layer.
- The building blocks of modular networks are easy to replicate. There
is no need to redesign the whole network each time a module is added
or removed.
- Distinct building blocks can be put in service and taken out of service
without impacting the rest of the network.
- The hierarchical design enhances troubleshooting, problem
isolation and network management.
- Mission-critical applications such as EMR and patient vital signs
monitoring systems take advantage of these designs.

NETWORK MANAGEMENT

To ensure the service level and optimization of available resources,
network management has been incorporated in the network architecture.

UNDER FAULT MANAGEMENT: HOST INTRUSION DETECTION SYSTEM
This helps in notifying when a breach occurs. It should be placed
alongside all the firewalls. The trigger alarm should be set at a threshold
level that is in accordance with the threat.

UNDER CONFIGURATION MANAGEMENT - PROVISIONING: IDENTITY SERVICE ENGINE
This helps in provisioning by defining access levels for users/devices and
arranging interconnections logically and policy-wise. The medical devices
should be identified and provisioned accordingly.

UNDER PERFORMANCE MANAGEMENT: APPLICATION MANAGER
This helps in dynamic load sharing and provides end-to-end encryption.
The load balancing helps in keeping the network well utilized and
ensuring service level targets.

PERFORMANCE ARCHITECTURE

For achieving high availability of 99.999 percent and above, there needs to
be hardware redundancy in the network, and diagnostics that are capable of
recognizing a fault condition and failing over to a secondary or load-
sharing device. The overall goal is to provide a highly available end-to-
end medical grade network (MGN) that includes clinical systems and
biomedical devices. In many cases, however, the clinical systems (EHR, EMR,
practice management, lab, pharmacy, radiology, and so on) are not
architected to provide 99.999 percent availability.

Clinical applications are increasingly consuming more data centre storage
resources as well as network resources. In addition, today's broadly
distributed imaging services can be multi-vendor, resulting in imaging
centers spread across multiple disparate locations, making it challenging
for the network architect to design a network that meets the expectations
of the client. In PACS (Picture Archiving and Communication System),
images are not distorted by packet loss or delay; these properties only
affect the rendering time. Since PACS vendors have service-level
agreements (SLAs) for this purpose, it is necessary to understand the
impact and extent of this on the workflow. Patient care can be impacted by
severe network congestion, which can delay an image by 1 minute in
reaching a radiologist or a surgeon who is preparing to perform emergency
surgery.

ACHIEVING SIX SIGMA AVAILABILITY

Meticulously planned networks which have well-thought-out implementation
procedures and time-tested tools for actively managing the network lead to
achieving six sigma availability. A "six sigma" service can be out for
only 31.53 seconds every year. Such a high level of availability at the
network layer can indeed be achieved within data centers that host EMR/EHR
systems. Many times, however, the applications designed to support
clinical staff are not designed for this high level of availability and
lead to downtimes. Most of these outages occur because of software
upgrades or patches being installed, or sometimes involve a failure in
upstream systems like external testing labs. In order to increase the
availability up to six sigma, we use In-Service Software Upgrade (ISSU).
It provides the feature of a software upgrade while the system continues
to forward data packets, eliminating the upgrade downtime and hence
increasing the total availability of the system. Here two routes are
maintained, one active and the other on standby. In the event one becomes
inactive, traffic flows through the other, as traffic is synchronously
relayed to both routes.
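To make the figures in this section concrete, the following Python snippet (an added example, not code from the report) converts an availability percentage into permitted downtime per year, combines component availabilities for a chained path (core, distribution, access) and for an active/standby pair, and shows how a few planned upgrade windows taken without ISSU pull a six sigma design below 99.999%. It assumes a 365-day year, which gives 31.536 s for 99.9999% (the report rounds this to 31.53 s).

```python
"""Availability arithmetic for the availability targets used in this report.

Added example, not code from the report.  A non-leap 365-day year is assumed.
"""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000 s


def downtime_per_year_seconds(availability_percent: float) -> float:
    """Seconds per year a service may be down at the given availability (e.g. 99.999)."""
    if not 0.0 <= availability_percent <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return SECONDS_PER_YEAR * (1.0 - availability_percent / 100.0)


def series_availability(*availabilities: float) -> float:
    """Availability of a path in which every component must be up.

    A hierarchical path crosses access, distribution and core devices; if any one
    of them fails the path fails, so the availabilities multiply and the end-to-end
    figure is always lower than the weakest single device.
    """
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel_availability(*availabilities: float) -> float:
    """Availability of a function that survives while at least one redundant member is up.

    This models the active/standby pair described for ISSU: the function is only
    lost when every member is down at the same time, so the unavailabilities multiply.
    """
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


def availability_after_maintenance(base_availability: float,
                                   upgrades_per_year: int,
                                   minutes_per_upgrade: float) -> float:
    """Availability once planned upgrade windows (taken without ISSU) are added.

    Planned outages count against the availability budget exactly like faults,
    which is why the upgrade and patch outages the report mentions defeat a
    six sigma target unless the upgrade is done in service.
    """
    planned_seconds = upgrades_per_year * minutes_per_upgrade * 60.0
    unplanned_seconds = SECONDS_PER_YEAR * (1.0 - base_availability)
    return 1.0 - (planned_seconds + unplanned_seconds) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pct in (99.99, 99.999, 99.9999):
        print(f"{pct}% -> {downtime_per_year_seconds(pct):,.2f} s downtime per year")
    # Three layers of 99.999% devices in series do not give a 99.999% path.
    print("3-layer path, no redundancy:", series_availability(0.99999, 0.99999, 0.99999))
    # An active/standby pair of 99.9% devices reaches six sigma (99.9999%).
    print("active/standby pair of 99.9% devices:", parallel_availability(0.999, 0.999))
    # Four 5-minute upgrade windows a year, taken without ISSU, on a six sigma base.
    print("six sigma base + 4 x 5 min upgrades:", availability_after_maintenance(0.999999, 4, 5))
```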

QoS

Quality of service (QoS) measures the transmission quality and service
availability of a network. Traffic on IP networks competes for valuable
resources like transmission bandwidth and equipment processing time,
which are scarce. This leads to packet loss, packet delay, and jitter
(defined as the variance of packet delay). These have a very negative
effect on applications: they can lead to interruptions or stoppages of
real-time services like video calls or voice calls and may also slow down
applications. As healthcare networks are getting more and more congested,
failure of the network is becoming a very distinct possibility. Routers
and switches must be placed in a well-thought-out manner so that a
consistent application experience can be obtained in varying traffic
conditions. Healthcare network traffic is a mixture of high-priority and
low-priority traffic, which includes applications, medical device traffic,
imaging data, voice and video traffic, guest services, emails and so on.

QoS model for Medical Grade Networks:

Network performance issues arise from bottlenecks in the network caused
either by low-bandwidth links or by underpowered devices, which makes QoS
an important factor to consider. Data and clinical applications are
critical in creating an effective QoS policy. We recommend a Platinum
Service SLA for the healthcare industry, as high RMA values are needed for
proper functioning.

Application               Reliability   Capacity      Delay    Loss in Revenue
Clinical Applications     99.999        Guaranteed    <5 sec   High
Imaging services          99.999        Guaranteed    <5 sec   High - Medium
Communication equipment   99.99         Best Effort   <5 sec   Medium - Low
Monitoring Equipment      99.999        Guaranteed    <5 sec   High
MEDICAL GRADE NETWORK APPLICATIONS

Monitoring equipment feeds continuous streams of data to the central
nurses' station. These data feeds are relatively low bandwidth, with a
constant bit rate for reducing jitter. Delay or interruption in the data
feed to the nurses' station may not directly impact patient safety, but it
does lead to a loss in reaction time in detecting physiological conditions.
This kind of traffic would be classified as high priority and would require
a high queuing policy.

Strategy: Sensitive information must be protected
  Performance requirement:
  - Continuous monitoring of the systems for any factors causing downtime
  - Timely reporting of incidents and follow up
  Measurement:
  - Intrusion scan reports
  - Security assessment reports

Strategy: RMA of mission critical applications
  Performance requirement:
  - The entire system downtime must be minimal
  - The entire system must be reliable throughout
  Measurement:
  - Defined requirement of 99.999% availability
  - Capacity metric tracking

THREAT ANALYSIS

The following table represents the threat analysis for the healthcare
industry. Each cell gives Effect/Likelihood for a threat against an asset class.

Effect/Likelihood                                Hardware  Servers  Network   Software  Data  Medical    EHR/E
                                                                    Devices                   Equipment  MR
Hacked Medical Equipment                         A/A       B/B      A/B       B/B       A/A   A/A        B/B
Hacked Network attached devices                  B/B       B/B      A/A       B/C       B/B   B/A        C/C
Hacked internet facing personal health data      B/B       A/B      B/C       A/B       A/B   B/B        A/B
Hacked surveillance cameras/security equipment   A/A       B/C      B/B       B/B       B/B   C/D        C/C
Theft or Loss of data                            A/B       A/B      B/C       A/B       A/A   B/C        A/B
Unauthorized Access                              B/B       B/B      B/B       A/B       A/B   C/C        A/A
Viruses, Worms, Macros, Denial of service        B/B       B/B      B/C       A/B       A/B   C/C        B/A
Equipment Failure                                A/B       B/C      A/B       B/B       B/C   A/B        C/C
Service issues from Service providers            C/A       A/B      A/B       B/C       B/C   B/C        B/C
Insider misuse                                   C/A       B/C      A/B       B/B       B/C   B/B        B/B
Patient Records Breach                           B/A       A/B      B/B       B/B       A/B   B/B        A/A

Effect: A – Destructive, B – Disabling, C – Disruptive, D – No impact.
Likelihood: A – Certain, B – Likely, C – Unlikely, D – Impossible.
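The matrix above pairs a letter code for effect and likelihood in every threat/asset cell, but it is read by eye. The following Python snippet (an added example, not code from the report) parses the matrix as printed, turns the codes into a numeric risk score (effect times likelihood, with D, meaning no impact or impossible, scoring 0) and ranks threats per asset class, so the cells worth treating first fall out of the table rather than being picked by hand. The numeric weights are an assumption of this example, not the report's.

```python
"""Score and rank the report's threat-analysis matrix.

Added example, not code from the report.  The matrix text below is the table
as printed above; the numeric weights for the A-D codes are an assumption.
"""
from __future__ import annotations

ASSETS = ["Hardware", "Servers", "Network Devices", "Software",
          "Data", "Medical Equipment", "EHR/EMR"]

# Effect: A destructive, B disabling, C disruptive, D no impact.
EFFECT_WEIGHT = {"A": 4, "B": 3, "C": 2, "D": 0}
# Likelihood: A certain, B likely, C unlikely, D impossible.
LIKELIHOOD_WEIGHT = {"A": 4, "B": 3, "C": 2, "D": 0}

THREAT_MATRIX = """
Hacked Medical Equipment | A/A B/B A/B B/B A/A A/A B/B
Hacked Network attached devices | B/B B/B A/A B/C B/B B/A C/C
Hacked internet facing personal health data | B/B A/B B/C A/B A/B B/B A/B
Hacked surveillance cameras/security equipment | A/A B/C B/B B/B B/B C/D C/C
Theft or Loss of data | A/B A/B B/C A/B A/A B/C A/B
Unauthorized Access | B/B B/B B/B A/B A/B C/C A/A
Viruses, Worms, Macros, Denial of service | B/B B/B B/C A/B A/B C/C B/A
Equipment Failure | A/B B/C A/B B/B B/C A/B C/C
Service issues from Service providers | C/A A/B A/B B/C B/C B/C B/C
Insider misuse | C/A B/C A/B B/B B/C B/B B/B
Patient Records Breach | B/A A/B B/B B/B A/B B/B A/A
"""


def risk_score(effect: str, likelihood: str) -> int:
    """Numeric risk for one cell; raises on a code that is not in the legend."""
    try:
        return EFFECT_WEIGHT[effect] * LIKELIHOOD_WEIGHT[likelihood]
    except KeyError as exc:
        raise ValueError(f"code {exc} is not in the effect/likelihood legend") from None


def parse_matrix(text: str) -> dict[str, dict[str, int]]:
    """Return {threat: {asset: score}} from the 'threat | E/L E/L ...' lines."""
    matrix: dict[str, dict[str, int]] = {}
    for line in text.strip().splitlines():
        threat, _, codes = line.partition("|")
        cells = codes.split()
        if not threat.strip() or len(cells) != len(ASSETS):
            raise ValueError(f"expected {len(ASSETS)} cells for {threat.strip()!r}")
        row = {}
        for asset, cell in zip(ASSETS, cells):
            effect, _, likelihood = cell.partition("/")
            row[asset] = risk_score(effect, likelihood)
        matrix[threat.strip()] = row
    return matrix


def rank_threats(matrix: dict[str, dict[str, int]], asset: str) -> list[tuple[str, int]]:
    """Threats ordered by descending risk for one asset class (table order on ties)."""
    return sorted(((t, row[asset]) for t, row in matrix.items()),
                  key=lambda pair: -pair[1])


def asset_exposure(matrix: dict[str, dict[str, int]]) -> dict[str, int]:
    """Sum of risk over all threats for each asset class."""
    return {asset: sum(row[asset] for row in matrix.values()) for asset in ASSETS}


def cells_at_or_above(matrix: dict[str, dict[str, int]],
                      threshold: int) -> list[tuple[str, str, int]]:
    """Every (threat, asset, score) cell whose score reaches the threshold."""
    return [(t, a, s) for t, row in matrix.items() for a, s in row.items() if s >= threshold]


if __name__ == "__main__":
    m = parse_matrix(THREAT_MATRIX)
    print("Top EHR/EMR threats:", rank_threats(m, "EHR/EMR")[:3])
    print("Exposure per asset:", asset_exposure(m))
    print("Destructive-and-certain cells:", cells_at_or_above(m, 16))
```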
SECURITY MODEL

IT implementation in the healthcare industry has begun to transform the
healthcare sector completely, with modern technology advancements
changing the sector altogether. Electronic medical records and record
exchanges have improved to become more secure and reliable, and medical
institutions have become more accountable for patient data and records.
IT infrastructure models in healthcare also consist of remote patient
monitoring and remote medical consulting or telemedicine, hence requiring
high network availability as well as security. Access through mobile
devices to the secured medical records of patients and other business
applications increases the need for a secured model.

Security issues faced in healthcare IT infrastructure can be broadly classified as:

Ownership of information: A sense of ownership is required towards the
patient's medical information to prevent any unauthorized access to the
data related to the patients. The team, organization or person who
created the patient data is responsible for maintaining and securing the
data. Personnel related to the data can be divided into three categories:
creator, author and manager. The person responsible for generating the
data is referred to as the creator of the data; in the case of an EMR,
laboratory staff can be considered the creators. The author of the data is
the clinician. The manager of the EMR is the patient himself or herself.
Sometimes a third party may be involved at this particular level.
Protection of ownership can be performed using encryption or watermarking
techniques.

Authentication of data: Authentication of data is required to assert that
a particular data set is true and error-free. Endpoint authentication is
observed in most other network architectures. It prevents any form of
man-in-the-middle attack. Several protocols are used to have secured web
browsing, mail, faxing and VoIP.

Non-repudiation: It acts as the electronic signature to validate the
transaction. It prevents any denial between parties after the completion
of any particular transaction.

Authorization and confidentiality of data: The patient can allow or deny
the sharing and usage of data for any purpose other than his or her
diagnosis, so the attributes to access the data must be maintained
properly. Confidentiality of data is defined by ISO 17799 as ensuring
access only to those who are authorized to access the data.

Availability of data: For the EHR to work at the optimum it must have high
availability, so all the systems associated with the maintenance and usage
of the EHR should be available 24x7, preventing any sort of service
disruption. Security and privacy protection and HIPAA compliance help us
to attain this requirement.

Electronic health record security model:

In a particular scenario, a patient entering the hospital with a diagnosed
disease needs to be attended by a doctor from the hospital as well as by
experts from other hospitals. This case requires access to the EHR by
several parties: her data has to be accessed by regular doctors and
specialists from the hospital as well as from other hospitals of the
region. It may also need to be accessed by the family doctor of the
patient, who lies completely outside the chain. So the access list of the
document needs to be managed and altered several times by the patient or
with the patient's consent. The security model consists of three
components:

Electronic health record storage and access management: Secured storage
servers are to be maintained along with a proper access database.
Cryptography can also be used for access control.

Electronic secure usage model: It consists of proper signature
maintenance and verification.
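The scenario above, in which several clinicians inside and outside the hospital need access that the patient grants and withdraws, backed by an access database and verification of records, can be modelled in a few dozen lines. The following Python snippet is an added example, not code from the report: the patient is the only principal who may change the access list, every grant names its permitted actions and expires, every decision is deny-by-default, and each attempt is appended to an audit log whose entries are hash-chained and HMAC-tagged so later tampering is detectable. All identifiers, timestamps and the audit key are constructed.

```python
"""Patient-managed EHR access list with a tamper-evident audit trail (added
example, not code from the report; identifiers, times and key are constructed)."""
from __future__ import annotations

import hashlib
import hmac
import json

ACTIONS = {"read", "annotate"}
CHAIN_ANCHOR = "0" * 64  # "previous hash" of the first audit entry

class EHRAccessManager:
    """Access list for one patient's record; the patient is its manager."""
    def __init__(self, patient_id: str, audit_key: bytes):
        self.patient_id = patient_id
        self._grants: dict[str, dict] = {}  # grantee -> {"actions", "expires_at"}
        self.audit: list[dict] = []
        self._key = audit_key

    def _require_patient(self, actor, verb, grantee, now):
        # Only the patient may change the access list; refused attempts are logged too.
        if actor != self.patient_id:
            self._log(now, actor, verb, grantee, "deny")
            raise PermissionError("only the patient may change the access list")

    def grant(self, actor, grantee, actions, ttl_seconds, now):
        self._require_patient(actor, "grant", grantee, now)
        if set(actions) - ACTIONS:
            raise ValueError(f"unknown actions: {sorted(set(actions) - ACTIONS)}")
        # Every grant is time-limited; there is no permanent access.
        self._grants[grantee] = {"actions": frozenset(actions), "expires_at": now + ttl_seconds}
        self._log(now, actor, "grant", grantee, "allow")

    def revoke(self, actor, grantee, now):
        self._require_patient(actor, "revoke", grantee, now)
        self._grants.pop(grantee, None)
        self._log(now, actor, "revoke", grantee, "allow")

    def is_allowed(self, grantee, action, now) -> bool:
        # Deny by default: allowed only by an unexpired grant that lists the action.
        g = self._grants.get(grantee)
        return g is not None and now < g["expires_at"] and action in g["actions"]

    def access(self, grantee, action, now) -> bool:
        decision = "allow" if self.is_allowed(grantee, action, now) else "deny"
        self._log(now, grantee, action, self.patient_id, decision)
        return decision == "allow"

    def _log(self, now, actor, action, target, decision):
        # Each entry hashes the previous entry (chain) and carries an HMAC tag.
        prev = self.audit[-1]["hash"] if self.audit else CHAIN_ANCHOR
        entry = {"seq": len(self.audit), "time": now, "actor": actor, "action": action,
                 "target": target, "decision": decision, "prev": prev}
        entry["hash"] = hashlib.sha256(self._canonical(entry)).hexdigest()
        # The tag proves integrity to the holder of the audit key only; a digital
        # signature would be needed for non-repudiation towards third parties.
        entry["tag"] = hmac.new(self._key, entry["hash"].encode(), "sha256").hexdigest()
        self.audit.append(entry)

    @staticmethod
    def _canonical(entry: dict) -> bytes:
        fields = {k: v for k, v in entry.items() if k not in ("hash", "tag")}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def verify_audit(self, entries: list[dict] | None = None) -> bool:
        """True only if every entry's hash, chain link and tag still check out."""
        prev = CHAIN_ANCHOR
        for i, e in enumerate(self.audit if entries is None else entries):
            expected = hashlib.sha256(self._canonical(e)).hexdigest()
            tag = hmac.new(self._key, expected.encode(), "sha256").hexdigest()
            if (e.get("seq") != i or e.get("prev") != prev or e.get("hash") != expected
                    or not hmac.compare_digest(tag, e.get("tag", ""))):
                return False
            prev = expected
        return True

def demo() -> dict:
    """Walk through the report's scenario and return every decision taken."""
    now = 1_700_000_000  # constructed epoch timestamp
    ehr = EHRAccessManager("P-0001", b"constructed-audit-key")
    ehr.grant("P-0001", "dr-ward", {"read", "annotate"}, 7 * 86400, now)  # hospital doctor
    ehr.grant("P-0001", "dr-family", {"read"}, 86400, now)                 # outside family doctor
    out = {"family_read": ehr.access("dr-family", "read", now + 3600),
           "family_annotate": ehr.access("dr-family", "annotate", now + 3600),
           "family_read_expired": ehr.access("dr-family", "read", now + 2 * 86400),
           "stranger_read": ehr.access("dr-unknown", "read", now)}
    try:  # a doctor cannot extend access to a colleague on the patient's behalf
        ehr.grant("dr-ward", "dr-colleague", {"read"}, 3600, now)
        out["doctor_can_delegate"] = True
    except PermissionError:
        out["doctor_can_delegate"] = False
    ehr.revoke("P-0001", "dr-ward", now + 7200)
    out["ward_after_revoke"] = ehr.access("dr-ward", "read", now + 7300)
    out["audit_ok"] = ehr.verify_audit()
    tampered = [dict(e) for e in ehr.audit]
    tampered[3]["decision"] = "allow"  # rewrite the denied annotate attempt
    out["tamper_detected"] = not ehr.verify_audit(tampered)
    return out
```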

With the increase in the number of cases of security breaches or theft of
patient data, healthcare organizations need to adopt security compliance
at the earliest. Security standards such as HIPAA, NIST and PCI should
be adopted and implemented. HIPAA has established privacy requirements
for electronic health records. HIPAA was enacted to ensure that private
and confidential data is protected from loss and made available in a
secured manner.

The HIPAA Security Rule is divided into 6 parts. It uses these
particular standards to describe the security standards:
- General Rules
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Safeguards
- Policies, Procedures and Documentation Safeguards

In order to have a secured IT infrastructure model, security should be
considered as an integral part of system design. It can be both difficult
and costly to implement security measures after the system has been
developed, so security should be integrated fully during the system life
cycle process. Information should be protected in all three phases: being
processed, in transit and in storage. Potential trade-offs should be
identified between reducing risks and increasing the costs. The security
model should always have the upgrade and patch installation option
available. Publicly accessed systems should be kept separate from the
mission-critical systems to enhance the network security. Access should
be limited: no more authorization should be provided than is necessary to
perform the required functions. Proper security in the shutdown and
disposal of the system should be maintained, and disposal of data should
be done in a secured manner. Security modelling overall is a combination
of measures distributed physically and logically.
A SWOT ANALYSIS OF IT INFRASTUCTURE AND HEALTHCARE
INDUSTRY

INTERNAL STRENGTHS
Improved patient safety: patient safety, as expressed in the classical version of the Hippocratic Oath ("I will keep them from harm and injustice"), is an underlying principle of professional healthcare throughout the world. Improving patient safety is a primary objective at all levels of the healthcare industry. The strategic initiative to increase the role of IT in healthcare can advance the cause of greater patient safety by enhancing the quality of care.
With comprehensive data available in a timely manner, healthcare providers can make better decisions about their patients' care, thereby reducing errors due to incomplete or insufficient information at the point of decision (Goldberg, Kuhn, and Thomas, 2002).

Lenz (2007) agrees that IT has huge potential to improve the quality of healthcare and that this potential has not been fully explored by current IT solutions. Advanced process management technology is seen as a way to improve IT support for healthcare processes by improving the quality of the processes themselves.

Greater efficiency of operation:
Information technology, the digital world of bits and bytes, delivers information faster, smarter, and cheaper (Conger and Chiavetta, 2006). In healthcare, IT has improved operational efficiency and increased productivity by reducing paperwork, automating routine processes, and eliminating waste and duplication.

Lieber (2007) reports that the use of electronic health records could save as much as $8 billion yearly in California alone through improvements in delivery efficiency.

Picture archiving and communication systems (PACS) not only save providers the costs of file-room storage space and film supplies, but also decrease the time spent reporting, filing and retrieving records. Web access enables physicians to view radiological images from their offices, homes or other remote facilities. IT provides emergency rooms with tools for electronic prescriptions, order entry, provider documentation and after-care instructions for patients and their families. Updating electronic instructions is quick and easy. Purchasing departments are aided by the ability to buy products for specialty areas such as anesthesia, infection control, substance abuse programmes, and home health care.

Current investment in IT
Is there a hospital in the United States that has not already made an investment in its IT infrastructure? Probably not. In the past ten years, advances in health information technologies have occurred at an unprecedented pace, with hospitals increasing their IT investments threefold (Burke and Menachemi, 2004).

Today, albeit at varying levels of sophistication, all hospitals use IT to run their core administrative and clinical application systems, that is, patient accounting, insurance billing, human resources, staff and facilities scheduling, pharmacy, laboratory results reporting, and radiology (Cohen, 2005). Most healthcare organizations in the U.S. are spending between 2.1% and 10% of their capital and operating budgets on IT (Conn, 2007b).

INTERNAL WEAKNESSES
Lack of system integration:
Integrated systems offer seamless data and process integration across information systems (Landry, Mahesh, and Pushpendra, 2005). Since a patient's treatment involves receiving services from multiple budgetary units in a hospital, information system integration should exist between the computer-based applications within a single hospital. When healthcare organizations coordinate and integrate their internal data, they can improve operations and decision making; however, in most healthcare organizations the systems are not linked to one another, financial systems included, and as a result many healthcare institutions are not yet maximizing their IT potential (Cohen, 2005).

Moreover, system integration need not be confined to applications within a single facility. There are many types of healthcare providers and healthcare networks.

User resistance
User resistance, more commonly termed user acceptance in the information systems
literature, is nothing new to IT. The original Technology Acceptance Model (TAM) put
forth by Davis (1989) states a user’s level of system acceptance is explained by two factors:
the system’s perceived usefulness and its perceived ease of use.
Perceived usefulness is defined as the degree to which a person believes that using a particular
system would enhance job performance, while perceived ease of use is defined as the degree to
which a person believes that using a particular system would be free of effort. Subsequent
research across a variety of research settings confirms perceived usefulness as the strongest
predictor of user acceptance (Adams, Nelson, & Todd, 1992; Taylor & Todd, 1995; Venkatesh &
Davis, 1996; Mahmood, Hall, & Swanberg, 2001). Some believe that IT implementations in the
healthcare environment, however, encounter more resistance than in any other environment
(Adams, Berner, & Wyatt, 2004).
A study of 12 critical access hospitals found that barriers to health information technology included funding, staff resistance to change, and staff adaptation to IT and workflow changes. Other barriers noted were the time constraints on small staffs, facility and building constraints, and lack of appropriate IT support. While all agree that IT will improve safety and reduce errors, barriers to implementation are numerous and must be addressed (Hartzema, Winterstein, Johns, de Leon, Bailey, McDonald, & Pannell, 2007).

Slow IT Adoption
Traditionally, healthcare has been slow to adopt IT and has lagged significantly behind other
industries in the use of IT (Ortiz & Clancy, 2003; Adams et al., 2004). A 2005 report from the
National Academy of Engineering and the Institute of Medicine agrees healthcare’s failure to adopt
new strategies and technologies has contributed to the list of problems now associated with the
industry: thousands of preventable deaths a year, outdated procedures, billions of dollars wasted
annually through inefficiency, and costs rising at roughly three times the rate of inflation. Lack of
competition, resistance to change, and capital costs are among the major causes for healthcare’s
slowness to adopt IT (Hough, Chen, & Lin, 2005).
There are signs of progress, however, which offer promise of accelerated change.
Many hospitals and physician groups are now digitizing their medical records and
clinical data (Hough et al., 2005). As noted earlier, some hospitals like Cincinnati
Children’s Hospital, Baylor Healthcare System in Dallas, and The Heart Center of
Indiana have adopted IT at advanced levels (Cohen, 2005; Kay & Clarke, 2005).
These hospitals are models for the industry, forging a path for other healthcare
organizations to follow, and emerging as healthcare leaders in IT whose techniques
can be benchmarked, emulated and implemented. As the healthcare technologies are
developed to greater sophistication and functionality, it will be possible for other
healthcare organizations to “leapfrog” over the slow, expensive evolutionary learning
process experienced by the leaders (Conger & Chiavetta, 2006).
The following section outlines external opportunities and threats facing IT and healthcare. Specific opportunities are the Internet, the national environment, and industry standards. Key threats include legal compliance, loss of patient trust, and the costs of IT systems, training, implementation, and support.

External Opportunities

The Internet
Across the industry, healthcare facilities and providers are in various stages of incorporating the Internet into their operations to allow new ways to communicate with the general public, specific patients, patient groups, physicians, other providers, and employees. Notable Web-based services include public Web sites, various telemedicine applications for targeted patient audiences, physician portals, physician education sites, and facility intranets which serve an organization's internal audiences. Generally, there is an increased focus throughout the healthcare industry on improving all Web-based applications (Sternberg, 2004).
The Internet is also redefining communication channels between doctors and patients, as well as between healthcare providers and other healthcare-related agencies. DeShazo, Fessenden, and Schock (2005) suggest the top two emerging trends in healthcare are (1) online patient/physician communication and (2) communication among hospitals, labs, pharmacies, and physicians. Advances in home technology coupled with the aging of the baby-boom generation have created demand for better communication with patients about their on-going care and monitoring. Improving the communication between the patient's at-home technology and the provider's technology is also a growth opportunity. When adequate information is transmitted to the healthcare provider, the physician saves appointment time and patients are freed from excessive office visits, thereby lowering transaction costs (Flower, 2005).
The Internet and other advances in IT have enabled new models for electronic
delivery of a variety of healthcare services. Kalyanpur, Latif, Saini, and Sarnikar (2007)
describe the market forces and technological factors that have led to the development of
Internet-based radiological services and agree the Internet has provided the platform for
cost-effective and flexible radiological services. Wells (2007) agrees that the practice of evidence-based medicine requires access to the Internet, mobile devices, and clinical decision-support tools to assist practitioners in reducing preventable medical errors.

Favorable External Environment

There is growing support worldwide for the utilization of more IT in healthcare (Caro, 2005). Reports from Australia, Great Britain, India, Italy, and Norway, for example, document local, regional and national healthcare projects and initiatives utilizing IT (Sharma, 2004; Grain, 2005; Marino & Tamburis, 2005; Bergmo & Johannessen, 2006; Fitch & Adams, 2006).
In 2005, the Agency for Healthcare Research and Quality, part of HHS, awarded over $22 million in grants to 16 institutions in 15 states to aid in implementing healthcare IT projects emphasizing patient safety and healthcare quality. The grants were designed to encourage the sharing of information among providers, labs, pharmacies, and patients, with the specific goal of decreasing medication errors and duplicate testing. Eleven of the 16 grants were awarded to small and rural communities (Anonymous, 2005c).
In his 2004 State of the Union address, President Bush called for the adoption of electronic health records within the next ten years in the United States and urged more healthcare organizations to consider implementing such health information technologies as electronic health records (EHR), computerized ordering of prescriptions and medical tests, clinical decision support tools, digital radiology images, and secure exchange of authorized information, emphasizing that all of these technologies have been shown to improve patient care quality and reduce medical errors (Abrahamsen, 2005). President Bush's 2008 budget proposal contained funding for a healthcare system for which IT is the starting point. Carolyn Clancy, Director of the Agency for Healthcare Research and Quality, agrees that the data generated by such a system could answer various medical inquiries and could draw on the EHRs of millions of individuals to advance the evidence base for clinical care. She further suggests the data could reveal why costs are increasing and what risks and benefits are associated with particular prescription drugs (Lubell, 2007).

Industry standards
The development of industry standards for both data communications and data taxonomies may be the most profound of all the opportunities currently facing healthcare. As a crucial first step in modernizing the U.S. healthcare system, all industry participants (providers, payers, and regulators) are being urged to adopt interoperable systems and common data standards for existing federal, state, and health networks, along with standard practices to promote data sharing and protection of patient privacy (Swartz, 2006b). Standard data communications technology and standard data definitions are essential for such health information technologies as electronic health records and e-prescribing (Brailer, 2004).
A recent study of several disability compensation programs within the U.S. found that each program uses its own terminology and disability definitions, causing non-standard interpretation of terms, misinterpretation of data, and delay in the disability evaluation process. The study suggests that defining and adopting a standard for disability evaluation could not only eliminate process inefficiencies in determining disabilities but could also facilitate innovative disability technology practices (Tulu, Hilton, & Horan, 2006).
System standards resulting in a greater level of systems integration is a pressing need. Conn (2007a)
reports the compromise reached by two rival standards groups for data communications standards
can help to bridge the gap between physicians’ offices and hospitals in the electronic health record
systems they use. The Continuity of Care Document standard combines the independent works by
two standards development organizations on creating electronic summaries of care for discharged
patients.

External Threats

Legal compliance
The Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996, is the most significant Federal legislation affecting the U.S. healthcare industry since the Medicare and Medicaid legislation of 1965. Title I of HIPAA legislates improved portability and continuity of health insurance coverage for American workers. Title II addresses "administrative simplification", requiring the development of standards for the electronic exchange of personal health information (PHI). Administrative simplification requires rules to protect the privacy of personal health information, the establishment of security requirements to protect that information, and the development of standard national identifiers for providers, health insurance plans, and employers. Two significant sections of HIPAA are (1) the Privacy Rule and (2) the Security Rule.
The Privacy Rule legislates in detail the collection, use, and disclosure of personal health information. To be in compliance with the Privacy Rule, covered entities must notify individuals of uses of their PHI, keep a record of disclosures of PHI, and document and disclose their privacy policies and procedures. Covered entities must have designated agents for receiving complaints and they must train all members of their workforce in proper procedures.
The Security Rule complements the Privacy Rule and presents three types of security safeguards designated as administrative, physical, and technical. For each type, the Rule identifies various security standards and names (1) required implementation specifications, which must be adopted and implemented as specified in the Rule, and (2) addressable implementation specifications, which are more flexible: a covered entity must assess whether each one is reasonable and appropriate for its environment, implement it if so, and otherwise document why not and implement an equivalent alternative measure where reasonable. Addressable does not mean optional.

Loss of patient trust

The Institute of Medicine (IOM) of the National Academy of Sciences released a report in 1999 that focused much attention on the U.S. healthcare industry. The report stated that medical errors caused between 44,000 and 98,000 preventable deaths annually, and that medication errors alone caused 7,000 preventable deaths (Kohn, Corrigan, & Donaldson, 1999). Within two weeks of the report's release, Congress began hearings and the President ordered a government-wide feasibility study for implementing the report's recommendations for (1) the establishment of a Center for Patient Safety, (2) expanded reporting of adverse events, and (3) development of safety programs in healthcare organizations. According to a study by HealthGrades, a leading healthcare ratings organization, during the period 2000–2002 the estimated number of accidental deaths per year in U.S. hospitals had risen from the 98,000 reported by the IOM in 1999 to 195,000 (Shapiro, 2006).

Cost
One of the most immediate barriers to widespread adoption of technology is the high cost of implementation. A report in the Annals of Internal Medicine estimated that a National Health Information Network (NHIN) would cost $156 billion in capital investment over five years and $48 billion in annual operating costs. Approximately two-thirds of the capital costs would be needed to acquire the functionalities and one-third for interoperability. The present level of spending is only about one-fourth of the amount estimated for the model NHIN. While an NHIN would be expensive, $156 billion is equivalent to 2% of annual healthcare spending for 5 years (Kaushal et al., 2005). Industry reports from Datamonitor, Gartner, and Dorenfest & Associates predict increased spending on IT by healthcare providers at an annual rate of between 10% and 15% (Broder, 2004). A study conducted by Partners Healthcare System, Boston, concluded that a national healthcare information system would cost $276 billion, take 10 years to build, and require another $16.5 billion annually to operate. However, the study also concluded that such a system would save U.S. hospitals $77.8 billion annually because of more efficient communication (Anonymous, 2005a).

DISCUSSION AND CONCLUSIONS
Table 1 summarizes the current SWOT analysis of IT implementation in the healthcare
industry in the U.S. The healthcare industry faces multi-faceted challenges to improve
patient safety and assure information security while containing costs and increasing
productivity. The key area for addressing these concerns is more investment in IT to
facilitate the flow of information and offer access to providers and partners along the
healthcare supply chain, reduce medical errors, and increase efficiency. Implementation of
IT networks to achieve the required level of information and data communications is
complicated by the variety of systems already used by provider organizations as well as the
lack of system integration within provider organizations.
Table 1
SWOT Analysis

Strengths:
• Improved patient safety
• Greater efficiency of operation
• Current investment in IT

Weaknesses:
• Lack of system integration
• User resistance
• Slow IT adoption

Opportunities:
• The Internet
• Favorable external environment
• Industry standards

Threats:
• Legal compliance
• Loss of patient trust
• Costs

KEY CYBER SECURITY RISKS FOR HEALTHCARE
PROFESSIONALS

• Large attack surface
Medical care is no longer the domain of the generalist, but rather a complex collaboration between multiple medical specialists working for different organizations and interacting through disparate IT systems. Healthcare organizations span multiple geographical locations once different hospitals and outpatient clinics are accounted for. A modern hospital can have thousands of workstations, specialist medical devices running embedded operating systems, specialist medical software, mobile devices, and both on-premises and cloud-based services. Shared workstations are used by an ever-changing roster of healthcare professionals, and the urgency of the work means that generic, shared user credentials are often used rather than individual user accounts; this leaves systems wide open and destroys the audit trail, since an action can no longer be tied to a person. With the push to interoperable electronic health records, sensitive patient data is continually flowing in and out of healthcare systems. These factors add up to an increased risk of being compromised, hacked, or breached.
• Phishing and Spearphishing
Phishing and spearphishing are very common ways of distributing malicious email attachments
and Web links. The banality of the subject matter for phishing, and the assumed-validity of spear
phishing can make it difficult for time-pressed and stressed workers to identify when something
isn't quite right. When the infection is an advanced persistent threat that lingers undetected for
many weeks or months, the damage from these threats is significant.
• CEO Fraud, BEC, Whaling
Carefully crafted emails that target the C-suite with spoofed addresses and calls for confidentiality can lead to a CFO transferring money to a criminal's account without being aware of the misdeed until it is too late. If the compromise is instead a persistent foothold, then, given the generally wide access rights to data and systems held by senior executives, the threat of breaches of health information, loss of corporate secrets, and extortion is high.
• Ransomware
Ransomware is a significant threat to the data and systems of all organizations, but it is especially threatening to healthcare organizations because of the life-and-death consequences of not being able to run a hospital or other facility. With modern forms of ransomware able not only to infect the first machine but also to seek out and spread to other vulnerable targets across the network automatically, healthcare professionals cannot afford to be the one person who gets it wrong. While medical records are among the most valuable data for sale on the black market, ransomware gets criminals an immediate payoff without their having to sell anything.
• Identity theft
Healthcare records contain all of the data points on an individual that are needed for identity
theft, in addition to financial, tax, insurance and medical fraud. The healthcare industry has an
abysmal track record in protecting patient data, with tens of millions of healthcare records
breached in 2016 alone.

BEST PRACTICES FOR CYBER SECURITY DEFENSES

We have examined the regulatory landscape for healthcare firms and both the trends and risks
that drive cyber security threats in the industry. What should healthcare organizations be doing to
strengthen cyber security defenses, particularly in light of the fact that healthcare is the only
industry in which employees are the primary threat vector for data breaches? Here are the best
practices.

• Take the risks seriously


There is sufficient evidence across the healthcare industry that cyber threats including
ransomware are a present and growing problem. Healthcare decision makers will need support
from the C-suite and board of directors to elevate the importance of erecting appropriate
defenses, and securing the appropriate budget and headcount. The vast majority of health IT
decision-makers say security is rarely talked about at board meetings, which in light of its
potential devastating effects, is a reality that needs to change. Senior executives play a vital role
in setting the tone and culture of security mindedness within a firm; enhanced cyber security
cannot be just an IT-initiative led by the IT team.

• Build cyber threat awareness


Your organization faces generalized and specific cyber threats: generalized threats include
ransomware, malware, and data breaches, and specific intensities of those threats due to the
nature of the healthcare industry and its systems.

• Develop a cyber security strategy for your organization
Do the internal research to identify the specific threats faced at your organization, including a
complete audit of current security tools, training programs, and security practices. This needs to
be a comprehensive and enterprise-wide assessment, not a piecemeal approach. Elements include
identifying specific risks, such as computers still running Windows XP, medical devices with unpatched operating systems, and printers in locations that non-authorized people could access.
Assess the effectiveness of training programs, pulling data on metrics such as key offenders,
repeat offenders, and the types of attacks that are consistently being successful despite training
efforts. If outdated or vulnerable medical devices are of particular concern, work with the
original vendor to develop solutions to the problem. When evaluating current and potential IT
security vendors, look for those who are innovating at the rate of current threats, not those stuck
in neutral. If your organization lacks the cyber security skills in-house to execute such a strategy,
engage a specialist external consultancy to lead the effort.

• Establish thorough and detailed policies


Translate your cyber security strategy into an appropriate number of thorough and detailed
policies. These should include the communication and collaboration systems which are
appropriately protected and secured for use (and those which are not), security tools that must be
used (for perimeter, endpoint, and data protection), security practices that must be followed (such
as keeping systems up-to-date), and acceptable and unacceptable use of corporate resources and
personal devices connecting to the healthcare network. If healthcare professionals are permitted
to use their own devices for enterprise purposes, what protections are necessary to ensure
security of patient data, mitigate against lost or stolen devices, and protect the network from
compromised devices or apps?

SECURITY METRICS

Infrastructure security metrics are the application of statistical and quantitative methods of mathematical analysis to the process of measuring the activities and outcomes of the security program. Measurement gives aggregate, higher-level results as well as the return on investment for the infrastructure model. Security metrics must be able to demonstrate their value to the organization. CMMI (Capability Maturity Model Integration) can be used to measure performance and process improvement.

Before creating the infrastructure metrics, information security measures are required. The time needed to implement the infrastructure security model has to be estimated. Healthcare IT is changing with time and the requirements placed on security models have increased, so the duration of implementation is an important factor to consider when selecting a particular IT infrastructure. Prioritization of individual metrics is equally important within an organization. Healthcare IT needs to prioritize among requirements such as 24x7 availability, remote access, data security, wireless connectivity and so on. A performance target for the network is to be determined; as the network requirements of healthcare IT are very critical, the performance target should be close to 100%. The percentage of remote access points used to gain unauthorized access is to be determined, and possible security breaches into the network are to be estimated. Healthcare IT has multiple remote access points, so all of them need to be secured, eliminating most of the vulnerabilities. The average frequency of audits and of the training given to personnel is also to be accounted for in the measurements, as is the percentage of physical security incidents.

The criteria applied to select good information security metrics:

• Confidentiality
• Integrity
• Availability

The metrics should cover all the business aspects and should be kept up to date.

Metric / Rationale / Pros and Cons

Metric: Impact of downtime (loss of business in $ and damage to the organization's brand image)
Rationale: Network availability is crucial; a lack of security can result in attacks on and breaches of the system.
Pros/Cons: Supports planning the budget for a secured IT infrastructure.

Metric: Incident occurrence rate; mean time to incident discovery; mean time to incident recovery
Rationale: Early and accurate identification, handling and recovery from security incidents.
Pros/Cons: Knowledge about incident occurrence, recovery and handling; better resourcing of the IT incident team.

Metric: Downtime (hours)
Rationale: Reporting downtime helps analyze the vulnerability of the network.
Pros/Cons: Helps with better time management and mitigation.

Metric: Number of critical applications in operation; risk assessment coverage
Rationale: Helps identify the critical applications (e.g. life support systems, MRI) and the risks associated with them.
Pros/Cons: Security of life support and other critical applications; replacement cost associated with application failures.

Metric: Fulfilment of service level agreements; service provided to the patients
Rationale: Helps realize the commitment towards the patient and the service provided.
Pros/Cons: Helps in achieving the ROI.

Metric: Information security budget allocation in healthcare IT
Rationale: Level and requirement justification for the IT security budget.
Pros/Cons: Budget planning for the security system.

Metric: Patches and upgrades applied to the critical application network
Rationale: Maintaining the system at an up-to-date level.
Pros/Cons: Better knowledge of the patches and upgrades available in the sector.

Metric: Vulnerability scan of the complete network; mean time to mitigate the vulnerabilities present in the network
Rationale: Management of the vulnerabilities to which the network is exposed.
Pros/Cons: Helps in better recognition of the vulnerabilities to which the network is exposed.
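Several of the metrics in the table above (incident occurrence rate, mean time to incident discovery, mean time to incident recovery, downtime hours and the near-100% availability target) can be derived mechanically from an incident register rather than estimated. The Python below is an added example and not part of the original report: it parses a small constructed incident register (the incident IDs, categories and timestamps are made up for illustration) and computes those metrics for one reporting period, with an availability target of 99.9% assumed for the check.

```python
from datetime import datetime

# Constructed incident register for one reporting period (all values are illustrative).
# Fields: incident id, category, time the incident began, time it was discovered,
# time service was recovered, whether a critical clinical system was affected.
INCIDENT_LOG = """\
INC-001,phishing,2019-01-03T08:15,2019-01-03T09:45,2019-01-03T14:00,no
INC-002,ransomware,2019-01-14T02:10,2019-01-14T07:30,2019-01-15T11:30,yes
INC-003,unauthorized_access,2019-02-02T22:05,2019-02-05T10:00,2019-02-05T12:00,no
INC-004,device_outage,2019-02-20T13:00,2019-02-20T13:05,2019-02-20T18:05,yes
"""

PERIOD_START = datetime(2019, 1, 1)
PERIOD_END = datetime(2019, 3, 1)   # exclusive: 59 days in the period
TIME_FMT = "%Y-%m-%dT%H:%M"


def parse_log(text):
    """Turn the CSV register into a list of dicts with datetime fields."""
    incidents = []
    for line in text.strip().splitlines():
        inc_id, category, started, discovered, recovered, critical = line.split(",")
        incidents.append({
            "id": inc_id,
            "category": category,
            "started": datetime.strptime(started, TIME_FMT),
            "discovered": datetime.strptime(discovered, TIME_FMT),
            "recovered": datetime.strptime(recovered, TIME_FMT),
            "critical": critical == "yes",
        })
    return incidents


def hours(delta):
    return delta.total_seconds() / 3600.0


def security_metrics(incidents, period_start, period_end, availability_target=0.999):
    """Compute the register-derived metrics listed in the report's table.

    MTTD is measured from the start of the incident to its discovery, MTTR from
    discovery to recovery; downtime counts only incidents that took a critical
    clinical system out of service, and availability is measured against that.
    """
    if not incidents:
        raise ValueError("no incidents in period")
    period_hours = hours(period_end - period_start)
    period_days = (period_end - period_start).days
    n = len(incidents)
    mttd = sum(hours(i["discovered"] - i["started"]) for i in incidents) / n
    mttr = sum(hours(i["recovered"] - i["discovered"]) for i in incidents) / n
    downtime = sum(hours(i["recovered"] - i["started"]) for i in incidents if i["critical"])
    availability = (period_hours - downtime) / period_hours
    return {
        "incidents": n,
        "incident_rate_per_30_days": n / period_days * 30,
        "mttd_hours": mttd,
        "mttr_hours": mttr,
        "critical_downtime_hours": downtime,
        "availability": availability,
        "meets_target": availability >= availability_target,
    }


if __name__ == "__main__":
    metrics = security_metrics(parse_log(INCIDENT_LOG), PERIOD_START, PERIOD_END)
    for name, value in metrics.items():
        print(f"{name:<28} {value}")
```

On this register a single ransomware incident that kept a critical system down for a day and a half is enough to miss a 99.9% target for the whole two-month period, which is the point of reporting downtime per critical system rather than only counting incidents.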

RISK ANALYSIS

The risk analysis was performed and the following table represents our findings and the associated costs. The starting annualized loss expectancy (ALE) is the single loss expectancy (SLE, the cost per incident) multiplied by the annualized rate of occurrence (ARO).

Threat | Cost per incident (SLE) | Frequency of occurrence | ARO | Starting ALE
Hacked medical equipment | $10,000,000.00 | Once every 10 years | 0.1 | $1,000,000.00
Hacked network attached devices | $20,000.00 | Once every 10 years | 0.1 | $2,000.00
Hacked internet-facing personal health data | $2,000,000.00 | Twice every year | 2 | $4,000,000.00
Hacked surveillance cameras / security equipment | $1,000,000.00 | Once every three years | 0.33 | $333,333.33
Theft or loss of data | $4,000,000.00 | Once every year | 1 | $4,000,000.00
Unauthorized access | $100,000.00 | Three times every year | 3 | $300,000.00
Viruses, worms, macros, denial of service | $2,000,000.00 | Once every year | 1 | $2,000,000.00
Equipment failure | $4,000,000.00 | Once every two years | 0.5 | $2,000,000.00
Service issues from service providers | $500,000.00 | Twice every year | 2 | $1,000,000.00
Insider misuse | $500,000.00 | Twice every year | 2 | $1,000,000.00
Patient records breach | $1,000,000.00 | Once every year | 1 | $1,000,000.00

COST BENEFIT ANALYSIS
The following table represents the results of the cost benefit analysis. The control measures and their associated annual costs, which were used for the analysis, are listed as well. The post-control ALE is the prior ALE multiplied by the residual factor shown (the source table labels this column ARO, but the figures are applied as a fraction of the prior ALE), and CBA = ALE (prior) - ALE (post) - cost of controls. A negative CBA means the control costs more per year than the loss it is expected to prevent.

Threat | Cost per incident | Frequency of occurrence | ALE (prior) | Residual factor | ALE (post) | Cost of controls | Type of control | CBA
Hacked medical equipment | $10,000,000.00 | Once every 10 years | $1,000,000.00 | 0.5 | $500,000.00 | $100,000 | Physical/software security | $400,000.00
Hacked network attached devices | $20,000.00 | Once every 10 years | $2,000.00 | 0.25 | $500.00 | $15,000 | Physical security | -$13,500.00
Hacked internet-facing personal health data | $2,000,000.00 | Twice every year | $4,000,000.00 | 1 | $4,000,000.00 | $70,000 | Firewall | -$70,000.00
Hacked surveillance cameras / security equipment | $1,000,000.00 | Once every three years | $333,333.33 | 0.15 | $50,000.00 | $75,000 | Physical/software security | $208,333.33
Theft or loss of data | $4,000,000.00 | Once every year | $4,000,000.00 | 0.5 | $2,000,000.00 | $1,000,000 | Backups | $1,000,000.00
Unauthorized access | $100,000.00 | Three times every year | $300,000.00 | 1 | $300,000.00 | $900,000 | Software security | -$900,000.00
Viruses, worms, macros, denial of service | $2,000,000.00 | Once every year | $2,000,000.00 | 0.3 | $600,000.00 | $150,000 | Antivirus | $1,250,000.00
Equipment failure | $4,000,000.00 | Once every two years | $2,000,000.00 | 0.2 | $400,000.00 | $175,000 | Physical security | $1,425,000.00
Service issues from service providers | $500,000.00 | Twice every year | $1,000,000.00 | 0.7 | $700,000.00 | $90,000 | Insurance | $210,000.00
Insider misuse | $500,000.00 | Twice every year | $1,000,000.00 | 0.8 | $800,000.00 | $100,000 | Software security | $100,000.00
Patient records breach | $1,000,000.00 | Once every year | $1,000,000.00 | 0.4 | $400,000.00 | $150,000 | Software security | $450,000.00

Three controls have a negative CBA at the figures assumed (the firewall for internet-facing health data, the software security for unauthorized access, and physical security for network attached devices). The firewall and unauthorized-access rows assume no reduction in the ALE at all, so those residual factors should be re-estimated before the controls are rejected on cost grounds.
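The two tables above are instances of the standard quantitative risk formulas: ALE = SLE x ARO for each threat, and CBA = ALE (prior) - ALE (post) - annual cost of the control. The Python below is an added example and not part of the original report. It re-computes both tables from the report's own figures using exact fractions so the arithmetic can be checked (the surveillance ARO is taken as exactly 1/3, which the report prints rounded to 0.33), treats the post-control column as a residual factor applied to the prior ALE (which is how the report's post-control figures were produced), and ranks the controls whose cost exceeds the loss they avoid.

```python
from fractions import Fraction

# Threat register from the report's risk analysis table: (threat, SLE in $, ARO in events per year).
THREATS = [
    ("Hacked medical equipment",               10_000_000, Fraction(1, 10)),
    ("Hacked network attached devices",            20_000, Fraction(1, 10)),
    ("Hacked internet-facing health data",      2_000_000, Fraction(2)),
    ("Hacked surveillance/security equipment",  1_000_000, Fraction(1, 3)),   # printed as 0.33 in the report
    ("Theft or loss of data",                   4_000_000, Fraction(1)),
    ("Unauthorized access",                       100_000, Fraction(3)),
    ("Viruses, worms, macros, DoS",             2_000_000, Fraction(1)),
    ("Equipment failure",                       4_000_000, Fraction(1, 2)),
    ("Service issues from providers",             500_000, Fraction(2)),
    ("Insider misuse",                            500_000, Fraction(2)),
    ("Patient records breach",                  1_000_000, Fraction(1)),
]

# Controls from the report's CBA table: threat -> (residual factor on prior ALE, annual cost in $, control type).
CONTROLS = {
    "Hacked medical equipment":               (Fraction(1, 2),    100_000, "physical/software security"),
    "Hacked network attached devices":        (Fraction(1, 4),     15_000, "physical security"),
    "Hacked internet-facing health data":     (Fraction(1),        70_000, "firewall"),
    "Hacked surveillance/security equipment": (Fraction(15, 100),  75_000, "physical/software security"),
    "Theft or loss of data":                  (Fraction(1, 2),  1_000_000, "backups"),
    "Unauthorized access":                    (Fraction(1),       900_000, "software security"),
    "Viruses, worms, macros, DoS":            (Fraction(3, 10),   150_000, "antivirus"),
    "Equipment failure":                      (Fraction(2, 10),   175_000, "physical security"),
    "Service issues from providers":          (Fraction(7, 10),    90_000, "insurance"),
    "Insider misuse":                         (Fraction(8, 10),   100_000, "software security"),
    "Patient records breach":                 (Fraction(4, 10),   150_000, "software security"),
}


def ale(sle, aro):
    """Annualized loss expectancy: single loss expectancy times annualized rate of occurrence."""
    return Fraction(sle) * Fraction(aro)


def risk_table():
    """Threat -> prior ALE, reproducing the report's risk analysis table."""
    return {name: ale(sle, aro) for name, sle, aro in THREATS}


def cost_benefit(prior_ale, residual_factor, control_cost):
    """Return (post ALE, CBA). CBA = ALE(prior) - ALE(post) - control cost; negative means the
    control costs more per year than the loss it removes."""
    post_ale = prior_ale * residual_factor
    return post_ale, prior_ale - post_ale - control_cost


def cba_table():
    """Reproduce the report's cost benefit table as a list of row dicts."""
    rows = []
    for name, prior in risk_table().items():
        factor, cost, control = CONTROLS[name]
        post, cba = cost_benefit(prior, factor, cost)
        rows.append({"threat": name, "control": control, "ale_prior": prior,
                     "ale_post": post, "cost": cost, "cba": cba})
    return rows


def total_cba(rows):
    """Net annual benefit of buying the whole control set."""
    return sum(r["cba"] for r in rows)


def controls_not_worth_buying(rows):
    """Controls with negative CBA, worst first; these need a better residual estimate or a cheaper control."""
    return sorted((r for r in rows if r["cba"] < 0), key=lambda r: r["cba"])


if __name__ == "__main__":
    rows = cba_table()
    for r in rows:
        print(f"{r['threat']:<40} ALE {float(r['ale_prior']):>13,.2f} -> {float(r['ale_post']):>13,.2f}"
              f"  CBA {float(r['cba']):>13,.2f}  ({r['control']})")
    print(f"net annual benefit of the control set: {float(total_cba(rows)):,.2f}")
    for r in controls_not_worth_buying(rows):
        print("revisit:", r["threat"], "-", r["control"], "costs more than it saves")
```

Working in fractions rather than floats matters for the surveillance row: 1,000,000/3 x 0.15 is exactly 50,000, and rounding the ARO to 0.33 first would make the published ALE and CBA figures disagree with each other by a few dollars.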

PROTECTION MECHANISM
This section provides an overview of an architecture that helps meet the security requirements associated with securing clinical systems and devices, biomedical devices/servers, IT endpoints, and their associated applications.

ENDPOINT SECURITY
Like any other industry, healthcare has a very diverse and complex set of endpoints. Healthcare providers use a plethora of both wired and wireless devices for clinical needs. These devices need to be secured against data loss, data theft, and privacy invasion, and must also meet local country and state security law. Products that can help with endpoint security are host intrusion prevention software, wireless LAN controllers (WLC), antivirus software and Trojan removal tools.
To secure endpoints adequately, the following must be done:
• Enforce security policies for users and devices.
• Identify and restrict users and devices that violate policies.
• Manage identities and control users on specific devices.
• Inspect device health, and quarantine and remediate devices with security issues.
NETWORK SECURITY
One of the most fundamental elements of a medical network is network security, which is designed to protect the integrity of the network infrastructure itself, where entire network segments may be the target of attacks such as theft of service, service abuse, denial of service (DoS) and data loss. Firewalls must be used to separate the network into segments and prevent unauthorized access. Additionally, network security can be enhanced by using security appliances provided by vendors such as Cisco. A VPN must be used for accessing the medical network from outside. Routers must also be provided with firewalls, and infrastructure protection must be applied on routing/switching platforms.
CONTENT SECURITY
Healthcare facilities are, like all others, vulnerable to attacks on data and content. Spam, phishing attacks launched through e-mail, and attacks launched to steal web content have all been used to give an attacker access to a target system. For adequate content security within the healthcare architecture, products that provide e-mail filtering and checking, web security against malicious websites, and intrusion prevention systems must be employed.
SYSTEM NETWORK AND EVENT MANAGEMENT
System tools keep a check on the health of the entire system
whereas network management tools help in automating,
simplifying, and integrating networks to reduce operational
costs. Tools that deal in the area of access control systems,
enterprise management and infrastructure security
management can be obtained from vendors.

RECOMMENDATIONS & CONCLUSION

What difference does IT make to worldwide production and trade of healthcare commodities and services? This central question was examined by analyzing the embeddedness of IT in the development, delivery and administration of healthcare commodities and services in cross-border value chains of the international economy, with the following conclusions and recommendations:

• TeleHealth provides means by which the allocation of healthcare resources can be improved together with trade promotion. In linking individuals, groups, communities, organizations and governments in complex value chains across borders, IT can play an important role in enabling the world's poor to access essential health products and services in innovative forms, as discussed in Sections 2 and 3 of this paper.
• IT has promoted efficiency by enabling information to be available and cheaply distributed, and has improved the prospects for countervailing institutions to function, for reasons detailed in Section 4. These benefits are observable in less developed countries too as IT diffuses. Information is a prerequisite of good stewardship, and IT enables governments to know what to regulate and how best to do so, making it less likely that commercial interests would claim precedence over people's health. More open information flows on deliveries and deliverables would set norms and standards and new forms of partnership.

Old institutional ties like Hisba, Ombudsman and Panchayat could be revitalized as stewards in local communities, or new ones built, if even 5 % of total resources allocated to country-specific projects were earmarked for investments in action-research to organize this role in efficient ways of delivery under local control. This will also help compare performances, conduct reasoned discourses on alternatives and provide feedback on much-needed public-private partnership experimentation. Decentralized networks and IT reinforce each other, whereas IT costs and risks require syndication, and these two contrary tendencies pull in opposite directions. Investments in IT for healthcare could be treated as global public goods and financed internationally.

• Telematic connectivity conferred by IT is easily diffused technically, but structural impediments inhibit its diffusion in less developed countries. Since the new generation of healthcare commodities and services is IT-intensive and access to naturally occurring and mutated microorganisms is highly skewed, the digital divide could aggravate the bio-power divide. However, this could be mitigated by aligning the financial means and bio-information needs of firms in developed countries with the financial needs and information rationalized in developing countries through new global institutions and partnerships.
• The tension between efficiency and equity is at the core of how IT affects designs of trade in healthcare services in several important ways:
  • in the design of therapeutic products, due to new ways of discovering, synthesizing and testing drugs, but incentives need to be structured for IT-intensity to be used for underfinanced neglected diseases;
  (c) in the design of networks, where transfer pricing of value created at different locations and e-commerce are a crucial determinant of profitability and growth through cost control and differential pricing, and can reduce response times for development, delivery and administration of healthcare;
  (d) in the design of healthcare systems, where developing country governments struggle to build national health systems under strain on public finances while at the same time investing in telemetric capabilities, IT and human capital for cross-border services trade in health care. Attention to the framework presented in Section 8 would call for policies that ensure that higher healthcare costs induced by IT are commensurate with benefits by spreading the costs.

• Policy conflicts between health, trade and development goals over rights and interests require international regimes for distributed enterprising, particularly with regard to how biological resources are shared. The dissolution of traditional industry boundaries between pharmaceuticals, biotechnology and IT for life sciences has irreversibly transformed the contestable healthcare arena, changing its scope from national to global. Cross-border trade in health-related IT services has attracted record amounts of FDI for healthcare development and healthcare administration, but not as much for healthcare delivery. The scale and scope effects for industrial structures point to continuing consolidation and a reduction in the number of global players in health care businesses. This poses new challenges to anti-trust legislation and competition policies, which would need to be harmonized globally.

• IT enables distance consultation and cross-referrals among professionals where the density of medical professionals is highly variable across urban and rural areas and the expertise of specialisms is difficult to replicate at every location. By promoting low-cost distance interaction among groups for the exchange of information, IT expands choices, enables more productive use of medical resources, and encourages innovations in cross-border supply of services, as detailed in Sections 2 to 4. Alternative forms of medical treatment such as kampo, homeopathy, ayurveda, unani, acupuncture, herbal medicine etc. would be more thoroughly scrutinized and facts separated from conjectures on the basis of information and experiences shared on websites and in internet discussion groups.

• Digitalized connectivity has improved transparency, expanded choice and created new value chains for all concerned, but its impact on the costs of healthcare is unclear. This deserves to be researched further with respect to disease burdens, cost per diagnosis and cost per treatment for more clarity on policy perspectives. Not all the potential gains from the role of IT in healthcare in less developed countries are yet visible in actual gains to date. This is partly because stewardship requirements in less developed countries are greater than and different from those in developed countries, and because IT is not a substitute for some of the critical factors contributing to healthcare such as safe drinking water, nutrition, hygiene and sanitation, or for poverty. The diffusion of IT to rural areas is also constrained by the non-availability of electricity and the difficulties of maintaining computer equipment in dust-free and humidity-free settings. The positive impact of IT on healthcare exports, growth and employment has to be weighed against resource diversions, depletions and strains on public finances. In countries where global networks present limited points of contact, the positive spillover effects for human capital and infrastructure are negligible. The reach and power conferred by IT do not translate easily into capacity creation. Not much can be concluded about the motives and power bases of those influencing policy without better clarity through more research and empirical analysis at disaggregated levels in specific developing countries and in specific kinds of IT applications among clusters of healthcare service providers and communities. The questions raised in Figure 1 of Section 8 constitute an ongoing research agenda. More research is needed to understand how the market and non-market solutions proposed would actually work. Governments need to encourage experimentation on the syndication of risks across public systems and private enterprises through innovations in health insurance and IT investments for healthcare.

• The use of IT has spawned and proliferated new fields of knowledge for profit in healthcare. These have prompted discussions on international collaborations (including public-private-voluntary intersectoral partnerships) for transnational governance of new risks for the bundling of product-service linkages, as analyzed in Section 5. The involuntary extraction of data from humans across borders requires a review of standards of privacy and data protection laws. Complex questions of personal data protection, privacy, remote liability and vicarious liability, where national treatments are yet to be harmonized, must remain on the research and policy agenda of the WHO. Considerable uncertainty remains about prospects for IT-enabled global databases concerning microorganisms from which the next generation of IT-assisted life-saving medicines would emerge. This poses health security hazards on an unprecedented scale, besides rendering TRIPS partially unimplementable. The normative aspects of digitalized transfers of data are not determined by IT alone, and government scrutiny over such communications is a constraint on the notion of seamless connectivity. The responsibility for healthcare and for IT is naturally global in certain respects. Global governance and public-private partnerships need to be designed to secure public health, human privacy, data integrity, intellectual property rights and telemetric trade, as discussed in Sections 6 to 8 of this paper.

• Information and communication technologies now enable abusive experimentation to be undertaken from a distance in the twenty-first century. The perversion of medical knowledge and skills towards involuntary, uninformed and coercive participation in trade of genetic material, expropriation of organs, biological experiments in eugenics, human safety and ergonomics, is very hard to prevent. In the twentieth century such experimentation occurred on minorities in a number of countries on a large scale. The greatest transformative impact of IT has arisen in robotics involving the design of expert systems approximating artificial intelligence with learning capability. IT systems, on the basis of learning, could be making decisions not under the control of identifiable humans or collectivities of human agents and be communicating amongst themselves in languages not immediately intelligible even to their original programmers. The solutions to introduce human supervision to mitigate this would further complicate issues of privacy and data protection. There are also implications for the law of extra-territorial liability and the doctrine of remoteness, and international agreement would be needed to keep pace with differing national interpretations and avoid the pitfalls listed in Section 6 and analyzed further in Sections 7 and 8.
Questionnaire

1. Examine the following sentence: "The objective of improving the access of refugees to primary health care will be achieved through increased funding of NGO outreach activities". Does this sentence refer to an example of:

A. An official policy
B. A contingency plan
C. A strategy
D. A benchmark
E. A project

2. All the features below, except one, are common to current complex
emergencies. Identify which one is NOT A COMMON characteristic:

A. Increased mortality
B. High levels of violence against civilians
C. High food insecurity
D. High number of battle-deaths
E. Large population displacement

3. Which one of the following desirable characteristics of health information is THE LEAST IMPORTANT in a crisis context?

A. Precision
B. Timeliness
C. Accuracy/validity
D. Cost
E. Relevance

4. In a country affected by a protracted crisis, which, among the following, is not an appropriate information source?

A. Household surveys, like the Demographic and Health Survey, or the Multiple
Indicators Cluster Survey
B. Surveillance systems
C. Academic journals
D. Civil registration systems

5. Consider the following (true) sentence: "The Angolan hospital network is oversized and concentrated in large towns. It absorbs a large proportion of available resources." Given such a picture, which one of the remarks listed below is CORRECT?

A. The Angolan hospital network suffers from a severe resource shortage.
B. Existing hospitals should be rehabilitated and fitted with state-of-the-art equipment.
C. The Angolan health sector suffers from a severe allocative inefficiency.
D. Large hospitals are necessarily the main providers of health care in urban settings.

6. Decide which of the following sentences is TRUE. During a protracted conflict:

A. The health workforce tends to contract, due to violence, disease, famine and
outward migration.
B. The proportion of internal health expenditure absorbed by salaries tends to
increase.
C. There is a large influx of health workers from the Diaspora.
D. Staffing patterns at PHC level tend to improve.

7. The relationship between protracted conflict and HIV transmission has been studied in several countries. Available evidence suggests that:

A. Protracted conflict consistently accelerates HIV transmission.
B. HIV transmission is faster within the poorest population groups.
C. In most protracted conflicts HIV prevalence is lower than expected.
D. In most protracted conflicts HIV prevalence is higher than expected.

8. In the 1990s, the levels of health expenditure per capita per year of Afghanistan, the Democratic Republic of the Congo, Somalia and Southern Sudan were surprisingly similar. They fell within one of the following ranges:

A. Below 10 US$ per capita per year
B. 10–20 US$
C. 21–30 US$
D. 31–40 US$
E. Above 40 US$

9. Drug donations are commonplace in crisis contexts. Which one of the following statements holds TRUE in most disrupted health sectors?

A. Drug donations are a vital component of an emergency response, and should be encouraged.
B. Without adequate controls, the negative effects of drug donations are likely to offset their benefits.
C. No major effort should be devoted to regulating drug donations, because their weight is usually marginal.
D. Recent research has highlighted the positive effects of drug donations on healthcare provision in crisis-affected health sectors. Thus, international agencies are actively trying to promote them.

10. Which one of the following statements is TRUE? In a complex emergency in a low-income country,

A. User fees do not have a negative impact on equity.
B. The coverage of health insurance is limited.
C. Private health spending represents an insignificant proportion of total spending.
D. Government spending is redirected to capital expenditure.