The first lecture focused on the importance of information security and highlighted various factors that affect information systems. An organization has to deal with various security issues and should also be aware of risk estimation. Information security can be categorized as network security, administrative and organizational information security, physical security, data/information security and security of usage. There are several challenges that an organization has to face while implementing security. For example, there are human and technological factors which pose challenges to the organization. In our case discussion, we found that Sunnylake had the problem of hacking because of these two challenges.
Our discussion was particularly based on three issues:
- Immediate solution to the problem,
- The mistakes that led to that situation,
- Security plans for the future.
Regarding the immediate solutions, most of us agreed to pay the hackers because the hospital could not risk its reputation and the lives of patients. After paying the hackers, if they got access to the system, most of us agreed on printing the records, informing the police and isolating the network from the Internet.
Out of all the mistakes, there were two points which matched exactly what we had learned in the lecture. They can be categorized as technical and human factors. Sunnylake faced the situation when someone was downloading antivirus or uploading an existing application; this is the human factor. It seems that the IT department does not have efficient security tools for restricting the execution of bugged software without the approval of an IT administrator, and that it does not have an updated or upgraded security system; this is the technical factor.
Security plans for the future include implementation of strict security policies, installation of a network-based infection detection system, limited access for users, blocking potentially dangerous ports and websites, email filtration, isolating the intranet from the Internet, upgrading the system with trained IT security professionals and training the staff. There are also some good points that can be taken from the lecture notes. For example, critical information should have an individual owner. Information security should be included in staff agreements, so that no one can be careless about executing bugged software. User validation, restriction, and security awareness can greatly reduce IS misuse and promote a security environment.
How should Sunnylake deal with the attack?
My opinions on the discussion questions are as follows:
The case of Sunnylake is very complicated, one where people have to make uncertain decisions rationally. Decisions can be risky, consequences may not turn out as expected, and that sometimes becomes a matter of luck.
This clearly shows that the hospital needs the information instantly and they cannot wait any longer. And, if they wait for Jacob to solve the problem and anything goes wrong with the patient, the hospital may have to pay thousands of dollars as compensation to the patients and for legal procedures. Therefore, it would be wise to pay the hackers and get access to the system.
Once they get access to the system, they can instantly make a backup of the records or print them. Then they can isolate their intranet from the Internet. After that, they can go for other options, like calling the police, building another system, making security policies, etc.
What if they want more?
I would say it merely depended upon how Paul bargained with the hackers. There was also the chance that the hackers would have kept on demanding more and more once he paid. If the hackers had asked for more money, then they could have been sure that they could never access their information, and they would have had to rely upon their own IT team and wait until Jacob solved it in his way. There could be other possibilities, like "what if the hackers give limited access?"
So, these things do not have any perfect reasoning.
Do you think the staff, patients and maybe the media know about the blackmail/missing EMR?
Regarding the information leakage, if they call the police, the media may know about the blackmail. If they were late in dealing with the hackers, the nurses/staff would definitely know, because they also rely upon the EMR. After that, the patients will know and it will soon be news in the media.
How could Sunnylake avoid these kinds of incidents in the future?
Regarding the last question, I believe that there are two main factors that contributed to ending up in the described situation.
- Lack of security training: Actually, the case states that they faced this situation when someone was downloading antivirus or uploading an existing application. So, if the staff had been trained about security, they would not have faced this problem.
- Lack of efficient security tools: It seems that the IT department does not have efficient security tools for restricting the execution of bugged software without the approval of an IT administrator. It also seems that the IT department had not updated or upgraded their security system.
In my opinion, apart from security tools and training, I think they should try the Linux operating system and its security features. It is believed that Linux offers the highest security environment.
And, they can isolate their network from the rest of the Internet. If patient information is so important for them, then they can isolate their computers (used for medical information) from the outer world.
If they need Internet access, they can use other computers which do not have access to medical records.