Database security assessment. Overview for the Vendors
As a security architect and cryptography specialist for Superior Health Care, you're familiar with the information systems throughout the company and the ranges of sensitivity in the information that is used, stored and transmitted. You're also expected to understand health care regulations and guidelines because you're responsible for advising the chief information security officer, or CISO, on a range of patient services, including the confidentiality and integrity of billing, payments, and insurance claims processing, as well as the security of patient information covered under the Health Insurance Portability and Accountability Act, or HIPAA.
You also have a team of security engineers (SEs) that helps implement new cryptographic plans and policies and collaborates with the IT deployment and operations department during migrations to new technology initiatives. This week, the CISO calls you into his office to let you know about the company's latest initiative.
"We're implementing eFi, web-based electronic health care, and that means we need to modernize our enterprise key management system during the migration," he says. The CISO asks for an enterprise key management plan that identifies the top components, possible solutions, comparisons of each solution, risks and benefits, and proposed risk mitigations.
Step 1: Provide an Overview for Vendors
As the contracting officer's technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What departments or individuals will use the Security Concerns Common to All RDBMS, and for what purposes?
Step 2: Provide Context for the Work
Now that you have provided vendors with an overview of your hospital's needs, you will provide the vendors with a context for the work needed.
Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate.
It is important to understand the vulnerability of a relational database management system (RDBMS). Read the following resources about RDBMSs.
error handling and information leakage
insecure handling
cross-site scripting (XSS/CSRF) flaws
SQL injections
memory leakage
insecure configuration management
Provide an overview including the types of data that may be stored in the system and the importance of keeping these data secure. Include this information in the RFP.
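Of the RDBMS weaknesses listed above, SQL injection is the one a vendor can demonstrate and rule out most directly. The following is an added example, not part of the assignment text or any vendor's product: a constructed patient lookup against an in-memory SQLite table (standing in for the hospital RDBMS) written twice, once with the caller's value spliced into the SQL text and once with the value bound as a parameter. The table, patient IDs and names are invented for the illustration.

```python
"""Added example (not from the assignment or the essay): an injectable patient
lookup next to its parameterized form, using in-memory SQLite as a stand-in
for the hospital RDBMS. All data below is constructed for the example."""
import sqlite3

# Constructed sample rows: (patient_id, name, date_of_birth).
SAMPLE_PATIENTS = [
    ("P-1001", "Alice Example", "1980-04-12"),
    ("P-1002", "Bob Example", "1975-09-30"),
]


def make_db():
    """Create and populate the in-memory database used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (patient_id TEXT PRIMARY KEY, name TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def lookup_unsafe(conn, patient_id):
    """Vulnerable form: the caller's string becomes part of the SQL text, so a
    value containing quotes can change the WHERE clause itself."""
    sql = "SELECT patient_id, name FROM patient WHERE patient_id = '%s'" % patient_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, patient_id):
    """Hardened form: the driver binds the value separately from the query, so
    whatever the caller supplies is compared as data and never parsed as SQL."""
    sql = "SELECT patient_id, name FROM patient WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


def demo():
    """Run both lookups with a legitimate ID and with a crafted value that
    turns the unsafe query's WHERE clause into an always-true condition."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {
        "legit_unsafe": lookup_unsafe(conn, "P-1001"),
        "legit_safe": lookup_safe(conn, "P-1001"),
        "crafted_unsafe": lookup_unsafe(conn, crafted),   # returns every row
        "crafted_safe": lookup_safe(conn, crafted),       # returns no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

For an RFP, the point to require is the second form (bound parameters or an equivalent prepared-statement interface) everywhere the web tier touches the database; the first form is what an audit of the vendor's code should flag.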
Step 3: Provide Vendor Security Standards
In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes.
Read the following resources to prepare:
Database Models
Common Criteria (CC) for information technology security evaluation
evaluated assurance levels (EALs)
continuity of service
Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks.
Include these security standards in the RFP.
Step 4: Describe Defense Models
Now that you have established security standards for the RFP, you will define the use of defense models. This information is important since the networking environment will have numerous users with different levels of access.
Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, click the link and read about defensive principles.
Read these resources on enclave computing environment:
enclave/computing environment
cyber operations in DoD policy and plans
Explain how enclave computing relates to defensive principles. The network domains should be at different security levels, have different levels of access, and different read and write permissions.
Define enclave computing boundary defense.
Include enclave firewalls to separate databases and networks.
Define the different environments you expect the databases to be working in and the security policies applicable.
Provide this information in the RFP.
Step 5: Provide a Requirement Statement for System Structure
In the previous step, you identified defense requirements for the vendor. In this step of the RFP, you will focus on the structure of the system.
Provide requirement statements for a web interface to:
Allow patients and other healthcare providers to view, modify, and update the database.
Allow integrated access across multiple systems.
Prevent data exfiltration through external media.
State these requirements in the context of the medical database. Include this information in the RFP.
Step 6: Provide Operating System Security Components
In the previous step, you composed requirement statements regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms.
Read these resources on operating system security. Then:
Provide requirements for segmentation by operating system rings to ensure processes do not affect each other.
Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring.
Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. In those specifications:
Describe the expected security gain from incorporating TPM.
Provide requirement statements that adhere to the trusted computing base (TCB) standard.
Provide examples of components to consider in the TCB.
Provide requirements of how to ensure the protection of these components, such as authentication procedures and malware protection.
Read the following resources to familiarize yourself with these concepts:
trusted computing
trusted computing base
Include this information in the RFP.
In the following step, you will write requirements for levels of security.
Step 7: Write Requirements for Multiple Independent Levels of Security
The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Access to the data is accomplished using security concepts and security models that ensure the confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge.
Step 8: Include Access Control Concepts, Capabilities
In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems.
Include requirement statements in the RFP that the vendor must identify the types of access control capabilities it offers and how they enforce access control.
Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access.
Include the requirement statements in the RFP.
In the next step, you will incorporate additional security requirements and request vendors to provide a test plan.
The healthcare database should be able to incorporate multiple independent levels of security (MILS) because the organization plans to expand the number of users.
Write requirement statements for MILS for your database in the RFP.
Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model.
Indicate any limitations for the application of these models.
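To make the definitions concrete, the following is an added example (not part of the assignment text) that writes the Bell-LaPadula confidentiality rules and the Biba integrity rules as access checks over a constructed set of hospital subjects and records. The security and integrity labels, the subjects and the records are invented for the illustration; the Chinese Wall model is not modelled here. The example also shows one of the limitations the step asks for: Bell-LaPadula alone would let a low-integrity source write a clinical record, and it takes the Biba check to stop that.

```python
"""Added example (not from the assignment): Bell-LaPadula and Biba access
checks over constructed hospital subjects and objects. Labels are invented."""

# Confidentiality lattice used by Bell-LaPadula (higher number = more secret).
CONF_LEVELS = {"public": 0, "internal": 1, "phi": 2}
# Integrity lattice used by Biba (higher number = more trustworthy).
INTEG_LEVELS = {"untrusted": 0, "verified": 1, "clinical": 2}


def dominates(levels, a, b):
    """True when label a is at or above label b in the given lattice."""
    return levels[a] >= levels[b]


def blp_allows(subject_clearance, object_class, op):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return dominates(CONF_LEVELS, subject_clearance, object_class)
    if op == "write":
        return dominates(CONF_LEVELS, object_class, subject_clearance)
    raise ValueError("unknown operation: %s" % op)


def biba_allows(subject_integrity, object_integrity, op):
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return dominates(INTEG_LEVELS, object_integrity, subject_integrity)
    if op == "write":
        return dominates(INTEG_LEVELS, subject_integrity, object_integrity)
    raise ValueError("unknown operation: %s" % op)


def check(subject, obj, op):
    """Grant only when both the confidentiality and the integrity model agree."""
    conf_ok = blp_allows(subject["clearance"], obj["classification"], op)
    integ_ok = biba_allows(subject["integrity"], obj["integrity"], op)
    return conf_ok and integ_ok


# Constructed subjects: clearance governs what they may see, integrity how far
# the system trusts what they write.
SUBJECTS = {
    "physician": {"clearance": "phi", "integrity": "clinical"},
    "billing_clerk": {"clearance": "internal", "integrity": "verified"},
    "patient_portal": {"clearance": "phi", "integrity": "untrusted"},
}

# Constructed objects (records) with a classification and an integrity label.
OBJECTS = {
    "lab_result": {"classification": "phi", "integrity": "clinical"},
    "invoice": {"classification": "internal", "integrity": "verified"},
    "public_notice": {"classification": "public", "integrity": "verified"},
}


def decisions():
    """Evaluate a handful of representative requests and return the outcomes."""
    requests = [
        ("physician", "lab_result", "read"),       # clinician reads PHI
        ("billing_clerk", "lab_result", "read"),   # no read up: denied
        ("billing_clerk", "invoice", "write"),     # same level both ways: allowed
        ("physician", "public_notice", "write"),   # no write down: denied
        ("patient_portal", "lab_result", "read"),  # portal may display PHI
        ("patient_portal", "lab_result", "write"), # BLP allows, Biba denies
    ]
    return {
        (s, o, op): check(SUBJECTS[s], OBJECTS[o], op) for s, o, op in requests
    }


if __name__ == "__main__":
    for (s, o, op), allowed in decisions().items():
        print("%-14s %-5s %-14s -> %s" % (s, op, o, "allow" if allowed else "deny"))
```

The last request in the list is the instructive one for the RFP: with Bell-LaPadula alone, a portal cleared to read PHI could also write into a clinical record, because writing at the same confidentiality level is permitted; the Biba no-write-up rule is what keeps untrusted input out of clinical data.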
Read the following resources and note which cybersecurity models are most beneficial to your database:
multiple independent levels of security (MILS)
cybersecurity models
insecure handling
Include requirement statements for addressing insecure handling of data.
Include this information in your RFP.
Step 9: Include Test Plan Requirements
In the previous step, you defined access control requirements. Here, you will define test plan requirements for vendors.
Incorporate a short paragraph requiring the vendor to propose a test plan after reviewing these guidelines for a test and remediation results (TPRR) report.
Provide requirements for the vendor to supply an approximate timeline for the delivery of technology.
Note: In-text citations, the end product, and the time of delivery are very important for this paper. Thank you.
Database Security Assessment
Database Security Assessment
Overview for the Vendors
The National Military Hospital (NMH) is an American academic health center and a leader in military medical readiness. Its mission is to provide care for those who are privileged to serve, to support military beneficiaries, and to lead the world in transforming the teaching and practice of military medicine. The National Military Hospital cannot continue to provide excellent, quality care to its patients if it cannot ensure the security and availability of their Protected Health Information (PHI) (Snell, 2016). NMH, in collaboration with its System Security Engineers (SSEs) team, is seeking proposals to transition all health records to a new medical healthcare database management system that will maintain Electronic Health Records (EHR). The transition is urgent because of the recent cyber-attacks on the healthcare industry.
Databases are usually considered the foundation of any use of information, and this Request for Proposal (RFP) represents a request for estimates on performing the work, delivering the technology, and providing service. The RFP is tailored to each endeavor and is imperative in the world of IT contracting and acquisitions. The SSEs will determine the security specifications for the medical healthcare database management system. The RFP will outline the requirements for the system and give a standard for weighing the performance of the vendors. The SSEs will research the different methods of attack, their prevention, and what the potential vendors require.
All data in the medical healthcare database management system will be confidential and sensitive and will contain Personally Identifiable Information (PII) and PHI. It is incredibly important that this data be protected through compliance requirements so that it remains confidential and available only to authorized personnel. PHI is also considered more valuable to cybercriminals than PII, so it must be safeguarded because it is highly sought after and because of its sensitivity to patients. Patients need to be able to rely on the National Military Hospital to ensure the confidentiality, availability, and integrity of their PHI (Snell, 2016). The National Military Hospital is determined to prevent a cyber-attack or data loss and will continue to make helping its patients its highest mission.
The context for the work
The hospital information system (HIS) will maintain databases for patient registration, centralized storage of patient information, order entry, management of charges and billing, patient arrivals and procedure management, and will maintain the master patient index (MPI). The database attributes will include data fields for patient name, date of birth, ethnicity, gender, address, alias, SSN, and service type. The functional requirements are detailed below.
The Health Insurance Portability and Accountability Act requires caregivers and any of their business associates that transmit health data in electronic form to protect it from any reasonably anticipated threat to the security or integrity of the data. Security assurance means that the level of confidence the system's security requires is met; it can be demonstrated using one of the seven Evaluation Assurance Levels for functional security requirements.
Vendor Security Standards
Every vendor is required to address the areas of database and system security and must also comply with federal regulations, incorporating the Federal Information Security Modernization Act (FISMA) (Cobb, 2013). FISMA requires every federal agency to develop, document, and implement an agency-wide program that provides information security for the information and the systems that support its operations. Because this is a medical facility for the military, it falls under the Common Criteria and evaluated assurance levels.
The Common Criteria (CC) are an international standard for computer security, set up to evaluate IT systems and determine the level at which the system and its resources are protected. The Common Criteria were created by six countries to help engineers evaluate a specific system against a set of already defined security requirements. Vendors must complete a Security Target description to get a product evaluated. A Security Target may claim that the target product conforms to one or more Protection Profiles. The target is evaluated against the Security Functional Requirements in its Security Target. The process lets the vendor tailor the evaluation to the product's intended capabilities. The Evaluation Assurance Level (EAL) is the part of the CC method through which the Security Assurance Requirements establish a level of confidence in a product (Dark & Andrrews, 2012): it ranks IT products or systems by the level at which they have been tested, on a scale of 1 to 7, with 1 the lowest and 7 the highest. The higher the level, the more confidence the consumer can have that the product's functional security needs have been achieved.
Defense Models
The following list provides several examples of best practices for hardening the physical and logical security of databases (Dark & Andrrews, 2012). Maintaining database hardening best practices will help the healthcare organization store HIPAA data securely and prevent general data loss or unauthorized access to the database.
Physical database Security
The first line of defense in properly securing a database is improving the physical security of the database hardware. The hardware should be stored in a secured, locked, and monitored space. By doing so, database administrators (DBAs) can control access to the hardware, preventing unauthorized entry to the space, theft, or physical damage. The database server should also be partitioned from any application or web servers the organization runs on the network.
Firewalls
Databases must also be protected on the logical network. Industry best practices call for database servers to be located behind a firewall. No one other than DBAs should have access to the database server (Hamidovic, 2012). As such, the firewall's rules should deny all non-DBA traffic by default. If the server is needed for daily operations, such as an established connection between the database and a web server, then the DBA must maintain a whitelist of devices and users with approved access.
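The deny-by-default posture with a DBA-maintained whitelist can be checked before it is pushed to a real firewall. The following is an added example, not part of the essay and not any vendor's product: a small allowlist evaluator for the database listener, run against a constructed set of connection attempts. The listener port, the jump host and web-tier addresses, and the attempts themselves are invented for the illustration; the denied attempts are the ones a monitoring rule should alert on, since all expected traffic is already on the list.

```python
"""Added example (not from the essay): a default-deny allowlist for the
database server's listener, evaluated against constructed connection
attempts. Addresses, ports and host names are invented for the example."""
import ipaddress

DB_PORT = 5432  # assumed database listener port for the example

# Allowlist maintained by the DBA: (label, source network, destination port).
# Anything not matched here is denied; that is the default-deny posture.
ALLOWLIST = [
    ("dba-jumphost", ipaddress.ip_network("10.10.1.5/32"), DB_PORT),
    ("web-tier", ipaddress.ip_network("10.10.2.0/24"), DB_PORT),
]


def decide(src_ip, dst_port):
    """Return ("ALLOW", label) for the first matching allowlist entry,
    otherwise ("DENY", "default")."""
    src = ipaddress.ip_address(src_ip)
    for label, net, port in ALLOWLIST:
        if src in net and dst_port == port:
            return ("ALLOW", label)
    return ("DENY", "default")


# Constructed connection attempts as a firewall might log them: (source, port).
SAMPLE_ATTEMPTS = [
    ("10.10.1.5", 5432),    # DBA jump host to the database: expected
    ("10.10.2.17", 5432),   # web server to the database: expected
    ("10.10.2.17", 22),     # web server to SSH on the DB host: not allowed
    ("10.10.3.9", 5432),    # host outside the web tier: not allowed
    ("192.0.2.44", 5432),   # external address: not allowed
]


def evaluate(attempts):
    """Apply the policy to each attempt; returns (src, port, action, reason)."""
    return [(src, port) + decide(src, port) for src, port in attempts]


def denied(attempts):
    """The attempts worth alerting on: with expected traffic allowlisted,
    anything denied is either a misconfiguration or a probe."""
    return [r for r in evaluate(attempts) if r[2] == "DENY"]


if __name__ == "__main__":
    for src, port, action, reason in evaluate(SAMPLE_ATTEMPTS):
        print("%-12s :%-5d %-5s (%s)" % (src, port, action, reason))
```

Keeping the allowlist as data rather than as hand-edited firewall rules lets the DBA review and version it, and lets the same list drive both the enforcement rules and the detection rule for denied attempts.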
Database Software
Often overlooked, the database software must always be kept up to date. Software updates contain security patches and bug fixes for issues the developers have identified as potential sources of vulnerabilities (Dark & Andrrews, 2012). Additionally, all unused functions of the software must be removed or turned off. Limiting the database to only what is necessary for operations prevents unwanted misuse of the database. Password security is also of vital importance to database security. It is the responsibility of the DBA to change all default passwords stored in the database, as well as to maintain a password log.
Application/Web Servers
Should the database be used in daily operations, such as by establishing and maintaining a secure connection to a web server, all endpoint systems must meet the minimum security threshold maintained on the database server. Should an endpoint system become compromised, there must be no means by which an attacker can hop from an application or web server to the database server. Particularly in the healthcare industry, such an event would be catastrophic and would expose thousands of sensitive patient medical records to the attacker.
Requirement Statement for System Structure
The requirement statement for system structure explains the database and its web input interface, which health care providers and patients will use to view, obtain, modify, and update the data held in the database. This document is directed to all participants within the hospital sector: staff, patients, doctors, and developers. The main objective of the software is to take in information provided by patients and keep it in the hospital database (Cobb, 2013). The stored data is used to keep track of the interactions of doctors with the patients affiliated with the hospital. A unique patient number is generated for the patient at the end of the process and is then used for that individual's future visits. The system will also keep a count of patients and give a current, up-to-date picture of how the organization is running. Financial experts will then use the information gathered to create a budget for the upcoming years. The requirements statement will include the results of both the system and business analysis efforts. Further detail is provided below on the user characteristics, general constraints, description of the product, and any assumptions for the system.
This system will perform multiple functions related to the healthcare services provided by the hospital (Cardon, 2018). It gives patients the ability to contact the authorities, find a suitable doctor, and make appointments, as well as providing services for someone seeking a job at th...