100%(2)2 out of 2 people found this document helpful
This preview shows page 10 - 13 out of 14 pages.
Access Control Concepts and CapabilitiesWhen determining the appropriate access controls, it is important to identify the criticalsystems ranging from high to low. Once these systems have been identified the appropriatecontrols can be set in place. In a hospital environment, PII is used often from check-in andcheckout systems, electronic records and other various medical systems (Hamidovic, 2012).Security models are implemented to define which users are allowed or disallowed accessto levels of information (Incapsula, 2014). Some examples of security models that will bediscussed are the Biba Integrity Model, Bell-LaPadula model, Lipner model, and the Brewer-Nash, or Chinese wall, model. About the MILS architecture, security models provide theassurances for the integrity and confidentiality of data.The Biba Integrity Model focuses on data integrity. Integrity levels are assigned toobjects (data) and only users that are assigned permissions for the same or higher levels ofintegrity, or accuracy, can read this data. Data modification in the Biba Model is only allowed byusers with the same permission level as the data; no modification of higher-level data is allowed.The Bell-LaPadula Model ensures data confidentiality. The Bell-LaPadula rule can besummarized as a way through which a user can modify the information at the same or higherlevels, but cannot modify information at a lower level (Tipton & Hernandez, 2013, p.934).
DATABASE SECURITY ASSESSMENT11Tipton & Hernandez (2013, p. 934) state that the limitation with this model is that it cannot limitor allow access based on need-to-know and does not cover any concerns of integrity oravailability.The Brewer-Nash (Chinese wall) Model is concerned with data that can be associatedwith conflict of interest (Tipton & Hernandez, 2013). A user cannot access data about more thanone client in any given competitive field, which limits a user’s ability to share competinginformation with vendors in the same field and also means that the access rules in this modelchange depending on the type of data a user accesses first. Accurate implementation of the security model for protecting confidentiality andintegrity of sensitive data involves ensuring that risk analysis has been completed and potentialrisks and vulnerabilities have appropriate mitigations in place and that the safeguards in place fore-PHI are HIPAA compliant. Insecure handling incidents must be addressed as soon as theincident is discovered and a report to the hospital Chief Information Officer (CIO) immediatelyso the full impact can be investigated and reported as per HIPAA Breach Notification Rule.Test Plan RequirementsTo ensure the database works according to specifications, it is recommended that testingis conducted before implementation of the product. It is important to prevent information leakageand improper error handling within the database. If an error takes place within the database,error messages should not be displayed (Incapsula, 2014). The intent of not displaying the errormessage is to limit the amount of information about the database for public viewing; attackscould be based off messages associated with errors. This can be avoided by conducting a codereview for improper handling and limit error handling. This task will be time-consuming, butwell worth it to protect the database containing medical health records.
DATABASE SECURITY ASSESSMENT12The database will, also, be tested for database dumps or other associated errors.