14.1 Security risk management 373
important difference between these processes is that you now have information about how data is represented and distributed and about the database organization for the high-level assets that have to be protected. You are also aware of important design decisions such as the software to be reused, infrastructure controls and protection, etc. Based on this information, your analysis identifies changes to the security requirements and the system design to provide additional protection for the important system assets.
Two examples illustrate how protection requirements are influenced by decisions on information representation and distribution:
1. You may make a design decision to separate personal patient information and information about treatments received, with a key linking these records. The treatment information is much less sensitive than the personal patient information so may not need as extensive protection. If the key is protected, then an attacker will only be able to access routine information, without being able to link this to an individual patient.
2. Assume that, at the beginning of a session, a design decision is made to copy patient records to a local client system. This allows work to continue if the server is unavailable. It makes it possible for a health-care worker to access patient records from a laptop, even if no network connection is available. However, you now have two sets of records to protect and the client copies are subject to additional risks, such as theft of the laptop computer. You, therefore, have to think about what controls should be used to reduce risk. For example, client records on the laptop may have to be encrypted.
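The first design decision above, worked through as an added example (not from the book): records are split into an identity table and a treatment table that share only a keyed pseudonym, so whoever holds the treatment table without the linking key sees routine information only. The use of an HMAC over the patient id as the linking key, the field names and the sample records are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: full records as they exist before identity and
# treatment data are separated.
SAMPLE_RECORDS = [
    {"patient_id": "P1001", "name": "A. Example", "dob": "1970-01-01",
     "diagnosis": "hypertension", "medication": "amlodipine"},
    {"patient_id": "P1002", "name": "B. Example", "dob": "1985-06-30",
     "diagnosis": "asthma", "medication": "salbutamol"},
]
IDENTITY_FIELDS = ("name", "dob")       # sensitive: needs strong protection
TREATMENT_FIELDS = ("diagnosis", "medication")  # routine once unlinked


def pseudonym(patient_id: str, link_key: bytes) -> str:
    """Keyed pseudonym for a patient id (HMAC-SHA256, an assumption of this
    example). Only a holder of link_key can recompute or verify it, which is
    what makes protecting the key sufficient to protect the linkage."""
    return hmac.new(link_key, patient_id.encode(), hashlib.sha256).hexdigest()


def split_records(records, link_key):
    """Separate each record into an identity row and a treatment row that
    share only the pseudonym; no direct identifier enters the treatment table."""
    identity_table, treatment_table = [], []
    for rec in records:
        pid = pseudonym(rec["patient_id"], link_key)
        identity_table.append({"pseudonym": pid, **{f: rec[f] for f in IDENTITY_FIELDS}})
        treatment_table.append({"pseudonym": pid, **{f: rec[f] for f in TREATMENT_FIELDS}})
    return identity_table, treatment_table


def relink(identity_table, treatment_table):
    """Join on pseudonym: the view available only to someone holding both
    tables, which must therefore sit behind the same controls as the key."""
    by_pid = {row["pseudonym"]: row for row in identity_table}
    return [{**by_pid[t["pseudonym"]], **t}
            for t in treatment_table if t["pseudonym"] in by_pid]


def leaks_identity(treatment_table) -> bool:
    """Design check: does any treatment row carry a direct identifier?"""
    return any("patient_id" in row or any(f in row for f in IDENTITY_FIELDS)
               for row in treatment_table)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the linking key the design must protect
    ident, treat = split_records(SAMPLE_RECORDS, key)
    print("treatment table leaks identity:", leaks_identity(treat))
    print("relinked with key holder's tables:", relink(ident, treat)[0]["name"])
```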
To illustrate how decisions on development technologies influence security, assume that the health-care provider has decided to build an MHC-PMS using an off-the-shelf information system for maintaining patient records. This system has to be configured for each type of clinic in which it is used. This decision has been made because it appears to offer the most extensive functionality for the lowest development cost and fastest deployment time.
When you develop an application by reusing an existing system, you have to accept the design decisions made by the developers of that system. Let us assume that some of these design decisions are as follows:
1. System users are authenticated using a login name/password combination. No other authentication method is supported.
2. The system architecture is client-server, with clients accessing data through a standard web browser on a client PC.
3. Information is presented to users as an editable web form. They can change information in place and upload the revised information to the server.

