
Suppose we have resources that have value for users or institutions. For example


Question

Suppose we have resources that have value for users or institutions. For example, in a medical information system, we keep sensitive information about patients. Unrestricted disclosure of this data would violate the privacy of the patients, while unrestricted modification could jeopardize their health. We need a way to control access to resources, otherwise any active entity could access any resource and we could have confidentiality and integrity problems.

Design a system that can control who is authorized to access specific resources;

- specify its system structure

- security policy principle

- and access control model

Thank you, and it would be nice if the answer is written clearly and explained well! :)

Explanation / Answer

Securing the system requires authentication at each and every step of entering the main system to get complete access to the patient data. A monitoring team needs to be formed to keep a close eye on the employees or staff who are using the system to access the patient databases.

Some factors are required in the system to maintain the highest security:

Specify its system structure: The system structure should have proper authentication measures. Each and every staff member working in the healthcare organization should be properly authenticated by their identity and must have security access keys, so that staff can access the patient databases only after validation. Each data access, with its exact visit time, is likely required to be monitored by the administrator so that if any leakage of data occurs, it can be easily identified from the system.


Security policy principle: Several policies need to be mandated to increase the security of the system. For example, apart from authentication, no staff member of the organization may use any external devices or drives to transfer any file from the system. This needs to be strictly prohibited. The internet should be used only for the official purposes of the working process. No other access should be made from the system, as it could hack or leak the confidential data to the outside world. Email transfers and other documents sent via the internet should follow the necessary requirements of the organization.


Access control model: Authentication is the mandatory approach to accessing the system. Each authentication should involve the details of the user who accessed the system. The control and limitation should be strictly enforced and proctored by the administrator so that all unauthorized access can be strongly secured against and stopped immediately, to ensure the complete end-to-end encryption of the system. From a single page access to file downloads and the time spent on the system, everything needs to be monitored correctly to ensure better security and control of the access made by the staff or by any other person. To ensure the encryption of the medical information, proper authentication with highly restricted access should be enabled in the system.
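One way to realize the authentication step, the access check and the timestamped access trail described in the answer above, as an added example that is not part of the original answer. The role names, permission table, users and record id are constructed, and the role-based, default-deny check is an assumed model that the answer does not name.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

# Constructed roles and permissions (assumptions, not taken from the page).
ROLE_PERMS = {
    "physician": {("patient_record", "read"), ("patient_record", "write")},
    "nurse": {("patient_record", "read")},
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessController:
    def __init__(self):
        self.users = {}      # user -> (salt, password hash, role)
        self.audit_log = []  # append-only trail the administrator reviews

    def add_user(self, user, password, role):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt), role)

    def _authenticate(self, user, password):
        # Unknown users go through the same hashing path, then fail the compare.
        salt, stored, role = self.users.get(user, (b"\0" * 16, b"", None))
        ok = hmac.compare_digest(stored, _hash(password, salt))
        return role if ok else None

    def access(self, user, password, resource, action, record_id):
        """Allow only if the user authenticates AND the role grants the action."""
        role = self._authenticate(user, password)
        if role is None:
            decision = "deny:authentication"
        elif (resource, action) in ROLE_PERMS.get(role, set()):
            decision = "allow"
        else:
            decision = "deny:authorization"  # default deny: no explicit grant
        # Every attempt, allowed or denied, is recorded with its exact time.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": user,
            "resource": resource, "action": action,
            "record_id": record_id, "decision": decision,
        })
        return decision == "allow"

def demo():
    ac = AccessController()
    ac.add_user("dr_lee", "pw-1", "physician")  # constructed sample users
    ac.add_user("nurse_kim", "pw-2", "nurse")
    tries = [("dr_lee", "pw-1", "write"), ("nurse_kim", "pw-2", "write"),
             ("nurse_kim", "bad", "read")]
    return [ac.access(u, p, "patient_record", a, "P-001") for u, p, a in tries], ac.audit_log
```

Denied attempts are logged alongside allowed ones, so the administrator's review covers failed logins and out-of-role requests as well as successful reads and writes.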
