Tft2 Task 2

Presented Problem

After examining the incident, some key things stick out as major risks. These include:

• Accounts existed before the EHR system was deployed.
• Accounts were undocumented.
• Non-authorized remote users had access to the EHR application.
• An undocumented account was created/added to a new system.
• A method or vulnerability existed to gain privilege escalation outside of the change control policy.

This led me to propose three policies, each addressing some of these key issues from a separate front. The three policies are a Remote Access Policy, an Application Deployment policy, and a Routine Maintenance policy. The Remote Access policy aims to correct the issue that non-authorized users were able to access the EHR …

3. Only computers, PDAs, and cellular phones that are issued and inventoried by the hospital will be eligible for use.

Acceptable Uses

1. Home patient care - access will be limited to using Virtual Desktop access.
2. After-hours prescription services - access will be limited to Physicians and Nurse Practitioners.
3. All other purposes will be handled on a case-by-case basis, and reviewed by the Security and Information Technology Committee.

4. Governing Standards

Asset Inventory Control (ISO 27002:2005, 7.1.1) (NIST, 164.312(a)(1))
Protection from Malicious Software (NIST, 164.308(a)(5)(ii)(b))
User Authentication for External Connections (ISO 27002:2005, 11.4.2)
Isolation for Sensitive Systems (ISO 27002:2005, 11.6.2)
Acceptable use of assets (ISO 27002:2005, 7.1.1)

New Application Deployment and Testing Procedure

1. Purpose

This policy defines standards for new application testing and deployment. These standards are designed to ensure that new applications and services are properly hardened, and that all test data and accounts are removed before placing them into production.

2. Scope

This policy applies to all applications that connect to and/or get installed on any asset that is managed by hospital IT. This includes all web applications, database connectors, desktop software, and server application services.

3. Policy

General

1. All
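The deployment procedure's purpose (test accounts removed before production) and the risks listed under Presented Problem (accounts predating deployment, undocumented accounts, non-authorized remote users) can be turned into a concrete pre-production release gate. The following is an added illustration, not part of the essay or of any hospital's actual tooling; the account export format, the documented-account list, the approval date and the sample usernames are all constructed assumptions.

```python
"""Pre-production account audit (added example; constructed data, not from the essay).

Assumed inputs:
  - EXPORTED_ACCOUNTS: accounts pulled from the new application before go-live,
    each with username, creation date, remote-access flag and role.
  - DOCUMENTED_ACCOUNTS: usernames recorded and approved under change control.
  - DEPLOYMENT_APPROVED: the date the system was approved; any account older
    than this was created outside the deployment's change control.
"""
from datetime import date

# --- constructed sample data (hypothetical; replace with a real export) ---
DEPLOYMENT_APPROVED = date(2024, 3, 1)

DOCUMENTED_ACCOUNTS = {"ehr_svc", "jsmith", "rnurse"}

EXPORTED_ACCOUNTS = [
    {"username": "ehr_svc",    "created": date(2024, 3, 2),  "remote_allowed": False, "role": "service"},
    {"username": "jsmith",     "created": date(2024, 3, 5),  "remote_allowed": True,  "role": "physician"},
    {"username": "rnurse",     "created": date(2024, 3, 5),  "remote_allowed": True,  "role": "nurse_practitioner"},
    {"username": "test_admin", "created": date(2024, 2, 10), "remote_allowed": True,  "role": "admin"},
    {"username": "vendor1",    "created": date(2024, 3, 6),  "remote_allowed": True,  "role": "clerk"},
]

# Roles the Remote Access policy allows to connect from outside (after-hours
# prescription services are limited to physicians and nurse practitioners).
REMOTE_ROLES = {"physician", "nurse_practitioner"}

# Name fragments that usually indicate test or temporary accounts.
TEST_MARKERS = ("test", "temp", "demo")


def audit_accounts(accounts, documented, approved_on, remote_roles=REMOTE_ROLES):
    """Return a list of (username, finding) tuples; an empty list means clean.

    Each finding maps to one of the risks the policies are meant to address:
      undocumented          - account not in the change-control record
      predates-deployment   - created before the system was approved
      test-account          - looks like test data that must be removed
      remote-not-permitted  - remote access enabled for a role not allowed it
    """
    findings = []
    for acct in accounts:
        name = acct["username"]
        if name not in documented:
            findings.append((name, "undocumented"))
        if acct["created"] < approved_on:
            findings.append((name, "predates-deployment"))
        if any(marker in name.lower() for marker in TEST_MARKERS):
            findings.append((name, "test-account"))
        if acct["remote_allowed"] and acct["role"] not in remote_roles:
            findings.append((name, "remote-not-permitted"))
    return findings


def release_gate(findings):
    """True only when the audit produced no findings; used to block go-live."""
    return len(findings) == 0


if __name__ == "__main__":
    results = audit_accounts(EXPORTED_ACCOUNTS, DOCUMENTED_ACCOUNTS, DEPLOYMENT_APPROVED)
    for username, finding in results:
        print(f"{username:12s} {finding}")
    print("release gate:", "PASS" if release_gate(results) else "BLOCKED")
```

Run before cut-over, the gate blocks the release while any account is undocumented, older than the approval date, test-like, or remote-enabled for a non-permitted role; on the sample data it blocks on test_admin and vendor1 and passes once only the three documented accounts remain.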