Medical facility network design
LIS4482 SECTION 1 MGT NETWORKS & TELCM
Leon County Medical Facility
Medical Facility Network Design
12/3/2012
GROUP MEMBERS: Nephtalie Pierre, John Idasetima, Kensley Agenor
I: EXECUTIVE SUMMARY
We understand that there are plans for a new medical facility. There is a definite need for an efficient and dependable networking infrastructure to support a facility of this type. After receiving your requests and requirements, our group is confident that we can implement a networking infrastructure that:
• Requires minimum upkeep costs
• Supports an organization of 225 users with room for expansion
• Meets the requirements of HIPAA
• Supports offsite workstations
The purpose of this report is to give a better understanding of the plans that we have for this new medical facility. We will give a written description of the physical and logical network diagrams that are in Appendix A and B. This report also includes network policies for standard operating procedures (SOP) covering Internet Access, Printing, Storage Allocation, E-mail Usage, User Administration, Naming Conventions, Protocol Standards, Workstation Configuration (hardware & software), Network Device Placement, Environmental Issues, Power, and applying Patches to operating systems.
We will also include documentation of security policies. This documentation will include procedures for user account access, password requirements, network access, hardware firewalls, encryption use, logging practices, physical building/hardware access rules, Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), and regular vulnerability assessments. It will include the procedure for handling security violations as well.
NETWORK POLICIES
1.0 Introduction
Technologies have become an integral part of the lives of medical patients everywhere, and our medical staff depend on them to ensure patient safety and overall good health. These technologies can make the difference in a life-and-death situation if they are not used effectively and correctly.
This Standard Operating Procedure applies to all integrated medical staff, medical patients, and users who will be utilizing the following: Internet access, printers, Storage Allocation, E-mail Usage, User Administration, Naming Conventions, Protocol Standards, Workstation Configuration (hardware & software), Network Device Placement, Environmental Issues, Power, and applying Patches to operating systems. The Standard Procedure that follows explains how we intend to do this in order to help protect medical records, staff, patient, and user information, privacy, and the overall performance of the network.
1.1 Internet Access
Access to the Internet and the other networking components can put medical staff and patients in potential danger if used inappropriately, because of the sensitive documents and medical records involved. All users with Internet access need to abide by the following rules:
· Unauthorized access to, or sharing of, medical records and other personal information with a 3rd party company is prohibited.
· The sharing / distribution of personal images of patients or medical staff at work without an
individual’s consent or knowledge is prohibited.
· Do not access unsuitable video (pornography) / Internet games, etc.
· Illegal downloading of music or video files, or any download that is not work related, is not allowed.
· Potentially excessive use of the Internet for personal social networking (Facebook, Twitter, LinkedIn, etc.) may result in termination of Internet access.
Remember that access to the Internet is a privilege and not a right. Failure to follow the basic rules and guidelines above may result in serious consequences: loss of job, fines, and possible imprisonment.
SECURITY POLICY
The Leon County Medical Facility local area network is critical to the provision of information services to Leon County Medical Facility staff and patients. Specific security measures and procedures will be implemented to protect the confidentiality of information transactions being processed on the network and to keep critical systems operational. Because all employees of LCMF are encouraged and expected to use the network for work related activities, security risks have increased and more stringent practice in protecting resources is necessary. These security procedures are addressed in the following network security policy.
The purpose of this policy is to emphasize to all LCMF employees the importance of network security in the medical facility and their roles in maintaining that security. The goal of the LCMF Information Security Policy is to preserve the integrity, availability and confidentiality of all employee and patient information. The LCMF Network Access Policy applies equally to all individuals with access to any LCMF network. The intent of this Security Policy is to protect the information assets owned by LCMF.
This security policy will give an overview of procedures for the following: user account access, password requirements, network access, hardware firewalls, encryption use, logging practices, physical building/hardware access rules, Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), and regular vulnerability assessments.
User Account Access
All user access attempts will be authenticated by a user name and password. Specific permissions will be assigned to account access rights according to the employee's job position (i.e. system admin, CIO, Doctors, etc.). The user name and password assigned to an employee should NOT be shared. If an employee is found violating this policy, disciplinary actions will be applied.
User accounts will also be organized into groups. Rights and access permissions will be granted individually to users or to a group, in which case they also apply to the group’s members. There will also be special user accounts (also known as maintenance accounts); these will be used for maintaining and managing the network. These accounts will be renamed and only used for performing maintenance functions. Standard accounts will be used for regular day-to-day activities. Additional rights and permissions will be added to a user only if they are needed for the job duty or for a promotion that requires them.
When a user account is no longer needed, the account will either be deleted (i.e. if an employee leaves the company) or disabled (i.e. if the employee will be gone for an extended period), so that no one has access.
Password
Passwords are very important to information security. Passwords must be at least eight characters long. A password should also meet three of the following requirements:
• uppercase characters
• lowercase characters
• numbers (0-9)
• non-alphanumeric characters (for example: !, $, #, or %)
Three password attempts are allowed. If login fails, the user will be locked out and an Administrative password will be required for access. We will also enforce password history: users will have to create at least 25 passwords (including the current one). This will keep users from reusing old ones, making the network more secure. There will be a maximum password age. Users will be notified days before to change passwords. The password must be changed every 60 days. Employees may not disclose their passwords to anyone or display them anywhere they may be seen.
Network access
We will be using a network management system to monitor and maintain the network. This program is crucial for up-to-date information on the health of the network. The network management system reduces the time involved in managing the network by performing performance checks and configuration changes as well as notifying of network failures.
Employees are permitted to use only those network addresses issued to them by LCMF information security personnel. Employees cannot extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point on the LCMF network without LCMF information security personnel approval. Employees cannot install network hardware or
software that provides network services without LCMF information security personnel approval. Employees are not permitted to alter network hardware in any way.
Desktop workstations will only have wired access. Laptops can use wired or wireless access. Wireless access will be secured by WPA2.
Encryption use
Physical building/Hardware access rule
The server room can only be accessed with a passcode as key. Only IT administrative employees will have access. The room will be kept at 70 degrees Fahrenheit.
Intrusion Detection System
Intrusion detection is very important in enforcing organizational security policy. Intrusion detection systems provide assurance that the systems and networks are secure from identifiable threats and/or threat agents. Audit logs from the perimeter access control systems will be monitored/reviewed daily by the security analyst. System integrity checks of the firewalls and other network perimeter access control systems will be performed on a monthly basis. Host-based intrusion tools will be checked on a weekly basis. All trouble reports will be reviewed for anything that indicates intrusive activity. All suspected and confirmed instances of successful and attempted intrusions must be immediately reported.
Procedure for violating security policy
If any employees are found guilty of violating these security policy procedures, they are subject to the following: Verbal/written warning, Final warning, and/or Suspension or Termination.
DISASTER RECOVERY POLICY
The Disaster Recovery Plan ensures data integrity and redundancy in the case of unexpected data loss (i.e. power outage, fire, water damage). Since the information being held by this facility is so critical, we suggested having two separate disaster recovery plans. These plans can be separated into the onsite disaster recovery plan and the offsite disaster recovery plan.
Onsite Disaster Recovery Plan
Our Onsite Disaster Recovery begins with having generators in the case of sudden power failure. There will be generators to support each building on the facility’s campus. These generators will be powered by the electricity that they constantly store during normal electrical utility conditions.
Though the servers provided in the proposal are top-of-the-line, we have also included a plan in the case of a server failure. This plan entails having two complete servers to run the facility. There will be a third stand-alone server strictly used for back-up. This server will conduct a daily full back-up of each of the other two servers. This server will also take hourly images of each of the servers to stay up-to-date throughout the day.
Offsite Disaster Recovery Plan
The Offsite Disaster Recovery Plan is for the case of loss of communication with all three of the onsite servers. Our Offsite Disaster Recovery Plan involves a third party. This party is the Cerner Corporation. Cerner provides a service called Skybox that is a cloud backup of a medical facility’s
medical files. The files are sent from the facility’s servers to the cloud daily. These files are encrypted. The files are accessible by the medical facility at any time through Cerner programs and the online cloud.
BUDGET
PHYSICAL NETWORK AND LOGICAL DIAGRAM WRITTEN DESCRIPTION
Networking/Logical Design
The network design perfectly suits the situation of this facility. Let’s begin with the four servers that will be implemented.
The Bridges
Since the two buildings cannot be connected through physical means, the buildings will be wirelessly connected through two Cisco WET200 Wireless-G Ethernet bridges. One bridge will be located in the main building and the other in the datacenter. These bridges have an uninterrupted line of sight.
Servers
Dell Power Edge 1620 Power servers will be used for this project. There will be 3 servers at the data center. 1 of these servers will be for the patients' files. Another server will be allocated for the website, email, print, and employee files. The third and final server will be used solely as a backup server for the other two (for more information on this server, please refer to the Onsite Disaster Recovery section). The fourth and final server will be a print server. It will be located in the main building. Each of these servers will be secured by an individual firewall.
Switches
This proposal calls for multiple switches to organize the many departments. There will be
one switch to separate the 3 servers located in the data center. There will be one more switch also located in the data center for the IT department that is within the building. The other 9 switches will be used to separate the numerous departments in the main building.
Wireless Routers
There will be a Cisco 891W Gigabit EN Security Wireless Router on each floor of the facility. The routers will be WPA2 protected. Router access will only be available to employees.
Desktop Workstations
The onsite workstations will be HP Compaq Pro 4300 All-in-one PCs. Each of these workstations will run Windows 7 and only Windows 7.
Laptops
A Dell Latitude E5430 laptop will be provided to each employee that requires a mobile computer. These laptops will be pre-imaged to have all of the programs necessary for the employee’s job.
(The operating systems and specs of all computers will be standardized to an extent so that maintenance is simpler.)
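The password rules in the Password section of the Security Policy above (eight characters, three of four character classes, three attempts, a history of 25, a 60-day maximum age) can be written as enforcement logic. The following Python sketch is an added example, not part of the original report. The names Account and complexity_errors, the PBKDF2 storage scheme, and locking on the third consecutive failure are assumptions made for illustration.

```python
import hashlib, hmac, os
from datetime import timedelta

MIN_LENGTH, MIN_CLASSES = 8, 3       # length and character-class rules from the policy
MAX_ATTEMPTS, HISTORY, MAX_AGE_DAYS = 3, 25, 60

def complexity_errors(pw):
    """Return the list of policy rules the candidate password breaks."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if sum(classes) < MIN_CLASSES:
        errors.append("fewer than 3 of 4 character classes")
    return errors

def _digest(pw, salt):
    # Assumption: PBKDF2-HMAC-SHA256 storage; the report names no hashing scheme.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, pw, now):
        self.history, self.failures, self.locked = [], 0, False
        self.set_password(pw, now)

    def set_password(self, pw, now):
        errors = complexity_errors(pw)
        if any(hmac.compare_digest(_digest(pw, s), d) for s, d in self.history):
            errors.append("matches one of the last 25 passwords")
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        # Newest first; only salted digests of the last 25 passwords are kept.
        self.history = ([(salt, _digest(pw, salt))] + self.history)[:HISTORY]
        self.changed = now

    def login(self, pw, now):
        if self.locked:
            return "locked"                     # an administrator must unlock
        salt, digest = self.history[0]          # newest entry is the current password
        if not hmac.compare_digest(_digest(pw, salt), digest):
            self.failures += 1
            self.locked = self.failures >= MAX_ATTEMPTS
            return "locked" if self.locked else "denied"
        self.failures = 0
        expired = now - self.changed > timedelta(days=MAX_AGE_DAYS)
        return "expired" if expired else "ok"

    def admin_unlock(self):
        self.failures, self.locked = 0, False
```

Because the history holds salted digests rather than plaintext, the reuse check has to re-hash the candidate against each stored salt.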
Group Member Contributions
Nephtalie Pierre contributed to the final product in many ways. Nephtalie was in charge of researching and writing the following: Executive summary, Security policy, and the budget for the network policy. The executive summary just consists of the basic overview of the whole report. The security policy was the longest part to do. Nephtalie researched a lot on the different types of security policies and then proceeded to write the network security policy from there with the help of the book as well as other internet resources. The budget was also time consuming. Researching included finding the hardware that would best complement the new network design as well as looking for the most cost efficient equipment. She also initiated and organized meetings for this group project. She also compiled the final product together.