INTRODUCTION
The use of electronic health records over paper-based systems and the need to
exchange health information over the network have become part of the global
trend.
Using mobile devices and other medical connected gadgets to disseminate health
information has improved the coordination of care of patients across the globe.
These trends require that information is secured and delivered in a cost-effective
manner.
However, these developments have escalated the proliferation of vulnerabilities and
other security threats.
Most health systems are vulnerable and therefore they are exposed to a number of
threats.
This subsequently poses a risk which is usually a probability of occurrence of an
undesired event.
This risk is normally expressed as a product of threat, vulnerability and
consequence or impact.
3.
Health providers and health consumers work together to exchange
health information, which must be protected from unauthorized access.
This increases the engagement of patients in decision making and access to health
information.
However, this also raises some security issues because of the threats and
vulnerabilities that are prevalent in healthcare systems.
4.
Vulnerabilities and Threats:
It is well-known that low income countries face a number of challenges.
There are a number of threats that hamper the adoption of patient centric
healthcare services in the developing countries such as:
• Poor and inadequate infrastructure,
• Financial constraints,
• Lack of political will,
• Diverse culture, overpopulation,
• Low technology acceptance,
• Minimal research,
• Limited connectivity,
• Lack of interoperability standards,
• Low literacy levels,
• Scarcity of essential drugs and equipment,
• Inadequate human resource,
• Lack of policies and
• Legal framework and high prevalence rate of non-communicable diseases.
5.
Contd……
In an effort to provide quality service, health providers need to conduct a security
risk analysis in order to quantify and manage health risks.
There are a number of steps which are recommended.
Firstly, there is a need to identify the threats and vulnerabilities that may
compromise the security of health information.
Secondly, the potential threats must be quantified. This analysis
can be either qualitative or quantitative.
Thirdly, possible solutions must be sought to mitigate the security risks. While these
solutions are implemented, they need to be monitored and evaluated in order to
find out if they effectively solve the security problems.
They must be reviewed and well documented. This discussion of the vulnerabilities,
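The four steps above, worked through as a small risk register (an added example, not part of the original slides). It uses the introduction's definition of risk as the product of threat, vulnerability and consequence; every figure, the band thresholds and the function names are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    threat: float         # likelihood of the threat per year, 0..1
    vulnerability: float  # chance it succeeds against current controls, 0..1
    consequence: float    # cost of the impact if it succeeds

    @property
    def score(self) -> float:
        """Quantitative risk: threat x vulnerability x consequence."""
        return self.threat * self.vulnerability * self.consequence

BANDS = ("low", "medium", "high")

def band(score, medium_from=1_000, high_from=10_000):
    """Qualitative rating; the two thresholds are assumptions."""
    if score >= high_from:
        return "high"
    return "medium" if score >= medium_from else "low"

# Step 1: identified threats. All figures are constructed sample values.
REGISTER = [
    Risk("equipment and software failure", 0.8, 0.7, 10_000),
    Risk("malware", 0.6, 0.5, 50_000),
    Risk("natural hazards", 0.05, 0.9, 15_000),
    Risk("human and medical error", 0.9, 0.4, 20_000),
]

def rank(register):
    """Step 2: order risks so the largest expected loss is treated first."""
    return sorted(register, key=lambda r: r.score, reverse=True)

def mitigate(risk, vulnerability_after):
    """Step 3: a control lowers vulnerability; threat and consequence stay."""
    return replace(risk, vulnerability=vulnerability_after)

def effective(before, after, target="low"):
    """Step 4: the control worked only if residual risk reached the target band."""
    return (after.score < before.score
            and BANDS.index(band(after.score)) <= BANDS.index(target))

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:32} {r.score:>9.0f}  {band(r.score)}")
```

A control that only moves a risk from high to medium is reported as not effective against a target of low, which is the monitoring and evaluation step the slide asks for.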
6.
WEB APPLICATION VULNERABILITIES
There are weaknesses and flaws in the application software, which threat agents
take advantage of to attack a health system. It is not surprising that health care
organizations are becoming a target for hackers to obtain valuable health
information.
The Open Web Application Security Project (OWASP) provided a list of the 10 most
serious vulnerabilities which threat agents may take advantage of to exploit web
applications.
1. INJECTION
2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
3. CROSS-SITE SCRIPTING (XSS)
4. INSECURE DIRECT OBJECT REFERENCE
5. SECURITY MISCONFIGURATION
6. SENSITIVE DATA EXPOSURE
7.
8. CROSS-SITE REQUEST FORGERY (CSRF)
9. USING COMPONENTS WITH KNOWN VULNERABILITIES
10. UNVALIDATED
Due to low financial resources, health providers in low-income countries may opt to
use open source software which may have a number of vulnerabilities.
The impact of these is that they may compromise privacy, integrity and
confidentiality of Electronic Health Records (EHR).
8.
MALWARE
Spyware are malicious programs that install themselves on the computer without the knowledge of
the user.
They monitor every activity of the user, thereby compromising the privacy of the user.
They may capture keystrokes of the user and send them to a third party, thereby potentially
exposing usernames and passwords.
Eventually this may compromise confidentiality and privacy of health information.
They may also install unwanted advertising programs called adware. Spyware may automatically be
downloaded from websites. Some free or pirated software may contain spyware.
Others come as an attachment to spam email. Anti-spyware must be installed as a preventive
measure. Once the anti-virus or anti-spyware has been installed, real-time scans, manual
scans or heuristic scans of the computer may be performed. Real-time scans check for malicious
code in a file when it is accessed.
Manual scans check for malware in all files present on the hard drive. Heuristic scans are used to
detect new and unknown malware in the system that has not yet been identified.
9.
EQUIPMENT AND SOFTWARE FAILURE:
With limited financial resources in developing countries, hospital
facilities lack vital medical equipment.
Most of the equipment is funded by donor partners. Unfortunately, once it breaks down, it
becomes difficult to repair the equipment due to the lack of expertise.
This compromises the availability of health services in the public health sector. Poor network
infrastructure remains a big problem.
Most hospitals are not well networked.
Software failure is another threat. Due to the short supply of human resources, including
information technology experts, once the software crashes it becomes a hassle, as it may take
time to fix the problem. Donors are therefore advised to put aside some funds for the training of
personnel in the usage of the equipment and health applications. There is also a need to supply
user manuals together with the equipment. With these user manuals, when the equipment fails,
users may be able to repair the equipment without delay.
10.
HUMAN AND MEDICAL ERROR:
They say that to err is human, but such an error in the health sector may be disastrous. It may
lead to the compromise of trust and even the loss of a precious life.
Due to high levels of illiteracy, it is very difficult to embrace technology. For instance, there is a
high illiteracy rate in developing countries.
The high illiteracy rate has impacted on the quality of the delivery of health services.
EXAMPLE:
High illiteracy levels contributed to the poor quality of data sets that were collected from the
health information system.
This may pose a threat to the integrity of the health data.
Generally, medical errors emanate from a number of factors including poor communication,
ineffective or poor teamwork, cultural barriers, inappropriate resource management and
inadequate staff training.
13.
THREATS
Can include anything that stands in the way of your success.
No practice is immune to threats, but too many people miss, ignore or minimize
these threats, often at great cost.
Threats could include:
• a competitor has an innovative product or service
• a new competitor(s) in your home market
• adverse changes in reimbursement or regulations
• changing insurance plans and/or contracts for major area employers
• competitors have superior access to channels of distribution
• economic shifts
• loss of key staff or associates
• new or increased competition
• seasonality
• shifts in market demand or referral sources
16.
Seven simple rules for successful SWOT analysis
1. Be Specific: Avoid gray areas, vague descriptions or fuzzy definitions.
2. Be Objective: Ask for input from a well-informed but objective third party;
compare it with your own notes.
3. Be Realistic: Use a down-to-earth perspective, especially as you evaluate
strengths and weaknesses. Be practical in judging both sections.
4. Apply Context: Distinguish between where the organization actually is today,
and where it could be in the future.
5. Contrast and Compare: Analyze (realistically) in relation to your competition i.e.
better than or worse than your competition.
6. Short and Simple: Avoid needless complexity and over-analysis.
17.
CONCLUSION
The global trend to adopt a patient-centric approach has indeed enabled the sharing of electronic
health records worldwide.
This has, however, opened up potential threats and vulnerabilities.
Many low-income countries face a number of challenges such as limited financial resources, poor
health facilities, shortage of health professionals, poor network infrastructure and lack of legal
framework.
These challenges have compounded the problems of privacy and security issues.
The paper has endeavoured to highlight the threats and vulnerabilities that are prevalent in
patient-centric health care systems.
With the adoption of a cloud computing platform, most health systems exchange information over
the web.
This paper has therefore outlined the ten most critical web applications vulnerabilities with respect
18.
These vulnerabilities are injection; broken authentication and session
management; Cross-Site Scripting (XSS); insecure direct object references;
security misconfiguration; sensitive data exposure; missing function level access
control; Cross-Site Request Forgery (CSRF) and using components with known
vulnerabilities.
threats are malware; social engineering; equipment and software failure; natural
hazards; human and medical error; theft, malice and strategic attack; insider
abuse of access privileges; insider unauthorised access and outsider intruders.
It must be emphasised that respective solutions and recommendations have
also been succinctly elucidated.
The holistic approach is to devise customised solutions that meet the local
needs of patient-centric systems in a constrained resource environment
specifically in low-income developing countries.