Healthcare organizations increasingly depend on computer-based systems to access critical patient data and to deliver treatment remotely over virtual private networks (VPNs).
Consequently, any disruption of these information systems can have consequences ranging from inconvenience to catastrophe (Loch, Carr & Warkentin, 2002).
While research in both academia and industry has produced effective technical and software-based controls against threats to information systems (Stajano & Wilson, 2011), only a handful of the articles found in the literature databases pay close attention to the physical aspect of information security (Huigang & Yajiong, 2010).
This paper outlines the fundamental steps that need to be considered for the physical security of computers used in an urgent care center to access patient data and the center's email system via a VPN.
Stajano & Wilson (2011) note that effective countermeasures against security threats to information systems depend on first strengthening the human element to make users understand how they can naturally fall victim to fraudsters.
Users, in this case physicians and other health practitioners, therefore need training on how to use the system without compromising the security of the network.
For instance, users could receive formal training on how to sanitize used electronic media containing sensitive patient information before disposal, instead of leaving the information recoverable on the computer drives.
Purging is one such technique: deleting a file normally removes only its directory entry and leaves the data on the drive until it happens to be overwritten, whereas purging overwrites the data so that deleted sensitive files cannot be recovered (Walters, 2007).
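The following Python routine is an added illustration of the purge step described above; it is not part of this paper or of the cited sources. It overwrites a file with random bytes, forces the write to disk, confirms that a constructed sample record can no longer be found, and only then removes the directory entry. The file name and the patient record are constructed for the example. The caveat in the code is a practitioner's: on solid-state drives and on copy-on-write or journaling filesystems, an in-place overwrite may not reach the blocks that held the original data, so device-level sanitization or destruction of a full-disk encryption key is the reliable purge there.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write random data in 64 KiB blocks


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file at `path` with random data `passes` times,
    forcing each pass to disk. Returns the file size in bytes.

    Caveat: this reaches only the logical blocks the filesystem maps to the file.
    On SSDs (wear levelling) and on copy-on-write or journaling filesystems the
    original blocks may survive elsewhere; there, ATA Secure Erase / NVMe Format
    or destroying the full-disk-encryption key is the dependable purge.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the OS cache; push the pass to the medium
    return size


def purge_file(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. A plain os.remove() only drops the directory entry
    and leaves the data blocks intact until something else reuses them."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def contains(path: str, needle: bytes) -> bool:
    """Scan a file for a byte pattern (used here to confirm the plaintext is gone)."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo() -> dict:
    """Constructed scenario: a CSV export of fictional patient records is purged.
    Returns the observations so a caller can check them."""
    marker = b"MRN-000042,Doe,Jane,1980-01-01\n"  # constructed sample record, not real data
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "patient_export.csv")
    with open(path, "wb") as f:
        f.write(marker * 100)

    before = contains(path, marker)        # True: the record is on disk
    overwrite_in_place(path)               # pass 1: plaintext gone, file still present
    after = contains(path, marker)         # False: only random bytes remain
    size = purge_file(path)                # one more pass, then drop the directory entry
    os.rmdir(tmpdir)
    return {
        "expected_size": len(marker) * 100,
        "bytes_overwritten": size,
        "marker_before": before,
        "marker_after": after,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The read-back check is the part worth copying: a purge procedure that cannot show the sensitive bytes are gone is a policy statement, not a control.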
From a holistic security engineering standpoint, computers are vulnerable to theft and other attacks if their immediate physical environment is not secured (Stajano & Wilson, 2011).
Doors leading to the computer rooms must therefore not only be secure but be kept locked, and windows must be adequately grilled, to prevent any unauthorized access to the computer rooms (Walters, 2007).
Indeed, many organizations have a policy restricting entry to the computer and server rooms to authorized personnel, in most cases a systems analyst or administrator. This aspect of physical security is fundamental, since all the other controls depend on how safe the computer or server room is from attack and illegal access.
Engaging trained security personnel and guard dogs to physically protect the information systems is another aspect of physical security that is important yet seldom considered by many organizations (Loch et al., 2002).
Patient data is sensitive in nature, hence the need to take every measure deemed necessary to protect the computers from theft or illegal access.
Trained security personnel therefore form a critical part of the physical security needed to protect the computer rooms and their immediate surroundings from attacks that may result in the theft of computers and, by extension, the loss of critical data (Perrig, Stankovic & Wagner, 2004). Guard dogs are also useful in deterring thieves from entering the urgent care center.
Access to computer areas and server rooms should be restricted through identification badges or authorization cards, so that only authorized health practitioners gain access to these critical areas (Perrig et al., 2004).
For instance, the organization may invest in electronic identification badges that must first be validated by the access control system or the door lock before the holder can enter the room and reach the information stored in the computers.
Research has shown that identification cards and access control points reduce attackers' opportunities to physically tamper with information stored in computer systems, or even to reach the areas where such computers are located (Loch et al., 2002).
Physical security of information systems cannot be complete without authentication processes, via personal identification numbers (PINs), passwords, computer locks and other devices that limit access to authorized users only.
According to Renaud & De Angeli (2009), “…authentication is required to verify that the user’s proffered identity is valid” (p. 135). Physicians and other health practitioners using the VPN to access sensitive patient data should memorize their PINs and passwords rather than writing them down on paper, because a written note can be read by other employees or by outsiders with ulterior motives.
Computer locks can also prevent other employees or strangers from gaining access to the data stored in the computer, or from manipulating the hardware configuration in order to steal data or remotely control the computer system (Stajano & Wilson, 2011).
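The badge-based access control and the PIN authentication discussed in the preceding paragraphs can be combined at the server room door. The Python below is an added example, not code from this paper or its sources, of the decision a door controller would make: the badge must be known and not revoked, the holder's role must be permitted in the zone, and for the server room a PIN is required as a second factor. The zone names, roles, badge identifiers and PINs are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Zone and role names are assumptions for this example. Least privilege: clinicians
# reach the clinic floor, only systems administrators reach the server room.
ZONE_ROLES = {
    "clinic_floor": {"physician", "nurse", "sysadmin"},
    "server_room": {"sysadmin"},
}
# The critical room needs something you have (badge) plus something you know (PIN).
PIN_REQUIRED = {"server_room"}
PBKDF2_ROUNDS = 100_000


@dataclass
class Badge:
    badge_id: str
    holder: str
    role: str
    pin_salt: bytes
    pin_hash: bytes
    revoked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PINs are short and low-entropy; a slow salted KDF makes offline guessing against a
    # stolen controller database expensive. The PIN itself is never stored or written down.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(badge_id: str, holder: str, role: str, pin: str) -> Badge:
    salt = secrets.token_bytes(16)
    return Badge(badge_id, holder, role, salt, hash_pin(pin, salt))


def request_entry(directory: Dict[str, Badge], badge_id: str, zone: str,
                  pin: Optional[str], audit: List[Tuple[str, str, str, str]]) -> Tuple[bool, str]:
    """Decide whether the door opens; every attempt, granted or not, is appended to `audit`."""
    badge = directory.get(badge_id)
    if badge is None:
        outcome = (False, "unknown badge")
    elif badge.revoked:
        outcome = (False, "badge revoked")
    elif badge.role not in ZONE_ROLES.get(zone, set()):
        outcome = (False, "role not permitted in zone")
    elif zone in PIN_REQUIRED and pin is None:
        outcome = (False, "PIN required")
    elif zone in PIN_REQUIRED and not hmac.compare_digest(hash_pin(pin, badge.pin_salt), badge.pin_hash):
        outcome = (False, "wrong PIN")  # constant-time compare: no timing side channel on the hash
    else:
        outcome = (True, "granted")
    audit.append((datetime.now().isoformat(timespec="seconds"), badge_id, zone, outcome[1]))
    return outcome


def demo() -> Tuple[List[Tuple[bool, str]], List[Tuple[str, str, str, str]]]:
    """Constructed scenario with three badges; identities and PINs are fictional."""
    directory = {b.badge_id: b for b in (
        enroll("B-1001", "Dr. A. Example", "physician", "4821"),
        enroll("B-2002", "S. Admin", "sysadmin", "9073"),
        enroll("B-3003", "Former Nurse", "nurse", "1111"),
    )}
    directory["B-3003"].revoked = True  # departed employee: the card still exists, the right does not
    audit: List[Tuple[str, str, str, str]] = []
    results = [
        request_entry(directory, "B-1001", "clinic_floor", None, audit),    # badge alone opens the floor
        request_entry(directory, "B-1001", "server_room", "4821", audit),   # correct PIN, wrong role
        request_entry(directory, "B-2002", "server_room", None, audit),     # right role, no PIN
        request_entry(directory, "B-2002", "server_room", "0000", audit),   # right role, wrong PIN
        request_entry(directory, "B-2002", "server_room", "9073", audit),   # both factors correct
        request_entry(directory, "B-3003", "clinic_floor", None, audit),    # revoked card
        request_entry(directory, "B-9999", "clinic_floor", None, audit),    # unknown card (lost or cloned)
    ]
    return results, audit


if __name__ == "__main__":
    for (granted, reason), entry in zip(*demo()):
        print(entry, "->", "OPEN" if granted else "DENIED", f"({reason})")
```

Two design points follow from the paper's argument. Revocation in the directory is what makes electronic badges superior to keys: a departed employee's card stops working without re-keying the door. And because the PIN is verified against a salted hash, a stolen controller database does not hand out the PINs, which is the same reason the paper asks practitioners not to write them down.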
Lastly, the environmental factors need to be effectively controlled to make the physical security of information systems a reality.
Fire, flooding of computer areas and server rooms, extremely high temperatures, power fluctuations and other environmental hazards need to be managed effectively to prevent loss of use and loss of productivity of the information systems (Perrig et al., 2004).
For instance, flooding of the server room may cause a prolonged outage, leading to loss of connectivity and hence loss of access to critical patient data even for authorized users. Going by this example, the urgent care center should invest in an effective drainage system to prevent flooding.
Reference List
Huigang, L., & Yajiong, X. (2010). Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems, 11(7), 394-413. Retrieved from Business Source Premier Database.
Loch, K.D., Carr, H.H., & Warkentin, M.E. (2002). Threats to information systems: Today’s reality, yesterday’s understanding. MIS Quarterly, 16(2), 173-186. Retrieved from Business Source Premier Database.
Perrig, A., Stankovic, J., & Wagner, D. (2004). Security in wireless sensor networks. Communications of the ACM, 47(6), 53-57. Retrieved from Business Source Premier Database.
Renaud, K., & De Angeli, A. (2009). Visual passwords: Cure-all or snake-oil? Communications of the ACM, 52(12), 135-140. Retrieved from Business Source Premier Database.
Stajano, F., & Wilson, P. (2011). Understanding scam victims: Seven principles for systems security. Communications of the ACM, 54(3), 70-75. Retrieved from Business Source Premier Database.
Walters, L.M. (2007). A draft of an information systems security and control course. Journal of Information Systems, 21(1), 123-148. Retrieved from MasterFILE Premier Database.