Overview of the assessment
This module is assessed by coursework only. There are two separate briefs, one covering the first week, the other covering the second. Each is worth 50% of the total module mark.
This document covers the second week’s assessment, comprising Cryptography, Network Security and Data Governance. It consists of three separate parts:
Part A: Cryptography (Dr Martin Tunnicliffe) – worth 50%
A small private healthcare organization has contracted you to investigate the requirements of encryption in their information systems and to develop a robust policy for its use. Write a formal report outlining your findings and presenting your recommendations.
Some topics you could address:
1.The range of documents and messages to be encrypted, e.g. Electronic Health Records (HER), Electronic Patient Records (EPR) and their security requirements.
2.The different objectives of the deployed cryptosystems, i.e. Confidentiality, Authentication and Non-repudiation.
3.The specific cryptographic algorithms and architectures available, along with their relative advantages and drawbacks. Which will be best suited for which purposes?
4.How will the cryptographic protection of static documents (e.g. those stored on a server) differ from that of documents in transit (e.g. transferred within and between sites)?
5.Will there be issues of compatibility between the organization’s cryptographic policy, and that of the NHS?
6.How will your solution scale with the possible future development of the organization?
7.How will cryptographic keys (and certificates) be created and managed?
8.How will the different levels of authorization within the organization be managed?
9.How will the effectiveness of your solution be monitored and assessed?
These are only suggestions: your report will likely not cover all of them and you may discover others of equal importance which you might want to address. (Please contact the assessor if you have any concerns.) You may draw upon the material taught in class and/or your own independent research, but make sure you cite all your information sources. Feel free to make any assumptions you feel are necessary, but state and justify these.
Suggested word-count: 2,000
Section B: Data Governance and Identity Theft (Dr Nada Philip) – worth 30%
Select an identity theft story from the media or from the literature or stories you heard of or experienced. In order to contain the scope of the assignment, it is suggested you focus on two issues for the Health Information Governance.
In this section you are required to Identify and discuss the following:
·The strength and weaknesses of the approach that was adopted. Describe the symptoms of what went well or badly.
·What the theory and standards suggest you should do. Based on the course materials or other sources, describe what the theory suggests that you should do.
·Say what you would do if you had time again or if faced with the same problem of Health information governance and network security.
Suggested word-count: 1,500
Section C: Network Security (Dr Martin Tunnicliffe) – worth 20%
Network infrastructures allowing access to biomedical information, accounting, and admissions can potentially improve patient care and lower medical costs. However, they also introduce security threats due to malware, unauthorized access and human error.
There are many network security tools available to combat these threats but these are only effective if used in accordance with a well-structured security policy, and monitored and assessed in line with established best practices.
1.Identify and discuss the specific assets relevant to a typical healthcare network.
2.For a subset of critical assets, identify typical threats and assess vulnerabilities.
3.Building upon the above, perform a risk analysis for this typical healthcare network.
4.Design security controls mitigating the risk as identified. Discuss the strengths and weaknesses of these controls and how they complement each other in an effective secure design.
5.On the basis of this formulate an appropriate basic security policy for an organisation in charge of that network.
Feel free to make any assumptions you feel are necessary, but be sure to state and justify these.
Each section will be assessed by a separate report, but these should be combined into a single document for submission. These should include diagrams, tables etc. where appropriate. (Where these are taken from other documents, references should be cited).