Healthy Body Wellness Center Case Study
Healthy Body Wellness Center (HBWC) Mission and Vision
The Healthy Body Wellness Center’s mission is to help patients take responsibility for their overall wellbeing and educate members of the local community in the practice of wellness. The HBWC includes an Office of Grants Giveaway (OGG), responsible for distributing a variety of medical grants designed to investigate multiple facets of community wellness, with the majority of grants disbursed to small hospitals, defined as having 250 beds or fewer. HBWC is planning to modernize employee payroll and benefits management across the company through the use of an outsourced provider, such as Workday, ADP, or PeopleSoft. HBWC is also planning to upgrade its research database and develop a cloud-based grant tracking system. The company wants an analysis of the feasibility and planning for conversion to be added for consideration to the overall design for HBWC’s future infrastructure and services.
Office of Grants Giveaway (OGG) Mission and Vision
The mission of the HBWC’s OGG is to promote improvements in the quality and usefulness of medical grants through federally supported National Institutes of Health (NIH) research, evaluation, and sharing of information. The Small Hospital Grant Tracking System (SHGTS) is the primary application used to manage this data. Grant funding takes place using automated clearing house (ACH) processing. The SHGTS contains the hospital-specific banking data needed to process ACH payments.
The SHGTS assists in the assignment and tracking of small hospital grants and is a single-user system running on a desktop computer. The OGG assigns a grant to one hospital for one month and then any unused grant funds are rotated to another hospital for the next month. The SHGTS tracks the initial delivery of the grant funds, stores pertinent information, and then follows the grant through the next five hospital facilities.
Only executive OGG staff can assign grant funds, but all principal investigators must complete their grant evaluations in the application. With the Paper Reduction Act, the federal government is moving its application from paper-based to an online submission system. Each week the OGG executive officer receives a grant status report. Each month, each principal investigator is briefed on the status of their current grants via reports generated by the SHGTS. The OGG is expecting to receive more medical grants from the NIH and needs a way to grow the office’s staff while upgrading the infrastructure to support the current workforce, which consists of part-time workers, work-from-home employees, and contractors. As the OGG expands granting and resources for grant seekers, the creation of remote office branches to meet those needs is also being considered. OGG is also collecting the requirements for a new, web-based portal for use by recipients of grants and researchers. This portal will contain patient-sensitive and other nonpublic information (NPI) that must be adequately protected during processing, storage, and transmission. Access to this resource will be managed by OGG staff with the appropriate privileged access.
HBWC’s current LAN administrator and security manager, who is responsible for most of the technology that is presently in place at OGG, is retiring next month. You have been promoted to assume this role upon the manager’s departure. Endothon Security Consulting completed a security assessment report (SAR) on behalf of the HBWC; therefore, in your new position, you will be responsible for the following tasks:
- conducting a thorough analysis of what’s in place technology- and applications-wise
- finding out which elements already in place are no longer able to support the operations
- synthesizing business, technical, security, and regulatory requirements for fitness in ongoing operations
- conducting a threat analysis of the applications and infrastructure to understand network and application security needs
- designing a replacement network for the existing LAN to support secure employee remote access, secure ACH data transmissions, secure NPI and patient data to the required levels, and to support third-party extranet connections to cloud-based SaaS providers of services to OGG
HBWC is primarily Microsoft-based and wishes to preserve its relationship with Microsoft to ease migration from older MS products to the newer suites of tools they offer (e.g., Office 365, SQL Server, ASP.NET). HBWC has a small staff of programmers needed to maintain existing applications, who are fluent in C# and VB.NET. HBWC’s internet service provider (ISP) is Pogtech Communications, which provides broadband access for internal and planned external users of their resources and services.
System Overview
The SHGTS is a Microsoft Access 2010 database that resides on the Windows 2008 R2 application server. The SHGTS application and its data are protected by built-in security mechanisms supported by the hardened Windows 2008 R2 platform. Microsoft will stop supporting Windows 2008 in January 2020 and then Access 2010 in October 2020. This means that Microsoft will no longer supply patches for the software after 2020. MS Access is unsuitable for use by multiple simultaneous users and will need to be migrated to an MS SQL server with a new infrastructure. New access via the internet will also be required for sharing data among NIH, HBWC, and the hospitals they serve. A persistent link to NIH may be required to exchange data among multiple users and potentially multiple sites that might be needed for processing grants. To segregate functions in support of SHGTS, three technical support personnel (members of the administrator group) have administrative rights to manage the Windows 2008 R2 server. The SHGTS database administrator (DBA) does not have administrative privileges to the Windows 2008 R2 operating system (OS). The SHGTS database has been customized for group security to protect the application from design changes such as altering the Visual Basic for Applications (VBA) code or modifying database objects. There are three categories of users for the SHGTS:
- Administrative: full control of the application, including the ability to alter code and modify database objects
- Executive: access to all reports and the ability to update key fields dealing with the assignment of grants
- Basic: access to most forms and the ability to update key fields relating to information about assigned grants
A virtual private network (VPN) firewall appliance is in place for users that require remote access to the SHGTS. Knowledge of the VPN is limited to users with a mission-essential need. Users access the VPN via Pulse Secure software using a token or a personal identity verification (PIV) badge. Payroll is currently handled on HBWC’s premises using QuickBooks with paper checks. Direct deposit has not been implemented. Grant money is also provided by paper checks. Checks can be obtained from the office manager or sent through the mail. HBWC’s patient information and other research data are kept in Excel spreadsheets. Patients have a patient number assigned to them throughout the research period, and a conversion sheet between the patients and their associated numbers is also kept in Excel to maintain patient confidentiality. Principal investigators at each hospital are allowed to keep their data proprietary for one year while they are writing their research report. The NIH then becomes proprietor of all data. A hard copy of the research report is then saved in a file cabinet at the OGG and stored on the server. This makes it difficult for potential principal investigators to mine the data for information that could be used in future research.
System Interfaces
The SHGTS exchanges data with the NIH but does not give or receive any data to or from any other major application (MA) or a group system support (GSS). The SHGTS resides on Windows 2008 R2, but otherwise does not interface with any other system. It is accessed from a local application running on HBWC workstations connected to the LAN. HBWC staff may access this database when they connect remotely through the VPN connection. The HBWC uses a QuickBooks database for employee payroll, which is housed on the Windows 2008 R2 server and is a standalone database that can be accessed from the client workstations similar to the SHGTS. The research raw data and reports are housed on the HBWC’s server in a fileshare.
Data
The SHGTS database contains private health information (PHI), other healthcare information, and proprietary data in its tables. Data stored in the SHGTS includes specific attributes about the grants such as control number, grant category, amount, distribution schedule, and sunset date. Information detailing grant distribution particulars, such as sponsoring staff, the directing official, and date assigned, is also stored in the system. The research data is only attributable to an individual if the conversion table is viewed along with the raw data. QuickBooks contains personally identifiable information (PII) data on HBWC employees including social security numbers, salaries, home addresses, emergency contacts, phone numbers, and next of kin.
Criticality
The HBWC’s Information Systems Criticality Definition Process defines automated information resources whose failure would not preclude HBWC from accomplishing core business operations in the short to long term (a few hours to a few weeks) but would have an impact on the effectiveness and efficiency of day-to-day operations being needed for daily processing of grants. The SHGTS also includes the research data, and the failure of the SHGTS would not preclude the HBWC from accomplishing core business operations in the short to long term (a few hours to a few weeks), but loss of the research data would require notification to NIH that the results of the research they funded are not available. However, failure of the system would not have an impact on the effectiveness or efficiency of day-to-day operations. Consequently, the SHGTS database is considered mission supportive. Failure of the QuickBooks database could prevent employees from getting paid. A paper backup is maintained in case the server goes down, but the data may be a day old at minimum.
Sensitivity
The criteria used to measure a system’s sensitivity include confidentiality, integrity, and availability. The sensitivity areas for the SHGTS and QuickBooks are described below:
Confidentiality
SHGTS: Low
There is no Privacy Act or proprietary data to protect. No awardee information is tracked on the grants; the system only tracks grant-specific data. If unauthorized personnel read data that they are not authorized to see, administrative action (such as grant suspension or a letter of reprimand) would be the most severe consequence. If competing grant candidates discovered the grant rating system, the financial impact would be under $100,000.
Research data: High
The research data contains medical information on research subjects and needs to be compliant with HIPAA regulations and protected from employees that do not have a need to know. The research data also needs to be protected so that only the principal investigator can have access to it for the first year.
QuickBooks: Medium
There is Privacy Act data included in the QuickBooks database and the information should not be shared outside the payroll office.
Integrity
SHGTS: Medium
The data maintained on the grant ratings does affect recommendations for particular grants. Since entire medical research establishments use these recommendations, the financial impact of manipulated ratings could be between $150,000 and $300,000, but less than $1,000,000. Anyone involved with such data manipulation would possibly be sued but not sent to jail.
Research Data: High
The integrity of the research data must be paramount since the loss of data or any change in the data may show incorrect results of the research.
QuickBooks: High
The integrity of the data for salaries and other information regarding employees needs to be accurate to make sure that everyone receives the appropriate salary, based on job title and length of service.
Availability
SHGTS: Low
The reports are much easier to prepare with the database and it would be inconvenient if the database were unavailable to locate specific grants. However, manual inspection of invoices (for receipt information) and filed hard copies (to locate grants) could be used. The consequences of the database being unavailable would be viewed as an inconvenience but do not require a robust business continuity plan for continued access. The extra manpower required to manually prepare the reports would be less than $100,000 since, at worst, a contractor could be hired to prepare the most important reports for less than that amount.
Research Data: Medium
The research data does not need to be available 24 hours, but the information should be available when the principal investigator is preparing the final research report. A service-level agreement (SLA) and uptime schedule will be provided to researchers upon gaining approval to use the application.
QuickBooks: Medium
The information in the QuickBooks database needs to be available on paydays (every Friday). Hard copies are made of the information and stored in a filing cabinet, but that information may be dated.