Identity and Access Management in Nursing Home: Analytical Essay


Executive Summary

This report focuses on CISSP Domain 5, Identity and Access Management, as it applies to nursing homes. It begins with a brief overview of what a nursing home is and how the identity of each resident is managed, then analyses how authentication and authorization are carried out in a nursing home. It also describes the different types of information nursing homes hold about residents and how that information is stored.

The report then covers access and authorization management models (MAC, DAC and RBAC) and the procedures used to protect the privacy and confidentiality of residents. Finally, it analyses the threats to identity and access management in nursing homes, discusses ways to reduce or remove those risks, and reviews some related incidents and scenarios.

Introduction

Nursing homes are special-purpose facilities that provide accommodation and other support, including assistance with day-to-day living, intensive forms of care and assistance towards independent living, to frail and aged residents. All of these facilities are accredited by the Aged Care Standards and Accreditation Agency Ltd in order to receive funding from the Australian Government through residential aged care subsidies (AIHW, 2010).

In 2017, more than 1 in 7 Australians were aged 65 or over. Today more than 17% of the Australian population is aged 65 and over, and more than 13% of that group are 85 or older. This means a large number of people need facilities such as nursing homes to receive better care. It is therefore important that a nursing home takes care not only of the medical needs of its aged residents but also of their data and information. Privacy is especially important in aged care homes because they hold some of the most sensitive data collected about their residents, and with the growing threats to and vulnerabilities in data storage, proper identity and access management is essential.

Resident Identity Management

Residential care and supported accommodation for aged persons are also defined by the level of care provided, as assessed through the Aged Care Funding Instrument (ACFI), which assesses care needs as the basis for allocating Australian Government funding. After receiving and reviewing an ACFI assessment, whether through community services or from the resident's family, the care facility manager of the aged care home admits the resident according to the services the home provides.

Resident Profile

When a resident is admitted, a separate file is created for them containing all of their information: medical history, hospital records, general details, emergency contacts, medications and so on. A URN (a record number that is unique to each resident) is assigned, and the admin staff take the resident's photograph. A profile is then created that helps other staff recognise the resident and find their basic information. Medication and care information is passed to the Registered Nurses (RNs) and Assistants in Nursing (AINs), and dietary requirements are given to the catering and kitchen staff.

Figure 1 Resident Profile in Nursing home

Types of Resident Information

Resident information is usually categorised into two types: non-clinical and clinical. Most of this information is supplied by the hospital or the Aged Care Assessment Team (ACAT). My Aged Care provides the aged care home with information about residents' medical status and condition, their funding source and other records relating to the resident.

Non-clinical Information

Information that is not related to a resident's medical status is considered non-clinical. This usually includes general details such as name, date of birth, gender and emergency contact information. Financial information (funding source and banking details) and personal history such as criminal record, housing and profession also fall under this category.

The financial information is considered highly confidential.

Clinical Information

Resident clinical information includes all of their medical records: medical history, evidence of physical examination, diagnosis, investigations, treatment, procedures, interventions and progress for each treatment episode. The medical management plan, medication charts, dialysis, allergies and infections are all part of the clinical information.

Because residents in an aged care home receive care and medication daily, it is important to track their progress: diet, bowel movements, behaviour, weight, blood pressure, heart rate and other hygiene matters. All of this is clinical information and is managed by nursing staff and qualified medical staff. All medical records are highly confidential.

Figure 2 Resident Clinical information example

Resident Information Storage

In nursing homes, resident information, both clinical and non-clinical, is generally stored either electronically or physically.

  • Electronic/Digital storage:

An electronic health record (or electronic medical record) is the systematised collection of patient and population health information stored electronically in a digital format. Depending on the size of the aged care home, the data is recorded on a cloud-based server or in folders on local computers. These records can be shared across different health care settings through network-connected, enterprise-wide information systems or other information networks and exchanges. Most nursing homes today use cloud-based storage services that offer a complete range of electronic data storage, backup, disaster recovery, business continuity and cloud computing solutions. Electronic storage helps keep records up to date and accurate, and saves time by removing the need to track down a resident's old paper records.

Not everyone working in the nursing home can view every type of resident information; what each staff member can see depends on their role, so that they can only view the specific resident information that role requires.

Figure 3 Sample- Electronically stored resident information

  • Physical storage:

Much of the information relating to residents is paper based, meaning these hard copies are kept in physical locations such as cabinets and folders. Physical records, such as paper, can be touched and take up physical space. They must be stored so that they remain accessible but are safeguarded against environmental damage. Usually these paper documents are stored in filing cabinets or drawers in an office that is locked for security and confidentiality reasons and can only be accessed by the staff authorised to handle documentation.

Staff Identification

It is important that staff in an aged care facility can be easily identified, for job performance, effective care and security reasons.

  • Staff ID:

On employment, staff are given an identity card showing their photo and job position. This identifies them not only to other staff but also to visitors, so that visitors know who they are talking to and can direct enquiries to the right person.

  • Staff Uniform:

Each staff member is assigned a uniform according to their job role. Registered Nurses (RN), Assistants in Nursing (AIN), Lifestyle Officers (LSO), Admins, General Service Officers (GSO), Food Service Attendants (FSA), Chefs, Maintenance Officers, the Clinical Nurse Manager (CM) and the General Manager (GM) all wear different uniforms so that they can be told apart. If a job title has no uniform, a staff ID must be carried at all times.

Figure 4 staff uniform according to their duties

Authentication

Authentication is the process of verifying the identity of a user or process. In a nursing home, one of the first steps of access control is identifying and authenticating staff. Three common factors are used for authentication:

  • Something staff know (such as a login password or PIN)
  • Something staff have (such as a smart card or physical key)
  • Something staff are (such as a fingerprint or other biometric)

Figure 5 Need PIN to enter through the restricted door in Nursing home

Staff are authenticated when they present their username together with the correct password. Permissions, rights and privileges are then granted to the staff member based on that proven identity. The "something staff know" factor is the most common and is usually a password or a simple personal PIN issued to the staff member.

Something staff have can be a smart card: a credit-card-sized card with an embedded certificate that identifies the holder. The staff member inserts the card into a smart card reader to authenticate. Staff may also hold physical keys that open lockers and medication cabinets; in practice these keys are only used after the staff member has already authenticated with their PIN and ID.

Biometric methods provide the "something staff are" factor. In most nursing homes, fingerprints are the biometric factor used.

Figure 6 Example of different types of authentication method

Multifactor Authentication

Multifactor authentication uses two or more authentication factors, and the key point is that the factors must come from at least two different categories. A smart card followed by a physical key, as used to get medication from a treatment room, is two instances of "something staff have" and is therefore not multifactor authentication; the same door becomes multifactor when the card or key is combined with a PIN (something staff know) or a fingerprint (something staff are).

Figure 7 Smart card and key are required to access the treatment room where medications are stored in a nursing home. (Picture: Opal Aged Care – Ashfield)
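As an added example (not part of the original report), the following Python code shows a staff login check that applies the category rule described above: each presented factor is verified, and the login is accepted only when the factors span at least two of the three categories. The password verifier (salted PBKDF2) and the one-time-code verifier (RFC 6238 TOTP, standing in for a smart card or token) are standard techniques; the staff record, the factor names and the sample data are constructed assumptions for the illustration.

```python
"""Added example: a staff login that enforces true multifactor authentication.

Not taken from the original report. Assumed (illustrative only): a staff
record holding a salted PBKDF2 password hash and a TOTP seed; the factor
names in FACTOR_CATEGORY; the constructed sample record below.
"""
import hashlib
import hmac
import os
import struct

# Category of each factor type. A smart card and a physical key are BOTH
# "something you have", so presenting the two together is single-factor.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "smart_card": "have", "physical_key": "have", "totp": "have",
    "fingerprint": "are",
}

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)  # constant-time compare


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret, code, unix_time, step=30, drift=1):
    """Accept the current step and one step either side to allow clock drift."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-drift, drift + 1))


def categories_covered(presented):
    """Distinct factor categories among the presented factor names."""
    return {FACTOR_CATEGORY[f] for f in presented}


def is_multifactor(presented):
    return len(categories_covered(presented)) >= 2


def authenticate(record, presented, unix_time):
    """Check the category rule first, then verify every presented factor.

    `presented` maps factor name -> value supplied by the staff member.
    Returns (accepted, reason). Only password and TOTP verifiers are
    implemented here; card and biometric readers are out of scope.
    """
    if not is_multifactor(presented):
        cats = ",".join(sorted(categories_covered(presented)))
        return False, f"all factors in one category: {cats}"
    for factor, value in presented.items():
        if factor == "password":
            if not verify_password(value, record["pw_salt"], record["pw_hash"]):
                return False, "bad password"
        elif factor == "totp":
            if not verify_totp(record["totp_secret"], value, unix_time):
                return False, "bad TOTP code"
        else:
            return False, f"no verifier for factor {factor!r}"
    return True, "ok"


# Constructed sample record. The TOTP seed is the RFC 4226/6238 test seed,
# used here only so the codes are reproducible; never reuse it for real.
_salt, _hash = hash_password("correct horse battery staple")
SAMPLE_RN = {"pw_salt": _salt, "pw_hash": _hash,
             "totp_secret": b"12345678901234567890"}

if __name__ == "__main__":
    now = 59  # RFC 6238 test time: the TOTP for this seed is 287082
    print(authenticate(SAMPLE_RN, {"password": "correct horse battery staple",
                                   "totp": totp(SAMPLE_RN["totp_secret"], now)}, now))
    print(authenticate(SAMPLE_RN, {"smart_card": "4F2A", "physical_key": "K7"}, now))
```

The category check runs before any verifier so that a card plus a key is rejected as single-factor even when both are valid, and `hmac.compare_digest` is used for every comparison so that a wrong password or code cannot be distinguished by timing.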

Access Management

In most nursing homes, access to the network, the database server and general electronic devices such as computers is given to very few staff. This is mainly to preserve the privacy and integrity of the information.

The General Manager (GM) and Regional Manager are the facility managers and have access to all information about residents, the aged care home and its staff. The Clinical Nurse Manager and Registered Nurses have access only to medical information. Admins are given access to most of the information. LSOs are only given electronic access to record residents' exercise and lifestyle activities. Chefs and kitchen staff are only given access to residents' dietary requirements.

Authorization Management

Authorization management is concerned with people's access to different objects, most often data or physical objects such as land, buildings, rooms or infrastructure. Access control denies access to anyone who lacks authorization and grants it only to those who should have it. Most nursing homes use the following authorization models:

Mandatory Access Control (MAC)

Under MAC, the system grants or denies access to an object according to a central policy, comparing the sensitivity label on the object with the clearance of the user, and users cannot change those labels or permissions themselves. MAC therefore makes decisions based on labels first and permissions second, and it supports the confidentiality requirement more strongly than DAC or RBAC. For example, LSOs are given read access to residents' behaviour and social skills charts but are prevented from changing them.

Discretionary Access Control (DAC)

DAC governs the ability of subjects to access objects while letting the owner of each object make the policy decisions and assign security attributes; in simple terms, it lets people manage the content they own. DAC makes decisions based on permissions only, and it favours availability of the information. For example, Admins can change or add information on a resident profile that they own.

Role Based Access Control (RBAC)

RBAC grants or restricts a user's access to objects according to their role and position. Roles are assigned by administrators, and users activate only the roles they need for a given task, which supports separation of duties. RBAC makes decisions based on job functions or roles and supports the integrity of information and data. It is implemented in most aged care homes alongside MAC and DAC.

For instance, an Admin in a nursing home can add a patient/resident but cannot read or write prescriptions for residents. Doctors cannot add new residents to the system themselves. Similarly, RNs can read prescriptions but cannot change or write them. AINs cannot read or write prescriptions, as they are carers only. The catering department receives residents' dietary information but cannot change it; the care manager, or an RN with the care manager's approval, can change a resident's dietary requirements after consulting a doctor.

Figure 8 Role-Based Access Control in Nursing home
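As an added example (not from the original report), the following Python code shows how the three models above combine into a single policy decision point over the resident records the report describes: MAC compares a centrally assigned record label with the user's clearance, RBAC checks the role's permitted operations on that kind of record, and DAC lets the record's owner decide who else may write to it. The role names follow the report; the labels, clearances, permission table and sample records are illustrative assumptions.

```python
"""Added example: one policy decision point that layers MAC, DAC and RBAC
over the resident records discussed in the report.

Not taken from the original report. The role names follow the report; the
sensitivity labels, clearances, permission table and sample records are
illustrative assumptions.
"""
from dataclasses import dataclass, field

# ---- MAC: labels and clearances are set centrally by policy ------------
# Ordered least to most sensitive. Neither a record's owner nor any user can
# relabel a record or raise their own clearance.
LEVELS = {"GENERAL": 0, "LIFESTYLE": 1, "CLINICAL": 2, "FINANCIAL": 3}
LABEL_FOR_KIND = {"profile": "GENERAL", "dietary": "GENERAL",
                  "activity": "LIFESTYLE", "behaviour": "LIFESTYLE",
                  "prescription": "CLINICAL", "financial": "FINANCIAL"}
CLEARANCE = {"gm": "FINANCIAL", "admin": "FINANCIAL", "cm": "CLINICAL",
             "doctor": "CLINICAL", "rn": "CLINICAL", "ain": "LIFESTYLE",
             "lso": "LIFESTYLE", "chef": "GENERAL"}

# ---- RBAC: (record kind, operation) pairs each role may perform --------
# Mirrors the report: admins add residents but never see prescriptions,
# doctors write prescriptions but cannot add residents, RNs read but do
# not write prescriptions, AINs see no prescriptions, catering reads
# dietary needs only, the care manager (CM) may change dietary needs,
# LSOs read behaviour charts but cannot change them.
ROLE_PERMS = {
    "admin":  {("profile", "create"), ("profile", "read"), ("profile", "write"),
               ("financial", "create"), ("financial", "read"), ("financial", "write")},
    "doctor": {("profile", "read"), ("prescription", "create"),
               ("prescription", "read"), ("prescription", "write")},
    "cm":     {("profile", "read"), ("prescription", "read"),
               ("dietary", "create"), ("dietary", "read"), ("dietary", "write")},
    "rn":     {("profile", "read"), ("prescription", "read"), ("dietary", "read"),
               ("behaviour", "create"), ("behaviour", "read"), ("behaviour", "write")},
    "ain":    {("profile", "read"), ("dietary", "read"), ("behaviour", "read")},
    "lso":    {("behaviour", "read"), ("activity", "create"),
               ("activity", "read"), ("activity", "write")},
    "chef":   {("dietary", "read")},
}
ROLE_PERMS["gm"] = {(k, op) for k in LABEL_FOR_KIND for op in ("create", "read", "write")}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Record:
    name: str
    kind: str
    label: str          # MAC label, fixed by LABEL_FOR_KIND at creation
    owner: str          # DAC: the creator controls who else may write
    writers: set = field(default_factory=set)

    def grant_write(self, by: User, to: User):
        """DAC: only the owner may extend write access (discretionary)."""
        if by.name != self.owner:
            raise PermissionError(f"{by.name} does not own {self.name}")
        self.writers.add(to.name)


def create_record(user: User, name: str, kind: str) -> Record:
    """RBAC decides who may create; the creator becomes the DAC owner; the
    MAC label comes from policy, never from the creator."""
    if (kind, "create") not in ROLE_PERMS.get(user.role, set()):
        raise PermissionError(f"role {user.role} may not create {kind}")
    return Record(name, kind, LABEL_FOR_KIND[kind], owner=user.name)


def mac_allows(user: User, rec: Record) -> bool:
    """No read-up: the user's clearance must dominate the record's label."""
    return LEVELS[CLEARANCE[user.role]] >= LEVELS[rec.label]


def rbac_allows(user: User, op: str, rec: Record) -> bool:
    return (rec.kind, op) in ROLE_PERMS.get(user.role, set())


def dac_allows(user: User, op: str, rec: Record) -> bool:
    """Reads are settled by MAC and RBAC; writes also need the owner's consent."""
    return op == "read" or user.name == rec.owner or user.name in rec.writers


def check(user: User, op: str, rec: Record):
    """Apply the three layers in turn; return (allowed, deciding layer)."""
    if not mac_allows(user, rec):
        return False, "MAC"
    if not rbac_allows(user, op, rec):
        return False, "RBAC"
    if not dac_allows(user, op, rec):
        return False, "DAC"
    return True, "ok"


if __name__ == "__main__":
    alice, bob = User("alice", "admin"), User("bob", "admin")
    profile = create_record(alice, "URN-0001 profile", "profile")
    print(check(bob, "write", profile))      # (False, 'DAC'): bob is not the owner
    profile.grant_write(alice, bob)
    print(check(bob, "write", profile))      # (True, 'ok')
    rx = create_record(User("dan", "doctor"), "URN-0001 Rx", "prescription")
    print(check(User("carol", "rn"), "write", rx))   # (False, 'RBAC')
    print(check(User("eve", "ain"), "read", rx))     # (False, 'MAC')
```

The order of the layers matters: MAC is evaluated first because it is the one rule nobody in the facility can relax, RBAC next because it reflects the job, and DAC last because it is the only layer an ordinary user can change, and even then only to widen write access on records they created.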

  • Authorization revoke:

Under the US Health Insurance Portability and Accountability Act (HIPAA) rules, patients have the right to revoke at any time an authorization they have given to share their health information. The revocation must be in writing and signed by the patient (or their personal representative), and it may take a little while to take effect. Australian aged care providers are governed instead by the Privacy Act 1988 and the Australian Privacy Principles rather than by HIPAA.

A revocation is not applied retrospectively to information already shared under the earlier authorization, and it does not prevent disclosure where the circumstances are critical and the health information has to be shared, for example for emergency treatment.

Vulnerabilities and Threats

Recently there have been many incidents in nursing homes involving data breaches, hacked systems or malfunctions caused by malware. In 2017, 33 per cent of all breaches reported to the Australian Information Commissioner involved health information.

Aged care homes exist primarily to provide services to aged and ill people, so their focus is on resident care rather than on their electronic systems and data. This leaves them exposed to many threats. In Aon's 2017 Global Risk Management Survey, 45 per cent of healthcare industry respondents identified cyber as a top-10 risk and a top-5 emerging risk for 2020, and this is unlikely to abate any time soon.

Physical Threat

Loss or theft of data and information is also very likely in a nursing home environment. Fire and environmental disasters such as floods can destroy the physical records stored in the facility. Beyond such events, the other likely physical threat to records is theft. There have been several cases in which residents' credit cards and photo ID cards were stolen and the information used to create fake profiles and accounts.

Figure 9 Nurse who stole an elderly patient's credit card and used her card details. More reading at https://www.dailymail.co.uk/news/article-5584587/Sydney-nurse-stole-elderly-cancer-patients-credit-card-1-000-refuses-say-sorry.html

  • Solutions:

Paper records should be kept in secure, locked cabinets. Physical security is essential in a nursing home to protect this sensitive data. Keyed locks can protect cytotoxic drugs and the files stored in cabinets. Electronic door locks are another viable and secure option: an electronic lock is operated by an electric current and is usually connected to an access control system. A key card lock reads the credential stored on a flat card and opens only if it matches what the access control system holds for that card. Most hospitals and advanced aged care homes are adopting these systems.

Social Engineering

According to current research, over 2.7 million Australians aged 65 or over use the internet each day. Most of them are not tech-savvy, which makes them vulnerable to social engineering attacks such as someone pretending to call from a bank or insurer and asking for credit card or bank details over the phone or by email.

Figure 10 Resident being scammed pretending to be ATO. More reading at https://www.abc.net.au/news/2018-04-23/scam-call-threatens-arrest-warrant-legal-action-ato/9686796

  • Solutions:

Social engineering is a very common attack, and elderly people are the most vulnerable to it. Residents in a nursing home should be made aware of these attacks. Residents who keep personal mobile phones or computers should be offered help and, with their consent, have suspicious activity on those devices monitored. Residents' calls and family visits should be logged by the AINs and admins so that visitors can be tracked. Staff should be trained on this topic, should watch for suspicious activity involving residents and should inform the concerned parties. Phone calls for residents can be routed through the admins, which helps to prevent scams.

Malware Attack

Malware, or malicious software, is any software intentionally designed to cause damage to a computer, server or network. The most common types are ransomware, trojan horses and viruses.

Hancock Health, a hospital based in Greenfield, Indiana, revealed that a successful ransomware attack in 2018 held its IT systems hostage, demanding a ransom payment in Bitcoin (BTC) in return for a decryption key. This kind of malware targets vulnerable servers and, once installed on one machine, propagates to others on the same network. Hancock Health paid the attackers $55,000 to unlock its systems after the infection.

Figure 11 Malware attack on healthcare in Washington D.C. More reading at https://www.npr.org/sections/alltechconsidered/2016/04/01/472693703/malware-attacks-on-hospitals-put-patients-at-risk

  • Solutions:

Network security is the basic and most important defence against malicious attacks. Some common measures are:

Firewalls: A firewall is the basic network security control that allows only authorised access or data to pass through and blocks everything else. For an aged care home, best practice is to allow only the network access that is required and block all other connection attempts.

IDS and IPS: An intrusion detection system (IDS) monitors traffic and activity on the network for signs of a malicious attack or code and raises an alert; an intrusion prevention system (IPS) sits inline and blocks the malicious traffic before it reaches its target. IDS and IPS sensors should be placed at various points in the network.

Malware detection and prevention software should be adopted to stop infected code or viruses from entering the network. Web filtering can be used to block known malicious sites and to check the reputation of the sites staff visit and the content they download.
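As an added example (not from the original report or from any vendor product), the following Python detector shows what host-based IDS logic for the ransomware behaviour described above looks like: it reads file-activity and connection events, flags a process that renames many files to one new extension within a short window (encryption in progress), and flags a host that opens SMB connections to many internal hosts in quick succession (propagation to other machines on the network). The log format, host and process names, thresholds and sample lines are all constructed for the illustration.

```python
"""Added example: two host-IDS rules for ransomware behaviour, run over
constructed log lines. Not from the original report; the log format,
host/process names, thresholds and sample events are assumptions.

Each line: ISO timestamp, then key=value fields (no spaces in values).
"""
from collections import defaultdict, deque
from datetime import datetime


def parse(line):
    """Turn one log line into a dict; 'ts' becomes seconds since the epoch."""
    ts_text, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split(" ") if "=" in kv)
    event["ts"] = datetime.fromisoformat(ts_text).timestamp()
    return event


def _ext(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect(lines, window=60, rename_threshold=20, fanout_threshold=10):
    """Return alerts in the order they fire.

    Rule 1 (encryption): one process on one host renames >= rename_threshold
    files to the same NEW extension within `window` seconds.
    Rule 2 (propagation): one host connects to >= fanout_threshold distinct
    destinations on TCP 445 (SMB) within `window` seconds.
    """
    alerts = []
    renames = defaultdict(deque)   # (host, proc, new_ext) -> recent timestamps
    smb_peers = defaultdict(dict)  # host -> {dst: last seen timestamp}
    fired = set()                  # alert once per key, not once per event

    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev.get("event") == "rename":
            old_ext, new_ext = _ext(ev["path"]), _ext(ev["new"])
            if old_ext == new_ext:
                continue           # ordinary save/rename, extension unchanged
            key = (ev["host"], ev["proc"], new_ext)
            recent = renames[key]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()   # slide the window forward
            if len(recent) >= rename_threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": "ransomware_rename_burst", "host": ev["host"],
                               "proc": ev["proc"], "ext": new_ext, "count": len(recent)})

        elif ev.get("event") == "netconn" and ev.get("port") == "445":
            host = ev["host"]
            smb_peers[host][ev["dst"]] = ev["ts"]
            active = [d for d, t in smb_peers[host].items() if ev["ts"] - t <= window]
            if len(active) >= fanout_threshold and ("smb", host) not in fired:
                fired.add(("smb", host))
                alerts.append({"rule": "smb_fanout", "host": host,
                               "distinct_dst": len(active)})
    return alerts


def _at(sec):
    """Constructed timestamp helper: all sample events fall in one minute."""
    return f"2018-01-11T02:14:{sec:02d}"


# Constructed sample log: a benign Word backup rename on WS-12, then a
# process on NS-03 encrypting 25 resident PDFs and probing 12 SMB peers.
SAMPLE_LOG = (
    [f"{_at(s)} host=WS-12 proc=WINWORD.EXE event=rename "
     f"path=/home/jo/note{s}.docx new=/home/jo/note{s}.bak" for s in range(2)]
    + [f"{_at(5 + i)} host=NS-03 proc=enc.exe event=rename "
       f"path=/srv/residents/URN{i:04d}.pdf new=/srv/residents/URN{i:04d}.pdf.locked"
       for i in range(25)]
    + [f"{_at(30 + i)} host=NS-03 proc=enc.exe event=netconn dst=10.20.0.{10 + i} port=445"
       for i in range(12)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules key on behaviour rather than on a known malware signature, which is what makes them useful against a new ransomware family; the thresholds are deliberately tunable because a legitimate backup job or a file server migration can look similar and should be allow-listed after review rather than by lowering the rule's sensitivity.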

References

  1. Aon (2018). Aged Care faces significant cyber risk. [online] Available at: http://www.aon.com.au/australia/insights/cyber-risk/2018/aged-care-faces-significant-cyber-risk.jsp [Accessed 16 May 2019].
  2. Gadens (2018). Data Breaches by Aged Care Providers – Complying with The Mandatory Data Breach Scheme. [online] Available at: https://www.gadens.com/legal-insights/data-breaches-aged-care-providers-complying-mandatory-data-breach-scheme/ [Accessed 16 May 2019].
  3. AIHW (2018). Residential aged care facility. [online] Meteor.aihw.gov.au. Available at: http://meteor.aihw.gov.au/content/index.phtml/itemId/384424 [Accessed 16 May 2019].
  4. Marketing, M. (2018). Cyber Security for patient-centric care. [online] Moqdigital.com.au. Available at: https://www.moqdigital.com.au/insights/cybersecurity-for-patient-centric-care [Accessed 16 May 2019].
  5. Gibson, D. (2018). Understanding the Three Factors of Authentication. [online] Pearson IT Certification. Available at: http://www.pearsonitcertification.com/articles/article.aspx?p=1718488 [Accessed 22 May 2019].
  6. Roizen, M. (2017). Revoke authorization of health information. [online] Sharecare. Available at: https://www.sharecare.com/health/revoke-authorization-to-share-health-information
  7. Information Security Stack Exchange (2018). MAC vs DAC vs RBAC. [online] Available at: https://security.stackexchange.com/questions/63518/mac-vs-dac-vs-rbac [Accessed 24 May 2019].
  8. Wikipedia (2018). Electronic health record. [online] Available at: https://en.wikipedia.org/wiki/Electronic_health_record [Accessed 22 May 2019].
  9. Osborne, C. (2018). US hospital pays $55,000 to hackers after ransomware attack. [online] ZDNet. Available at: https://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/ [Accessed 25 May 2019].
  10. Wikipedia (2018). Role-based access control. [online] Available at: https://en.wikipedia.org/wiki/Role-based_access_control [Accessed 5 Nov. 2018].
  11. Wikipedia (2018). Lock (security device). [online] Available at: https://en.wikipedia.org/wiki/Lock_(security_device) [Accessed 3 May 2019].
  12. Williams, P. (2018). Latest 'low-life scammer' claiming to be from the ATO. [online] ABC News. Available at: https://www.abc.net.au/news/2018-04-23/scam-call-threatens-arrest-warrant-legal-action-ato/9686796 [Accessed 5 May 2019].