Security of Pharmaceutical Systems

I am in charge of guaranteeing the security of the system at the recently opened pharmacy because I work in information technology. I have to put in place a number of security measures to make sure that medical funds and private health information are protected. I will start the essential process of determining the threats, hazards, and controls required to safeguard the facility because the pharmacy needs a mix of both physical and logical controls.

Information systems are constantly vulnerable to physical dangers brought on by illegal physical access to system software and hardware. Threats are either created by outsiders, employees, or just human error. Thus, some of the most common forms of physical threats include theft of hardware and software components, vandalism, unstable power supply, accidental errors and fires (Jouini, Rabai & Aissa, 2015). Hence, it is proper for the IT system to have the necessary security measures that will prevent unauthorized access to the servers as well as restrict access to the pharmacy.

Physical Security Controls

Access to systems makes it easier to compromise the security of systems much easier. Individuals or rather employees who have access to the system have the capability of stealing hardware components as well as confidential information while at the same time compromise the system security. In that case, there is need to protect the human resource information, financial statement as well as inventory levels. Thus, researchers have resorted to various administrative, preventive, corrective and detective controls.

Administrative Controls

Administrative controls or rather measures make up the crucial part of the information network security. Mainly, it involves the implementation of procedures and policies that guide the users on the proper usage of the system. In that case, as an IT expert, I will undertake a crucial role in ensuring policies are in place to guide access to information storage such as servers and hard drives to prevent access to human resource and finance information (Peltier, 2016). For instance, I will ensure there is a good hiring practice that will focus on providing training to the new employees on issues such as handling spam emails as well as proper use of IT components for security purposes. Also, administrative policies can take the form of restricting who is allowed and who is not allowed into the Pharmacy servers. Comparatively, the people should be given security level clearances such as biometric devices.

Preventive Controls

Preventive controls include all the measures necessary to prevent the pharmacies information from being stolen, altered or damaged. Preventive measures in a setting like a pharmacy involve coming up with policies that will prevent access to different part of the system or rather parts of the system (Kim & Solomon, 2016). In that case, they can take the form of passwords and biometrics that determine who have access to different parts of the system. For instance, the pharmacy should have password or pin controlled server doors that will allow only the authorized individuals to access the servers. Also, security procedures should be in place to ensure hardware components do not enter and leave the pharmacy anyhow. Furthermore, preventive measures can take the form of installation of power generators to prevent damages that may arise due to power failure. Similarly, it may take the form of installing extinguishers and fire suppression systems at different and designated areas to prevent or minimize damages due to natural occurrences or even fire.

Detective Controls

Detective controls come in handy to ensure that breaches are detected and reported to the relevant stakeholders. Therefore, to ensure instances such as thefts are detected before or after they have occurred, the organization can install surveillance cameras that monitor activities within the system. The surveillance will allow the organization to determine the occurrences in the system in real time or at a given point in time (Kim & Solomon, 2016).

Corrective Measures

Corrective measures in IT systems are aimed at ensuring that damages are corrected just in time. In such case, the pharmacy should have a backup system that will guarantee that all the servers are backed up either to the cloud or in secure physical locations. In doing so, it will be easier to restore the system back to normal in case of theft of hard drives and other system components (Kim & Solomon, 2016).

Logical Threats

Statistically, more than 50 percent of the computer systems threats are attributed to logical threats. Logical threats they are non-physical threats that are likely to result in loss of confidential information, disrupt business operations and loss or rather the corruption of key company information (Jouini, Rabai & Aissa, 2015). Thus, some of the common threats include phishing, denial of service attacks, spyware, worms and Trojan horse. Therefore, there is need to undertake different measures that will ensure confidential information is safe from unauthorized personnel.

Worms

Worms are system threats that can affect an organization's operations if not taken seriously. Hackers who work on the worms ensure they infect the system and copy themselves from one computer to the other. The worst thing about the malware is that it can easily copy itself without user intervention. If not managed, it can send user emails to the hackers’ emails or even open up ports that can be used by hackers as entry points (Jouini, Rabai & Aissa, 2015).

Phishing

Phishing is a logical threat that involves a malicious attempt to obtain confidential information such as usernames, credit card details, passwords and other confidential information. In most cases, it targets system users whereby they receive emails or rather text messages that appear to have been sent from an authorized system user. When the message which contains a malicious link is opened, it gets into the system and tries to retrieve details such as user passwords and usernames. Comparatively, the users can be convinced into giving out their usernames and passwords.

Denial of Service Attacks

Denial of service attacks commonly called DOS is a logical attack where the perpetrator aims at making different system resources unavailable to the user by intentionally disrupting relevant services. Comparatively, the event makes it hard for a legitimate user to access a certain device as well as network resources. In that case, measures need to be put in place because it is among the various ways through which hackers gain access to the system by preventing proper functioning of different services. Consequently, the attacker, can black mail the organization into giving out certain confidential information.

Trojan Horse

A Trojan horse is a common threat that is likely to impact a computer system. It involves the use of a malicious program to gain access to the system using the affected computers. In which case, it is used by attackers and hackers to gain access to the system by tricking users into executing programs into the systems and once activated; the program takes control of the system (Olson & Wu, 2017). In the event, the hackers can delete, copy and modify any existing data in the system. For instance, we have backdoor Trojans that upon taking control of the infected computer, they give the hacker administrative control of the system.

Spyware

Spyware is a program created by hackers with the main aim of gathering users’ information without their consent or rather knowledge. In most cases, they are used in monitoring users’ activities over the web for the purposes of obtaining information such as login details. A good example of spyware is Keyloggers that can be used to obtain users authentication details as they enter from the keyboard (Olson & Wu, 2017). Furthermore, it is difficult to identify or detect since it comes with most of the software downloaded from the internet.

Logical Security Controls

Logical measures consist of administrative, corrective, preventive and detective measures that facilitate software safeguards. They are measures that need to be in place to ensure only authorized individuals have access to the system resources.

Administrative Controls

Administrative controls involve the overall policies and procedures that are in place to ensure restrictions access to the Pharmacies information. Since the company is making use of the active directory, it is important to come up with policies that will define who creates and assigns users accounts (Peltier, 2016). Thus, there should be a password and user account policies that will determine when the passwords are created as well as the frequency at which they should be changed. Comparatively, users should account for all the activities taking place on their respective workstations. Also, a procedure should be determined or privileges assigned to prevent or rather restrict access to the file servers.

Preventive Controls

Preventive measures are aimed at ensuring the system is safe from the impending threats or rather anticipated breaches. In that case, I will recommend the pharmacy to install firewalls that facilitate the process of monitoring and filtering the incoming and outgoing traffic or rather packets. Hence, firewalls will only grant connections to authorized connections in case there is need to connect to external networks for instance when using the services of a network service provider. Just as the policies state, users should be assigned unique passwords to prevent unauthorized access to different system workstations as well as the file servers.

Detective Controls

In the case of detective control, the system should make good use of the active directory. Active directory is the most effective type of preventive measure that ensures monitoring all the user login times as well as their activities. Since all users are assigned different accounts, AD logs can be used to determine anomalies in the system and any associated inside attacks. Thus, such controls can come in handy when detecting phishing as well as the presence of spyware. Also, firewalls can be used to detect any forms of Denial of service attacks by prevention of any form of artificial packets.

Corrective Controls

Corrective controls apply when an attack has already occurred in which case measures need to be undertaken to take the system back to normal. In which case, the system should be able to use a centralized file system where users will be able to access the files via their active directory user folder. In that case, whenever, one workstation is affected, the chances are that it can be restored while other parts of the system are still up and running.

Strategies for Preventing Physical Threats

Theft

The system should be designed in such a way that only the employees use the back door to either maintain the servers or collect drugs. In that case, It is proper to use risk avoidance by ensuring the back door can only be accessed using the assigned card readers or biometric devices (Olson & Wu, 2017). This will prevent customers and any unauthorized persons from accessing the backend.

Unstable Power Supply

It is evident that unstable power supply can interfere with the servers and other computer components leading to information loss. In that case, the best strategy is to install standby generators as well as backup batteries to keep the system running even during power shortages. This is a risk avoidance strategy that will ensure there is less exposure to the risk or rather risk of losing data through the unstable power supply.

Accidental Human Errors

Human errors are unavoidable in a working environment. In that case, a strategy should be adopted to ensure that the errors are minimized as much as possible. Hence, I will advise the organization to make use of training to ensure that employees have knowledge of handling equipment and different components. Therefore, it will take the form of risk control that will ensure the risk is reduced to a minimum. For instance, the users should be trained on how to handle hardware components to avoid losing data.

Fires

Fires are prone in situations where electricity is used and can be caused by natural events such as lightning. In that case, the best strategy will be risk mitigation that will ensure control of the process through installing fire controls such as automatic sprinklers to suppress the fire during a calamity (Olson & Wu, 2017). Also, it is proper to have in place lightning arresters to prevent incidences of lightning strikes.

Vandalism

Vandalism is also prone in work environments and can easily lead to loss of confidential information. In that connection, the best strategy will be risk avoidance involving training the users of how to keep components such as computers. For instance, water can damage system components such as hard drives and other storage devices.

Strategies for Addressing Logical Threats

Denial of Service Attacks

DOS is a logical attack on a given system, and without coming up with the right strategy, the system is likely to be compromised. Thus, the best strategy will be risk avoidance involving the use of firewalls and network monitoring software to prevent any form of artificial packets or rather traffic.

Spyware

Spywares such as keyloggers are used for the sole purpose of attaining information without the systems consent. It can access the login details of a given user and later use the details to gain control of the system. Since users workstations are the main sources of entry, it is proper to use risk avoidance strategy by ensuring necessary steps are taken to eliminate the risk (Olson & Wu, 2017). Thus, it is proper to install antivirus software such Kaspersky to ensure such programs are scanned and eliminated.

Trojan Horse

Just like spyware, Trojan horse is used to gain access to a system by tricking users to install malicious programs that later take control over the system. Thus, this threat or rather a risk can be addressed using risk avoidance to ensure necessary measures are in place to prevent any attacks on the system.

Phishing

Phishing is among the most prominent system threats in any organization that embraces information systems. Since it takes the form of emails and text messages that lure users into giving confidential data, it is proper to make use of risk mitigation strategy (Olson & Wu, 2017). Risk mitigation can take the form of training that will educate the user on the best ways of handling emails messages.

Worms

Worms are dangerous malware since they copy themselves without human intervention in which case it is proper to avoid risk by ensuring the necessary antivirus software are installed. Also, it is necessary to undertake frequent scanning to ensure the infection is not severe.

Conclusion

In conclusion, the new pharmacy faces a lot of threats from both inside and outside attackers. From inside attackers can take physically steal or tamper with confidential information while outsiders can use techniques such as spyware and DOS to gain access to the system. Thus, as an IT expert, I will recommend the use of various risk mitigation and implementation of the necessary controls to ensure availability, reliability, and confidentiality of the pharmacy’s information and assets.

References

Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2015). Classification of security threats in information systems. Procedia Computer Science, 32, 489-496.

Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Learning.

Olson, D. L., & Wu, D. D. (2017). Information Systems Security Risk. In Enterprise Risk Management Models (pp. 145-160). Springer Berlin Heidelberg.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Verma, K. (2017). IP-CHOCK Reference Detection and Prevention of Denial of Service (DoS) Attacks in Vehicular Ad-Hoc Network: Detection and Prevention of Denial of Service (DoS) Attacks in Vehicular Ad-Hoc Network. In Handbook of Research on Advanced Trends in Microwave and Communication Engineering (pp. 398-420). IGI Global.