Consensus policy resource community remote access polic
Medical facility network design
1. LIS4482 sECTION 1 MGT NETWORKS & TELCM
Leon County Medical
Facility
Medical Facility Network Design
12/3/2012
GROUP MEMBERS:
Nephtalie Pierre
John Idasetima
KensleyAgenor
2. I: EXECUTIVE SUMMARY
We understand that there are plans for a new medical facility. There is a definite need for an
efficient and dependable networking infrastructure to support a facility of this type. After
receiving your requests and requirements, our group is confident that we can implement a
networking infrastructure that:
• Requires minimum upkeep costs
• Supports an organization of 225 users with room for expansion
• Meets the requirements of HIPAA
• Supports offsite workstations
The purpose of this report is to give a better understanding for the new plans that we have for
this new medical facility. We will give an overview of the written description of the Physical and
logical network diagram that will be on Appendix A and B. Also, this report will include
network policies for standard operating procedures (SOP) for Internet Access, Printing, Storage
allocation, E-mail usage, User Administrations, Naming Conventions, Protocol Standards,
Workstation Configuration (hardware & software), Network Device Placement, Environmental
Issues, Power and applying Patches to operating systems. We will also include documentation of
Security policies. This document will include procedures for user account access, password
requirements, network access, hardware firewalls, encryption use, logging practices, physical
building/hardware access rules, Intrusion Detection System (IDS)/Intrusion Prevention (IPS)
System & regular vulnerability assessments. Procedures for these will be included. It will include
procedure on handling security violations as well.
3. NETWORK POLICIES
1.0 Introduction
Technologies have become an integral part to the lives of medical patients everywhere and our
medical staffs depend on them to insure patient safety and overall good health. These
technologies can make the difference between life and death situation if not used effectively and
correctly.
This Standard Operating Procedure applies to all integrated medical staff, medical patients, and
users who will be utilizing the following: Access to Internet, printers, Storage allocation, E-mail
usage, User Administrations, Naming
Conventions, Protocol Standards, Workstation Configuration (hardware & software), Network
Device Placement, Environmental Issues, Power and applying Patches to operating systems. The
Standard Procedure that follows explains how we intend to do this in order to help protect
medical records, staff, patient, users information, privacy, and the overall performance of the
network.
1.1 Internet Access
Access to the Internet and the other networking component can put medical staff and patient in
potential danger if used inappropriately due to sensitive documents and medical records. All
users with Internet access need to abide by the following rules:Authorized access or share
medical records and other personal information with 3rd party company are prohibited.
The sharing / distribution of personal images of patients or medical staff at work without an
4. individual’s consent or knowledge is prohibited.
· Do not access to unsuitable video (pornography) / Internet games, etc.
· Illegal downloading of music or video files or any download not work related is not allowed.
· Potentially excessive use of the Internet for personal use of social networking (Facebook,
Twitter, LinkedIn, etc.) may result in termination of Internet access.
Remember that access to the Internet is a privilege and not a right. Failure to follow the basic
rules and guideline above may result in serious consequences: loss of job, fines, and possible
imprisonment.
SECURITY POLICY
The Leon County Medical Facility local area network is critical to the provision of
information services to Leon County Medical Facility staff and patients. Specific security
measures and procedures will be implemented to protect the confidentiality of information
transactions being processed on the network and to keep critical systems operational. Because all
employees of LCMF are encouraged and expected to use the network for work related activities,
security risks have increased and more stringent practice in protecting resources is necessary.
These security procedures are addressed in the following network security policy.
The purpose of this policy is emphasizing to all LCMF employees the importance of
network security in the medical facility and their roles in maintaining that security.
The goal for the LCMF Information Security Policy isto preserve the integrity, availability and
confidentiality of all employees and patientsinformation. The LCMF Network Access Policy
applies equally to all individuals with access to any LCMF network. The intent of this Security
Policy is to protect the information assets owned by LCMF.
5. This security policy will give an overview of procedures for the following: user account
access, password requirements, network access, hardware firewalls, encryption use, logging
practices, physical building/hardware access rules, Intrusion Detection System (IDS)/Intrusion
Prevention (IPS) System & regular vulnerability assessments
User Account Access:
All user access attempts will be authenticated by a user name and password. There will
be specific permissions provided to account access rights according to employees job position
(i.e. system admin, CIO, Doctors, etc.). The user name and password assigned to employees
should NOT be shared. If an employee is found violating this policy, disciplinary actions will be
applied.
User accounts will also organized into groups. Rights and access permissions will be
granted individually to users or to agroup, in which case they also apply to the group’s members.
There will also be Special user accounts, (also known as maintenance accounts), these
individuals will be used for maintaining and managing the network. These accounts will be
renamed and only used for performing maintenance functions. Standard accounts will be used for
regular day-to-day activities. Additional rights and permissions will be added to users only if it
is needed for the job duty or promotion of job that require it. When a user account is no longer
needed the account will either be deleted (i.e. if an employee leaves the company) or disabled
(i.e. if the employee will be gone for an extended period), so that no one has access.
Password
6. Passwords are a very important to information security. Passwords must be at least eight
characters long .Password should also have three of the following requirements:
include uppercase characters
lowercase characters
numbers (0-9)
And/or non-alphanumeric (For example:!, $, #, or %)
Three password attempts are allowed. If failure to login occurs, user will be locked out
and Administrative password will be required for access. We will also enforce password history,
users will also have to create at least 25 passwords (includes current one). This will keep users
from reusing old ones making the network more secure. There will be a maximum password age.
Users will be notified days before to change passwords. The user must be changed every 60
days. Employees may not disclose their passwords to anyone or display it anywhere where it
may be seen.
Network access
We will be using a network management system to monitor and maintain the network.
This program is crucial for the up-to-date information on the health of the network. Network
management system reduces the time involved in managing the network by performing
performance checks, configuration changes as well as notifying of network failures. Employees
are permitted to use only those network addresses issued to them by LCMF information security
personnel. Employees cannot extend or re-transmit network services in any way. This means you
must not install a router, switch, hub, or wireless access point to the LCMF network without
LCMF information security personnel approval. Employees cannot install network hardware or
7. software that provides network services without LCMF information security personnel approval.
Employees are not permitted to alter network hardware in any way.
Desktop workstations will only have wired access. Laptop can use wired or wireless
access. Also, Wireless access will be secured by WPA2.
Encryptions use
Physical building/ Hardware access rule
The Server room can only be accessed with a passcode as key. Only IT administrative
employees will have access. The room will be kept at 70 degrees Fahrenheit.
Intrusion Detection System
Intrusion detection is very important in enforcing organizational security policy Intrusion
detection systems provide assurance that the systems and networks are secure from identifiable
threats and/or threat agents.Audit logs from the perimeter access control systems will be
monitored/reviewed daily by the security analyst. System integrity checks of the firewalls and
other network perimeter access control systems will be performed on a monthly basis. Host
based intrusion tools will be checked on a weekly basis. All trouble reports will be reviewed for
anything that indicates intrusive activity. All suspected and confirmed instances of successful
and attempted intrusions must be immediately reported.
Procedure for violating security policy
8. If any employees are found guilty of violating these security policy procedures, they are
subject to the following: Verbal/ written warning, Final warning, and/or Suspension or
Termination.
DISASTER RECOVERY POLICY
The Disaster Recovery Plan ensures data integrity and redundancy in the case of unexpected data
loss (i.e. power outage, fire, water damage). Since the information being held by this facility is so critical,
we suggested having two separate disaster recovery plans. These plans can be separated into the onsite
disaster recovery plan and offsite disaster recovery plan.
Onsite Disaster Recovery Plan
Our Onsite Disaster Recovery begins with having generators in the case of sudden power
failure. There will be generators to support each building on the facility’s campus. These generators
will be powered by the electricity that they constantly store during normal electrical utility
conditions.
Though the servers provided in the proposal are top-of –line, we have also included a plan in
the case of a server failure. This plan entails having two complete servers to run the facility. There
will be a third stand-alone server strictly used for back-up. This server will daily conduct a full back-
up of each of the other two servers. This server will also take hourly images of each of the servers to
stay up-to-date through-out the day.
Offsite Disaster Recovery Plan
The Offsite Disaster Recovery Plan is in the case of loss of communication with all three of
the onsite servers. Our Offsite Disaster Recovery Plan involves a third party. This party is the Cerner
Corporation. Cerner provides a service called Skybox that is a cloud backup of a medical facility’s
9. medical files. The files are sent from the facility’s servers to the cloud daily. These files are
encrypted. The files are accessible by the medical facility at any time through Cerner programs and
the online cloud.
BUDGET
10.
11. PHYSICAL NETWORK AND LOGICAL DIAGRAM WRITTEN DESCRIPTION
Networking/Logical Design
The network design perfectly suits the situation of this facility. Let’s begin with the four
servers that will be implemented.
The Bridges
Since the two buildings cannot be connected through a physical means, the buildings will
be wirelessly connected through two Cisco WET200 Wireless-G Ethernet bridges. One bridge
will be located in the main building and the other in the datacenter. These bridges have an
uninterrupted line of sight.
Servers
Dell Power Edge 1620 Power servers will be used for this project. There will be 3 servers
at the data center. 1 of these servers will be for the patient’s files. Another server will be
allocated for the website, email, print, and employee files. The third and final server will be used
solely as a backup server for the other two (For more information on this server, please refer to
the Onsite Disaster Recovery section). The fourth and final server will be a print server. It will be
located in the main building. Each of these servers will be secured by an individual firewall.
Switches
This proposal calls for multiple switches to organize the many departments. There will be
12. one switch to separate the 3 servers located in the data center. There will be one more switch also
located in the data center for the IT department that is within the building. The other 9 switches
will be used to separate the numerous departments in the main building.
Wireless Routers
There will be a Cisco 891W Gigabit EN Security Wireless Router on each floor of the
facility. The routers will be WPA2 protected. The router access will only be available to
employees.
Desktop Workstations
The onsite workstations will have HP Compaq Pro 4300 All-in-one PC. Each of these
workstations will run Windows 7 and only Windows 7.
Laptops
A Dell Latitude E5430 laptop will be to each employee that requires a mobile
computer. These laptops will be pre-imaged to have all of the programs necessary for the
employee’s job.
(The operating systems and specs of all computers will be standardized to an extent so
that maintenance is simpler.)
13. Group Member Contributions
Nephtalie Pierre contributed to the final product in many ways. Nephtalie was in charge
of researching and writing the following: Executive summary, Security policy, and the budget
for the network policy. The executive summary just consists of the basic overview of the whole
report. The security policy was the longest part to do. Nephtalie researched a lot on the different
type of security policies and then proceed to write the network security policy from there with
help of the book as well as other internet resources. The budgetwas also time consuming.
Researching included: finding the best hardware that would best compliment the new network
design as well as looking for the most cost efficient equipment. She also initiated and organized
meetings for this group project. She also compiled the final product together.