Database Security Assessment

Modern healthcare systems incorporate databases for effective and efficient management of patient healthcare. Databases are vulnerable to cyberattacks and must be designed and built with security controls from the beginning of the life cycle. Although hardening the database early in the life cycle is better, security is often incorporated after deployment, forcing hospital and healthcare IT professionals to play catch-up. Database security requirements should be defined at the requirements stage of acquisition and procurement.

System security engineers and other acquisition personnel can effectively assist vendors in building better healthcare database systems by specifying security requirements up front within the request for proposal (RFP). In this project, you will be developing an RFP for a new medical healthcare database management system.

Parts of your deliverables will be developed through your learning lab. You will submit the following deliverables for this project:

An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report.
An MS-Excel spreadsheet with lab results.

Step 1: Provide an Overview for Vendors

As the contracting officer’s technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital’s different organizational needs. What departments or individuals will use the database system, and for what purposes?

Provide an overview including the types of data that may be stored in the system and the importance of keeping these data secure. Include this information in the RFP.

After the overview is complete, move to the next step to provide context for the vendors with an overview of needs.

Step 2: Provide Context for the Work

Now that you have provided vendors with an overview of your hospital’s needs, you will provide the vendors with a context for the work needed.

Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate.

It is important to understand the vulnerabilities of a relational database management system (RDBMS). Read the following resources about RDBMSs:

error handling and information leakage
insecure handling
cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws
SQL injections
memory leakage
insecure configuration management
authentication (with a focus on broken authentication)
access control (with a focus on broken access control)

Describe the security concepts and concerns for databases.
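Three of the concerns listed above (SQL injection, error handling and information leakage, and access control) are easiest to describe in the RFP when shown as a weak implementation beside its hardened form. The following Python example is added here for that purpose; it is not part of the project text. It uses a constructed SQLite patient table with made-up records, and the function names are this example's own.

```python
"""Vulnerable versus hardened patient lookup against a constructed SQLite table.

Shows: SQL injection via string concatenation vs. a parameterised query,
information leakage from raw driver errors vs. a generic error response,
and access control via a read-only connection for view-only users.
"""
import logging
import os
import sqlite3
import tempfile

log = logging.getLogger("db-demo")

# Constructed sample data standing in for a hospital patient table.
PATIENTS = [
    (1, "Ada Lovelace", "MRN-0001", "cardiology"),
    (2, "Alan Turing", "MRN-0002", "oncology"),
]


def create_db(path):
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT, department TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", PATIENTS)
    conn.commit()
    conn.close()


def lookup_vulnerable(conn, mrn):
    """Builds the SQL by concatenating user input: the SQL injection flaw."""
    query = "SELECT name, department FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, mrn):
    """Parameterised query: the driver treats mrn as data, never as SQL text."""
    return conn.execute(
        "SELECT name, department FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def leaked_error(conn):
    """Returns the raw driver error a caller would see from the vulnerable
    lookup on a single quote: it exposes query structure (information leakage)."""
    try:
        lookup_vulnerable(conn, "'")
    except sqlite3.Error as exc:
        return str(exc)
    return ""


def guarded_update(conn, patient_id, department):
    """Write with error handling that does not leak internals: the detail goes
    to a server-side log, the caller gets a generic message."""
    try:
        conn.execute(
            "UPDATE patients SET department = ? WHERE id = ?", (department, patient_id)
        )
        conn.commit()
        return {"ok": True}
    except sqlite3.Error as exc:
        log.warning("update failed for patient %s: %s", patient_id, exc)
        return {"ok": False, "error": "update failed"}


def readonly_connection(path):
    """Least privilege at the connection level: a read-only handle for users
    who only need to view records (SQLite URI mode=ro)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def run_demo():
    """Exercises each concern and returns the observations as a dict."""
    path = os.path.join(tempfile.mkdtemp(), "patients.db")
    create_db(path)
    rw = sqlite3.connect(path)
    ro = readonly_connection(path)
    injected = "x' OR '1'='1"  # classic tautology payload used only to show the contrast
    results = {
        "vulnerable_rows": len(lookup_vulnerable(rw, injected)),  # every patient returned
        "hardened_rows": len(lookup_hardened(rw, injected)),      # literal MRN not found: 0
        "legit_rows": len(lookup_hardened(ro, "MRN-0002")),       # normal lookup still works
        "vulnerable_error": leaked_error(rw),                     # raw error text leaks structure
        "readonly_update": guarded_update(ro, 1, "oncology"),     # write blocked, generic error
    }
    rw.close()
    ro.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same three points map directly onto RFP requirements: all database access through parameterised statements, error responses that never echo driver or query text to the client, and separate database roles (read-only for view-only personnel) rather than one shared account.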

Identify at least three security assurance and security functional requirements for the database that contains information for medical personnel and emergency responders.

Include this information in the RFP.

In the next step, you will provide security standards for the vendors.

Step 3: Provide Vendor Security Standards

In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes.

Read the following resources to prepare:

database models
Common Criteria (CC) for information technology security evaluation
evaluation assurance levels (EALs)
continuity of service

Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks.

Include these security standards in the RFP.

In the next step, you will describe defense models for the RFP.

Step 4: Describe Defense Models

Now that you have established security standards for the RFP, you will define the use of defense models. This information is important since the networking environment will have numerous users with different levels of access.

Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, read about defensive principles.

Read these resources on the enclave computing environment:

enclave/computing environment
cyber operations in DoD policy and plans

Explain how enclave computing relates to defensive principles. The network domains should sit at different security levels, with different levels of access and different read and write permissions.

Define enclave computing boundary defense.

Include enclave firewalls to separate databases and networks.

Define the different environments you expect the databases to be working in and the security policies applicable.

Provide this information in the RFP.