Capital University of Science and Technology

Department of Computer Science

SUBMITTED BY:

REGISTRATION NO:

COURSE CODE:

CS3713
SUBMITTED TO:

TABLE OF CONTENTS:

1. Title page
2. Introduction
   - Introduction to Security Policies
3. Analysis
   - Communication Security
   - Application Security
   - Risk Assessment
4. Discussion on Findings
5. Conclusion and Recommendation
6. References

ORGANIZATION NAME:

INTRODUCTION:
Barnsley Hospital NHS Foundation Trust (the Trust) recognises its responsibility to
have effective security measures in place in order to provide a safe environment
for its patients, staff and visitors, by the reduction of security hazards and
minimisation of crime on the premises under its control. This responsibility needs
to be achieved whilst still recognising the need for the site to be easily accessible
to patients and visitors.

INTRODUCTION TO SECURITY POLICIES:


This policy outlines the processes by which the Trust/BFS manages the provision
of security services and encourages all staff to work together, and with external
agencies, to minimise the risk of security breaches.

At Barnsley Hospital, we prioritize the security and confidentiality of patient information, as well as the
overall protection of our systems and resources. To achieve this, we have implemented comprehensive
security policies that outline the guidelines and procedures for maintaining a secure environment. This
introduction aims to provide an overview of our security policies and their key components.

Information Security Policy:

- This policy establishes the framework for safeguarding patient information and other sensitive
data.
- It outlines the responsibilities of staff members regarding the protection, handling, and disposal
of confidential information.
- It emphasizes the importance of data privacy and compliance with relevant laws and
regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

1. Access Control Policy:

- The Access Control Policy defines the procedures for granting and managing user access to our
systems and resources.
- It specifies user authentication methods, such as strong passwords and multi-factor
authentication, to prevent unauthorized access.
- It outlines the process for granting and revoking access privileges based on job roles and
responsibilities.

2. Incident Response Policy:

- This policy outlines the steps to be followed in the event of a security incident or data breach.
- It defines the roles and responsibilities of the incident response team, which includes members
from IT, security, legal, and management.
- It emphasizes the need for timely detection, containment, and resolution of security incidents to
minimize potential harm or impact.

3. Physical Security Policy:

- The Physical Security Policy addresses the protection of physical assets, including servers,
networking equipment, and storage devices.
- It defines access controls, surveillance measures, and visitor management protocols to
safeguard physical areas within the hospital premises.
- It ensures that only authorized personnel have access to sensitive areas, such as data centers
and server rooms.

4. Security Awareness and Training Policy:

- This policy promotes a culture of security awareness and provides guidelines for staff training
programs.
- It requires regular security awareness sessions to educate employees about potential threats,
best practices, and their role in maintaining security.
- It emphasizes the importance of reporting security incidents, suspicious activities, or breaches
promptly.

These policies serve as a foundation for maintaining a secure environment at Barnsley Hospital. Regular
review and updates ensure their relevance and effectiveness in the face of evolving security threats. All
staff members are expected to familiarize themselves with these policies and adhere to them to protect
patient information and support the overall security objectives of the hospital.

ANALYSIS:
- Implementation of data protection measures to safeguard patient information and sensitive
data.
- Secure storage and management of electronic and physical medical records.
- Encryption and access controls to ensure confidentiality and integrity of patient data.
- Secure communication channels and messaging systems for sharing sensitive information
among healthcare professionals.
- Secure Wi-Fi networks with encryption protocols to ensure safe wireless communication within
the hospital premises.
- Implementation of access controls, authentication mechanisms, and input validation techniques
to prevent unauthorized access and protect against common security vulnerabilities.

NETWORK SECURITY:
Network security is a critical aspect of maintaining the security and integrity of information systems
within any healthcare institution, including Barnsley Hospital. For the most up-to-date and accurate
information, it is best to contact Barnsley Hospital directly.

1. Firewalls:
Firewalls act as a barrier between the hospital's internal network and external networks,
monitoring and controlling incoming and outgoing network traffic based on predetermined
security rules. They help protect against unauthorized access and potential threats from the
internet.

2. Intrusion Detection and Prevention Systems (IDPS):
IDPS tools are employed to detect and respond to potential intrusion attempts and malicious
activities on the hospital's network. These systems analyze network traffic patterns, detect
anomalies, and raise alerts or take proactive measures to prevent or mitigate security breaches.

3. Secure Wi-Fi Networks:
Hospitals often have secure Wi-Fi networks that use encryption protocols (such as WPA2 or
WPA3) to protect wireless communications. Access to the Wi-Fi network is typically restricted
and requires authentication through strong passwords or other secure methods.

4. Virtual Private Networks (VPNs):
VPNs create secure and encrypted connections between remote locations and the hospital's
network, allowing authorized personnel to access network resources securely from outside the
hospital premises. VPNs help ensure that data transmitted over public networks remains
confidential and protected.

5. Network Segmentation:
Hospitals often employ network segmentation to separate different departments or areas of
the network. By isolating sensitive systems and limiting access to specific user groups, the
impact of a potential security breach can be minimized, and unauthorized lateral movement
within the network can be restricted.

6. Regular Patching and Updates:
Keeping network infrastructure devices, such as routers, switches, and servers, up to date with
the latest security patches and firmware updates is crucial. This helps address known
vulnerabilities and ensures that the network remains protected against emerging threats.

7. User Access Controls: Strong user access controls are implemented to ensure that only
authorized personnel can access the hospital's network resources. This includes the use of
strong passwords, multi-factor authentication, and role-based access controls that grant
permissions based on job responsibilities.

8. Security Monitoring and Logging: Hospitals employ security monitoring systems to
monitor network activity, detect suspicious events, and generate logs for analysis. This helps
identify potential security incidents and enables timely response and investigation.

It's important to note that network security practices can vary based on the specific needs and
infrastructure of Barnsley Hospital. To obtain the most accurate and up-to-date information on Barnsley
Hospital's network security measures, it is recommended to contact the hospital's IT department or
relevant authorities responsible for network security.
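Items 7 and 8 above (role-based access controls, and logging that supports detection) can be shown together in code. The following is an added example written for this report; it is not Barnsley Hospital's code, and the roles, permissions, user names and log line format are all constructed for illustration. It enforces a deny-by-default role check, writes each decision to an audit log, and then scans that log for an account that is repeatedly refused access within a short window, which is the kind of event a monitoring team would want to investigate.

```python
"""Added example (not from the report or from Barnsley Hospital): a minimal
role-based access check with audit logging, and a detector that scans the
resulting audit lines for repeated denials from one account. Role names,
permissions, users and the log format are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role -> permission mapping. Anything not listed is denied
# (deny by default), so a newly created role starts with no access at all.
ROLE_PERMISSIONS = {
    "clinician": {"patient_record:read", "patient_record:write"},
    "receptionist": {"patient_record:read:demographics", "appointment:write"},
    "it_admin": {"server_room:enter", "firewall:configure"},
}

# Hypothetical user -> roles assignment (a user may hold several roles).
USER_ROLES = {
    "alice": {"clinician"},
    "bob": {"receptionist"},
    "carol": {"it_admin"},
}

AUDIT_LOG: list[str] = []  # in-memory stand-in for a syslog/SIEM destination


def is_allowed(user: str, permission: str) -> bool:
    """Return True only if one of the user's roles grants the permission."""
    roles = USER_ROLES.get(user, set())  # unknown user -> no roles -> denied
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def access(user: str, permission: str, when: datetime) -> bool:
    """Enforce the check and record the decision in a constructed log format."""
    decision = "ALLOW" if is_allowed(user, permission) else "DENY"
    AUDIT_LOG.append(f"{when.isoformat()} user={user} perm={permission} decision={decision}")
    return decision == "ALLOW"


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse one constructed audit line back into its fields."""
    ts, *fields = line.split(" ")
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["perm"], kv["decision"]


def repeated_denials(lines, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Return {user: max DENY count seen inside any sliding time window} for
    users whose count reaches the threshold."""
    denies = defaultdict(list)
    for line in lines:
        ts, user, _perm, decision = parse_line(line)
        if decision == "DENY":
            denies[user].append(ts)
    flagged = {}
    for user, stamps in denies.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def demo() -> dict[str, int]:
    """Constructed sequence of access attempts; returns the flagged accounts."""
    AUDIT_LOG.clear()
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    access("alice", "patient_record:read", t0)                        # allowed
    access("bob", "patient_record:read", t0 + timedelta(minutes=1))   # denied: wrong role
    for i in range(3):  # receptionist repeatedly tries a clinical write
        access("bob", "patient_record:write", t0 + timedelta(minutes=2 + i))
    access("carol", "server_room:enter", t0 + timedelta(minutes=6))   # allowed
    access("dave", "patient_record:read", t0 + timedelta(minutes=7))  # unknown user: denied
    return repeated_denials(AUDIT_LOG)


if __name__ == "__main__":
    print(demo())  # {'bob': 4}
```

The permission check never consults anything other than the role table, so adding a user with no role grants nothing, and a single denial (the unknown account "dave") is logged but not flagged; only the sustained pattern from "bob" crosses the threshold.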

COMMUNICATION SECURITY:

Barnsley Hospital, like any healthcare institution, places a high priority on communication security to
protect patient confidentiality and sensitive medical information. It's important to note that specific
practices may have changed or evolved over time, so it's always best to contact Barnsley Hospital
directly for the most current information.

- Secure Messaging Systems:
Hospitals often use encrypted messaging platforms to transmit sensitive information securely.
These systems ensure that only authorized personnel can access patient data and prevent
unauthorized interception or eavesdropping.

- Access Controls:
Barnsley Hospital likely has strict access controls in place to restrict access to patient
information. This includes implementing unique user logins, strong passwords, and role-based
permissions that limit access to only those who require it for their job functions.

- Secure Networks:
Hospitals employ secure network infrastructures with firewalls, intrusion detection and
prevention systems, and other security measures to protect against unauthorized access and
external threats. This helps prevent unauthorized individuals from intercepting or tampering
with communications.

- Staff Training:
Hospitals typically provide regular training sessions for staff on privacy and security protocols.
This ensures that employees understand the importance of protecting patient information and
are aware of the best practices to follow when communicating sensitive data.

- Compliance with Regulations:
Hospitals must comply with data protection regulations, such as the General Data Protection
Regulation in the European Union or the Health Insurance Portability and Accountability Act in
the United States. Compliance with these regulations ensures that appropriate security
measures are in place to protect patient information.

Remember, these are general measures commonly employed by hospitals to ensure communication
security, and specific practices may vary.

APPLICATION SECURITY

Application security is a crucial aspect of maintaining the security and integrity of software applications
used within healthcare institutions like Barnsley Hospital.

- Secure Development Lifecycle:
Barnsley Hospital likely follows secure software development practices to ensure that
applications are designed, coded, and tested with security in mind. This includes conducting
security requirements analysis, performing secure coding practices, and conducting thorough
testing and vulnerability assessments during the development process.

- Access Controls:
Applications used within Barnsley Hospital likely employ access controls to ensure that only
authorized personnel can access and use the applications. This includes implementing user
authentication mechanisms, strong password policies, and role-based access controls that limit
user privileges based on job responsibilities.

- Encryption:
Sensitive data transmitted or stored within applications may be encrypted to protect it from
unauthorized access. Encryption helps ensure that even if the data is intercepted, it remains
unreadable and unusable to unauthorized individuals.

- Input Validation:
Applications typically employ input validation techniques to prevent common security
vulnerabilities like SQL injection, cross-site scripting (XSS), and other forms of code injection
attacks. Validating and sanitizing user input helps protect against potential exploits and
vulnerabilities.

- Regular Patching and Updates:
It is essential to keep applications up to date with the latest security patches and updates
provided by the application vendors. Regular patching helps address known vulnerabilities and
ensures that applications remain secure against emerging threats.

- Secure Configuration:
Applications should be configured securely, following best practices and guidelines provided by
the vendors. This includes disabling unnecessary features and services, configuring strong
authentication mechanisms, and utilizing appropriate encryption protocols.

- Security Testing:
Barnsley Hospital likely conducts regular security testing and assessments of their applications.
This may include penetration testing, vulnerability scanning, and code reviews to identify and
address potential security weaknesses and vulnerabilities.

- User Awareness and Training:
Staff members using applications within Barnsley Hospital should receive training and
awareness programs to understand the importance of application security and follow best
practices. This helps prevent human errors and ensures that personnel are aware of potential
risks and how to mitigate them.

It's important to note that specific application security practices may vary based on the specific
applications used within Barnsley Hospital.
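The Input Validation item above names SQL injection as the vulnerability that validation and safe query construction prevent. The following added example (written for this report, not code from Barnsley Hospital's applications) puts a string-built query beside its parameterised equivalent against a constructed in-memory SQLite table, and adds an allowlist check on the identifier format as a second layer. The table name, column names, record values and the "exactly ten digits" identifier rule are assumptions for illustration; the real NHS number also carries a check digit that this example does not verify.

```python
"""Added example (not from the report or from Barnsley Hospital's systems):
a string-built SQL query beside a parameterised one, run against a constructed
in-memory SQLite table, plus an allowlist validation step. Table, columns,
records and the identifier format are made up for illustration."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the records are fictitious."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (nhs_number TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?)",
        [("9434765919", "Example Patient A"), ("9434765870", "Example Patient B")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, nhs_number: str) -> list[str]:
    # Defective on purpose: the input is spliced into the SQL text, so the
    # structure of the query is under the caller's control.
    sql = f"SELECT name FROM patients WHERE nhs_number = '{nhs_number}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, nhs_number: str) -> list[str]:
    # Parameterised: the driver passes the value separately from the SQL, so
    # it is only ever compared as data and never parsed as SQL.
    sql = "SELECT name FROM patients WHERE nhs_number = ?"
    return [row[0] for row in conn.execute(sql, (nhs_number,))]


# Assumed identifier format for this example: exactly ten digits.
NHS_NUMBER = re.compile(r"\d{10}")


def valid_nhs_number(value: str) -> bool:
    """Allowlist validation: accept only strings that are exactly ten digits."""
    return NHS_NUMBER.fullmatch(value) is not None


def lookup_validated(conn: sqlite3.Connection, nhs_number: str) -> list[str]:
    """Validate first, then query with parameters (defence in depth)."""
    if not valid_nhs_number(nhs_number):
        raise ValueError("nhs_number must be exactly ten digits")
    return lookup_safe(conn, nhs_number)


def demo() -> dict:
    """Run both lookups with a normal value and with a constructed tautology."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed malicious input for the comparison
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "9434765919"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),  # leaks every row
        "safe_tautology": lookup_safe(conn, tautology),              # matches nothing
        "validated_rejects": not valid_nhs_number(tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast is the point: the same input that makes the string-built query return the whole table is treated as an ordinary (non-matching) string by the parameterised query, and is refused outright by the format check before any query runs. Output encoding for XSS is the analogous control on the output side and is not shown here.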

RISK ASSESSMENT
Barnsley Hospital, like any healthcare institution, regularly conducts risk assessments to identify
potential hazards, evaluate risks, and implement appropriate measures to mitigate those risks. It's
important to note that specific practices may have changed or evolved over time, so it's always best to
contact Barnsley Hospital directly for the most current information.

- Hazard Identification:
The first step in a risk assessment is to identify potential hazards or risks within the hospital
environment. This can include physical hazards, such as slippery floors or faulty equipment, as
well as operational hazards like medication errors or infection control issues.

- Risk Evaluation:
Once hazards are identified, the next step is to assess the level of risk associated with each
hazard. This involves evaluating the likelihood of an incident occurring and the potential severity
of its consequences. Risks are often categorized based on their level of priority or urgency.

- Risk Mitigation:
After evaluating the risks, strategies and measures are put in place to mitigate or minimize
those risks. This can involve implementing safety protocols, providing staff training and
education, improving equipment maintenance procedures, enhancing infection control
measures, or making physical modifications to the hospital environment.

- Monitoring and Review:
Risk assessments are not a one-time event; they are an ongoing process. Hospitals continually
monitor the effectiveness of the implemented risk mitigation measures and regularly review and
update their assessments as new risks emerge or existing risks change.

- Compliance with Regulations:
Hospitals must adhere to regulatory requirements and guidelines related to risk management.
This includes compliance with standards set by regulatory bodies such as the Care Quality
Commission (CQC) in the UK. Compliance ensures that the hospital is meeting the necessary
standards for patient safety and risk management.

It's important to note that the specific risk assessments conducted by Barnsley Hospital may cover a
wide range of areas, including patient safety, information security, infection control, emergency
management, and more. Each area may have its own specific risk assessment protocols and procedures.
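The four steps above (identify, evaluate by likelihood and severity, mitigate, then review) can be carried through on a small constructed set of hazards. The following is an added example for this report, not Barnsley Hospital's own risk scoring: it uses an assumed 5x5 likelihood-by-severity matrix with assumed priority bands, ranks the hazards, and re-scores one of them after a mitigation is recorded, which is what the monitoring-and-review step amounts to in practice.

```python
"""Added example (not from the report or from Barnsley Hospital): a 5x5
likelihood x severity risk matrix applied to constructed hazards, with
ranking and a re-score after mitigation. The scales, band thresholds and
hazards are assumptions for illustration."""
from dataclasses import dataclass, replace

# Assumed ordinal scales; a real register would define these locally.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Hazard:
    name: str
    likelihood: str
    severity: str
    controls: str = ""  # mitigation currently in place, kept for the review record


def score(h: Hazard) -> int:
    """Risk score = likelihood rating x severity rating (range 1..25)."""
    return LIKELIHOOD[h.likelihood] * SEVERITY[h.severity]


def band(s: int) -> str:
    """Assumed priority bands on the 1..25 score."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def prioritise(hazards: list[Hazard]) -> list[tuple[str, int, str]]:
    """Rank hazards by score, highest first; ties keep register order."""
    ranked = sorted(hazards, key=score, reverse=True)
    return [(h.name, score(h), band(score(h))) for h in ranked]


def mitigate(h: Hazard, control: str, new_likelihood: str) -> Hazard:
    """Record a control and the likelihood it is judged to leave behind.
    Severity is unchanged: a control usually reduces how often an incident
    happens, not how bad it is when it does."""
    return replace(h, controls=control, likelihood=new_likelihood)


# Constructed hazard register for the example.
REGISTER = [
    Hazard("Unpatched server reachable from the ward network", "likely", "major"),
    Hazard("Slippery floor in outpatient corridor", "possible", "minor"),
    Hazard("Medication dispensing error", "unlikely", "catastrophic"),
    Hazard("Unauthorised access to patient records", "possible", "major"),
]


def demo() -> dict:
    """Before/after view of the register around one mitigation."""
    before = prioritise(REGISTER)
    patched = mitigate(REGISTER[0], "patched and moved behind segmented firewall", "rare")
    after = prioritise([patched] + REGISTER[1:])
    return {"before": before, "after": after, "patched_score": score(patched)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The server hazard starts at 4 x 4 = 16 ("high") and drops to 1 x 4 = 4 ("low") once the control is recorded, which moves it to the bottom of the ranking; the point of the review step is that this re-scoring happens on a schedule rather than once.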

Discussion on Risk Management:

The information provided on Barnsley Hospital is accurate and aligns with standard practices in risk
management. Risk assessments are indeed an essential part of ensuring patient safety and mitigating
potential hazards in healthcare settings.

In summary, the information provided accurately reflects the key steps and concepts involved in risk
assessments within healthcare institutions like Barnsley Hospital. Risk assessments are integral to
identifying, evaluating, and mitigating potential hazards, and they contribute significantly to patient
safety and the overall quality of care.

Conclusion and Recommendation:

The security policies outlined cover various aspects, such as information security, access control,
incident response, physical security, and security awareness and training. These policies demonstrate
the hospital's dedication to protecting patient information, maintaining a secure network infrastructure,
ensuring secure communication channels, and implementing secure software applications. The analysis
section discusses the implementation of specific security measures, such as data protection, access
controls, encryption, network segmentation, and security monitoring. It emphasizes the importance of
regular patching, user training, and compliance with regulations. The discussion on risk management
underscores the significance of hazard identification, risk evaluation, risk mitigation, monitoring, and
compliance with regulatory standards. Overall, Barnsley Hospital appears to have comprehensive
security measures in place to safeguard patients, staff, and sensitive information.

References:

https://www.barnsleyhospital.nhs.uk/uploads/2017/02/Security-Policy.pdf
https://www.barnsleyhospital.nhs.uk/
