Chapter FIVE: Recommendation AND CONCLUSIONS
This survey aimed at placing schemes for hazard direction of wellness information systems. In order to place these schemes, the survey used Kisumu county’s three wellness installations as a instance survey as it embarked on implementing HMIS solutions in its wellness sector with an purpose of bettering quality of its wellness services.
After analysing the information in the empirical scenes and informations analysis subdivision of this research, the following are the schemes that this research has uncovered for hazard direction of wellness information systems.
5.1.1Security Policy and Procedures
- Agreements with 3rd parties, such as IT sellers, which involve accessing, processing, pass oning with or pull offing the organisation ‘s information or information processing installations, or adding merchandises or services to information processing installations must cover all relevant security demands.
- Contracts between concern associates and covered entities must turn to administrative, physical, and proficient precautions that moderately and suitably protect the confidentiality, unity, and handiness of information.
- Hazard appraisals must be sporadically conducted to place, quantify, prioritise and pull off hazards. The prioritization should be accomplished by making and utilizing standards for hazard credence and aims which are of import to the organisation.
- A preparation course of study for employees should be established to educate and develop users for right and unafraid usage of applications and engineering solutions.
- As portion of footings of employment or contractual understandings, employees, contractors and 3rd party users must hold and subscribe the footings and conditions of their employment contract, which should province their duties and the organisations duties for information security.
- Clear processs must be in topographic point to guarantee the decently managed issue from the organisation of employees, contractors or 3rd parties and that all equipment is returned and the remotion of all entree rights are completed.
- A installation security program should be implemented, which protects the installation with appropriate entry/exit controls to guarantee that merely authorized forces are allowed entree, remotion of equipment from the installation is restricted to authorised persons, and repair/modification of physical constituents of the installation are documented and monitored. Workstations should be protected from remotion by unauthorised persons. A eventuality program should be implemented for allowing and enabling physical entree to jump authorised persons ( e.g. in the event primary authorised persons are ill or non available ) .
5.1.2 Access Controls and Management
- All information security duties must be decently documented. This is to guarantee seasonably, safe and effectual handling of all state of affairss, disposal user accounts- including add-ons, omissions, and alterations.
- Formal processs should be in topographic point to command the allotment of entree rights to information systems and services.
- All users must be assigned a alone identifier ( user ID ) for their concern usage. This alone ID shall be used entirely on calculating systems within the wellness installation which procedure EPHI, and a suited hallmark technique should be selected to formalize the individuality of a user.
- Controls, which are applicable to each state of affairs, should be applied to avoid misdemeanors of any legal duties ( e.g. statutory, regulative, or contractual ) , and of any security demands. Access controls could be door locks or computing machine watchwords, while other controls could be firewalls and anti-virus package.
- Management should regularly reappraisal and do appropriate corrections to the entree right ( s ) of single users at regular intervals utilizing a formal procedure.
- Policies and processs for information system monitoring must be established and implemented. This is done to establish consistence and criterions in computing machine activity logging, computing machine activity monitoring and coverage of any system events.
- Employee responsibilities and employees ‘areas of duty ‘ must be separated ; this is to cut down possible chances for unauthorised or unwilled alteration or abuse of the organisation ‘s calculating systems or assets.
- Formal ‘change policies and procedures’ should be established to pull off the execution of alterations to guarantee the attachment to criterions and security patterns.
5.1.3Virus / Malware Control
188.8.131.52Policies and processs should be implemented that reference the bar, sensing and remotion of malicious codification in the computing machine runing environment. This would cover all computing machines or devices, such as pressmans and thumb thrusts, which connect to computing machines.
5.1.4Network Perimeter Security Control
184.108.40.206If possible sensitive systems should hold a dedicated, and isolated, calculating environment.
220.127.116.11Timely information about proficient exposures of information systems being used should be obtained, the organisation ‘s exposure to the exposures should be evaluated and appropriate steps taken to turn to the associated hazard.
5.1.5Portable Devices and Remote Access Security
18.104.22.168Operating processs should be established or enhanced to protect paperss, computing machine media, input/output informations and system certification. This is done to protect sensitive information from unauthorised revelation, alteration, remotion, and devastation.
5.1.6 Secure Electronic Communication, Backups and Disaster Recovery Plans
- Information involved in electronic messaging must be suitably protected.
- A consistent attack to pull offing information security incidents, consistent with applicable jurisprudence, must be topographic point to manage information security events and failings once they are reported. Activities such as incident coverage, organisational response, resettlement of operations, grounds aggregation and system recovery are all constituents of incident response.
- Backup and Recovery plans must be documented, distributed through the organisation and easy obtained by staff in the event that an event occurs. The DR Plan must place the needed actions to set about following break to, or failure of, critical IT systems.
In decision, counties shiping on HMIS execution for service bringing in their wellness attention system need to do effectual usage of IT service suppliers contracted during the period of edifice of an HMS substructure. Main focal point should be on capacity edifice. There is need to place cardinal forces who will get necessary accomplishments in direction of information security and ICT direction for the HMIS platform from the origin of the undertaking. These cardinal forces should be retained to do certain that their cognition has been imparted to other forces in the wellness installation and county at big.
The county authorities in affair from MOH should come up with clear policies and processs for HMIS security which should be documented and handed over to a focal information security officer who in bend should do it his / her responsibility to develop all the wellness workers on the same.
It is besides a good pattern for the county authorities to cipher entire cost of ownership before shiping on edifice HMIS substructure with support from development spouses. The result of entire cost of ownership should steer the county in beging financess for direction of security and sustainability of their HMIS substructure.
In order to decrease the costs of the HMIS implementation/security and guarantee their sustainability, wellness installations or counties need to see coaction on the enterprises with other neighbouring counties that portion common values and civilization.
It is my strong belief that if the county authorities and peculiarly the wellness installations adopt the above outlined schemes, they will be in a place to consistently and methodologically pull off HMIS hazard in their wellness attention bringing systems and wellness information security will be good managed and informations confidentiality, Integrity, Availability and privateness will be preserved that would transform the wellness attention bringing system.
5.3Areas for Further Research
The relationship between Law and HMIS security, and moralss and revelation in Kenya are countries deserving extra research. As noted in my treatments and decisions that one manner of endeavoring for sustainability of HMIS execution is to join forces with other counties within and even outside the parts. This is besides another country for research as coaction on this issue may affect streamlining of some operation criterions and security direction patterns that need to be explored. The impact of such coactions on security direction of the HMIS substructure is another country worth a research. Research should be conducted on interoperability of the many HMIS platforms bing in the wellness installations with a position of developing, following and implementing one individual platform that would be able to pass on seamlessly departmentally. Last a thorough research should be desperately conducted on challenges that come with FUNSOFT execution with a position of heightening its user friendliness and in collaborating losing inside informations identified in its execution presently.