Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
For
Team 12:
Jana Giordani
Marlene Marte
Anthony McClurkin
Kwanhaun Belinda Ng
Roosevelt Woodley
EXECUTIVE SUMMARY
The Leon County Health Center IT team has defined a policy which assigns responsibility
for the design, deployment, management, coordination, and operation of the facility's future
reliable network infrastructure on the grounds of the Center. We are aware of the critical
nature of our organization, so we have optimized for 99.99% uptime, and aim for 100% uptime!
The Written Description describes the network in detail and references the diagrams in
the Appendix A & B of our network layouts, and includes all hardware & software information.
The Network Policies remind everyone that operation of these systems is a privilege, which can
be taken away at any point, and are designed to protect employees and clients from illegal or
damaging actions while using the network system. It basically outlines what you can and cannot
look at or perform while using our network, and the repercussions for violating this agreement.
It includes everything on the network, not just the Internet access, ranging from printing and
email usage to protocol standards and patches to the operating systems.
We are committed to respecting all patients’ and clinical research subjects’ rights to
maintain the privacy of their health information. Our standards are based on those of the
federal law known as the Health Insurance Portability and Accountability Act (HIPAA).
Therefore, the Security Policy does just that, and touches base on systems security as well as
physical security of the center. It provides a procedure for handling security violations as well.
Our Disaster Recovery Policy describes in detail the procedures and policies in event
that a "disaster" occurs. This includes how we plan to backup our servers, manage viruses in the
systems, disk/fault tolerance, power failure, and how we plan to bring all things to a "normal"
working order after an event happens. Our Budget spreadsheet outlines the costs relating to
our proposal, including all the hardware and software of the infrastructure.
Appendix A is a physical network diagram which lays out the location of every proposed
network device and their endpoints (workstations, servers, etc). Appendix B is the logical
diagram, and shows how our network will function, and how the information would flow with
all services provided.
WRITTEN DESCRIPTION
Looking at the Appendix A: Physical Network Diagram, it displays the actual layout of the
network. We designed the network very similarly to how the layout of the office within the
medical facility looks like (from the inside). We took the managing and head roles of the facility
(the Director, Chief Medical Officer, and 3 rotating Doctors), and combined them to share the
same printer labeled as “Management.” The Medical Supplies and Medical Records are also
sharing a printer. All of the other departments get their own printers (Human Resources, Billing
& Accounting, Public Outreach, Receptionist, Counseling, Officer Manager, and a general
mobile printer). This also includes the IT department of course (we get our own printer too!). As
far as the other 200 mobile users that need Wi-Fi, we designed and created a wireless access
point for them, and simulated the 200 users.
With the IT department, we decided to separate them from the medical facilities'
building. In the diagram, we included all the servers, the patch panel, and the PBX. The cabling
standard that was used was 100 Base T - Cat 5 UTP Ethernet, as labeled in the diagram. As far as
the part of the directions that says "The buildings are separated by a two lane paved street. The
city will not grant a permit to dig under the street to run cabling,” we simulated the IT
department to be able to use the WPA for internet connectivity (as seen in the diagram with
the yellow bolts).
In regards with the Appendix B: Logical Network Diagram, we decided to dedicate the
instructed address range to the servers (instructions asked for the 5 external IP addresses to be:
90.44.22.5 - 90.44.22.9). We have the servers connected to a switch. We decided on a switch
because they are more "intelligent" than a hub and faster in speed. Note that we didn't use a
hub also because they route data to all devices at one time, which would only slow our network
down. Also, we have the outside service router attached to a simulated Pix Firewall. This is
designed to keep the network as secure as possible. The firewall can check packets against an
access control list, flap packets, etc. Beyond the firewall, it is connected to the gateway router,
which directs traffic to the Internet. We are assuming that not everybody understands this
process, but this is the way a team member saw it done in the Military and it worked. It is more
designed for a mobile setup, but it can be used stationery as well.
For the internal network, the inside service router is using Network Address Translation
(NAT) to translate the private IP addressed to public IP addresses. We chose the private class C
address for the subnetting. Specifically, we used the IP address 192.168.1.0 /24 and broke it
down for what we needed. We implemented switches to group the users in different broadcast
domains as the instructions wanted it that way. Those different broadcast domains are Virtual
Local Area Networks (VLANs).
For the cabling, router-to-router used a cross-over cable. For router-to-switch, we used
straight-through cables. From PC-to-router, we used roll-over cables. Also, on the outside
network, we simulated some IP addresses for the firewall, gateway router, outside service
router, and outside switch.
For the different departments, we decided to put the Director, Chief, Medical Officer,
and the 3 rotating Doctors all on the same VLAN, and labeled them Management. All of the
other different departments got their own separate and respective VLANs. Doing this keeps the
different departments in their own broadcast domain. Keeping the different departments in
different broadcast domains also improves the traffic flow and makes it go faster. If they were
in the same domain, we would have one big collision domain which would make the network
very slow and cause more errors to occur.
NETWORK POLICIES
PURPOSE:
This policy is designed to protect employees and clients from illegal or damaging actions by
individuals, either knowingly or unknowingly.
The Leon County Health Center provides a communication network capable of offering
electronic mail (e-mail), Internet access, printing, where applicable, but not limited to computer
equipment, software, operating systems, storage media, and network accounts for employees
to assist in and make possible legitimate business communications. The Health Care Center’s
network and systems should be dedicated to providing service to its patients and used primarily
for medical business.
Operation of these systems is a privilege. Employees should never put information on or access
e-mail or Internet services unless they feel comfortable accessing or putting the same
information in a widely distributed office memo. By using the Leon County Health Center’s
network systems (including e-mail and Internet), employees agree that they are aware of,
understand and will comply with the provisions of the policy.
The Center’s computer system is provided to assist employees to perform their jobs, store
confidential files, and communicate with each other internally and with outside individuals and
organizations, where applicable. The Center’s computer system should primarily be used for
medical business purposes. Inappropriate use exposes The Leon County Health Center to risks
including virus attacks, compromise of network systems and services, and legal issues.
A. Use of the Center’s computer systems is to engage in communication which violates federal,
state, or local laws, codes and regulations, Center’s policies and procedures is strictly
prohibited at all times.
B. In addition, the following uses of the Center’s systems are inappropriate and are prohibited
at all times unless there is legitimate business need. The need must be conveyed to and the
use authorized by the employee’s department director prior to such use. Inappropriate uses
of the Center’s system include, but are not limited to:
C. Due to the adverse effect that instant messaging has on the network performance,
employees may not access instant messaging software. No personal access to instant
messaging will be allowed at any time.
A. The Center’s computer systems may be used by employees for business purposes.
A. The Internet is a great storehouse of information and contains resources that are invaluable
and can greatly enhance our ability to deliver cost-effective services to our patients. The
Center encourages exploration of the Internet for legitimate business-related or
professional activities.
B. During the employee’s normal work hours, the only use of the Center’s Internet account
should be legitimate Center business. Employees who work within the public’s visual site
should be cognizant of public perception and should use care and discretion in providing an
appropriate image of the Leon County Health Center.
Information Technology Services would be responsible for setting parameters and allocating
maximum disk space for all computer system users. Employees who can demonstrate
legitimate business needs for more disk space than which is allocated shall make a request to
increase their disk space. Such requests shall be evaluated and approved on a case-by-case
basis.
Employees’ e-mail may become corrupt for a number of reasons. If the corruption is a direct
result of a significant technical failure or natural disaster, the Information Technology Services
will assist in rebuilding the mailboxes and recover lost files.
The Center treats all information transmitted through or stored in the system, including e-mail
messages, as business information. An employee or anyone else using the Center’s computer
has no expectation of privacy in use of that computer.
The Leon County Health Center has the obligation to maintain all electronic files and records in
the same manner in which paper records are to be maintained in accordance with the State,
Federal, and Local archivist records retention schedule.
All records should be printed solely for the use of a patient or business manner. In the event
that a file is printed and is no longer needed it should be properly discarded and shredded to
ensure our patients confidentiality.
The purpose of the workstation configuration is to establish standards for the Center’s base
configuration of workstation computers that are authorized to operate within the Leon County
Health Center. Since data that is created, manipulated and stored on these systems may be
proprietary, sensitive or legally protected, it is essential that the computer systems and
computer network, as well as the data that is stores, be operated and maintaine4d in a secure
environment and in a responsible manner.
Leon County Health Center is committed to providing employees with reliable technology in a
stable operating condition while appropriately addressing the Center’s needs and maintaining
the medical system’s integrity and data security.
There are two security access levels at the Leon County Health Center: General and
Administrator.
1. The General access level allows most administrative power with some restrictions.
Installation of software or hardware would require the assistance of the IT department.
2. The Administrator access allows the employee to have complete and unrestricted access to
the computer. The ability to install hardware or software, edit the registry.
3. However, at a need to basis an employee’s access level might be changed to help facilitate
that job responsibilities.
4. Each employee will receive a username.
1. Computer names should begin with the departmental abbreviation (e.g. HR).
2. Computers used primarily by one person, the name should end with a hyphen and that
person’s username (e.g. HR-1254). If a person has more than one computer it should be
used (e.g. HR-1254-2).
3. Only alphanumeric characters and hyphens should be used.
4. The computer name will normally stay the same for each staff members, so when they get a
new machine it will be set up with the same name as the old one.
5. All computers will be placed on the Active Directory.
The purpose of the standards on the Leon County Health Center is to improve the durability and
efficiency of the network.
1. The Leon County Health Center has a multiple computer communication protocols on it
network. TCP/IP is the only protocol that is capable of communication across the Internet
and the only one that will be supported by all computers.
2. The routers will be placed strategically on the network to partition the traffic into sections
(LANs) and to direct traffic between the LANs as needed.
3. Any unregistered device on the network is subject to disconnection from the Leon County
Health Center network, without notice, whether or not they are disrupting network service.
All the network devices (routers, hubs, etc.) should use the following policy:
1. The devices must be inventoried. By inventoried it is meant to be entered into the database
with the domain name service.
2. If a password is needed to access the device for querying its configuration, understanding
its operation or setting parameters in the device, then the passwords to all the devices need
to be in the database.
3. All storage servers must be kept offsite at a remote location to ensure security parameters.
Each device on the network must have the recent and updated patches as long as they do not
have any immediate interface with the software.
Devices must be left on to ensure that the network can have a constant maintenance and up to
date software for the network.
Use of the Leon County Health Center’s systems including e-mail, Internet services, and printing
is a privilege. Inappropriate use or violations of this policy may result in disciplinary action, up
to and including termination.
If in the course of their normal duties, department directors, managers, supervisors, employees
and Information Technology Services staff have any reason(s) to believe that an employee is
misusing the Center’s computer systems, they shall report the inappropriate use to the
observer’s Department Director.
All reports of alleged policy violations or inappropriate use of Center’s systems received by any
Department Director shall be reported to the Information Technology Manager to coordinate
an investigation or to recommend an appropriate course of action.
If, as a result of the investigation, sufficient facts are gathered to support the allegations, it is
the responsibility of the Department Director to administer any disciplinary action(s) necessary
after consultation with the Leon County Health Center HR.
1.0.16 CHANGES TO THIS POLICY:
This policy may be temporarily changed by IT Services Manager for any reason, but typically in
response to new types of threats or risks. Notice of the change in the policy will be distributed
to all Leon County Health Center and departmental computer support divisions. Temporary
changes normally will not be extended over six (6) months without being submitted and
approved formally through policy change process.
SECURITY POLICY
The Leon County Health Center is committed in providing the highest quality health
care, which includes respecting patients’ and clinical research subjects’ rights to maintain the
privacy of their health information. The standards for protecting patient health information are
described in the federal law known as the Health Insurance Portability and Accountability Act
(HIPAA). The Leon County Health Center’s HIPAA policies are designed to ensure the
appropriate security of all patient health information across the County, in compliance with the
law. Our HIPAA privacy and security compliance policies are available at
www.leonhealthcenter.org for a more in-depth viewing.
The Center is responsible for maintaining a Physical Facility Security Plan for Leon
County Health Center and ITS-Med Data Centers. The Health Center’s Physical Facility Security
Plan ensures that PHI (Protected Health Information) in any format (electronic, paper, audio
tapes, transcripts, videotapes, etc.) that is housed in Center and ITS-Med data center locations
meets HIPAA requirements for physical security at a level that is consistent with the criticality
and risk of the PHI.
5111 PR.2 procedure: Physical Access and Environmental Supports to Protected Health
Information
The current recommendations are to use alarm keypad systems (change key codes
often) or ID key card swipes for labs, hospital rooms or areas accessed by multiple individuals.
Keep current documentation of who can authorize access to the area and individuals who
currently have access and status at the Center.
Electronic storage devices (diskettes, CDs/DVDs, zip drives, external drives, video/audio
tapes, USB drives, etc) and non-electronic PHI (images, medical records, lab results, paper files,
etc.) should be kept in secure locations when not in use. Locked cabinets, closets and offices
can provide this protection.
General Guidelines:
Electronic Mail Communication of PHI -- 5123 PR.1 04
1. Email systems used by Leon County Health Center personnel must be configured to
require SSL/TLS encryption when transmitting an email message to the SMTP server
AND when retrieving messages from an IMAP or POP server.
2. Except where PHI relates specifically to treatment, any PHI transmitted by email should
be limited to the minimum necessary to meet the recipient’s needs.
3. Email messages containing PHI must not be forwarded to non-Leon County Health Center
email addresses either individually or by an automated forwarding mechanism unless an
approved Secure Electronic Messaging option is employed (end-to-end encryption).
4. Instant Messaging (IM) software should not be installed or used for electronic messaging
until an approved secure Instant Messaging (IM) option is available.
For Basic Systems, periodic sampling, or spot checks will be used to review system logs and
access reports.
ENCRYPTION OF DATA
Users are encouraged to encrypt files, documents, and messages for protection against
inadvertent or unauthorized disclosure while in storage or in transit over data networks. The
Center makes available software and protocols endorsed by the Information Security Office
that provide robust encryption, as well as the capability for properly designated Center’s
officials to decrypt the information, when required and authorized under this policy. Users
encrypting information are encouraged to use only the given software and protocols. Users
who elect not to use the specified encryption software and protocols on IT Systems are
expected to decrypt information upon official, authorized request.
All staff, trainees, students and others in Leon County Health Care Center HIPAA Covered
Components must comply with the following policies:
1. Everyone must complete HIPAA Privacy and HIPAA Security Training and thoroughly
understand the HIPAA Electronic Protected Health Information Security Compliance
Policy. Voluntary staff who do not access, store, transmit or receive Leon County Health
Center ePHI as part of the duties associated with their appointment at Leon County
Health Center are exempted from HIPAA Security training.
HIPAA Training: This pertains to those using computing or communications systems
during the course of work at Leon County Health Center. This includes systems use on
remote locations, such as home, hotels and other off–center locations.
All faculty, staff, trainees, students and others who store, access, transmit or receive Protected
Health Information on paper (PHI) or electronically (ePHI) must comply with the following
policies:
1. All Leon County Health Center laptop and desktop computers used to
store, access, transmit or receive ePHI must follow these current secure
configuration standards, including:
Whole Disk Encryption
Automatic distribution of security and other patches via central
computer management software
Installation and update of anti-virus /anti-spyware software
Automatic locking and password protection of desktops after 15
minutes of inactivity
Registration in the ITS Backup service
o Protection via proxy servers or removal of administrative
privileges
o Removal of applications that increase the vulnerability of
computers such as Peer to Peer (P2P) file sharing
o A locking cable or equivalent device for physical security
o All new desktop and laptop computers must be purchased
from Leon County Health Center
o Other safeguards as they become technically feasible.
2. You must implement current security standards for smart phones and
other devices that store, access, transmit or receive ePHI, whether Leon
County Health Center-issued or personal, including:
Password protection
Encryption
Limitation of the email stored on the device to 250 messages or 7
days
Subscription to a service that allows for remote purging of
messages stored on the device
DISASTER RECOVERY POLICIES
PURPOSE:
The Disaster Recovery Plan is intended to provide a framework for reconstructing vital
operations to ensure the safety of employees and the resumption of time-sensitive operations
and services in the event of an emergency. At the same time, it is intended to be a guide and
not a series of defined instructions void of flexibility. The nature of the interruption should
determine how a business continuation plan is used.
BACKUP PROCEDURES:
VIRUS MANAGEMENT:
While logging may show you after the fact that a virus has been found, you probably
want to know as soon as possible when a virus hits
This task includes ensuring that we have effective virus protection running on our
network. Just having virus protection software on your workstations isn’t enough. We will also
run virus protection software on your server. While logging may show you after the fact that a
virus has been found, you probably want to know as soon as possible when a virus hits. To
counter the virus threats, we have file servers is to provide a central location for storing and
accessing files. Run virus scanners constantly on your workstations. Since there is a specific
amount of clients on the network, visit each workstation on the network to update the virus
signature files. Deduce running workstation-based virus scanning to detect files loading from
the network can potentially slow down processing at the workstation level. Server-side
scanners will be used to log the virus scanning activity for both your servers and your
workstations in a central location, which allows you to keep tabs on what the software is doing
and what it has detected.
Server-side virus protection software immediately notifies you of a virus with e-mail,
pager alerts, or network broadcasts.
DISK/FAULT TOLERANCE:
There are several different ways to achieve disk fault tolerance. The most common
implementation is known as RAID, or Redundant Array of Independent (or Inexpensive) Disks.
Multiple disks can be configured in a number of different ways to create a fault-tolerant array.
Data can simply be mirrored from one disk to another, or parity information can be stored that
will enable the regeneration of lost data. RAID can be implemented either as a hardware or
software solution. There are many different “levels? Of RAID: 0, 1, 2, 3, 4, 5, 6, 7, 10, 0+1, and
53 are the most common.
Windows Server 2003 has built-in support for three levels of software-implemented
RAID:
The biggest advantage of hardware RAID is performance; disk access is faster because
you don’t have the operating system overhead (the RAID disks appear as one to the operating
system). The big advantage of software RAID is cost; you don’t have to buy extra expensive
RAID controllers or other additional hardware to use it.
POWER FAILURE:
Electricity:
To analyze the power outage risk, it is important to study the frequency of power
outage and the duration of each outage. It is also useful to determine how many powers feeds
operate within the facility and if necessary make the power system redundant.
Telephones:
Telephones are a particularly crucial service during a disaster. A key factor in evaluating
risks associated with telephone systems is to study the telephone architecture and determine if
any additional infrastructure is required to mitigate the risk of losing the entire
telecommunication service during a disaster.
Water:
There are certain disaster scenarios where water outages must be considered very
seriously, for instance the impact of a water cutoff on computer cooling systems.
BUDGET
Product Type Estimated Price
Patch Panel $388
TalkSwitch PBX Phone Systems $695
100 Base T - Cat 5 UTP Ethernet Cable $59
Switches $140
Cisco PIX Firewall Bundle $1395
Internet (Wi-Fi WPA) $24/month
Gateway Router $100
Other Routers $200
Servers (Email, HTTP, DNS, File & Print, Databases) $3,100
VLANs $800
Printers $2,519
Other $1,319
Total Estimated Budget $55,000 + $24/month
The above spreadsheet simply outlines estimated costs related to our proposal. The
company does not already have an asset, so any of these may be eliminated. All estimated
prices were researched on Google for the best and lowest prices for a small business.
The following items that we will be justifying costs for are needed to hook up the
network together. The patch panel was found to be $388 for the cheapest price. The switches
and routers estimated together as $440. A bundle of the 100 Base T - Cat 5 UTP Ethernet Cable
was $59 for more than we would need in length. The servers needed to be online with the cost
of setting up VLANs across the facility estimated as $3,900. Cross-Over Cables, Straight-Through
Cables, and Roll-Over Cables are all needed to connect the routers, switches, and PCs together
and total to an estimated $600 for more than needed so we would have extra in case we need
to replace some cables.
Black-and-white laser inkjet printers were found to be around $229, and we would need
at least 11 (one for each department as shown in the Physical Diagram), which brings the total
to $2,519. The TalkSwitch PBX Phone Systems are $695 for everything (phones, setup, and the
PBX), and connects to up to 64 phones, which is more than enough for our Health Center. The
Cisco PIX Firewall Bundle, which we would need to keep intruders and unwanted guests out of
our network systems, was found to be $1,395. Our computer workstations cost $32,000 as we
calculated for about 64 workstations, each costing $500 for the computers and accessories. We
assume this would be enough workstations for the users coming in and out to access records
and did not bring their laptops.
Security Software, which includes personal Anti-Virus Protection & Server-side Virus
Protection for each workstation and computer, would cost about $3,000 for a business bundle.
This would ensure each computer is protected against the simplest viruses and malware that
happen to penetrate the system’s firewall security. Backup/Storage/Archive Software costs
about $1,300, and would include the programs to backup computers that have for some reason
crashed or just to allocate more storage room for records and files. OS/Application Systems
Software costs $2,000 to keep all computers up-to-date on all applications and running the
same operating system. Finally, the Internet (Wi-Fi-WPA preferred) would be $24 a month to
keep it up and running.
We put in the backup Power Generators for $5,385 in the case a power failure were to
occur and we needed to access medical records. The remaining $1,319 not accounted for in the
total so far that we have listed under as “Other” is allocated for anything that we have looked
over and missed that we would need for the setup or maintaining of our proposed network
infrastructure. Everything else that we have listed totals to $53,681 ($55,000 with the $1,319),
and then the $24 a month for the Internet Wi-Fi. Our team will look over and re-evaluate
anything deemed unreasonable or unnecessary.
APPENDIX A: PHYSICAL NETWORK DIAGRAM
See attached diagrams in the back.
APPENDIX B: LOGICAL NETWORK DIAGRAM
See attached diagrams in the back.
MEMBER CONTRIBUTION
Each of the members contributed to the final product. The amounts varied due to time constraints and
schedules as well as reliability. Members are listed in order by last name alphabetically.
Kwanhaun Belinda Ng – She volunteered to work on the Executive Summary, compose the
Budget spreadsheet , and help with the Written Description. She also did the final editing for producing
the final product.