This is a Request for Proposal (RFP) paper that is designed to inform potential vendors to apply in order to provide the healthcare organization with a functioning and effective new medical health care database management system. The Records Database Management System (RDBMS) designed for the healthcare organization is integral to increase the efficiency of service delivery and customer satisfaction. The analysis of this paper outlines the key components to which the vendors should aspire to deliver and provide to the healthcare organization. This comprises of the RDBMS security concerns, resolve, and maintenance of the maximum protection of health information systems and data. The capacity to maintain progressive and effective RDBMS directly impacts to raising the confidence of the patients in the healthcare organization. This is vital to build a positive reputation for the organization. Therefore, the RFP informs vendors of the requirements and standards to meet in order to be selected as the most viable option to help the organization meet its overall objective of improving service delivery and security of the health information systems, RDBMS.
Step 1: Overview for Vendors
The RDBMS is designed to enable the healthcare organization effectively manage the health information provided by patients at different levels. The datasets that the RDBMS should enhance its management can be categorized into six key components in which the vendors must adequately illustrate how to protect, manage, and facilitate its use to meet the day-to-day needs of the organization (Talmadge, 2019). These include; (i) administrative enrollment, (ii) inpatient records, (iii) outpatient records, (iv) billing records, (v) medical and pharmaceutical records, and (vi) insurance information. Each component is integral to effectively serve the hospital in delivering efficient services. The protection and security of these datasets is critical to impact on the confidence of the patients in the hospital. This culminates in creating a conducive environment in which patients can disclose their health information vital to effective diagnosis, treatment and intervention (Dash, Shakyawar, Sharma & Kaushik, 2019).
The capacity to develop an efficient RDBMS is integral to the operations of the healthcare organization as it provides a patient-centered system which facilitates all entities towards offering patients the best services and satisfaction. With the existence of profound health information security such as cybersecurity threats, big data analytics, patient experience and safety, transparency demand, and increased sophistication and demand for health information – it is paramount to develop high-grade and secure RDBMS (Chang & Lin, 2016). Thus, the vendors are required to develop an efficient RDBMS that can handle 1,000 in and outpatient served weekly in a healthcare with 100 employees across different levels.
Step 2: Context for the Work
The development of the RDBMS is expected to meet the minimum standards of a functioning medical health care database management system. This is based on the primary objective of enhancing service delivery and patient’s safety. A thorough assessment of the security features must be comprehensively assessed and illustrated to indicate the functioning and handling of information leakage and errors. The medical health care database management system must meet the minimum requirements include completeness by providing error free data, relevance provided in the accuracy of the data in the system, accessibility that it is available whenever needed, and confidentiality to patients (Hong et al., 2018). These key features should guide the development of the health information and management database that guarantees patients and the healthcare organization a reliable system. The consistency of the data, its timeliness, uniqueness, accuracy, and completeness are the overall features that the health information system is required to meet for smooth and efficient running of the healthcare organization (Ma, Wang, Zhou, Wen & Zhang, 2018).
The system’s reliability is integral to enhance the operations of the medical personnel and emergency responders. The concerns raised in the utilization of the RDBMS such as memory leakage, security breach, errors, information leakage, cross-site scripting flaws, insecure configurations, SQL injections, authentication, and access control must be ascertained (Abouelmehdi, Beni-Hessane & Khaloufi, 2018). This provides the users of the system and the patients the assurance of the safety and security of the system. Hence, vendors ought to provide sufficient measures to counter and guarantee the safety of the medical and health care database system.
Step 3: Vendor Security Standards
The competing vendors should focus on meeting three sets of standard that guide their operational procedures and capacity to meet the database development requirements. These should comprise of internationally accepted standards which include National Institute of Standards and Technology (NIST) standards, International Organization for Standardization (ISO), and the International Electrotechnical Commission which is poised to develop standards and technicalities for maintaining and promoting standards in the information technology, as well as, information and communications technology fields (Yuan & Li, 2019).
The standards outlined by the internationally accepted entities which the vendors should comply with are critical for effective health information database. The development of the database should take into account measures that include strategies for disasters and disaster recovery, counter cyberattacks and threats, and provide mission continuity (Mbonihankuye, Nkunzimana & Ndagijimana, 2019). This entails a fully functioning system that is integral to the service delivery in the healthcare organization. The strategies include data protection and recovery which can be maintained through the establishment of back-up systems including cloud storage of health information and external storage of servers in secure locations. This is fundamental for disaster management and recovery, as well as, provision of mission continuity. The establishment of up-to-data antivirus, system vulnerability diagnostics, and upgrading of the database security measures is critical to prevent or deter cyberattacks and threats on the system (Jacobs & Popma, 2019). These measures are fundamental in which the vendors illustrate the preparedness in handling any eventuality that may impede the functioning and operations of the healthcare organization.
Step 4: Description of Defense Models
In healthcare information systems and databases management, the capacity to maintain the maximum security and protection of the health information is fundamental. The use of approaches such as Defense in Depth (DiD) provides extensive security mechanisms and controls that are critically examined and layered to provide maximum security throughout the system (Cho & Ben-Asher, 2018). The DiD defense model provides three critical layers including physical, technical, and administrative controls. These controls culminate in the realization of confidentiality, integrity, and availability (CIA) of health information and the system’s reliability. The CIA measures attained through DiD defense model are achieving through defense mechanisms that establish perimeter defense measures, protect the host, the system and its application, as well as information/data protection (Galinec, Moznik & Guberina, 2017). Therefore, vendors’ capacity to outline these measures are critical assert the preparedness in ascertaining maximum protection for the health care information system and database security. Hence, the healthcare organization, medical practitioners, and the patients have a system that can adequately and effectively serve them to the efficiently. Thus, the realization of the objective of service delivery and patient’s satisfaction is guaranteed based on DiD controls and CIA measures (Cho & Asher, 2018).
Vendors have a responsibility of understanding the defense principles in order to maximize on all the controls and measures outlined as protective to the health information system and database. The defense controls establish the minimum requirements to which the vendors must comply with in establish system’s safety measures (Kou, Liu, Talley & Pan, 2018). The enclave computing boundary defense stipulated across the three layers facilitate the protection of the system from manipulation. For example, in the administrative controls – measures such as security clearance is critical to the accessibility of the information. This establishes security firewalls that filter the quantity and context of information access by different individuals within the system. This determines who can edit, add, format, or delete and information on the system (Sittig et al., 2020). The physical controls regulate who gains authorization to the system on physical capacity. The use security guards, facial recognition systems, biometric systems, among others are essential for physical recognition as a measure to gain access. These deters attacks such as social engineering that gain malicious access to health information systems and database. The technical controls deter hackers through regular vulnerability diagnosis and strengthening the capacity of the system’s base configuration (Alotaibi & Federico, 2017). Thus, deters cyberattacks and other technical threats to the system.
Step 5: Database Defensive Methods
The competing vendors are required to establish measures that are critical for the database security and protection. The establishment and extensive explanation of the use of MySQL database protection measures is a high requirement for the medical health care database system. The utilization of the MySQL approach provides measures that enable the developers to drop the test database (Mukherji & Egyhazy, 2004). The capacity to illustrate removal of all anonymous accounts in the database is critical to ascertain high system security. MySQL database security outlines of the change of default port mappings which facilitates the removal of dummy accounts and potential security threats through external devises. This requires the prevention of running MySQL database on root level privileges that may miss the potential system’s vulnerabilities.
Further, MySQL history file shows the number and regularity of the activities done on the system presenting potential attacks based on the acquired data. Remote logins should be disabled to ensure that only database configured devices can gain access to the system. This establishes a point where only employees can gain access to the key levels of the database that allows data entry, manipulation, and deletion (Fehis, Nouali & Kechadi, 2016). The altercation of the hosts that have access to the database provide irregular system in which the database diagnosis is conducted and from which node. Therefore, this builds the capacity to protect data in the system to the maximum level. Encryption of data in the database is fundamental in case of data bleach. Thus, the approach to the defense method that applies MySQL database protection creates an environment where every potential and emerging loopholes on the system are sealed.
Step 6: Requirement Statement for System Structure
The RFP requires the competing vendors to develop a web interface that provides a structure in which patients and other healthcare providers can be view, modify, and update the database. The web interface should user friendly and supportive to the users (Demírel, 2017). Different levels and categories of the users should have diverse access limitations based on the nature of information they are allowed to access. For example, the web interface should allow patients to access, view, and only modify personal information on the database. Health information, diagnosis, treatment, progressive, feedback, and recommendations should only be modified by healthcare professionals (Lintern & Motavalli, 2018). This is vital to provide consistency, integrity, and authenticity of the information.
The web interface should enable the users’ levels to determine the context and nature of information at that category. This is provided on the based on integrated access across multiple systems and levels of the database. For example, while patients are open to use any device to check their health information on the database, the healthcare providers can only modify and update health information on company provided devices (Kim et al., 2017). This is to limit potential data/information breach that threatens the safety and security of the information. Also, this serves as a critical measure to prevent data exfiltration by external media to the healthcare information database. Such measures that competing vendors should outline include the approaches towards block unauthorized communication and access to the system, ways to prevent phishing attacks, and systemic revoking of data access for former employees. As well, the education and training of employees is critical to build the capacity of the staff to identify and eliminate database security threats (Sittig et al., 2020). The vendors should illustrate the measures taken to identify and redact sensitive data from being accessed by different levels. Thus, maintaining of maximum protection from malicious and ill-intended entry to the database and web interface are eliminated.
Step 7: Operating System Security Components
The establishment of segmentation requirements by the operating system rings is crucial to ensure that the processes do not affect each other. This can be established through the utilization of hierarchical protection domains that provides security of the database’s operating system. The security components for the segmented rings are stipulated in terms of the sensitivity of the information accessed. This is done in the level of privilege offered at each ring with the innermost being the one with most privileges while the outmost has the least privileges (van Vee, 2018). The innermost level is identified as Ring 0 which comprise of the system administrators and healthcare organization’s top management such as the president and the chief executive officer (CEO). Ring 1 will comprise of security level of the other top level organization’s managers and heads of departments. The level of privileges differs the Ring 0 which has the most. This indicates that, Ring 1 should seek the approval and guidance of Ring 0 category in the management of the database. Ring 2 should be designed to comprise of healthcare practitioners across different departments. At this level, the privileges are designed to allow the professionals to view, modify, and update the health information system. Ring 3 will entail the outmost and least privileged level in the database (Jacobs & Popma, 2019). This comprises of patients with the privilege to view and request for modification for personal information only. However, their modification and update pends the approval of Ring 2 or 1. Thus, enables the protection of information system and the database from different users and levels.
Step 8: Requirements for Multiple Independent Levels of Security
As discussed in step 7 above, the use of hierarchical protection domains provides the requirements of the Multiple Independent Levels (MILs) of security in the handling and utilization of the database. The approach provides level privileges and security clearance based on the sensitivity of information. This determines who can and cannot access certain information under its security code – “critical,” “confidential,” “general/public” use (Chico, 2018). The RFP stipulates that, the competing vendors are required to define the security clearance and privileges based on the level of information/data sensitivity. Therefore, hierarchical protection domains will start from Ring 0 (innermost and most privileged level) and Ring 3 (outermost and least privileged level). Each level should identify and define the potential users and components of personalities classified as suitable for the position (Mbonihankuye et al., 2019).
The approach best aligns with the use of the Chinese Wall security model following the fact that the policy separates two or more groups in a system. The groups of users of the database can be used to facilitate the protection of the system based on access security clearance. This is intended for the protection of the information and data in the database from wrong utilization. The users should have an understanding of the context of the information they view, modify, and update on the database. Therefore, the defining of the security protocols for each group and level is critical for the security and protection of the database.
Step 9: Access Control Concepts and Capabilities
The management of the database requires vital access controls and capabilities to determine who gets access to the system. The competing vendors should extensively outline the authentication requirements, access controls and direct object access. Such measures include security clearance levels, voice or biometric authentication controls, physical access to system administrator’s station, among others (Sittig et al., 2020). The identification of the access controls and authentication features is vital to ensure only the authorized personnel gains access to the database. Also, this must put into account the measures put in place to ascertain information security and safety. The protection of health information is vital to raise the confidence of the patients in the healthcare organization (Galinec et al., 2017). Therefore, the access control and authentication measures are to be developed on the sensitivity of the information.
Step 10: Test Plan Requirements
The vendor should include a test plan which illustrates the functionality and safety of the database. The assessment of the test plan comprises of the determination of the safety and security competence of the database against various vulnerabilities and threats. The competing vendors are required to submit their RFP within the next three months to allow for extensive review and assessment of the effectiveness of the system (Fehis et al., 2016). The proposed database will be subjected to expert evaluation and capacity to withstand different threats. Hence, the database must be efficient, effectively developed, and highly functional to ease top operations of the healthcare organization.
