Physician Reminder System - PowerPoint PPT Presentation

Slides: 23
Provided by: koichit

Transcript and Presenter's Notes


1
Physician Reminder System: SNA Step 2
Earl Crane, Hap Huynh, Jeongwoo Ko, Koichi Tominaga
11/2/2000
2
Overview
  • Step 1 Review
  • Users of PRS
  • Normal Usage Scenarios
  • Essential Services/assets
  • Trace Essential Services
  • Essential Components
  • Vulnerabilities
  • Next Step

3
1. Review of SNA Step 1
  • Business mission: generate JIT physician
    reminders
  • Functional requirements:
  • Response time is most important.
  • Generate time-driven and visit-driven reminders.
  • Cover three chronic disease areas: diabetes,
    hyperlipidemia, and preventive care.
  • Download the patient demographic data, lab data
    and billing data from HIS.
  • Privacy of patient data should be ensured.

4
2. Users of PRS
[Diagram: Physician Reminder System and its users. Labels: Physicians, Reminder Response, Patient Reminder Information, Staffs, DB Management, DBA]
5
3. Normal Usage Scenarios
Physicians
  • NUS1. View physician reminders
  • A physician views the reminders to check
    evidence-based practice guidelines. PRS must
    generate these reminders and ensure that they are
    current and correct.
  • NUS2. Respond to the physician reminders
  • A physician responds to the reminders by choosing
    an action based on the patient demographic
    information, diagnosis and lab test results. PRS
    must show base information and save the response.

6
3. Normal Usage Scenarios (Cont'd)
Physicians
  • NUS3. Update diagnoses
  • A physician views all diagnoses ever made for
    the patient and may add a new diagnosis. PRS must
    provide a standard ICD-9 code and add a
    user-defined code to the system.
  • NUS4. View reports
  • A physician views the physician-directed reports.
    PRS must generate physician-directed reports that
    summarize system reminders.

7
3. Normal Usage Scenarios (Cont'd)
Staff
  • NUS5. Record a patient's visit
  • A staff member records information related to a
    patient's visit. PRS must save this information
    with the name of the staff member.
  • NUS6. Add vital data
  • A staff member adds the patient's vital data, such
    as blood pressure and weight. PRS must check the
    data and insert it into the database.

8
3. Normal Usage Scenarios (Cont'd)
Staff
  • NUS7. View time-driven reminders
  • A staff member views all time-driven reminders
    (e.g. letters to patients reminding them to visit
    the clinic). PRS must generate time-driven reminders.
  • NUS8. View reports
  • A staff member views the staff-directed reports
    and patient-directed reports. PRS must generate
    staff-directed reports and patient-directed
    reports with mailing labels.

9
3. Normal Usage Scenarios (Cont'd)
DBA
  • NUS9. Manage PRS database
  • A DBA manages the database for staff information,
    reminder codes and disease codes. PRS must log
    the administrator's actions.
  • NUS10. View reports
  • A DBA views the reports. PRS must generate
    admin-directed reports.

10
4. Essential services/assets
Essential services
  • NUS1 Generate reminders for physicians
  • NUS7 Generate reminders for staff

Essential assets
  • PRS data for reminders
  • PRS rules for reminders

11
5. Trace Essential Services
[Architecture diagram. Labels: Hospital Information System, PRS System, PRS Client, Firewall, Email Server, Browser, Email, Web Server, PRS Client Program, Affinity System (Registration), LAB, Eclypsis, PRS Server, Interface Engine, Database]
12
6. Essential Components
  • Database
  • PRS Client Program
  • Interface Engine

13
7. Vulnerabilities
  • The current system architecture is expected to
    have several vulnerabilities. For example:
  • User privilege management in the PRS system
  • Email service, internet connection, etc.
  • Network connections with other machines (between
    HIS and PRS server, PRS server and client
    machine, client machine and HIS, etc.)

14
8. Next Step
  • Attacker profiling
  • Analysis of intrusion scenarios
  • Identification of compromisable components
  • Meeting with the client in November

15
Q&A (1) Who are the users?
  • The users will be classified into 3 categories:
  • Physicians
  • Staff and nurses
  • Administrators and Database Administrators
  • In addition to these users, patients are
    sometimes referred to as users. Under the narrow
    definition of users we use here, however, they
    are not users: although they benefit from the
    PRS, they never use it themselves.

16
Q&A (2) Can PRS update the existing data in HIS?
  • Data flows only from the HIS to the PRS. Updates
    in the HIS are reflected in the PRS in real time,
    except for the periodic update of lab results
    (lab results are updated every evening). So the
    HIS data is protected from manipulation of data
    in the PRS.

17
Q&A (3) Tell me about the diagram. What are
Eclypsis, the Affinity system, etc.?
  • Eclypsis is a management system for the MACC
    (Medical Ambulatory Care Clinic). The Affinity
    system handles registrations, and PRS obtains
    patients' demographic data from it. Lab is the
    system from which we obtain patients' test
    results.
  • The interface engine is a Unix-based data
    converter system that allows the components of
    the system to talk to each other.

18
Q&A (4) Does the client machine have internet
access?
  • Yes, WPH wants to use it to browse the internet,
    and this could be a vulnerability for the system.
  • They also use email on the client machine, but
    this is intranet mail, and will not be a serious
    vulnerability.

19
Q&A (5) What is the difference between essential
assets and essential components?
  • To some extent they overlap. We take the
    assets to be the things to be protected:
    (1) the data contained in the DB and (2) the
    rules that generate reminders are the essential
    assets.
  • By contrast, essential components are what we
    need to conduct transactions: the DB itself (you
    might want to call this the DB Server), the
    client software (DB Client), and the interface
    engine (and the data sources).
  • We don't include the legacy systems, which are
    the data sources for PRS, in the essential
    components, since they are, in a sense, located
    behind the interface engine, which is out of our
    scope.

20
Q&A (6) Tell me about the vulnerabilities you
have here. What are the problems with user
privilege management in PRS?
  • Currently, the PRS has no logic to restrict a
    user from viewing all the patients' records. That
    is, all patient records can be viewed by any
    nurse or physician.
  • This might be a problem, because a nurse might
    view or change patient records that they need
    neither know nor change; i.e., the privacy of the
    patients is at risk.
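
One way to close the gap described on this slide, as an added example (not PRS code): a deny-by-default check that requires both a role that permits the action and an assignment to the patient, and that logs every decision. The role names, action names and the assignments table are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical mapping of PRS user classes to actions (names are assumptions).
ROLE_ACTIONS = {
    "physician": {"view_record", "update_diagnosis", "respond_reminder"},
    "staff": {"view_record", "record_visit", "add_vitals"},
    "dba": {"manage_codes"},  # DBA manages codes, not patient records
}
# Actions that touch one patient's record and need a care relationship.
PATIENT_SCOPED = {"view_record", "update_diagnosis", "respond_reminder",
                  "record_visit", "add_vitals"}


@dataclass
class AccessPolicy:
    assignments: dict                      # user -> set of assigned patient ids
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user, role, action, patient_id=None):
        """Deny by default: the role must permit the action, and a
        patient-scoped action also needs an assignment to that patient."""
        allowed = action in ROLE_ACTIONS.get(role, set())
        if allowed and action in PATIENT_SCOPED:
            allowed = patient_id in self.assignments.get(user, set())
        # Record every decision, denials included, so misuse is reviewable.
        self.audit_log.append((user, role, action, patient_id, allowed))
        return allowed

    def denied(self):
        """Denied requests, e.g. for a periodic privacy review."""
        return [entry for entry in self.audit_log if not entry[4]]


# Constructed sample data: two clinicians, each assigned different patients.
policy = AccessPolicy(assignments={"dr_a": {"p1", "p2"}, "nurse_b": {"p2"}})

if __name__ == "__main__":
    print(policy.is_allowed("nurse_b", "staff", "view_record", "p2"))  # assigned
    print(policy.is_allowed("nurse_b", "staff", "view_record", "p1"))  # not assigned
    print(policy.denied())
```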

21
Q&A (7) What are the problems with network
connections with other machines?
  • Here we assume Network Sniffing,
    Man-in-the-Middle, and Spoof-the-Server attacks.
  • We will examine the possibility and remediation
    of each attack more thoroughly in the next
    presentation.

22
Q&A (8) What are the problems with email
service, internet connection, etc.?
  • Here we assume attacks through the internet,
    e.g. viruses, malicious script code, and ActiveX
    controls.
  • We will examine the possibility and remediation
    of each attack more thoroughly in the next
    presentation.