Page 345 of the text book: 1. The security firm that employs you has been hired by a new customer. This customer developed in-house, custom application system that archives papers forms in...


Page 345 of the text book:


1. The security firm that employs you has been hired by a new customer. This customer developed an in-house, custom application system that archives paper forms in electronic format, complete with a web-based document locator function that works as follows: users type keywords related to the document that they are looking for into a search engine, and the application returns several possibilities. Users can then click on the appropriate document title, and it is downloaded from the back-end database and displayed on the user's screen. It is noteworthy that the users are not employees of the company in question. This company offers the application as a third-party service. All its clients are medical practices that use the application as an offsite electronic medical records solution. They are linked to the application via their Internet connection and a regular web browser.


2. After spending a day with the developers responsible for this application reviewing the code, your first recommendation is that since all the information that is transmitted is in fact Protected Health Information (PHI), all transactions should be encrypted. As it presently stands, the application system is sending all the documents between the database server and the user's desktop via HTTP (i.e., in clear text). Write a couple of paragraphs making a case that the first thing that should be done to the application system is to retrofit an encryption solution.


3. It is settled that the application will be sending all information via HTTPS, the secure version of HTTP that relies on SSL to guarantee confidentiality. You know that there are two choices to set up HTTPS: Either use certificates created in-house. Write a couple of paragraphs on the matter, specifically listing the pros and cons of each solution. Finally, make a recommendation of using one or the other method.


4. One of the medical practices that contracted to use this application system as its EMR solution is located outside of the United States, but still requires 128-bit encryption. Explain in a paragraph how that can be an issue. Research U.S. Federal Regulations that govern exporting encryption technology on the Internet for more information on this topic if necessary.


5. Another need that you identified through the audit that you ran against this application system is that e-mails are being sent between clients and managers. However, the integrity and nonrepudiation of the e-mails sent are not currently guaranteed. Write a paragraph to outline a solution that could be deployed to remedy this issue.


David answered on Dec 29 2021
125 Votes
Since all the data is sent over HTTP and no encryption of the data takes place, it is flawed with respect to the PHI (Protected Health Information) standard. The very first thing that can be done is to use HTTPS (Hypertext Transfer Protocol Secure); in this, the data communicated between the two parties is encrypted and no hacker can easily see what kind of information is exchanged, as in the case of HTTP, which puts the security of the user at a much greater risk.

Since the database is available to the users, who can be anyone in the world, a hacker or a person looking for unauthorized access can access the data, as there are no limitations on the data being provided from the database. The information provided should be limited to the authorized users only. The information being passed out, and to which user, should be logged; if no login information is used, then log the IP address of the system. If the SQL database is not secured or not protected, then various types of attacks on the database are also possible, like SQL injection, leading to garbage information in the database, making the data inefficient.

IP address confidentiality: Websites often record the IP addresses of the visitors; as we get the IP from the ISP, the address mainly reveals about the ISP...
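
The controls named in the answer above (results limited to authorized users, a log of what was passed to which user with the IP address as fallback, and protection against SQL injection), sketched as an added example that is not part of the original answer. The table layout, function names, practice identifiers and sample rows are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timezone

def build_db():
    """Constructed sample data: two practices, three archived documents."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, practice_id TEXT, title TEXT);
        CREATE TABLE access_log (ts TEXT, actor TEXT, source_ip TEXT,
                                 keyword TEXT, doc_ids TEXT);
        INSERT INTO documents VALUES (1, 'practice-a', 'Intake form - patient 1001');
        INSERT INTO documents VALUES (2, 'practice-a', 'Lab results - patient 1002');
        INSERT INTO documents VALUES (3, 'practice-b', 'Intake form - patient 2001');
    """)
    return db

def search_documents(db, keyword, source_ip, user=None, practice_id=None):
    """Keyword search limited to the caller's practice, with an audit record."""
    # Escape LIKE wildcards so the keyword is matched literally.
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = []
    if user is not None and practice_id is not None:
        # Bound parameters: the keyword is data, never part of the SQL text.
        rows = db.execute(
            "SELECT id, title FROM documents "
            "WHERE practice_id = ? AND title LIKE ? ESCAPE '\\' ORDER BY id",
            (practice_id, f"%{escaped}%"),
        ).fetchall()
    # Log every request; fall back to the IP address when there is no login.
    db.execute(
        "INSERT INTO access_log VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), user or "anonymous", source_ip,
         keyword, ",".join(str(r[0]) for r in rows)),
    )
    db.commit()
    return rows
```
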