Group-6-RAD - School of Computing and Information Sciences
advertisement
Requirements Analysis Document IT Management and Automation of Superior Pharmacy Developed by: Alfonso Munive Jonathan Sanchez (Project Manager) Jose Roman Fernando Valladares Sajjad Zaidi Advisor: Dr. S. Masoud Sadjadi School of Computing and Information Sciences Florida International University Contact Information: sadjadi@cs.fiu.edu, More information: http://www.cs.fiu.edu/~sadjadi April 13, 2009 1. Introduction Superior Pharmacy Group is a chain of five small independent pharmacies that are both closed, and open door pharmacies. The five small independent pharmacies are known as: Site A, Site B, Site C, Site D and the main office, Site E. The pharmacies have been operating for about three years and have a total of five thousand patients. At the five locations, there are a total of ten user stations, and two servers, a domain controller and an application server. The pharmacy relies heavily on IT because all the workstations are used daily for data entry, accessing patient databases, accounting files, managing inventory, and accessing the internet to look up patient insurance and third party information. All claims are processed online via a T1 line. There is an average of 100 claims every hour per workstations, so any potential downtime on the internal network or on the workstations themselves can be detrimental to productivity resulting in major problems such as insurance claims back-ups while in queue. Consequentially, the pharmacy is then unable to be reimbursed appropriately, leading to poor customer service and a reduction in profit, both are something a pharmacy needs to avoid in order to remain viable. The pharmacy, at this point, has poor security management regarding patient databases, which can cause major issues with HIPAA regulations. An automated system must meet and exceed the IT needs in order to improve the pharmacy’s productivity. The automated system is designed to facilitate more efficiency rather than fix the current systems drawbacks. 1.1 Purpose of the system The purpose of the current system is to monitor the workstations in all the pharmacy locations from user state management, to patch management. They are mission critical for pharmacy operations because all the workstations are used to enter prescriptions, process insurance claims, and provide access to the patient and drug databases. 1.2 Scope of the system The scope of the system will include providing all the pharmacies with automated solutions such as an adequate backup system in accordance with HIPPA policies; automate the process of installing updates and patches to all the workstations; and provide user state management. In addition we will monitor the servers, both the application server and the domain controller in all the locations. 2. Current system The current system was not designed by an IT professional, which has created functionality problems. The current model at each location has ten workstations and two servers in each site joined together with a switch forming a star topology. Workstations are stand-alone systems that use the client program called QS1PrimeCare and also provide access to software for a users individual computing needs. Each location is connected to a network printer. There are two servers at each location. One server is the domain controller, which has an active directory and assigns group policies. The other server is the application server, which has the QS1PrimeCare server that the workstations use to access client information. It is also used for backing up client list, order list, and inventory of all drugs purchased and sold. Vendor list and payroll program are handled by QuickBooks. There is only one IT Administrator responsible for monitoring the current system. 2.1 Current Problems During the early stages of our investigation, we noticed several glitches in the implementation of the current system. The first major issue discovered was the IT administrator’s workload. The IT Administrator is responsible for taking care of issues that may affect any of the five sites, spread out within a 30-mile radius. If a workstation goes down in Site A and another in Site C, the IT Administrator has to both sites, passing Site B in the process, to fix the problem. This results in a huge delay and slows down productivity in Superior Pharmacy Group’s because of the administrator’s extended absence. Secondly, and more importantly, there are several gaps in computer security since all users have administrative access to each workstation. There are currently no restrictions to using the Internet and downloading applications. At the time of the investigation, systems in Site E had many users logged into social networking sites, and browsing histories on some of the workstations were neither work related or pertinent to pharmacy operations. Peer-to-peer software had also been installed on some of the workstations, downloading unknown content from these programs and facilitating the possibility for infection of a workstation with malicious programs such as Trojans. Granting back door access into workstations has the potential to compromise patient information. User carelessness creates a high security threat that can be counteracted by uniform virus protection in each workstation. There is also a lack of control in regards to patch management. Some systems are patched, but those that are not can create a threat to the integrity of the network since they have holes that are exploitable. As mentioned, there is no monitoring of workstations and some hard drives were filled to their capacity, containing mostly information irrelevant to work. Another example of an over-extended IT system, Site C purchased new workstations that needed to install QS1 Prime Care. The IT administrator had a difficult time with the installation since the computer did not have the minimum requirement needed for optimal operation. QS1 Prime Care requires Windows XP SP2 which was already installed in the current machines, but the new workstations came with Windows XP SP1 pre-installed resulted in the IT administrator occupied at Site C, unable to manage any other sites if problem occurred there. A major operating concern for Superior Pharmacy Group is weak disaster recovery protocol. In the event of some sort of incident such as a power failure, patient data stored in the server has the likelihood of becoming permanently irretrievable. Also, in order to remotely log into different workstations within the network, one would have to know the IP address of the server. After establishing a connection with the server, would then need to know the IP address of each workstation just to have remote control access. By properly naming each workstation, there is no need to memorize countless IP addresses. The following will now elaborate further on the above-mentioned issues with the current system for Superior Pharmacy Group: 2.1.1 Issue #1 Having only one IT administrator present at the main site means workstations have been granted administrative access and their specifications have not been defined or modified for employee use. Users have access to all software and are running applications like Bit Torrent, and during our investigation, noticed a lot of users were logged onto their “Facebook” pages, wasting valuable work time. Since the five locations are spread within a 30-mile radius, the IT administrator cannot monitor the workstations simultaneously. Multiple system failures at different locations can hinder productivity if only one IT administrator is available. When a workstation is down, it can take hours before the IT administrator is able analyze the system failure. There is also no solid order of preference when a workstation goes down, so if two workstations go down at two different locations, it is the IT Administrator’s responsibility to determine where to go first, instead of the company deciding which site is more crucial for continued productivity. 2.1.2 Issue #2 There is no form of workstation monitoring in place. This lack of monitoring has caused issues in the past such as workstations running out of hard disk space due to peer-to-peer downloads. One of the workstations located at Site E had an iTunes library utilizing 5GB of hard drive space, which has been allocated for work purposes only and not personal entertainment. Low hard disk space can result in issues when trying to access the pharmacy’s software, QS1 Prime Care. QS1 becomes sluggish if there is not enough space available making it difficult to download the E-prescribe faxes promptly. At Site C, three of the user workstations had an average 90% CPU usage. After further investigation, it was discovered the workstations had been infected with a Trojan that had been downloaded from a peer-to-peer site. Viruses, Trojans, key loggers, or any other form of malware can compromise the security of patient data and leak private information such as social security and prescription information resulting in lawsuits and the loss of profit. At Site B, the server had a memory leak. A file on the server, run.dll, would cause the memory to be full, making the server unresponsive. This is a huge problem because patient data needs to be accessed locally as well as remotely and users should not be spending 30-45 minutes trying to access patient information. 2.1.3 Issue #3 There is no hardware inventory management on the current systems. Workstations use QS1 Prime Care that requires a minimum of 1GB of memory. Several months ago, one of the memory sticks failed. This slowed down the workstation causing a lag that resulted in the dispensing of prescriptions to be delayed by one hour. Patient prescriptions need to be processed in a timely manner. If Superior Pharmacy Group is slow to dispense prescriptions, and then the result will be a loss of customer’s because of weak customer service. 2.1.4 Issue #4 We encountered a frail disaster recovery plan in place. Back ups are being performed every Sunday at 2 AM & there are no snapshots of user workstations. This can lead to a huge problem because if a server loses its data drives all the patient information for that week would be permanently lost. One of the pharmacies encountered a power failure and after the power came back, the user’s hard disk was hit by a surge of power, rendering it useless. This situation could have been avoided by using a UPS. Since there is no snapshot of the drive, everything had to be manually re-installed and reconfigured. This took up two days of the IT administrator’s time, compromising all the other sites whereas if the proper procedures for recovery had been in place, the situation could have been resolved in a few hours. 2.1.5 Issue #5 Workstations are not up-to-date with software updates. New workstations purchased for Site C did not have the latest service packs installed, Windows XP SP3, but instead came with Windows XP SP2. This service pack is important because Windows XP SP3 is one of the requirements for installing QS1 Prime Care. When the user tried to install QS1 Prime Care it resulted in an error, and not until the third try did the user contact the IT Administrator. This slowed down productivity, delaying the processing of the patient’s prescription even further. 2.1.6 Issue #6 Site C had none of its virus definitions updated. Three of the technician workstations were infected with a Trojan because of forwarding infected emails. An up-to-date virus protection solution would have scanned the file and let the user know of the security risk. This is the first line of defense, followed by the system monitoring as stated in issue two. Without these systems in place, the patient information is at risk as and the workstation is unproductive until all viruses are eliminated. 2.1.7 Issue #7 In order for the IT administrator to maintain the integrity of the computers, remote access is an important part of that process. With the present system, if the IT administrator needs to access data like QuickBooks or patient information, he needs to know the IP address of every machine, log into the server and then log into the individual machine. In one instance, the records of a patient were in a computer at Site E, but could not be accessed because the workstation was shut off. 3. Proposed system The following are suggestions for a new proposed system that would address all the aforementioned issues each system currently has. Each employee working for Superior Pharmacy Group will have a user name and password with their own personal settings and programs based on their position within the company which will also be a precursor to Internet access. Some employees, based on tasks performed, do not require access to the Internet, but regardless of this point social networking sites will be blocked. By using Firefox as the default browser, potential phishing attacks can be avoided. To address the numerous complaints of low hard disk space, a quick monitoring system will check random workstation on a daily bases. Assistance will be hired to work directly with the IT administrator. The additional assistance will help reduce the workload off of an overextended IT Administrator. Scanning the workstations for security and software updates is crucial and will keep workstations software up-to-date, therefore protecting your workstation from viruses and preventing potential attacks. This will also allow for compliance with HIPPA regulations, thereby reducing the risks of potential lawsuits. Next, it is important to make sure all the workstations, including the domain controller server and the application server are audited. It is important to have accurate inventory of hardware and software and all the workstations and servers. A more efficient way of connecting the workstation and server is by using computer names rather than using an IP address. Synchronizing the workstation data to the server, this will save the IT Administrator time. The following functions: Help Desk, Patch Management, Audit Inventory, Remote Control, Monitoring, User State Management, End Point Security and Backup & Disaster Recovery; will elaborate more on the proposed system that is used to make Superior Pharmacy Group more efficient. 3.2 Functional requirements 3.2.1 Remote Control Accessing the workstations remotely needs to be efficient. Knowing the IP address for the workstation that uses QuickBooks so you can access that workstation remotely can be tedious. Instead of logging in remotely via the IP address, it is better to assign computer names for each workstation. Its best to have all workstation data synchronized to the domain controller server. This eliminates the step of first connecting remotely to the domain controller server before connecting to the workstation remotely. By synchronizing the data to the domain controller, you will only need to connect to the server to retrieve the data that you want. 3.2.2 Auditing & Asset management All of the hardware and software that is supported by each workstation will be documented and be kept for Superior Pharmacy Group's records. When the time came to purchase the new workstations, it would have been a good practice to have inventory on the workstations that were replaced. If the inventory were documented for the old workstations, you would know that the user workstation required Windows XP SP3 installed so it can run QS1 Prime Care. This would have prevented the multiple tries on installing QS1 and calling the IT Administrator to review the problem. 3.2.3 Monitoring It is very important that Superior Pharmacy Group have a monitoring system in place. Too many times did we catch users logging in to their “Facebook” page. A user was where their favorite T.V. shows and listening to their music on iTunes, which eats up the hard disk, space for that workstation. By having a monitoring system in place, you will be able to check the current hard disk space on the each workstation, if you notice that you are running low on disk space, you can then check the cause of the low disk space. Regarding the workstation at Site E, we were able to identify one of the reasons for low disk space, the iTunes library. You can also check the browser’s history to see if any of the users were logged into “Facebook”. If the social network activities are at a high then its best to restrict the access to those social network websites like “Facebook”. 3.2.4 Patch Management With Patch Management, the workstation will be scanned to see if it has the latest security updates or software. This scan should be administered after working hours, so not to disrupt the current working environment. After the scan, you can then assign the update that is needed for that workstation. So if you purchase a new machine with Windows XP SP2 and you are trying to install QS1 Prime Care, but it requires Windows XP SP3, with Patch Management, you will be able to install the new Service Pack. Some locations were running out-date virus protection software, the scan would have noticed the out-of-date virus definitions notifying you that installing the latest virus protection software is a high priority. 3.2.5 Backup & Disaster Recovery Standard: This includes a Snapshot of the boot drive every time there is a major update performed to the system. This plan is recommended this plan for systems where there is not a lot of data, where the data is not that important, or that are not being used pro actively. In this plan you can get your system back up in case of an OS problem in minutes. Premium: This includes a RAID-1 with 2 partitions (data & boot), daily on site or remote back up of data, & snapshot of the boot drive. This plan is recommended for delicate machines where the data is very important. This is implemented on the application server since there is redundancy in your data. You can quickly recover from OS crashed or even dead hard drives without a problem. You may also use a USB drive to further back up your data off site. Premium Plus: This includes a RAID-1 & RAID-5, daily off site back ups, snapshot of you boot drives, weekly scans data integrity scan, Email alert if you raid is degraded. We recommend this plan for you off site server, which should store all other sites server information in case of a natural disaster. Mirrored boot drive maximize your up time because if one of your data or boot drives die you simply add a new one. RAID-5 comes with fail over drives so if one dies it simply rebuilds your RAID. This plan will make Superior Pharmacy Group 100% HIPAA compliant because it is practically impossible for you patient data to be lost. 3.2.6 Endpoint Security Complying with HIPPA is the most critical aspect of the pharmacies IT policy management. Data handled by all pharmacies is extremely important and breach can lead to major lawsuit and financial penalties. Strict policies are required for handling sensitive data and encrypting software is required for this task. All machines should have latest spy ware and anti-virus software installed as well as mandatory update and installation of patches dealing with OS security. New systems cannot have access to the network until they are fully patched, updated, and added to the pharmacy domain. 3.2.7 User State Management Configuring user settings manually at all location is not a practical solution and is tedious, time consuming, and there is a the risk of forgetting something. With five locations in place & future potential growth this feature is the most important aspect for the IT administrator for efficient output. The most required feature is printer and drive mapping. Desktop standards will be provided to avoid users for customizing the workstations that leads to potential problems. To be HIPAA compliant the most important task under User State Management is to provide a QS1 Prime Care customize access to users at different locations. This will ensure that users are not able to access different aspects of data that they don’t have access to. Group policy that is not effective and not defined properly will eliminate most of the problems that are occurring mostly at the remote locations. The following problems will be fixed after defining effective group policies. Centrally create and manage desktop configurations for all users and computers for efficiency also allow technicians to access their files from any location at any time by using Roaming User Profiles and Folder Redirection in combination with Off-line Files. Manage how software is deployed and installed on computers to ensure that Floor techs and Pharmacy Techs have QS1 Prime Care customized access. Manage and enforce centralized data storage. This helps you keep important corporate data backed up. Replace computers efficiently by using these technologies that includes remote Installation Services and Group Policy–based software installation to replace applications. Roaming User Profiles to recover user profiles and folder Redirection to centrally store files a must for QS1 Prime Care. 3.2.8 Help Desk This will provide the IT Administrator for Superior Pharmacy Group additional help. At times, the work load for the IT Manager can become excruciating when traveling from one location to another, and a Help Desk will be able to reduce that workload with additional support from the help desk team that will be provided: On-site visits and phone support. If there is a system failure with a workstation, the user will communicate their issues via a ticketing system to the IT Administrator. If multiple system failures occur at different locations and the IT Administrator cannot attend to all the problems, the IT Administrator will then relay the problem to the Help Desk team, so they can further access the problem. 3.3 Nonfunctional requirements 3.3.1 Usability The current systems usability is questionable. All the issues that plague the system slow down productivity and in turn make the company look bad. 3.3.2 Reliability The current system is not very reliable because there is only one IT Administrator that has to monitor five different locations. The task have become overwhelming, if the administrator where to get sick or is in a meeting he wouldn't be able to take care of any pressing issues that might come up. As it is, there a various machines missing updates and patches, there is no real back up plan, and there are computers that have been infected with Trojans and have no end point security. The reliability of the current system is unacceptable. 3.3.3 Performance Since there is only one IT Administrator, if multiple workstations were to malfunction, the IT Administrator would have to go to each workstation to assess the problem. After the IT Administrator finished, then he would have to go to the next and so on. This hindered productivity, since users had to wait for the IT Administrator to come to there workstation and see what the problem was. 3.3.4 Supportability Basically, the IT Administrator is the support, since Superior Pharmacy is lacking any uniform system; it is up to the IT Administrator to handle all the IT issues at Superior Pharmacy. If there’s an issue at a workstation, the IT Administrator would have to be in front of the workstation to see what the problem is. 3.4 Agent Roles 3.4.1 Agent Role: Domain Controller This server is running Microsoft Windows Server 2003 operating system. On this server the IT administrator uses active directory to create user accounts for pharmacists, technicians and other associates and assigns group policies accordingly. In addition all user data is synchronized back to the server once the user logs out of different workstations. Also all incoming documents such as faxes, electronic prescriptions and personal patient documentation are stored on this server as well. All insurance claims that are processed are saved on this server for auditing purposes. The IT administrator uses this server as a gateway to remote into other computers on the internal network from an external location. In addition this server has the time clock server installed on, so all employee hours are tracked on this server and archived for the accountant 3.4.2 Agent Role: Application Server The application server runs the QS1 Prime Care management application, which is the software that all the pharmacies use. It serves as the connection console, in which the IP addresses of the client machines are used to authenticate, and then granted access to the databases. This server has the patient, drug, and POS databases. Anytime a new patient is added to the system, or a drug profile is updated it gets saved on the database on this server. Since this server has the POS server, all updates that are needed for the POS machine are downloaded to this machine, which is later pushed to the POS client. In addition this server connects to the QS1 main servers once a week and downloads the latest service packs. 3.4.3 Agent Role: Windows XP Machines All the XP machines that are in the pharmacies are used as clients to connect to the application server to access patient and drug databases. One of these machines is used as the Local Workstation Update Node (LWUN). The utility on this machine is used to connect to the QS/1 Server and check for updates to be downloaded. By designating this workstation as the LWUN, it eliminates the need for all workstations to connect to the QS/1 Server and collect updates. All the pharmacy associates use these machines to process prescriptions and transmit insurance claims. The accountant also uses one of these machines for accounting tasks such as invoices and payroll, and the receptionist also uses these machines for emails and notes. 3.4.4 Agent Role: CEO Laptop The CEO’s laptop runs Mac OS X for security reasons. Since all the pharmacies aren’t connected together, this is the only machine that has all patient information and financial documents from all five locations combined. The CEO uses a VPN client to log into the pharmacies when needed to look up additional information. On his laptop he does not carry Prime Care databases or QuickBooks but uses excel for use of quick reference before he does any sort VPN interaction. Due to the tight security needed on this laptop, this machine uses the built in Fire Vault Mac OS X protection which secures the users home folder by encrypting it's contents. This feature automatically encrypts and decrypts the files on the machine while they are in use. If the machine is lost or stolen, and the wrong administrative password is entered, all data will be lost. 3.4.5 Agent Role: POS Machine The POS machine used in the pharmacies is a Windows-based open platform solution that integrates with the Prime Care software and peripheral hardware devices such as the electronic signature capture device for HIPAA and credit card transactions. The POS machine allows users the ability to view or edit secure information such as patient payment information, and patient preferences such as easy caps. It is also a comprehensive tool for promoting drugs, tracking drug movement, and maintaining optimal inventory levels for all of our OTC products. In addition the POS machine registers the pharmacy configuration, inventory, and transaction information locally, allowing registers to continue operating during a network or server failure. When connectivity is restored, the FUNCTIONALITY REQUIREMENT FOR ALL AGENT ROLES HELP DESK PATCH MANAGEMENT AUDIT INVENTORY REMOTE CONTROL BACKUP/DISASTER ENDPOINT SECURITY USER STATE MANAGEMENT MONITERING Agent Roles APPLICATION SERVER FULL DOMAIN CONTROLLER FULL CEO LAPTOP POINT OF SALE SNAPSHOT WORKSTATION PREMIUM PLUS system automatically synchronizes. The machine also receives updates from the application server when needed. 3.5 Mapping Functions to Agent Roles BACKUP PACKAGE PLANS FREQUENCY SNAPSHOT MULTI PARTITION ONSITE BACKUP OFFSITE BACKUP RAID-1 RAID-5 PLANS STANDARD MAJOR UPDATES PREMIUM PLUS DAILY FULL DAILY 4. Definitions, Acronyms, and Abbreviations Admin – abbreviation for Administrator or Administration. Administrator – individual responsible for the installation, management, and control of a network. Administrator Access – In windows machines means that a person has full control of installing programs and can change anything in the system. Antivirus - software that is used to detect, delete and or neutralize computer-based viruses. Bit Torrents - An effective tool for sharing large files based on peer-to-peer connections. Different parts of files are distributed in chunks and then reassembled on the receiving machine. Facebook - a free-access social networking website. Hard Drives - computer hardware that holds and spins a magnetic or optical disk and reads and writes information on it. HIPAA - Health Insurance Portability and Accountability Act. Help Desk - a service that provides information and assistance to the users of a computer network. IT – Information Technology. Memory – Hardware used by computers, which can be used by programs to perform necessary tasks while the computer is on. OS – Operating System Social network - a web-based service that provides ways for users to interact, such as file sharing, blogging, and discussion groups, to build communities of people who have common interests. T1 - An AT&T term for a digital carrier facility used to transmit a DS-1 formatted digital signal at 1.544 megabits per second. Trojan - Malware that appears to perform a desirable function but in fact performs undisclosed malicious functions. UPS - uninterrupted power supply. Virus - a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer Virus definitions – Lists that carry virus signatures for detection. Workstation - a desktop computer. POS – Point of Sale QS1 Prime Care – Prescription Software
