Information Security Assessment in King Abdullah Medical Complex: A Case Study

King Abdullah Medical Complex in Jeddah (KAMCJ) is a 500-bed hospital with highly qualified staff, advanced equipment's and technologies. The hospital provides a wide range of medical services round the clock. Equipped with the latest technologies and state of the art information and communication systems, the hospital has the ability and the resilience to operate at full capacity and withstand the different operational conditions. At the heart of its technological infrastructure comes the computer network, which is one of the biggest networks in Jeddah. The hospital's Information and Communication Technology (ICT) runs different services and systems that automate most of the operations in all divisions. However, making the operations fully automated comes with a major security challenge. That is, in a fully integrated systems, compromising one component could cause the failure of the system partially or entirely not to mention the reputation damage that security breaches could inflict if sensitive patients' information were compromised. As such, it is imperative to implement rigorous security measures to safeguard the hospital's digital assets against the cyber-attacks. It is also crucial to revise the security policies regularly to make sure that these measures are always relevant. To this end, this study is devoted to assessing the security measures currently applied in the hospital's network and give recommendations on how to consolidate the security of the hospital's data and the underlying digital infrastructure. The study starts by conducting a series of semistructured interviews involving group of end users in addition to IT staff and information security personnel. Based on the data collected from the interviews, network architecture discovery was carried out in order to understand the structure and identify the critical components in hospital's network. By utilizing the data acquired during the discovery process, the existing security controls are identified, and the adequacy of these controls are evaluated. In light of these controls, the vulnerabilities of each of these components are determined. Based on the identified vulnerabilities, the prepositions and recommendations to improve security controls as well as the plan on how to deploy these recommendations in the hospital's network are proposed. By incorporating the proposed recommendations into the hospital's IT services and infrastructure, the security of digital assets will be improved and the risk of losing data or disrupting business operations will be significantly decreased.