Database Security
MANAGEMENT SYSTEM. EXPLAIN THE ACCESS CONTROL MECHANISMS YOU WOULD IMPLEMENT
TO ENSURE PATIENT DATA PRIVACY. DISCUSS SPECIFIC ROLES, PERMISSIONS AND SCENARIOS.
When designing an information system, access control can be defined based on four
possible mechanisms, namely: Role-based, Mandatory, Attribute-based and Discretionary. These
mechanisms differ in the criteria they use for granting or revoking rights and privileges
to different users of the information system.
Role-based access control uses the user’s job and function in the organisation as this criterion. For
instance, in a hospital scenario a doctor and a pharmacy clerk would typically be granted different
levels of access because their roles in the organisation have different requirements. The clerk would
only need read-only access to patient files to determine the necessary drugs prescribed, whilst a doctor
needs to read and write to these files to access history and write in new diagnoses. It is, however,
up to the system designers, analysts and administrators to determine the access levels
according to each user’s specific role. It also requires continuous administrative oversight to
adjust the rights of each user as organisational roles shift.
Attribute-based access control considers the attributes of users, data, action and environment to
define policies and rules for access. For instance, access to a patient record could be granted only
from a user terminal in the organisation’s building. This access control makes use of an environment
attribute of the user attempting to access the data.
Mandatory access control enforces a strict hierarchy of security levels for data and users. Data and
users are classified and assigned security labels such as top secret, secret, confidential, restricted or
unclassified. Users can then only access information that has been classified with equal or lower
security labels than their own. This hierarchy has to be defined during the system’s implementation
phase by system designers and all those involved during this phase.
Lastly, discretionary access control is a mechanism that allows users of the system to determine who
can access their data; in other words, they can share information at their own discretion without the
system administrator’s interference.
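The role, attribute and mandatory checks described above can be combined into one default-deny decision for the hospital scenario. The following is an added example, not part of the original essay; the user names, the `Request` fields and the reason strings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Mandatory access control: labels from the text, least to most sensitive.
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {label: i for i, label in enumerate(LEVELS)}

# Role-based access control: actions each job function may perform on patient files.
ROLE_PERMISSIONS = {
    "doctor": {"read", "write"},
    "pharmacy_clerk": {"read"},
}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str

@dataclass(frozen=True)
class Request:
    user: User
    action: str        # "read" or "write"
    record_label: str  # security label on the patient record
    on_site: bool      # environment attribute: terminal inside the building

def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: every check must pass."""
    # RBAC: an unknown role gets an empty permission set.
    if req.action not in ROLE_PERMISSIONS.get(req.user.role, set()):
        return False, "role does not permit action"
    # ABAC: patient records are only served to terminals in the building.
    if not req.on_site:
        return False, "terminal is off site"
    # MAC: clearance must be equal to or higher than the record's label.
    # Unknown clearance ranks lowest, unknown label ranks highest (fail closed).
    clearance = RANK.get(req.user.clearance, -1)
    label = RANK.get(req.record_label, len(LEVELS))
    if clearance < label:
        return False, "clearance below record label"
    return True, "granted"

# Constructed sample users, not taken from any real system.
DOCTOR = User("dr_moyo", "doctor", "secret")
CLERK = User("clerk_dube", "pharmacy_clerk", "confidential")
```

Returning the reason alongside the decision lets each denial be written to an audit log with the mechanism that blocked it.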
Symmetric key encryption describes a cryptographic system that makes use of one key for both the
encryption and decryption process. By making use of some encryption algorithm, information can be
kept secure from adversaries; and when the intended user wishes to access this information, they
are able to do so by using this secret key in a decryption algorithm. Symmetric-key encryption
methods have the fastest implementations among all encryption techniques, making them ideal for
encrypting huge volumes of data. This encryption technique, however, raises the challenge of how
parties can share this secret key without it being intercepted by unauthorised entities, because
when the key is shared between the intended parties there is a risk that it could be exposed,
leaving the data at risk of being decrypted by an adversary. Due to this factor, symmetric key
encryption is ideal for encrypting data at rest, where you do not need to share the key with another
entity.
Asymmetric key encryption (also known as public key cryptography) differs from
symmetric key encryption because it makes use of two separate keys for its encryption and
decryption processes. This makes it more secure in terms of key exchange, since the decryption key
is held by only one party; so long as it is kept secret, the data it decrypts is secure.
The basic idea of public-key cryptography are public keys. Each person’s key
is separated into two parts: a public key for encryption available to everyone
and a secret key for decryption which is kept secret by the owner.
Asymmetric encryption techniques, however, have been known to produce slower encryption
algorithms. It is due to these factors that in most practical cryptographic systems both symmetric
and asymmetric encryption techniques are used in tandem to offset each other’s shortcomings.
Financial data is sensitive information that would benefit from the use of both these techniques
rather than one on its own. When storing large datasets, using symmetric encryption will be optimal
due to its higher efficiency. When sharing information over a network, a secret key could be shared
using asymmetric encryption because of its smaller size whilst still maintaining privacy; the parties
then transition to symmetric encryption, which is, again, more efficient when handling large data.
References
1. Delfs, Hans, and Helmut Knebl. Introduction to Cryptography: Principles and Applications. 2nd ed.,
Springer, 2007.
3. Adetunji, Daniel. “Symmetric and Asymmetric Key Encryption – Explained in Plain English.”
freeCodeCamp.org, Apr. 2023, www.freecodecamp.org/news/encryption-explained-in-plain-english.