Question

Scenario: You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network has over 600 employees throughout the organization and generates $500 million USD in annual revenue. The company has two additional locations in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a colocation data center, where production systems are located and managed by third-party data center hosting vendors.

Company Products

Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.

HNetExchange is the primary source of revenue for the company. The service handles secure electronic medical messages that originate from its customers, such as large hospitals, which are then routed to receiving customers such as clinics.

HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the management of secure payments and billing. The HNetPay Web portal, hosted at Health Network production sites, accepts various forms of payments and interacts with credit-card processing organizations much like a Web commerce shopping cart.

HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network customers to find the right type of care at the right locations. It contains doctors’ personal information, work addresses, medical certifications, and types of services that the doctors and clinics offer. Doctors are given credentials and are able to update the information in their profile. Health Network customers, which are the hospitals and clinics, connect to all three of the company’s products using HTTPS connections. Doctors and potential patients are able to make payments and update their profiles using Internet-accessible HTTPS Web sites.

Information Technology Infrastructure Overview

Health Network operates in three production data centers that provide high availability across the company’s products. The data centers host about 1,000 production servers, and Health Network maintains 650 corporate laptops and company-issued mobile devices for its employees.

Threats Identified

Upon review of the current risk management plan, the following threats were identified:

*) Loss of company data due to hardware being removed from production systems

*) Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops

*) Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on

*) Internet threats due to company products being accessible on the Internet

*) Insider threats

*) Changes in regulatory landscape that may impact operations

Management Request

Senior management at Health Network has determined that the existing risk management plan for the organization is out of date and a new risk management plan must be developed. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.

Additional threats other than those described previously may be discovered when re-evaluating the current threat landscape during the risk assessment phase.

The budget for this project has not been defined due to senior management’s desire to react to any and all material risks that are identified within the new plan. Given the company’s annual revenue, reasonable expectations can be determined.

Project Part 2 Task 3: Disaster Recovery Plan (DRP)

Your project on risk management, the BIA, and the BCP have been well received by senior management at Health Network. They now want you to develop a DRP in order to overcome any mishaps that might occur in the future. You may research and use National Institute of Standards and Technology (NIST) templates to develop a DRP plan for the company.

Evaluation Criteria and Rubrics (Ask these questions to yourself)

  • Did I develop a DRP that could recover business operations while efforts are ongoing to restart previous operations?
  • Did I completely fill out the template found in their research?
  • Did I completely understand the DRP constructs presented in class?
  • Did I create a professional, well-developed report with proper grammar, spelling, and punctuation?

Solutions

Expert Solution

Introduction:
A risk is an event or provision that, if it occurs, could have a positive or negative result on a project’s objectives. Risk Management is the procedure of identifying, assessing, responding to, monitoring, and reporting risks. This Risk Management Plan classifies how risks connected with the data maintained by the different services provided by Health Network, Inc. will be recognized, analyzed, and managed.

About Health Network, Inc.
Health Network, Inc. is a supposed health services organization in Minnesota with its headquarters in Minneapolis. The organization has a knowledgeable workforce of 600 employees and has an annual revenue of $500 million USD. Besides delivering health services, the company offers a mix of corporate operations at its branches in Portland, Oregon and Arlington, Virginia. All of the services of the organization are adjacent to a co-location data center, managed by third-party data center hosting vendors, that has production systems within it.

Products and service portfolio:
The company provides three products: HNetExchange, HNetPay, and HNetConnect.
• HNetExchange has the main share of the company’s earnings. This service routes the mail connected to patients securely between different clinics and hospitals.
• HNetPay is a Web portal to execute all the payment transactions by the customers of the company to pay their bills in return for the services subscribed.
• HNetConnect is an online directory that lists doctors, clinics, and further medical services.

Overview of IT Infrastructure at Health Network, Inc.
In order to ensure high availability across the company’s products, Health Network, Inc. operates in three production data centers, which host about 1,000 production servers. Along with this, Health Network employees are supplied with 650 laptops and company-issued mobile devices for operations and maintenance.

Scope

Business Objectives
Health Network, Inc. aims to provide secure and user-friendly services to its customers, ensuring high accessibility at all times, reliability of the data being hosted, and security of the information being exchanged through its services.
The deliverables of the company include secure exchange of patients’ mail information between various clinics and hospitals, a web portal accepting secure payments and billing services, and the maintenance of a directory of various hospitals and doctors.

The risks involved in the organization are due to:
Hardware theft
Loss of mobile devices and laptops
Software errors and natural disasters
Internet threats
Insider threats
Changes in regulatory acts and laws

Compliance laws and regulations:
The company is hosting health-care and medical websites, so it requires us to be compliant with laws and regulations surrounding secure hosting and exchange of patient information. We need to be especially familiar with HIPAA’s Standards for Privacy of Individually Identifiable Health Information for privacy and HIPAA’s Security Standards for the Protection of Electronic Protected Health Information for security.

HIPAA was expanded by the HITECH (Health Information Technology for Economic and Clinical Health) Act in 2009. This recognized a set of federal principles to ensure the privacy of protected health information (PHI).
Both the HIPAA and HITECH acts provide national minimum standards for protecting a person’s protected health information (PHI). Originally, HIPAA was intended to improve health-care processing and to lower costs by standardizing common health-care transactions while keeping the individual’s information safe. HITECH expanded on these security requirements, while the U.S. Department of Health and Human Services (HHS) manages and enforces these principles.

There are specific security regulations inside HIPAA that address implementation specifications regarding the encryption of protected health information in transmission (in flight) and in storage (at rest).

Data Encryption

To protect data during electronic communication, files containing protected health information should be encrypted using technologies such as 256-bit AES algorithms. Additionally, to decrease the risk to PHI even further and to decrease bandwidth usage, any data, including with PHI.

High-Level Protection
Data in transit to and from the network should be protected with encryption; however, information that comes in contact with administrators or third-party partners may require different control mechanisms.
It’s important to keep a close watch on security policies and processes regarding data and how customers can implement authentication, access consent processes, and audit controls to reduce the risk of compromise. All of these practices are necessary in order to comply with HIPAA’s Security Rule.

This attention to detail allows customers to understand data restriction options to their systems and to carefully monitor their systems for fast alerts and lockdowns in case of threat or attack.

Auditing and Backups
Be sure your servers can run action log files and audit down to the packet layer on the customers’ virtual servers, just as they would do on normal hardware.

Disaster Recovery supplies
Under HIPAA, covered entities must have a backup plan to protect information in case of an emergency. Retrievable and exact copies of electronic protected health information (PHI) must be accessible.
HIPAA’s disaster recovery procedures for protecting an organization’s data and IT infrastructure are typically among the more expensive requirements to comply with.

Roles and responsibilities
The organization has employed the following personnel for its operations and services:
• Data Expert: Ensures the data being entered in the portal is genuine and complies with the national medical standards.
• Network Administrator: Monitors and manages all the networking infrastructure of the company.
• Database Administrator: Deals with the data stored in the company database and is responsible for securing the data by backup of the database.
• Customer relation executives: Responsible for providing support by providing solutions to customer issues such as updating or any payment-related issues.
• HR executives: Responsible for maintaining the company’s employee information, payrolls, etc.
• Technical expert: Responsible for troubleshooting any technical issues which may arise in the products.

Risk Mitigation Plan
Potential risks identified in previous assessments in the project:
• Loss of company data due to hardware being removed from production systems
• Loss of company information on misplaced or stolen company-owned property, such as mobile devices and laptops
• Loss of customers due to production outages caused by different events, such as natural disasters, change management, unstable software, and so on
• Internet threats due to company products being available on the Internet
• Insider threats
• Changes in regulatory landscape that might impact operations

Risk Mitigation approaches
The loss of company data due to hardware removal in production can be avoided by enforcing strict surveillance and physical securing of data devices such as hard disks. It is also suggested to implement full data encryption of the disks so as to avoid data leakage in case of theft of hardware devices.

1. To avoid the loss of company-owned mobile assets like phones and laptops: portable devices have a high factor of risk in terms of being stolen or accessed without authorization. It is necessarily a high priority to mitigate the risks involved in such cases. Mostly, such risks can be avoided by having employees surrender company-owned assets when they leave their duties, or by providing the assets only in cases of high necessity.
2. The laptops must be password protected and all the disks must be encrypted. Network access rules must be enforced by the administrator to prevent access from external data access points; any such unauthorized attempts must be reported to the administrator immediately by reporting software.
3. The loss of customer data caused by production outages, maintenance actions, and other causes such as natural disasters or software-related errors can be avoided by taking regular backups and enforcing a recovery mechanism at every server so as to ensure the accessibility of data even after a disaster.
4. If the data cannot be recovered in any case, all the customers must be notified, clearly specifying the reason for the data loss and the attempts the company made to recover the data (in a worst case).
5. Internet threats are also a main cause of data risks in the organization. Since all the services offered by the company rely on the Internet, the company needs to make efforts to reduce the risk potential of Internet threats by enforcing antimalware and firewall mechanisms.
6. Also, company employees are counseled to update the software on the laptops regularly, as there is a high risk of attack on devices with outdated software, which may act as entry points for malicious software and spyware. Insider threats must also be considered, as they may occur without even a sign of risk.
7. Sometimes this might offer competitors a possibility to abuse the company’s business secrets, causing undesirable events. All the employees should be monitored thoroughly, and there should be a backup personnel team so as to avoid any risk of employees leaving the company intermittently, which may result in trouble for the business activities of the company.
8. Sometimes changes in regulatory policies may affect the delivery of the services or may cause temporary outages to the services due to updates being made as per the revised regulations. In such cases, the product design may require restructuring so that the updating can be made to the affected modules rather than putting the entire product or service on a complete outage.
9. The top management officials should be in regular contact with HIPAA and HITECH authorities so that any changes in the regulatory policies can be anticipated as early as possible, which gives enough time to respond in case of risk.
10. In addition to this, instead of hosting company-owned servers, it is advisable to implement the services in a cloud computing environment, as it will offer a high degree of flexibility, security, and accessibility.

The key Risks to Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota are as follows:

1.      Loss of company data due to hardware being removed from production systems.

2.      Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops.

3.      Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, etc.

4.      Internet threats due to company products being accessible on the Internet.

5.      Insider threats.

6.      Changes in regulatory landscape that may impact operations.

| Threat | Outcome | Existing risk plan in place | Likelihood | Consequence | Rating | Proposed revised plan |
|---|---|---|---|---|---|---|
| Loss of data due to the removal of hardware from production systems | Failure of the production process and errors in production | Replace the hardware immediately with approvals | 3 | 4 | Severe | Have a pre-approved budget to immediately arrange the hardware |
| Loss of company data due to loss of company assets | Data loss and important information is compromised | Replace the asset and follow the laid down process | 4 | 4 | Severe | Data backup on all assets; all laptops to have passwords and a data locking system which cannot be hacked even if the asset is lost. |
| Loss of customers due to outages such as natural disaster, etc. | The entire process will be stalled and all work will stop immediately | Disaster plan is in place but hasn’t been reviewed for a long time | 1 | 5 | High | The organization will keep two places of work at different geographic locations. The backup support will be strengthened and the disaster plan will be reworked immediately. |
| Internet threats | The entire process will be stalled | Technical team will resolve immediately | 3 | 5 | Severe | Backup internet, though expensive, will be kept at all times. |
| Insider threats | The entire system will be at risk | The violations will be analyzed and found and action taken. | 5 | 5 | High | The authority for data access has to be limited, and sanctions required for accessing critical and vulnerable information. |
| Change in the regulatory landscape | The regulation will have to be adhered to and processes changed accordingly. | The regulation will be reviewed. | 2 | 2 | Low | The necessary plan will be made as per changes asked. |

| Risk rating | Description | Action |
|---|---|---|
| 1-2 | Low | Action in 6 months |
| 3-4 | Moderate | Action within 1 month |
| 5-6 | High | Action within 1 week |
| 7-8 | Severe | Immediate action required |

| Likelihood of event occurring | Rare | Unlikely | Moderate | Likely | Certain |
|---|---|---|---|---|---|
| | The event may occur rarely in exceptional conditions | The event may occur | The event might probably occur at some time | High chances of the event to occur | The event will occur |
| Occurrence | Once a year | Once in 6 months to 1 year | Once in 3-6 months | Once in a month | Every week |
| Level | 1 | 2 | 3 | 4 | 5 |

Draft of risk assessment

| HAZARD | RISK | PREVENTION |
|---|---|---|
| Removal of hardware or losing of laptop and mobile of company. | Loss of data | Always maintain a copy of data in one centered software which can store data from all devices (data backup). |
| Natural hazard or software failure. | Loss of customer | Regular update and checking of software, keeping an alternative connection to reduce the obstacles in data serving to customers. |
| Internet threat | Damage of company image and goodwill. | Internet hackers may threaten the company by accessing the company products, thereby affecting the customer as well as the company. Need to build strong security for products so that no one can hack. |
| Insider threat | Loyalty issue | Employees may misuse the company products, which may lead to a reduction of the loyalty rate in the eyes of clients, so there is a need for strict regulations in the company so that employees never misuse the data. |
