Question

In: Computer Science

Please create a Risk Mitigation Plan for this scenario.

Scenario: You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network has over 600 employees throughout the organization and generates $500 million USD in annual revenue. The company has two additional locations in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a colocation data center, where production systems are located and managed by third-party data center hosting vendors.

Company Products Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.

HNetExchange is the primary source of revenue for the company. The service handles secure electronic medical messages that originate from its customers, such as large hospitals, which are then routed to receiving customers such as clinics.

HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the management of secure payments and billing. The HNetPay Web portal, hosted at Health Network production sites, accepts various forms of payments and interacts with credit-card processing organizations much like a Web commerce shopping cart.

HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network customers to find the right type of care at the right locations. It contains doctors’ personal information, work addresses, medical certifications, and types of services that the doctors and clinics offer. Doctors are given credentials and are able to update the information in their profile. Health Network customers, which are the hospitals and clinics, connect to all three of the company’s products using HTTPS connections. Doctors and potential patients are able to make payments and update their profiles using Internet-accessible HTTPS Web sites.

Information Technology Infrastructure Overview

Health Network operates in three production data centers that provide high availability across the company’s products. The data centers host about 1,000 production servers, and Health Network maintains 650 corporate laptops and company-issued mobile devices for its employees.

Threats Identified

Upon review of the current risk management plan, the following threats were identified:

• Loss of company data due to hardware being removed from production systems

• Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops

• Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on

• Internet threats due to company products being accessible on the Internet

• Insider threats

• Changes in regulatory landscape that may impact operations

Management Request

Senior management at Health Network has determined that the existing risk management plan for the organization is out of date and a new risk management plan must be developed. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.

Additional threats other than those described previously may be discovered when re-evaluating the current threat landscape during the risk assessment phase.

The budget for this project has not been defined due to senior management’s desire to react to any and all material risks that are identified within the new plan. Given the company’s annual revenue, reasonable expectations can be determined.

Please create a Risk Mitigation Plan

Senior management at Health Network allocated funds to support a risk mitigation plan, and have requested that the risk manager and team create a plan in response to the deliverables produced within the earlier phases of the project. The risk mitigation plan should address the identified threats described in the scenario for this project, as well as any new threats that may have been discovered during the risk assessment. You have been assigned to develop this new plan.

Solutions

Expert Solution

Introduction:

A risk is an event or condition that, if it occurs, could have a positive or negative effect on a project’s objectives. Risk management is the process of identifying, assessing, responding to, monitoring, and reporting risks. This Risk Management Plan defines how risks connected with the data maintained by the different services provided by Health Network, Inc. will be identified, analyzed, and managed.
About Health Network, Inc. :
Health Network, Inc. is a fictitious health services organization in Minnesota with its headquarters in Minneapolis. The organization has a knowledgeable workforce of 600 employees and an annual revenue of $500 million USD. Besides delivering health services, the company offers a mix of corporate operations at its branches located in Portland, Oregon and Arlington, Virginia. Each of the organization’s facilities is adjacent to a co-location data center managed by third-party data center hosting vendors, with the production systems located within them.
Products and service portfolio:
The company provides three products: HNetExchange, HNetPay, and HNetConnect.
HNetExchange has the main share of the company’s earnings. This service routes mail relating to patients securely between different clinics and hospitals.
HNetPay is a Web portal used by the company’s customers to execute all payment transactions and pay their bills for the services they have subscribed to.
HNetConnect is an online directory that lists doctors, clinics, and other medical services.
Overview of IT Infrastructure at Health Network , Inc.
In order to ensure high availability across the company’s products, Health Network, Inc. operates three production data centers which host about 1,000 production servers. Along with this, Health Network employees are supplied with 650 laptops and company-issued mobile devices for operations and maintenance.
Scope
Business Objectives
Health Network, Inc. aims to provide secure and user-friendly services to its customers, ensuring high availability at all times, reliability of the data being hosted, and security of the information being exchanged through its services.
The deliverables of the company include secure exchange of patient information by mail between various clinics and hospitals, a web portal accepting secure payments and providing billing services, and maintaining a directory of various hospitals and doctors.
The risks involved in the organization are due to:
• Hardware theft
• Loss of mobile devices and laptops
• Software errors and natural disasters
• Internet threats
• Insider threats
• Changes in regulatory acts and laws
Compliance laws and regulations:
The company hosts health-care and medical websites, so it is required to be compliant with the laws and regulations surrounding secure hosting and exchange of patient information, especially HIPAA’s Standards for Privacy of Individually Identifiable Health Information (for privacy) and HIPAA’s Security Standards for the Protection of Electronic Protected Health Information (for security).
HIPAA was expanded by the HITECH (Health Information Technology for Economic and Clinical Health) Act in 2009. This established a set of federal principles to ensure the privacy of protected health information (PHI).
Both the HIPAA and HITECH acts provide national minimum standards for protecting a person’s protected health information (PHI). Originally, HIPAA was intended to improve health-care processing and to lower costs by standardizing common health-care transactions while keeping the individual’s information safe. HITECH expanded on these security requirements, while the U.S. Department of Health and Human Services (HHS) manages and enforces these principles.
There are specific security regulations inside HIPAA that address implementation specifications regarding the encryption of protected health information in transmission (in flight) and in storage (at rest).
Data Encryption
To protect data during electronic communication, files containing protected health information should be encrypted using technologies such as 256-bit AES algorithms. Additionally, to decrease the risk to PHI even further and to decrease bandwidth usage, any data, including with PHI.
High-Level Protection
Data in transit to and from the network should be protected with encryption; however, information that comes in contact with administrators or third-party partners may require different control mechanisms.
It’s important to keep a close watch on security policies and processes regarding data, and on how customers can implement authentication, access consent processes, and audit controls to reduce the risk of compromise. All of these practices are necessary in order to comply with HIPAA’s Security Rule.
This attention to detail allows customers to understand the data restriction options for their systems and to carefully monitor their systems for fast alerts and lockdowns in case of a threat or attack.
Auditing and Backups
Be sure your servers can run action log files and audit down to the packet layer on the customers’ virtual servers, just as they would do on normal hardware.
Disaster Recovery
Under HIPAA, covered entities must have a backup plan to protect information in case of an emergency. Retrievable and exact copies of electronic protected health information (PHI) must be accessible.
HIPAA’s disaster recovery requirements for protecting an organization’s data and IT infrastructure are typically one of the more expensive requirements to comply with.
Roles and responsibilities
The organization has employed the following personnel for its operations and services:
Data Expert
Ensures the data being entered in the portal is genuine and complies with the national medical standards
Network Administrator
Monitors and manages all the networking infrastructure of the company
Database Administrator
Deals with the data stored in the company database and is responsible for securing the data by backup of the database
Customer relations executives
Responsible for providing support by resolving customer issues, such as profile updates or any payment-related issues.
HR executives
Responsible for maintaining the company’s employee information, payroll, etc.
Technical expert
Responsible for troubleshooting any technical issues which may arise in the products
Risk Mitigation Plan
Potential risks identified in previous assessments in the project:
• Loss of company data due to hardware being removed from production systems
• Loss of company information on misplaced or stolen company-owned property, such as mobile devices and laptops
• Loss of customers due to production outages caused by different events, such as natural disasters, change management, unstable software, and so on
• Internet threats due to company products being available on the Internet
• Insider threats
• Changes in regulatory landscape that might impact operations
Risk Mitigation approaches
The loss of company data due to hardware removal in production can be avoided by enforcing strict surveillance and physical securing of data devices like hard disks; it is also suggested to implement full data encryption of the disks so as to avoid data leakage in case of theft of hardware devices.
1. To avoid the loss of company-owned mobile assets like phones and laptops: portable devices have a high risk factor in terms of being stolen or accessed without authorization. It is of necessity a high priority to mitigate the risks involved in such cases. Mostly such risks can be avoided by surrendering company-owned assets when employees leave their duties, or by providing them only in case of high necessity.
2. The laptops must be password protected and all the disks must be encrypted. Network access rules must be enforced by the administrator to avoid access from external data access points, and any such unauthorized attempts must be reported to the administrator immediately by reporting software.
3. The loss of customer data caused by production outages, maintenance actions, and other causes such as natural disasters or software-related errors can be avoided by taking regular backups and enforcing a recovery mechanism at every server so as to ensure the accessibility of data even after a disaster.
4. If the data cannot be recovered in any case, all the customers must be notified, specifying clearly the reason for the data loss and the company’s attempts that were made to recover the data (in the worst case).
5. Internet threats are also a main source of data risk in the organization. Since all the services offered by the company rely on the Internet, the company needs to put in efforts to reduce the risk potential of Internet threats by enforcing anti-malware and firewall mechanisms.
6. Also, company employees are advised to update the software on their laptops regularly, as there is a high risk of attack on devices with outdated software, which may act as entry points for malicious software and spyware. Insider threats must also be considered, as they may not even show a sign of the risk occurring.
7. Sometimes they might offer competitors a possibility to abuse the company’s business secrets, causing undesirable events. All employees should be monitored thoroughly, and there should be a backup personnel team so as to avoid the risks of employees leaving the company intermittently, which may result in trouble for the business activities of the company.
8. Sometimes changes in regulatory policies may affect the delivery of the services or may cause temporary outages to the services due to updates being made as per the revised regulations. In such cases, the product design may require restructuring so that the updates can be made to the affected modules rather than putting the entire product or service on a complete outage.
9. The top management officials should be in regular contact with the HIPAA and HITECH authorities so that it may be possible to anticipate any changes in the regulatory policies as early as possible, which gives enough mean time to respond in case of risk.
10. In addition to this, instead of hosting company-owned servers, it is advisable to implement the services in a cloud computing environment, as it will offer a high degree of flexibility, security, and accessibility.

