Please create a Risk Mitigation Plan for this scenario.
Scenario: You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network has over 600 employees throughout the organization and generates $500 million USD in annual revenue. The company has two additional locations in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a colocation data center, where production systems are located and managed by third-party data center hosting vendors.
Company Products
Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.
HNetExchange is the primary source of revenue for the company. The service handles secure electronic medical messages that originate from its customers, such as large hospitals, which are then routed to receiving customers such as clinics.
HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the management of secure payments and billing. The HNetPay Web portal, hosted at Health Network production sites, accepts various forms of payments and interacts with credit-card processing organizations much like a Web commerce shopping cart.
HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network customers to find the right type of care at the right locations. It contains doctors’ personal information, work addresses, medical certifications, and types of services that the doctors and clinics offer. Doctors are given credentials and are able to update the information in their profile. Health Network customers, which are the hospitals and clinics, connect to all three of the company’s products using HTTPS connections. Doctors and potential patients are able to make payments and update their profiles using Internet-accessible HTTPS Web sites.
Information Technology Infrastructure Overview
Health Network operates in three production data centers that provide high availability across the company’s products. The data centers host about 1,000 production servers, and Health Network maintains 650 corporate laptops and company-issued mobile devices for its employees.
Threats Identified
Upon review of the current risk management plan, the following threats were identified:
• Loss of company data due to hardware being removed from production systems
• Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
• Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
• Internet threats due to company products being accessible on the Internet
• Insider threats
• Changes in regulatory landscape that may impact operations
Management Request
Senior management at Health Network has determined that the existing risk management plan for the organization is out of date and a new risk management plan must be developed. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.
Additional threats other than those described previously may be discovered when re-evaluating the current threat landscape during the risk assessment phase.
The budget for this project has not been defined due to senior management’s desire to react to any and all material risks that are identified within the new plan. Given the company’s annual revenue, reasonable expectations can be determined.
Please create a Risk Mitigation Plan
Senior management at Health Network allocated funds to support a risk mitigation plan, and have requested that the risk manager and team create a plan in response to the deliverables produced within the earlier phases of the project. The risk mitigation plan should address the identified threats described in the scenario for this project, as well as any new threats that may have been discovered during the risk assessment. You have been assigned to develop this new plan.
Introduction:
A risk is an event or condition that, if it occurs, could
have a positive or negative effect on a project’s objectives. Risk
management is the process of identifying, assessing, responding to,
monitoring, and reporting risks. This Risk Management Plan defines
how risks connected with the data maintained by the different services
provided by Health Network, Inc. will be identified, analyzed, and
managed.
About Health Network, Inc.:
Health Network, Inc. is a fictitious health services organization in
Minnesota, with its headquarters in Minneapolis. The organization
has a knowledgeable workforce of 600 employees and an annual
revenue of $500 million USD. Besides delivering health services,
the company supports a mix of corporate operations at its branches
located in Portland, Oregon and Arlington, Virginia. Each of the
organization's facilities is adjacent to a colocation data
center, managed by third-party data center hosting vendors, that
houses the production systems.
Products and service portfolio:
The company provides three products:
HNetExchange, HNetPay, and HNetConnect.
HNetExchange accounts for the main share of the company’s earnings. This
service securely routes mail related to patients between
different clinics and hospitals.
HNetPay is a Web portal through which the company's customers carry out
all payment transactions to pay their bills for the
services they subscribe to.
HNetConnect is an online directory that lists doctors, clinics, and
other medical services.
Overview of IT Infrastructure at Health Network, Inc.
To ensure high availability across the company’s
products, Health Network, Inc. operates in three production data
centers, which host about 1,000 production servers. In addition,
Health Network employees are supplied with 650 laptops and
company-issued mobile devices for operations and maintenance.
Scope
Business Objectives
Health Network, Inc. aims to provide secure and user-friendly
services to its customers, ensuring high accessibility at all times,
reliability of the data being hosted, and security of the
information being exchanged through its services.
The company's deliverables include secure exchange of patient mail
between various clinics and hospitals, a
web portal that accepts secure payments and provides billing services, and
a directory of various hospitals and doctors.
The risks involved in the organization are due to:
• Hardware theft
• Loss of mobile devices and laptops
• Software errors and natural disasters
• Internet threats
• Insider threats
• Changes in regulatory acts and laws
Compliance laws and regulations:
The company hosts health-care and medical websites, so it
is required to comply with the laws and regulations surrounding
secure hosting and exchange of patient information. In particular, it must be
familiar with HIPAA’s Standards for Privacy of Individually
Identifiable Health Information for privacy and HIPAA’s Security
Standards for the Protection of Electronic Protected Health
Information for security.
HIPAA was expanded by the HITECH (Health Information Technology for
Economic and Clinical Health) Act in 2009. This established a set of
federal principles to ensure the privacy of protected health
information (PHI).
Both the HIPAA and HITECH acts provide national minimum standards for
protecting a person’s protected health information (PHI).
Originally, HIPAA was intended to improve health-care processing
and to lower costs by standardizing common health-care transactions
while keeping the individual’s information safe. HITECH
expanded on these security requirements, while the U.S. Department
of Health and Human Services (HHS) manages and enforces these
principles.
There are specific security regulations within HIPAA that address
implementation specifications regarding the encryption of protected
health information in transmission (in flight) and in storage (at
rest).
Data Encryption
To protect data during electronic communication, files containing
protected health information should be encrypted using
technologies such as 256-bit AES algorithms. Additionally, to
decrease the risk to PHI even further and to decrease bandwidth
usage, any data, including with PHI.
High-Level Protection
Data in transit to and from the network should be protected with
encryption; however, information that comes in contact with
administrators or third-party partners may require different
control mechanisms.
It’s important to keep a close watch on security policies and
processes regarding data and how customers can implement
authentication, access consent processes, and audit controls to
reduce the risk of compromise. All of these practices are necessary
in order to comply with HIPAA’s Security Rule.
This attention to detail allows customers to understand the data
restriction options for their systems and to carefully monitor their
systems for fast alerts and lockdowns in case of threat or
attack.
Auditing and Backups
Be sure your servers can run activity log files and audit down to the
packet layer on the customers’ virtual servers, just as they would
on normal hardware.
Disaster Recovery Provisions
Under HIPAA, covered entities must have a backup plan to protect
information in case of an emergency. Retrievable and exact copies
of electronic protected health information (PHI) must be
accessible.
HIPAA’s disaster recovery requirements for protecting an organization’s
data and IT infrastructure are typically among the more
expensive requirements to comply with.
Roles and responsibilities
The organization has employed the following personnel for its
operations and services:
Data Expert
Ensures the data being entered in the portal is genuine and
complies with the national medical standards
Network Administrator
Monitors and manages all the networking infrastructure of the
company
Database Administrator
Deals with the data stored in the company database and is
responsible for securing the data by backup of the database
Customer relation executives
Responsible for providing support by offering solutions to
customer issues such as updates or payment-related issues.
HR executives
Responsible for maintaining the company’s employee information,
payrolls, etc.
Technical expert
Responsible for troubleshooting any technical issues which may
arise in the products
Risk Mitigation Plan
Potential risks identified in previous assessments in the
project:
• Loss of company data due to hardware being removed from
production systems
• Loss of company information on misplaced or stolen company-owned
property, such as mobile devices and laptops
• Loss of customers due to production outages caused by different
events, such as natural disasters, change management, unstable
software, and so on
• Internet threats due to company products being available on the
Internet
• Insider threats
• Changes in regulatory landscape that might impact
operations
Risk Mitigation approaches
The loss of company data due to hardware removal in production
can be avoided by enforcing strict surveillance and physical
security of data devices such as hard disks. It is also
suggested to implement full encryption of the disks so as to
avoid data leakage in case of theft of hardware devices.
1. To avoid the loss of company-owned mobile assets like
phones and laptops: portable devices carry a high risk
of being stolen or accessed without authorization. Mitigating
the risks involved in such cases is necessarily a high priority.
Mostly, such risks can be avoided by having employees surrender
company-owned assets when they leave their duties, or by providing the assets
only in cases of high necessity.
2. The laptops must be password protected and all the disks
must be encrypted. Network access rules must be enforced by the
administrator to prevent access from external data access points; any
such unauthorized attempts must be reported to the administrator
immediately by reporting software.
3. The loss of customer data caused by production outages,
maintenance actions, and other causes such as natural disasters or
software-related errors can be avoided by taking regular
backups and enforcing a recovery mechanism at every server so as to
ensure the accessibility of data even after a disaster.
4. If the data cannot be recovered in any case, all the customers
must be notified, clearly specifying the reason for the data loss and
the company’s attempts that were made at data
recovery (in a worst case).
5. Internet threats are also a main source of data risk in the
organization. Since all the services offered by the company
rely on the Internet, the company needs to make efforts to reduce
the risk potential of Internet threats by enforcing antimalware and
firewall mechanisms.
6. Also, company employees are advised to update the software on
their laptops regularly, as there is a high risk of attack on
devices with outdated software, which may act as entry points for
malicious software and spyware. Insider threats must also be
considered, as they may show no sign of a risk
occurring.
7. Sometimes they might give competitors the possibility
to abuse the company’s business secrets, causing undesirable events.
All the employees should be monitored thoroughly, and there should be
a backup personnel team so as to avoid the risk of employees
leaving the company intermittently, which may result in trouble
in the business activities of the company.
8. Sometimes changes in regulatory policies may affect the
delivery of the services or may cause temporary outages of the
services while updates are made per the revised regulations.
In such cases, the product design may require restructuring so that
updates can be made to the affected modules rather than
putting the entire product or service on a complete outage.
9. The top management officials should be in regular contact with
HIPAA and HITECH authorities so that any changes in the regulatory
policies can be anticipated as early as possible,
which gives enough time to respond in case of risk.
10. In addition to this, instead of hosting company-owned
servers, it is advisable to implement the services in a cloud
computing environment, as it will offer a high degree of flexibility,
security and accessibility.