You are the IT risk assessment lead at Health Network, Inc., a health services organization headquartered in Tampa, Florida. Health Network has over 700 employees throughout the organization and generates $500 million in revenue annually. The company has two additional locations in Seattle, Washington, and Arlington, Virginia. These locations support different aspects of corporate operations. Each facility is located near a data center, where production systems are located and managed by third-party data-center hosting vendors.Health Network has three main products:
HNetExchange is the primary source of revenue for the company. The service handles secure electronic medical messages that originate from its customers, such as large hospitals, which are then routed to receiving customers such as clinics.
HNetPay is a web portal used by many of the company’s HNetExchange customers to support the management of secure payments and billing. The HNetPay web portal, hosted at Health Network production sites, accepts various forms of payments and interacts with credit-card processing organizations, much like a web commerce shopping cart.
HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network customers to find the right type of care at the right locations. It contains doctors’ personal information, work addresses, medical certifications, and types of services that the doctors and clinics offer. Doctors are given credentials and are able to update the information in their profiles. Health Network customers, which are hospitals and clinics, connect to all three of the company’s products using HTTPS connections. Doctors and potential patients are able to make payments and update their profiles using internet-accessible HTTPS websites.
Health Network operates in three production data centers that provide high availability across the company’s products. The data centers host about 1,000 production servers, and Health Network maintains 650 corporate laptops and company-issued mobile devices for its employees.
A previous risk assessment identified the following threats:
Potential loss of data due to inappropriate hardware decommission
Potential loss of protected health information (PHI) from lost or stolen company-owned assets, such as mobile devices and laptops
Potential data loss due to corrupt production data resulting from a systems outage
Internet threats from hackers and other malicious actors
Insider threats due to social engineering, installation of malware and spyware
Changes in the regulatory landscape that may impact operations
Based on the findings of this risk assessment, Health Network administration has determined that the existing risk management plan does not take into account the above threats and is therefore out of date. You have been assigned to develop a new plan.
Directions
For this assignment, you will create a risk management plan for Health Network that contains the following objectives:
Importance: Explain the plan’s purpose and importance for the key stakeholders of the organization.
Scope: Define the scope and boundaries of the plan.
Risks: Identify the organization’s primary internal and external risks based on the local environments where facilities are located.
Safety: Describe physical and safety considerations associated with the identified risks.
Business Impact: Conduct a business impact analysis (BIA) that determines the probability and significance of certain risky events and their potential impact on the various aspects of Health Network’s business.
Mitigation: Identify strategies to mitigate these risks and to allow Health Network to continue operating and disaster recovery plan if these risks occur.