Topic: Healthcare Security - Stand-Alone
Overview: Making recommendations for securing a healthcare entity
You work in a large hospital that’s based in the US. The hospital has supported more than 40 million patients. The healthcare system offers specialized treatment that attracts patients from around the world, including many patients from Europe.
Last year, the company experienced a cybersecurity breach that exposed all patient records. A careless employee clicked on a link in an email with the subject line “Your New Patient Diagnosis”; the link led to a website impersonating the hospital’s employee portal.
The employee logged in with a username and password. Over the next few months, unknown to the employee and the company, external parties were able to log into the user’s account and carry out various unauthorized activities.
A loophole in the access process allows employees to create new administrator accounts that have the highest level of access to all systems in the hospital. The attacker was able to use this loophole to create an administrator account.
The breach was discovered six months later when a security researcher found the hospital’s entire database of patient data for sale on the dark web. The entity was required to notify all affected patients; however, news outlets learned of the incident and published the story before notifications were sent.
News outlets around the world picked up the story as it went viral, startling investors and causing the company’s stocks to plummet. Lawsuits also began to accumulate as patients reported that their identities had been stolen. The healthcare system was criticized in the media for taking six months to discover the breach, and even longer to notify patients.
You’ve been tasked with improving the cybersecurity program plan to help the hospital prevent another breach in the future.
Project Tasks:
Part 1: Understanding your environment (Two pages | 30 points)
Discuss the five key participating groups relevant to healthcare delivery and describe the kinds of data they may interact with, collect, and provide to your hospital.
Identify five electronic health records or data components relevant in hospital environments and document them in a data classification table. Discuss whether the information is confidential, for internal company use only, or open to the public. Explain why hackers might want to steal this information.
Identify five examples of technology systems or devices relevant to hospital environments. Discuss security and legal issues associated with each.
Part 2: Outlining regulatory and governance requirements (Five pages | 70 points)
Outline the regulations that are relevant to the hospital. Summarize the purpose and core requirements of each regulation.
Identify the information security policies that should be created and adopted by the company. Discuss why the policies are necessary and who should adhere to them.
Create an official end-user agreement and an incident reporting policy for the hospital. Example templates can be found at https://www.sans.org/security-resources/policies/generalacceptable-use-policy.
Part 3: Analyzing threats and managing risks (Three pages | 50 points)
The hospital was breached in the past, as summarized in the overview. Discuss the threats, vulnerabilities, and impacts present throughout the case study. Use the information you’ve outlined to create a new risk-based decision tree. Chapter 4 in the textbook provides an example. Based on the ISO 27000 family of standards, recommend an approach to addressing the risks in the decision tree, and justify your recommendation.
Think of five different third-party providers that the hospital may work with. Discuss the risks that third parties can introduce to the business. Summarize security considerations and security control recommendations for granting third parties access to hospital resources. Outline additional tools that can be used to manage third-party risk.
Part 4: Raising security awareness (Two pages | 30 points)
Share five recommendations for ways to increase cybersecurity knowledge and awareness in the company. Explain why implementing them is necessary. Create an example awareness poster that educates stakeholders on the risks of ransomware attacks against hospitals.
Part 5: Responding to cyber incidents (Three pages | 50 points)
You’ve been made aware that the hospital was hit with yet another cyber-attack that exposed all of the data types you outlined in Part 1 of the project. You found that the incident started with a phishing email that a contractor from your medical payment system provider clicked on. Discuss the steps necessary to contain, eradicate, and recover from this incident.
Draft an example breach notification letter that will be sent to affected patients about the incident.
Part 6: Implementing fundamental security protection measures (Five pages | 70 points)
Explain the core guiding principles of security.
Using the NIST CSF, make a recommendation for a control that would be valuable for the hospital to implement for each of the five components. For each control you select, explain the ways that failing to implement the control could impact confidentiality, integrity, and/or availability.