Showing posts with label MH685. Show all posts

MH685 Healthcare Security - Stand Alone Project - making recommendations for securing a healthcare entity

Stand Alone project

MH685 Healthcare Security

Overview: Making recommendations for securing a healthcare entity

You work in a large hospital that's based in the US. The hospital has supported more than 40 million patients. The healthcare system offers specialized treatment that attracts patients from around the world, including many patients from Europe. Last year, the company experienced a cybersecurity breach that exposed all patient records. A careless employee clicked on a link within an email with the subject line "Your New Patient Diagnosis" that led to an imposter hospital employee website. The employee logged in with a username and password. Over the next few months, unknown to the employee and the company, external parties were able to log into the user's account and carry out various unauthorized activities. A loophole in the access process allows employees to create new administrator accounts that have the highest level of access to all systems in the hospital. The attacker was able to use this loophole to create an administrator account. The breach was discovered six months later when a security researcher found the hospital's entire database of patient data for sale on the dark web. The entity was required to notify all affected patients; however, news outlets learned of the incident and published the story before notifications were sent. News outlets around the world picked up the story as it went viral, startling investors and causing the company's stock to plummet. Lawsuits also began to accumulate as patients reported that their identities had been stolen. The healthcare system was criticized in the media for taking six months to discover the breach, and even longer to notify patients.

You've been tasked with improving the cybersecurity program plan to help a hospital prevent another breach in the future.

Project Tasks:

Part 1: Understanding your environment (Two pages | 30 points)

  • Discuss the five key participating groups relevant to healthcare delivery and describe the kinds of data they may interact with, collect, and provide to your hospital.
  • Identify five electronic health records or data components relevant in hospital environments and document them in a data classification table. Discuss whether the information is confidential, for internal company use only, or open to the public. Explain why hackers might want to steal this information.
  • Identify five examples of technology systems or devices relevant to hospital environments. Discuss security and legal issues associated with each.

Part 2: Outlining regulatory and governance requirements (Five pages | 70 points)

  • Outline the regulations that are relevant to the hospital. Summarize the purpose and core requirements of each regulation.
  • Identify the information security policies that should be created and adopted by the company. Discuss why the policies are necessary and who should adhere to them.
  • Create an official end-user agreement and an incident reporting policy for the hospital. Example templates can be found here: https://www.sans.org/security-resources/policies/general#acceptable-use-policy.

Part 3: Analyzing threats and managing risks (Three pages | 50 points)

  • The hospital was breached in the past, as summarized in the overview. Discuss the threat, vulnerabilities, and impacts present throughout the case study. Use the information you've outlined to create a new risk-based decision tree. Chapter 4 in the textbook provides an example. Based on the ISO 27000 family of standards, recommend an approach to addressing the risks in the decision tree, and provide justification for your response.
  • Think of five different third-party providers that the hospital may work with. Discuss the risks that third parties can introduce to the business. Summarize security considerations and security control recommendations for granting third parties access to hospital resources. Outline additional tools that can be used to manage third-party risk.

Part 4: Raising security awareness (Two pages | 30 points)

  • Share five recommendations for ways to increase cybersecurity knowledge and awareness in the company. Explain why it's necessary to implement this. Create an example awareness poster that educates stakeholders on the risks of ransomware attacks against hospitals.

Part 5: Responding to cyber incidents (Three pages | 50 points)

  • You've been made aware that the hospital was hit with yet another cyber-attack that exposed all of the data types you outlined in Part 1 of the project. You found that the incident started with a phishing email that a contractor from your medical payment system provider clicked on. Discuss the steps necessary to contain, eradicate, and recover from this incident.
  • Draft an example breach notification letter that will be sent to affected patients about the incident.

Part 6: Implementing fundamental security protection measures (Five pages | 70 points)

  • Explain the core guiding principles of security.
  • Using the NIST CSF, make a recommendation for a control that would be valuable for the hospital to implement for each of the five components. For each control you select, explain the ways that failing to implement the control could impact confidentiality, integrity, and/or availability.

MH685 Discussion 6-2

Discussion 6-2

Explain each phase of the CSF. Discuss technology that can help companies detect cyber-attacks.

MH685 Discussion 6-1

Discussion 6-1

What is the HCISPP? Discuss the certification's benefits and certification requirements. Discuss how the certification is different from the CISSP.

MH685 Discussion 4-2

Discussion 4-2

Summarize patient rights in healthcare and the role of a privacy officer in upholding patient privacy and security.

MH685 Discussion 4-1

Discussion Question 4-1

Analyze breach notification requirements. Discuss when breach notification is required, how required actions can vary by location, and how organizations can use technology controls to avoid breaches and the subsequent notifications.

MH685 Discussion 3-2

Discussion Question 3-2

Find an article on a breach that was caused by a connection with a third party. Recap the incident, discuss the risks of third parties to hospitals, and share recommendations for managing risks.

MH685 Discussion 2-2

A security gap has been found in your hospital environment. After an impact assessment, you've concluded that the probability that the risk will occur is very high, and the impact could result in a financial loss of $50,000-$100,000 depending on how much data is compromised as a result of the gap. The cheapest solution that will fix the issue costs $250,000. Based on ISO's six options for addressing risk (Avoid, Accept, Retain, Remove, Change, and Share), what actions would you recommend?

Discuss why you recommend each option.

MH685 Discussion 2-1

Discussion Question 2-1

Explore the consequences of failing to comply with healthcare regulations such as HIPAA and HITECH.

MH685 Discussion 1-2

Discussion Question 1-2

Discuss the types of data used in healthcare environments and why attackers may want to steal this information. Discuss the risks associated with third parties who have access to the data as well.

MH685 Discussion 1-1

MH685 Health Care Security

Discussion Question 1-1

Discuss the types of technology used in hospital environments and the security threats that apply to those devices.

MH685 Activity 4 Ransomware Activity

Activity 4: Ransomware Activity (100 Points)

(A two-page response is required.)

Review the assigned readings and conduct additional research online. Answer the following questions:

What's ransomware? How does ransomware impact core security components (confidentiality, integrity, and availability)? How can hospitals prevent ransomware attacks? How can hospitals recover from ransomware attacks?

MH685 Activity 3 Cyber Breach Activity

Activity 3: Cyber Breach Activity (100 points)

This activity consists of two parts. (100 points) (A two-page response is required for the combination of Parts A and B.)

You work in a healthcare technology company that provides software technology to 100 hospitals throughout the United States. As a result, your software stores patient data for about 10 million patients across all of your customers. To better protect data, you're working on a project to deploy encryption technology across all locations so that all customer data is encrypted.

The data is segmented and stored in the following ways:

  • Five million patient data records in Location A
  • Two million patient data records in Location B
  • Three million patient data records in Location C

The encryption project is about 30 percent complete, with Location C being the first to achieve full encryption. Data in this location, even if breached, can't be viewed or understood by unauthorized individuals. Today, you learned that a breach happened on your network, and hackers were able to gain access to all three locations.

Part A: Discuss the purpose of patient breach notifications and whether patient breach notification is required in this case. If so, how many notifications need to go out, and within what timeframe should they be sent? (50 points)

Resources:

Part B: Select one of the latest breaches reported to HHS at the following link, and draft a breach notification letter to send to those affected. (50 points)

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

MH685 Activity 2 HIPAA Activity

Activity 2: HIPAA Activity

A two-page response is required.

A new patient from Ireland has filled out all of the personal information and medical history forms that Hospital X requires to begin treatment. The Hospital C admin uploads all the information into a healthcare data management system managed by Vendor Y in the cloud.

Based on this scenario, identify who is the data subject, the data controller, and the data processors. Explain your reasoning in making these designations. Specify which parties are required to comply with HIPAA and which additional regulations they may need to comply with as well.

MH685 Activity 1 Classification Activity

Activity 1: Classification Activity (100 points)

This activity consists of two parts. (100 points) (A two-page response is required for the combination of Parts A and B.)

Cybersecurity starts with understanding what assets are essential to protect. Healthcare organizations should have a classification system based on the value of the information. It's important to note that this type of data classification differs from that of computer programming, which is also called classification, but relates more to labeling the data to differentiate it into classes and sets. In cybersecurity, data classification is required to apply a value relative to how sensitive and critical the information is, as defined by the organization. This value will determine what level of information protection controls will be applied to information collected, maintained, retained, used, and disposed of when no longer needed.

Perform a data classification analysis on the list of healthcare data points below and determine how each should be classified. Explain your thought process and reasoning for each decision. Use the categories Confidential, Internal Company Use Only, or Open to Public.

Part A: Define and describe each of the three categories in your own terms. Research information, security data, and classification systems and definitions online. (25 points)

Part B: Label each of the data points below with the appropriate category and explain your reasoning. (75 points)

  1. Patient name, address, and social security number
  2. A hospital blog website with patient health tips
  3. Patient medical history such as medicine and allergy lists
  4. Patient laboratory test results
  5. Doctor name, address, and employee ID number
  6. Patient radiology images (X-ray, MRIs, and so on) and clinical photographs (endoscopy, laparoscopy, and so on)
  7. A newsletter for all hospital staff
  8. Nurse shift schedule for the month
  9. A page on the hospital website that describes how patient data is protected
  10. Prescribed and administered medications for patients
  11. A summary report of a new clinical trial, soon to be published in the public news

MH685 Discussion 5-2

Discussion 5-2

Summarize the concepts of confidentiality, availability, and integrity. Discuss, in the context of ePHI, how damage to each element could negatively impact a healthcare organization.

MH685 Discussion 5-1

Discussion 5-1

Look up ransomware attacks against a healthcare entity in the last few years. Discuss how ransomware attacks can impact patient health and safety.

MH685 Discussion 3-1

Discussion Question 3-1

Research and discover a new risk applicable to healthcare that isn't mentioned in the prediction from 2015 (see required readings).

Tip: Think about how technology has evolved over the last few years (for example, SaaS growth).