IT313 Risk Analysis and Mitigation Plans

School: Southern New Hampshire University
Course: 313
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 7
Uploaded by msheba08
Running Head: RISK ANALYSIS AND MITIGATION PLANS 1

IT 313 Project Two
Bathsheba Myers
Southern New Hampshire University
Risk Analysis and Mitigation Plans
October 15, 2023
Introduction

Any business, and Health Network, Inc. in particular, that aims to detect, evaluate, and reduce potential dangers to its processes, information security, and general viability must mitigate risk. A risk is any occurrence or situation that might affect a company's goals, either positively or negatively. Health Network, a well-known healthcare company with nearly 700 staff members and $500 million in yearly earnings, is headquartered in Tampa, Florida, and maintains locations in Seattle, Washington, and Arlington, Virginia. The company's primary services, HNetPay, HNetExchange, and HNetConnect, are essential to delivering medical care. In the setting of Health Network, a threat can appear as any circumstance or element that could impair its medical services, jeopardize the integrity of its information, or harm its image in the marketplace. Proactively identifying these possible dangers and creating countermeasures is essential for efficient risk reduction. This risk control plan outlines the underlying concepts and significance of risk management for the company and addresses particular internal and external problems.

Importance and purpose

For many essential stakeholders inside the company, the risk management strategy for Health Network fulfills a vital function and is of utmost significance. This risk mitigation aims to recognize, track, evaluate, minimize, and avoid hazards to consumers. It entails an intricate web of medical and managerial processes, structures, operations, and analysis frameworks (McGowan et al., 2023). Its purpose is to offer a systematic structure for locating flaws and putting protective measures in place. Several important constituents across Health Network set a high priority on the risk mitigation plan.
The highest-ranking executives and the company's leadership must guarantee the confidentiality of data, the reliability of personally identifiable information, and the privacy of medical information. Directors can safeguard the confidence of their workforce by reducing the risks connected with information theft and failure to comply with regulations (Pascarella et al., 2021). The strategy strongly emphasizes promoting the physical security of Health Network's employees, resolving issues with working conditions, and creating a safe workplace. Furthermore, it promotes an atmosphere of preparedness and readiness, allowing staff members to spot and report potential hazards quickly. The plan also supports the strategy for ensuring business resilience amid possible disruptions brought on by different hazards. The corporation's revenue sources and supply of services, essential to its success, are preserved through this continued operation. This comprehensive plan essentially serves as a cornerstone for Health Network, Inc., allowing it to safeguard the objectives of all of its constituents and carry out its primary goal of providing critical medical treatments efficiently and reliably.

Closely related to its importance is the scope of the plan. This risk mitigation scheme is intended to cover all aspects of Health Network, Inc.'s activities, particularly the protection of vital resources, information, and capabilities. To make the plan's scope and restrictions clear, it is crucial to define its limits. It deals with data security and covers data kept in the organization's computer networks and research centers, particularly protecting monetary records and personal health information (PHI). It also includes physical security, which includes safeguards for workplaces, comprising buildings and offices, to guarantee the safety of staff members and guests and preserve corporate property. Additionally, it comprises disaster recovery strategies intended to keep crucial corporate processes running through disturbances, avoiding lengthy service outages. The plan also considers regulatory compliance, which includes evaluating and adapting to ever-shifting healthcare legislation. This ensures that the company keeps up with increasing regulatory and financial needs. The plan also covers the detection and reduction of hazards from both inside and outside the organization.

Risks

Every company's mission inevitably involves risk, and Health Network, Inc. is no different. Recognizing, evaluating, and minimizing potential internal and external threats that can impair activities and jeopardize the company's fundamental principles is crucial in risk mitigation. In its most basic form, a risk is the uncertainty that surrounds any situation or event and has a chance to have an influence, either positively or negatively.

Internal Threats

Health Network, Inc. is very concerned about internal dangers. These risks emanate from inside the company and cover a range of issues that, if not addressed, could jeopardize information security and continuous operations. The first internal danger is inappropriate equipment decommissioning. It entails the inappropriate disposal of gear, especially servers, which might lead to corruption of data and the release of classified data. The devices can land in the hands of individuals with malicious intentions, which means that information and data inside such assets are at risk of manipulation. Theft of company-owned property, including mobile devices and computers, is the second type of vulnerability.
Protected personally identifiable information and other confidential information are at risk from potential damage or exploitation of these resources. With the rise of cybercrime, data that is not stored in the correct format and place is at high risk of landing in unsafe hands, where further manipulation to steal insights can be performed without the organization's consent. Insider threat is a common risk in healthcare settings; it originates from risks and threats caused by the healthcare organization's own employees and workers. Human errors during data entry can expose sensitive information to outsiders. The lack of education and training on current security threats and incidents results in the regular installation of malware and ransomware through phishing or unscanned media devices, which might corrupt the organization's data in its data centers and servers.

External Threats

The risks and threats that originate from outside the organization are referred to as external threats, and just like internal threats, external threats are capable of hindering operational continuity and the success of the organization's objectives. The main external threat is cybersecurity and internet threats. With increased technological innovation and application in different areas, there is an increased rate of cyber-attacks, which mainly target the organization's data and data centers, and their impacts span from data breaches to the interruption of organization operations. This commonly changes the regular operation of the organization's setup and workflow to follow a new pattern defined by the attackers. Malware infiltrates the company's networks while hacking tactics allow for illegal penetration and information theft. The presence of unauthorized access to the organization's data center means it is impossible to keep a log of the events happening in the system; hence, data theft, breaches, and illegal manipulation will remain untraced. Phishing attempts to trick workers into providing additional information by clicking links or following specific instructions, which may result in data breaches, and Distributed Denial of Service attempts interfere with internet systems. The safety of medical information and proprietary knowledge is put at risk by data surveillance, injection attacks, and information theft. At the same time, phishing and social engineering tools take advantage of human weaknesses.

Safety

For Health Network, Inc., the risk presented by regulatory changes is a recurring external danger. This threat has its roots in the constantly changing healthcare regulatory environment, which has the potential to significantly influence the business's operations, compliance initiatives, and legal duties. The basis for the behavior of the organization is provided by healthcare rules, which are dynamic and necessitate a prompt and precise reaction as they change. Ineffective adaptation can lead to organizational setbacks, compliance difficulties, and possibly legal ramifications. Additionally, specific complications in local healthcare rules and legal constraints show the complicated nature of regulatory requirements and safety standards.

Business Impact Analysis

Health Network Inc. will have to regularly conduct a comprehensive business impact analysis (BIA) to identify how the risks will likely affect the business's ability to offer services and generate revenue. The BIA must first address the financial impact of the risk. The financial impact is one of the critical parts of the business impact analysis, since it concerns the business's financial performance and threatens business continuity. Events like data breaches and Distributed Denial of Service (DDoS) attacks disrupt an organization's business operations. System unavailability or downtime in critical services can reduce revenue, as healthcare providers and customers rely on uninterrupted access to essential systems. Furthermore, data breaches can result in legal fines, as in the case of compensation claims and costs associated with regulatory compliance. The best example of how such events can affect a business negatively is the case of Equifax. Equifax paid a fine of $700 million to relevant authorities in the USA and UK. The company also paid 25 million to settle multiple compensation and legal requirements caused by a data breach. Other companies that have paid millions of dollars in penalties include Didi Global, $1.2 billion; Facebook, $725 million; and Amazon, $886 million. From these figures, it is expensive for a company to incur penalties and data breach fines. Such penalties threaten business continuity and are likely to affect the ability of the business to maintain its operations (Statista, n.d.). The organization must be prepared to address the financial consequences arising from these risks.
The BIA delves into the operational impacts that Health Network may face in the wake of risky events. Service disruptions have financial ramifications and can affect the organization's ability to deliver services effectively. Google Inc. is one of the largest providers of Internet services and microservices used by multiple businesses across every sector of the economy. In 2017, Google and its affiliate company Alphabet suffered one of the largest DDoS attacks. There was a significant disruption of services globally where people could not access websites and systems hosted by Google (Abhishta et al., 2019). Critical services like transport were widely affected since they operated on the Google Maps API, which was unavailable. Service delivery relies on robust business processes and the satisfaction of customers, including hospitals and clinics. Disruptions can lead to delays in medical services, which could impact patient care and damage the organization's reputation. Identifying the operational consequences of these risks is essential for maintaining service continuity and the smooth functioning of business processes. Other examples of DDoS attacks affecting organizations' delivery of services include the 2018 GitHub DDoS attack. This is still the most significant DDoS attack GitHub has experienced. At its peak, the attack hit 1.3 Tbs, sending data packets at a rate of 126.9 million per second. Such a data stream was powerful enough to affect some of its services, like authentication, as well as other companies' services. Luckily, GitHub had a sound system that could trigger alerts, thus helping the security team mitigate the attack before GitHub services were affected.

The impact of risky events extends to the reputation of Health Network. Data breaches, security incidents, and compromised data security can tarnish the organization's image and erode trust among patients and partners.
Huge companies like Equifax suffered in both resources and reputation. The company had many prospects due to its vast portfolio. However, the attack affected the trust the public had placed in it. In an industry where patient confidentiality and trust are paramount, reputation damage can have long-lasting and severe consequences (Seh et al., 2020). The BIA assesses the potential damage to the company's reputation and other subsequent effects like legal action and penalties; thus, the institution needs to conduct regular business impact analysis to avoid all these cases.

Mitigation Strategies

The hospital must protect all its digital infrastructure, equipment, and devices. Health Network must implement multiple security measures like encryption and remote wipe capabilities and integrate diverse access controls that give users at every level access only to the minimum data necessary. These measures not only protect the confidentiality of patient information but also provide the means to secure data in the event of device loss or theft.

Establishing data backup and recovery plans is a core component of the risk mitigation strategy. One of the best ways to implement data recovery is to create automated data backups, preferably to third-party cloud systems like AWS, GCP, or Azure. Such plans are essential to address the risk of data loss due to corrupted production data or data center outages. The backup must also include a system backup that allows the hospital to activate a similar backup system when one is attacked, so that the hospital's business operations are unaffected.
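The "minimum data necessary" access control described above, together with the earlier point that unlogged access leaves data theft untraced, can be made concrete in code. The following is an added example written for this edit, not code from the paper or from Health Network, Inc.: a small role-based policy that releases only the record fields a role may see, denies unknown roles by default, and writes an audit event for every request, including the fields that were withheld. The roles, field names, user names and the sample patient record are all constructed for illustration.

```python
"""Minimum-necessary access control for patient records with an audit trail.

Added example (not from the paper): a small policy engine that releases only
the record fields a role is allowed to read and records every access decision.
All roles, field names, user names and the sample record are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Constructed role policy: each role maps to the set of record fields it may read.
# No role is granted everything; a billing clerk never sees a diagnosis, etc.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "physician":     frozenset({"patient_id", "name", "dob", "diagnosis", "medications"}),
    "nurse":         frozenset({"patient_id", "name", "medications"}),
    "billing_clerk": frozenset({"patient_id", "name", "insurance_id"}),
    "receptionist":  frozenset({"patient_id", "name", "dob"}),
}


@dataclass
class AuditEvent:
    """One logged access decision; 'denied' lists requested fields that were withheld."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    requested: List[str]
    released: List[str]
    denied: List[str]


@dataclass
class RecordStore:
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str, fields: List[str]) -> Dict[str, str]:
        """Return only the requested fields the role is permitted to see.

        Unknown roles get an empty allow-set (deny by default). Every call is
        logged, including what was denied, so reviewers can spot over-reach.
        """
        allowed = ROLE_FIELDS.get(role, frozenset())
        record = self.records.get(patient_id)
        if record is None:
            raise KeyError(f"no record for {patient_id}")
        released = {f: record[f] for f in fields if f in allowed and f in record}
        denied = [f for f in fields if f not in released]
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            requested=list(fields), released=sorted(released), denied=denied,
        ))
        return released

    def denied_accesses(self) -> List[AuditEvent]:
        """Audit query: every event in which at least one field was withheld."""
        return [e for e in self.audit_log if e.denied]


# Constructed sample data (not a real patient).
SAMPLE_RECORDS = {
    "P-1001": {"patient_id": "P-1001", "name": "A. Example", "dob": "1980-01-01",
               "diagnosis": "example-dx", "medications": "example-rx",
               "insurance_id": "INS-42"},
}


def demo() -> Dict[str, Dict[str, str]]:
    """Run three constructed requests and return what each caller received."""
    store = RecordStore(records=dict(SAMPLE_RECORDS))
    out = {}
    # A billing clerk asks for more than the role permits: diagnosis is withheld.
    out["clerk"] = store.read("clerk01", "billing_clerk", "P-1001",
                              ["name", "insurance_id", "diagnosis"])
    # A nurse stays inside the role's allow-set: nothing is denied.
    out["nurse"] = store.read("nurse07", "nurse", "P-1001", ["name", "medications"])
    # An unknown role gets nothing, and the attempt is still logged.
    out["unknown"] = store.read("ext99", "contractor", "P-1001", ["name"])
    return out


if __name__ == "__main__":
    for who, data in demo().items():
        print(who, data)
```

The policy is deny-by-default and field-level rather than record-level, which is what "minimum data necessary" requires in practice: the same record yields a different view per role. The audit log records denied fields as well as released ones, so a reviewer can distinguish a clerk who routinely requests diagnoses from one who stays within the role.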
In the current cyber-security landscape, the business needs to implement diverse cyber-security solutions to help manage ever-changing attacks. The solutions must include traditional solutions such as firewalls and intrusion detection systems as well as contemporary solutions like AI-powered Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Simultaneously, ongoing employee training equips the workforce to recognize and respond to potential security threats effectively. A well-informed and proactive employee base is a critical defense against many cybersecurity challenges.

Conclusion

In conclusion, this comprehensive risk management plan is a critical tool, empowering Health Network, Inc. to address and mitigate risks proactively. These multifaceted mitigation strategies serve as the organization's shield, protecting it against diverse internal and external risks and ensuring the uninterrupted delivery of essential healthcare services. The institution must address the risks using new and traditional cybersecurity solutions to help protect the system effectively.
References

Abhishta, A., Joosten, R., Dragomiretskiy, S., & Nieuwenhuis, L. J. (2019, February). Impact of successful DDoS attacks on a major crypto-currency exchange. In 2019 27th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP) (pp. 379-384). IEEE.

McGowan, J., Wojahn, A., & Nicolini, J. R. (2023). Risk management event evaluation and responsibilities. PubMed; StatPearls Publishing. https://www.ncbi.nlm.nih.gov/books/NBK559326/

Pascarella, G., Rossi, M., Montella, E., Capasso, A., De Feo, G., Botti, G., Nardone, A., Montuori, P., Triassi, M., D'Auria, S., & Morabito, A. (2021). Risk Analysis in Healthcare Organizations: Methodological Framework and Critical Variables. Risk Management and Healthcare Policy, 14, 2897–2911. https://doi.org/10.2147/rmhp.s309098

Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A. K., Agrawal, A., Kumar, R., & Khan, R. A. (2020). Healthcare Data Breaches: Insights and Implications. Healthcare (Basel, Switzerland), 8(2), 133. https://doi.org/10.3390/healthcare8020133

Statista. (n.d.). Worldwide data breach fines & settlements 2021. Statista. https://www.statista.com/statistics/1170520/worldwide-data-breach-fines-settlements/