Project 2
Southern New Hampshire University, Course 313 (Information Systems)
Feb 20, 2024
Introduction:
The Health Network Inc. is a health organization that offers a variety of services to its clients, including HnetExchange (a service for handling secure electronic medical messages), HNetPay (a service for handling secure payments and other interactions with banking organizations), and HNetConnect (a service for providing a list of healthcare providers and medical facilities online).
Importance:
This risk management plan is in place to help Health Network Inc. identify potential threats, assess their severity, and develop strategies to eliminate or reduce them, so that the company can continue to deliver quality healthcare to its customers in a safe and trustworthy environment. Thanks to the plan, Health Network Inc. is better prepared to deal with problems that may arise, and it can examine its operating procedures and spot weaknesses. With each new revision, the plan becomes more effective at reducing potential threats and brings the organization's procedures closer to industry benchmarks. Proper risk management is essential for any business, and it must cover all types of risk. Patients, vendors, facilities, and providers are among Health Network Inc.'s most crucial stakeholders, and because of the nature of the data handled in the system, all of them are affected by the risk management strategy. Without a comprehensive strategy, these parties are exposed to disruptions in Health Network, Inc.'s activities: patients' medical records could be stolen, payments to vendors could be withheld, and essential information on doctors and hospitals could be lost. Failure to adequately manage the risks of operating Health Network, Inc. could also lead to non-compliance with applicable healthcare information technology laws and regulations, which could lead to the company's ultimate downfall.
Scope:
The plan is geared towards mitigating the risks and threats uncovered in the initial risk analysis. Carried out correctly, it will help safeguard against data loss caused by unplanned server shutdowns; protect health information against the loss that could occur if company-owned equipment, such as mobile phones or computers, were lost or stolen; prevent corruption of production data, and the resulting data loss, in the event of a system failure; protect users from online threats such as hackers and spammers; protect against social engineering, malware, and spyware installed from within; and prevent shifts in the business regime from affecting operations. The business will accomplish these goals by inspecting its network infrastructure to determine whether it has sufficient security controls in place, such as preventive controls that reduce the likelihood of harm to specific assets. Physical controls like alarm systems, technical controls like firewalls and IPSs, and administrative controls like role segregation, data classification, and auditing are all considered throughout the assessment. Assessing the effectiveness of the organization's detective controls, which are in place to help it detect the presence of potential risks, is another important part of the evaluation.
Risk:
The following are some common risks related to the business:
Potentially disruptive shifts in the regulatory environment (Low)
Internal attacks from social engineering, malware/spyware installations, and other methods (Low-Med)
Risk of data loss because of improperly decommissioned hardware (Low-Med)
Data loss because data becomes corrupted as a result of a system failure (Med-High)
Cybercriminals pose a significant risk to online users (High)
The risk of personal and health information being compromised because of loss or theft of company equipment (High)
The company must safeguard all clients' personal information. It gathers sensitive data such as names, addresses, email addresses, social security numbers, and financial information. Another key aspect of the business is its extensive and intricate network infrastructure: some of its data centers must be situated in different countries for the company to be successful, and third parties manage the production systems. These factors collectively increase the severity of the dangers faced.
If the network is not properly protected, it could be subject to both internal and external attacks. To compromise the company's most important digital assets, malicious actors may, for example, use deceptive tactics to get employees (especially those who are unaware of the attackers' true motives) to reveal private information. Insider attacks are another threat to the systems' security, occurring when malicious users gain access to sensitive data and leak it to the public. In addition, the organization runs the risk of having valuable items like laptops stolen, because not everyone can be trusted, and some of its private information could be taken or made public if this occurs. When a company outsources the management of some of its systems, it opens itself up to security risks when it comes to disclosing critical information. If a network infrastructure is
poorly defended, an attacker can easily attack it from the outside by performing man-in-the-middle attacks, inserting malicious code into the system, using social engineering, or taking any other action that jeopardizes the security, integrity, and availability of the data maintained in the systems. All of these dangers are ones that the strategy hopes to mitigate.
Safety:
All Health Network services are highly available because of the company's three operational data centers. About a thousand production servers are housed in those data centers, and the organization maintains 650 employee laptops and mobile devices. The above-mentioned threats to the servers can be mitigated by employing physical security mechanisms that reveal intrusion attempts: biometric access controls, security cameras, fire detection systems, and other measures that directly help protect and maintain the safety of the data centers. When a system reaches the end of its useful lifecycle, decommissioning and disposal are normal operating procedures in the IT business, but the process should be carried out in accordance with established company policy. Mobile devices such as phones and laptops can go missing, be stolen, or be exploited, exposing important information; reporting missing or stolen items to IT Asset Management and the SOC gets the process of finding and replacing them started, so staff and suppliers must be informed of the formal reporting policy. Power spikes, surges, and outages can all cause problems for the system, and generators and backup generators can avert such disruptions. Hackers posing a threat from within need to be contained. Because PHI does not change over time, it is a prime target for identity thieves, who can commit several frauds using the same data. If Health Network, Inc. is to avoid being hacked, cyber security must be given top priority; an infiltration could lead to further social engineering if the intruders obtain access to sensitive data or infrastructure. Constant monitoring of the regulatory environment is essential, as is the timely application of any necessary revisions. In addition, the company should consider instituting security policies and processes to prevent employees from misusing or sharing company-issued devices, which would protect against vulnerabilities caused by user error or other factors that give attackers an opening into the system. The rules should include provisions that prevent employees from taking work-issued electronics home with them. Although the company may have a BYOD policy, employees should not be allowed to install personal applications on company-issued devices. Adopting such measures would reduce the likelihood that the indicated risks will materialize.
Business Impact:
The business generates most of its revenue through HnetExchange, so Health Network Inc. will be severely impacted by any threat to this service; potentially, the company will shut down. There is a risk of losing patients' protected health information, which would mean that medical messages sent through the service are not secure. This would interfere with the functioning of the facilities and with communications with suppliers. Payments and bills are both safe and easy through the HNetPay website; if this service is compromised, patients' credit card information will be in danger, which may put Health Network Inc. in violation of PCI-DSS standards. This could lead to a complete halt of Health Network Inc.'s financial operations and a catastrophic loss of capital. HNetConnect is a database that lists doctors' offices and hospitals so that patients can easily find them online, and threats to it might jeopardize data shared between patients, doctors, and hospitals. Because HNetConnect and HNetPay are integrated into a single system, a compromise of HNetConnect would also affect the security of patients' payment card information, and Health Network Inc. may again be in violation of PCI-DSS standards. The data centers house, and have capacity for, around 1,000 production servers. If a data center is compromised, the entire system will be down and all services will be interrupted, which would be disastrous for Health Network Inc. A total of 650 laptops and mobile phones are provided to Health Network staff, all of them maintained by the organization; Health Network data could be lost if these resources are compromised. The business would still be harmed in that case, though to a lesser extent than by the factors discussed above. System disruptions endanger the availability of the Health Network, and Health Network Inc.'s activities would suffer greatly because of them. Each risk is rated on a scale from low to high.
Mitigation:
It is very important that the company's decommissioning protocol be followed to ensure the safe destruction of any data that may remain on obsolete computer systems. Prior to this procedure, all records must be deleted, and all systems must be removed from the Health Network Inc. environment. Every asset owned by the company must be encrypted using BitLocker to reduce the danger of assets and information being stolen. To guarantee the integrity of data transmitted between nodes, the HNetExchange, HNetPay, and HNetConnect networks should use encryption protocols. If an attacker were to successfully intercept data traveling over a network, they would be unable to use the information, because decrypting it would require the key pair. This prevents unauthorized individuals from accessing the asset. Data centers must be safeguarded by ensuring that only authorized persons are permitted access to the interior portions of the facility that house the servers. To this end, the organization must make certain that there is an adequate level of physical control. For example, biometric technology should be
utilized at the entrance points to identify authorized workers, and CCTV and sensors should be installed in all data centers. It is imperative that the company implement preemptive security measures to lessen the likelihood of impactful breaches. There is no greater danger to data security than the Internet. Network security hazards can be greatly reduced through measures like properly configuring a firewall. To ensure that any and all attempted attacks are identified and stopped immediately, additional security controls, such as intrusion detection and prevention systems, must be implemented on the network. The use of virtual private networks (VPNs), anti-ARP-spoofing software, and HTTPS are just a few of the best practices that should be adopted. User education also helps in spotting potential insider threats before they become serious incidents: users can be protected from social engineering attacks by receiving bi-annual training on the risks they face. Finally, Health Network, Inc. must constantly evaluate the regulatory environment and adjust its compliance procedures accordingly.