Who are the cyber security stakeholders in this who -why-when and how


High Mountain Orthodontics and Cosmetic Dentistry
Organization Overview

7439 Center Ave, Meridian CA 53464
1-800-555-1212
www.yourbeautifulsmile.com

High Mountain Orthodontics and Cosmetic Dentistry (HMOCD) has been in business for ten years. It is a privately held dental service where the five dentists and two orthodontists have mutual business shares. The two most recently hired dentists, Dr. Smith and Dr. Jones, specialize in cosmetic dentistry.

Dr. Smith and Dr. Jones have convinced the other owners of the business there is an opportunity to rapidly grow the business gross by 25% by heavily investing in new and costly cosmetic dentistry equipment, expanding the website, adding specialty cosmetic devices that attach to the network, and a photo area for before and after pictures of patients and their beautiful new teeth.

Vernon Vance, a recently graduated college student with excellent development and programming skills, has been hired to expand the website and integrate a mobile application.

A cosmetic dentistry sales team has been built over the last six months.

HMOCD has a digital-first strategy, and patients can log in to view their accounts from the website and the mobile application. There is a feature in the mobile app where patients can view options for new teeth and view before and after predicted results for both veneers and teeth whitening. Patients can also book appointments and opt in for mobile reminders for upcoming appointments.

There is a total of 50 employees:
o Five dentists
o Two orthodontists
o Six X-ray technicians
o Five receptionists
o One office manager, Tammy Thompson
o Ten dental hygienists
o Five dental assistants
o Two dental technicians
o 10 salespeople who find clients for the teeth whitening and cosmetic dental surgery
o 3 IT people (1 developer who is responsible for changes to the website, new integrations, mobile application)
o One security person - Bob Bean, HMOCD Cybersecurity

The gross revenue for High Mountain Orthodontics and Cosmetic Dentistry (HMOCD) is $6,216,370. The operating expense for the business is $4,424,330.0.

Sales of teeth care products is another area of active growth. The products are sold in the office or can be purchased from the website. The products include teeth whitening, fresh breath, special floss, toothbrushes, and teeth-safe gum.

Cosmetic dentistry is the most profitable part of the business, although the primary revenue is still the standard dentistry and orthodontics services. The OpenDental application is critical to support the business since it manages all the patient information. The office VOIP phones are also critical to the business since they are still the primary method used by patients to communicate with the office.

Payment options for clients are cash, credit card, or check. Credit cards can be used in the office, on the website, and through the mobile application. They use a credit card processing service for all credit card transactions.

Employees

Tammy Thompson is the office manager and is responsible for all human resource related tasks, including hiring, employee reviews, pay, and employee discipline tasks. She is also the person responsible for all financial aspects of the business. Any budget requests
must be approved by her. Tammy is also responsible for all social media posts for HMOCD.

Tammy is the only person allowed to post about HMOCD on social media. Due to the sensitive nature of their business, all other employees are required to read and sign a "Do not post any information about HMOCD to personal social media accounts" agreement when they are hired.

John Jones from JJ and J Legal is not an employee of HMOCD but is on retainer to provide legal services for HMOCD and is responsible for legal and compliance counsel to the business.

The IT team consists of four people: Cale Clark, Vernon Vance, Al Smith, and Bob Bean. Al Smith is the senior IT lead, and Bob Bean is responsible for cyber security.

All employees have their own Windows PC with Office365 fully migrated to the cloud with email provided from the cloud service.

There are two wireless access points that provide wireless service for both the employees and patients. The physical wireless access points are not easily accessible by patients. There is guest wireless provided for patient use while they are in the office.

The network supports one router and one switch. There are four iPads used for patient check-in. The iPads are locked down and directly connect to a SharePoint site with a form created for member check-in. iCloud is used and has location tracking and wiping with Al Smith as the system administrator.

Employees can use their personal devices for work access, but only if they are managed through Intune.

Applications used in the office are:
o OpenDental (37 licenses)
o Salesforce (all employees)
o Office365 (all employees)
o Dropbox (all employees)
o Web and mobile development tools

There is some tension between Bob Bean and the other employees at HMOCD since many of the security changes he has promoted have caused friction for both employees and patients. Examples of recent complaints:

Patient and office staff impact due to the roll-out of a recent patch for the router Bob insisted had to be patched quickly. Bob required it patched within two days of patch availability due to a newly identified vulnerability rated a CVE 9. Because there was not enough time to effectively test compatibility, the patch caused login failures to the OpenDental application, and one day of appointments had to be rescheduled. Both the X-ray technicians and the dental technicians have been frustrated with lock screen time since they feel it slows them down when they need to log in frequently. The salespeople received a barrage of frustrated calls after a forced password change to all member portal accounts, and a patch to the SQL database locked up OpenDental and they were forced to roll the patch back. This vulnerability still exists since calls with the OpenDental support team have yet to determine why the patch is locking up the SQL database.

A person who does appreciate Bob Bean is Tammy Thompson since he was responsible for recognizing a business email compromise attack. Tammy paid an invoice to what she thought was a legitimate email invoice request for payment to one of their smaller vendors, Safe Teeth Chewing Gum Inc., but Bob and the IT team were able to recover the funds after spotting some suspicious activity on her system. Through their Incident Response investigation, they discovered the fake email and were able to work with their bank and recover the funds before they were transferred to an offshore account.

Bob Bean provides a quarterly update to the seven shared business owners, Tammy Thompson and John Jones.

The quarterly update consists of six slides:
(1) Title Slide
(2) Overview of the organization, which includes business objectives.
(3) Existing security controls aligned with the NIST Cybersecurity Framework (NIST CSF)
(4) Overview of the organization's Security Awareness Program
(5) Top Threats and Risks
    a. For the organization segment (Healthcare vertical from the Verizon data breach report)
    b. Top threats and risks specific to HMOCD
(6) Cybersecurity goals for next quarter.