Situation:
Your team represents the IT leadership of a large healthcare organization that is preparing to purchase a smaller hospital group consisting of:
2 Metro hospitals (1 is a learning hospital, which means students are in scope)
3 Rural hospitals
2 Shared data centers (located within 5 miles of each other)
25 Physician practices
1 Lab
1 Coordinated business office
Your objective is to evaluate the sites prior to purchase from a risk and compliance standpoint, with a focus on access controls at both the logical and physical standpoint. Part of the agreement allows for your organization to thoroughly test the systems, which includes:
1 Electronic medical record (EMR) system
2 Mobile applications (1 has the ability to accept credit card payments)
5 External websites (1 has the ability to accept credit card payments)
3 Cloud based systems (1 Infrastructure as a service, 2 Software as a service)
Internet connectivity is not shared between the physician practices and main hospital locations
75 Patient care applications (25 developed internally)
500 Patient care devices
See individual assignments for deliverables (1 – 8)
Consolidate all project sections into one document, each team member will submit the same document individually.
- Team Details
- Document your roles in the organization (e.g., CIO, CISO, Architect, etc.) (each team member)
- Develop job descriptions for each role, include a salary range
2. Information Security Policy
- Select a best practice framework, review the control family recommendations and document a policy for the existing organization with the expectation that the new sites will follow the policy. Note: Still follow APA for this assignment, which may not be appropriate in an organization.
3. Testing Methodology Policy and Procedure
- Research and document preferred testing methodologies for:
EMR, Mobile Apps, Patient Care devices, External websites, SDLC (hint: vulnerability scanning, penetration testing, medical device scanning, static code analysis, dynamic code analysis, etc.). (each team member) - Research and document preferred remediation cycles for the in scope systems (hint: HIPAA, PCI, FERPA)
- Research and document preferred reporting cycles / methods for the in scope systems (hint: vulnerability metrics, such as CVSS, NVD). Note: Still follow APA for this assignment, which may not be appropriate in an organization.
4. Network Diagram
- Develop a proposed network diagram for after the purchase to aid in security and administration (reference required security controls in your policy) (You can use PowerPoint if you dont have Vizio or another option).
5. Physical Security Assessment Procedure
- Develop a physical security assessment plan for the new entity (reference this in your policy). Note: This can be a checklist.
6. Project Plan
- Include timelines, expected level of efforts, RACI model, remediation expectations (if you decide to also use third party resources, youll need to estimate those costs since you have already created your own hourly rate).
7. Risk Acceptance / Risk Tolerance Procedure
- Develop a method for leadership to receive risk details and determine appropriate risk actions.
8. Final Presentation
- Summarize items 1 7 to present to the class
