ABC HEALTHCARE CASE BACKGROUND
Healthcare companies, like ABC Healthcare, that operate as for-profit entities, are facing a multitude of challenges. The regulatory environment is becoming more restrictive, viruses and worms are growing more pervasive and damaging, and ABC Healthcare’s stakeholders are demanding more flexible access to their systems.
The healthcare industry is experiencing significant regulatory pressures that
mandate prudent information security and systems management practices.
Furthermore, the continued pressure to reduce cost requires that management
focus on streamlining operations, reducing management overhead and
minimizing human intervention. The regulatory focus at ABC Healthcare is on the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX). Both pieces of legislation highlight the need for good systems administration and controls, but focus on different aspects of the business. The main focus of HIPAA is to protect personally identifiable health information while SOX is concerned with data that impacts financial reporting. Violations may be met with both civil and criminal penalties. Therefore, the company must be ever watchful of new threats to their systems, data, and business operations.
The most prevalent security related threat to on-going business operations is the
continued development and propagation of viruses and worms. Virus and worm
prevention or containment is a vital component to the overall risk mitigation
strategy. Virus and worm outbreaks have multiple cost aspects for the company
including lost patient charges due to system unavailability, lost productivity
because of recovery efforts due to infection, and potential regulatory impacts
depending on the virus or worm payload. However, the company must balance
risk with opportunities in order to serve the stakeholders and grow the business.
ABC Healthcare’s stakeholders include multiple groups that depend on or need access to clinical and/or financial systems in order to help support and grow the company. The access requirements and associated risk model varies by user group. The main access groups are internal only users (i.e. nurses, hourly employee, etc.),
internal/remote users (i.e. salaried employees, doctors, etc.), and business
partners (i.e. collection agencies, banks, etc.). Risk mitigation solutions must be
developed for each user group to help ensure that the company recognizes the
benefit that each group brings and to minimize the risk to business operations.
The high-level management goals of the network design implementation are as
• Support the business and balance security requirements without introducing significant overhead and complexity;
• Maintain and enhance security without significantly increasing management overhead or complexity;
• Implement systems that are industry supported (standards where appropriate), scalable, and fault-tolerant;
• Ensure that the design is implemented to help ensure compliance with any and all applicable regulations;
• Proper management of access control for legitimate users and malicious users is of the utmost importance for the security of the ABC Healthcare management system. The threat is not limited to outside malicious users but also legitimate users engaged in illegitimate activity.
Based on the above description you are to provide a recommendation of how you would address each of the following ABC Healthcare’s computer network security requirements. Note, whereas cost is typically an important factor, this is not a consideration for this case analysis. Therefore, you do not need to include cost estimates. Your solution should have the “right feel”, despite the lack of depth or details necessary to be accepted by upper management. Be specific in your answers. Write them as if you were writing a proposal to your boss. You do not need to include citations. Since you are developing a solution to a specific circumstance, material that is copied from an outside source will not likely fit so everything should be in your own words.
1. Describe your technical recommendation for addressing the security requirements in the overall technical design of the ABC Healthcare network. This should include both internal and external (untrusted and trusted) aspects. Untrusted would include user connectivity to the Internet. The “trusted” network has the main purpose of supporting the business functions of known entities (i.e. partners, suppliers, etc.) which have a business relationship with the company. Note that you are to concentrate on the physical and logical level, including the type of hardware and software, however you are not expected to provide specific low level details in terms of equipment suppliers or model numbers, etc. for your recommended design. (30 points)
2. Discuss the way you will address requirements for system monitoring, logging, auditing, including complying with any legal regulations. (10 points)
3. Describe how the system will identify and authenticate all the users who attempt to access ABC Healthcare information resources. (10 points)
4. Discuss how the system shall recover from attacks, failures, and accidents. (10 points)
5. Discuss how the system will address User Account Management and related security improvements. (10 points)
6. Complete the Cyber Security Action Plan template (30 points)1
Exam Fall 2013
Deadline: 11:59 PM EST Sunday, December 1, 2013 NOTE: No Exceptions
This examination is worth
of your total grade. There are
five semi open
(worth 70 points) along with an accompanying
cyber security action
(worth 30 points).
You are to answer each of the five questions and to
Cyber Security Action Plan template
based on best practices and your
understanding of the case.
Maximum length answer for each question should be limited to approximately 1200
words (3 pages double spaced) excluding diagrams, illustrations or other addendum.
to use APA formatting.
For the open ended questions you are to provide
your answers immediately follow the question as follows:
And so forth…
On the Cyber Security Action Plan template for each Action Plan item include your
response. You can add additional space if needed.
Sections in the Plan
Enumerates the types of security hazards that affect your enterprise.
Describes the general security strategies necessary to meet the risks.
Public key infrastructure
Includes your plans for deploying certification authorities for internal and
external security features.
Security group descriptions
Includes descriptions of security groups and their relationship to one
another. This section maps group policies to security groups.
Includes how you configure security Group Policy settings, such as network
Network logon and
Includes authentication strategies for logging on to the network and for using
remote access and smart card to log on.
Information security strategies
Includes how you implement information security solutions, such as secure
e-mail and secure Web communications.