Assessing Risk

Review the description of High Class Healthcare, the organization on which you will base your course project. Within the required reading, identify the steps and procedures involved in conducting a risk assessment and apply those concepts to prepare the organization for an upcoming risk assessment, which will be completed over the course of the quarter.

Describe the following about the organization:

1. Identify strategies for calculating the likelihood and impact of potential areas of risk.
2. Enumerate which specific human resources should make up the security management planning activities.
3. Describe the potential challenges present due to the distributed environment of the project organization.
4. Explain the role that formal policies, procedures, and guidelines play in the work of assessing risk.
5. Use proper APA (6th edition) style and formatting for all references and citations.

Scenario

Mark Moneybags has decided to use the millions of dollars he inherited from his rich uncle Mike to venture into the healthcare industry. To that end he has begun construction on a brand new 150-bed hospital called High Class Healthcare in a North Hennepin suburb. Construction is nearly complete, so Mark has begun to turn his attention to activities related to opening the hospital itself.

Recently Mark hired his executive tier, which is described in the High Class Healthcare Organization Chart. They in turn have hired their immediate subordinates. It is this group of individuals upon whom Mark will rely to get his hospital up and running.

Tess Tekky, the newly appointed CIO for High Class Healthcare, has hired you to conduct a risk assessment and to develop recommendations for a business continuity plan and information security policies that High Class Healthcare can implement as part of opening for business.

Technical Details

Mark Moneybags, in coordination with Tess Tekky and Nick Network, has purchased a number of information assets that will be used to create, transmit, and store the health data collected at High Class Healthcare. The specific items that have been purchased are listed on the Risk Assessment Documentation Spreadsheet. You should assume that the list is a complete set of information assets and that anything you believe missing from this list has not been purchased and should therefore be added to your risk recommendations.

The network for High Class Healthcare is being implemented exclusively using fiber and Cat5e cable. Mark Moneybags has opted to reserve implementation of a wireless network as a future enhancement to the network. Fiber will be used only on the backbone between the core switches and on the segment where the ERP, EMR, and Radiology servers will be located. All other segments of the network will be implemented using Cat5e. Network speeds are 100 mg to the desktop and gigabit Ethernet on the backbone and server segments.

A computing facility has been constructed in the basement of the new building below the main kitchen. Proper racks and housing for the blade servers have been installed as part of the facility construction. Access to this area is controlled by short-range RFID badges that generate audit reports, which include both authorized and unauthorized access attempts. The dock and storage areas are located behind the computing facility, which requires the staff in all of those areas to be given access. In addition, Ben Buildings, who is responsible for Facilities Management, has asked for access for himself and all of his staff who are responsible for security and environmental controls for the facility. Mark has agreed that this access is necessary in the event of an incident that would require this staff to have access to this area.

All servers will be located in the computing facility with the exception of the lab servers. Larry Labguy has had a bad experience with IT in the past, so he made it a condition of his employment that his servers will be housed in the second floor lab area and he will have administrator access to manage these servers himself. Larry has agreed to go out and purchase a UPS for the server, but there are no environmental or security controls designed for the lab area.

Mr. Moneybags and Nick have asked you to include recommendations for who should have access to which of these resources once the network is implemented. Currently Nick has provided domain administrator accounts to all of the executive leadership, including Larry Labguy. They in turn have created domain administrator accounts for all of their immediate subordinates.

The network architecture being designed includes the use of Openlink as an interface engine, which will feed data streams between systems. All of the source systems will be those that send data, and the receiving systems will be those that have data fields populated. The interfaces being developed are included in the Risk Assessment Documentation Spreadsheet.

Irene Invoice has pointed out the need to transmit large amounts of patient billing information to the clearinghouse with which Mark has contracted for the purposes of communicating with the payers. She has suggested that these files be sent via FTP. Betsy BuysStuff would like a direct connection between High Class Healthcare and its top 20 suppliers that would allow the suppliers to manage their own inventory items. Mark has asked for your opinion as part of your risk assessment recommendations.