John Miller is the information security and privacy officer of a local county-owned teaching hospital. He is new to his position and began his work by evaluating the existing security and privacy controls that are in place in the institution. He is also new to information security, having only recently graduated with a BS in information security with professional experience as an active-directory administrator for two years. This work with active directory created his interest in pursuing a position in the field of security. Because he has most experience in the area of account management, user creation and management, groups, roles and group policy, these are the areas where he began his work. He found literally hundreds of idle accounts indicating that users are created but are not properly discontinued when medical students, nursing students, and other employees move on and no longer need access to the data collected and stored by the hospital.

This discovery inspired him to begin digging into other aspects of the security controls, and he found evidence of malware on the servers that house the data collected and stored for use by the hospitals clinical systems. His next discovery was the most alarming. The objective of the malware that had deeply infested the hospital systems was to package and transmit all available data to a remote host located in North Korea. John is clearly in over his head at this point and needs to act quickly to resolve this situation and stop the flow of personally identifiable health information to an unauthorized third party.

Use the study materials and any additional research needed to fill in knowledge gaps. Then discuss the following:

1. What primary laws, regulations, or statutes have been violated by this lack of attention to controls, leading to this serious breach of security?

2. What channels of communication should John enlist to assist him in resolving this matter, and in what order should those communication sources be contacted?

3. What tools and any supporting resources are available to John to determine the breadth of the breach and the mitigations available to secure those assets?