• Write paper in sections
• Understand the company
• Find similar situations
• Research and apply possible solutions
• Research and find other issues
• You are an Information Technology (IT) intern
• Health Network Inc.
• Headquartered in Minneapolis, Minnesota
• Two other locations
• Portland, Oregon
• Arlington, Virginia
• Over 600 employees
• $500 million USD annual revenue
• Each location is near a data center
• Managed by a third-party vendor
• Production centers located at the data centers
Health Network’s Three Products
• Handles secure electronic medical messages between
• Large customers such as hospitals and
• Small customers such as clinics
• Web Portal to support secure payments
• Accepts various payment methods
• Allows customers to find Doctors
• Contains profiles of doctors, clinics and patients
Health Network IT Network:
• Three corporate data centers
• Over 1000 data servers
• 650 corporate laptops
• Other mobile devices
• Current risk assessment outdated
• Your assignment is to create a new one
• Additional threats may be found during re-evaluation
• No budget has been set on the project
• Loss of company data due to hardware being removed from production systems
• Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
• Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
• Internet threats due to company products being accessible on the Internet
• Insider threats
• Changes in regulatory landscape that may impact operations
• Conduct a risk assessment based on the information from this presentation
• Write a 5-page paper properly APA formatted
Your paper should include
The scope of the risk assessment, i.e., assets, people, processes, and technologies
Tools used to conduct the risk assessment
Risk assessment findings
Business Impact Analysis
• You will add to your findings from part 1 and address them with a risk mitigation plan.
• The plan should include
• The plans to reduce risks and vulnerabilities
• Determine whether the organization is risk averse or risk tolerant
• Future plans to reduce residual risks
• The requirement for this half is also 5 pages, properly APA formatted.
Risk Assessment Plan
Risk in healthcare organizations is prevalent. Any healthcare company must therefore have a qualified risk manager who can assess, develop, implement, and monitor a risk management plan through which the company can minimize its exposure to threats. Every company needs to repeat its risk assessment at a set interval; this lets the company take measures against new threats that might expose a vulnerability in the future and result in a loss, such as loss of servers, loss of customer data, or loss of the company’s confidential information. HealthNet Network Inc. needs an updated risk assessment so that management can make better decisions for the future and protect the company’s assets, money, and customer data. Currently, HealthNet has three main products, HealthNet Exchange, HealthNet Pay, and HealthNet Connect, and all three access the company servers, customer data, payment portals, and hospital data through the company’s website. Threats are not only the outside forces that can compromise company systems; they also include natural disasters, system failure, accidental human error, and, most importantly, malicious acts. Currently, HealthNet has three data centers, one at each of its locations (Minneapolis, Portland, and Arlington), all managed by a third-party vendor. There are more than 1000 data servers and around 650 corporate laptops, along with other mobile devices. Production centers are also located at the data centers. With a new risk assessment plan, HealthNet can review the company’s current opportunities, threats, vulnerabilities, and strengths, which helps management make better decisions in the future, such as where and how much money the company needs to invest in protecting HealthNet products from possible future risks. For HealthNet’s products to work properly, it is essential to identify the scope of the plan in order to avoid “scope creep,” i.e., the scope of the project increasing uncontrollably.
One significant part of the scope for HealthNet Inc. is ensuring HIPAA compliance for HealthNet data. Other elements of the scope are defined as follows:
- HNet Exchange should be able to transfer data securely between hospitals and clinics.
- Medical messages exchanged between customers should be transmitted safely, and electronic messages should maintain their authenticity.
- All payments should be made through the HNet Pay portal.
- HNet Pay should support secure payments, such as payments made over HTTPS.
- HNet Connect contains all the doctor and patient information, which must not be leaked to everyone, so it must be ensured that only authorized persons can look up doctor or patient profiles.
- All three products are accessible through the Internet, so a secure network, good firewalls, updated antivirus and software, an intrusion detection system, and high-quality servers and equipment should be used.
- Identification, storage, usage, and transmission of health data.
- Proper security policies are followed by all employees.
For the risk assessment, we can use the following equation to check the impact of a risk:
Risk = Threat * Vulnerability
Risk is high when the vulnerability is high, and low when our vulnerability is low. Threats are always out there; it is the vulnerability that a threat exposes that results in risk. We can use a risk assessment matrix to measure the impact of a risk, rated as High, Medium, or Low. The following two techniques are used to assess risk for HealthNet Inc.
- Quantitative Risk Assessment
This technique is used to calculate the actual cost and helps to identify the priority of risks and the effectiveness of controls.
- Qualitative Risk Assessment
This is a subjective method based on expert opinion. Experts give their views about the likelihood and impact of the risks. Using the following table, we can prioritize risks for HNet Inc. (Gibson, 2015)
| Threat | Likelihood (%) | Impact | Risk (Likelihood * Impact) |
|---|---|---|---|
| Loss of Protected Health Information leaked from unauthorized access | 30 | 100 | 0.3 * 100 |
| Accidental human error (unintentional) | 100 | 100 | 1.0 * 100 |
| Loss of website due to hardware or system failure | 30 | 100 | 0.3 * 100 |
| Attacker or hacker (malicious attack) | 100 | 100 | 1.0 * 100 |
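The scoring in the table above (likelihood as a percentage multiplied by impact, then ranked) carried through as a small risk register, as an added example that is not part of the paper or of Gibson’s text; the High/Medium/Low band thresholds are an assumption, not values the paper gives.

```python
from dataclasses import dataclass

# Constructed register: the four rows of the paper's quantitative table.
# Likelihood is a percentage (0-100); impact is on a 0-100 scale.
THREATS = [
    ("Loss of Protected Health Information leaked from unauthorized access", 30, 100),
    ("Accidental human error (unintentional)", 100, 100),
    ("Loss of website due to hardware or system failure", 30, 100),
    ("Attacker or hacker (malicious attack)", 100, 100),
]

# Assumed band thresholds (not from the paper); a score lies in [0, 100].
BANDS = ((70, "High"), (30, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    likelihood: int  # probability the threat exposes a vulnerability, in percent
    impact: int      # severity if it does, on a 0-100 scale

    def score(self) -> float:
        """Risk = Threat * Vulnerability, with likelihood as a fraction of 1.

        Multiplying the integers before dividing keeps 30 * 100 / 100 exactly 30.0.
        """
        if not (0 <= self.likelihood <= 100 and 0 <= self.impact <= 100):
            raise ValueError("likelihood and impact must be within 0..100")
        return self.likelihood * self.impact / 100

    def band(self) -> str:
        """Map the numeric score onto the matrix rating used in the paper."""
        s = self.score()
        for floor, label in BANDS:
            if s >= floor:
                return label
        return "Low"


def prioritize(rows):
    """Entries ordered from highest to lowest score; ties keep table order."""
    entries = [RiskEntry(*r) for r in rows]
    return sorted(entries, key=lambda e: e.score(), reverse=True)


def register_report(rows):
    """(threat, score, band) tuples in priority order, ready for the risk matrix."""
    return [(e.threat, e.score(), e.band()) for e in prioritize(rows)]


if __name__ == "__main__":
    for threat, score, band in register_report(THREATS):
        print(f"{band:6} {score:6.1f}  {threat}")
```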
By using these techniques, the following threats are recognized at HealthNet Inc.
- Production systems help produce information for the company and deliver its data, so these systems must work correctly. The identified threat is that company data is lost when hardware is removed from production systems.
- Many laptops and mobile devices, which are company assets, are stolen, and with every stolen asset the company loses information.
- All three company products are accessible through the Internet, and there is always an Internet threat such as a hacker or a malicious attack over the Internet.
- Natural disasters such as floods, hurricanes, and tornadoes can cause production outages, which can result in a loss to the company.
- Insider threat: someone can make a mistake, and the likelihood of this is very high. The threat of accidental human error is always high.
- Threat of system failure. This threat will be low if we use good, high-quality products and equipment for server and system safety. We should never rule out the possibility of system failure: a CPU fan burns out, a power supply fails, or a motherboard dies. The threat of any of these happening is high if the equipment quality is low.
The following risk assessment matrix is used to show the impact of all possible risks in the HealthNet company environment. (Gibson, 2015)
| Risk | Threat | Vulnerability | Impact of Risk |
|---|---|---|---|
| Loss of data because of production system outage | | | |
| Loss of data | | | |
| Network compromised | Malware | Antivirus software outdated or not renewed | High |
| Loss of company information | | | |
| Loss of confidentiality | Hacker | Public-facing server not protected with firewalls and intrusion detection systems | High |
| Loss of customers | System failure | Low-quality equipment is used | High |
| Loss of money | Internal | Lack of information about policies such as HIPAA | Low |
After prioritizing the risks, a Business Impact Analysis (BIA) is done to check the impact of these risks on HealthNet Inc. The following threats are identified after doing the BIA.
- System outages
- Loss of confidential data
- Loss of company information
- Loss of company assets
- Loss of money
Resources are needed to bring our systems back online quickly in case a system outage occurs. The following measures should be considered as soon as possible to minimize the vulnerabilities that expose HealthNet to the risks stated above.
- Cloud storage backup of data in case a system outage occurs
- A high-quality intrusion detection system and proper access controls should be re-implemented to make sure there is no unauthorized access.
- New insurance should be purchased for HealthNet to insure all of its assets
- Policies should be updated, and proper training held by department managers
- Server protection software should be updated
- Antivirus software on all systems should be updated and renewed through the time of the next risk assessment
- Eli the Computer Guy. (2010, December 13). Introduction to Risk Assessment [Video]. Retrieved from https://www.youtube.com/watch?v=EWdfovZIg2g
- What Is Risk Management in Healthcare? (2018). NEJM Catalyst. Retrieved from https://catalyst.nejm.org/what-is-risk-management-in-healthcare/
- Gibson, D. (2015). Managing Risk in Information Systems (2nd ed.). Burlington, MA: Jones & Bartlett.