A Security Risk Analysis of HealthNow LLC

The medical group HealthNow, LLC has a business structure which consists of offices distributed at three locations, a main office together with two satellite offices. There are three doctors at each of the three offices, a pediatrician, a family medical doctor and an internal medical doctor. The two satellite offices additionally have four nurses together with one receptionist each. The main office employs five nurses, a receptionist, as well as two appointment schedulers who make appointments according to the availability of doctors and the addresses of patients. The finance department within the main office also has two employees. The main office equipment includes six desktop computers, ten laptop computers and three printers. There is a rack of servers with adequate capacity of storing the data for each of the three offices. At each of the two satellite offices there are, four desktop computers and seven laptop computers with two printers. HealthNow, LLC provides Doctors with Smart phones to provide after-hours services while capable of connecting to HealthNow, LLC the servers and review patients’ data.

            Even though HealthNow, LLC does not have an information security department, there must be a plan for ensuring the security of all business information assets. To achieve this objective the team has develop the report which includes the following sections. There is a description of the potential external as well as internal security threats for HealthNow, LLC that covers possible information security damages ranging from minor losses to the destruction of the entire information system destruction with consideration of accessibility to the Internet and vulnerability to various types of threats. The business and compliance section covers management of compliance related to infrastructure and establishment of effective programs and best practices. The roles and responsibilities section outlines the profiles of every employee in relation to the new IT infrastructure and the support it will provide in their day to day tasks while having an effective security program.

            The security risk assessment section describes methods and identifies organizational information technology security risks and provides measurement and analysis of the security risk profile of information assets together with plans of action for risk mitigation.  In the supply chain security section policy that must be followed by HealthNow, LLC vendors. The newly configured network diagram for the HealthNow, LLC network is presented with the next section discussing the regulations HealthNow, LLC is subject to, followed by an outline of legal and regulatory issues facing HealthNoww LLC as well as the security metrics which will be implemented.

Potential External and Internal Security Threats at HealthNow, LLC

            For HealthNow, LLC, business information technology (IT) threats are multilayered. The internal and external IT threats involve several components which include information and communication networks, operating systems, computer systems, software applications as well as wireless, intranet and internet technologies as threat vectors. Generally, the IT threats facing HealthNow LLC are grouped into the following categories: Hardware; software; data; network; personnel; administration; and physical. (Baskerville, Spagnoletti & Kim, 2014).  Robust and effective security is critical for efficient IT performance and the success of HealthNow, LLC. This organization relies greatly on computer and telecommunication-based systems which have several inherent security risks including server content and software piracy, data modification theft and destruction; hardware destruction and IT network sabotage. (Baskerville, Spagnoletti & Kim, 2014).   

            There are also inherent IT network vulnerabilities and weakness which might be exploited to gain unauthorized access to the network and these include network architecture configuration, procedures and structure, software malfunction, network operation challenges and compatibility issues. It is supremely useful to identify sources of the vulnerabilities. The team identified potential internal threats as stealing proprietary information, sabotage, unintentional or unplanned breaches, viruses and fraud. (Baskerville, Spagnoletti & Kim, 2014).   These potential threats may be intentional and malicious. Potential external threats were identified as possibly occurring through wired and wireless networks connections and, physical intrusion. Such external threats include cache poisoning, eavesdropping, data forwarding, and external denial of service, hacking and cyber terrorism. (Baskerville, Spagnoletti & Kim, 2014).   Global internet connectivity increases the potential for threats and vulnerability due to remote accessibility of the network. Since the HealthNow, LLC network will be highly interconnected with computer systems and mobile devices, the potential threats may originate from multiple sources simultaneously posing security threats to the operating systems (OS) architecture. Cyber attacks represent a major potential external threat for HealthNow LLC network because of the complexity and internet connectivity of the network. (Tuma, Scandariato, Widman, & Sandberg, 2017). Such externally originating threats included spamming, viruses, Trojan horses, spyware and phishing. (Tuma, Scandariato, Widman, & Sandberg, 2017). These threats may be introduced through emails, Voice over Internet Protocol (VoIP) as well as downloads. These potential threats can lead to serious compromise to data integrity. (Tuma, Scandariato, Widman, & Sandberg, 2017).

            Additionally, wireless systems including Wi-Fi and Bluetooth are other points of entry for potential external threats. These wireless interfaces can be used by intruders to gain remote access to HealthNow LLC devices including mobile phones, laptops, PDAs and tablets to steal, modify or destroy company information. (Tuma, Scandariato, Widman, & Sandberg, 2017).   Jamming is also a type of external threat which may compromise the integrity of HealthNow LLC wireless IT networks. (Baskerville, Spagnoletti & Kim, 2014). HealthNow LLC is also faced by compliance threats because failure to comply with the legal requirements related to information technology may result in serious legal challenges, penalties or even closure of the business by government agencies. (Layton, 2016). Lack of security awareness by the network users represent another internal threat which may result in unauthorized access and Identity theft because of ignoring company policies, leakage of sensitive information and using ineffective passwords. (Tuma, Scandariato, Widman, & Sandberg, 2017).

The Business and Compliance Elements

               Business and compliance management for HealthNow LLC involves the capability of maintaining and protecting information, remediating IT related problems, and providing all necessary compliance reports. The two critical areas to be considered are internal compliance that assures observance of procedures and regulations as well as industry best practices according to internal business policies, and external compliance that ensures the practice of adherence to laws, regulations and guidelines enforced by governments, regulatory agencies, and industry organizations. National and international law will however need evidence of compliance which includes documentation. The industry and regulatory organizations impose certain standards and guidelines, for example the Payment Card Industry Data Security Standard (PCI DSS) which ensures security for credit and debit card-based financial transactions. (Zulhuda & Ansari, 2018).   The other elements of compliance which HealthNow LLC must consider include protection of information from unlawful destruction of information.

               In addition to local and federal laws, regulations and policies, HealthNow LLC will have to adhere to international regulations and standards related to healthcare industry and ICT use as well as regional and statutory regulations. (Zulhuda & Ansari, 2018).  There may be some difficulty in identifying all the laws, regulations and guidelines required however, the legal team together with HealthNow LLC executives with the guidance and recommendations from the IT implementation team determined the scope of compliance. HealthNow LLC will deal with multiple regulations primarily covering the healthcare, financial and information technology industries and may be daunting for the organization which has not information security department. In the United States, HealthNow LLC will be complying with the authority of the Securities and Exchange Commission (SEC), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC). Centers for Medicare and Medicaid Services (CMS), Office of the National Coordinator for Health Information Technology (ONC), Health Insurance Portability and Accountability Act (HIPAA) and the U.S Department of Health and Human Services (HHS), U.S. Environmental Protection Agency (EPA)  U.S. Food and Drug Administration (FDA) and U.S. Consumer Product Safety Commission. Apart from these official laws and regulations, HealthNow LLC will comply with industry standards that include financial accountability standards and The Information Technology Industry Council (ITI). (Ball, Weaver, & Kiel, 2013).

            The successful demonstration of business and information technology compliance within this complex regulatory environment requires improvement to the quality of HealthNow LLC data and reporting systems so that the organization’s response in any situation is consistent and follows the requirements of these multiple regulatory agencies. Under such environment the quality of reporting systems are the important and contributors which address compliance requirements consistently. With robust as well as adequate business and compliance reporting systems, it will be possible to meet both national and international compliance requirements. These compliance requirements should also be integrated with the day-to-day operations and management of HealthNow LLC.

Employee Roles and Responsibilities

            The greatest risks to information security at HealthNow LLC are the employees. People frequently unintentionally generate risks for the organization. Training of all employees about the basics of information and network system security is one of the approaches the team will use in securing HealthNow LLC information technology assets. All employees will be regularly trained to develop a culture which conscious of security at all times. Employees using computer and network applications that contain sensitive data include doctors, nurses, appointment schedulers, finance department employees and receptionists. These employees will be informed and trained on the proper use and protection of such data. Before granting of access to HealthNow LLC computer systems, employees will also be trained on the new and existing information security policies as well as their responsibilities in protecting sensitive information.

            All employees will additionally be periodically required to sign attestations which act as confirmation of the proper understanding of business and IT policies, commitment to following the business policies, and clear understanding of the penalties resulting from non-compliance. The consequences of violation of security policies will be plainly defined and well understood across the entire organization. To keeping sensitive data protected each employee will have a user account which password protected with every employee is having the responsibility of keeping these passwords safe. Each user and every application will be accessed through individual password t which all employees are responsible for selecting and ensuring is sufficiently strong to prevent hacking and guessing attempts. Employees are not permitted to share the user accounts or passwords with anyone including other colleagues. In case the using of shared passwords cannot be avoided then all the employees will be individually responsible for understanding the policies and regulations that guide the use of shared accounts.

            Through implementation of least privilege HealthNow LLC will be able to protect t sensitive business information by restricting the number of employees with access. Roles will be created for employees within the organization according to the required tasks for the roles as follows: The network administrator will have the highest level access to all user accounts and company information. Then doctors and managers will have high level access with ability to view all patient data and administrative information while nurses, receptionists and other employees will have the lowest level of privilege with access to patients and treatment processes data. The finance department employees will have a special access to financial and operational information.

A security risk assessment

            The risk assessment consists of both qualitative and quantitative evaluation of each risk together with the consequences of the effects of risks. With this security assessment, the objective is identification of information technology related security strengths and weaknesses of HealthNow LLC together with the IT infrastructure. The security risk assessment identified the positives as well as the areas which present opportunities for improvement. In this case, the following positive characteristics as well as strengths were identified: The network configuration shows moderate efforts of minimizing risks through appropriately restricted access to required services. The user account access controls also seem strong are not able to be successfully extracted through several types of breaches. Even though there are indications of proper security and protection of information technology infrastructure together with data, several weaknesses have been identified that may potentially be damaging to the HealthNow LLC.

            The identified shortcomings include:  Experiencing internet based applications performance problems which reveal information related to server and the network configuration.  Significant SQL server injection issues related to the HealthNow LLC web site that may allow unauthorized extraction of database and server information. The HealthNow network architecture if not well configured will also present a largely weak protection against mobile phone and email based social engineering threats. Such weaknesses may result in to high-risk actions including clicking on unsafe links while potentially revealing sensitive information. (Peltier, 2016). HealthNow LLC has the possibility of greatly improving the existing security configuration through implementation of the recommended activities.

The information risk assessment considered the following vulnerabilities attributed to Information Assets.

1. Fire Wall

The firewall if not properly configured provides no mitigation against malicious external interference and distributed denial of service (DDoS).

2. Servers

The servers are located in a poorly ventilated and air conditioned room which will eventually lead to overheating and damage to the servers causing sensitive information destruction and overall network system failure.

3. Sensitive Information

Permissions and access controls are not properly configured, there is no IT auditing software and there are no regular backups of the network and information system. This means there is a potential for accidental destruction or deletion of sensitive information.

4. Ports

Fortunately, no open ports were identified in this case because the network has not yet been configured to use routers for accessing the internet.

5. Information Disclosure

            Both intentional and unintentional information exposure may occur as a result of unauthorized access to that information which arises from PHP script errors found in HealthNow LLC system. This error exposes the program’s full path.

Information System Security Implementation Approach for HealthNow, LLC

            Protecting information technology assets and data at all the HealthNow LLC sites is required to minimize or eliminate the risk of unauthorised access to information and protection of data from theft, loss, alteration and damage that may be introduced through information assets and which will disrupt HealthNow LLC activities. The implementation plan covers the network implementation and configuration, user access life-cycle control and requirements for access to information and system services. (Shedden et al., 2016). The scope of implementation includes information assets which are critical to normal operations within HealthNow LLC such as user access, data availability device connectivity and network availability. (Da Veiga & Martins, 2015).  The information assets include the computer network systems, system hardware and software as well as internet connectivity and cloud services.

            The recommendations for implementation are based on international regulations, industry best practices and experience. Security control represents safeguards and countermeasures designed for protecting the Availability confidentiality and integrity of information, assets, systems and processes. Security controls will comprise of operational, management and technical activities designed as deterrent, delay, detection, denial and mitigation against malicious and unauthorised access. (Da Veiga & Martins, 2015).   Protecting the HealthNow LLC information involves implementation of new network architecture, applying comprehensive firewall and network security measures which specifically address cyber threats, physical threats, and employee security. (Kim & Solomon, 2016). The security controls also involve protection of telecommunications and electrical power infrastructure by using emergency and backup power and communications infrastructure.

            The implementation plan addresses the identified weakness through IT network system reconfiguration, deletion of redundant user accounts, deleting of unnecessary and default file sharing, disabling vulnerable system services as well as ports, creating access controls for file systems, databases and registries together with use of encryption mechanisms. (Li et al, 2015).

Access Control

Access and user account control is will ensure only permitted to access information assets and data. Controlled access will consist of permission to the information system only from HealthNow LLC onsite network, satellite facility network or remote access from authorized and pre-registered and approved external devices only.

Baseline Configuration

A network configuration has been established which will be adhered to by all systems to maintain safe and secure information network. This baseline configuration means that all network systems and equipment will operate with the security controls requirements defined by the set baseline.

Communications Security

This will employ network protocols designed to protect the network from physical intrusion and access by malicious software which may be used for information theft

Cryptography

Cryptography involves encrypting data and information. Currently available encryption tools and software will be installed in the network for information security. The level of encryption depends on the assessed security risk level of the data and communications to be encrypted.

HealthNow LLC Supply Chain Security Policy

     The critical operational factor of ensuring resilience for the HealthNow supply chain necessitates the deploying of effectively designed supply chain security system which includes identification, analysis, and prioritization of supply chain security risks. A robust supply chain security policy entails the establishment and maintenance of a risk-based supply chain security program for the entire organization’s supply chain which includes all vendors and suppliers. The ISO 31000 offers a comprehensive vendor management framework and establishes adequate resilience in the supply chain.   Implementation of the ISO 31000, ISO 28001-2007, ISO 28004- 2007 and ISO 28000 standards will serve as the policy framework for establishing  effective supply chain security system at healthNow LLC.

     The ISO risk management guidelines describe an effective approach in development and management of industry-appropriate supply chain security management system.   This encompasses all the aspects for implementation of supply chain security policy which will maintain a resilient supply chain while minimizing adverse risk effects. For effectively supplementing the HealthNow LLC supply chain security system defined by the ISO standards, an activity based, operational-level category guidelines together with industry best practices can be implemented to establish sustainable supply chain security system. The guidelines to the supply chain security policy together with best practices are defined by the fundamental elements of supply chain security drawn from internationally accepted supply chain security management standards that include WCO’s SAFE Framework of Standards and AEO.  The objective of the standards is to enable HealthNow LLC to deploy an effective and efficient supply chain security policy which will contribute to the resilience of the organization’s supply chain. (Ball, Weaver, & Kiel, 2013).

            An important element of the HealthNow LLC supply chain security policy is the documentation processes security, including manual and electronic methods. The process must assure information is captured legibly then protected from data damage or loss. Protection of all business data will be safeguarded through network access and information control. Controlling of access to the information systems has been defined according to levels of responsibility and information clearance level. (Peltier, 2016).  Physical access to information system equipment and devices such as laptops will be ensured through area access control and surveillance monitoring. Employee use of information is also regulated to support the supply chain security policy in addition to backing up of all processes and computer system information. The overall HealthNow LLC supply chain security policy is based on the organization’s core principles, international business code of conduct, ethical business and international supply chain security regulations and standards. The supply chain security policy based on the ISO Supply Chain Security Management Guidelines and HealthNow LLC core values defines the operations of the entire supply chain system together with the security activities and general principles.

Network Diagram

Information System Assets

Regulations Applying to HealthNow, LLC

            The entities that impose regulation on the health-care sector in the U.S are both private and public at the local, state and federal, as well as county and city levels. The numerous regulations represent the constant response to an ever present requirement for balancing the goals of healthcare system quality enhancement, expansion of access and regulation of costs within healthcare. Every player in the health-care system must be subjected to regulation by several governmental as well as nongovernmental agencies. (Zulhuda & Ansari, 2018).  The primary federal regulatory agencies include the U.S. Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), the Centres for Disease Control (CDC), and the Food and Drugs Administration (FDA). (Ball, Weaver, & Kiel, 2013). State regulatory agencies that HealthNow LLC will be subject to are the healthcare provider license boards, county or city regulations, public health departments, provider licensing boards and some independent non-governmental organizations. Industry organizations and provider associations which include the AMA and insurance commissions will also play a regulatory function for HealthNow LLC as these are some of the requirements within the U.S healthcare system. (Ball, Weaver, & Kiel, 2013).    

            HealthNow LLC also comes under the regulatory and governance authority of public as well as private agencies related to third party payers, pharmaceutical organizations, medical equipment and components, securities and financial services, individual privacy statutes, and private healthcare provider organizations. Third party payer regulatory authority for private insurance and third party actors, for HealthNow LLC will be distributed between federal and state agencies. Existing regulations and governance elements which include third party payers came about mainly from the multiple legislations of the McCarran-Ferguson Act together with the ERISA. (Ball, Weaver, & Kiel, 2013). As a response to the ruling by Supreme Court that the insurance industry was an interstate activity, the McCarran-Ferguson legislation was created to establish state authority of regulating third party payers. Every state also has provisional regulations governing healthcare insurers and providers from engagement in unethical practices within the United States. (Ball, Weaver, & Kiel, 2013). HealthNow LLC also comes under ERISA regulatory authority which focuses on the state-level regulations. ERISA establishes the basic standards for protection of individuals who participate in many of the voluntarily created health insurance benefit plans in the private sector such as self-insurance plans by employers. ERISA regulates the administration of self-insured plans and determines the handling of disputes presented by participants. Regulatory authority of ERISA applies to HealthNow LLC because of employer-insured health plans which relates to the activities on any healthcare provider. (Ball, Weaver, & Kiel, 2013). The ERISA regulations include requirement for information provision about health insurance plans to enrollees together with the financial aspects and fiduciary obligations which are applicable.

Security Metrics Program

            The advances in the security of information and communications technology together with enhanced government-directed cyber security programs notwithstanding, information system attacks is not about to end any time soon and hackers continue to pursue unprotected patient and provider data. Healthcare organizations such as HealthNow LLC account for a large proportion of reported data system breaches. (Ball, Weaver, & Kiel, 2013). Considering these data breach occurrences, it is evident that HealthNow must be well prepared with very strict HIPAA compliance than would be ordinarily expected. HIPAA compliance, particularly with the Security regulations is a necessity for the organization because the value of both patient and provider data which includes sensitive and private information consistently increases. (Ball, Weaver, & Kiel, 2013).

             HealthNow will typically follow all privacy regulations with the metrics applied including implementation and updating of business associate agreements (BAA) which concerns interations where associated businesses generate, obtain, store, and convey protected health information (PHI). (Ball, Weaver, & Kiel, 2013). However, even the implementation of BAA does no eliminate the common liability between the insured individual and another business entity. (Ball, Weaver, & Kiel, 2013). This common liability makes it critical to audit all business associates for compliance with all the regulations while ensuring that only the necessary data is sent to other business associates in performing assigned tasks.

            Covered entities frequently do not prepare well for compliance with Security Rule regulations with many not having firewalls, adequate security for remote access or even encryption. (Brotby, & Hinson, 2016). To address such issues, HealthNow LLC has established a business associate information security compliance audit plan in addition to having well designed self-security of the information systems. HealthNow LLC also completed an information risk analysis and implemented an information asset risk management plan which addressed all identified technological and physical vulnerabilities. Action plans for addressing the vulnerabilities included regular employee training about data system security and protection and HIPAA compliance requirements. (Brotby, & Hinson, 2016).

References

Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), 138-151.

Brotby, W. K., & Hinson, G. (2016). PRAGMATIC Security Metrics: Applying Metametrics to Information Security. CRC Press.

Da Veiga, A., & Martins, N. (2015). Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, 162-176.

Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Publishers.

Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.

Li, S. H., Yen, D. C., Chen, S. C., Chen, P. S., Lu, W. H., & Cho, C. C. (2015). Effects of virtualization on information security. Computer standards & interfaces, 42, 1-8.

Peltier, T.R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. New York: CRC Press.

Shedden, P., Ahmad, A., Smith, W., Tscherning, H., & Scheepers, R. (2016). Asset Identification in Information Security Risk Assessment: A Business Practice Approach. Communications of the Association for Information Systems, 39(1), 15.

Tuma, K., Scandariato, R., Widman, M., & Sandberg, C. (2017). Towards security threats that matter. In Computer Security (pp. 47-62). Springer, Cham.

Ball, M. J., Weaver, C., & Kiel, J. (Eds.). (2013). Healthcare Information Management Systems: Cases, Strategies, and Solutions. Springer Science & Business Media.

Zulhuda, S., & Ansari, A. H. (2018). Information Asset as Property: A Legal Perspective. In Contemporary Issues in International Law (pp. 371-381). Springer, Singapore.