The purpose of this assignment is to develop an information security risk assessment report for an organization.
Using Kaiser Permanente as an example, develop a risk assessment report with the following sections.
1) Executive Summary of the risk assessment report
2) Methodology
3) Results
4) Risk Register
5) Conclusion
Executive Summary
Kaiser Permanente uses HP Fortify static scanning and WebInspect dynamic scanning to find security issues in application code and at application URLs. The software is on-demand: it is run whenever required, and it tests application security faster, more accurately, more affordably and with less management effort. The Fortify tool scans application code, while the WebInspect tool scans application websites, and both report possible security issues in the code and in website access. HP Fortify is market-leading software for both static code analysis and dynamic application URL testing; it provides a summary report and a detailed report of security issues rated High, Medium and Low, with the corresponding remediation steps for each issue.
Risk Process Methodology
Organizational Assessment
Organizational assessment is a less structured form of risk analysis; it depends heavily on various sources of information and their past trends, including security threats and trends, audit findings, security incidents, security exceptions and security metrics. Kaiser Permanente must conduct a review to determine a pharmacy or Medicaid managed care plan's compliance with state-established standards covering enrollee rights and protections, access to services, structure and operations, measurement and improvement, and industry standards. The third-party company DHCS conducts this review through an extensive monitoring process that assesses the KP plan's compliance with state and federal requirements, at initial contracting and through subsequent ongoing activities.
System Specific Assessment
System-specific risk assessment is more structured than organizational assessment and focuses on interpreting the gathered data to derive findings and conclusions for the in-scope systems; it is critical for translating the collected data and analyzing the various values and scores. A system-specific review works with the following structured elements: threats, vulnerabilities, likelihood, impacts and controls. During this assessment a risk score is calculated from these elements, mainly from threat and vulnerability pairs, and that risk score is the primary data used in the system-specific analysis. Different observations and findings are derived from different views of the risk scores.
The system-specific assessment table at Kaiser Permanente records the following information for each healthcare application: the threat (agent and action), the vulnerability, the risk score and the risk classification (low, moderate or high). After categorizing the risks, the team determines all high-risk items and derives a table containing threat agent, threat action, vulnerability and affected system. System-specific risks include disclosure of transmitted sensitive data (related controls: email encryption, a secure FTP infrastructure and security awareness), data alteration (related control: logging and monitoring) and system intrusion (related controls: password complexity enforcement and security awareness).
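The two paragraphs above describe the system-specific scoring without stating the scale or formula. The following Python is an added worked example, not part of the original report or of Kaiser Permanente's assessment: it assumes a NIST SP 800-30 style 1-3 qualitative scale, a score of adjusted likelihood multiplied by impact, constructed classification thresholds, and constructed threat/vulnerability pairs modelled on the examples the text gives (unencrypted email, missing logging and monitoring, weak password enforcement). It produces both the per-system assessment table and the derived high-risk table.

```python
"""Risk scoring for threat/vulnerability pairs and derivation of the high-risk table."""
from dataclasses import dataclass

# Constructed 1-3 ordinal scale. Assumption: a NIST SP 800-30 style qualitative
# scale; the report does not state which scale the assessor used.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class ThreatVulnPair:
    system: str                 # in-scope system the pair affects
    threat_agent: str
    threat_action: str
    vulnerability: str
    likelihood: str             # low / moderate / high, before controls
    impact: str                 # low / moderate / high
    control_effectiveness: str  # how well existing controls reduce likelihood


def risk_score(pair: ThreatVulnPair) -> int:
    """Score = adjusted likelihood x impact, on a 1..9 scale.

    Assumption: each level of control effectiveness above 'low' lowers the
    likelihood by one level (floor 1); 'low' effectiveness leaves it unchanged.
    """
    reduction = LEVELS[pair.control_effectiveness] - 1
    adjusted_likelihood = max(1, LEVELS[pair.likelihood] - reduction)
    return adjusted_likelihood * LEVELS[pair.impact]


def classify(score: int) -> str:
    """Map a 1..9 score onto the low / moderate / high classification.
    Thresholds are constructed: >= 6 high, >= 3 moderate, otherwise low."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def assessment_table(pairs):
    """Per-system rows as the text describes: threat, vulnerability, score, class."""
    return [
        {
            "system": p.system,
            "threat": f"{p.threat_agent}: {p.threat_action}",
            "vulnerability": p.vulnerability,
            "score": risk_score(p),
            "classification": classify(risk_score(p)),
        }
        for p in pairs
    ]


def high_risk_table(pairs):
    """Derived table of high-risk items only: threat agent, threat action,
    vulnerability and affected system, highest score first."""
    rows = [
        {
            "threat_agent": p.threat_agent,
            "threat_action": p.threat_action,
            "vulnerability": p.vulnerability,
            "system": p.system,
            "score": risk_score(p),
        }
        for p in pairs
        if classify(risk_score(p)) == "high"
    ]
    return sorted(rows, key=lambda r: -r["score"])


# Constructed sample pairs (not data from the report).
PAIRS = [
    ThreatVulnPair("Email system", "external attacker", "intercept ePHI sent by email",
                   "email not encrypted in transit", "high", "high", "low"),
    ThreatVulnPair("Health Information System", "malicious insider",
                   "alter patient records undetected", "no logging and monitoring",
                   "moderate", "high", "low"),
    ThreatVulnPair("Pharmacy system", "external attacker", "guess staff passwords",
                   "password complexity not enforced", "high", "moderate", "moderate"),
    ThreatVulnPair("Imaging", "external attacker", "capture files in transit",
                   "legacy FTP transfers", "moderate", "high", "high"),
    ThreatVulnPair("HR payroll", "staff", "open a malicious attachment",
                   "low security awareness", "moderate", "low", "moderate"),
]

if __name__ == "__main__":
    for row in assessment_table(PAIRS):
        print(f"{row['system']:<28} {row['score']}  {row['classification']}")
    print("High-risk items:")
    for row in high_risk_table(PAIRS):
        print(f"  {row['system']}: {row['threat_agent']} / {row['vulnerability']}")
```

Because controls adjust likelihood rather than impact, a highly effective control (the Imaging row) can pull a moderate-likelihood, high-impact pair down to a moderate score, while an absent control leaves a pair such as the unencrypted email transmission at the top of the high-risk table.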
Risk Assessment Results
Organizational Risk Results
Risk | Observation | Threat Initiation
--- | --- | ---
Mobile attacks: mobile device usage for business activities has increased, exposing more devices to the outside world, so there is a high chance of attacks on these devices. | Based on the Kaiser Permanente risk analysis using the framework, KP appears to have potential exposure to mobile attack threat vectors, due to an increase in staff, mainly physicians, using mobile devices to access patient data and clinical information. Trending security reviews from researchers report a high rate of mobile security risk. Factors driving the increase in attacks are malware, the natural predisposition of mobile devices, and the practice of sometimes allowing physicians to use their personal devices to access data, which is a risk for the organization. | Effective mobile device management, security awareness, data loss prevention and technology implementation are required.
Third-party security gaps: there are potential issues with Kaiser Permanente systems and networks. | Fortify scanning metrics show a high number of unpatched vulnerabilities within KP systems. Additional research shows that these appear to be the same unpatched systems associated with the vendor-managed systems documented in filed security exceptions. | Third-party system security requirements.
Phishing and social engineering: susceptibility of the organization's users to phishing causes unauthorized access to the hospital network systems. | A careful review of security incidents over the period shows that a large portion of incidents are related to phishing and/or social engineering attacks; these attacks happened because user credentials were leaked or users clicked on a malicious link or email attachment. This behavior could potentially lead to unauthorized access to hospital systems. | Security awareness, malware protection controls and data loss protection technology.
Data loss: lack of technology initiatives increases the accidental or intentional loss of ePHI data. | There have been several data loss incidents, both accidental and malicious. | Data loss prevention.
Malware: spam links or malware attacks on the organization. | Unauthorized access to the HIS or disruption of services. Gaps in the current enterprise anti-virus and malware solution. | Malware protection controls.
System Specific Risk Results
System characterization is the first step of the system-specific review; as part of this step, asset scoping, profile surveys and interviews were conducted. Five systems are in scope for this information security risk assessment: the health information system, pharmacy system, accounting, HR payroll, email and imaging. Threat identification is the next step: Kaiser's third party researched common information security threats to the organization, determined threat agents and threat actions, and prepared a threat catalog. Vulnerability identification follows, with current and potential future vulnerabilities identified through third-party assessments. Impact analysis, likelihood analysis and control analysis are the follow-up steps used to determine risks and recommendations, covering the confidentiality, integrity and availability of the Kaiser Permanente systems.
Risk Register
The risk register identifies each risk, provides analysis based on organizational and system-specific factors, and records current and ongoing remediation activities. The following risks were identified for Kaiser Permanente.
Risk ID | Risk Name | Risk Scope | Description | Impact | Rationale | Treatment
--- | --- | --- | --- | --- | --- | ---
R01 | Mobile attacks | Organizational | | Exposure of sensitive information, unauthorized access to the KP HIS | Increase in use of mobile devices by providers and mobile attacks from hackers | Proposals are strong mobile device management, data loss treatment and security awareness
R02 | Security gaps | Organizational | Compromise of health information systems due to vulnerabilities in vendor-managed systems | Loss of member or provider information or a security breach in health information systems could lead to significant penalties | Multiple security exceptions from the third-party managed system | Third-party security requirements, network isolation
R03 | Phishing through social networks | Organizational | Exposure of company users' social network information, and from there gaining access to hospital websites | Unauthorized use of hospital resources | Compromise of hospital user accounts through social network phishing | Security awareness, malware protection and data loss protection
R04 | Data loss | Organizational | Possible loss of regulated data through email and loss of ePHI data | Loss of members or patients could lead to reputation issues for Kaiser | Security incidents of data loss via email transmission or portable removable devices | Security awareness and data loss protection technology
R05 | Malware | Organizational | Potential malware attacks | Possible impact on and degradation of hospital systems due to malware attacks | High-priority security issues due to malware attacks | Effective malware protection
R06 | Sensitive data | Email system | Possible risk of ePHI data transmission via email due to lack of encryption | Possible loss of member data | Email systems such as Outlook or Lotus Notes do not support strong encryption | Email encryption
R07 | Unverified data | Health Information System | Data alteration due to lack of logging and monitoring | Inaccurate data and unverified data alterations cause data integrity issues | The healthcare information system does not have a logging and monitoring system | Logging and monitoring control system
Conclusion
Kaiser Permanente's third-party company conducted a risk analysis of the organization and a review of specific systems, and identified 5 organizational and three system-specific information security risks. The organizational risks were found using a risk determination process based on a high-level review of KP's organizational risk. The system-specific review (SSR) risks were determined using the NIST framework, quantifying each risk based on impact, likelihood and the controls in place, by threat and vulnerability from ISO. During the risk assessment process, all identified risks were communicated to Kaiser Permanente's Chief Information Officer (CIO) and information security officer. The risks identified in the process are given priority for mitigation activities, with the high risks addressed first.