Information Assurance Project

profilesloezh
Paper.docx

Everything in this paper needs to follow this order.

APA style needs to followed IN-TEXT CITATIONS AND REFERENCE PAGE!

Week 1 - Develop your network boundary based on the requirements provided, see Appendix A of the syllabus. Follow the assignment in Appendix A. *Use this diagram*

Network boundary created, provide a detailed network description of this network boundary.

Week 2 – Describe the security and privacy requirements for the network boundary. This is a physician’s office, so please describe the HIPAA security and privacy requirements you need to follow for your network boundary. Use the HIPAA, HiTech, and Omnibus Laws to help you create HIPAA security and privacy requirements.

Week 3 – We need to ensure the physician’s office is secure and the HIPAA data is protected. Read NIST SP 800-53 rev 4. How can this document help you ensure your physician’s office is secure? Out of the 18 control families, pick two control families and address the controls in complete sentences for your network boundary.

Week 4 – We need to ensure the network boundary is hardened. Please review the DOD STIG for Oracle 12. Select 20 controls and address how the Oracle server has been hardened in the physician’s office.

Week 5 – We are preparing for an audit of the system for HIPAA compliance. What are all of the documents we will need to have prepared for the upcoming audit? Please explain why each document is important. What scans should you run on the system, please describe the scan and on why systems the scan ought to be facilitated.

Week 6 – The auditors have finished their assessment. In Appendix B, we have the findings from the audit. Please address in detail how each finding should be mitigated. Match up each control to the SP800-53 control family and control number.

Week 7 – The physician’s office now wants to add tele-medicine to the functionality of their network. Explain in great detail, 500 words or more, how this will impact the physician’s office and what we need to do from an information assurance perspective. Make sure you include change management in this discussion.

Be sure to address each of the following:

· Use APA guidelines.

· Include at least 14 peer-reviewed sources.

· Include your responses to the tasks depicted in Appendices A and B.

· Add narrative transitions where appropriate.

· Incorporate what you have learned from the weekly Blackboard discussion questions.

· Use your hypothetical physician’s office network diagram as an example throughout your paper.

· Include a Table of Contents.

· Include a References section in the back.

· Conclude your project with a 500-word narrative explaining why information security is important in the Healthcare field.

APPENDIX A

Information Assurance Project

In order to understand the practical impact of Information Assurance, we will work on a project over the next 8 weeks. One of the major requirements in information assurance is documentation and being able to articulate your understanding of a security requirement or control. Please design a network for a hypothetical physician’s office and provide a network description with the following:

*SEE ATTACHMENT FOR ALL INSTRUCTIONS*

1 Server with Scheduling software (pick one)

1 Server for billing (pick one)

1 Server with a data base for patient data – _Oracle 12

1 Server for email – _Microsoft Exchange Email

The office has 10 patient rooms with a desktop in each room running Windows 10 for the OS

The office is based on wireless networking with TCP/IP.

There are two doctors in this office.

This office has an Internet connection to the mother company.

The network boundary for this assignment is just this physician’s office.

In your network description please provide the following:

Describe the purpose of this network.

Describe the network and equipment, the servers and the software in place.

Describe the security you have in place.

APPENDIX B

The auditors have completed their assessment. The following are the findings determined during the audit. Please address in detail how each finding should be mitigated.

Identified Vulnerability

Identify the Matching Control in the SP 800-53 – _Control Family and Control Number

What would be the appropriate mitigations?

1. People can gain physical access to the physician’s office without anyone checking ID.

2. The server room does not have a lock on the door.

3. There are default admin accounts with elevated privileges.

4. The receptionist of the office provided the password to the server via an inbound phone call.

5. There are unused open ports on all of the servers.

6. The scheduling software shows verbose code.

7. There is no encryption on the network. PHI/PII data is sent over the wireless network in clear text.

8. The PHI/PII data on the database server resides on unencrypted drives.

9. In an interview with the Nurse, she stated there is no training for HIPAA Security or Privacy provided.

10. On the desktops, there are Microsoft vulnerabilities in the Windows 10 OS which have not been patched.

11. The auditor watched an employee make changes to the Oracle server without following change management.