Assignment - Project 1 - Task2
Information Security and Risk Management Risk Management Plan
Executive Summary
Health Network, Inc. is a health organization headquartered in Minneapolis, Minnesota, with over 600 employees across the organization and $500 (USD) in annual revenue. The company also has two additional locations, in Portland and Virginia; each of those facilities is located near a co-location data center where the production systems are hosted and managed by third-party data center hosting vendors. HNetPay is a web portal used by most of the company's customers to manage secure payments and billing. The portal is hosted at Health Network's production sites; it accepts various forms of payment and interacts with credit-card processing organizations in the same way as a web commerce shopping cart. HNetExchange is the major source of company revenue. This service handles secure electronic medical messages originating from customers such as large hospitals and routes them to the receiving customers, such as clinics. The third product, HNetConnect, is an online directory listing doctors, clinics and other medical facilities so that customers can find the right type of care and location. It contains personal information about doctors, their work addresses, certifications, and the types of specialized services the doctors and their clinics offer. Doctors can update their credentials and clinic information on the website. The three products are integrated so that, over HTTPS connections, doctors and potential patients can make payments over the internet.
Risks - Threats – Weaknesses within each domain
User Domain
Risk: Loss of customers
Threat: Loss of customers due to production outages caused by various events such as natural disasters, changes in management and unstable software.
Weakness: The company faces stiff competition because other companies offer similar services.
Risk: Regulatory risk
Threat: Changes in the regulatory landscape that may impact the normal operations of the company.
Weakness: The laws governing the industry might change and render some activities of the company illegal.
Risk: Destruction of data
Threat: A botnet is a network of zombie computers that performs large-scale malicious acts for the creator of the botnet.
Weakness: The company is exposed to botnets because bot-controlled machines can pretend to be customers on the websites.
Workstation Domain
Risk: Loss of data
Threat: Loss of company information due to loss or theft of company-owned assets such as mobile devices and laptops.
Weakness: The company allows employees to use laptops and mobile devices for personal purposes.
Risk: Physical damage
Threat: Physical damage to computers and mobile devices, such as breakage and wear.
Weakness: The laptops and mobile devices used in the company are delicate and are prone to damage when handled without care.
Risk: Damage to data
Threat: A Trojan horse is malicious software that pretends to be harmless so that the user willingly downloads and installs it on the computer.
Weakness: Employees might have knowledge gaps about which software is safe to install and end up allowing a Trojan horse into the system.
LAN Domain:
Risk: External attacks on data
Threat: Internet threats due to company products being accessible on the internet.
Weakness: Most of the company's products are only accessible via the internet, and criminals can pretend to be customers.
Risk: Internal attack on data
Threat: Threats caused by insiders such as employees or management staff who may compromise the security of the system.
Weakness: Some employees might have the opportunity to give out vital information to criminals.
WAN-to-LAN Domain
Risk: Accessibility concerns
Threat: Changes in broadband network settings across the industry that make the existing systems outdated.
Weakness: Customers might experience difficulties logging into the system due to slow or weak connections.
Risk: Illegal data access
Threat: Keystroke logging, or keyboard capturing, which is the action of recording ("logging") the keys pressed on a computer keyboard.
Weakness: Some employees can gain access to information available only to senior employees if they obtain the credentials illegally.
WAN Domain
Risk: Mass destruction of data
Threat: Malware is software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems.
Weakness: The company does not have effective mechanisms to deal with the threat of viruses, and they can cause great damage before being eliminated.
Risk: Illegal access to data
Threat: Privilege escalation is the exploitation of bugs within a system to gain access to resources with higher privileges, bypassing security controls.
Weakness: Confidential information might be accessed by employees who use crafty methods and then leaked outside the company.
Remote Access Domain
Risk: Damage to data
Threat: A Trojan horse is malicious software that pretends to be harmless so that the user willingly downloads and installs it on the computer.
Weakness: Employees might have knowledge gaps about which software is safe to install and end up allowing a Trojan horse into the system.
Risk: Loss and destruction of data
Threat: Computer viruses are programs that replicate their structures or effects by infecting other files or structures on computers.
Weakness: The company is using old firewalls that might be allowing viruses into the system.
System/Application Domain
Risk: Destruction of data
Threat: Computer worms are malicious programs that can replicate themselves throughout the computer network and can be used to steal data from a company.
Weakness: The firewalls in the LAN-to-WAN Domain are outdated, and thus computer worms can get into the system.
Risk: Loss of data
Threat: Loss of company data due to hardware being removed from the production systems.
Weakness: The company has loose security checks on employees when they leave and arrive at work.
Compliance Laws and Regulations
1. 21st Century Cures Act. This seeks to improve the flow and exchange of electronic health information; it relates to advancements in interoperability, prohibits information blocking, and enhances the security of health IT.
2. MACRA. The Medicare Access and CHIP Reauthorization Act, which is in the interests of clinicians who had long been threatened by the Sustainable Growth Rate formula.
3. HITECH Act. The Health Information Technology for Economic and Clinical Health Act provides the authority to establish programs to improve healthcare quality, safety, and efficiency through the promotion of IT.
4. FDASIA Act. The Food and Drug Administration Safety and Innovation Act contains a proposed strategy and recommendations for an appropriate, risk-based regulatory framework for health IT, including mobile applications, and protects patient safety.
5. Affordable Care Act. This establishes comprehensive healthcare insurance reforms in order to increase access to healthcare, improve quality and lower costs while still protecting consumers.
Risk – Threat – Weakness | Domain Impacted
Risk: Loss of data. Threat: Loss of company data due to hardware being removed from the production systems. Weakness: The company has loose security checks on employees when they leave and arrive at work. | System/Application Domain
Risk: Loss of data. Threat: Loss of company information due to loss or theft of company-owned assets such as mobile devices and laptops. Weakness: The company allows employees to use laptops and mobile devices for personal purposes. | Workstation Domain
Risk: Loss of customers. Threat: Loss of customers due to production outages caused by various events such as natural disasters, changes in management and unstable software. Weakness: The company faces stiff competition because other companies offer similar services. | User Domain
Risk: External attacks on data. Threat: Internet threats due to company products being accessible on the internet. Weakness: Most of the company's products are only accessible via the internet, and criminals can pretend to be customers. | LAN Domain
Risk: Internal attack on data. Threat: Threats caused by insiders such as employees or management staff who may compromise the security of the system. Weakness: Some employees might have the opportunity to give out vital information to criminals. | LAN Domain
Risk: Regulatory risk. Threat: Changes in the regulatory landscape that may impact the normal operations of the company. Weakness: The laws governing the industry might change and render some activities of the company illegal. | User Domain
Risk: Destruction of data. Threat: A botnet is a network of zombie computers that performs large-scale malicious acts for the creator of the botnet. Weakness: The company is exposed to botnets because bot-controlled machines can pretend to be customers on the websites. | User Domain
Risk: Loss and destruction of data. Threat: Computer viruses are programs that replicate their structures or effects by infecting other files or structures on computers. Weakness: The company is using old firewalls that might be allowing viruses into the system. | Remote Access Domain
Risk: Destruction of data. Threat: Computer worms are malicious programs that can replicate themselves throughout the computer network and can be used to steal data from a company. Weakness: The firewalls in the LAN-to-WAN Domain are outdated, and thus computer worms can get into the system. | Application Domain
Risk: Mass destruction of data. Threat: Malware is software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. Weakness: The company does not have effective mechanisms to deal with the threat of viruses, and they can cause great damage before being eliminated. | WAN Domain
Risk: Physical damage. Threat: Physical damage to computers and mobile devices, such as breakage and wear. Weakness: The laptops and mobile devices used in the company are delicate and are prone to damage when handled without care. | Workstation Domain
Risk: Accessibility concerns. Threat: Changes in broadband network settings across the industry that make the existing systems outdated. Weakness: Customers might experience difficulties logging into the system due to slow or weak connections. | LAN-to-WAN Domain
Risk: Illegal data access. Threat: Keystroke logging, or keyboard capturing, which is the action of recording ("logging") the keys pressed on a computer keyboard. Weakness: Some employees can gain access to information available only to senior employees if they obtain the credentials illegally. | LAN-to-WAN Domain
Risk: Damage to data. Threat: A Trojan horse is malicious software that pretends to be harmless so that the user willingly downloads and installs it on the computer. Weakness: Employees might have knowledge gaps about which software is safe to install and end up allowing a Trojan horse into the system. | Remote Access Domain
Risk: Illegal access to data. Threat: Privilege escalation is the exploitation of bugs within a system to gain access to resources with higher privileges, bypassing security controls. Weakness: Confidential information might be accessed by employees who use crafty methods and then leaked outside the company. | WAN Domain
Table 1
Figure 1