RISK ASSESSMENT FOR HEALTH NETWORK INC

Introduction

Purpose

Institutions currently face many challenges in volatile environments, which leave businesses vulnerable to unforeseen and unpredictable forces that endanger their provision of services. The purpose of this risk assessment is to evaluate the adequacy of Health Network Inc's security. The assessment offers a structured qualitative assessment of the operational business environment. It also addresses sensitivity, risks, vulnerabilities, threats and safeguards (Fielder et al., 18). It also looks at the opportunities and risks of Health Network Inc. The risk assessment will also recommend policies and mitigation strategies to ensure that threats and exploitable vulnerabilities are managed.

Scope

The scope of the assessment is concentrated on the company's use of controls and resources to mitigate exploitable vulnerabilities. The scope of the evaluation also included all of Health Network Inc's critical assets, such as mobile devices, laptops, software, HNetExchange products, the HNetConnect web portals and the data centres (Fielder et al., 18). The scope also includes all the personnel, buildings and the different company facilities in all its branches. During the assessment, several existing documents were also leveraged. Some of the documents include relevant internal control reports from before the risk assessment and threat studies.

Company overview

Health Network Inc is a US-based company with headquarters in Minneapolis, Minnesota. The company offers many services but focuses mainly on three. HNetExchange is the first product that it provides. The company uses the tool to handle secure electronic medical messages between large customers such as hospitals and other customers such as clinics. It is a leading service provider in this category within the country. It also offers another service known as HNetPay. The service lets the company provide web portal services that secure payments. The product also allows it to offer diverse payment methods to clients. Lastly, it provides the HNetConnect platform, where clients can interact with their preferred physicians, whose profiles are uploaded in the database. The platform contains profiles for the clinics and hospitals, from which customers can easily select their preferred choice depending on their needs. These services are offered across the globe and other locations like Oregon, Arlington Virginia and Portland. The areas are also located near data centres managed by third parties.

Assessment steps

Several steps were taken during the assessment process. First, a list of all of Health Network Inc's vital resources was compiled, together with a short overview of the business (Fielder et al., 2018). The resources were also given a value depending on their risk vulnerability. Afterwards, using sequence testing tools, all threats to the vital resources were identified. Each weakness and how it can affect the company was described, and all the threats were categorized. A likelihood and severity rating was conducted for every risk, and a risk exposure rate was determined according to availability, confidentiality, accountability and integrity for all critical resources. For every identified risk, actions were recommended to bring the risk into a minimal range.

Risk assessment process

The risk assessment approach and methodology followed the Health Network Inc procedures adopted from the risk management guide for IT systems. The evaluation was comprehensive in its assessment and scope of security threats impacting integrity, availability and confidentiality (Fielder et al., 2018). The assessment supports appropriate security protection, permitting the institution's administration to make the right decisions on security-linked enterprises. The process also addresses technical and operational controls.

The pre-assessment phase explains the nature of the risk assessment. The risk evaluation offers an independent analysis to help management determine the relevant level of security needed for the systems to support the company's security plans (Hubbard, 2020). The review also gives the information required for the IT professionals and the other officers to make the right decisions about the company's operational system. The assessment was mainly based on technical reviews and the necessary interviews and documentation.

In the process, the risk register and risk log tools were used to identify threats. The tools are used to efficiently identify and group business risks according to the priority and impact of the threat. The tools also show how risks can influence the decisions of the board and stakeholders (Hubbard, 2020). The risk assessment also needs to group the risks thoroughly according to their impact and prevalence in the company. The process helps isolate highly substantial threats from those that do not have the same level of seriousness. It also assists in allocating enough resources, depending on severity, to curb the threats. Research has shown that organizations can assess threats in different ways, but the scoring approach is always the same, as it is simple to use during the risk assessment process (Kovačević et al., 2019). The scores are generally obtained via an ordinal scale calibrated from one to five, or a low-to-high rating scheme. Recent advances and the coming of risk matrix design will help in the assessment process and will illustrate the likelihood of the risks occurring and their impact (Kovačević et al., 2019).

The table below shows the risk assessment method used.

| Rate of the risk | Chances of occurring | Impact magnitude |
|---|---|---|
| 1 | Very unlikely | Negligible |
| 2 | Small | Small |
| 3 | Possible | Moderate |
| 4 | Likely | Severe |
| 5 | Very likely | Catastrophic |

During the process, the threats identified below were assessed using the matrix method. The risks were also calculated depending on the magnitude of the score and the possibility of the hazard occurring. The following table was also used.

| Risk Rating | Action |
|---|---|
| 0-9 | No action needed |
| 10-15 | Monitor for any change |
| 16-24 | Risk mitigation needed immediately. |

Risks found

Although Health Network Inc is a leading company in the provision and consumption of its services, it faces a lot of competition from other institutions in the same line of business. Thus, tough competition was one of the main risks that the company faces despite working hard to be a great service provider. Besides that, other risks were identified during the assessment. First, there was an increased loss of data because of hardware being removed from the production system. A lot of company information was also lost on company-owned assets, such as laptops and mobile devices, that were stolen or lost. The assessment also showed that the company continues to lose customers because of production outages caused by events like changes in management, unstable software and natural disasters. The company also faces a lot of insider threats, where employees use devices that are not secure and that can increase the vulnerability of company systems. Since the company can also be accessed through the internet, this also poses an internal threat, as the internet was not secure enough and could be used for phishing and botnet attacks. Lastly, there was a risk due to changes in the regulatory landscape that could impact the company's operations.

Risk description

Information loss due to company-owned assets being stolen or lost: the risk occurrence was ranked at number 5, meaning it was highly likely to occur, and its impact was also ranked at number 5 (Hubbard, 2020). The risk rating was given as level 20, meaning it needed immediate mitigation. This is because if the production system were lost, the organization would again lose its data and hardware components. Since it has several production houses with around 600 laptops costing slightly above $600 each, the company can have losses of approximately $360,000. Moreover, it would also mean that attackers could view patients' and doctors' transaction information and profiles, creating an added danger, since the data can be used for identity theft and to spread confidential information, making the company lose its credibility.

Loss of customers due to production outage: the threat occurrence was ranked at number three, meaning it was possible to occur. Its magnitude and impact were ranked at number 5, meaning that if it were to happen, it would be catastrophic (Kovačević et al., 2019). The risk rating came out at level 20, and thus it required an immediate mitigation plan.

Internet threats: the risk occurrence came at number 3, and thus it was highly possible to occur. Its impact came at number 4, meaning that it was severe (Kovačević et al., 2019). Since the institution can be accessed via the internet, attackers can use viruses to breach security settings and steal confidential information from computers. The attackers can also obtain the passwords that employees use to access the company's central servers, from where they can erase vital details.
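
An added example, not part of the original assessment: a small register check that scores the three risks described above against the two tables and reports scores the action bands do not cover, or that differ from the rating quoted in the text. It assumes the rating is likelihood multiplied by impact, which the assessment does not state explicitly; the class and function names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

# Action bands copied from the page's "Risk Rating / Action" table.
BANDS = [(0, 9, "No action needed"),
         (10, 15, "Monitor for any change"),
         (16, 24, "Risk mitigation needed immediately")]

@dataclass
class Risk:
    name: str
    likelihood: int                # 1-5, "Chances of occurring"
    impact: int                    # 1-5, "Impact magnitude"
    stated: Optional[int] = None   # rating quoted in the text, if any

def action_for(score):
    """Return the band action for a score, or None if no band covers it."""
    for low, high, action in BANDS:
        if low <= score <= high:
            return action
    return None

def uncovered_scores(scale=5):
    """Scores reachable on a scale x scale matrix that no band covers."""
    reachable = {l * i for l in range(1, scale + 1) for i in range(1, scale + 1)}
    return sorted(s for s in reachable if action_for(s) is None)

def review(register):
    """Score each risk, attach findings, and sort highest score first.
    ASSUMPTION: score = likelihood * impact."""
    rows = []
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.name}: ratings must be 1-5")
        score = r.likelihood * r.impact
        findings = []
        if action_for(score) is None:
            findings.append("score outside every action band")
        if r.stated is not None and r.stated != score:
            findings.append(f"stated rating {r.stated} != computed {score}")
        rows.append((r.name, score, action_for(score), findings))
    return sorted(rows, key=lambda row: row[1], reverse=True)

REGISTER = [  # likelihood, impact and stated rating as given in the text above
    Risk("Information loss from stolen or lost assets", 5, 5, stated=20),
    Risk("Loss of customers due to production outage", 3, 5, stated=20),
    Risk("Internet threats", 3, 4),
]

print(*review(REGISTER), sep="\n")
```

Running a check like this before the register is circulated catches band gaps and transcription differences while they are still cheap to resolve.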

Mitigation and control measures

Although the company has many existing solutions, such as installed cameras and CCTV that help monitor malicious activities and people within the organization, the company can also employ security personnel and invest in a biometric system for access to production areas (Goguen et al., 2017). Moreover, the company's culture is centred on its vision and mission. Because of this, customers are essential assets to the company. Thus, Health Network Inc should maintain consistency in meeting customers' needs. The risk from natural calamities that the institution can face can be countered by having backup systems and backup locations. The company also emphasizes ethical online behaviour, and all staff are encouraged to follow personal policies that will ensure online safety. Therefore, the company should try to invest in cyber insurance, since the market is expected to grow (Goguen et al., 2017). The cyber insurance will also protect the company's finances, which will ensure that it is safe from cyber-attacks from both systems and their associates.

Conclusion

In conclusion, the risk assessment has shown that Health Network Inc faces many threats, as described above. The risks have been discussed, and mitigation measures that can benefit the company have been provided. However, the company should take note of the risk of loss of company-owned assets, as it can lead to massive financial losses that can even lead to the collapse of the business. Besides that, irrespective of the increased competition, the company can continue to create policies that cater to internet and on-premise security, profitability and excellent outcomes for clients and doctors.

References

Fielder, A., König, S., Panaousis, E., Schauer, S., & Rass, S. (2018). Risk assessment uncertainties in cybersecurity investments. Games, 9(2), 34.

Goguen, A., Stoneburner, G., & Feringa, A. (2017). Risk management guide for information technology systems and underlying technical models for information technology security. Retrieved from https://www.amazon.com/Management-Information-Technology-Underlying-Technical/dp/0756731909

Hubbard, D. W. (2020). The failure of risk management: Why it's broken and how to fix it. John Wiley & Sons.

Kovačević, N., Stojiljković, A., & Kovač, M. (2019). Application of the matrix approach in risk assessment. Operational Research in Engineering Sciences: Theory and Applications, 2(3), 55-64.

Zou, Y., Kiviniemi, A., & Jones, S. W. (2017). A review of risk management through BIM and BIM-related technologies. Safety Science, 97, 88-98.