Residency Project
th@78- 3 – 4 Students per group
Situation:
Your team represents the IT leadership of a large healthcare organization that is preparing to purchase a smaller hospital group consisting of:
2 Metro hospitals (1 is a learning hospital, which means students are in scope)
3 Rural hospitals
2 Shared data centers (located within 5 miles of each other)
25 Physician practices
1 Lab
1 Coordinated business office
Your objective is to evaluate the sites prior to purchase from a risk and compliance standpoint, with a focus on access controls at both the logical and physical standpoint. Part of the agreement allows for your organization to thoroughly test the systems, which includes:
1 Electronic medical record (EMR) system
2 Mobile applications (1 has the ability to accept credit card payments)
5 External websites (1 has the ability to accept credit card payments)
3 Cloud based systems (1 Infrastructure as a service, 2 Software as a service)
Internet connectivity is not shared between the physician practices and main hospital locations
75 Patient care applications (25 developed internally)
500 Patient care devices
See individual assignments for deliverables (1 - 8) 
Residency Project #1
- Team Details (individual submission (everyone submit the same document))
- Document your roles in the organization (e.g., CIO, CISO, Architect, etc.)
- Develop job descriptions for each role, include a salary range
- Residency Project #22. Information Security Policy (individual submission)
- Select a best practice framework, review the control family recommendations and document a policy for the existing organization with the expectation that the new sites will follow the policy. Note: Still follow APA for this assignment, which may not be appropriate in an organization.
- Residency Project #33. Testing Methodology Policy and Procedure (individual submission)
- Research and document preferred testing methodologies for:
EMR, Mobile Apps, Patient Care devices, External websites, SDLC (hint: vulnerability scanning, penetration testing, medical device scanning, static code analysis, dynamic code analysis, etc.). - Research and document preferred remediation cycles for the in scope systems (hint: HIPAA, PCI, FERPA)
- Research and document preferred reporting cycles / methods for the in scope systems (hint: vulnerability metrics, such as CVSS, NVD). Note: Still follow APA for this assignment, which may not be appropriate in an organization.
- Research and document preferred testing methodologies for:
- Residency Project #44. Network Diagram (individual submission)
- Develop a proposed network diagram for after the purchase to aid in security and administration (reference required security controls in your policy) (You can use PowerPoint if you don’t have Vizio or another option).
- Residency Project #55. Physical Security Assessment Procedure (individual submission)
- Develop a physical security assessment plan for the new entity (reference this in your policy). Note: This can be a checklist.
- Residency Project #66. Project Plan (individual submission)
- Include timelines, expected level of efforts, RACI model, remediation expectations (if you decide to also use third party resources, you’ll need to estimate those costs since you have already created your own hourly rate).
- Residency Project #77. Risk Acceptance / Risk Tolerance Procedure (individual submission)
- Develop a method for leadership to receive risk details and determine appropriate risk actions.
- Residency Project #88. Final Presentation (individual submission)
- Summarize items 1 – 7 to present to the class
7 years ago
60
Answer(1)![blurred-text]()
Purchase the answer to view it
NOT RATED
PracticeFramework.docx
