You are a systems administrator in the IT department of a major metropolitan hospital. Your duties are to ensure the confidentiality, availability, and integrity of patient records, as well as the other files and databases used throughout the hospital. Your work affects several departments, including Human Resources, Finance, Billing, Accounting, and Scheduling. You also apply security controls on passwords for user accounts. Just before clocking out for the day, you notice something strange in the hospital’s computer system. Some person, or group, has accessed user accounts and conducted unauthorized activities. Recently, the hospital experienced intrusion into one of its patient’s billing accounts. After validating user profiles in Active Directory and matching them with user credentials, you suspect several user’s passwords have been compromised to gain access to the hospital’s computer network. You schedule an emergency meeting with the director of IT and the hospital board. In light of this security breach, they ask you to examine the security posture of the hospital’s information systems infrastructure and implement defense techniques. This must be done quickly, your director says. The hospital board is less knowledgeable about information system security. The board makes it clear that it has a limited cybersecurity budget. However, if you can make a strong case to the board, it is likely that they will increase your budget and implement your recommended tool companywide. You will share your findings on the hospital’s security posture. Your findings will be brought to the director of IT in a technical report. You will also provide a nontechnical assessment of the overall identity management system of the hospital and define practices to restrict and permit access to information. You will share this assessment with the hospital board in the form of a narrated slide show presentation. You know that identity management will increase the security of the overall information system’s infrastructure for the hospital. You also know that, with a good identity management system, the security and productivity benefits will outweigh costs incurred. This is the argument you must make to those stakeholders.
Please use the attached template to assist with writing this report
Daily life requires us to have access to a lot of information, and information systems help us access that information. Desktop computers, laptops, and mobile devices keep us connected to the information we need through processes that work via hardware and software components. Information systems infrastructure makes this possible. However, our easy access to communication and information also creates security and privacy risks. Laws, regulations, policies, and guidelines exist to protect information and information owners. Cybersecurity ensures the confidentiality, integrity, and availability of the information. Identity management is a fundamental practice. Part of identity management is the governance of access, authorization, and authentication of users to information systems, Identity management is one part of a layered security defense strategy within the information systems infrastructure. Your work in this project will enable you to produce a technical report and nontechnical presentation that addresses these requirements.
Step 1: Defining the Information System Infrastructure.
Select a hospital or healthcare organization to research. You may choose an organization you are familiar with or can readily obtain information about. To maintain confidentiality, you do not need to mention the name of the organization. You may also choose a hypothetical/fictitious healthcare organization.
Others have researched several healthcare organizations, which have suffered major security breaches, extensively.
- Describe the organization and structure including the different business units and their functions. You may use an organizational chart to provide this information.
- Choose one or more mission-critical systems of the healthcare organization. Define the information protection needs for the organization’s mission-critical protected health information (PHI). This information is stored in database medical records for doctors, nurses, and insurance claims billing systems, which are used to fulfill the organizational information needs.
- Define the workflows and processes for the high-level information systems that you have just identified that will store PHI. Workflows and processes for healthcare organizations define how the organization gets its work done. They describe the movement of patient information to the business units that have needs to process and manage that information, from billing to physician care. All these organizations have hardware and software implementations of their information systems, and it is critical to understand these components, and how they are connected (known as their topology), so the appropriate protections can be applied. Your research may produce instances and examples of how an information system is connected, to include cybersecurity components like firewalls, in the information system and network diagram. Be sure you understand the benefits and weaknesses for the different network topologies.
You may incorporate what you find in your research, in your definition for workflows and processes for the high-level information systems and provide explanation of how that topology fulfills the mission for the health care organization. Your definition should include a high-level description of information systems hardware and software components and their interactions. Take time to read the following resources. They will help you construct your definition.
- Information systems hardware
- Information systems software
You may supply this information as a diagram with inputs, outputs, and technologies identified. Consider how you might restrict access and protect billing and PHI information.
- The links shown below provide access to essential information you’ll need to complete this part of the hospital’s information system infrastructure definition. Click each link, review its resources, and refer to them as you compose this part of the definition.
- Open Systems Interconnections (OSI) Model
- TCP/IP protocols
- network protocols
You will include these definitions in your report.
2. Step 2: Threats
Now that you have defined the hospital’s information system infrastructure, you will have to understand what the threats to those systems are and describe the types of measures that could address those threats. In this section, you will learn about different types of identity access management solutions and how they protect against the threat of unauthorized access.
To complete this section of the report, you’ll brush up on your knowledge of threats by reading the following resources: web security issues, insider threats, intrusion motives/hacker psychology, and CIA triad. Take what you learned from these resources to convey the threats to the hospital’s information systems infrastructure. Include a brief summary of insider threats, intrusion motives, and hacker psychology in your report as it relates to your hospital data processing systems. Relate these threats to the vulnerabilities in the CIA triad.
This section of your report will also include a description of the purpose and components of an identity management system to include authentication, authorization, and access control. Include a discussion of possible use of laptop devices by doctors who visit their patients at the hospital, and need access to hospital PHI data. Review the content of the following resources. As you’re reading, take any notes you think will help you develop your description.
- Authorization
- Access control
- Passwords
- Multi-factor authentication
Next, expand upon your description. Define the types of access control management to include access control lists in operating systems, role-based access controls, files, and database access controls. Define types of authorization and authentication and the use of passwords, password management, and password protection in an identity management system. Describe common factor authentication mechanisms to include multi-factor authentication.
You will include this information in your report.
Steps 3 – Introduce password management
Step 4 – I will it do myself
Step 5: The Technical Report and Executive Summary
The technical report and the nontechnical presentation will identify compromises and vulnerabilities in the information systems infrastructure of the healthcare organization, and identify risks to the organization’s data. You will propose a way to prioritize these risks and include possible remediation actions.
The technical report: Provide recommendations for access control and authentication mechanisms to increase the security within the identity management system. Review the mission and organization structure of this healthcare organization. Review the roles within the organization, and recommend the accesses, restrictions, and conditions for each role. Present these in a tabular format as part of your list of recommendations.
Provide a comparison of risk scenarios to include the following:
- What will happen if the CIO and the leadership do nothing, and decide to accept the risks?
- Are there possible ways the CIO can transfer the risks?
- Are there possible ways to mitigate the risks?
- Are there possible ways to eliminate the risks?
- What are the projected costs to address these risks?
Provide an overall recommendation, with technical details to the director of IT.
The executive summary: In addition to your technical report, also create a nontechnical report as an executive summary.
The deliverables for this project are as follows:
- Technical report: Your report should be a 6-7 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations.
- Executive summary: This should be a 2-3 page double-spaced Word document.
- In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.
Project Recommendation
You need to assume the role of an IT employee in an organization, develop the topics, and provide analysis/recommendations.
Please keep in mind that the purpose of Project 1 (and most of the subsequent projects) is for you to learn/practice providing technical advice/recommendations to the management of your organization in regard to cybersecurity. Although best practices and general recommendations are fine, you need to provide specific/actionable recommendations. Often, the non-technical managers rely on the technical expertise of their IT personnel. Many times you will find yourselves in the need to analyze and recommend products that would help your company to strengthen their security posture. In industry, this type of specific/concrete information helps them make decisions and allocate funds/resources as needed.
As you have learned, Project 1 discusses identity management topics. So, in addition to the topics as per outline, part of the message to your organization needs to include a compare/contrast analysis of the tools you’ve learned in your lab. Assuming that the IM of your company is weak, how do you tell management that these tools could enhance their security in relation to IM? Which one would you recommend and why?
Please include the above analysis in your technical report (at a detailed level), and summarize it in your executive summary and non-technical presentation.