
ISOL-533-05: Information Security & Risk Management

Final Project Paper

Vasavya Atluri

University of the Cumberlands

Dr. Amelia Philips

Executive Summary

ProMed Insurance manages a variety of sensitive data: covered health information, contact details, electronic medical records, health insurance IDs, names, addresses, credit card numbers, and Social Security numbers. This makes ProMed an attractive target for hackers and cybercriminals. Because three companies are being merged, the acquiring company faces a greater risk of breach from its expanded cyber footprint. This paper discusses the threats and vulnerabilities ProMed may be subject to and proposes a new risk assessment plan together with a risk mitigation plan. A business impact analysis is conducted and a business continuity plan is discussed, followed by a disaster recovery plan and a computer incident response team plan for ProMed. The risk assessment methods and approaches used are also discussed.

Introduction

ProMed Insurance offers specialized health insurance and is headquartered in Seattle, Washington, with $900 million in annual revenue. It has over 1,000 employees and offices in five other locations: Portland, Oregon; Phoenix, Arizona; Los Angeles, California; Boise, Idaho; and Las Vegas, Nevada.

ProMed Insurance, Inc. operates three lines of business: ProMed Records, ProMed Finance, and ProMed Connect. ProMed Records handles the medical data of large and small institutions such as hospitals, research facilities, and small clinics. It also lets clients and patients access their records, share their personal health information with doctors, and communicate with doctors via email and similar channels. ProMed Finance handles PCI data, including credit and debit card information and various payment methods, and offers reliable and flexible spending plans; it also connects hospitals, clinics, and patients with insurance coverage. ProMed Connect helps patients and clients find doctors, clinics, and practitioners in their network and provides the specializations and background of each professional.

ProMed Insurance's information technology network has corporate data centers at all six of its locations. There are over 2000 data center systems and about 700 laptops and other devices, such as corporate mobile phones and tablets, that health agents use to record patient information. To protect ProMed's sensitive information, especially PII, PCI, and PHI data, all of these devices must be protected from insider and outsider threats.

Each of the three companies currently has its own risk assessment, but the merger necessitates a new one. In this paper, I discuss a new risk assessment plan that can be employed, starting with the threats identified, the risk assessment approach that can be considered, and the risk assessment methods that can be used.

Threats – Vulnerabilities in ProMed

It is important to understand the top security threats and vulnerabilities that affect health insurance and healthcare systems, and then to study the risks that may exist in the merged company.

Ransomware:

Ransomware is malware that infects systems and encrypts files, rendering them inaccessible until a ransom is paid. When this happens inside a healthcare enterprise, essential procedures slow down or become entirely inoperable. Hospitals are then forced back to pen and paper, which slows processes and consumes funds that could otherwise have gone toward modernizing the infrastructure (Kleyman, 2019).

For example, on July 8, 2019, Premier Family Medical in Utah was breached by cybercriminals: the protected health information (PHI) of more than 300,000 patients was compromised in a ransomware attack that restricted access to patient information and to several network systems.

Ransomware is generally delivered in three ways: a phishing email carrying a malicious attachment, a user clicking a malicious hyperlink, and a user viewing an advertisement that carries malware (malvertising). Ever-evolving variants, techniques, and strategies make it hard for security professionals to keep up. Additionally, ransomware as a service (RaaS) makes it easy for anyone with little or no technical skill to launch ransomware attacks against companies (CIS, 2019).

Theft of IT:

Theft of IT can take the form of a lost or stolen laptop or a person copying a sensitive document onto a USB drive. The risk is mitigated by detecting the theft quickly. Basic security practices prevent simple errors: lock workstations when unattended and make sure endpoints are properly locked down. Prevent outsiders from connecting external devices or USB drives unless the IT team has cleared them. Physical security and cybersecurity are equally important, and all employees should be trained in workplace security practices (CIS, 2019).

PII/PHI Data Loss: 

The value of healthcare information continues to grow, and losing any quantity of data is damaging. In the healthcare industry, breaches can involve credential-stealing malware, an insider who purposefully or accidentally discloses patient information, or lost laptops and other devices. Most of the time, data loss comes from poorly secured machines and poor information storage practices. There are also continual challenges in how personnel are permitted to keep data on their personal devices. Proper security practices can substantially reduce the threat of data loss. Personal health information is worth more than credit card credentials or ordinary personally identifiable information (PII), so cybercriminals have a greater incentive to target clinical databases in order to sell the PHI or use it for their own gain (CIS, 2019).

DDoS Attacks: 

Distributed denial of service (DDoS) attacks are a popular method cybercriminals use to overwhelm a network to the point of inoperability. This poses a serious threat to health insurance and healthcare companies, which must be able to access their systems to provide proper patient care and need Internet access to retrieve email, prescriptions, statistics, and records (CIS, 2019).

Insider Threats: 

Insider threats range from compromised users and careless users, who are involved involuntarily, to malicious users, who are a deliberate threat. Anthem's insider incident, in which the personal data of over 18,000 Medicare members was stolen, is a clear example of a malicious user. Anthem learned that an employee had been misusing Medicare member data, including Medicare ID numbers, Social Security numbers, health plan IDs, names, and dates of enrollment. The employee reportedly emailed a file containing the data to his personal email account. It is advisable to train employees on how to recognize and report an insider threat and how to avoid inadvertently becoming one (LeBlanc, 2018).

While there are many other threats, such as cryptojacking and the compromise of IoT devices into botnets, the threats above are among the most severe and frequent cybersecurity threats experienced by the healthcare industry.

Risk Assessment, Risk Mitigation, BIA and BCP for ProMed

Risk assessment, risk mitigation, and business impact analysis are used by companies to analyze how much they could gain or lose under certain circumstances. The analysis considers worst-case situations and involves understanding the rate and kind of expected costs while conditions within the organization stay constant. Organizations use business impact analysis and risk assessment to gauge the operational and economic costs they could incur from disruptions, including political conflicts or financial crises.

Risk Assessment approach for ProMed

Like any organization, ProMed is subject to various internal and external risks, and it handles PCI, PHI, and PII data. ProMed Records handles hospital, clinic, and client information, while ProMed Finance handles payment card details and insurance plan information. Exposure to internal and external threats hinders the organization's ability to provide its stakeholders and investors with the expected returns. Some of the internal and external risks identified for ProMed are discussed here. Internal risks can be grouped into human-factor, technological, and physical threats. Human-factor risks include unintentional human error, employee strikes, dishonest or disloyal employees, ineffective leadership, and failures by external producers or suppliers. Technological risks arise from unexpected changes in how a product is produced or delivered, or from modifications to the distribution of the organization's product or service. Specific technical threats ProMed may face include the use of outdated operating systems and compromised information systems. Physical risks arise from the loss of or damage to company assets.

While internal risks can be controlled with a proper risk mitigation plan, external risks are hard to control. They are hard to address because organizations cannot control the external events that give rise to them and lack the resources to forecast such issues reliably. External threats include economic, natural, and political factors. Economic risk occurs when market conditions change. Natural risk arises from natural disasters, which can affect regular business operations and damage infrastructure, buildings, and products. Political risks relate to changes in governments and their policies, which are beyond an organization's control.

Qualitative risk assessment: This consists of methods for ranking the identified risks so that the necessary actions are taken to mitigate them. The priority of each identified risk is assessed from its likelihood of occurrence, the project's risk tolerance, the project's time frame, and the effect of the uncertainty on the project's objectives. ProMed can also draw on historical data from similar past projects, including details of specific risk events, to guide the assessment.

Quantitative risk assessment: This assessment is conducted on the risks that the qualitative analysis prioritized. Risks are rated by their impact on the project, whether realized or potential. The primary objective is to quantify risks in terms of their time and cost impact (Rausand, 2013). With quantitative analysis, ProMed can perform value-for-money analysis and design the key terms of a contract.
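The following Python script is an added illustration (not part of this paper) of how the qualitative and quantitative steps above fit together: each register entry gets a likelihood x impact score on a 5x5 matrix for the qualitative pass, and the prioritized entries are then costed with the standard annualized loss expectancy formula, ALE = SLE x ARO, which the paper does not name. A control's net benefit is the ALE before the control minus the ALE after it minus the control's annual cost. The register entries, dollar values, event frequencies, and the priority bands are constructed assumptions made for the example.

```python
"""Qualitative and quantitative risk scoring for a small risk register.

Added illustration, not part of the ProMed paper. The register entries
below are constructed sample data; the dollar figures and frequencies are
assumptions for the sake of the example. Quantitative scoring uses the
standard annualized loss expectancy formula, ALE = SLE * ARO.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Qualitative scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str          # key into LIKELIHOOD
    impact: str              # key into IMPACT
    asset_value: float       # dollars at risk if the event occurs
    exposure_factor: float   # fraction of asset_value lost per occurrence (0..1)
    aro: float               # annualized rate of occurrence (events per year)


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the 5x5 matrix; range 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(score: int) -> str:
    """Bucket a matrix score into a priority band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def single_loss_expectancy(risk: Risk) -> float:
    """SLE: dollars lost in one occurrence."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE * ARO: expected dollars lost per year."""
    return single_loss_expectancy(risk) * risk.aro


def control_benefit(risk: Risk, annual_control_cost: float, aro_after: float,
                    ef_after: Optional[float] = None) -> float:
    """Net annual benefit of a control: ALE before - ALE after - control cost.
    A positive result means the control pays for itself."""
    ef = risk.exposure_factor if ef_after is None else ef_after
    ale_after = risk.asset_value * ef * aro_after
    return annualized_loss_expectancy(risk) - ale_after - annual_control_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Qualitative pass: rank by matrix score, then by ALE to break ties."""
    return sorted(risks,
                  key=lambda r: (qualitative_score(r), annualized_loss_expectancy(r)),
                  reverse=True)


# Constructed sample register for the example (all values are assumptions).
REGISTER = [
    Risk("ransomware on ProMed Records file servers", "likely", "severe", 2_000_000, 0.40, 0.5),
    Risk("lost or stolen agent laptop with PHI", "almost certain", "moderate", 250_000, 0.60, 3.0),
    Risk("DDoS against ProMed Connect portal", "possible", "major", 500_000, 0.10, 2.0),
    Risk("insider exfiltration of member data", "unlikely", "severe", 1_500_000, 0.30, 0.2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        s = qualitative_score(r)
        print(f"{r.name:45s} score={s:2d} ({rating(s):6s}) "
              f"ALE=${annualized_loss_expectancy(r):,.0f}")
    laptop = REGISTER[1]
    # Full-disk encryption (assumed $40k/yr) does not stop laptops being lost,
    # so the ARO stays at 3.0, but it cuts the exposure factor to near zero.
    print("FDE net annual benefit:",
          control_benefit(laptop, 40_000, aro_after=3.0, ef_after=0.05))
```

Running the script ranks the ransomware entry first on the matrix even though the laptop entry has the higher ALE, which is the point of doing the qualitative pass before the quantitative one: the two views disagree, and the quantitative figures are what justify spending on a control such as disk encryption.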

Risk Mitigation

Mitigating organizational and security risks: The best practice for managing ProMed's internal and external threats is to mitigate regulatory risks. To mitigate internal threats, ProMed must limit its exposure to human-factor, technological, and physical hazards. External risk is hard to reduce, but credit insurance can help protect ProMed against some external dangers. ProMed can mitigate some internal and external threats by safeguarding its sensitive data. It is always a good idea to track and audit internal files and data that contain confidential information. Since an insider attack is too easy for a disgruntled employee to carry out, ProMed needs to monitor employee access habits and data/file transfer traffic to determine whether an access is everyday user activity or potential malicious data theft (Meyer, 2016).
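As an added example (not from the paper or any vendor tool) of the monitoring this paragraph and the Anthem case above describe, the following Python script runs two checks over constructed audit-log lines: outbound mail from the corporate domain to a personal webmail domain carrying a large attachment, and a user whose daily record-access count is far above that user's own historical baseline. The log layout, the corporate domain promed.example, the webmail domain list, and the thresholds are all assumptions made for the illustration; a real deployment would read the mail gateway's and file server's actual audit formats.

```python
"""Flag possible insider data theft from constructed audit-log lines.

Added example, not from the ProMed paper or any vendor product. The log
format, field names, personal-webmail domain list and thresholds are
assumptions made for the illustration.

Two checks, matching the paper's advice to watch data/file transfer traffic
and access habits:
  1. Outbound mail with an attachment to a consumer webmail domain (the
     pattern in the Anthem insider case).
  2. A user whose daily record-access count is far above that user's own
     historical baseline (mean + 3 standard deviations of the other days).
"""
from __future__ import annotations
import csv
import io
import statistics
from collections import defaultdict

# Assumption: domains treated as personal, non-corporate mail.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
CORPORATE_DOMAIN = "promed.example"   # assumed corporate mail domain

# Constructed mail-gateway log: timestamp,sender,recipient,attachment_bytes
MAIL_LOG = """\
2019-07-08T09:12:04,jdoe@promed.example,claims@partnerhospital.example,18204
2019-07-08T17:55:31,rsmith@promed.example,rsmith.private@gmail.com,4120000
2019-07-09T08:01:10,rsmith@promed.example,rsmith.private@gmail.com,0
2019-07-09T11:30:00,akim@promed.example,akim@promed.example,910000
"""

# Constructed file-server audit log: date,user,records_accessed
ACCESS_LOG = """\
2019-07-01,rsmith,140
2019-07-02,rsmith,155
2019-07-03,rsmith,132
2019-07-05,rsmith,148
2019-07-08,rsmith,2600
2019-07-01,jdoe,300
2019-07-02,jdoe,310
2019-07-03,jdoe,295
2019-07-08,jdoe,305
"""


def flag_personal_webmail(mail_log: str, min_bytes: int = 100_000) -> list[dict]:
    """Outbound messages from the corporate domain to a personal webmail
    domain that carry an attachment of at least min_bytes."""
    hits = []
    reader = csv.DictReader(io.StringIO(mail_log),
                            fieldnames=["ts", "sender", "recipient", "attachment_bytes"])
    for row in reader:
        if not row["sender"].lower().endswith("@" + CORPORATE_DOMAIN):
            continue  # inbound or third-party mail is out of scope here
        rcpt_domain = row["recipient"].rsplit("@", 1)[-1].lower()
        if rcpt_domain in PERSONAL_DOMAINS and int(row["attachment_bytes"]) >= min_bytes:
            hits.append(row)
    return hits


def flag_access_anomalies(access_log: str, k: float = 3.0) -> list[tuple[str, str, int]]:
    """(date, user, count) entries where count exceeds the user's own
    mean + k * stdev, computed over that user's other logged days."""
    per_user: dict[str, list[tuple[str, int]]] = defaultdict(list)
    reader = csv.DictReader(io.StringIO(access_log), fieldnames=["date", "user", "count"])
    for row in reader:
        per_user[row["user"]].append((row["date"], int(row["count"])))
    hits = []
    for user, days in per_user.items():
        for date, count in days:
            baseline = [c for d, c in days if d != date]
            if len(baseline) < 3:
                continue  # not enough history to call anything anomalous
            mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
            # floor sd at 1 so a perfectly flat baseline still yields a threshold
            if count > mean + k * max(sd, 1.0):
                hits.append((date, user, count))
    return hits


if __name__ == "__main__":
    for h in flag_personal_webmail(MAIL_LOG):
        print("mail:", h["ts"], h["sender"], "->", h["recipient"], h["attachment_bytes"], "bytes")
    for d, u, c in flag_access_anomalies(ACCESS_LOG):
        print("access:", d, u, c, "records")
```

In the sample data the same user trips both checks on the same day, which is the kind of correlation that turns two low-confidence alerts into a case worth escalating; a single large mailing to a webmail address on its own is common enough that the baseline comparison is what makes the alert actionable.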

Training ProMed employees: Every organization should educate its employees on security risk factors. Organizations that do not train their staff, particularly on security, are exposed to serious risks. Security training will help ProMed shape employee behavior, mitigate risks, and enforce compliance. Security risk training helps protect assets, prevents downtime, empowers employees, increases adoption, and instills proactive practices, because everyone in the organization is on the same page when it comes to mitigating security risks.

Business Impact Analysis

The business impact analysis helps ProMed determine the necessary recovery levels, tolerances, and time frames. It helps ProMed analyze the external and internal environment and what would be affected by a significant disruption. The method uses data from authoritative sources, including the human environment, legal requirements, market data, and company accounts, to analyze the losses a significant disruption would cause. Risk assessment, by contrast, focuses on identifying the potential risks that could affect the business, and so helps ProMed devise strategies and controls to mitigate the consequences of the risks identified. The main drawback of business impact analysis and risk assessment is that they are costly to conduct, and risk assessment depends on business impact analysis to classify and measure risks. ProMed should focus on creating a workplace road map or designing software that will help it conduct a risk assessment without relying on business impact analysis.

Business Continuity Plan

Improving the BCP: Enhancing the business continuity plan starts with enhancing quality and productivity. ProMed should continually revisit its business impact analysis (BIA) to determine which risk management plans are essential and which are not; this also determines which disaster recovery programs should be implemented. Another way to improve the effectiveness and quality of an organization's BCP is to review and update it regularly, so that information can be corrected when required, which improves effectiveness in a disaster or disruption. The inherent risk in a BCP relates to two factors: the recovery time objective of the recovery plan and the threat environment of the business unit. The recovery time objective is the amount of time spent trying to recover after a disruption, that is, the time needed to restore the company's programs, methods, or functionality (Herrera, 2017), and it reflects the criticality of the organization's processes. The threat landscape identifies the various threats a recovery plan may face, ranging from location to technology. The BCP's inherent risk is also the starting point for calculating residual risk.

DRP and CIRT for ProMed

A disaster recovery plan (DRP) protects the organization against unexpected internal and external threats. The DRP helps the organization recover from a catastrophic event as quickly as possible and resume all operations, while the CIRT is the computer incident response team that defends the organization against attacks. Having a disaster recovery plan is a requirement for health insurance companies under HIPAA. This paper discusses a disaster recovery plan and a computer incident response team plan for ProMed Insurance (McCarthy, Todd & Klaben, 2012).

Disaster recovery plan for ProMed

A DRP involves conducting a business impact analysis before prioritizing disaster recovery for an organization. I outline below a step-by-step DRP that can be used to restore ProMed's important systems.

The following recovery sequence should be followed:

  1. Data recovery

  2. Central Datacenter recovery

  3. Network and Telecommunications recovery

  4. Applications recovery

  5. Desktop information recovery

Detailed steps would be the following:

  1. Check whether the primary data center is still operable and whether the damage is reversible. If yes, start the disaster recovery process; if not, reach out to the failover data center personnel for recovery.

  2. Check whether the network center is still operating or is in a recoverable condition. If it is recoverable, contact network operations for recovery; if not, contact network operations to re-route the networks to the failover servers.

  3. Check the impact on applications in the following order:

i. All applications (client/server)

ii. Authentication mechanism

iii. All web services

  4. Prevent any further damage to IT systems by shutting down the affected areas and preventing unauthorized access.

  5. Transfer all backup data to the failover servers.

  6. Test all systems (servers, network, desktop/client, databases) to ensure proper operation.

  7. Test and verify all loaded data, and check operating systems and other software.

  8. Check overall system performance and communicate to users and employees that all systems have been restored (Schiff, 2016).
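As an added example (not part of the paper) that ties the BCP's recovery time discussion to the step list above, the following Python script models the DRP components as a dependency graph, derives the recovery order as a topological sort, computes when each component is back by summing recovery time objectives (RTO) along its critical path, and reports any component whose restore time exceeds its maximum tolerable downtime (MTD). The component names follow the recovery sequence above; the RTO and MTD hours and the dependency edges are constructed assumptions, and the sample deliberately contains two MTD violations so the check has something to report.

```python
"""Recovery ordering and RTO/MTD consistency check for a DR plan.

Added example, not from the ProMed paper. The component list, dependency
edges, recovery time objectives (RTO) and maximum tolerable downtimes (MTD)
are constructed for the illustration; the paper gives the recovery order
(data, central data center, network, applications, desktops) but no timings.

Two rules a BIA-driven plan should satisfy:
  - a component can only be restored after everything it depends on, so the
    recovery order is a topological sort of the dependency graph;
  - the time at which a component is back (RTO plus the latest restore time
    of its dependencies) must not exceed its MTD.
"""
from __future__ import annotations
from graphlib import TopologicalSorter

# Constructed: component -> (RTO hours, MTD hours, components it depends on)
COMPONENTS = {
    "backup data":          (4, 24, []),
    "central data center":  (8, 24, ["backup data"]),
    "network/telecom":      (2, 12, ["central data center"]),
    "authentication":       (1, 12, ["network/telecom"]),
    "client/server apps":   (6, 24, ["authentication"]),
    "web services":         (3, 24, ["authentication"]),
    "desktops":             (4, 48, ["client/server apps", "web services"]),
}


def recovery_order(components: dict) -> list[str]:
    """Dependencies first; ties broken alphabetically for a stable result."""
    graph = {name: set(deps) for name, (_, _, deps) in components.items()}
    ts = TopologicalSorter(graph)
    ts.prepare()
    order: list[str] = []
    while ts.is_active():
        ready = sorted(ts.get_ready())   # everything whose deps are restored
        order.extend(ready)
        ts.done(*ready)
    return order


def restore_times(components: dict) -> dict[str, int]:
    """Hours until each component is back, assuming independent components
    are recovered in parallel: own RTO plus the latest restore time of its deps."""
    done: dict[str, int] = {}
    for name in recovery_order(components):
        rto, _, deps = components[name]
        done[name] = rto + max((done[d] for d in deps), default=0)
    return done


def mtd_violations(components: dict) -> list[tuple[str, int, int]]:
    """(component, restore_hours, mtd_hours) where restore time exceeds MTD,
    in recovery order."""
    times = restore_times(components)
    return [(n, t, components[n][1]) for n, t in times.items() if t > components[n][1]]


if __name__ == "__main__":
    print("recovery order:", recovery_order(COMPONENTS))
    for n, t in restore_times(COMPONENTS).items():
        print(f"  {n:22s} back at +{t}h (MTD {COMPONENTS[n][1]}h)")
    print("MTD violations:", mtd_violations(COMPONENTS))
```

In the sample, the network and authentication tiers come back at 14 and 15 hours against a 12-hour MTD, because they sit behind a 12-hour data center restore. That tells the planner either that the data center RTO must shrink (faster restore media, a warm failover site) or that the 12-hour MTDs were set unrealistically in the BIA; running the check after every BIA or DRP revision is how the "review and update regularly" advice in the BCP section becomes mechanical.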

Incident Response Team Plan for ProMed

The following computer incident response team plan can be employed at ProMed. In the incident response worksheet, record the following aspects (Petters, 2018).

  1. Preparation: Compile the list of all tools, applications, infrastructure, and network systems needed to address a security breach.

  2. Identification: Immediately after opening the incident, identify, classify, and document it. The following factors must be identified to characterize the event:

i. Type of threat

ii. Whether any sensitive data was affected

iii. Kind of business impact

iv. Risk factor

v. Level of impact

  3. Containment: The main objective of incident response is to limit the scope and magnitude of the incident.

  4. Eradication: The threat must be addressed immediately and removed from the environment. Check access controls and make sure only authorized users can access the affected data.

  5. Recovery: Restore all lost data from backups.

  6. Review: Review and update all security policies and plans, including the BCP, DRP, and BIA, annually.

Disasters are unexpected events and cannot be avoided. It is essential for any organization to have proper backup and failover systems in case of an unforeseen event. In this paper, I have discussed a disaster recovery plan and a computer incident response team plan that can be implemented at ProMed.

Conclusion

This paper outlines the threats and vulnerabilities that pose a risk to ProMed. A risk assessment approach has been discussed, along with a risk mitigation plan. A proper risk assessment should be conducted so that potential risks are identified and mitigated effectively, and appropriate risk assessment methods should be followed to ensure each threat is addressed. This paper also discusses a business impact analysis and a business continuity plan for ProMed, followed by a disaster recovery plan and a computer incident response team plan.


References

CIS. (2019). Cyber attacks: In the healthcare sector. Retrieved from https://www.cisecurity.org/blog/cyber-attacks-in-the-healthcare-sector/

Herrera, M. (2017). Business continuity risks: Comparing inherent & residual risks. Retrieved from https://bcmmetrics.com/business-continuity-risks/

Hiles, A. (2002). Enterprise Risk Assessment and Business Impact Analysis: Best Practices. Brookfield, Conn: Rothstein Associates.

Kleyman, B. (2019). Top 5 healthcare data security, infrastructure threats. Retrieved from https://healthitsecurity.com/news/top-5-healthcare-data-security-infrastructure-threats

LeBlanc, K. (2018). Cyber-Threats and Vulnerabilities in the Healthcare Industry. Retrieved from https://blog.rapid7.com/2018/11/08/top-5-threats-healthcare-organizations-face-and-how-to-combat-them/

McCarthy, N. K., Todd, M., & Klaben, J. (2012). The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk. McGraw-Hill Education Group.

Petters, J. (2018). What is Incident Response? A 6 Step Plan: Varonis. Retrieved from https://www.varonis.com/blog/incident-response-plan/

Rausand, M. (2013). Risk Assessment: Theory, Methods, and Applications. Hoboken: Wiley.

Schiff, J. L. (2016). 8 ingredients of an effective disaster recovery plan. Retrieved from https://www.cio.com/article/3090892/8-ingredients-of-an-effective-disaster-recovery-plan.html

Thompson, H., & Trilling, S. (2018). Cyber security predictions: 2019 and beyond. Retrieved from https://www.symantec.com/blogs/feature-stories/cyber-security-predictions-2019-and-beyond