Residency Project 3 (4 Students Per Group)
Situation
Your team represents the IT leadership of a large healthcare organization that is preparing to purchase a smaller hospital group consisting of two metro hospitals (one being a learning hospital), three rural hospitals, two shared data centers, twenty-five physician practices, one laboratory, and a coordinated business office. Your objective is to evaluate these sites from a risk and compliance standpoint, focusing specifically on access controls at both logical and physical levels.
Part of the assessment process includes the opportunity to thoroughly test the systems involved in the acquisition. These systems encompass electronic medical records (EMR), mobile applications (including one capable of accepting credit card payments), external websites (including one with credit card payment capabilities), cloud-based systems (Infrastructure as a Service and Software as a Service platforms), 75 patient care applications (with 25 developed internally), and approximately 500 patient care devices. Internet connectivity is not shared between physician practices and hospital locations.
The deliverables for this project are divided into eight sections, which must be consolidated into a single comprehensive document. Each team member will submit the same document individually, reflecting collaborative input on all aspects.
Paper for the Above Instruction
1. Team Roles and Job Descriptions
As members of the IT leadership, team members will assume roles such as Chief Information Officer (CIO), Chief Information Security Officer (CISO), IT Architect, and Project Manager. Each role carries specific responsibilities vital for the integration and security of the healthcare systems. For example, the CIO oversees strategic planning and overall IT operations, while the CISO directs the information security standards and compliance.
Job descriptions should detail responsibilities, required qualifications, and skills. Additionally, each role should include a salary range based on industry standards and geographic considerations, aligned with healthcare IT compensation benchmarks (HIMSS, 2022; HR, 2023).
2. Information Security Policy Development
Select a best practice framework such as NIST Cybersecurity Framework, ISO/IEC 27001, or HIPAA Security Rule. Based on this, develop a comprehensive security policy tailored to the current organization, with components including access controls, data management, incident response, and system monitoring. The policy should clearly state that future sites will adhere to these standards to ensure uniformity in security practices across the newly acquired hospitals and practices.
3. Testing Methodology Policy and Procedures
Research and document the preferred testing methodologies for the systems in scope. For EMR systems and patient care devices, techniques such as vulnerability scanning, penetration testing, static code analysis, and dynamic application testing are recommended (OWASP, 2021). External websites should be tested via web application security testing protocols, with an emphasis on PCI-DSS for credit card-related components. For cloud-based systems, penetration testing must follow cloud provider policies (AWS, 2022).
Remediation cycles should align with compliance standards such as HIPAA, PCI DSS, and FERPA, and typically range from monthly to quarterly. Reporting cycles should track each finding by its CVSS score and its National Vulnerability Database (NVD) entry so that remediation can be prioritized consistently across sites (ISS, 2020).
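The following is an added example (not part of the original assignment or any referenced standard) of the kind of tracking logic a reporting cycle could use: it maps each finding to a remediation due date from its CVSS v3 base score and the asset's compliance scope. The window values, the PCI/HIPAA caps, the asset names, and the CVE identifiers are assumptions or constructed placeholders, chosen within the monthly-to-quarterly range stated above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: remediation windows in days, by CVSS qualitative severity.
BASE_WINDOW_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}
# Assumed policy: scope caps. Card-payment (PCI) assets always get the
# tightest window; EMR / PHI (HIPAA) assets are capped at 60 days.
SCOPE_CAP_DAYS = {"PCI": 30, "HIPAA": 60}


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale (None/Low/Medium/High/Critical)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"


@dataclass(frozen=True)
class Finding:
    asset: str        # hostname or application name from the scanner
    cve_id: str       # NVD identifier for the finding
    cvss: float       # CVSS v3 base score
    scopes: frozenset # compliance scopes the asset falls under


def remediation_window_days(f: Finding):
    """Base window for the severity, tightened by any scope cap. None = informational."""
    sev = cvss_severity(f.cvss)
    if sev == "none":
        return None
    return min([BASE_WINDOW_DAYS[sev]] + [SCOPE_CAP_DAYS[s] for s in f.scopes if s in SCOPE_CAP_DAYS])


def build_report(findings, found_on: date):
    """Rows sorted by due date, then by CVSS descending, for the leadership report."""
    rows = []
    for f in findings:
        days = remediation_window_days(f)
        if days is None:
            continue
        rows.append({"asset": f.asset, "cve": f.cve_id, "cvss": f.cvss,
                     "severity": cvss_severity(f.cvss),
                     "due": (found_on + timedelta(days=days)).isoformat()})
    return sorted(rows, key=lambda r: (r["due"], -r["cvss"]))


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("patient-portal-web", "CVE-0000-0001", 9.8, frozenset({"PCI", "HIPAA"})),
    Finding("emr-app-server", "CVE-0000-0002", 5.3, frozenset({"HIPAA"})),
    Finding("practice-kiosk", "CVE-0000-0003", 3.1, frozenset()),
    Finding("mobile-pay-api", "CVE-0000-0004", 4.0, frozenset({"PCI"})),
]


def sample_report():
    return build_report(SAMPLE, date(2024, 1, 15))
```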
4. Network Diagram Development
Design a detailed network architecture diagram illustrating how the post-acquisition environment will be structured, including segmented networks for patient care, administrative systems, and external access points. Incorporate security controls such as firewalls, intrusion detection/prevention systems (IDS/IPS), VPN gateways, and secure gateways for cloud services, referencing the organization’s security policy requirements. This diagram aids in security management and ensures proper network segmentation (Cisco, 2021).
5. Physical Security Assessment Procedure
Create a step-by-step physical security assessment plan—ideally a checklist—that evaluates access controls such as biometric readers, security cameras, alarm systems, environmental controls, and restricted access areas. The plan should include evaluating visitor management, facility alarms, and secure storage for sensitive devices or data. Reference physical security best practices from organizations like ASIS International (2020).
6. Project Plan and Timeline
Develop a detailed project plan with timelines, resource effort estimates, and assigned responsibilities following the RACI (Responsible, Accountable, Consulted, Informed) model. Include schedules for system testing, security assessments, and remediation activities. Estimate costs, especially if third-party assistance is needed, based on projected hourly rates for cybersecurity services ($150 to $300 per hour) (Cybersecurity Ventures, 2023).
7. Risk Acceptance and Tolerance Procedures
Establish a procedure for senior leadership to review identified risks using comprehensive risk reports. Define criteria for risk acceptance versus mitigation, referencing organizational risk appetite levels documented in governance frameworks such as COBIT or ISO 31000. This process should facilitate informed decision-making about residual risks and acceptable thresholds (ISO, 2018).
8. Final Presentation
The final deliverable involves synthesizing all sections—roles, policies, testing procedures, network design, physical security assessment, project planning, and risk procedures—into a coherent presentation for stakeholders. This presentation should clearly communicate the security posture, planned actions, and governance strategies for the acquired healthcare network.
References
- Amazon Web Services (AWS). (2022). Penetration Testing Policy. https://aws.amazon.com/security/penetration-testing/
- American Society for Industrial Security (ASIS). (2020). Physical Security Guidelines. https://asisonline.org/
- Cisco. (2021). Network Security Design Best Practices. Cisco Systems. https://cisco.com/
- Cybersecurity Ventures. (2023). Cybersecurity Hiring Report. https://cybersecurityventures.com/hiring-report/
- HIMSS. (2022). Healthcare IT Salary Guide. https://himss.org/
- HR. (2023). Healthcare Industry Salary Data. https://hr.example.com/
- ISO. (2018). ISO 31000:2018 Risk Management Guidelines. International Organization for Standardization.
- ISS. (2020). Vulnerability Scoring and Management. Information Security Society. https://iss.org/
- OWASP. (2021). Testing Guide. Open Web Application Security Project. https://owasp.org/
- Visio or PowerPoint. (n.d.). Network diagramming tools.