A Risk Management Plan for a Health Network

Cara Hanley

Southern New Hampshire University

IT-313-J4010

Objective:

  • Create a risk management plan for a health network
  • Identify the scope, risk identification, and physical and safety considerations associated with identified risks
  • Identify strategies to mitigate identified risks
  • Address risk probability, significance and potential impact on health network
  • Create a Business Impact Analysis (BIA)
  • Create a Business Continuity Plan (BCP)

HEALTH NETWORK, INC RISK MANAGEMENT PLAN

 

Purpose of the Risk Management Plan

This Risk Management Plan will define how Health Network can identify, analyze, and manage risks to increase the safety and security of its employees, customers, and assets. This plan will address current internal and external risks and provide safety guidelines and mitigation strategies that will allow Health Network to continue operations in the event of a natural disaster or system failure. The Business Impact Analysis included in this plan will prioritize certain risks according to their impact on the organization. It will examine risk tolerance (degree of impact) and prioritize risks in order to minimize the likelihood of disasters occurring or reoccurring and to gauge which risks are acceptable and which are not. If all risks are set to high priority, it becomes less likely that all of them will be controlled; therefore, prioritization of risks will increase the likelihood of establishing controls. Risk management also helps reduce uncertainty, allows for successful planning, helps reduce expenses and losses, and improves the organization’s reputation (Kaushik, 2020).

 

Scope and Boundaries of the Risk Management Plan

The scope of the Risk Management Plan will cover the three main products of Health Network: the HNetExchange, the HNetPay web portal and the HNetConnect online directory. The recommendations will apply to all three of the Health Network locations in Tampa, Seattle, and Arlington to include the employees and operations of these locations. It will also extend to all forms of electronic media such as laptops, mobile devices, hard drives, servers and other network equipment. The plan will address mitigation strategies for the data centers and their respective hosting vendors. The basis for the plan is to address the inadequacies of the existing plan and to provide solutions for the threats specific to the organization such as potential data loss from hardware decommission and systems outages, protecting health information stored on laptops and mobile devices, threats from malicious external actors, and common threats to internal staff, such as social engineering. Additionally, the plan will address the current changes and challenges associated with the regulatory landscape to ensure operations are in line with those requirements.  

 

The plan will address the main internal and external risks specific to the location of operation and suggest implementation plans for the safety and security of physical devices and systems. The plan will analyze the business impact through a business impact analysis that will prioritize risks based on probability and impact on the organization. The plan will identify the approach the organization should take in its disaster recovery plan. The business continuity plan outlined in this plan will determine how certain disasters impact operations, how certain safeguards and test procedures will be implemented to mitigate risks, and how those safeguards will be monitored and kept up to date.

Risk Identification

The primary risks that Health Network, Inc. should focus on include internal and external risks specific to the areas in which its facilities are located. These risks are identified as follows:

 

     Internal Risks

  • Technology Risks: Company-owned devices such as laptops are at risk of becoming lost, stolen or damaged, which could lead to loss of data or compromised data. In addition, system outages and power outages could lead to system downtime, potential loss of data and high costs.
  • Operational Risks: System and network failures could cause operational delays and potential loss of data.
  • Reputational Risk: Third party vendors are susceptible to data breaches and carry certain compliance risks, which have a direct impact on the organization and its reputation.
  • Compliance Risk: Being out of compliance with HIPAA, SEC and PCI DSS could lead to legal penalties. Regulatory changes could affect the organization’s ability to bring operations and systems up to date with compliance standards. Third parties must also be monitored for legal compliance.
  • Security Risk: Staff are vulnerable to insider threats such as social engineering and malware. Inappropriate hardware decommission is a data exposure risk. Data breaches could expose PHI and impact legal compliance obligations and cause reputational damage to the organization.

     External Risks

  • Natural Events (Environmental risks): Flooding, hurricanes, earthquakes, storm damage, and fires could cause damage to the IT environment, including production servers. Not having a backup recovery system in place could lead to permanent loss of data. The Tampa headquarters and the Arlington, VA location are in high-risk areas for hurricanes and flooding. The Seattle location is susceptible to earthquakes, which often strike without warning, making a disaster recovery plan all the more important.

Safety: Physical and Safety Considerations Associated with Identified Risks

There are certain physical and safety implications in not addressing technological risks. If a company device is lost, stolen or damaged, not only could valuable data be compromised, but the cost of replacing the device is high. Power outages, on the other hand, can also lead to damaged equipment and potential loss of data. External risks such as environmental disasters could cause irreparable damage to equipment or facilities.

 

A compromised HNetExchange system would raise numerous safety concerns due to the sensitive medical nature of the information being transmitted across networks. Modified or missing health information could lead to misdiagnosis and missing drug information could lead to the wrong prescriptions being prescribed or over-prescribed. An interruption in operations could prevent the flow of healthcare information from being delivered in a timely and effective manner, creating a potential health risk for patients needing expedient care, prescriptions or diagnosis.

Business Impact: Business Impact Analysis (BIA), Risk Probability, Significance and Potential Impact on Health Network

A BIA identifies and prioritizes system components and the impact they have on the objectives of Health Network. The BIA will help determine which system functions and activities are critical to the business and the maximum amount of downtime that is acceptable before the business would incur considerable financial or reputational damage. 

 

The BIA chart below identifies the key function or activity that is analyzed, along with the maximum acceptable downtime (MAD) (on a scale of vital, critical, essential or important, with vital being the highest impact), a risk event that would have some level of significant impact, the probability of that event occurring, and the level of impact on the business, with a short explanation of the impact.

*See Table 1 Business Impact Analysis


Strategies to Mitigate Identified Risks and to Allow for Continued Operations (Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP))

A Business Continuity Plan (BCP) identifies mitigation strategies for the risks outlined in the BIA. It explains how Health Network can continue normal operations and minimize the impact of a disaster. It also aids in preparing MHC for future disasters. 

**See Table 2 Business Continuity Plan


A disaster recovery plan (DRP), on the other hand, will outline the steps to restore resources after an IT disaster. It is important to provide training to staff after implementing the disaster recovery plan to raise awareness about security issues and minimize the panic and confusion that typically ensues after a natural event or security incident. The DRP must be tested and exercised to ensure proper controls are installed and are adequate to cover anticipated disasters and threats. Finally, BCPs and DRPs should be maintained and updated to keep pace with the evolving security landscape while taking advantage of new technology that emerges to solve issues in the most efficient way.

Recovery strategies should be developed to anticipate the loss of hardware, software, data, and connectivity, which are vital to keep the system running (Ready, 2021). Therefore, the DRP should address each of these elements:

  • Inventory should be taken of company assets such as IT hardware and software, network equipment, laptops, devices, data, cloud service providers, and ISPs.
  • Assets should be categorized according to level of criticality (i.e., which assets would have the most impact if they were to be compromised?)
  • Assess potential risks as outlined in the BIA
  • Analyze recovery time objectives (RTO) to determine how data should be backed up

In considering the above information, a disaster recovery system can be determined that includes disaster recovery sites and where they will be located, and which backups will be maintained. Recovery sites can be in the form of a cold site, hot site or warm site. A cold site is an office space with basic utilities, a hot site is a mirrored copy of the primary production center, and a warm site is a middle ground between the two, with some network connectivity and hardware equipment but not equipped on the same level as the production center (Reed, 2019). It’s important to have a remote storage solution to keep business operations active and to protect data.

Table 1: Business Impact Analysis (BIA)

| Key Function or Activity | MAD | Risk Event | Probability | Level of Impact | Impact |
|---|---|---|---|---|---|
| HNetExchange Messages | Vital | HNetExchange Service failure | Low | High | Loss of revenue; Creates delays in medical services; Potential reputational damage; Creates a heavy backlog of messages |
| HNetPay Web Portal | Vital | HNetPay web portal unavailable or malfunctioning | Low | High | Clients will not be able to make payments; Might no longer be PCI DSS compliant; Frustrated clients; Potential loss of clients |
| System (network and application) | Vital | Systems Outage (no disaster recovery plan in place) | Low | High | Loss of data; Loss of application service; Loss of productivity; Loss of clients; Loss of reputation; Reduced revenue |
| Environmental disaster impacting data center | Vital | Lack of disaster recovery | Low | High | Loss of system functions; Loss of data; Loss of revenue; Loss of clients; Loss of reputation |
| Health Network Applications, data center, servers | Vital | Data breaches | Medium | High | Financial loss; Reputational damage; System downtime; Loss of sensitive data; Data exposure could create legal implications (no longer compliant with HIPAA or PCI DSS); Potential loss of reputation |
| Regulatory compliance | Vital | Non-compliance with HIPAA and/or PCI DSS | Low | High | High penalties and violation fines; Government audits; Potential data breaches; Class-action lawsuits; Corrective Action Plans (CAPs); Loss of revenue; Reputational damage |
| Health Network website | Critical | Internet Threats | Low | High | Compromise sensitive data (man-in-the-middle attacks); Potential HIPAA and PCI DSS violations; Potential for website to become inaccessible (DDoS attacks); Could cause critical server to go down, which would impede operations |
| Hardware Decommission | Critical | Inappropriate hardware decommissions | Medium | High | Creates potential security holes in the network; Places other system components at risk; Might no longer be PCI DSS and HIPAA compliant, which could lead to legal penalties |
| Company-issued laptops and mobile devices | Critical | Lost or stolen company assets | Low | High | Potential data breach could expose sensitive data; High financial costs to replace; Loss of productivity while replacement is procured; Potential fines for loss of sensitive or confidential data; Significant loss of time recovering data and device(s) |
| Employee access to Health Network | Critical | Insider threats | Low | High | Potential exploitation of systems could compromise reputation, integrity; Loss of clients; Loss of revenue; Loss of operations; Intellectual property loss |
| HNetConnect online directory | Essential | HNetConnect online directory unavailable | Low | Low | Clients are inconvenienced; Potential loss of new business |

Table 2: Business Continuity Plan (BCP)

| Threat | MAD (Criticality) | Consequences | Mitigation Action |
|---|---|---|---|
| HNetExchange Service failure | Vital | Customers can’t use messaging service | Have a backup server in place in the event one goes down; Encrypt backups; Store backups off-site; Perform periodic testing |
| HNetPay web portal unavailable or malfunctioning | Vital | Customers unable to use payment service | Check that network capacity is appropriate; Monitor and maintain servers; Network monitoring; Apply patches to system as needed; Harden the servers; Implement an Intrusion Detection System (IDS) |
| Systems Outage | Vital | System downtime leading to loss of productivity and high costs | Implement a Disaster Recovery Plan (DRP); Use a monitoring tool with full-stack observability (client end, backend, network, infrastructure, etc.); Work with ISP and cloud providers to plan for incidents that could cause outages |
| Lack of disaster recovery | Vital | Potential loss of system functions, loss of data, loss of clients and revenue | Create and maintain a Disaster Recovery Plan (DRP); Have Incident Response (IR) controls in place; Have a contingency plan in place |
| Data breaches | Vital | Financial loss, system downtime, legal implications, reputational damage | Employ Endpoint Detection and Response (EDR) solutions to find malicious or anomalous behaviors (NSA, 2018); Use Identification and Authorization techniques; Use vulnerability scanners to find security loopholes and system vulnerabilities; Install timely patches and updates to software and operating systems; Use Intrusion Detection to identify potential attacks; Use Multi-factor authentication to enhance network security |
| Non-compliance with HIPAA and/or PCI DSS | Vital | Financial penalties and fines, government audits, loss of revenue | Stay current with regulatory changes; Ensure employees are trained on maintaining and enforcing compliance; Maintain strict privacy settings using automated privacy controls; Conduct risk assessments and compliance audits |
| Internet Threats | Critical | Sensitive data could be compromised, website no longer accessible leading to loss of revenue, reputational damage | Use network defenses to block certain traffic and restrict content; Keep antivirus software and firmware up to date for network devices and servers; Implement Access Controls (principle of least privilege); Awareness and Training for employees |
| Inappropriate hardware decommissions | Critical | Creates potential security holes in the network, places rest of the system at risk | Take inventory of hardware to establish a baseline; Thoroughly remove unnecessary hardware from the network based on established deactivation protocols to limit attack surface; Least functionality controls (components of the system are carefully reviewed to determine which can be eliminated) |
| Lost or stolen company assets | Critical | Increases chance of data breaches, loss of productivity while finding replacement, high costs to replace equipment | Take thorough inventory of devices and assets; Have a reporting process in place for lost or stolen IT assets; Implement strict policies for safeguarding company laptops and devices (i.e., not leaving in unlocked vehicle, strong password protection, etc.) |
| HNetConnect online directory unavailable | Essential | Clients are inconvenienced, potential loss of new business | Strict database access privileges; Protect against SQL injection attacks; Maintain database configurations, especially after patches applied; Block malicious web requests using Domain Name Service (DNS) redirection or filtering |
| Insider threats | Critical | Potential loss of assets and clients, reputational damage, cause data to be compromised | Promote a culture of safety and security; Identify organization assets and who can access them; Use of access management and monitoring tools |

References

Kaushik, P. (2020, January 6). Why Is Risk Management So Important in Business? Starting Business. https://www.startingbusiness.com/blog/risk-management-importance

KnowItAllNinja. (n.d.). The Impact of Threats. Retrieved April 11, 2022 from https://www.knowitallninja.com/lessons/the-impact-of-threats/

National Security Agency. (2018, March). NSA’s Top Ten Cybersecurity Mitigation Strategies. NSA. https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf

Ready. (2021, February 17). IT Disaster Recovery Plan. https://www.ready.gov/it-disaster-recovery-plan

Reed, J. (2019, July 14). An Overview of Disaster Recovery Sites. Nakivo. https://www.nakivo.com/blog/overview-disaster-recovery-sites/

Robinson, C. (2020, February). Why do online payments need to be secure? GoCardless. https://gocardless.com/guides/posts/secure-payments/

Serrano, H. (2019, May 2). How to avoid the devastating consequences of HIPAA noncompliance. HFMA. https://www.hfma.org/topics/hfm/2019/may/how-to-avoid-the-devastating-consequences-of-hipaa-noncompliance.html

Strategic Communications. (n.d.). Decommissioning It Equipment: 5 Considerations. Retrieved April 11, 2022 from https://www.yourstrategic.com/decommissioning-it-equipment-5-considerations/
