NovaSecure Security 203280
Instructor: Eng. Hazem Arabiyat
Prepared by: Saeed Iqtaish 22110102
Section 2

Contents

Part 1:
 A: Unauthorized System Use
 B: Security Procedure
 C: Risk Management Method
 D: Firewall and VPN Risks
  1. Firewalls
  2. VPNs
 E: DMZ, NAT, and Static IP
  1. DMZ
  2. NAT/PAT
  3. Static IPs
 F: Real-Time Monitoring Tools
Part 2:
 A: Security Measures
  1. Biometric Access Control and CCTV
  2. Network Segmentation with DMZ
  3. Ban BYOD and Implement Work Devices
 B: Risk Assessment
 C: HIPAA and GDPR Compliance
  1. HIPAA Requirements for NovaSecure
  2. Key GDPR Requirements for NovaSecure
  3. Current Procedures at NovaSecure (Identified Gaps)
  4. Recommended Compliance Procedures
 D: ISO 31000 Risk Management Framework
  1. Overview
  2. ISO 31000 Core Risk Management Process
  3. ISO 31000 Risk Management Principles
  4. Framework and Guidelines Implementation
  5. NovaSecure-Specific Risk Assessment Framework
 E: Security Audits
  1. Definition and Purpose
  2. Core Benefits for NovaSecure
  3. Audit Process Components
  4. Compliance Implications
  5. Patient Trust Implications
Part 3:
 A: IT Security and Corporate Policies
  1. Identified Issues
  2. Recommendations
  3. Risks
  4. Healthcare-Specific Considerations
 B: Stakeholder Roles in Audits
  1. Internal Stakeholders
  2. External Stakeholders
 C: Security Policies and Disaster Recovery Plan
  1. Enterprise Information Security Policy (EISP)
  2. Issue-Specific Security Policy (ISSP)
  3. System-Specific Security Policy (SSSP)
  4. Disaster Recovery Plan (DRP) Components
  5. Supporting Tools
 D: High-Value Asset Security Plans
  1. Electronic Health Records (EHR) System
  2. IoT Medical Devices
  3. Telehealth Platform
  4. Control Justification
References

Part 1:

A: Unauthorized System Use:

Identified Threats Include:

1. Insider Misuse: NovaSecure has already had an employee access patient information without proper authorization. This is privilege abuse: an employee using legitimate access rights for unauthorized purposes. It affects the confidentiality of patient data and, if employees can change patient information after opening a record without any further authorization, its integrity as well.
Employees also share their credentials during shift changes instead of following a structured hand-over procedure in which each employee only works under the account tied to their own credentials. This badly damages accountability: when something goes wrong it becomes much harder to establish who is responsible and how the incident should be dealt with.

2. Weak Authentication and Access Control: Employees often reuse passwords across different systems, creating a single point of failure: if one password is leaked, many devices and accounts become vulnerable instead of one. Physical security is also weak. The server room doors use generic keycards that can easily be cloned or stolen (impacting confidentiality), and there is no CCTV or other monitoring of the server rooms (impacting accountability).

3. Possible Data Leak Weak Points: Employees are allowed to bring and use personal devices at work, which increases the chance of data leaking outside if an employee's device is compromised, or of malware entering the systems through an infected device. The network is also unsegmented, with all devices and functions (including administrative systems) sharing the same network, so a compromise of any one device can reach every other. In addition, the network uses outdated encryption for transmitting medical records, making it much easier for an attacker who intercepts traffic to recover usable patient data.

Impact on Healthcare Services:

1. Patient Safety: Unauthorized changes to patient data could lead to medical errors or unplanned and unneeded treatment changes, and tampering with connected devices such as insulin pumps could cause loss of life.

2. Patient Data Privacy Violations: Unauthorized access to medical information is a direct HIPAA violation, exposing NovaSecure to heavy fines, loss of credibility and possibly loss of certification, and enabling insurance fraud and identity theft against patients.
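The accountability problem described above is detectable in the EHR access logs, provided every event records the workstation it came from: a shared password shows up as the same account holding open sessions on two workstations at once, and any record change made during that overlap cannot be attributed to one person. The following Python script is an added example written for this report, not code from NovaSecure or from any EHR product. The log format (`user=`, `ws=`, `event=` fields), the sample lines, the account names and the workstation names are all constructed for illustration.

```python
"""Flag credential sharing at shift change from EHR access logs.

Added example: the log format, field names and sample lines below are
constructed for illustration and are not NovaSecure's real log schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample. nurse_a logs in on WS-12 and never logs out; at 07:05
# the same account logs in from WS-07 (the incoming shift) while the first
# session is still open, then changes a record. nurse_b behaves normally.
SAMPLE_LOG = """\
2024-05-02T06:55:12 ehr-app user=nurse_a ws=WS-12 event=login
2024-05-02T06:58:40 ehr-app user=nurse_a ws=WS-12 event=view patient=P-1001
2024-05-02T07:05:03 ehr-app user=nurse_a ws=WS-07 event=login
2024-05-02T07:06:11 ehr-app user=nurse_a ws=WS-07 event=modify patient=P-1001
2024-05-02T07:20:00 ehr-app user=nurse_a ws=WS-12 event=logout
2024-05-02T06:50:00 ehr-app user=nurse_b ws=WS-03 event=login
2024-05-02T07:00:00 ehr-app user=nurse_b ws=WS-03 event=logout
2024-05-02T07:02:00 ehr-app user=nurse_b ws=WS-03 event=login
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ws: str
    kind: str              # login, logout, view, modify
    patient: Optional[str]


def parse_line(line: str) -> Event:
    """Parse one 'timestamp app key=value ...' line into an Event."""
    ts_str, _app, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kv["user"], kv["ws"],
                 kv["event"], kv.get("patient"))


def parse_log(text: str) -> List[Event]:
    """Parse all lines and sort by time; syslog relays often deliver out of order."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.ts)


def find_shared_sessions(events: List[Event]) -> List[dict]:
    """Return two kinds of findings.

    concurrent_login: an account logs in while it still has an open session on a
    different workstation (the shift-change password hand-over).
    unattributable_write: a record modification made while the account has more
    than one open session, so the log cannot say which person made the change.
    """
    open_sessions: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # user -> ws -> login time
    findings: List[dict] = []
    for e in events:
        if e.kind == "login":
            others = sorted(ws for ws in open_sessions[e.user] if ws != e.ws)
            if others:
                findings.append({"type": "concurrent_login", "user": e.user, "ws": e.ws,
                                 "other_ws": others, "ts": e.ts.isoformat()})
            open_sessions[e.user][e.ws] = e.ts
        elif e.kind == "logout":
            open_sessions[e.user].pop(e.ws, None)
        elif e.kind == "modify" and len(open_sessions[e.user]) > 1:
            findings.append({"type": "unattributable_write", "user": e.user, "ws": e.ws,
                             "patient": e.patient, "ts": e.ts.isoformat()})
    return findings


def analyze(log_text: str) -> List[dict]:
    """Parse a log and return all credential-sharing findings."""
    return find_shared_sessions(parse_log(log_text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On a live Syslog feed the same logic runs over a sliding window instead of a whole file. The one hard requirement is that the EHR records the workstation (or source address) with every event; without it the two sessions are indistinguishable in the log. Note that nurse_b's logout and immediate re-login on the same workstation is not flagged, which is the normal pattern the procedure in section B is meant to enforce.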
B: Security Procedure:

1. Definition: A security procedure is a documented, step-by-step set of instructions that describes the who, what, when, and how of implementing a security policy. It translates high-level security policies into actionable, repeatable processes that staff can follow consistently. Security procedures ensure standardized implementation of security controls across an organization, reducing human error and maintaining compliance.

2. Example and NovaSecure Implementation: Since NovaSecure has a problem with credential sharing, the following procedures would be the most useful:

a. Multi-Factor Authentication (MFA): so that a shared password alone is no longer enough for one employee to act under another's identity, or for an outsider with a leaked password to get in.

b. Issue a Work Device to Each Employee and Ban BYOD: this addresses the data-leak problem and also strengthens MFA, because each employee's second factor is bound to their own managed work device and to nothing else.

3. Operational Enhancements: Together these procedures would make credential sharing at NovaSecure impractical (a colleague's password is useless without their device and second factor), sharply reducing unauthorized access to patient data and the exposure created by personal devices. That keeps patient information protected as HIPAA requires, restores accountability (every action is tied to one authenticated person), and lowers the chance of medical errors caused by unauthorized changes to medical records.

C: Risk Management Method:

1. Proposed Method: For NovaSecure, I think a hybrid risk management method would be best: ISO 31000 principles for the overall process, combined with NIST CSF controls tailored to healthcare systems.

2. Structure:

a. Main Criteria:
i. Always prioritize patient safety.
ii. Ensure regulatory compliance with HIPAA, GDPR, and any other applicable national and international medical regulations.
iii. Ensure 24/7 operations.

b. Risk Types:
i. Clinical risk (affecting patients).
ii. Operational risk (affecting the system).
iii. Information risk (affecting data and privacy).
iv. Compliance risk (affecting regulatory standing).

c. Risk Analysis and Evaluation:
i. Use both qualitative and quantitative assessment.
ii. Evaluate each risk against all criteria: patient health impact, system operations impact, regulatory impact, and downtime.

3. Justification: This method addresses both the healthcare context and NovaSecure's specific issues:

a. Improved patient safety: patient wellbeing is the top assessment criterion, reducing the chance of medical errors caused by security issues.

b. Regulatory compliance: the method places strong emphasis on national and international regulation, which also improves NovaSecure's standing with regulators and patients.

c. Continuous operations: the focus on 24/7 availability and on downtime during emergencies minimizes the time the system, and therefore NovaSecure, is unable to provide needed care.

D: Firewall and VPN Risks:

1. Firewalls: For NovaSecure there are two main firewall risks:

a. Overly Permissive Configuration: Because the network is not segmented and medical and administrative devices share the same network, unfiltered traffic can reach administrative systems and do serious damage, and can even reach medical equipment connected to the network such as insulin pumps.

b. Overly Strict or Outdated Configuration: On the other hand, a rule set that is too strict, or that is not updated as systems change, can stop medical devices from reaching the network or stop patient information from being transmitted to where it is needed, causing significant availability problems across the whole system.

2. VPNs:

a.
Third-Party VPN Vulnerabilities: NovaSecure may rely on a third-party VPN service for remote access to medical systems. If the provider uses weak encryption or keeps logs that could expose patient data, there is a real risk of data interception. The VPN also becomes a single point of failure: compromised VPN credentials would give an attacker direct access to the internal network, bypassing perimeter security and potentially reaching critical medical devices and patient records. Requiring MFA on the VPN and limiting what VPN users can reach once connected reduces both risks.

b. Misconfigured VPN Access Controls: VPN configurations that are too broad or poorly managed could let unauthorized users reach sensitive healthcare systems, while overly restrictive VPN policies could prevent medical staff from accessing critical patient information during emergencies when remote access is essential. That would impact patient care and create availability problems where providers cannot reach life-critical systems when working remotely or during after-hours emergencies.

E: DMZ, NAT, and Static IP:

1. DMZ: For NovaSecure, the DMZ should be configured as follows:

a. DMZ Interface: directly reachable from the internet; it should house only the servers needed for public services, such as the NovaSecure website and the front-end interfaces of the appointment booking system and patient portal.

b. Private Interface: reachable from the DMZ only through specific ports and protocols, and never directly from the internet. It should hold the critical systems: everything related to medical equipment such as insulin pumps, everything that stores patient information (including the back ends of the patient portal and appointment booking), and internal network services such as DNS and DHCP.

2. NAT/PAT: NAT/PAT helps NovaSecure in two ways. It reduces cost, since public IPs are paid for and giving every internet-facing device (the servers in the DMZ) its own public address would be expensive. It also hides the internal addressing scheme, so outsiders cannot target internal hosts directly. That hiding should be treated as a side benefit rather than a security control: it is the firewall rules, not the address translation, that actually block unsolicited inbound traffic.

3. Static IPs: Static addresses improve traceability and accountability, because a static IP can always be tied to the same host. They are also needed for access control lists (ACLs) that grant specific authorized individuals full network access, and for whitelisting administrator hosts in IPS and IDS deployments so that admins can do their work without being blocked. In NovaSecure's case, networked medical equipment should also be given static addresses so that it is always reachable by staff and monitoring systems when needed.

F: Real-Time Monitoring Tools:

Adding these technologies to NovaSecure's systems would greatly help in identifying problems early, for example spotting network performance bottlenecks with NetFlow and monitoring the performance of platforms such as the EHR, so that issues can be fixed before they disrupt workflow or affect patient health. Real-time monitoring is also important for healthcare compliance: HIPAA requires periodic technical and non-technical evaluation of safeguards within the organization to make sure proper precautions are in place. It also greatly helps audits, because a central Syslog server keeps the records needed to pinpoint the causes of a breach.

Combining this with an IPS and a SOAR platform would strengthen incident response: the IPS drops suspicious traffic before it reaches its destination, stopping many attacks in progress, while SOAR correlates alerts from the monitoring tools and automates triage and containment steps (for example disabling an account or isolating a host). Volumetric DoS/DDoS attacks themselves need dedicated upstream or cloud-based mitigation; SOAR can trigger that response but does not absorb the traffic by itself.

Part 2:

A: Security Measures:

1. Biometric Access Control and CCTV: Replace the generic keycards on the server room with fingerprint or retinal scanners and add CCTV monitoring. Together these make it much harder for unauthorized personnel to enter the server room, and they improve accountability and non-repudiation (and therefore confidentiality), since every entry is recorded on camera and tied to a specific employee by the biometric.

2. Network Segmentation with DMZ: Instead of one network for patient monitoring devices and administrative devices, split the network into zones behind a next-generation firewall with a DMZ. This removes direct outside access to critical devices, contains an attack to the zone where it starts, and means the network no longer has a single point of failure: if one zone is compromised or goes down, the effect on the others is minimal, which helps keep availability close to 24/7 and protects patient health. It also shrinks the attack surface exposed to DDoS, since only the public-facing DMZ services are reachable from the internet.

3. Ban BYOD and Implement Work Devices: Issue work devices that may only be used for NovaSecure business and may not be taken home. This greatly reduces the risk of malware entering the systems or data leaking out, protecting the confidentiality of patient and system data. Combined with the DMZ, it also makes reconnaissance harder: from the outside the system behaves like a black box, and attackers cannot see how it works internally, reducing both the likelihood and the effectiveness of attacks.
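To make the difference between the current flat network (D.1.a) and the DMZ layout described in E.1 and A.2 concrete, here is a small zone-based policy checker in Python. It is an added example written for this report, not NovaSecure's firewall configuration and not any vendor's rule syntax. The zone address ranges, the port numbers (8443 for the portal back end, 8883 for device telemetry), the host addresses and the test flows are all assumptions chosen for illustration; a real next-generation firewall would express the same zones and rules in its own language.

```python
"""Zone-based firewall policy check: flat network versus DMZ segmentation.

Added example for this report. Zone ranges, ports and host addresses are
assumptions for illustration, not NovaSecure's real addressing.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


class ZonePolicy:
    """First-match rule evaluation with a default action, like most firewalls."""

    def __init__(self, zones: List[Zone], rules: List[Rule], default: str = "deny"):
        self.zones, self.rules, self.default = zones, rules, default

    def zone_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for z in self.zones:
            if addr in z.network:
                return z.name
        return "internet"  # anything outside a defined zone is untrusted

    def decide(self, flow: Flow) -> str:
        src_z, dst_z = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        for r in self.rules:
            if (r.src in (src_z, "any") and r.dst in (dst_z, "any")
                    and r.proto in (flow.proto, "any")
                    and (r.dport is None or r.dport == flow.dport)):
                return r.action
        return self.default


# Current state (D.1.a): one address space and an any-to-any allow rule.
FLAT = ZonePolicy(
    zones=[Zone("lan", ipaddress.ip_network("10.0.0.0/8"))],
    rules=[Rule("any", "any", "any", None, "allow")],
)

# Target state (E.1 / A.2): DMZ, private and medical zones, default deny.
SEGMENTED = ZonePolicy(
    zones=[
        Zone("dmz", ipaddress.ip_network("192.0.2.0/24")),      # website, portal front end
        Zone("private", ipaddress.ip_network("10.10.0.0/16")),  # EHR, portal back end, DNS/DHCP
        Zone("medical", ipaddress.ip_network("10.20.0.0/16")),  # insulin pumps, monitors
    ],
    rules=[
        Rule("internet", "dmz", "tcp", 443, "allow"),      # patients reach the portal front end
        Rule("dmz", "private", "tcp", 8443, "allow"),      # front end -> booking/portal back-end API
        Rule("dmz", "private", "udp", 53, "allow"),        # DMZ hosts resolve via internal DNS
        Rule("private", "private", "any", None, "allow"),  # staff systems talk to each other
        Rule("private", "medical", "tcp", 443, "allow"),   # clinical console manages devices
        Rule("medical", "private", "tcp", 8883, "allow"),  # device telemetry to monitoring server
        # No rule from internet or dmz to medical: the default deny applies.
    ],
)

# Constructed test flows. 203.0.113.x (documentation space) stands in for the internet.
FLOWS: List[Tuple[str, Flow]] = [
    ("patient browses portal",       Flow("203.0.113.5", "192.0.2.10", "tcp", 443)),
    ("internet -> EHR database",     Flow("203.0.113.5", "10.10.5.20", "tcp", 5432)),
    ("portal front end -> back end", Flow("192.0.2.10", "10.10.5.30", "tcp", 8443)),
    ("web server -> insulin pump",   Flow("192.0.2.10", "10.20.1.15", "tcp", 443)),
    ("internet -> insulin pump",     Flow("203.0.113.5", "10.20.1.15", "tcp", 443)),
    ("pump telemetry -> monitoring", Flow("10.20.1.15", "10.10.5.40", "tcp", 8883)),
    ("pump calls out to internet",   Flow("10.20.1.15", "203.0.113.9", "tcp", 443)),
]


def compare(flows: List[Tuple[str, Flow]] = FLOWS) -> List[Tuple[str, str, str]]:
    """Return (label, flat decision, segmented decision) for each flow."""
    return [(label, FLAT.decide(f), SEGMENTED.decide(f)) for label, f in flows]


if __name__ == "__main__":
    print(f"{'flow':30} {'flat':6} segmented")
    for label, flat, seg in compare():
        print(f"{label:30} {flat:6} {seg}")
```

Under the flat policy every flow, including internet to insulin pump, is allowed; under the segmented policy only the five flows the design needs are allowed and everything else falls through to the default deny. The D.1.b risk (an overly strict rule set) shows up in the same model: drop the telemetry rule and the "pump telemetry -> monitoring" flow is denied, which is exactly the kind of availability break the firewall change process must test for before deployment.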
B: Risk Assessment:

| Asset                                               | Risk                                                     | Likelihood     | Consequence if exploited                                                    | Risk level |
|-----------------------------------------------------|----------------------------------------------------------|----------------|-----------------------------------------------------------------------------|------------|
| IoT medical devices (insulin pumps, heart monitors) | Outdated firmware vulnerable to remote exploitation      | Almost certain | Patient death from device manipulation, medical malpractice lawsuits        | Extreme    |
| Hospital tablets (BYOD)                             | Personal devices with cached PHI can be lost or stolen   | Likely         | PHI breach, HIPAA fines ($1.5M+), identity theft                            | High       |
| Server room infrastructure                          | Generic keycards can be cloned for unauthorized access   | Moderate       | Physical theft, system sabotage, complete data center compromise            | High       |
| EHR system                                          | Ransomware spreading over the unsegmented network        | Likely         | Complete loss of access to patient data, treatment delays, potential deaths | Extreme    |
| Telehealth platform                                 | Active DDoS attacks, expired SSL/TLS certificates        | Almost certain | Service outage, missed critical consultations, patient harm                 | Extreme    |
| Legacy access control system                        | Door systems (10+ years old) vulnerable to badge cloning | Moderate       | Unauthorized facility access, theft, potential violence                     | Moderate   |
| Cloud backup data                                   | No MFA and no encryption at rest on third-party storage  | Likely         | 100,000+ patient records exposed, multi-million-dollar HIPAA penalties      | Extreme    |
| EHR transmissions                                   | DES encryption can be cracked in hours                   | Almost certain | Mass interception of patient data in transit                                | Extreme    |
| Staff credentials                                   | Password reuse and sharing during shifts                 | Almost certain | Insider misuse (already occurred), unauthorized access                      | Extreme    |

C: HIPAA and GDPR Compliance:

1. HIPAA Requirements for NovaSecure

a. Administrative Safeguards: Appoint a Security Officer responsible for overseeing PHI protection; conduct regular workforce training on HIPAA privacy and security policies; enforce strict access authorization and termination procedures; and maintain documented security incident response and reporting protocols. Together these ensure that NovaSecure staff follow the HIPAA regulations as required.

b.
Physical Safeguards: Control access to sensitive areas such as the server room, admit only authorized personnel, and record who enters and when. Define workstation security policies for all devices that handle PHI, allow only trained and authorized employees to use them, and log their use.

c. Technical Safeguards: Assign a unique user ID to every workforce member (so that every logged action can be tied to one person) and add multi-factor authentication on top of it; implement automatic logoff after 15 minutes of inactivity; enable audit logging on every system that creates, receives, maintains, or transmits PHI; encrypt PHI both at rest and in transit; and maintain integrity controls so that data cannot be altered or destroyed in an unauthorized manner, for example by requiring a higher level of authorization to change medical records.

2. Key GDPR Requirements for NovaSecure

a. Scope and Lawful Basis: Identify and document a lawful basis for each processing activity (why the data is being used), and where processing relies on consent, obtain explicit consent from the patient.

b. Data Protection Principles: Process personal data transparently and collect only what is needed; keep data accurate and up to date; retain data only as long as necessary, using automated deletion schedules; and protect confidentiality and integrity with organizational and technical measures such as encryption and pseudonymization.

c. Privacy by Design and Default: Build privacy safeguards into the product development lifecycle so that new systems are secure from the start, and enforce data minimization and purpose limitation across all platform features.

d. Data Subject Rights: Maintain a clear process for patients to request access to their personal data, and honour deletion requests unless the data is still needed (ongoing medical treatment or a legal obligation).

e. Data Protection Impact Assessments (DPIAs): Conduct DPIAs for all new high-risk processing activities (for example AI algorithms using sensitive health data), document the findings and mitigations, and review them annually.

3. Current Procedures at NovaSecure (Identified Gaps)

a. Physical Security: Server rooms rely on generic keycards, with no biometric controls or CCTV monitoring. This violates HIPAA's physical safeguard requirements and GDPR's integrity and confidentiality principle.

b. Technical Security: DES encryption and expired SSL/TLS certificates are in use (failing both HIPAA's technical safeguards and GDPR's requirement for appropriate technical measures); the network is unsegmented, with production, administrative, and IoT medical devices sharing one network; and password policies are weak, with credentials shared at shift change.

c. Administrative Security: There is no documented HIPAA training program or GDPR awareness training, no centralized system for logging and reviewing access to PHI, and only limited audit-log monitoring.

4. Recommended Compliance Procedures

a. HIPAA Compliance Framework

i. Risk Assessment and Management: Conduct a formal risk assessment documenting all vulnerabilities (encryption gaps, unsegmented networks, inadequate access controls); develop and implement a mitigation plan (fully migrate from DES to AES-256, segment the network into DMZ zones); and schedule quarterly reassessments for high-risk areas.

ii. Workforce Training Program: Develop a HIPAA curriculum covering PHI definitions, permitted disclosures, breach notification procedures, and sanction policies. Provide initial role-based training for all employees with annual refreshers, document attendance and completion, and run incident-specific training after any security event.

iii. Access Control Procedures: Assign unique user IDs, enforce strong password requirements, and require multi-factor authentication on all systems that create, receive, maintain, or transmit PHI. Configure automatic logoff after 15 minutes of inactivity, deploy role-based access control with the least privilege each job function needs, and encrypt all PHI at rest and in transit.

iv. Audit and Monitoring: Enable audit logs on all PHI systems and configure automated alerts for suspicious access patterns. Review access logs daily for critical systems and produce monthly audit reports for senior management.

b. GDPR Compliance Framework

i. Privacy by Design Implementation: Build all new products with privacy in mind, for example encrypting data at the point of creation. Restrict data collection to what is necessary for the specific clinical or operational purpose, and automate retention schedules so that personal data is deleted once its purpose is fulfilled.

ii. Lawful Basis Documentation: For clinical monitoring and emergency care, document "vital interests" as the lawful basis; for billing, document "legal obligation"; and for any non-core feature such as analytics, obtain and record explicit consent, with a mechanism for withdrawing it.

iii. Data Subject Rights Procedures: Provide a web portal where EU patients can submit Data Subject Access Requests (DSARs), and respond within one month as GDPR requires. Publish a right-to-erasure workflow that verifies the request and then deletes the data from live systems and backups when the request qualifies, and establish procedures for rectification requests and restrictions on processing.

iv. Data Protection Impact Assessments (DPIAs): Mandate a DPIA for any new implementation involving large-scale processing of health data, such as AI analytics modules, and document risks and mitigations. Re-evaluate DPIAs annually, and especially after major system changes or expansion into new markets.

D: ISO 31000 Risk Management Framework

1.
Overview: ISO 31000 is the International Organization for Standardization's set of guidelines for risk management. It gives organizations principles, a framework, and a process for managing risk; it is guidance rather than a certifiable management system standard. The current edition (2018) is written for organizations of all sizes and sectors, which makes it suitable for NovaSecure's healthcare technology operations.

2. ISO 31000 Core Risk Management Process

a. Establishing the Context: Clarify the scope of the risk management process and the organization's objectives, and set risk evaluation criteria based on internal and external factors.
External factors: HIPAA/GDPR compliance, FDA regulations, patient expectations, market conditions, stakeholder expectations.
Internal factors: 24/7 operations, life-critical systems, medical device dependencies, organizational governance, culture.

b. Risk Identification: Identify the events that could prevent the organization from reaching its objectives.
For NovaSecure: unpatched IoT devices, weak encryption, unsegmented networks.
Other risks: malware, phishing, and IoT device vulnerabilities.

c. Risk Analysis: Understand the causes and sources of the identified risks.
For NovaSecure: why DES encryption is still in use, the root causes of credential sharing, and why the network was never segmented. Analyze the likelihood and impact of each risk on patient safety and operations.

d. Risk Evaluation: Decide whether each risk is acceptable by comparing the analysis results with the risk criteria. Prioritize risks by severity and likelihood, and set risk tolerance levels for the different types of healthcare operations.

e. Risk Treatment: Deal with the risks that exceed the criteria.
Immediate actions for NovaSecure: renew the expired SSL/TLS certificates and stop using DES.

f. Monitoring and Review: Track the performance of the risk management process against its indicators, and confirm that controls are reviewed and the plan is being followed.

g. Communication and Consultation: Keep stakeholders informed of the policies and procedures implemented and explain the reasons behind decisions.

3. ISO 31000 Risk Management Principles

a. Integrated: Risk management must be part of all organizational operations and activities throughout the healthcare delivery process.

b. Structured and Comprehensive: A structured, comprehensive approach across all departments produces consistent and comparable results.

c. Customized: The framework and processes must be adapted to NovaSecure's healthcare objectives, staff, and context.

d. Inclusive: Appropriate and timely involvement of stakeholders (medical staff, IT, management) brings their knowledge and views into the process, improving awareness and informed decision-making.

e. Dynamic: Risk management must anticipate, detect, and respond to changes in the healthcare environment as they happen.

f. Best Available Information: Decisions rest on the best available information, using both quantitative data and qualitative healthcare expertise.

g. Human and Cultural Factors: Human behaviour and culture significantly influence risk management and must be considered at every stage, especially in healthcare settings.

h. Continual Improvement: The framework is continually improved through learning and experience. Organizations mature in risk management invest in it for the long term and achieve their objectives more reliably.

4. Framework and Guidelines Implementation

ISO 31000 framework components applied to NovaSecure:

a. Leadership and Commitment: Align risk management with business objectives and organizational culture, and determine the degree of risk NovaSecure is willing to accept in healthcare operations.

b. Integration: Define the roles and responsibilities of management and make risk management an integral part of every department and activity.

c. Planning (Design): Understand the organization and its internal and external context, and plan the healthcare-specific risk management program.

d. Execution (Implementation): Set goals and deadlines that take 24/7 healthcare operations into account; define, evaluate, and adjust decision-making processes as needed; and create incident response procedures for healthcare environments.

e. Evaluation: Measure the performance of the risk management framework, including patient safety improvements, and confirm that goals are feasible within healthcare operational constraints.

f. Continual Improvement: Continually monitor every aspect of the framework, respond to internal and external changes in the healthcare technology landscape, and plan actions to improve it.

5.
NovaSecure-Specific Risk Assessment Framework Risk Categories and Priorities: Critical Risks: Medical device vulnerabilities, patient data exposure Unpatched medical device vulnerabilities affecting patient safety Outdated DES encryption exposing PHI to unauthorized access Network vulnerabilities allowing access to medical devices High Risks: System availability, regulatory compliance Expired SSL certificates disrupting secure communications Inadequate physical security for data centre containing PHI Medium Risks: Operational efficiency, cost overruns Insufficient staff training on healthcare-specific security requirements Delayed patch cycles for non-critical systems Incomplete audit logging for PHI access Low Risks: Minor administrative issues Minor documentation inconsistencies in policies Single-factor authentication on non-PHI administrative systems E: Security Audits: 1. Definition and Purpose An IT security audit “compares and evaluates an organization’s information systems to a checklist of best practices, policies, standards, or regulations”. Its goals are to confirm that security measures align with NovaSecure’s objectives—protecting patient data, ensuring system reliability, and maintaining regulatory compliance—and to report on any risks or deficiencies. 2. Core Benefits for NovaSecure Data Protection: Audits review network access controls, encryption configurations, and data transmission methods to confirm PHI is secure. Vulnerability Identification: By examining hardware, software, networks, and human processes, audits pinpoint weaknesses to address them accordingly. Regulatory Compliance: Regular audits demonstrate compliance to HIPAA and GDPR requirements, reducing legal problems. Operational Insight: Multi-perspective analysis allows NovaSecure to optimize both cybersecurity and business workflows without introducing unnecessary complexity. 3. 
3. Audit Process Components
- Policy Level: Verify that NovaSecure’s security policies are comprehensive, up to date, and aligned with healthcare regulations.
- Procedure Level: Assess whether administrators and medical staff consistently follow documented procedures.
- System/Application Level: Test technical controls to confirm correct implementation and effectiveness.
4. Compliance Implications
- HIPAA Requirements: Audits must confirm periodic evaluations of administrative, physical, and technical safeguards; verify audit logs for all PHI access; and ensure findings are documented.
- GDPR Obligations: Audits support the accountability principle by providing evidence of DPIAs, ongoing security testing, and documented data-processing practices. They also validate that NovaSecure upholds data-subject rights workflows and cross-border transfer safeguards.
- NovaSecure-Specific Issues: Current audit focus areas include expired SSL/TLS certificates, deprecated encryption (DES), unsegmented networks, and policy violations such as credential sharing.
5. Patient Trust Implications
- Transparency and Accountability: Publishing audit summaries in an annual report demonstrates NovaSecure’s commitment to security and regulatory compliance.
- Breach Prevention: By identifying vulnerabilities proactively, audits reduce the likelihood of data breaches, increasing confidence among hospital clients and patients.
- Quality Assurance: Audits confirm system reliability and availability, which is critical for continuous patient monitoring and uninterrupted clinical workflows.

Part 3:
A: IT Security and Corporate Policies
Overview and Applicability
In healthcare organizations like NovaSecure, misalignment between IT security and corporate policy creates serious operational and compliance risks. Misalignment occurs “when the CISO does not have an equal voice in the enterprise” and when security is isolated from business strategy.
1. Identified Issues
- Legacy Encryption: DES is still in use despite policies that presumably require strong encryption.
- BYOD Risks: Medical staff access sensitive systems from personal devices, breaching internal controls.
- Credential Sharing: Password reuse and shift-based credential sharing undermine accountability.
- Physical Security Gaps: Generic keycards contradict security standards for facilities managing patient data.
2. Recommendations
a. Executive Integration
- Include security leadership in strategic decision-making for the entire organization.
- Hold joint discussions on risk tolerance with business managers.
b. Business-Security Alignment
- Frame security as a business requirement rather than a constraint.
- Link cybersecurity investments to healthcare quality.
- Communicate how data protection supports trust.
c. Policy Harmonization Process
- Conduct a full review of all IT and corporate policies.
- Identify contradictions or outdated directives.
- Develop a unified framework that reflects NovaSecure’s healthcare priorities and regulatory responsibilities.
- Engage stakeholders across departments for input and adoption.
d. Communication and Awareness
- Make policies accessible and understandable to all roles.
- Provide role-specific training to all employees.
- Launch internal campaigns to reinforce correct behaviors.
- Establish feedback loops for staff to report confusion or gaps.
3. Risks
a. Operational Conflict
- Staff bypass security controls to maintain efficiency.
- Emergency access workarounds become permanent vulnerabilities.
b. Employee Confusion
- Mixed messages lead to inconsistent behavior.
- Security procedures contradict workflow needs.
- Unclear rules increase human error and accidental data breaches.
c. Compliance Failures
- Regulatory violations (HIPAA, GDPR) due to mismatched policies and practices.
- Audit failures and potential sanctions from lack of alignment.
d. Security Gaps
- Poorly enforced access controls.
- Exposure to phishing, insider misuse, and unmonitored systems.
- Delayed incident response due to lack of coherent governance.
4. Healthcare-Specific Considerations
a. Patient-Centered Security
- Ensure security enables, rather than delays, patient care.
- Align emergency access procedures with clinical needs.
- Maintain usability and speed in critical healthcare systems.
b. Regulatory Integration
- Embed HIPAA and GDPR controls directly into security policies.
- Include FDA requirements for connected medical devices.
- Reflect jurisdiction-specific health data regulations in operations.
c. Stakeholder Inclusion
- Involve clinical leaders, compliance officers, and IT professionals in policy development.
- Balance security rigor with clinical practicality and administrative efficiency.

B: Stakeholder Roles in Audits
1. Internal Stakeholders
Executive Management
- Oversee implementation of audit recommendations.
- Allocate necessary resources (staff, budget, tools).
- Ensure security improvements align with 24/7 healthcare operations.
IT and Security Teams
- Apply technical fixes such as updating encryption, patching systems, and segmenting networks.
- Ensure minimal disruption to medical systems during implementation.
- Monitor systems post-remediation for effectiveness.
Medical Staff
- Provide feedback on the clinical impact of security changes.
- Report usability issues or workflow disruptions caused by new controls.
- Support adoption of security measures within care teams.
Facility and Security Officers
- Address physical security gaps (e.g., outdated access control systems).
- Implement recommended upgrades such as biometric authentication or CCTV for data centers.
2. External Stakeholders
External Auditors
- Verify that measures are complete and effective.
- Issue certifications needed for regulatory compliance.
Legal Counsel
- Review audit findings for legal purposes.
- Ensure regulatory breach notification timelines are met.
- Update contracts and policies as needed for compliance.
Medical Device Vendors
- Provide firmware updates for unpatched IoT devices.
- Assist with secure configuration and compliance with FDA guidance.
- Schedule changes to minimize downtime in clinical use.
Third-Party Service Providers
- Cloud vendors must enforce data encryption and access controls.
- Security vendors support implementation of monitoring, firewalls, and threat detection tools.
- Integration partners ensure secure APIs and data exchanges with hospitals.

C: Security Policies and Disaster Recovery Plan
1. Enterprise Information Security Policy (EISP)
Purpose: Establish an overarching strategy for protecting the confidentiality, integrity, and availability of patient data across NovaSecure’s digital health platforms.
Scope: Applies to all staff, systems, devices, vendors, and environments handling Protected Health Information (PHI).
Responsibilities:
- CISO: Leads enterprise security initiatives.
- Department Heads: Enforce policies within their teams.
- All Employees: Follow documented security procedures.
Key Principles:
- Privacy-by-design is mandatory across all systems.
- Role-based access and least-privilege enforcement.
- Security is integrated with patient safety and innovation.
- Continuous policy reviews and security assessments.
2. Issue-Specific Security Policy (ISSP): Password Management
Purpose: Prevent unauthorized access by enforcing strong authentication.
Requirements:
- Passwords must be at least 14 characters and meet complexity rules.
- Password reuse across systems is prohibited.
- Mandatory password changes every 90 days. (Note: NIST SP 800-63B recommends against scheduled rotation absent evidence of compromise; MFA and the lockout rule below do more against the credential sharing identified in Part 3 than rotation does.)
- MFA is required for clinical systems.
- No credential sharing.
Enforcement: Automated controls, account lockout after three failed attempts, and real-time alerts for anomalies.
3. System-Specific Security Policy (SSSP): Electronic Health Records (EHR)
Purpose: Secure NovaSecure’s EHR platform as a critical system for patient care.
Controls:
- Access Control: Role-based, department-specific permissions.
- Encryption: AES-256 for all stored and transmitted data.
- Audit Logs: Record user activity, including access time and actions.
- Session Management: Auto-logout after 15 minutes of inactivity.
- Backups: Encrypted backups stored off-site.
4. Disaster Recovery Plan (DRP) Components
- DRP Team: Led by the IT Director; includes Clinical Ops, Security, and Facilities.
- Recovery Objectives: RTO of 15 minutes for clinical systems and 4 hours for other systems; RPO of zero data loss for patient data and 1 hour for administrative systems. (Daily incremental backups cannot deliver a zero RPO on their own; the zero-loss objective for patient data depends on the continuous, replicated backups specified for the EHR below.)
- Backup Strategy: Weekly full backups and daily incremental backups; off-site encrypted storage with quarterly recovery tests.
- Documentation: Clear step-by-step recovery procedures.
5. Supporting Tools
- Backup: Veeam Healthcare Edition (HIPAA-compliant).
- Incident Response: SOAR platform for automated workflows.
- Monitoring: SIEM for real-time detection and alerts.
- Access Control: Privileged Access Management.
- Encryption: Hardware Security Module for key management.

D. High-Value Asset Security Plans
1. Electronic Health Records (EHR) System
Asset Justification
The EHR system is NovaSecure's most critical asset, containing all patient medical records, treatment histories, and personal health information. Current vulnerabilities include weak DES encryption and unsegmented network access, making it a prime target for attackers.
Tailored Security Controls
- Encryption: Immediate migration from DES to AES-256
- Access Control: Role-based access
- Network Isolation: Dedicated network with strict firewall rules
- Monitoring: Real-time SIEM alerts for unusual access patterns
- Backup: Continuous backups to an encrypted off-site location
- Authentication: Smart card plus biometric for all access
2. IoT Medical Devices
Asset Justification
These devices directly affect patient lives and are currently running "outdated firmware" according to the assessment. A compromise could have fatal consequences, making them the highest-risk asset despite their lower data value.
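The EHR plan above calls for immediate migration from DES to AES-256, and the SSSP requires AES-256 for stored and transmitted data. The Go program below is an added example, not code from the report or from NovaSecure: it models the per-record migration step, decrypting a legacy DES record and re-sealing it under AES-256-GCM with the record identifier bound as associated data. The legacy format (DES-CBC with an IV prefix and PKCS#7 padding, since the report names DES but no mode), the key material and the sample record are constructed assumptions for illustration; the legacy encrypt path exists only to manufacture test input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Unpad strips PKCS#7 padding from a non-empty, block-aligned buffer.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// legacyDES is the old system's primitive. Assumed format: DES-CBC, random 8-byte IV
// prefixed, PKCS#7 padding. DES's 56-bit key is brute-forceable; encrypt=true exists
// only to manufacture realistic test ciphertext and must never protect new data.
func legacyDES(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key) // accepts only an 8-byte key
	if err != nil {
		return nil, err
	}
	if encrypt {
		pad := des.BlockSize - len(data)%des.BlockSize
		padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
		out := make([]byte, des.BlockSize+len(padded))
		rand.Read(out[:des.BlockSize]) // IV; crypto/rand.Read cannot fail on Go 1.24+
		cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
		return out, nil
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return nil, errors.New("malformed legacy ciphertext")
	}
	out := make([]byte, len(data)-des.BlockSize)
	cipher.NewCBCDecrypter(block, data[:des.BlockSize]).CryptBlocks(out, data[des.BlockSize:])
	return pkcs7Unpad(out, des.BlockSize)
}

// newGCM refuses 16- and 24-byte keys so the policy's "AES-256" cannot silently degrade.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// AESGCMSeal: fresh 96-bit nonce; recordID is bound as associated data so a ciphertext
// re-filed under another patient fails to authenticate. Layout: nonce || ct || tag.
func AESGCMSeal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// AESGCMOpen: any change to nonce, ciphertext, tag or recordID yields an error.
func AESGCMOpen(key []byte, recordID string, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("malformed AES-GCM record")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], []byte(recordID))
}

// MigrateRecord: decrypt under the legacy key, re-seal under the new key, never persist plaintext.
func MigrateRecord(desKey, aesKey []byte, recordID string, legacy []byte) ([]byte, error) {
	pt, err := legacyDES(desKey, legacy, false)
	if err != nil {
		return nil, fmt.Errorf("legacy decrypt of %s: %w", recordID, err)
	}
	return AESGCMSeal(aesKey, recordID, pt)
}

func main() {
	desKey, aesKey := []byte("legacyk1"), sha256.Sum256([]byte("demo only; real keys come from the HSM")) // constructed
	legacy, _ := legacyDES(desKey, []byte("MRN 000123 | BP 120/80 | allergy: penicillin"), true)          // constructed PHI
	migrated, err := MigrateRecord(desKey, aesKey[:], "MRN-000123", legacy)
	back, _ := AESGCMOpen(aesKey[:], "MRN-000123", migrated)
	fmt.Println(err, string(back))
}
```

The AES key is derived from a string here only so the demo is self-contained; in production it lives in the HSM named under Supporting Tools and the migration job holds a handle to it, never the bytes. Binding the record ID as associated data means an attacker who can reorder rows in the datastore cannot move one patient's sealed record onto another patient's identifier, which neither the legacy DES-CBC nor unauthenticated AES-CBC would detect. GCM nonces must never repeat under one key, so a migration that seals hundreds of millions of records should rotate keys well before 2^32 operations.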
Tailored Security Controls
- Network Segmentation: Isolated medical device network with no internet access
- Patch Management: Monthly vendor coordination for firmware updates
- Access Gateway: Proxy server for all device communications
- Monitoring: Anomaly detection for unusual device behavior
- Physical Security: Locked equipment rooms with biometric access
- Fail-Safe Defaults: Devices continue operating if the network fails
3. Telehealth Platform
Asset Justification
Critical for remote patient care, and currently suffering from DDoS attacks and expired SSL certificates. Service disruption directly affects patient access to healthcare, and the platform handles real-time medical consultations.
Tailored Security Controls
- DDoS Protection: Cloud-based scrubbing service with auto-scaling
- Certificate Management: Automated renewal with 90-day validity, with renewal attempted at roughly two-thirds of the lifetime so a failed renewal is noticed before expiry
- Load Balancing: Geographic distribution across multiple data centers
- Session Security: End-to-end encryption for all video consultations
- Access Control: Time-based access with appointment verification
- Recording Protection: Encrypted storage with 7-year retention
4. Control Justification
Risk-Based Approach: Each asset's controls address specific identified vulnerabilities:
- EHR: Fixes weak encryption and access control issues
- Medical Devices: Addresses firmware vulnerabilities and network exposure
- Telehealth: Resolves DDoS and certificate problems
Regulatory Compliance:
- HIPAA technical safeguards for all three assets
- FDA requirements for medical device security
- GDPR encryption standards for data protection
Operational Considerations:
- Minimal disruption to clinical workflows
- Fail-safe mechanisms for patient safety
- 24/7 availability requirements met

References
Course slides.
European Union, 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR). [online] Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj [Accessed 10 Jun. 2025].
International Organization for Standardization (ISO), 2018. ISO 31000:2018 Risk management – Guidelines. [online] Available at: https://www.iso.org/standard/65694.html [Accessed 10 Jun. 2025].
National Institute of Standards and Technology (NIST), 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. [online] Available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf [Accessed 10 Jun. 2025].
U.S. Department of Health and Human Services (HHS), 2013. Summary of the HIPAA Security Rule. [online] Available at: https://www.hhs.gov/hipaa/for-professionals/security/lawsregulations/index.html [Accessed 10 Jun. 2025].