Organized Union for Critical Healthcare Information Security Assessment Introduction The NTS450/MSE450 performed a security assessment according to NSA INFOSEC Assessment Methodology standards on Organized Union for Critical Healthcare. The mission of OUCH is to “To treat all patients appropriately while abiding to federal regulations.” The purpose of the assessment is to find vulnerabilities in the overall security posture by assessing policies, processes, standards, and the culture of the organization. Defining Impact Attributes Confidentiality: The existence of an object and/or its contents is not accessed or disclosed to unauthorized subjects. Integrity: Data is accurate and complete and has not been wrongly modified or destroyed in an authorized or unauthorized manner. Availability: Information is available to authorized individuals when they need it. High: A high impact includes financial loss of $1 million or more, risk of loss of life or serious injury, wide release of patient information, power outage for more than one hour, and catastrophic damage to the hospital building. Medium: A medium impact includes financial loss of $100,000 to $1 million, risk of minor injury, individual theft of patient/employee/financial information, and repairable damage to the building. Low: A low impact includes financial loss of less than $100,000, inconvenience to patients, and loss of productivity. Organizational Information Criticality The organizational information criticality will show the perceived impact of the loss of confidentiality, integrity, or availability concerning the information within the OUCH organization. This includes a listing of information types and definitions of impact attributes and their rating. Information identified as critical by officers of OUCH are the following: Patient Information: Including information such as SSN, current injury and/or illness, admissions/releases, financial information (insurance, credit card, etc.), and other critical medical information (allergies, etc.). Employee Information: Including information such as SSN, and financial information (salary, banking accounts, investment plans, credit card, etc.). Scheduling Information: Information pertaining to patient medications, patient feeding, schedule surgeries, and scheduled checkups. Financial Information: Including all information pertaining to OUCH’s monetary gains. Organizational Criticality Matrix Information Patient Employee Scheduling Financial Confidentiality HIGH MEDIUM LOW LOW Integrity HIGH LOW HIGH MEDIUM Availability MEDIUM LOW LOW LOW System Information Criticality This section discusses the perceived impact of the loss of confidentiality, integrity, or availability in regard to the information types stored, processed, and transmitted within specific denoted systems of the OUCH organization. Human Resources: Patient data and employee data. Medication: Medication instructions for all patients. Admissions: System for admitting new patients. Morgue: Records and all necessary data for the morgue. System Criticality Matrix System Human Resources Medication Admissions Morgue Confidentiality HIGH LOW LOW LOW Integrity MEDIUM HIGH LOW MEDIUM Availability LOW HIGH MEDIUM LOW Assessment Findings Summary Throughout this assessment we have found numerous vulnerabilities with some being much more critical than others. These are the vulnerabilities we have found and our suggestions to reducing the risk of them. Disaster Recovery Plan The disaster recovery plan we received is still a work-in-progress. The plan does not state who is responsible for what tasks. There are no people appointed to lead the effort in restoring business operations which is one of the most important things in a disaster recovery plan. There is also no continuity plan for bringing the organization back to order. The section regarding computer crime should include an incident response plan. In that plan, it should include who is responsible for contacting legal authority if the need arises and what is to be done from a public relations perspective. One of the most important sections of the disaster recovery plan is the contacts. It should include the contact information for every individual who would be responsible for helping OUCH recover from an incident or disaster. Password Policy There is not existing password policy. A policy needs to be created that addresses some very important needs. Passwords should contain alphanumeric characters and be at least ten characters long. New passwords should be issued every at least every 90 days. A password lockout should be implanted after three unsuccessful login attempts. Instructor: Greg Miles Team Leads: Brian Bernstein Marcin Wielgoszewski Assessment Team: Alexander Andrews Benjamin Chiu Jeremy Leung Russell McAndrew Moises Moreno Christopher Saltzman Benton Snyder David Westcott