Confidentiality:

advertisement
Organized Union for Critical Healthcare
Information Security Assessment
Introduction
The NTS450/MSE450 performed a security assessment according to NSA INFOSEC
Assessment Methodology standards on Organized Union for Critical Healthcare. The
mission of OUCH is to “To treat all patients appropriately while abiding to federal
regulations.”
The purpose of the assessment is to find vulnerabilities in the overall security posture by
assessing policies, processes, standards, and the culture of the organization.
Defining Impact Attributes
Confidentiality:
The existence of an object and/or its contents is not accessed or
disclosed to unauthorized subjects.
Integrity:
Data is accurate and complete and has not been wrongly modified
or destroyed in an authorized or unauthorized manner.
Availability:
Information is available to authorized individuals when they need
it.
High:
A high impact includes financial loss of $1 million or more, risk of
loss of life or serious injury, wide release of patient information,
power outage for more than one hour, and catastrophic damage to
the hospital building.
Medium:
A medium impact includes financial loss of $100,000 to $1
million, risk of minor injury, individual theft of
patient/employee/financial information, and repairable damage to
the building.
Low:
A low impact includes financial loss of less than $100,000,
inconvenience to patients, and loss of productivity.
Organizational Information Criticality
The organizational information criticality will show the perceived impact of the loss of
confidentiality, integrity, or availability concerning the information within the OUCH
organization. This includes a listing of information types and definitions of impact
attributes and their rating. Information identified as critical by officers of OUCH are the
following:
Patient Information:
Including information such as SSN, current injury and/or
illness, admissions/releases, financial information
(insurance, credit card, etc.), and other critical medical
information (allergies, etc.).
Employee Information:
Including information such as SSN, and financial
information (salary, banking accounts, investment plans,
credit card, etc.).
Scheduling Information:
Information pertaining to patient medications, patient
feeding, schedule surgeries, and scheduled checkups.
Financial Information:
Including all information pertaining to OUCH’s monetary
gains.
Organizational Criticality Matrix
Information
Patient
Employee
Scheduling
Financial
Confidentiality
HIGH
MEDIUM
LOW
LOW
Integrity
HIGH
LOW
HIGH
MEDIUM
Availability
MEDIUM
LOW
LOW
LOW
System Information Criticality
This section discusses the perceived impact of the loss of confidentiality, integrity, or
availability in regard to the information types stored, processed, and transmitted within
specific denoted systems of the OUCH organization.
Human Resources:
Patient data and employee data.
Medication:
Medication instructions for all patients.
Admissions:
System for admitting new patients.
Morgue:
Records and all necessary data for the morgue.
System Criticality Matrix
System
Human Resources
Medication
Admissions
Morgue
Confidentiality
HIGH
LOW
LOW
LOW
Integrity
MEDIUM
HIGH
LOW
MEDIUM
Availability
LOW
HIGH
MEDIUM
LOW
Assessment Findings Summary
Throughout this assessment we have found numerous vulnerabilities with some being
much more critical than others. These are the vulnerabilities we have found and our
suggestions to reducing the risk of them.
Disaster Recovery Plan
The disaster recovery plan we received is still a work-in-progress. The plan does not
state who is responsible for what tasks. There are no people appointed to lead the
effort in restoring business operations which is one of the most important things in a
disaster recovery plan. There is also no continuity plan for bringing the organization
back to order.
The section regarding computer crime should include an incident response plan. In
that plan, it should include who is responsible for contacting legal authority if the
need arises and what is to be done from a public relations perspective.
One of the most important sections of the disaster recovery plan is the contacts. It
should include the contact information for every individual who would be responsible
for helping OUCH recover from an incident or disaster.
Password Policy
There is not existing password policy. A policy needs to be created that addresses
some very important needs. Passwords should contain alphanumeric characters and
be at least ten characters long. New passwords should be issued every at least every
90 days. A password lockout should be implanted after three unsuccessful login
attempts.
Instructor:
Greg Miles
Team Leads:
Brian Bernstein
Marcin Wielgoszewski
Assessment Team:
Alexander Andrews
Benjamin Chiu
Jeremy Leung
Russell McAndrew
Moises Moreno
Christopher Saltzman
Benton Snyder
David Westcott
Download