If the CIO and the top management decide not to act on the situation and accept the risks, it would be ill-advised, as the organization's information system will become less secure. Thus, if any of the workers were giving away information, they would continue to do so undetected. In addition, hackers will also be able to gain entry into the systems, and they could easily use denial-of-service attack software to enter the system. They will therefore be able to steal patients' private information and even an individual's financial information (Williams & Woodward, 2015). Further, due to advancements in technology, the system will become weaker, as noted by Upton and Creese (2014).
This will allow individuals to easily use phishing attacks to maliciously attack the IT systems and infrastructure within the hospital, which will lead to disastrous consequences. If the hospital systems are penetrated by hackers, the system might be taken over, bringing a halt to operations. In addition, the organization will be forced to spend more than 200,000 dollars to hire cyber consultants to overhaul the system and return control to the organization. This does not take into account the millions of dollars the organization will end up losing as a result of halting its operations (Upton & Creese, 2014).
In addition, hackers gaining entry into the system might lead to the hackers stealing personal data about patients. This might give the hackers access to the patients' financial information, which they might exploit for their own negative motives. The organization will therefore be found in contravention of the Health Insurance Portability and Accountability Act. This means that the organization might be sued by its patients, claiming that the organization was negligent in protecting the information presented to it by its patients ("What is HIPAA", 2016). Thus, in addition to the capital and resources the organization will have to spend in case of any cyber-attack, it might have to reach an out-of-court settlement and pay hefty sums to patients whose personal data has been compromised. Thus, ignoring the situation and the risks noted will prove dire for the organization, as it faces a certain level of risk which, if not addressed, will prove detrimental in the near future (Williams & Woodward, 2015).

Possible ways the CIO can transfer the risks

However, various methods exist by which the CIO can transfer some of the cyber risk faced by the organization. These include buying cyber insurance, which will give the organization a backup in case its systems are hacked.
In addition, it will also allow the organization to be routinely evaluated by the cyber insurance company to determine any loopholes in security. Thus, it will be the mandate of the cyber insurance company to come up with stringent security measures and also pay any liabilities resulting from privacy issues (Klonoff, 2015). In addition, the insurance company will also aid in data recovery by providing an offline system where the hospital can store its records in case of a cyber-attack, and will also help eliminate cyber extortion by continually looking for loopholes in the organization which can be exploited by hackers for financial gain (Mylonas, Kastania & Gritzalis, 2013). Thus, the organization does have a choice in transferring some of the risk to an insurance company, which might cushion the organization if it is sued by its patients. This will ensure that the hospital's systems are regularly checked by the insurance company, to which the hospital will remit monthly premiums. The insurance company will therefore undertake the roles it signed up for, which might include regular auditing of the security systems to determine any loopholes, strengthening the existing IT infrastructure to be able to repel any current threats or phishing attacks, and providing storage options for the organization such as cloud provisioning services (Hall, Heath & Coles-Kemp, 2015). In addition, the insurance company will also ensure that the hospital is compliant with all the statutory regulations outlined by the various privacy acts. This will ensure that in case of any breaches, the organization can show through its records that its systems were up to standard.
Further, the insurance company would also pay for the losses incurred by the organization, since control has been ceded from the organization to the cyber insurance company. Finally, the insurance company would also provide backup options in case data was lost and ensure that recovery of data happens in an efficient manner, which would allow the hospital to continue with its operations (Hall, Heath & Coles-Kemp, 2015).

Possible ways to mitigate the risks

When addressing the security issues encompassed by the metropolitan hospital, it is prudent to ascertain that the vast majority of information security issues are not necessarily caused by highly sophisticated technological exploitation but rather by humans who fall prey to phishing attacks or by simple security vulnerabilities. In this case, significantly reducing the hospital's risk of a data breach will require the mitigation of the commonly overlooked risks. Moreover, it is prudent to brainstorm for any overlooked vulnerabilities while implementing best practices in mitigating network security issues.
The following are some of the major ways to comprehensively mitigate the common ways through which contemporary networks are compromised by cyber criminals:

§ Mitigating risks associated with mobile devices. It is noted that the hospital's network encompasses connections to mobile devices through its wireless connections. This is because mobile phones are essential tools for worker productivity. However, these mobile devices can expose the hospital to an array of security issues such as communication interception, compromise of the network by mobile malware, and user risks associated with sharing of the mobile phones (Pfleeger & Pfleeger, 2002). Possible ways to mitigate mobile phone risks include having effective acceptable use policies which stipulate how to use both hospital-owned and worker-owned mobile devices, use of file integrity monitoring applications which can detect any intrusion into the hospital's network through the mobile devices, and implementation of device management technology which improves oversight and maintains timely security updates on all the mobile phones connected to the hospital's network.
§ Mitigating risks associated with portable storage devices. These devices comprise storage devices such as USB drives and any other relevant external storage devices. It should be noted that these devices have the potential to introduce or leak information out of the hospital's network. The most common methodology of mitigating the risks which come with these devices is entirely banning the use of external portable devices on the hospital's network devices (Pfleeger & Pfleeger, 2002). In doing so, the network admin can turn off all the ports on the hospital's computers through Windows Active Directory, and restrict media access to certain users, a strategy that can make it impossible to download or share photo/music files. Lastly, the network users can be authorized to use secure alternative storage techniques such as cloud-based storage as sharing options.
§ Checking on authentication requirements. This is a common avenue used by cyber criminals to gain access to networks. Single-factor authentication can allow unauthorized access to go undetected.
As such, knowledge of certain credentials as well as possession of a well-known device can be used in mitigating security issues concerned with authentication. Another approach to mitigating authentication security issues includes implementing multiple-factor authentication and also adding location (geolocation) and time of access as additional authentication factors (Spear, 2007).

§ Working on default software installations. It should be noted that security vulnerabilities can occur in both home-developed IT solutions as well as vendor-produced ones. As such, failing to constantly update the various software used in the network nodes can be risky. Actively mitigating application risks can encompass deploying all updates from vendors to purchased software immediately, and actively identifying and remediating risks in both homegrown and vendor-supplied applications. Additionally, network administrators should be required to follow the necessary change control procedures, especially during the configuration of the network or during any update.
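The authentication bullet above lists the signals a login decision can combine: a credential the user knows, a second factor, a recognised device, and the location and time of access. The following added example, which is not part of the essay and does not describe any particular product, shows one way a policy engine can combine those signals so that a single-factor login is never accepted and unusual context is surfaced for review rather than silently allowed. The LoginAttempt and AuthPolicy names, the working-hours window and the "two risk signals" threshold are assumptions chosen for illustration.

```python
"""Risk-based login evaluation combining knowledge, possession, device, location and time.

Added example; the class names, policy values and sample attempts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool   # knowledge factor, already verified by the credential store
    otp_ok: bool        # possession factor (authenticator app or hardware token)
    device_id: str      # identifier of the device presenting the session
    country: str        # geolocation derived from the source address
    when: datetime      # local time of the attempt


@dataclass
class AuthPolicy:
    known_devices: dict = field(default_factory=dict)            # user -> set of device ids
    allowed_countries: set = field(default_factory=lambda: {"US"})
    work_start: time = time(6, 0)
    work_end: time = time(22, 0)


def evaluate_login(attempt: LoginAttempt, policy: AuthPolicy) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    A wrong password or a missing/invalid second factor always denies, so a
    single-factor login never slips through undetected. With both factors valid,
    an unrecognised device, an unexpected country and off-hours access each add
    one risk signal; two or more signals require step-up verification and a
    review, instead of a quiet allow.
    """
    if not attempt.password_ok:
        return "deny", ["password rejected"]
    if not attempt.otp_ok:
        return "deny", ["second factor missing or invalid"]

    reasons = []
    if attempt.device_id not in policy.known_devices.get(attempt.user, set()):
        reasons.append("unrecognised device")
    if attempt.country not in policy.allowed_countries:
        reasons.append(f"login from unexpected country {attempt.country}")
    if not (policy.work_start <= attempt.when.time() <= policy.work_end):
        reasons.append("access outside working hours")

    if len(reasons) >= 2:
        return "step_up", reasons
    return "allow", reasons or ["all factors and context checks passed"]


# Constructed policy and login attempts for a hypothetical hospital tenant.
POLICY = AuthPolicy(known_devices={"nurse01": {"ward-laptop-7"}})

SAMPLES = {
    "normal_shift": LoginAttempt("nurse01", True, True, "ward-laptop-7", "US", datetime(2024, 3, 4, 9, 15)),
    "no_second_factor": LoginAttempt("nurse01", True, False, "ward-laptop-7", "US", datetime(2024, 3, 4, 9, 15)),
    "odd_hours_new_device": LoginAttempt("nurse01", True, True, "unknown-pc", "US", datetime(2024, 3, 4, 2, 40)),
    "travelling_known_device": LoginAttempt("nurse01", True, True, "ward-laptop-7", "DE", datetime(2024, 3, 4, 9, 15)),
}


def run_samples() -> dict:
    """Decision per sample attempt, for the audit log and for the test below."""
    return {name: evaluate_login(attempt, POLICY)[0] for name, attempt in SAMPLES.items()}


if __name__ == "__main__":
    for name, attempt in SAMPLES.items():
        decision, why = evaluate_login(attempt, POLICY)
        print(f"{name:26} -> {decision:8} {'; '.join(why)}")
```

The single travelling login from a known device is still allowed but carries a recorded reason, which is the kind of event a later review of authentication logs should be able to pick out; the combination of a new device and a 02:40 login is what triggers step-up.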
§ Addressing the issue of missing patches. It should be noted that one missing patch can weaken an entire network. For a complex data ecosystem such as the one in the hospital's network, it is possible to lose control of patch updates, hence introducing a significant vulnerability.
As such, missing-patch security issues can be mitigated by applying patch updates regularly with respect to PCI requirements. Also, it is required that critical files be monitored for any changes during scheduled patch updating.

§ Checking on poor configuration choices. A careful analysis of the security issues being experienced at the hospital shows that there could be poor configuration in its network. Commonly, default configurations are known to be the main sources of risk in a network (Spear, 2007).
As such, this issue can be mitigated by carrying out an expert review of the hospital's network firewall rule bases to check for any vulnerabilities which do not match the hospital's security needs. Moreover, mitigation approaches should include ensuring that the security policies are comprehensive and using effective use-policy guidelines to guide firewall configuration bases.

Possible ways to eliminate the risks

This section encompasses eliminating the identified risks accordingly. The major issues to be taken into consideration are the abnormal activities that took place in the hospital's computer system as a result of the unauthorized access of user accounts.
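The two preceding mitigation bullets, missing patches and poor configuration choices, both come down to comparing what is actually deployed against a written baseline: patch levels against a required minimum, critical files against a pre-patch snapshot, and firewall rules against a least-privilege policy. The following added example, which is not from the essay or any vendor product, does all three over a constructed host inventory, a constructed rule base and temporary files; the component names, version numbers, addresses and rule ids are invented for illustration.

```python
"""Baseline audit: patch gaps, critical-file changes during patching, firewall rule review.

Added example; inventory, baseline, rule base and file contents are all constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed patch baseline: component -> minimum acceptable version.
PATCH_BASELINE = {"emr-web": (4, 2, 1), "db-server": (12, 6, 0), "openssl": (3, 0, 13)}

# Constructed inventory: host -> {component: installed version}.
INVENTORY = {
    "emr-app-01": {"emr-web": (4, 2, 1), "db-server": (12, 6, 0), "openssl": (3, 0, 13)},
    "emr-app-02": {"emr-web": (4, 1, 9), "db-server": (12, 6, 0), "openssl": (3, 0, 11)},
    "lab-gw-01": {"emr-web": (4, 2, 1), "openssl": (3, 0, 13)},
}


def patch_gaps(inventory=INVENTORY, baseline=PATCH_BASELINE):
    """Per host: components below baseline, and components the inventory cannot
    vouch for at all. An unreported component is a lost-control finding, not a pass."""
    report = {}
    for host, installed in inventory.items():
        below = sorted(c for c, v in baseline.items() if c in installed and installed[c] < v)
        unreported = sorted(c for c in baseline if c not in installed)
        if below or unreported:
            report[host] = {"below_baseline": below, "unreported": unreported}
    return report


def snapshot(paths):
    """SHA-256 of each critical file; taken once before and once after a patch run."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in paths}


def changed_files(before, after):
    """Files whose hash differs, or that vanished, between the two snapshots."""
    return sorted(name for name, digest in before.items() if after.get(name) != digest)


def demo_file_monitoring():
    """Constructed run: two config files are snapshotted, an imagined patch script
    alters one of them, and the change is reported for review before go-live."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "app.conf"
        hosts = Path(tmp) / "allowed_hosts"
        cfg.write_text("listen=127.0.0.1\n")
        hosts.write_text("10.0.1.0/24\n")
        before = snapshot([cfg, hosts])
        cfg.write_text("listen=0.0.0.0\n")  # the patch silently widened the bind address
        after = snapshot([cfg, hosts])
        return changed_files(before, after)


# Constructed rule base in the shape of a perimeter firewall export (first match wins).
FIREWALL_RULES = [
    {"id": 10, "src": "10.0.1.0/24", "dst": "10.0.2.10", "port": 443, "action": "allow"},
    {"id": 20, "src": "any", "dst": "any", "port": "any", "action": "allow"},
    {"id": 30, "src": "10.0.3.0/24", "dst": "10.0.2.10", "port": 23, "action": "allow"},
    {"id": 40, "src": "10.0.1.0/24", "dst": "10.0.2.10", "port": 443, "action": "allow"},
    {"id": 99, "src": "any", "dst": "any", "port": "any", "action": "deny"},
]
CLEARTEXT_PORTS = {21, 23, 80}  # assumed: services the hospital's policy does not permit


def review_rules(rules=FIREWALL_RULES):
    """Flag rules that do not match a least-privilege policy: permit-any rules,
    cleartext services, and duplicates that make the rule base hard to review."""
    findings = []
    seen = set()
    for r in rules:
        key = (r["src"], r["dst"], r["port"], r["action"])
        if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any":
            findings.append((r["id"], "permit-any rule bypasses the rest of the rule base"))
        elif r["action"] == "allow" and r["port"] in CLEARTEXT_PORTS:
            findings.append((r["id"], f"allows cleartext service on port {r['port']}"))
        if key in seen:
            findings.append((r["id"], "duplicate of an earlier rule"))
        seen.add(key)
    return findings


if __name__ == "__main__":
    print("patch gaps:", patch_gaps())
    print("files changed by patch run:", demo_file_monitoring())
    for rule_id, note in review_rules():
        print(f"rule {rule_id}: {note}")
```

Rule 20 is the case the "expert review" bullet is really about: an allow-any above the final deny makes every later rule irrelevant, and a default or hastily added rule of that shape is exactly what a rule-base review should catch. The inventory check treats a host that reports nothing for a required component as a finding rather than as compliant, because an inventory gap is how control of patch updates gets lost in the first place.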
The possible ways of eliminating the identified risks include:

§ Implementing effective password management. It is noted that the security issue being experienced at the hospital is a result of the compromise of user passwords. Studies have shown that a number of passwords are still set as default or as admin in various networks, hence leading to poor password control and governance (Pfleeger, 2002).
Also, other aspects of poor organizational control, such as using minimal password standards or allowing for infrequent password changes, are some of the issues which could have led to the security issues being experienced on the hospital's network. As such, this risk will be eliminated by first fully encrypting all stored passwords using the Advanced Encryption Standard (AES) with respect to PCI-DSS standards, logging out all users and instructing all users to change their passwords, and coming up with guidelines for using strong and complex
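The password-management bullet above names the controls a guideline would enforce: no default or admin passwords, more than minimal strength standards, and regular changes. The following added example, which is not part of the essay, turns those three into a checker that reports every rule an account breaks, so a forced reset can be audited rather than merely announced. The length, character-class and age thresholds, the default-password list and the three sample accounts are assumptions constructed for illustration.

```python
"""Password policy audit for the password-management bullet above.

Added example; thresholds, the default-password list and the accounts are constructed.
"""
import string
from datetime import date

MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_AGE_DAYS = 90
# Constructed: factory-default and well-known values that must never be accepted.
DEFAULT_PASSWORDS = {"admin", "administrator", "password", "changeme", "welcome", "hospital"}


def password_violations(candidate: str, username: str, last_changed: date, today: date) -> list[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    # Strip the digits and symbols people bolt onto a default ("admin123!" -> "admin").
    stem = lowered.rstrip(string.digits + string.punctuation)
    if lowered in DEFAULT_PASSWORDS or stem in DEFAULT_PASSWORDS:
        problems.append("default or well-known password")
    if username.lower() in lowered:
        problems.append("contains the username")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"not changed for more than {MAX_AGE_DAYS} days")
    return problems


# Constructed accounts: (username, current password, date of last change).
ACCOUNTS = [
    ("dr.lee", "admin123!", date(2024, 1, 2)),
    ("jsmith", "Jsmith-Winter-2023", date(2023, 10, 1)),
    ("nurse01", "Trellis!Orbit7Quartz", date(2024, 2, 10)),
]
AUDIT_DATE = date(2024, 3, 1)


def audit_accounts(accounts=ACCOUNTS, today=AUDIT_DATE) -> dict:
    """Username -> list of violations, the input for a targeted reset and user guidance."""
    return {user: password_violations(pw, user, changed, today) for user, pw, changed in accounts}


if __name__ == "__main__":
    for user, problems in audit_accounts().items():
        status = "; ".join(problems) if problems else "compliant"
        print(f"{user:8} {status}")
```

In a real deployment the checker would run inside the credential store at change time, against the candidate password only; the audit over existing accounts would have to rely on the store's own metadata (age, reuse flags) since plaintext passwords are not available to an auditor.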