If the CIO and top management decide not to act on the situation and simply accept the
risks, the organization's information systems will become less secure. Thus, if any of
the workers is giving away information, they will continue to do so undetected. In
addition, hackers will be able to gain entry into the systems, and they could easily use
denial-of-service attack tools against them. They will therefore be able to steal
patients' private information and even an individual's financial information (Williams
& Woodward, 2015).
Due to advancements in technology, the system will become weaker over time, as noted by
Upton and Creese (2014). This will allow individuals to easily use phishing attacks to
maliciously attack the IT systems and infrastructure within the hospital, with
disastrous consequences. If the hospital's systems are penetrated by hackers, the
systems might be taken over, bringing operations to a halt. In addition, the
organization would be forced to spend more than 200,000 dollars to hire cyber
consultants to overhaul the system and return control to the organization. This does
not take into account the millions of dollars the organization would end up losing as
a result of halting its operations (Upton & Creese, 2014).
In addition, hackers gaining entry into the system might steal patients' personal data,
including financial information that they might exploit for their own malicious ends.
The organization would therefore be found in contravention of the Health Insurance
Portability and Accountability Act, meaning that it might be sued by its patients on
the grounds that it was negligent in protecting the information they entrusted to it
(“What is HIPAA”, 2016). Thus, in addition to the capital and resources the
organization would have to spend in case of a cyber-attack, it might have to reach an
out-of-court settlement and pay hefty sums to patients whose personal data has been
compromised.
Ignoring the situation and the risks noted will prove dire for the organization, as it
faces a level of risk which, if not addressed, will prove detrimental in the near
future (Williams & Woodward, 2015).
Possible ways the CIO can transfer the risks
Various methods exist by which the CIO can transfer some of the cyber risk faced by the
organization. These include buying cyber insurance, which gives the organization a
backstop in case its systems are hacked. It will also allow the organization to be
routinely evaluated by the cyber insurance company to identify any loopholes in
security. Thus, it will be the mandate of the cyber insurance company to come up with
stringent security measures and also to pay any liabilities resulting from privacy
issues (Klonoff, 2015). In addition, the insurance company will aid in data recovery by
providing an offline system where the hospital can store its records in case of a
cyber-attack, and will help eliminate cyber extortion by continually looking for
loopholes in the organization that could be exploited by hackers for financial gain
(Mylonas, Kastania & Gritzalis, 2013).
The organization therefore has the option of transferring some of the risk to an
insurance company, which might cushion the organization if it is sued by its patients.
This will ensure that the hospital's systems are regularly checked by the insurance
company, to which the hospital will remit monthly premiums. The insurance company will
therefore undertake the roles it signed up for, which might include regular auditing of
the security systems to determine any loopholes, strengthening the existing IT
infrastructure to be able to repel current threats or phishing attacks, and providing
storage options for the organization such as cloud provisioning services (Hall, Heath
& Coles-Kemp,
In addition, the insurance company will ensure that the hospital is compliant with all
the statutory regulations outlined by the various privacy acts. This will ensure that,
in case of any breach, the organization can show through its records that its systems
were up to standard. Further, the insurance company would also pay for the losses
incurred by the organization, since control has been ceded from the organization to
the cyber insurance company. Finally, the insurance company would provide backup
options in case data is lost and ensure that recovery of data happens efficiently,
allowing the hospital to continue with its operations (Hall, Heath & Coles-Kemp,
Possible ways to mitigate the risks
In addressing the security issues faced by the metropolitan hospital, it is prudent to
recognize that the vast majority of information security issues are not necessarily
caused by highly sophisticated technological exploits but rather by humans who fall
prey to phishing attacks, or by simple security vulnerabilities. In this case,
significantly reducing the hospital's risk of a data breach will require mitigating
the commonly overlooked risks. Moreover, it is prudent to brainstorm for any overlooked
vulnerabilities while implementing best practices in mitigating network security
issues. The following are some of the major ways to comprehensively mitigate the
common ways through which contemporary networks are compromised by cyber criminals:
Risks associated with mobile devices.
It is noted that the hospital's network allows connections from mobile devices through
its wireless network, since mobile phones are essential tools for worker productivity.
However, these mobile devices can expose the hospital to an array of security issues
such as interception of communications, compromise of the network by mobile malware,
and user risks associated with the sharing of mobile phones (Pfleeger & Pfleeger,
2002). Possible ways to mitigate mobile phone risks include having effective
acceptable use policies that stipulate how both hospital-owned and worker-owned mobile
devices may be used, using file integrity monitoring applications that can detect any
intrusion into the hospital's network through mobile devices, and implementing device
management technology that improves oversight and maintains timely security updates on
all mobile phones connected to the hospital's network.
Risks associated with portable storage devices.
These devices comprise storage devices such as USB drives and any other external
storage devices. It should be noted that these devices have the potential to introduce
threats into, or leak information out of, the hospital's network. The most common
method of mitigating the risks that come with these devices is to entirely ban the use
of external portable devices on the hospital's network devices (Pfleeger & Pfleeger,
2002). In doing so, the network administrator can disable all the ports on the
hospital's computers through Windows Active Directory and restrict removable media
access to certain users, a strategy that makes it impossible to download or share
photo/music files. Lastly, network users can be authorized to use secure alternative
storage techniques, such as cloud-based storage, as sharing options.
Authentication requirements.
This is a common avenue used by cyber criminals to gain access to networks.
Single-factor authentication can allow unauthorized access to go undetected. As such,
requiring both knowledge of certain credentials and possession of a known device can
be used to mitigate authentication security issues. Another approach to mitigating
authentication security issues is implementing multi-factor authentication and also
adding location (geolocation) and time of access as additional authentication factors
(Spear, 2007).
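As an illustration of this layered approach, the following Python function (an added example, not from the paper or any cited source) combines a password check, a time-based one-time code, a known-location check and a time-of-access window; the account record, secret, site names and shift hours are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample account (hypothetical; not from the hospital's systems).
# The password is stored as a salted PBKDF2 hash rather than in clear text.
_SALT = b"constructed-salt"
USERS = {
    "nurse01": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Correct-Horse-9!", _SALT, 100_000),
        "totp_secret": b"constructed-totp-secret",
        "allowed_sites": {"ward-3-wifi", "admin-lan"},  # locations this account may log in from
        "shift_hours": (7, 19),                        # permitted window, 07:00 to 19:00 UTC
    }
}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code: HMAC-SHA1 over the time counter,
    then dynamic truncation to `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def evaluate_login(user: str, password: str, code: str, site: str, now: int):
    """Check all four factors: something the user knows (password), something the
    user has (TOTP device), plus location and time of access. Returns
    (allowed, reasons); every failed factor is reported so it can be logged."""
    rec = USERS.get(user)
    if rec is None:
        return False, ["unknown user"]
    reasons = []
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(cand, rec["pw_hash"]):
        reasons.append("bad password")
    if not hmac.compare_digest(code, totp(rec["totp_secret"], now)):
        reasons.append("bad one-time code")
    if site not in rec["allowed_sites"]:
        reasons.append(f"unexpected location: {site}")
    hour = time.gmtime(now).tm_hour  # a real deployment would use the site's local zone
    start, end = rec["shift_hours"]
    if not start <= hour < end:
        reasons.append(f"outside access window: {hour:02d}:00 UTC")
    return not reasons, reasons
```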
Default software installations.
It should be noted that security vulnerabilities can occur in both home-developed IT
solutions and vendor-produced ones. As such, failing to constantly update the various
software used on the network nodes is risky. Actively mitigating application risks can
encompass deploying all vendor updates to purchased software immediately, and actively
identifying and remediating risks in both homegrown and vendor-supplied applications.
Additionally, network administrators should be required to follow the necessary change
control procedures, especially during configuration of the network or during any
update.
The issue of missing patches.
It should be noted that one missing patch can weaken an entire network. For a complex
data ecosystem such as the hospital's network, it is possible to lose control of patch
updates, thereby introducing a significant vulnerability. As such, missing-patch
security issues can be mitigated by applying patch updates regularly in line with PCI
requirements. Also, critical files should be monitored for any changes during
scheduled patch updates.
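The monitoring of critical files mentioned here, and the file integrity monitoring mentioned under mobile devices above, can be realised by hashing the files before and after a patch run and reporting the drift. The following Python code is an added example (not from the paper or any cited source); the file set is a constructed temporary directory and the "patch" is simulated.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(before: dict, after: dict) -> dict:
    """Classify drift between two baselines taken before and after a patch run."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def demo() -> dict:
    """Constructed scenario: snapshot a directory, apply a simulated patch that
    updates one binary, drops an unexpected file and deletes a config, then report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"service build 1")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        before = baseline(root)
        # simulated patch run
        (root / "bin" / "service.exe").write_bytes(b"service build 2")  # expected update
        (root / "bin" / "helper.dll").write_bytes(b"unexpected file")   # not in the vendor's notes
        (root / "etc" / "app.conf").unlink()                            # config silently removed
        after = baseline(root)
        return compare(before, after)
```

Anything in "added" or "removed" that the vendor's release notes do not account for, and any "modified" entry outside the patched component, is what the reviewer of a scheduled patch window should be asked to explain.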
Poor configuration choices.
A careful analysis of the security issues being experienced at the hospital shows that
there could be poor configuration in its network. Default configurations are commonly
known to be a main source of risk in a network (Spear, 2007). As such, this issue can
be mitigated by carrying out an expert review of the hospital's firewall rule bases to
check for any rules which do not match the hospital's security needs. Moreover,
mitigation approaches should include ensuring that the security policies are
comprehensive and using effective use-policy guidelines to guide firewall
configuration.
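Part of such a rule-base review can be automated. The following Python audit (an added example, not from the paper or any cited source) walks a constructed sample rule base and flags any/any allows, administrative ports exposed to every source, and rules shadowed by an earlier broader rule; the rule names and addresses are hypothetical.

```python
import ipaddress

# Constructed sample rule base (hypothetical; not the hospital's real rules).
# Rules are evaluated top-down; 'any' means all ports.
RULES = [
    {"name": "https-from-wards", "action": "allow", "src": "10.20.0.0/16", "dst": "10.1.0.10/32", "port": 443},
    {"name": "vendor-temp-any", "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any"},
    {"name": "ehr-db-from-app", "action": "allow", "src": "10.1.0.10/32", "dst": "10.1.0.20/32", "port": 5432},
    {"name": "rdp-from-internet", "action": "allow", "src": "0.0.0.0/0", "dst": "10.1.0.0/24", "port": 3389},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any"},
]
ADMIN_ONLY_PORTS = {22, 3389, 5900}  # remote-administration services

def _net(cidr: str):
    return ipaddress.ip_network(cidr)

def covers(outer: dict, inner: dict) -> bool:
    """True if `outer` matches every packet that `inner` would match."""
    return (_net(outer["src"]).supernet_of(_net(inner["src"]))
            and _net(outer["dst"]).supernet_of(_net(inner["dst"]))
            and (outer["port"] == "any" or outer["port"] == inner["port"]))

def audit(rules: list) -> list:
    """Return (rule name, finding) pairs for rules that contradict least privilege
    or can never take effect because an earlier rule already decides their traffic."""
    findings = []
    for i, r in enumerate(rules):
        any_src = _net(r["src"]).prefixlen == 0
        any_dst = _net(r["dst"]).prefixlen == 0
        if r["action"] == "allow" and any_src and any_dst and r["port"] == "any":
            findings.append((r["name"], "any/any allow: permits all traffic"))
        elif r["action"] == "allow" and any_src and r["port"] in ADMIN_ONLY_PORTS:
            findings.append((r["name"], f"admin port {r['port']} exposed to any source"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r["name"], f"shadowed by earlier rule {earlier['name']}"))
                break
    return findings
```

On the sample above the temporary vendor rule not only opens everything but also shadows the final deny, so the rule base behaves as if the deny were absent; that is the kind of mismatch with stated security needs the review is meant to surface.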
Possible ways to eliminate the risks
This section encompasses eliminating the identified risks. The major issues to be
taken into consideration are the abnormal activities that took place on the hospital's
computer system as a result of unauthorized access to user accounts. The possible ways
of eliminating the identified risks include:
Effective password management.
It is noted that the security issue being experienced at the hospital is a result of
compromised user passwords. Studies have shown that a number of passwords in various
networks are still set as defaults or as admin passwords, leading to poor password
control and governance (Pfleeger & Pfleeger, 2002). Also, other aspects of poor
organizational control such as minimal password standards or allowing infrequent
password changes are among the issues which could have led to the security issues
being experienced on the hospital's network. As such, this risk will be eliminated by
first fully encrypting all stored passwords using the Advanced Encryption Standard
(AES) in line with PCI-DSS standards, logging out all users and instructing all users
to change their passwords, coming up with guidelines for using strong and