Problem Statement
The subject is a cybersecurity solution for a major hospital, identified as Big City Hospital. The hospital uses a variety of IT systems connected via a hospital local area network (LAN) to create a hospital information enterprise. The enterprise interacts with external organizations and users via the public Internet. This IT environment is used to manage:
Patient records and related data.
Pharmacy data on drug inventories, dispensing, ordering, disposal, etc.
Medical supplies data, including inventories, usage, and ordering.
Scheduling of operating theaters, treatment facilities, and other shared facilities, equipment, and resources.
Staff records, including medical professionals, affiliated providers, administrative staff, and maintenance staff.
Food service operations, including a cafeteria and room service for patients.
General operations data such as building and equipment maintenance, janitorial services, non-medical supplies, telecommunications and network services, etc.
Much of the hospital's data is highly sensitive. Patient information is protected by public law (e.g. HIPAA), and other personal data requires a high level of protection. Pharmacy data can be stolen or corrupted as part of the theft of expensive drugs for illegal resale. Personal data on staff members is also subject to theft, including identity theft. Other data requires various levels of protection based on its sensitivity. Corruption, hostile encryption, or deletion of patient records has major implications for their care and thus raises a serious safety concern.
Threats to these information assets can arise from the full spectrum of Threat Agents. A particular concern of the health care industry is ransomware attacks, in which the attacker gains access to data repositories, encrypts them, and demands payment to provide the key to decrypt the files. Organized crime is known to be using stolen drugs as a major source of revenue. Hackers, disgruntled current or former employees, and others may attempt to breach the hospital enterprise for a variety of reasons. Insiders, both malicious and inadvertent, are involved in many attack scenarios.
The hospital's owners and executives have promulgated a security policy with the following key features:
Business Security Objectives: the following represent the acceptable level of residual risk after security controls are implemented:
No more than one data breach per year of any kind.
Probability of exposure of Most Sensitive data < 1% per year (1 exposure every 100 years).
System Availability > 98%.
IT Security Policy: the following specific security measures will be implemented as part of an overall balanced and operationally effective cybersecurity solution:
Strong Authentication: maximize confidentiality by minimizing the risk of unauthorized access to resources.
Mandatory Access Control: all sensitive assets will have explicit access permissions.
Role-Based Fine-Grained Authorizations/Access Permissions: each distinct protected asset will have specific access permissions.
Active User Account Management: accounts will be actively maintained to enforce only current access permissions, will be monitored for unusual activity, and will be closed immediately upon employee termination/departure.
Principle of Least Privilege: users will be granted only the access permissions associated with their current job responsibilities.
Layered Defense: security controls will be implemented in an architecture based on Defense-in-Depth and Zero-Trust.
Data Integrity: maximize integrity by protecting data at rest, in use, and in motion.
Intrusion Prevention/Data Loss Prevention: active protection will be implemented to detect and block suspicious or unauthorized attempts to access protected assets.
Protection Against Insider Threats: measures will be implemented to train and motivate employees in secure practices and to identify suspicious behaviors that may indicate malicious activity.
Questions
(1) Requirements. Write down five (5) specific and verifiable requirements for a cybersecurity solution based on the particulars of the IT Security Policy. [20 points]
(2) Risk Management.
(a) Briefly describe five (5) vulnerabilities associated with the IT system as described and before security controls are implemented. [20 points]
(b) Based on possible Threat Actors, briefly describe a risk associated with each of these vulnerabilities; using a scale of 1 to 5, assign a Probability of Occurrence and Consequence of Occurrence to each risk. [20 points]
(c) For each of these risks, identify a feasible risk treatment (risk reduction, transference, avoidance, or acceptance) with a short rationale for each. [15 points]
(d) Assume a risk has been identified resulting from a vulnerability in the system that manages the Patient Information Database. The estimated cost to restore the database if it is entirely lost or corrupted is assessed as $1M, and the economic damage due to patients and doctors moving to other hospitals is estimated to be an additional $1M. Based on published information on cyberattacks in the health care industry, the estimated number of successful attacks based on exploitation of the vulnerability is four (4) per year, and each successful attack is estimated to cost the hospital 5% of the estimated total potential loss. Further assume that a commercial product has been identified that will reduce the loss from a breach by a factor of ten (10) to 0.5% of the total. What is the maximum annual total cost for this product to achieve a positive return on the investment to procure it (i.e., a positive Control Value)? Note that this is based on Module 3 slides [20 points]
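The cost-benefit arithmetic behind question 2(d) follows the standard annualized-loss model. The following is an added worked example, not part of the original question page or its course material: it encodes the single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x ARO) and a Control Value defined as the ALE reduction minus the control's annual cost. The "Module 3 slides" the question refers to are not on the page, so that Control Value definition is an assumption; the RiskScenario class, function names and the break-even helper are likewise constructed for this example.

```python
# Added worked example (not part of the original question page): annualized-loss
# arithmetic for a risk-control decision, using the figures quoted in question 2(d).
# Assumed model (standard ALE formulation; the course's "Module 3" slides are not on
# the page, so their exact Control Value definition is an assumption here):
#   SLE  = asset value * exposure factor      (single loss expectancy)
#   ALE  = SLE * ARO                          (annualized loss expectancy)
#   Control Value = (ALE_before - ALE_after) - annual control cost

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # total potential loss if the asset is entirely lost
    exposure_factor: float  # fraction of asset_value lost per successful attack
    aro: float              # annualized rate of occurrence (successful attacks/year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one successful attack."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual benefit of a control: risk reduction minus what the control costs."""
    return (before.ale() - after.ale()) - annual_cost


def break_even_annual_cost(before: RiskScenario, after: RiskScenario) -> float:
    """Annual control cost at which Control Value is exactly zero.
    Any cost strictly below this value gives a positive Control Value."""
    return before.ale() - after.ale()


# Figures from question 2(d): $1M restore cost + $1M loss of patients/doctors
# = $2M total potential loss; four successful attacks per year; 5% of the total
# lost per attack before the control, 0.5% per attack after it.
TOTAL_POTENTIAL_LOSS = 1_000_000 + 1_000_000
BEFORE = RiskScenario(asset_value=TOTAL_POTENTIAL_LOSS, exposure_factor=0.05, aro=4)
AFTER = RiskScenario(asset_value=TOTAL_POTENTIAL_LOSS, exposure_factor=0.005, aro=4)

if __name__ == "__main__":
    print(f"SLE before: ${BEFORE.sle():,.0f}   ALE before: ${BEFORE.ale():,.0f}")
    print(f"SLE after:  ${AFTER.sle():,.0f}    ALE after:  ${AFTER.ale():,.0f}")
    print(f"Break-even annual control cost: ${break_even_annual_cost(BEFORE, AFTER):,.0f}")
    # A control priced below break-even has positive value; one priced above does not.
    for cost in (350_000, 400_000):
        print(f"Control Value at ${cost:,}/year: ${control_value(BEFORE, AFTER, cost):,.0f}")
```

The same functions apply to any scenario in the risk register: change asset_value, exposure_factor and aro to the values estimated in questions 2(a) and 2(b), and break_even_annual_cost gives the most the hospital should spend per year on a control before its value turns negative. Note that the model assumes the control changes only the loss per attack and not the attack rate; a control that also lowers aro would be represented by a different AFTER scenario.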
(3) Layered Defense. Describe a layered defense strategy for the Big City Hospital IT enterprise based on Defense-in-Depth and Zero-Trust. Base your approach on the Problem Statement, including the threats and vulnerabilities you have identified, various levels of asset sensitivity, and the IT Security Policy. Consider the balance between the cost and operational impact of your solution vs. achieving the acceptable level of risk (don't just write down every countermeasure you've heard of). At a minimum, address the following:
(a) Identify a set of DiD layers and specific security controls to be implemented in each layer. [25 points]
(b) Identify an approach to network segmentation. [15 points]
(c) Briefly describe how other elements of a Zero-Trust architecture can be implemented. [20 points]
(d) Briefly describe an approach to maintain data Integrity. [15 points]
(4) Other Safeguards. List three Procedural and three Physical safeguards that would be effective when applied to the Big City Hospital IT enterprise. [30 points]
(5) Governance. Summarize a Cybersecurity Governance strategy for the Big City Hospital. Specifically:
(a) Identify organizational roles and responsibilities in Governance. [20 points]
(b) Identify three Administrative Governance activities. [15 points]
(c) Identify three Technical Governance activities. [15 points]