ISOL631 – Operations Security
Prepare a report to address all aspects of the case study/assignment. This report should be no less than 10 pages of content. You need to include outside sources and properly cite and reference your sources. You must have at least 10 references, 7 of which must be scholarly peer-reviewed articles. In addition to the 10 pages of content, you will want a title page and a reference sheet. This report needs to be in proper APA format.
Be prepared to present a 15-minute presentation on this assignment.
Smith Hospital is a leading health care provider within Kentucky (having five locations throughout the entire state). The system they use is a popular Electronic Health Record system called EPIC. To learn more about this EHR system visit: https://www.epic.com/. On September 15, Daniel Brown (CIO of Smith Hospital) was notified that about two major incidents.
The first incident occurred at the northeast office in which the IT server room was burglarized during normal business hours. It was determined that iPhones, laptops, flash drives and one server was stolen. Local police were notified, and the incident was reported on that date.
The second incident occurred at the southwest campus in which the entire IT system was hacked. Local information security staff determined that 80% of patient’s PII to include social security, insurance provider, mailing address and phone number were obtained.
You are Daniel Brown and need to respond to these incidents by taking action immediately.
You will need to complete the following:
Develop an Incident Response Policy for Smith Hospital that will be used to help with Scenario #1 and #2 (create two separate response policies) (this is an attachment that should be included in your paper and referenced in your presentation).
Upon developing the Incident Response Policies, evaluate the incidents described above:
Summarize the data incident and potential level of risk, include why?
Upon identifying the types of data that could potentially be impacted and what laws/regulations could be in violation of non-compliance if this data was breached
Develop your action plan to evaluate this data incident (include your rationale for why the steps were necessary)
Describe how the Incident Response Policy supported your actions
Identify any issues that made the evaluation more difficult
Identify areas of future risk mitigation actions should a similar incident occur (look at the gaps or issues with this scenario)
Close the incident (NOTE: The outcome of the incident did not surface any major risks or data breach to the company, but it took the evaluation to get to this conclusion)