Apollo Hospitals
Risk Assessment Report

Prepared By: Priti Puri (Reviewer)
September 2015
Table of Contents
1. Introduction
2. Hospitals Assets
3. Risk Identification
   3.1. Identification of Vulnerabilities
   3.2. Identification of Threats
   3.3. Identification of Risks
4. Control Analysis
5.
6.
7.
8. Recommendations
9. Result Documentation
1. Introduction
*TO BE EDITED
We have performed this risk assessment of the BYOD implementation following the NIST Special Publication (SP) 800-30 risk assessment methodology. An assessment is performed at least every three years or whenever a major change is made to a sensitive system.

This risk assessment identifies:
- Vulnerabilities
- Threats
- Risks
- Risk likelihoods
- Risk impacts

It also defines the scope of the risk assessment effort. The purpose of this first step is to identify the network assets, to define the risk assessment boundary and its components, and to identify the sensitivity of the data involved.
2. Hospitals Assets
*TO BE EDITED

Asset Type | Assets
Devices | Laptops, mobile phones, tablets
3. Risk Identification
*TO BE EDITED
The purpose of this step is to identify the risks to BYOD assets. Risks arise in any system when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e., natural, human, or environmental factors).

The process of risk identification consists of three components:
- Identification of vulnerabilities in the system and its environment.
- Identification of credible threats that could affect the system.
- Pairing of vulnerabilities with credible threats to identify the risks to which the system is exposed.

After the process of risk identification is complete, the likelihood and impact of each risk are considered.
3.1. Identification of Vulnerabilities
Vulnerabilities were identified and are documented in the table in section 3.3.

3.2. Identification of Threats
The purpose of this step is to identify the credible threats to the IT system and its environment. A threat is credible if it has the potential to exploit an identified vulnerability. A threat was identified for each vulnerability, and the vulnerability/threat pairs are documented in the table in section 3.3.
3.3. Identification of Risks
*TO BE EDITED

SR | Vulnerability | Threat | Risk of compromise of | Risk Summary
1 | Health information exchange not secured | Data compromise by intrusion, data breach | Sensitive and critical data | As health information exchanges (HIEs) make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved.
2 | Failure at data center | Denial of service attack on data center | Availability of data and applications | Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes.
3 | Disaster recovery and business continuity not in place | Severe effect on operations of the hospital, impact on business | Productivity, revenue, patient safety | Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact.
4 | Unidentified security vulnerabilities in biomedical devices | Systems can be hacked or planted with malware | Patient safety, privacy of data | Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems.
5 | Electronic Health Record (EHR) application not secured | Access rights misused, data breach, or man-in-the-middle attack | Data privacy, intellectual property | Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems.
6 | No information security policy implemented | Technical, physical, and administrative safeguards vulnerable | Security of health information | HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk.
7 | IT assets and software licenses not tracked | Use of outdated software introduces vulnerabilities; software stops operating after license expiry | Security of health information, availability of data and applications | Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization.
8 | Access through personal devices not restricted | Data loss, malware infection | | Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.
9 | Identity management and RBAC (Role Based Access Control) not implemented | Unauthorised access to data or applications | Security of hospital data, patient information, applications |
10 | Not compliant with the Payment Card Industry Data Security Standard (PCI DSS) | | Customers' credit card data |
11 | Malfunctioning of the application | Electronic Health Record (EHR) application failure | Confidentiality and integrity of hospital data (financial, IP, staff info) |
12 | Defects in the systems | Systems failure in hospitals | |
13 | Intentional human error | Unscheduled system downtime | | Unscheduled downtime is unplanned downtime due to system or environmental (e.g., power) failures. Downtime may affect a single application or be system-wide.
14 | Levels of security not applied | Indiscriminate malicious attack (mock cyberattacks) | Medical devices, patient safety |
15 | | | Patients' details, their reputation and privacy |
16 | Disgruntled member, frustrated person | Personal revenge | Business loss, reputation at stake |
17 | Occurrence of natural calamities, disasters | Widespread disasters result in power blackout | Availability of the entire infrastructure |
18 | Operational discontinuity | | Business impact, availability impact |
19 | Lack of awareness among employees | Violation of policy or regulation by an employee | Hampers business continuity |
4. Control Analysis
The purpose of this step is to document the security controls in use for network asset monitoring. The controls are matched against the identified risks in order to identify those risks that require additional response; the results are documented in the table below.

SR | Risk Summary | Control
Other factors may also be used to estimate likelihood. These include historical information, records, and information from security organizations such as US-CERT and other sources.

SR | Risk Summary | Likelihood Rating
1 | As health information exchanges (HIEs) and PHI make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved. |
2 | Data center failure: Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes. |

Likelihood ratings extracted for this table, in the order they appear, with row assignment lost: Low, Low, Moderate, Low, Moderate, High, Moderate, High, High, High, High, Moderate, Moderate, High, High, Low, High, Moderate, Moderate, Low, Low, Low, Moderate, Moderate, Low, Low, Moderate, Low, Moderate, Low.
Risk Impact Rating | Impact Definition
High | Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major tangible assets, resources, or sensitive data; or (3) may significantly harm or impede the mission, reputation, or interest.
Moderate | Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of tangible assets or resources; or (3) may violate, harm, or impede the mission, reputation, or interest.
Low | Occurrence of the risk: (1) may result in the loss of some tangible assets or resources; or (2) may noticeably affect the mission, reputation

SR # | Risk Summary | Risk Impact | Risk Impact Rating
1 | As health information exchanges (HIEs) make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved. | Loss of mission-critical business information | High
2 | | Sensitive data compromised | High
5 | Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems. | |
10 | | Unrequited intrusion, exposed data, or fork bomb and data wipe-out | Moderate / High
| | Replication of the company's new launches; sensitive and business-critical information and data | High
| | | Low
| | Inadvertent violations of security precautions | Moderate
| | Security breach that vitiates other machines | High / High
| | Significant loopholes in the current security setup | Moderate
11 | Periodic re-authentication assures that the user is genuine. Unlimited access without re-authentication is a security vulnerability for any device that might be stolen or compromised during authenticated use. Management suites can enforce re-authentication after a set time period. | Unauthorised access | High
12 | Apps carrying this threat permit hackers to steal files or data, completely wipe data, permit eavesdropping, and cause other consequences on the victim's device. It is also possible for an app to carry multiple payloads. The source code of a legitimate app is taken and repackaged with malicious code to hide the threat from the victim. | Sensitive, confidential, company-related data exposed | Moderate
13 | Employees may download communication apps that have been infected by adversaries to mine the user's contact database; if these databases are connected to the corporate network, then hackers can mine corporate data and send it to compromised servers via the web. Such apps will mine text and call logs too. | Users' contacts, corporate data leakage | High
14 | | Organization's financial data and sensitive information | High
15 | | Personal information loss | Moderate
16 | | Personal safety and the company's data | Low
17 | | Strategic decisions leakage | Low
18 | Mobile devices are simply too good a target for potential attackers to pass up. All it takes is for one infected device to eventually reach many others that are connected to the same network. Research has shown that 2,000 new malware samples for Android devices are discovered daily. | Loss of personal data | Low

SR # | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating

Rating values extracted for this table, in the order they appear, with row and column assignment lost: High, High, High, High, High, High, Low, Moderate, Moderate, Moderate, High, Moderate, High, High, High, Low, Low, Low, High, Moderate, Moderate.
8. Recommendations
The purpose of this step is to recommend additional actions required to respond to the identified risks, as appropriate to the organization's operations. The goal of the recommended risk response is to reduce the residual risk to the system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

SR # | Risk Summary | Overall Risk Rating | Recommendations

Overall risk ratings extracted for this table, in the order they appear, with row assignment lost: High, High, Moderate, Moderate, High, Low.
9. Result Documentation
The final step in the risk assessment is to complete the Risk Assessment Matrix. The risk assessment report helps senior management and the mission owners make informed decisions on policy, procedural, budget, and system operational and management changes. A risk assessment is not an audit or investigation report, which often looks for wrongdoing and issues findings that can be embarrassing to managers and system owners. A risk assessment is a systematic, analytical tool for identifying security weaknesses and calculating risk.