As an information security professional, you are responsible for ensuring preventive information security controls are in place. Such controls include implementing organizational and security policies, processes, and other forms of preventive security measures. Given the information in the scenario below, you have been asked to create employee policies for the company and ensure the policies comply with the minimum requirements of the national or international standards in these areas. These policies will be published to the entire organization in the employee handbook or the HR portal.

Scenario:

During a routine audit of an electronic health record (EHR) system, a major healthcare provider discovered three undocumented accounts that appeared to have access to the entire clinical and financial health record within the system. Further investigation revealed that these accounts were accessing records around the clock via remote access to the healthcare system’s network. Three remote access accounts appeared to have been set up at least six months prior to the creation date of the first account in the EHR. Additionally, the accounts in the EHR were originally established as standard user accounts approximately two months ago and escalated to full access over the course of two weeks.

System controls are verified to be in effect that limit access for each account to no more than 300 records per day. Over the course of the past two months it is estimated that more than 37,000 but no more than 50,000 records could have been accessed. Reports are being run to determine which patient accounts were accessed, but the reports will take more than two weeks to identify the record identification numbers and then take longer than 60 days to compile the usernames and addresses. An audit of other systems that contain sensitive information revealed no other unauthorized access.

Audit files that would normally identify the creator of the accounts overwrite themselves after two weeks in the systems that provide remote access and the EHR. No one in senior management has any reason to suspect that it was an inside job, but based on the short duration for log retention, there is no way to eliminate that possibility either.

Requirements:

Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. Use the Turnitin Originality Report available in Taskstream as a guide for this measure of originality.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

A. Describe three of the security faults in this scenario that caused a security breach.
B. After researching the national and international standards, create three policy statements that apply to the entire organization, comply with a national or international standard, and might have prevented the security breaches identified in part A.

1. Justify how each organizational policy statement in part B complies with a specific nationally or internationally recognized standard (e.g., HIPAA, HiTech, PCI-DSS, ISO/IEC, NIST) and could plausibly be enforced at the company.

Note: The policy statements should match the baseline requirements of the standards for organizational compliance.

C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.