
Posted: August 17th, 2022

Information Security Audit

You have recently been promoted to Chief Information Security Officer of a large healthcare organization with 10 hospitals under management. Your first task is to design an information security audit to determine the state of cyber security of your organization as you enter into your new role. You know that the implementation of a robust and effective information security program is only the start of providing for the confidentiality, integrity and availability of information assets. Those tasked with the responsibility for information security will also implement a routine audit of their information security controls. The National Institute of Standards and Technology (NIST) publishes the cyber security framework for improving critical infrastructure cyber security. Review this framework and prepare a sample audit to be reviewed by your organization's Chief Information Officer for approval. Your sample audit should include the 5 primary areas of your information security program that you would audit, the details of what you would audit for and a 1 paragraph summary per section that describes your goals for that section of the audit.

www.nist.gov
Healthcare systems were recognized in the President’s Executive Order (EO) 13636 of 2013 as critical infrastructures of interest to the United States. An attack on the healthcare systems of any organization is therefore a potential threat to economic security and national security. Consequently, the security of healthcare systems is critical to the nation.
This document provides an information security audit to determine the state of cyber security at a large healthcare organization with 10 hospitals under management. The audit follows the cyber security framework (CSF) provided by the National Institute of Standards and Technology (NIST) in conjunction with other subject matter experts. NIST requires that an information security audit should be prioritized, flexible, repeatable, and cost-effective. Additionally, the information security audit must continually provide mechanisms for the five CSF functions: identification, protection, detection, response, and recovery.
The main information security challenge facing the healthcare sector is the protection of patient data and information. Any threat to patient information and data is considered a threat to national security as well as the economy. Therefore, an information security audit in the healthcare sector must address all areas that relate to patient data and information.
The first of the five areas of interest is the network infrastructure, administration, and management audit. Audit in this area seeks to determine whether there is any threat to the network infrastructure, including software and hardware. It also seeks to identify whether there are any human-related factors that could be a threat to the network infrastructure. It is especially important because of the interconnections among all ten facilities in the network.
The database integrity and database management audit is the second critical audit area. The questions on the database cover how data is stored, the level of encryption, information authentication levels, and the rights to read, write, and copy information in the database. The audit of the database and database management must also include database backup features as well as data recovery protocols.
The hardware infrastructure audit is the third critical area of audit. An inventory of all information systems hardware is required, with its vulnerabilities identified and protocols for the security of the hardware determined. All hardware that stores any critical information must also be identified, considering that one way to gain access to the records is through the theft of hardware.
The fourth area of information security audit is the integrity of the software used in the organization. This must encompass the resilience of the electronic health systems which are used in the generation of patient data. The second important software aspect is the status of the operating systems as well as the defense systems on all hardware. For instance, does the system allow the administrator to reject installation of software, copying of software or data, or sharing of information online? Other aspects would include how the software is prepared to deal with online threats and attacks, including the download of malware into the systems. These are some of the major threats to information security.
The last audit focuses on the people. The audit must focus on the users’ understanding of the protocols for information systems use, with a focus on cyber security. It also entails separation of powers and responsibility for data in the systems. Most importantly, there is the need to audit the behavior of the key persons with respect to the use of technology. The security of information systems can only be as good as the people want it to be.
In summary, this document provides information on key audit areas in the healthcare setting. The network, databases, hardware, software, and people are all important risk areas in the healthcare settings. The primary goal of audit in all areas is to identify vulnerabilities that may face patient data.
References
NIST (2018). Cyber Security Framework. Retrieved from https://www.nist.gov/cyberframework/new-framework#background
