"Case Study
Epworth Healthcare provides mental healthcare services at a number of locations across Australia, employing 500 personnel including physicians, nurses (assistant, enrolled and registered nurses, and orderlies), a nurse manager, licensed nurse practitioners, social workers, technologists, and data, system and network administrators, among others. Epworth deploys a complex networked information system accessed over wired and wireless local area networks as well as wide area network technologies. Epworth holds 500,000 records of confidential patient data, stored in plaintext on a single database. Multiple groups within Epworth access and modify the database daily. The database is accessed directly by a web server that resides in a DMZ. A compromise of the database could result in the exposure of all patient data. The replacement cost for each record (i.e., contacting and informing the patient, changing the patient's account numbers and issuing new cards) was determined to be $300. The likelihood of the database being compromised is estimated at 25% per annum.
QUESTIONS
Based on the information provided in the case study, answer the following questions. Read the questions carefully and use complete and grammatically correct sentences. You must justify your answers in order to receive credit for your answers. Insufficient justification earns 0 points.
Task 1: Based on your knowledge of IT security management, argue for or against the assertion that the Epworth system is in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Task 2: The chief information security officer of Epworth claims that the system is robust against reputational risk. Criticise the chief information security officer's claim by explaining why the Epworth system does suffer from reputational risk. Your answer must briefly discuss reputational risk, its most apparent causes in this case, and the negative consequences of reputational risk for Epworth.
Task 3: An IBM analyst has recommended to Epworth a suite of security technologies aimed at preventing database compromise and data loss, at a cost of $40,000 per year. Epworth management has asked you to determine whether purchasing a licensed copy of the security suite recommended by the IBM analyst is beneficial in terms of cost. You are expected to provide a complete, correct and step-by-step explanation of how you arrived at your conclusions.
Task 4: Suppose you are asked by Epworth to establish an on-line employee awareness and training course for safeguarding sensitive patient information. List and discuss five examples of items that you would include in the on-line awareness and training course. You must justify your choices.
Task 5: Epworth management recently decreed that a "Responsible Use of Wireless LAN Technology" issue-specific security policy be developed. Briefly explain the main purpose for which an issue-specific security policy is designed and used. Also, briefly describe three purposes that the issue-specific security policy serves for Epworth."
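The cost question in Task 3 is a standard quantitative risk calculation (single loss expectancy, annualised rate of occurrence, annualised loss expectancy). The following is an added example, not part of the case study or the assignment; it uses only the figures stated in the case study, and since the case study does not say how much the suite reduces the likelihood of compromise, the residual likelihood is passed in as an assumption.

```python
# Added example for Task 3 (not part of the case study): standard quantitative
# risk figures from the stated numbers. The residual likelihood of compromise
# after deploying the suite is NOT given, so it is passed in as an assumption.

RECORDS = 500_000         # confidential patient records in the single database
COST_PER_RECORD = 300.0   # replacement cost per record, in dollars
ARO = 0.25                # annualised rate of occurrence: 25% per annum
CONTROL_COST = 40_000.0   # annual cost of the recommended security suite


def single_loss_expectancy(records=RECORDS, cost_per_record=COST_PER_RECORD):
    """SLE: loss from one compromise, since one breach exposes every record."""
    return records * cost_per_record


def annualised_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro


def break_even_aro_reduction(control_cost=CONTROL_COST):
    """Smallest drop in ARO at which the control's saving equals its cost."""
    return control_cost / single_loss_expectancy()


def evaluate(residual_aro):
    """Work the case-study numbers for an ASSUMED residual ARO after the control.

    net_benefit = (ALE before - ALE after) - control cost; positive means the
    control saves more in expected loss than it costs."""
    sle = single_loss_expectancy()
    ale_before = annualised_loss_expectancy(sle, ARO)
    ale_after = annualised_loss_expectancy(sle, residual_aro)
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": (ale_before - ale_after) - CONTROL_COST,
    }


if __name__ == "__main__":
    print(f"SLE ${single_loss_expectancy():,.0f}; ALE before control "
          f"${annualised_loss_expectancy(single_loss_expectancy(), ARO):,.0f}")
    print(f"break-even ARO reduction: {break_even_aro_reduction():.6%}")
    for residual in (0.20, 0.05, 0.0):  # assumed residual likelihoods
        r = evaluate(residual)
        print(f"residual ARO {residual:.0%}: ALE after ${r['ale_after']:,.0f}, "
              f"net benefit ${r['net_benefit']:,.0f}")
```

The break-even figure shows the control only has to lower the yearly likelihood of compromise by a tiny fraction of a percent to pay for itself, which is the point a step-by-step answer to Task 3 should make explicit.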