As an information security professional, you are responsible for ensuring preventive information security controls are in place. Such controls include implementing organizational and security policies, processes, and other forms of preventive security measures.
During a routine audit of an electronic health record (EHR) system, a major healthcare provider discovered three undocumented accounts that appear to have access to the entire clinical and financial health record within the system. Further investigation revealed that these accounts were accessing records around the clock via remote access to the healthcare system’s network. Three remote access accounts appear to have been set up at least six months prior to the creation date of the first account in the EHR. Additionally, the accounts in the EHR were originally established as standard user accounts approximately two months ago and escalated to full access over the course of two weeks.
System controls are verified to be in effect that limit access for each account to no more than 300 records per day. Over the course of the past two months it is estimated that more than 37,000 but no more than 50,000 records could have been accessed. Reports are being run to determine which patient accounts were accessed, but the reports will take more than two weeks to identify the record identification numbers and then take longer than 60 days to compile the usernames and addresses. An audit of other systems that contain sensitive information revealed no other unauthorized access.
Audit files that would normally identify the creator of the accounts overwrite themselves after two weeks in the systems that provide remote access and the EHR. No one in senior management has any reason to suspect that it was an inside job, but based on the short duration for log retention there is no way to eliminate that possibility either.
Create a legal analysis by doing the following:
A. Create three organizational policy statements that may have prevented the security breach.
1. Justify each organizational policy statement based on a nationally or internationally recognized standard (e.g., ISO/IEC, NIST).
B. When you use sources, include all in-text citations and references in APA format.
Note: When bulleted points are present in the task prompt, the level of detail or support called for in the rubric refers to those bulleted points.
Note: For definitions of terms commonly used in the rubric, see the Rubric Terms web link included in the Evaluation Procedures section.
Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.
Note: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly.