Running head: Risk Management Plan 1

Risk Management Plan

Student Name

Institutional Affiliation
Risk Management Plan 2

Introduction
Since the emergence and subsequent popularity of the internet and digital solutions to
problems faced by businesses, some accompanying risks warrant significant attention to prevent
adverse outcomes. Health Network Inc. is a health services organization that faces significant
threats to its operation and information integrity. These threats justify the need for a new risk
management plan, granted that the Health Network administration has determined that the
existing plan does not meet the accepted threshold in light of prevailing conditions both within
and outside the business. This document recommends a revised risk management plan that is up
to date and can protect the business from different kinds of threats, thus ensuring information
integrity and fewer weaknesses that can potentially affect the value realized through the firm's
digital and internet-enabled assets.
Importance
This risk management plan is intended to protect the Health Network Inc.'s digital assets
from a few potential threats identified through a previous risk assessment exercise. These risks
include loss of protected health information, private data, corrupted production data, internet
threats, insider threats and evolution of the regulatory landscape, all of which may hamper the
business' operations. Thus, the key stakeholders will be better protected from financial losses,
blackmail by malicious parties and legal recourse following the compromising of any privileged
data and protected health information (PHI). The private information of key stakeholders can
also be better protected once the entire organization is more aware of sophisticated tactics by
malicious parties such as malware, spyware and social engineering, and user-centered errors such
as inappropriate hardware decommission.
Scope
This risk assessment plan will be directly associated to Health Network Inc's digital,
computerized and internet-connected assets. These include company-owned laptops, mobile
devices, production servers, data centers, production systems, digitized health information and
private information of involved stakeholders. Thus, this plan will not apply to brick and mortar
assets, hard copies of information, inventory and any acquisitions held in stock.
The key stakeholders involved with the risk management plan will be risk assessment
team, data center personnel, security personnel on each of the different premises, employees and
administrators of the Health Network Inc. organization. The measures developed in this plan will
be periodically assessed and will apply to the entire enterprise rather than limiting them to a few
departments. The risk management plan will protect the company's internet-based assets from
exploitation, both from internal and external threats. It will also protect the key stakeholders
from unintentional data loss that malicious actors can capitalize on.
Implementing the recommendations in this document will require significant amounts of
resources, such as financial software and trained specialists on data security who will advise
Risk Management Plan 3

Health Network Inc. on the best possible measures to take and any acquisitions that will bolster
data security and allow the business to meet the expectations of regulatory measures.
Risks
Theft of Equipment
Health Network Inc. has thousands of valuable pieces of equipment such as servers,
workstations and mobile devices that have access to valuable information and online services.
Lost devices have several implications in the workflow as they cause delays in operations,
financial drawbacks realized when replacing them, and they carry processed information that
take a long time to regain. This challenge is particularly applicable to Health Network Inc.
because it has physical assets distributed over a large geographical area. Without a coherent
physical structure in place and shared between the different business premises, Health Network
Inc. is susceptible to theft of its critical assets that facilitate online services.
Hackers
A hacker is an individual with technical computer skills and use these skills to breach
cybersecurity measures and defenses (Gupta, Singhal & Kapoor, 2016). The healthcare industry
is susceptible to these attacks because there is often a chronic lack of resources. This inadequacy
results from the pressures prompting healthcare organizations to remain open to the public while
concurrently ensuring up-to-date cybersecurity defenses. Despite generating millions of dollars
from its operations every year, Health Network Inc. suffers from a lack of resources and
technical expertise compared to commercial counterparts. Many other market sectors feature
highly paid, well-trained and fully vetted individuals who cater to cyber-resources security
(Abraham, Chatterjee & Sims, 2019). Also, medical facilities are currently short-staffed after the
high turnover rates that occurred due to the pandemic. This lack of support is not the only factor
that makes healthcare organizations a prime target for hackers (Coventry & Branley, 2018).
Organizations like Health Network Inc. host a lot of valuable data that hackers can ransom for
large amounts of financial gain, worsened by the urgency accompanying these data sets since
they are used in life and death scenarios. Thus, holding on to healthcare information increases
the possibility of quick and plentiful financial gain for hackers.
Malware and Spyware Intrusion
Malware is an abbreviation of the term 'malicious software' and refers to any intrusive
software used to steal information, damage computer systems and grant malicious actors access
into privileged data and systems (Touchette, 2016). Malware is often transmitted to victim
machines using phishing emails containing malicious attachments, when users click on malicious
links or view an advertisement containing hidden code, commonly referred to as malvertising
(Dwyer & Kanguri, 2017). Common examples include viruses, spyware, ransomware, adware
and worms. Apart from viruses that destroy data, ransomware is particularly dangerous for
healthcare organizations. This is because ransomware infects computer systems at different
levels and makes them inaccessible and non-functional until the required ransom is paid to a
malicious actor, who may still not be obligated to restore full access to a system's administrators.
Risk Management Plan 4

If any malware infects a system like HNETPay, critical processes can be slowed and become
inoperable, causing significant losses and causing increased risk to the welfare of patients.
Systems Outage
Health Network Inc. operates different co-dependent data centers on far-flung
geographical locations. The result is that any outage in one data center can result in the
organization's computer system being inoperable and critical information being improperly
processed. If a power outage occurs in one data center, another facility may be unable to access
information or process customer payments as expected. Furthermore, system outages may cause
vulnerability in the computer security measures, and as a result may grant a malicious actor the
opportunity to intercept information, causing delays and compromising information integrity.
Also, power outages that result in hardware and software systems shutting down without warning
can cause loss of unsaved data and can corrupt existing files because of improper shutdown
procedures (Kent, 2016).
Safety
Health Network Inc. requires a consistent physical security procedure applied to all its
locations. This includes the need for experienced and vigilant security guards, multi-layer
credentials to access crucial resources like the hardware in data centers and surveillance to
monitor all critical points of access. Employees should be assigned digital badges with chips in
them for identification and access the premises using biometric measures to confirm their
identities and access privileges (Mason et al., 2020).
Business Impact Analysis
Data Loss
Health Network Inc. has a few vulnerabilities in its operations that can result in data loss.
The company has data centers that can be physically accessed by malicious actors who can copy,
destroy or corrupt valuable data. This calls for strong security protocols to limit physical access
to critical hardware, which can be costly and resource-intensive. Also, the company can lose a lot
of data when hardware like servers, user workstations and mobile devices are inappropriately
decommissioned. If the organization inappropriately decommissions its IT assets, it can create
big risks like jeopardizing sensitive data and expose the organization to compliance variations.
This is because older devices can be disposed of before credentials and data are extracted and
properly stored. Furthermore, parties who come across decommissioned devices may find any
leaked credentials, leaving them with the opportunity to corrupt privileged information and
access the organization's digital resources. This is particularly troublesome for Health Network
Inc. whose primary source of revenue is an online service that handles secure electronic medical
messages from large hospitals and routes them to clinics and other services.
Stolen company-owned assets
The cost of employees and other stakeholders having their company-owned laptops and
other mobile devices stolen exceeds more than just the cost of replacing lost items. These devices
Risk Management Plan 5

often have credentials that can be used to access privileged information systems and gain access
to secure places of work. Also, these lost devices contain lots of private information that can be
used to exploit the business for financial gain and other nefarious purposes. The result is that any
stolen devices owned by Health Network Inc. has some potential to expose trade secrets,
proprietary software and private information which affect the organization's monetary value and
business reputation. Also, Morrow (2012) indicates that there are further reaching consequences
for businesses such as loss of productivity while replacement is sorted out, valuable time spent
recovering data, company-wide password changes and potential fines accrued as a result of
losing confidential data. Data is an infinitely valuable resource for modern businesses and thus it
faces increasingly tough regulations. Stolen company assets may compromise the working
mechanism and integrity of HNETExchange, thus affecting the business's primary revenue
source. These assets may also grant unfiltered access into HNETPay, the web portal the Health
Network Inc. uses to facilitate secure payments and billing. The service interacts with credit-
processing organizations and can grant malicious actors unparalleled access to financial services,
causing monetary loss at a large scale.
Exploitation by hackers
Hackers can potentially harm every kind of business, and this concern is more
pronounced in the healthcare sector. Data breaches can harm Health Network Inc. because it
leverages many information and communication technology advances. According to Seh et al.
(2020), healthcare organizations leverage these systems to replace paper-based processing with
electronic health records (EHRs) and other sophisticated systems. These are used to enhance
patient care, develop patient corporation, improve practice efficiency and make health
information more accessible to relevant parties. This is evident in the working mechanism of
Health Network Inc. which uses, among other products and services, HNETExchange that
ensures secure electronic medical messages are transmitted between its customers.
If these systems were to be exploited by hackers, it would result in exposure of sensitive
data, security failures of affiliated software and hardware, disclosure of protected health
information (PHI) and a damaged reputation. Seh et al. (2020) indicates that out of the 2216 data
breaches reported from 65 countries in 2018, the healthcare industry faced 563 breaches, making
it the industry that is most affected by data breaches. Further reports from IBM indicate that
while the average cost of a single data breach was $3.92 million in 2019, a breach in the
healthcare industry costs about $6.42 million during the same period (Seh et al., 2020). This
shows that data breaches by hackers are more frequent in the healthcare industry and cost more
on average. These figures show that hackers are particularly damaging to healthcare
organizations, which spells out significant risks for Health Network Inc., which heavily depends
on computerized and internet-based assets.
Social engineering threats
Social engineering uses psychological manipulation to trick users into leaking sensitive
information and making computer security mistakes. The result is leaked passwords that grant
unauthorized individuals full access to privileged systems. However, the effect of social
Risk Management Plan 6

engineering extends beyond stolen credentials and lost files. The impact extends into a ruined
reputation, since there are few things as difficult for organizations to recover as the good faith of
customers (Chen, Ramamurthy & Wen, 2012). Once information is made public that an
organization has caved to social engineering, the hard-gained trust with customers and potential
leads is lost, and the act of bouncing back takes more than just recovering lost data.
Mitigation
Business Continuity Plan (BCP)
Regular back-ups
Health Network Inc. should acquire a dedicated set of servers onto which critical
information is backed up on a periodical basis. This would reduce the chances of delays to
operation and recovery of data in the event of theft, improper decommissioning and corruption of
critical data. It would also better protect the welfare of patients in critical care where any loss of
data and electronic systems would result in adverse care outcomes. According to Khan & Hoque
(2016), data backups for healthcare organizations ensures that electronic protected health
information is always retrievable. Backups also ensure that business continuity is better
protected, and violations of regulatory standards can be avoided. Health Network Inc. can also
leverage cloud-based tools that are more convenient, offering excellent flexibility and can be
tailored to suit the organization's storage needs based on their operations and volume of data.
Power backups
Health Network Inc. should acquire redundant electricity supply sources. Experts suggest
using a mixture of generators, solar-powered storage and UPS systems in all data centers to
ensure that the systems are always running regardless of circumstances in the different physical
environments. These power back ups can be connected in a sequence to ensure that one power
supply takes over immediately after another becomes inactive. This has a positive chance of
ensuring that operations, payments and access to information is not affected when there are
interruptions to the power supply supporting any of the data centers and the organization's
headquarters.
Decommissioning Equipment
Upgrading equipment is part of the natural order of the workflow, as newer and more
technology is always welcome in the healthcare industry. Thus, the firm should implement a
procedure for decommissioning hardware. This plan should include;
- When to retire equipment
Retiring equipment too early can incur unnecessary costs, while waiting too long can put
applications and data at risk. The organization should have a means of evaluating equipment
before the administrators can decide on decommissioning.
- Preparing the decommissioning of storage media and devices
Risk Management Plan 7

Before decommissioning any equipment with storage media, the IT department should
perform a final backup per data governance policies and internal requirements. This prevents the
loss of proprietary and critical information, while providing proof of what a device was used for
before being decommissioned.
- Protecting decommissioned equipment
This involves taking equipment offline, deleting any data that remains after it has been
marked after being backed up. Any storage media can be extracted and the remaining parts of
equipment repurpose, sold or disposed through vetted third-parties. The IT team can sanitize the
storage media before storing it in a secure location like a data center, in case the storage media is
required to support future use.
- Disposing end of life equipment
Equipment that has been sanitized can be donated, sold, returned to the original vendor,
destroyed or recommissioned. Once the IT team guarantees that any sensitive data has been
backed up and deleted from the piece of equipment according to compliance regulations, the IT
team has greater flexibility with disposal options.
Disaster Recovery Plan (DRP)
Critical Tools and Data
A DRP should detail what data and tools are needed for the organization to recover from
any adverse events. This reduces the possibility of guessing and wasting time when identifying
what is needed to get the computer systems working properly. This part of the plan should focus
on mission critical application, tools and data. According to Murdoch & Detsky (2013), not all
data is equal in a healthcare setting as some data is more relevant to the functioning of the
organization. Being unable to successfully restore mission-critical data following loss or
corruption can hinder the ability of Health Network Inc. to recover rapidly and resume normal
processes.
Communication Plan
A DRP should entail how the Health Network Inc's administration communicates details
about adverse security events to its employees, customers and other key stakeholders. This will
help all involved parties be up to date, and have the right information to play their part in the
organization's response.
Personnel Roles
A DRP should list the specific individuals and their tasks in helping the organization
recover. This would reduce the chance of ill-equipped employees facing tasks which they are not
suited for, and would increase the response rate of the whole organization. This is because
everyone would understand their roles clearly, avoiding any ambiguity.
Taking inventory of hardware and software
Risk Management Plan 8

A DRP should explain who takes inventory after an adverse event, and what needs to be
assessed to ensure operations go on as expected. This would allow the organization to take stock
of what remains after a security event, allowing the administration to plan out how to proceed by
highlighting what is needed and where the most effort is required.
Response Procedures
A DRP should detail how the organization tests its remaining assets to ascertain
functionality and any remaining loopholes after an adverse event has been reigned in. This will
allow the organization to solve remaining vulnerabilities and prevent the same problem from
being experienced a second time. Part of the response process also involved updating and
refining information security assets for protection against future events.
Conclusion
According to a previous risk assessment exercise, Health Network Inc. has many
computer- and internet-based assets that were prone to various kinds of threats such as data loss,
insider exploitation and failure to meet existing regulatory standards. This document sought to
lay out a risk management plan that can help the business steer clear of the aforementioned risks
and any other threats posed to the digital assets that are part of its operations. Some of the main
risks identified were the theft of equipment and mobile devices, exploitation from hackers,
malware and data corruption. The suggested mitigation measures for these risks included
implementing multi-layer power back-up solutions, creating a plan for decommissioning
equipment, and a disaster recovery plan that involves identifying the specific actions, tools and
personnel responsible for specific tasks after an adverse security event. This plan should help
Health Network Inc. easily respond to security breaches, system outages and equipment theft. A
disaster recovery plan is an important tool for Health Network Inc. since it ensures that medical
data can be readily retrieved as needed, and that the experience of customers is not affected by
vulnerabilities that plague the organization as a corporate entity.
Risk Management Plan 9

References
Abraham, C., Chatterjee, D., & Sims, R. R. (2019). Muddling through cybersecurity: Insights
from the US healthcare industry. Business horizons, 62(4), 539-548.
Chen, Y., Ramamurthy, K., & Wen, K. W. (2012). Organizations' information security policy
compliance: Stick or carrot approach?. Journal of Management Information
Systems, 29(3), 157-188.
Coventry, L., & Branley, D. (2018). Cybersecurity in healthcare: A narrative review of trends,
threats and ways forward. Maturitas, 113, 48-52.
Dwyer, C., & Kanguri, A. (2017). Malvertising-a rising threat to the online ecosystem. Journal
of Information Systems Applied Research, 10(3), 29.
Gupta, S., Singhal, A., & Kapoor, A. (2016, April). A literature survey on social engineering
attacks: Phishing attack. In 2016 international conference on computing, communication
and automation (ICCCA) (pp. 537-540). IEEE.
Kent, A. D. (2016). Cyber security data sources for dynamic network research. In Dynamic
Networks and Cyber-Security (pp. 37-65).
Khan, S., & Hoque, A. (2016). Digital health data: a comprehensive review of privacy and
security risks and some recommendations. Computer Science Journal of Moldova, 71(2),
273-292.
Mason, J., Dave, R., Chatterjee, P., Graham-Allen, I., Esterline, A., & Roy, K. (2020). An
investigation of biometric authentication in the healthcare environment. Array, 8, 100042.
Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive
data. Network Security, 2012(12), 5-8.
Murdoch, T. B., & Detsky, A. S. (2013). The inevitable application of big data to health
care. Jama, 309(13), 1351-1352.
Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A. K., Agrawal, A., Kumar, R., & Ahmad Khan, R.
(2020, June). Healthcare data breaches: insights and implications. In Healthcare (Vol. 8,
No. 2, p. 133). Multidisciplinary Digital Publishing Institute.
Touchette, F. (2016). The evolution of malware. Network Security, 2016(1), 11-14.
Risk Management Plan 10