
Christopher Korycki

HCIN 544
Assignment 1B - Cyber Threats and Mitigation Strategies

Three Potential Cyber Threats:

One: The Physical Hardware

Devices and Threats:

A small two-office physician practice would have a few desktop systems, most likely running
Windows 10, networked together and also connected to a wireless network. There would be
one desktop for the front desk/receptionist and two workstations, one for each
office/examination room. There could be an additional workstation or desktop (or two) if each
of the physicians had their own office (or a partitioned section of the rooms) equipped with a
desktop system. Any of these desktop systems could also be laptops, in any combination.
If there were a nurse or physician's assistant (or two) on staff, they too would have access to the
workstations in the examination rooms and/or to wireless tablets for entering patient
information.

The main threats regarding office hardware are intentional and unintentional breaches by
staff or third-party vendors. Be it a security contractor, an HVAC repair person, an electrician, the UPS
delivery person, a patient, or a patient's family member, any person could have ill intent, and thus
limiting physical access to devices is of utmost importance. Beyond limiting physical access, the
devices and hardware themselves should not provide any way to input data into them.

Mitigation Strategies:
All these devices should be secured and never leave the office (especially the tablets) in any
way, shape or form. A security system with cameras could be added as an extra layer of security
against tampering or theft. There should also be no way to input information into
the physical devices via any type of external device such as an external hard drive, Zip or USB
thumb drive, or CD-ROM. Many workstations sold by leading manufacturers come designed with
no connections for additional peripheral devices. If there are any USB connections, CD-ROM drives
or anything else that allows for an external device, these should all be manually disabled.

Two: Access to the Network

Devices and Threats:
Access to the office intranet should be guarded carefully. A small two-physician
practice would not be able to afford a dedicated information security person or system
administrator (though perhaps, if budget allowed, this could be outsourced), so all security would
have to be conducted by the physicians and staff. Outside hacks or intrusions as well as internal
breaches could be a threat. Therefore a firewall, secure authentication, and an
ongoing log of who accessed or logged in and when would provide information in case of a breach.

Mitigation Strategies:
The router and network should be connected to a firewall. The local ISP should provide the
newest and most robust encryption. No outside devices of ANY kind, including the staff's and
physicians' own personal devices, should be able to connect to the office Wi-Fi. Their own
devices (phones etc.) can use their 4G connections; alternatively, staff could carry separate
"business only" phones in addition to their personal ones, still using their own 4G connections.
All devices connected to the network, or that wish to connect, need robust password authentication,
either one- or two-layer authentication. A small office would perhaps need only one, but if the
budget allows then a two-layer system would be optimal. Antivirus and anti-malware software
should be installed, as well as a rigorous daily and weekly scan and security check for viruses, malware and
overall network health and security.

Three: Network Backup

Devices and Threats:

The days of keeping a dedicated office server in an old closet are over. The liability, constant
maintenance and threats to this old method are too great today. Most businesses have migrated
to a cloud-based system. These are rather secure (especially AWS and Microsoft Azure), but a
second off-site backup system would always be encouraged. The main concern is who has
access to the data and who does the backup. A malicious (or disgruntled) employee could
access backed-up data and transmit it elsewhere (even if just by taking pictures of the screens with their
phone).

Mitigation Strategies:
Backups should be automatic and frequent to avoid data loss. The main issue here is access. No
particular person (with the exception of the two partner physicians, and even this should be
discussed) should be able to access too much of any particular part of the network. This practice is called
compartmentalization: nobody is allowed to view too much backed-up or saved
information at any one time. If multiple requests to access information are made and/or at odd
times, this should be automatically logged and flagged. Access to backed-up data should be
severely restricted.
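The "ongoing log of who accessed or logged in and when" from section two and the automatic flagging of repeated or odd-hour access to backed-up data from section three amount to the same small detection rule. The following script is an added example, not part of the assignment, showing that rule run over a constructed access log: each line records a timestamp, user, action and record, and an event is flagged when it falls outside business hours or on a weekend, or when one user issues more than a set number of requests inside a short window. The log format, user names, record ids and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log for the practice's backup store (not real data).
# Each line: ISO-8601 timestamp, user, action, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:00 drsmith   read patient/1042
2024-03-04T09:15:30 frontdesk read patient/1043
2024-03-04T23:40:10 frontdesk read patient/1101
2024-03-05T10:00:00 nurse1    read patient/1044
2024-03-05T10:01:00 nurse1    read patient/1045
2024-03-05T10:02:00 nurse1    read patient/1046
2024-03-05T10:03:00 nurse1    read patient/1047
2024-03-05T10:04:00 nurse1    read patient/1048
2024-03-05T10:05:00 nurse1    read patient/1049
2024-03-09T11:00:00 drjones   read patient/1050
"""

# Assumed policy values for a small practice; adjust to the real office hours.
BUSINESS_START = 8                 # 08:00, inclusive
BUSINESS_END = 18                  # 18:00, exclusive
BURST_LIMIT = 5                    # more than this many requests per window is flagged
BURST_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
        })
    return events


def is_off_hours(ts):
    """True on Saturday/Sunday or outside the configured business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def flag_events(events):
    """Return (timestamp, user, record, reasons) for every event that trips a rule.

    A per-user sliding window of recent timestamps detects bursts of requests;
    the off-hours check is evaluated independently, so one event can carry
    both reasons.
    """
    flags = []
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if is_off_hours(ev["ts"]):
            reasons.append("off-hours")
        window = recent[ev["user"]]
        window.append(ev["ts"])
        # Drop timestamps that have aged out of the burst window.
        while window and ev["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) > BURST_LIMIT:
            reasons.append("burst")
        if reasons:
            flags.append((ev["ts"].isoformat(), ev["user"], ev["record"], reasons))
    return flags


if __name__ == "__main__":
    for ts, user, record, reasons in flag_events(parse_log(SAMPLE_LOG)):
        print(f"FLAG {ts} {user} {record} {','.join(reasons)}")
```

On the constructed log this reports three events: the front-desk read at 23:40, the sixth consecutive read by nurse1 within ten minutes, and the Saturday read by drjones. In practice the same function would be fed from the backup system's own audit export on a schedule, and anything it flags would be reviewed by the partner physicians rather than acted on automatically.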
