Cybersecurity Risk Assessment: MyHealth Case Study

Added on 2025/04/28
Cybersecurity Management
Assignment 1: Risk assessment exercise
Contents
Task 1
  1
  2
  3
Task 2
  1
  2
  3
  4
  5
References
Figure 1: ISO 31000 Framework
Table 1: Assets
Table 2: Classification of Assets
Table 3: Vulnerability Assessment
Table 4: Risk Management
Table 5: Risk Assessment
Task 1
1
Table 1: Assets
Asset ID | Asset Name | Description | Location | Ownership
P1 | Strategy | A strategy is the plan or structure of working that a company follows. MyHealth's strategy is to run an online system that stores patient details and their transactions. | Company | Company
S1 | Products and Services | Every company sells, buys, rents or provides something; it is a provider of goods and services. The products and services MyHealth provides are healthcare, education and research related to cancer. | Company | Company
O1 | Research and Development | Research work involves discovering or inventing something new for the benefit of the company or society. The research work at MyHealth is aimed entirely at cancer treatment. | Company | Company
 | Intellectual Property | Valuable copyrights, procedures, methods and designs that contribute to the company's benefit. Here, MyHealth has an online portal through which patients can make transactions for their bill payments, and through which MyHealth can also track the records of all the patients it has or has had. | Company | Company
O2 | Training Material | The various ways MyHealth can train its employees to use the online portal, while also keeping developers available in the background for any issue. It can either hire professionals and teach them about the company, or train its own employees by bringing in an external trainer. | Company or external | Company or external
P2 | Marketing Media | Because the company does a lot of work in its clinical, educational and research departments, it needs to advertise in order to become known. This can be done through posters, online ads and other channels. | Company and external | Company and external
O3 | Customer Lists | The company keeps its customer list and the records of their transactions in a database on a single computer, which is not a good option: it is a single point of failure, and every user of that machine can reach the data. | Company | Company
O4 | Operations | The company is involved in many operations, including education, medical facilities, and research and development. Each of them is important and needs a great deal of planning and operational work to run efficiently. | Company | Company
P3 | Decision support | There must be a decision-making body in the company, whether senior management or a decision-making council, which takes all the important decisions and defines the roles the company has to perform. | Company | Company
O5 | Financial | The amount of work done at MyHealth requires a lot of money, capital and related investment, which must be managed properly. The large structure of the company necessarily involves many financial activities, whether managing accounts, investing, taking loans, offering discounts or others. | Company | Company or external
(Spacey 2017)
In the table, P stands for Planning Asset, O for Operational Asset and S for Service-related Asset.
Classes
The assets need to be classified so that they can be managed properly. The sensitivity of the information is the basis of this classification: whether an information asset can be shared with everyone, only with employees, or needs to be restricted further. Based on the information contained in the assets, the classes into which they can be divided are:
Internal Information – assets that are inside the company and are wholly the company's property; the information in them is not shared with any outsider, whether a patient or any other party.
Restricted Information – these information assets are also not for any external party but for the company itself. What sets them apart is that they are not even shared with all employees of MyHealth, only with those who manage them or have the authority to decide how they are used. The developers behind the portal, the database administrators and the decision makers are examples of parties who can have access to these assets.
Public Information – information assets that are available to the public as well; anyone can see or access them. Examples of such information are the research areas and the educational services provided. Patient names, however, do not belong in this class: a patient's identity, together with any record linking it to treatment or billing, is personal health information that privacy and health-data regulation requires to be kept confidential, so customer lists must be treated as Restricted Information.
Categorising the information based on these classes –
Table 2: Classification of Assets
Internal Information | Restricted Information | Public Information
Decision Support | Financial | Marketing Media
Operations | Research and Development | Research and Development (published research areas only)
Training material | Strategy | Services and Products
Intellectual Property | Customer Lists |
Customer Lists is placed under Restricted Information because it holds patient identities and transaction records, which are confidential personal health information rather than public data.
(Identifying Information Assets and Business Requirements)
2
To get better results from its security spending, an organisation needs a planning structure in the form of an information security governance unit. The unit works out which risks are most prevalent in the business and then allocates the security budget and finance accordingly.
The one issue that concerns every information security professional is that there will never be enough resources to mitigate every potential security risk. It is the security team's job to make the critical decisions about how the organisation's limited resources are allocated for the greatest risk reduction. An information security governance unit helps to prioritise risks and to build support when more resources are needed to protect the organisation. There are many possible structures for such a unit, depending on the organisational structure, but it usually has representatives from human resources, legal, internal audit, compliance, and information security and technology. This creates a forum with representatives from almost all decision-making departments. MyHealth can use such a governance unit to discuss all risks and potential threats and so build the support needed to turn difficult information security problems into manageable ones. The importance of information security governance should not be underestimated; it is a major first step towards a better security position for the company. Since organisational and financial resources will never be sufficient to mitigate every potential risk to the information systems, a governance unit is needed to recognise the risks that are present and act on them. Including representatives from all departments not only helps to reduce risk but also spreads information security knowledge across the organisation, which greatly increases the effectiveness of information security governance (Granneman 2019).
3
The best policies to adopt for cybersecurity are as follows:
Updating systems and software
MyHealth should apply fixes to its software promptly in order to minimise loss from known vulnerabilities. In the IT industry it is essential to run current versions of software and operating systems. A PUSH strategy should be followed, in which updates are delivered to and installed on user devices automatically, rather than a PULL strategy, which only notifies the user that updates are available and leaves it to them to install. Pushed updates should still be tried on a small group of devices before being rolled out to everyone, so that a faulty update does not take the patient portal offline.
Conducting top-to-bottom cyber security audits
A company should conduct in-depth security audits of its information practices and assets. By performing an audit the company can identify the weaknesses and defects in its security systems and examine every department and end user.
Social Engineering
Social engineering testing shows whether employees are vulnerable when it comes to revealing confidential information. It can be as simple as someone calling out a password across the room so that everyone in between hears it; in technical terms it is something like a user entering their account details on an unknown website because they were asked to. The policy should include regular awareness tests, such as simulated phishing messages, so that employees learn to verify a request before disclosing credentials.
Audits from business partners and vendors
It is also important to have audits performed by external parties, as they are independent of internal positions and need not fear the consequences of their findings. Vendors and partners have taken part in audits at many companies for a long time, and it has proved to be a very sensible step. MyHealth should also have such audits at least annually.
Providing security education
It is important to educate employees about cyber security during their orientation. Employees usually do not read all the terms and conditions they are asked to sign when they join, so the company needs orientation programmes covering the same material. This keeps the security policies fresh in employees' minds and makes sure they understand the concepts.
Watching the edges
Hardware and software security must be arranged for the devices at the edge of the organisation, such as remote or unattended equipment. Not all companies are open to such options, but they too have devices in remote locations. These devices need to be looked after, because unlike people they will not call out when they are stolen or taken away so that useful information can be extracted from them.
Performing data backups regularly
Many companies that are hit by ransomware lose all their data unless they have a backup, and a recent one at that. Some companies do have backups, but when they try to restore data from them they cannot, because the data turns out to be corrupted. Hence regular backups must be created in the organisation to keep its data safe, and restoring from them must be tested regularly so that corruption is discovered before the backup is actually needed.
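The restore test described above, as an added example that is not part of the original report: the script below backs a directory up into a tar.gz archive with a SHA-256 manifest stored beside it, then verifies the backup by restoring it into a scratch directory and comparing every file against the manifest. The directory name, file names and file contents are constructed for the demonstration, the archive format and manifest location are this example's own choices, and only the Python standard library is used.

```python
"""
Backup integrity check (added example, not code from the original report).
Creates a tar.gz backup plus a SHA-256 manifest, then verifies the backup by
doing a trial restore and checking every file. A truncated or corrupted
archive is reported as unusable, which is the failure the text describes:
a backup exists but cannot be restored. All sample data is constructed.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path

CHUNK = 1 << 16  # hash files in 64 KiB blocks so large backups need little memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def manifest_path_for(backup_path: Path) -> Path:
    """The manifest sits next to the archive, e.g. x.tar.gz.manifest.json (assumed layout)."""
    return backup_path.with_name(backup_path.name + ".manifest.json")


def create_backup(source_dir: Path, backup_path: Path) -> dict[str, str]:
    """Archive source_dir into backup_path and write a manifest that maps each
    relative file path to its SHA-256 digest. Returns the manifest."""
    manifest = {
        str(p.relative_to(source_dir)): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }
    with tarfile.open(backup_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    manifest_path_for(backup_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_path: Path) -> list[str]:
    """Trial-restore the archive into a scratch directory and check every file
    listed in the manifest. Returns a list of problems; an empty list means the
    backup is readable and every file came back with the expected content."""
    manifest = json.loads(manifest_path_for(backup_path).read_text())
    problems: list[str] = []
    # Where supported, the 'data' filter refuses archive entries that would
    # escape the target directory (the classic malicious-tar path traversal).
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # Corrupted or truncated archive: nothing restored from it can be trusted.
            return [f"archive unreadable: {exc}"]
        restored = Path(scratch)
        for rel, expected in manifest.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(target) != expected:
                problems.append(f"content mismatch after restore: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a small constructed data set, back it up and verify it; then cut the
    archive short (as an interrupted copy would) and verify again.
    Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "portal_db"  # constructed sample data, not real records
        (src / "config").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,sample patient\n")
        (src / "transactions.csv").write_text("id,patient_id,amount\n1,1,120.00\n")
        (src / "config" / "portal.ini").write_text("[db]\nhost=localhost\n")

        backup = root / "portal-backup.tar.gz"
        create_backup(src, backup)
        before = verify_backup(backup)

        data = backup.read_bytes()
        backup.write_bytes(data[: len(data) // 3])  # simulate a copy that was cut off
        after = verify_backup(backup)
    return before, after


if __name__ == "__main__":
    intact, truncated = demo()
    print("intact backup problems:", intact)
    print("truncated backup problems:", truncated)
```

Run it as a script to see the intact backup pass and the truncated one fail. Two design points carry over to a real schedule: the trial restore must read from the actual backup media (not the copy still sitting on the server), and the manifest, or at least its own hash, should be kept somewhere the backup job cannot overwrite, so that ransomware that rewrites the archive cannot also rewrite the evidence used to check it.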
Physically securing the information assets
It is also important to maintain the physical safety of hardware, for example by making sure it is not placed in a room or hall that is under construction. Physical security is another important aspect that most companies leave out of their policies.
Keep Industry Compliance
Companies that work in healthcare and depend on information technology tools must keep track of industry compliance requirements. They should review their security compliance requirements at least annually and update their security policies and practices accordingly.
Informing the CEO and Board
A good cyber security methodology is one in which employees do not end up having to explain a breach of the security controls and firewalls to the board or the CEO after the fact. Hence it is important to have a policy that keeps the CEO, managing directors, the board and so on informed about everything concerning cyber security (Shacklett 2018).
Task 2
1
With the approval of the ISO governing bodies, the ISO technical committee released ISO 31000:2009, Risk management – Principles and guidelines, in November 2009. The standard is written to apply to any type of risk and to any organisation, but it is not intended for certification: an organisation cannot be certified against ISO 31000.
The two major components of enterprise risk management under ISO 31000 are:
Framework, which leads the operation and overall structure of risk management across an organisation.
Process, which sets out the method for identifying, analysing and treating risks.
Framework
The ISO 31000 framework follows the plan, do, check, act (PDCA) cycle, which is common to all management system designs. The standard explains that the framework is not intended to impose a management system but to help the organisation integrate risk management into its overall management system. This should encourage organisations to be flexible in adopting the components of the framework as required.
The Framework consists of the following primary components:
Policy and Governance - gives direction and sets out the organisation's commitment and responsibility
Program Design - design of the whole framework for managing risk on a regular basis
Implementation - implementing the risk management program and structure
Monitoring and Review - monitoring the performance and structure of the management system
Continual Improvement - improving the overall performance of the management system