Contents
Introduction
Size of the Business
Privacy Act Australia
Management of Personal Information
Information Exchange Law
Privacy of Sensitive Information
Health Act
Digital Health Business Laws
Protected Health Information
Cyber Security Framework for UnityHealth
Risk Management Plan
Cyber Security Framework for Unity Health
Risk Identification for IM Gateway & iTherapeutic
Cyber Security Activities for Framework Implementation in UnityHealth
Comparison with other Organizations
Introduction
UnityHealth is an independent medical health information provider, focused on providing expert
consultancy in all domains of health care and medicine. The company aims to address the
research and analytical areas pertaining to the field of medicine and the research required to improve
existing areas of health and medicine (Unityhealth.com.au, 2019). The company provides online
educational platforms for learning and resource utilization, which include IMgateway and
iTherapeutics. With strong partnerships and connections with leading organizations in the health
sector, the company provides pharmacists, health professionals and medicinal experts with the
knowledge required to expand and succeed in all areas. Since 1998, the company has excelled in
providing innovative and professional tools which have enabled the medicine and health industry
to grow and develop new resources effectively and efficiently (Unityhealth.com.au, 2019).
In general, the risk management principles and processes described in ISO 31000, supported
by the guidance of ISO/IEC 31010, provide a solid framework that enables an organization to
design and execute a repeatable, proactive and strategic program (ISO, 2019). The design of specific
program components depends heavily on the objectives, resources and circumstances of the
individual organization. Regardless of the level of implementation, management's involvement in
setting direction and regularly reviewing results should be part of every program; this
not only raises the standard of risk management but also ensures appropriate treatment of
risk based on organizational objectives and long-term strategies. For the
organization under review, this report further analyzes the program design, implementation and
monitoring phases of the risk management program (ISO, 2019). In the case of UnityHealth, the
implementation of the ISO risk management framework will prove vital in combating the threats
pertaining to risk and control mechanisms.
Risk Management Plan
The following plan sets out the threat assessment pertaining to UnityHealth. It further analyzes
and assesses the threat agents associated with the plan as well as the vulnerabilities associated
with the attacks and intrusions. As part of the risk management plan, mitigation techniques are
also proposed, along with the relevant cost effects that need to be considered
when assessing the risk plan under consideration.
The following factors have been taken into consideration after the gap analysis
performed by UnityHealth.
Threat | Threat agent | Asset at risk | Vulnerability / impact
Social Engineering | Intruder / External Attacker | Data Base / Storage / User Base / Confidential Customer Information | The attacker can gain access into the account database; confidential customer data can be breached.
Worms and Trojans | Hacker / Employee / Infected Data Injection | Customer Information / Password Data Base / Credentials (loss) | Access can be gained to the records and password bases; the User & Tech information channel can be exposed and accessed.
Phishing / Malware Attacks | Hacker / Intruder | Data Storage / Control Panel / Passwords | Access and exposure can be gained to the Control Panel of IM Gateway.
SQL Injection | Attacker / Intruder / Hacker | Customer Data Base / Records / Online Storage & Credentials | Access to the whole database containing confidential information; access can be gained to PCs and desktops and to the settings dashboard.
Cyber Security Framework for Unity Health
Risk (level and impact) | Mitigation | Cost
High: Control Panel Intrusion / Data Base / Storage. | Responsiveness and awareness programs among the workforce and employees / Training and educational schemes / High-end encryption and firewalls / Dedicated department to counter the contingency. | Training costs / Software costs / Time needs to be dedicated.
High: A DDoS attack can mean that the whole channel can crash once the traffic is blocked. | Black hole routing used as a countermeasure / Rate limiting / Web Application Firewall to manage an attack. | Time management / Dedicated personnel.
High: A Trojan malware attack can cause loss and theft of data, in this case loss of the technology database / private information. | High-level firewall protection / High-end anti-virus / Data encryption / Employee training. | Software costs / Employee training.
High: Malicious spamware can be introduced into the system, which can be used to access the confidential files. | Dedicated technical controls and mechanisms / Training / Staff skilling and awareness. | Software costs / Time dedication / Training.
High: SQL injection can be used to obtain data illegally. It can also be used to induce forgery and grant access into the main database and server. | Input validation / Parametrized queries / Firmware scanning. | High costs / Time constraints / Extra staff effort.
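The last row names input validation and parametrized queries as the controls for SQL injection. The following is an added example, not code from the report or from UnityHealth's systems, showing the two forms side by side on a constructed in-memory SQLite table: a lookup that splices the caller's string into the SQL text, the same lookup with a bound parameter, and an e-mail-shaped validation rule in front of it. The table layout, column names and the validation rule are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a customer table; not real UnityHealth data.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "pharmacist"),
    ("bob@example.com", "Bob Example", "gp"),
]

# Assumed input rule for this example: the lookup key must look like an e-mail address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: the caller's string is spliced into the SQL text, so it can
    change the structure of the statement instead of acting only as a value."""
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parametrized(conn, email):
    """Hardened form: a bound parameter is always treated as data by the driver,
    so quotes or SQL keywords inside it never alter the statement."""
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def is_valid_email(value):
    """Input validation: reject anything that is not shaped like an e-mail address."""
    return EMAIL_RE.fullmatch(value) is not None


def lookup_validated(conn, email):
    """Both controls together: validate first, then query with a bound parameter."""
    if not is_valid_email(email):
        raise ValueError("lookup key rejected by input validation")
    return lookup_parametrized(conn, email)


def demo():
    """Run a well-formed key and a constructed malformed key through each path and
    report how many rows each path returns."""
    conn = build_db()
    # Constructed malformed input: a stray quote followed by an always-true condition.
    malformed = "' OR '1'='1"
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, malformed)),     # whole table leaks
        "parametrized_rows": len(lookup_parametrized(conn, malformed)), # treated as a literal
        "normal_rows": len(lookup_parametrized(conn, "alice@example.com")),
        "validation_rejects": not is_valid_email(malformed),
    }
    try:
        lookup_validated(conn, malformed)
        results["validated_raised"] = False
    except ValueError:
        results["validated_raised"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows why the table lists both controls: the parametrized lookup on its own already returns no rows for the malformed key, and validation in front of it turns the same input into a logged rejection rather than a silent empty result, which is the event a monitoring team would want to see.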
With the fast pace of technological inventions and innovations taking place, the element of threats and attacks has meant that there need to be special security measures in
Control | Description
Firewalls | Since most attacks and intrusions target the internal system of the organization, updated firewalls and protection measures must always be active. Because the organization connects to and deals with both intranet and internet domains, the specialized firmware needs to have firewalls to limit and counter any attack which occurs.
Encryptions | For an engineering organization housing private personal information, the database must be encrypted at the highest level to remove any possibility of data leakage and intruder access. For this reason, the stored data must be encrypted to limit its usability to a third party in case an attack takes place.
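The DDoS row of the framework table above lists rate limiting as a countermeasure, and the firewall row describes the need to limit and counter incoming attacks. The following added example, which is not part of the report and does not describe UnityHealth's actual infrastructure, implements a per-client sliding-window rate limiter and runs it over a constructed request log in which one source floods the service while a legitimate client keeps working. The budget (10 requests per 1000 ms), the client addresses and the traffic pattern are assumptions made for the example.

```python
from collections import deque


class SlidingWindowLimiter:
    """Per-client sliding-window rate limiter.

    Each client may make at most `max_requests` requests within any `window_ms`
    millisecond span. The budget values used below are assumptions for this example.
    """

    def __init__(self, max_requests, window_ms):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self._history = {}  # client id -> deque of accepted request timestamps (ms)

    def allow(self, client, now_ms):
        """Return True and record the request if the client is within its budget."""
        stamps = self._history.setdefault(client, deque())
        # Forget accepted requests that have aged out of the window.
        while stamps and now_ms - stamps[0] >= self.window_ms:
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return False  # budget exhausted: drop or challenge this request
        stamps.append(now_ms)
        return True


def build_sample_traffic():
    """Constructed request log (timestamp_ms, client): one source sending 20 requests
    per second for two seconds, interleaved with a legitimate client making four
    requests. The addresses are documentation ranges, not real clients."""
    flood = [(i * 50, "198.51.100.7") for i in range(40)]  # 0 ms, 50 ms, ..., 1950 ms
    normal = [(t, "203.0.113.4") for t in (300, 800, 1300, 1800)]
    return sorted(flood + normal)


def filter_requests(requests, limiter):
    """Split a (timestamp_ms, client) log into accepted and dropped requests."""
    accepted, dropped = [], []
    for ts, client in requests:
        (accepted if limiter.allow(client, ts) else dropped).append((ts, client))
    return accepted, dropped


def demo():
    """Apply a 10-requests-per-second budget to the sample log and summarise the result."""
    limiter = SlidingWindowLimiter(max_requests=10, window_ms=1000)
    accepted, dropped = filter_requests(build_sample_traffic(), limiter)
    per_client = {}
    for _, client in accepted:
        per_client[client] = per_client.get(client, 0) + 1
    return {
        "accepted": len(accepted),
        "dropped": len(dropped),
        "flood_accepted": per_client.get("198.51.100.7", 0),
        "normal_accepted": per_client.get("203.0.113.4", 0),
    }


if __name__ == "__main__":
    print(demo())
```

Because the budget is tracked per client, the flooding source is capped at its allowance in every window while the legitimate client's four requests all pass; the dropped list is also the natural feed for alerting, since a source that is repeatedly throttled is the signal a security operations team would want to investigate.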
The most widely used security framework in healthcare is NIST, with 57.9% of
respondents reporting its use at their organizations. NIST is the National Institute of
Standards and Technology, the U.S. agency that develops numerous technical standards
and guidelines, including for information security. It is one of the many agencies under the U.S. Department of
Commerce. NIST maintains several documents that are widely regarded as gold standards for
system and information security. While they are typically intended for U.S. government agencies,
they are also widely used in the private sector (Calyptix Security, 2019).
Slightly more than one-quarter of respondents (26.4%) state that their organization follows the
security framework maintained by the Health Information Trust Alliance (HITRUST). HITRUST
Alliance is a private organization led by representatives from some of the biggest names in
healthcare, including Anthem, Humana, UnitedHealth, and Walgreens. The organization maintains
the Common Security Framework (CSF), a set of guidelines for information security designed explicitly for the
healthcare sector (Calyptix Security, 2019).
ISO refers to the International Organization for Standardization, a non-governmental
organization that publishes standards to facilitate world trade. Its membership is made up of
delegates from standardization bodies in more than 160 countries. Together with the International
Electrotechnical Commission (IEC), ISO maintains a series of standards for creating and
maintaining an information security management system, known as ISO/IEC 27000, or simply "the
ISO". Among respondents, 18.5% use the ISO framework (Calyptix Security, 2019).
References
Calyptix Security. (2019). Top 5 Cyber Security Frameworks in Healthcare. [online] Available
at: https://www.calyptix.com/hipaa/top-5-cyber-security-frameworks-in-healthcare/ [Accessed
15 Sep. 2019].
Csis.org. (2019). [online] Available at: https://www.csis.org/programs/cybersecurity-and-
governance/technology-policy-program/other-projects-cybersecurity [Accessed 24 Jun. 2019].
Dey, P. and Kinch, J. (2008). Risk management in information technology projects. International
Journal of Risk Assessment and Management, 9(3), p.311.
Dionne, G. (2013). Risk Management: History, Definition, and Critique. Risk Management and
Insurance Review, 16(2), pp.147-166.
Fetzer, D. and West, O. (2008). The HIPAA Privacy Rule and Protected Health
Information. Academic Radiology, 15(3), pp.390-395.
Fruhlinger, J. (2019). What is a cyber-attack? Recent examples show disturbing trends. [online]
CSO Online. Available at: https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-
recent-examples-show-disturbing-trends.html [Accessed 24 Jun. 2019].
Health.act.gov.au. (2019). | Health. [online] Available at: https://www.health.act.gov.au/
[Accessed 15 Sep. 2019].
ISO. (2019). ISO 31000 Risk management. [online] Available at: https://www.iso.org/iso-31000-
risk-management.html [Accessed 24 Jun. 2019].
Jiang, J. and Bai, G. (2019). Evaluation of Causes of Protected Health Information
Breaches. JAMA Internal Medicine, 179(2), p.265.
Legislation.gov.au. (2019). National Health Act 1953. [online] Available at:
https://www.legislation.gov.au/Details/C2017C00250 [Accessed 15 Sep. 2019].
Legislation.gov.au. (2019). Privacy Act 1988. [online] Available at:
https://www.legislation.gov.au/details/c2014c00076 [Accessed 15 Sep. 2019].
Mohseni, A. (2014). Audit Approach to Audit Risk Management, Quantitative Determination of
the Components of Audit Risk and Determine the Impact on the Components of Audit Risk in
Audit Sampling. SSRN Electronic Journal.
OAIC. (2019). The Privacy Act. [online] Available at: https://oaic.gov.au/privacy/the-privacy-
act/ [Accessed 15 Sep. 2019].
Rademaker, M. (2016). Assessing Cyber Security 2015. Information & Security: An
International Journal, 34, pp.93-104.
Services, P. (2018). Cyber Attack - What Are Common Cyberthreats. [online] Cisco. Available
at: https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html.
Unityhealth.com.au. (2019). UnityHealth Pty Ltd. [online] Available at:
http://www.unityhealth.com.au/index.jsp [Accessed 15 Sep. 2019].