
Contents

Introduction (page 2)
Size of the Business (page 2)
Privacy Act Australia (page 2)
  Management of Personal Information (page 2)
  Information Exchange Law (page 3)
  Privacy of Sensitive Information (page 3)
  Health Act (page 3)
  Digital Health Business Laws (page 3)
Protected Health Information (page 4)
Cyber Security Framework for UnityHealth (page 4)
Risk Management Plan (page 6)
Cyber Security Framework for Unity Health (page 7)
Risk Identification for IM Gateway & iTherapeutic (page 8)
  Cyber Security Activities for Framework Implementation in UnityHealth (page 8)
Comparison with other Organizations (page 9)

Introduction
UnityHealth is an independent medical health information provider, focused on providing expert
consultancy in all domains of health care and medicine. The company aims to address the
research and analytical areas pertaining to the field of medicine and the research required to improve
existing areas of health and medicine (Unityhealth.com.au, 2019). The company provides online
educational platforms for learning and resource utilization, which include IMgateway and
iTherapeutics. With strong partnerships and connections with leading organizations in the health
sector, the company provides pharmacists, health professionals and medical experts with the
knowledge required to expand and succeed in all areas. Since 1998, the company has excelled in
providing innovative and professional tools which have enabled the medicine and health industry
to grow and develop new resources effectively and efficiently (Unityhealth.com.au, 2019).

Size of the Business


Analyzing the current portfolio of services UnityHealth provides, with over 9000 doctors and
professionals in the loop, the company has been expanding and growing since its inception. The
geographical reach of the company includes Australia and New Zealand. The company provides
training and resource implementation to over 30150 registered users across 4700 pharmacy
stores in Australia. The company also partners and has linkages with other professional health
affiliates for its effective reach and product development (Unityhealth.com.au, 2019).

Privacy Act Australia


At the federal level, the Privacy Act 1988 (Cth) (Privacy Act) governs how business
entities and government agencies must handle personal information, largely through the
13 Australian Privacy Principles (APPs) set out in the Privacy Act (Legislation.gov.au,
2019).
Management of Personal Information
The Privacy Act additionally requires entities to develop and make
readily available a policy about their management of personal information.
APP 3, in summary:
- Permits an APP entity to collect personal information only where reasonably necessary for at
least one of its legitimate functions or activities
- Requires personal information to be collected directly from the individual to whom it
relates, unless impracticable or another prescribed exception applies, and
- Requires the consent of an individual to collect that individual's sensitive information, unless another
prescribed exception applies.
APP 5 requires an APP entity to notify an individual (or ensure they are aware), at or
before the time of collection, of prescribed matters. Such matters include but are not
limited to whether the individual's personal information is collected from any third parties, the
purpose(s) of collection, to whom personal information is disclosed, and the processes through
which an individual can seek access to, or correction of, their personal information, or otherwise
complain about the manner in which it is handled (Legislation.gov.au, 2019).
Compliance with APP 5 generally requires 'collection statements' to be included on
or with forms, or other materials, through which personal information is collected. Such
statements should refer and include a link to the APP entity's privacy
policy.
Information Exchange Law
If an APP entity is to disclose personal information to an overseas recipient, APP 8 requires it to
take reasonable steps to ensure the recipient does not breach the APPs. This typically requires the APP
entity to impose contractual obligations on the recipient (OAIC, 2019). Pertinently, if
the overseas recipient breaches the APPs, the Privacy Act imposes liability on the APP
entity that made the overseas disclosure. There are exceptions to this obligation,
including but not limited to where:
- The APP entity reasonably believes the overseas recipient is bound by a law or scheme that
protects personal information in a substantially similar manner to the APPs, or
- The individual consents to the disclosure in the knowledge that such consent will negate the
APP entity's obligation to ensure the overseas recipient does not breach the APPs.
Privacy of Sensitive Information
Health Act
The Privacy Act generally affords a higher level of protection to 'sensitive information'
given that its mishandling can generally have a more negative effect on the individual concerned.
'Personal information' is defined under the Privacy Act and includes information about an individual's
racial or ethnic origin, health records, political opinions, professional or political or religious
affiliations or memberships, sexual orientation or practices, criminal record, health, genetic
information and/or biometrics. For instance, APP 3, which governs the collection of
solicited personal information, prohibits (with certain exceptions) the collection of sensitive information
unless the individual to whom it relates consents to the collection and the information is reasonably
necessary for the collecting entity's functions or activities (OAIC, 2019). The collection
of non-sensitive information is generally permitted where it is reasonably necessary for the
collecting entity's legitimate functions or activities.
Digital Health Business Laws
The Privacy Act 1988 is broadly the Australian counterpart to HIPAA. As patient health
information is easily one of the most sensitive types of personal information, the Privacy Act
was partly designed to provide further layers of protection to safeguard that information, among other
material. In an example given by the Australian government, any given organization is required
to obtain the consent of an individual before it can collect their health information. Likewise, every
health service in Australia, regardless of how large or small, is bound by the
Privacy Act, further strengthening patient confidentiality. As such, anyone owning or
operating a healthcare business in Australia needs to adhere to the rules and guidelines
set out by the Privacy Act. It is enforceable legislation, meaning that it is unlawful for any
affected party to opt out. With this in mind, it is of vital importance that
healthcare organizations both understand the terms laid out by the Privacy Act, and
actively enforce them (OAIC, 2019).

Protected Health Information


HIPAA stipulates that Protected Health Information (PHI) can be any type of individually
identifiable information: demographic, insurance, billing, or medical. This broad definition
includes any information relating to a patient that carries with it an identifier unique to that patient.
An EKG tracing that carries the patient's social security number, a computer CD with a
patient's radiographic images and billing information, an email about treatments from a physician to a
patient with an email address on it, or a faxed page from a hospital chart with an
imprinted date of birth and address all constitute PHI. Of course, the spoken word
is not exempt from PHI. Phone calls, voicemail, text messages, data recordings,
conversations with medical students and nurses in the hospital, and
face-to-face conversations on the street fall within the ambit of PHI and the protections of
HIPAA (Fetzer and West, 2008).
The most difficult situation for the physician involves interpreting the circumstances where
disclosure is appropriate or inappropriate. PHI can always be shared with the patient. For many
other situations, however, individually identifiable patient information should be shared
only after the physician has obtained specific written patient authorization that includes the name
of the recipient. Releases of PHI to entities that may require this level of specific authorization
include those involved primarily in advertising, marketing, or e-commerce; employers and
schools; attorneys seeking information without a subpoena or court order; other patients
trying to contact your patient; and insurance companies that have never covered your patient
or that are not involved with your efforts to collect a payment (Health.act.gov.au, 2019).
Sharing PHI with entities that are involved in billing, treatment, and healthcare
operations should not cause an issue under the HIPAA rubric. These recipients of PHI
include current insurers and billing clearinghouses; current and
former treating physicians providing care or follow-up; hospital and healthcare
organizations involved in continuing or outpatient care; pharmaceutical,
medical device, and research organizations tracking outcomes; hospital committees or employees
involved with ethical or research review issues, disease reporting, quality review, risk
management, or credentialing in the ordinary course of business; and government and police
agencies seeking information under court order or for required mandatory purposes.

Cyber Security Framework for UnityHealth


With the fast pace of technological inventions and innovations taking place, the element of threats
and attacks has meant that special security measures need to be in place. As a consultant
evaluating systems from a technical viewpoint, this paper will provide the risk details
pertaining to UnityHealth, which is engaged in health sector consultancy. Moreover, with the
pace of technological advancement there need to be strong and effective internal controls put in
place to make sure that efficient working is stimulated in the organization.
The basic and foremost aim of the risk assessment plan is to mitigate and counter the growing
threat of cyber-attacks and intrusions. The health sector is one of
the most sensitive and attractive targets for third-party hackers and intruders seeking to
gain access to sensitive information and records (Dionne, 2013). Thus, UnityHealth will need
to counter the growing threat of intrusions to the organization and implement effective
strategies in this regard. Further, the report will help achieve the objectives of implementing
effective internal controls and regulating the operational functionality of the organization. The
plan will further assure and enhance the security protocols and procedures being implemented.

ISO 31000 Risk Management

In general, the risk management principles and processes described in ISO 31000 and supported
by the guidance of ISO/IEC 31010 provide a solid framework that enables an organization to
design and implement a repeatable, proactive and strategic program (ISO, 2019). The design of specific
program elements is highly dependent on the goals, resources, and circumstances of the
individual organization. Regardless of the level of implementation, management's involvement in
setting direction and regularly reviewing results should be a part of every program, which
will not only raise the management of risk, but also ensure an appropriate treatment of
risk based on organizational objectives and long-term strategies. In the case of the
organization under our purview, this report further analyzes the program design/implementation and
monitoring phases of the risk management program (ISO, 2019). In the case of UnityHealth, the
implementation of the ISO risk management framework will prove vital in combating the threats
pertaining to risk and control mechanisms.
Risk Management Plan
The following plan rolls out the threat assessment pertaining to UnityHealth. It further analyzes
and assesses the threat agents associated with the plan as well as the vulnerabilities associated
with the attacks and intrusions. As per the risk management plan, mitigation techniques have
also been proposed along with the relevant cost effects that need to be considered
when assessing the risk plan under consideration.
The following factors have been taken under consideration after the gap analysis
performed by UnityHealth.

| Threat | Threat Agent | Asset | Vulnerability |
|---|---|---|---|
| Social Engineering | Intruder / External Attacker | Database / Storage / User Base / Confidential Customer Information | The attacker can gain access to the account database; confidential customer data can be breached |
| DDoS Attack | Attacker / Hacker | Storage Facilities / Password Storage / Database (IM Gateway + iTherapeutic) | Control Panel / PC access / Service Information Security Infrastructure / System crash |
| Worms and Trojans | Hacker / Employee / Infected Data Injection | Loss of Customer Information / Password Database / Credentials | Access can be gained to the records and password bases; user and technical information channels can be exposed and accessed |
| Phishing / Malware Attacks | Hacker / Intruder | Data Storage / Control Panel / Passwords | Access and exposure can be gained to the Control Panel of IM Gateway |
| SQL Injection | Attacker / Intruder / Hacker | Customer Database / Records / Online Storage & Credentials / The Dashboard of the settings | Access to the whole database containing confidential information; gain access to PC and desktop |
Cyber Security Framework for Unity Health

| Impact | Mitigation | Cost/Effort |
|---|---|---|
| High: Control Panel Intrusion / Database / Storage | Responsiveness and awareness programs among the workforce and employees / Training and educational schemes / High-end encryption and firewalls / Dedicated department to counter the contingency | Training costs / Software costs / Time needs to be dedicated to awareness and training programs |
| High: A DDoS attack can mean that the whole channel can crash once the traffic is blocked by the attacker | Black hole routing used as a countermeasure / Rate limiting / Web Application Firewall | Time management / Dedicated personnel to manage an attack / Software and tool cost |
| High: A Trojan malware attack can cause loss and theft of data, in this case loss of the technology database / private information | High-level firewall protection being placed / High-end anti-virus / Data encryption / Employee training | Software costs / Employee training |
| High: Malicious spamware can be introduced into the system, which can be used to access the confidential files and thus technical controls can be accessed | Dedicated technical controls and mechanisms / Training / Staff skilling and awareness / Sender Policy Framework | Software costs / Time dedication / Training |
| High: SQL injection can be used to obtain data illegally. It can also be used to induce forgery and grant access into the main database and server | Input validation / Parameterized queries / Firmware scanning | High costs / Time constraint / Extra staff effort |
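To make the "Input validation / Parameterized queries" mitigation in the SQL injection row concrete, here is an added example that is not part of the original report. It shows a string-built lookup beside its hardened form using Python's sqlite3, over a constructed user table standing in for a platform user base such as IM Gateway (the table layout and rows are assumptions).

```python
import re
import sqlite3

# Constructed sample rows standing in for a platform user table
# (hypothetical layout; not UnityHealth's real schema).
SAMPLE_USERS = [
    ("alice", "pharmacy-4711", "alice@example.invalid"),
    ("bob", "clinic-22", "bob@example.invalid"),
    ("carol", "pharmacy-0199", "carol@example.invalid"),
]

# Allow-list for usernames: letters, digits, '_', '.', '-', up to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, store_id TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The weak form: user input is pasted straight into the SQL text.
    A crafted value rewrites the WHERE clause, so the caller can be
    handed every row instead of the one it asked for."""
    sql = "SELECT username, store_id, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened form from the mitigation table: validate the input
    against the allow-list, then bind it as a parameter so the database
    engine treats it as data and never as part of the SQL statement."""
    if not USERNAME_RE.match(username):
        # Reject rather than sanitize: anything outside the allow-list is
        # not a legitimate username and should be logged and dropped.
        return []
    sql = "SELECT username, store_id, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from the weak lookup, rows from the hardened lookup)
    for one input value, each run against a fresh copy of the sample DB."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate name, then the textbook tautology that breaks string-built SQL.
    for probe in ("alice", "' OR '1'='1"):
        weak, safe = compare(probe)
        print("input=%r  weak=%d rows  hardened=%d rows" % (probe, len(weak), len(safe)))
```

The weak lookup returns all three rows for the tautology input, while the hardened lookup rejects it before it reaches the database; a real deployment would also log the rejection as a detection signal.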

Risk Identification for IM Gateway & iTherapeutic


Social engineering techniques pose a threat to the integrity and confidentiality of the
organization's services and to the data in its technological databases and storage
facilities. For UnityHealth the methods range from illicitly barging in and accessing private
information documents and customer databases to obtain data and records. This can, however,
be mitigated with additional staff training and creating awareness in the management on
how to effectively handle such attacks and tricks when they are encountered. A DDoS attack
is a dangerous procedure used by intruders and attackers to redirect the traffic channel of the
technology framework (Dey and Kinch, 2008). This can mean that within seconds the entire
channel of the organization's services will shut down. Such an attack can cause enormous
interruptions in services and great inconvenience to the organization, which will be
unable to carry out its daily routine transactions (Fruhlinger, 2019). Such attacks need certain
technical expertise to mitigate and require the dedication of skilled staff to counter-respond and
foil any attack on the technological channel causing interruptions.
Cyber Security Activities for Framework Implementation in UnityHealth

| Activity | Description |
|---|---|
| Awareness | One of the most important aspects pertaining to the implementation of a risk assessment plan, such as in the case of UnityHealth, is the need for creating awareness among the employees about the new threats that are present and the possible mitigations and counter-reactions available to limit the extent of an intrusion. |
| Training Programs | With the advent of the technological era and innovations pertaining to the cyber industry, the threats are increasing at an ever-increasing pace. To counter this, training of the whole workforce on the cyber framework must be done so that employees are at all times aware and updated on the new aspects, in order to effectively handle situations and contingencies. |
| Dedicated Cyber Department | Since UnityHealth houses sensitive information pertaining to technological databases and informational records, the organization should at all times have an actively dedicated department to deal with contingencies and risk measures concerned with cyber-attacks and intrusions. This would speed up the time taken to react to an event in case an attack occurs on the system. |
| Firewalls | Since most attacks and intrusions are an attack on the internal system of the organization, updated firewalls and protection measures must always be active. Since the organization connects to and deals with both intranet and internet domains, the specialized firmware needs to have firewalls to limit and counter any attack which occurs. |
| Encryption | For an organization housing private personal information, the database must be encrypted at the highest level to evade any possibility of data leakage and intruder access. For this reason, the data being kept must be encrypted to limit its usability to a third party in case an attack is carried out. |

Comparison with other Organizations


This table shows the most popular cyber security frameworks in healthcare, according to the
2018 HIMSS Cybersecurity Survey.
Many hospitals, doctors' offices, and others, while striving for HIPAA compliance, also
follow one or more security frameworks that have earned widespread respect and adoption in the
infosec industry.

The most popular security framework in healthcare is listed as "NIST", with 57.9% of
respondents reporting its use at their organizations. NIST is the National Institute of
Standards and Technology, the U.S. agency that develops numerous technical standards
and guidelines, including for information security. It is one of the many agencies under the U.S. Department of
Commerce. NIST maintains several documents that are widely regarded as gold standards for
network and information security. While they are typically intended for U.S. government agencies,
they are also widely used in the private sector (Calyptix Security, 2019).
Slightly more than one-fourth of respondents (26.4%) state their organization followed the
security framework maintained by the Health Information Trust Alliance (HITRUST). HITRUST
Alliance is a private organization led by representatives from some of the biggest names in
healthcare, including Anthem, Humana, UnitedHealth, and Walgreens. The organization maintains
the Common Security Framework (CSF), a set of guidelines for information security designed explicitly for the
healthcare sector (Calyptix Security, 2019).
ISO refers to the International Organization for Standardization, a non-governmental
organization that publishes standards to facilitate world trade. Membership is comprised of
delegates from standardization bodies in more than 160 countries. Along with the International
Electrotechnical Commission (IEC), ISO maintains a series of standards for creating and
maintaining an information security management system, known as ISO/IEC 27000, or simply "the
ISO". Among respondents, 18.5% use the ISO framework (Calyptix Security, 2019).
References

Calyptix Security. (2019). Top 5 Cyber Security Frameworks in Healthcare. [online] Available at: https://www.calyptix.com/hipaa/top-5-cyber-security-frameworks-in-healthcare/ [Accessed 15 Sep. 2019].
Csis.org. (2019). [online] Available at: https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity [Accessed 24 Jun. 2019].
Dey, P. and Kinch, J. (2008). Risk management in information technology projects. International Journal of Risk Assessment and Management, 9(3), p.311.
Dionne, G. (2013). Risk Management: History, Definition, and Critique. Risk Management and Insurance Review, 16(2), pp.147-166.
Fetzer, D. and West, O. (2008). The HIPAA Privacy Rule and Protected Health Information. Academic Radiology, 15(3), pp.390-395.
Fruhlinger, J. (2019). What is a cyber-attack? Recent examples show disturbing trends. [online] CSO Online. Available at: https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html [Accessed 24 Jun. 2019].
Health.act.gov.au. (2019). | Health. [online] Available at: https://www.health.act.gov.au/ [Accessed 15 Sep. 2019].
ISO. (2019). ISO 31000 Risk management. [online] Available at: https://www.iso.org/iso-31000-risk-management.html [Accessed 24 Jun. 2019].
Jiang, J. and Bai, G. (2019). Evaluation of Causes of Protected Health Information Breaches. JAMA Internal Medicine, 179(2), p.265.
Legislation.gov.au. (2019). National Health Act 1953. [online] Available at: https://www.legislation.gov.au/Details/C2017C00250 [Accessed 15 Sep. 2019].
Legislation.gov.au. (2019). Privacy Act 1988. [online] Available at: https://www.legislation.gov.au/details/c2014c00076 [Accessed 15 Sep. 2019].
Mohseni, A. (2014). Audit Approach to Audit Risk Management, Quantitative Determination of the Components of Audit Risk and Determine the Impact on the Components of Audit Risk in Audit Sampling. SSRN Electronic Journal.
OAIC. (2019). The Privacy Act. [online] Available at: https://oaic.gov.au/privacy/the-privacy-act/ [Accessed 15 Sep. 2019].
Rademaker, M. (2016). Assessing Cyber Security 2015. Information & Security: An International Journal, 34, pp.93-104.
Services, P. (2018). Cyber Attack - What Are Common Cyberthreats. [online] Cisco. Available at: https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html.
Unityhealth.com.au. (2019). UnityHealth Pty Ltd. [online] Available at: http://www.unityhealth.com.au/index.jsp [Accessed 15 Sep. 2019].
