Hospital Business Continuity Plan for Systems
Executive Overview
This document describes a cybersecurity business continuity plan for a hospital system and its importance. It states the possible risks that would be present in the system, their causes, and mitigation measures. A risk assessment matrix was used to indicate the risks, the areas that would be vulnerable to the risks, and the impact that would be experienced if the risks occurred. These include denial of service attacks, intrusions, human error, physical damage, masquerading, and malicious software. A business continuity plan (BCP) should be updated periodically to capture and mitigate new risks. Documenting change control is important in ensuring that the updates made on the cybersecurity BCP or the actual IT infrastructure are properly documented and prioritized. This helps to eliminate human errors and maintain the integrity of the BCP.
Document Change Control
Change Control Form | |
Requested by | |
Request Date | |
Project/Item Name | |
Change ID Number | |
Classification | |
Importance | |
Impact | |
Complexity | |
Assessment | |
Business risk |
The above template would be used to request changes in the cybersecurity BCP as well as the BCP process. It is grouped into three parts: requester information and items to be changed, classification of change, and risk assessment. The first part records the details of the person requesting change and the item to be changed. The second part classifies the priority for the change by checking on the importance of the change, its impact, and how complex it is to effect the change. The third part assesses the current risk level of the item to be changed, that is, the level of risk it poses to business continuity when/if the item is not changed immediately. After the requester has filled out the form, they return it to the IT department, where it goes through a documented process to decide on its priority for implementation.
Introduction
A business continuity plan is essential in ensuring that business operations are not brought to a halt to the point of rendering the business obsolete (Božić, 2023). Such a plan is made to cover all areas of the business, including IT. A BCP that is specifically prepared for IT systems is categorized under cybersecurity planning and response (Božić, 2023). A hospital is also a business; therefore, it requires a BCP. An IT BCP for a hospital would ensure that the hospital’s IT infrastructure is not disrupted, and in the event of a disruption, the situation is handled effectively to ensure that operations resume immediately (Ayatollahi & Shagerdi, 2017). Sasaki’s (2020) study on hospitals in Japan after an earthquake in 2011 showed that most hospitals were unable to resume operations for a long time because they lacked proper BCPs. Consequently, this emphasizes the importance of an up-to-date BCP for hospitals.
A cybersecurity BCP identifies the scope of the current IT infrastructure as the first step. The second step evaluates possible risks and impacts. The third step is to create and test a response plan. Lastly, it keeps refining the entire process for proper preparedness (U.S. Department of Health & Human Services, 2022). The IT infrastructure includes users, systems, and data. Therefore, risk assessment analyzes risks that can arise in those three categories. This would also include educating system users on cybersecurity measures they should observe to keep the system secure. In addition, systems are configured to meet security needs. For example, a hospital network would contain a firewall with access control lists that ensure only authorized network traffic is allowed in the hospital’s private network. For software security, software patches should be updated in a timely manner to ensure that hackers do not exploit software vulnerable points.
Further, data security would be maintained through measures such as control assessment levels for users, passwords, backup, and antivirus. The IT department would handle incident response from IT support officers, escalating upwards to the chief security IT officer, depending on the severity of the impact. A detailed response plan is then documented to ensure that each member of the incident response team understands what to do during and after an incident preparedness (U.S. Department of Health & Human Services, 2022). All security measures that could be implemented to avoid a known risk would be implemented in good time. Therefore, only risks that cannot be avoided require the incident response plan. The entire cybersecurity BCP requires periodic updating to ensure the most recent security measures are implemented and the response plan is effective. This would include training on new risks and how to handle them (Kuzminykh et al., 2021).
Risk Assessment Matrix
Risks/Vulnerabilities | Software | Network | Database | Hardware | Firewall |
Human errors | Low | Low | Low | Low | Low |
DOS attacks | Critical | Critical | Critical | Critical | Critical |
Intrusion | Critical | Critical | Critical | Critical | Critical |
Malice (Malicious software) | Critical | Critical | Critical | Low | Critical |
Physical damage | Low | Medium | Low | Medium | Low |
Masquerading | Critical | Critical | Critical | Low | Critical |
The possible risks for a hospital system are stated vertically on the risk matrix, while the vulnerabilities are stated horizontally. Low, medium, and critical are used to describe the risks’ impact on the system. This matrix is important in preparing a BCP because it highlights the areas requiring high priority in security implementation (Argaw et al., 2020). Notably, hospital system breakdown could lead to loss of lives (Argaw et al., 2020). As such, any risk leading to loss of lives is critical and should be adequately mitigated. Therefore, a risk assessment matrix is a crucial part of a cybersecurity BCP for hospital systems.
ARO, SLE, and ALE calculations were done based on U.S. Department of Health & Human Services (2020) research on healthcare systems and data collected.
Risks | Total Asset Value | Exposure Factor | SLE | ARO | ALE |
Human errors | 60,000 | 50% | 30,000 | 5 | 150,00 |
DOS attacks | 900,000 | 100% | 900,000 | 1 | 900,000 |
Intrusion | 200,000 | 75% | 150,000 | 3 | 450,000 |
Malice (Malicious software) | 900,000 | 100% | 900,000 | 1 | 900,000 |
Physical damage | 300,000 | 10% | 30,000 | 5 | 150,000 |
Masquerading | 250,000 | 50% | 125,000 | 5 | 625,000 |
Critical Business Functions Overview
For IT systems to run seamlessly in a hospital environment, three components must be considered: system users, system, and data (U.S. Department of Health & Human Services, 2022). All possible risks based on the three factors should be evaluated to avoid internal and external risks. For example, system users must be trained on measures to observe so that they do not become a threat to the system. This includes using passwords, keeping their passwords a secret, and reporting any suspicious activities noticed within the system. Also, the IT security team should ensure that security updates are done in good time and that all system configurations are properly done. For example, to protect patients’ data in the hospital system, IT system administrators should ensure that only authorized users have access to certain levels of data. This is done by assigning system rights to users based on their job functions, meaning no user should have privileges to assess more data than required to execute their duties. Data backup is also another measure to protect data.
When the above measures are implemented, hospital operations will be difficult to disrupt, and if a disruption occurs, operations will be resumed in a short time (Argaw et al., 2020). For example, if a natural disaster occurs, cloud data backup will ensure that data is secure. Also, a disaster recovery physical office would be used to have IT department staff continue working. The disaster recovery physical office should be an offsite office that is always fully set up for emergency use. With proper network security measures such as vulnerability scans and penetration testing, denial of service attacks would be identified and avoided (U.S. Department of Health & Human Services, 2022). If a DOS attack is identified when it is already happening, the incident response plan, which is part of cybersecurity BCP, would be used to stop the attack and mitigate the impact.
Cyberattacks on hospital systems have been found to cause severe outcomes such as loss of lives (Argaw et al., 2020). This is because when malicious people access a hospital system, they affect several essential services. These include automatic drug dispensing and drug delivery, imagery equipment, and surgery information, among others (Argaw et al., 2020). Also, cyberattacks could cause a data breach that could lead to the exposure of patients’ data. Organizations are responsible for protecting the integrity and privacy of their client’s data.
System users are considered an important part of risk assessment and mitigation. This is because by using the system, they can identify areas that require change for better mitigation. A user can then fill out a change control form and request a change. In addition, IT staff could notice the areas for change when offering IT support services or when performing continuous system monitoring and proceeding to request change by filling out the change form. The form then goes through a duly documented process to determine the priority to be accorded for each proposed change. The cybersecurity BCP process could also be reviewed for change once other advanced technologies are available for use or when the process does not provide efficient results.
References
Argaw, S. T., Troncoso-Pastoriza, J. R., Lacey, D., Florin, M. V., Calcavecchia, F., Anderson, D., Burleson, W., Vogel, J. M., O’Leary, C., Eshaya-Chauvin, B., & Flahault, A. (2020). Cybersecurity of hospitals: Discussing the challenges and working towards mitigating the risks. BMC Med Inform Decis Mak, 20(146). https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7333281/
Ayatollahi, H., & Shagerdi, G. (2017). Information security risk assessment in hospitals. The Open Medical Informatics Journal, 11(1), 37-43. http://dx.doi.org/10.2174/1874431101711010037
Božić, V. (2023). Business continuity management in hospital [Master’s thesis]. https://www.researchgate.net/publication/368652428_Business_Continuity_Management_in_hospital
Kuzminykh, I., Ghita, B., Sokolov, V., & Bakhshi, T. (2021). Information security risk assessment. Encyclopedia, 1(3), 602-617. http://dx.doi.org/10.3390/encyclopedia1030050
Sasaki, H., Maruya, H., Abe, Y., Fujita, M., Furukawa, H., Fuda, M., Kamei, T., Yaegashi, N., Tominaga, T., & Egawa, S. (2020). A scoping review of hospital business continuity plans to validate the improvement after the 2011 Great East Japan earthquake and tsunami. The Tohoku Journal of Experimental Medicine, 251, 147-159. http://dx.doi.org/10.1620/tjem.251.147
U.S. Department of Health & Human Services. (2020). Quantitative Risk Management for Healthcare Cybersecurity (202005071030). https://www.hhs.gov/sites/default/files/quantitative-risk-management-for-healthcare-cybersecurity.pdf
U.S. Department of Health & Human Services. (2022). Healthcare system cybersecurity readiness & response considerations. https://files.asprtracie.hhs.gov/documents/aspr-tracie-healthcare-system-cybersercurity-readiness-
ORDER A PLAGIARISM-FREE PAPER HERE
We’ll write everything from scratch
Question
As the Chief Information Security Officer, I suggest the following for a Hospital Business Continuity Plan (BCP).
Executive Overview: Be precise and detailed and provide a thorough understanding of the program.
Document Change Control: The table should be completed.
Introduction: Include the overview, plan scope, and applicability that evaluate the appropriateness of cybersecurity frameworks for developing a cybersecurity program to align with business needs, plan objectives, and plan assumptions. Analyze various cyber threat models used to identify and protect against cybercrime threat vectors, motivations, and ideologies.
Risk Assessment Matrix: Complete a Risk Assessment Matrix. Evaluate system risks, threats, vulnerabilities, practices, and processes to ensure the safety and security of the hospital information systems.
Critical Business Functions Overview: Detail components that are critical to business operations and provide a clear understanding of what the program is designed to address.
Note: A minimum of six scholarly resources are needed.