Case Study: Securing the City Hospital

Scenario: City Hospital, a large urban hospital, is undergoing a digital transformation. They're
implementing a new Electronic Health Record (EHR) system, expanding their telehealth capabilities, and
connecting various medical devices to a central network. The Chief Information Security Officer (CISO),
Sarah Chen, is tasked with ensuring the security of these new systems and the hospital's existing
infrastructure.

The Challenge: Sarah needs to conduct a thorough risk assessment to identify potential threats and
vulnerabilities before the new systems go live. She knows that failing to do so could lead to significant
financial losses, reputational damage, and even harm to patients. The hospital's existing security
measures are outdated, and the new interconnected systems introduce new complexities.

The Hospital's Assets:

• People: Doctors, nurses, administrative staff, IT personnel, external contractors (for EHR
implementation), patients.

• Procedures: Standard operating procedures for accessing patient data, incident response plans,
password policies, data backup procedures, telehealth protocols.

• Data: Patient medical records (highly sensitive), financial data, research data, employee
information.

• Software: EHR system, telehealth platform, medical device software, operating systems (servers
and workstations).

• Hardware: Servers, workstations, medical devices (e.g., infusion pumps, ventilators), network
infrastructure (routers, switches), security devices (firewalls, intrusion detection systems).

• Networking: Local Area Network (LAN) connecting hospital departments, Internet connection
for telehealth and administrative functions, cloud-based storage for backups.

Identifying Threats and Vulnerabilities :

Sarah's team identifies several potential threats:

• Ransomware attacks: Targeting the EHR system and patient data.

• Phishing attacks: Targeting employees to gain access credentials.

• Insider threats: Malicious or negligent employees accessing or modifying patient data.

• Medical device vulnerabilities: Exploitable vulnerabilities in connected medical devices could

lead to malfunction or data manipulation.

• Data breaches: Unauthorized access to patient data through network vulnerabilities.

• Denial-of-service attacks: Disrupting hospital operations by overwhelming the network.

• Physical security breaches: Unauthorized access to hospital facilities and equipment.

Prioritizing Assets and Threats:

Sarah uses a weighted factor analysis to prioritize assets based on their criticality, value, and potential
impact of compromise. Patient medical records are ranked highest, followed by the EHR system and
then critical medical devices. Ransomware attacks targeting the EHR system and data breaches are
considered the most serious threats.

Risk Assessment :

Sarah's team uses a risk matrix to assess the likelihood and impact of each threat exploiting a
vulnerability in a specific asset. They consider existing controls (firewalls, antivirus software, access
control lists) and the potential for mitigation.

Questions for Students:

1. Based on the scenario, what are the top three most valuable assets at City Hospital and why?
Justify your answer (e.g., impact on revenue, profitability, public image, cost of replacement).

Based on the scenario, what are the top three most valuable assets at City Hospital and

why? Justify your answer (e.g., impact on revenue, profitability, public image, cost of

replacement).

1. People (Doctors, Nurses, Administrative Staff, IT Personnel, and Patients)

Justification:

Patient Safety and Trust: Patients' well-being and trust are integral to the hospital’s mission and
reputation.

2. Data (Patient Medical Records)

Justification:

Criticality: Patient medical records are essential for diagnosis, treatment, and continuity of care.

3. Software (EHR System)

Justification:

Operational Dependency: The EHR system integrates and manages critical patient and
operational data. A failure could halt essential hospital functions, including admissions, billing,
and care delivery.
 4. Networking (LAN, Internet, Cloud Storage)

Justification:

Cost of Replacement: Rebuilding secure, reliable network infrastructure is expensive and

resource intensive.

5. Hardware (Medical Devices: Infusion Pumps, Ventilators, etc.)

Justification:

Reputation and Compliance: Incidents involving compromised medical devices can lead to
lawsuits, loss of accreditation, and reputational harm.

2. Identify three specific vulnerabilities that could be exploited by the identified threats. Explain
how each vulnerability could be exploited and the potential consequences.

• Phishing Susceptibility among employees: hackers can send phishing attacks to

employees (nurses, doctors) and trick them into revealing their credentials via
fraudulent emails.

• physical security: Inadequate security measures can leave hospital facilities and
equipment vulnerable, potentially allowing unauthorized individuals to gain physical
access. This poses significant risks to both patient safety and the integrity of healthcare
operations.

• Ransomware vulnerabilities and potential exploits:

Cyber criminals could encrypt patient data, demanding a ransom for decryption, delaying a
patient care and causing repetitional and financial damage.

3. Propose three specific risk mitigation strategies that Sarah could implement to reduce the
likelihood and impact of the identified threats. Explain how each strategy addresses a specific
threat or vulnerability.

• implement advanced endpoint protection and regular backups :

Addresses: Ransomware attacks

Explanation: Deploying advanced anti-malware tools and maintaining regular, encrypted

backups ensures rapid recovery without paying ransoms.
 • Conduct Security Awareness Training for Employees:

Addresses: Phishing attacks.

Explanation: Regular training on identifying phishing attempts reduces the likelihood of

credential theft.

• Secure Medical Devices with Network Segmentation and Patching:

Addresses: medical device vulnerability.

Explanation: isolating medical devices from other networks and ensuring timely updates protect
against unauthorized access and malware infections

4. How would a TVA worksheet help Sarah organize and analyze the information gathered during
the risk identification and assessment process?

The TVA worksheet would enable Sarah to systematically organize, analyze, and prioritize risks,
ensuring a clear path to identifying appropriate mitigation strategies. It serves as both a
planning tool and a communication aid, helping to align technical efforts with broader hospital
objectives. Allows Sarah to evaluate risks by analyzing how threats exploit vulnerabilities in
critical assets.

Shatha Adel Al-Dossary 2240005624

Zainab Ali Al-Ramadhan 2240005053
Zahra Hussain Al-Muslem 2240005262