Question
I. Facility Overview
Mooseville County Hospital (MCH) is a 300 bed acute care facility which serves the tri-county area in the northwest corner of Alaska. Mooseville is an affiliate hospital within the Alaska Health System, the teaching medical facility for the state. Inpatient admissions run on average 13,000 per year while outpatient visits average 28,300 per year. Services provided by the hospital include general medicine, obstetrics, cardiology, orthopedic surgery, and the finest oncology center in the northwest part of Alaska.
Current Systems Environment
MCH went LIVE with Afterburn EHR using a big bang approach (both financial and clinical at once). They have been live for 6 months and are trying to stabilize; all of their focus has been on the success of the EHR, and security has not been top of mind.
Patient Accounting and Patient Management
Afterburn EHR provides the following patient financial and patient management applications:
Patient Accounting
Admission, Discharge, Transfer (ADT)
Master Patient Index
Medical Records/DRG/Transcription
Chart Deficiency/Location/History
Clinical Applications
Afterburn EHR provides the following clinical functions:
Order entry/Results Reporting
Laboratory
Pharmacy (and CPOE)
Radiology
Nursing Documentation
Physician Documentation and Patient/Provider Portal
General Financial Applications
MCH is using Worlds Best System (WBS) for general financial applications. The following modules are currently in production:
General Ledger
Accounts Payable
Payroll/Personnel
Fixed Assets
Decision Support/Budgeting
Time & Attendance
Other: Email - MSFT Exchange version 2016, on-site
II. Security Breach, Audit and Mitigation Scenario
While MCH has been somewhat settling down with their new EHR, they had the misfortune of recently being audited by the Office of Civil Rights (OCR) in response to an information security breach that impacted over 500 patients due to a stolen, unencrypted laptop. To add insult to injury, the organization experienced a ransomware attack caused by an email phishing scam where a hyperlink was clicked on by internal employees on site and even an ex-employee who still had access to the system on their personal mobile device (external users can access their applications via an SSL encrypted tunnel through Citrix Receiver). This also resulted in another breach with over 500 patients' protected health information being exfiltrated, even though they paid the ransom. As we have learned, breaches over 500 patients instantly trigger a Federal audit.
The OCR audit started small, but the more they learned about the MCH security practices, or lack thereof, it grew into a larger endeavor as one can imagine. From the findings, there were three key processes that were deemed critical risks to the organization and the patients it serves. You are assigned one of these three findings. Please see your specific risk mitigation assignment below as it relates to the audit.
The findings included:
Security configurations on hardware (i.e. laptop without encryption) and other protections ranging from the network firewall all the way down to the endpoint device (i.e. PC, desktop, thin client, laptop, tablet, etc.) were lacking and not in alignment with industry standards.
*Hint- There are numerous mature software solutions in the marketplace and operational workflow solutions that can be used in conjunction with these to mitigate your risk.
You should do the following:
1) Identify the solution to mitigate the risk using a software solution and/or operational workflow changes, as well as;
2) Document the policy and procedure that will drive your organization's regulatory compliance.
Remember, the Office of Civil Rights will make sure these areas are fixed and if not satisfied, come back for another visit!
III. HI620 Project Parameters
1. The student project focus should be on applying what you have learned in class along with external research on the scenario your group has been designated. While you may reference security policies and procedures from other entities, you should not copy plans that you find on the internet and in other sources. If a publicly available plan was used to develop your presentation, it should be properly referenced.
2. In your research for solutions (i.e. vendor based and/or operational workflow) presentation, be sure to explain WHY you feel that a particular strategy or solution is appropriate for your mitigation plan. The why does not need to be written up in detail in your written plan but should be discussed in your presentation. You should also elaborate on why other solutions were considered but not chosen. Focus your efforts on solving the problem, but keep in mind feature function and compare those apples to apples while also considering the costs for years 1-3.
3. The project should be addressed with a mid-level approach. While you are expected to discuss details and examples in your plan, do not attempt to get too far down into the weeds and overwhelm us with minute details. Instead, focus on explaining your overall strategy to the audience and why each part of the security mitigation strategy is vital to getting out of hot water with OCR (and any potential class action lawsuits, as letters to your patients have already been sent out and you've made the news!).
4. In your project, you should keep the concept of a layered approach to security at the forefront. Think of it this way: the audience is a group of hackers seeking to steal your information. As they probe deeper into your network, they should meet a variety of security barriers. What are those barriers, why are they there, and how do they support one another?