
Question

Please respond in complete, written sentences with appropriate statutory/regulatory citation (HIPAA only, no state law) as you deem necessary. Your score will be based on identifying the relevant issues and not on citation format. (However, although optional, the inclusion of relevant citations may assist me in confirming your identification of relevant issues in the hypothetical.)

You have recently been appointed as the Privacy and Security Officer of Phishing Memorial Hospital. On your first day on the job, you decide to review the organization's most recent Security Risk Assessment (SRA), which is about four years old. While reviewing the SRA you notice that the hospital's employees seem to have a real problem following the hospital's email and internet usage policy. It seems that employees regularly surf the internet and regularly send and receive personal emails. Understanding the risk that personal internet and email usage can cause, you have decided that one of your first tasks will be to revamp the hospital's security training and awareness program.

Unfortunately, before you even have the chance to start designing the new training and awareness program, you get an urgent call from the hospital's Risk Manager. It seems that a front desk employee, Willa Clickonanything, clicked on what she thought was an email from Amazon. However, the email was not from Amazon and upon clicking on it her computer screen froze with a message telling her that all the system files had been encrypted and that she had 72 hours to send 500 Bitcoin to the account listed on the screen or else all the system files would be deleted. Within moments of Willa's screen freezing it became apparent that the hospital's entire business management system was locked down and no files could be accessed. Fortunately, the hospital's electronic medical record was not directly linked to the affected system and it remained fully operational. The business management system that was impacted contains, among other things, full patient account information including names, dates of birth, and home addresses. There are well over 100,000 individual accounts accessible in the system.

While you are still trying to absorb this, you get a call from the hospital's CEO. Apparently, word travels fast at the hospital. Some members of the Board of Directors are already aware of the issue and are expecting the CEO to present an action plan to the Board. The Board absolutely does not want this to be treated as a reportable breach if at all possible.
