Security and threat management

“Launch of ‘Smart Care’ – A Smart Healthcare System”
Smart Care is a start-up established in the South Wales Valleys to offer smart health care digital services across Europe. You have recently joined the company as an employee-partner and have been asked to carry out a security and threat analysis and submit a report with recommendations for the secure launch and operation of Smart Care. The features of Smart Care are as follows:

• Telemedicine operations
• Smart hospitals
• Augmented Reality/ Virtual Reality patient appointments
• Remote Patient monitoring devices
• Drone-assisted medicine delivery to smart homes

Figure 1: Smart Care at the centre of Digital Health Care Services ecosystem
Figure 1 shows the operating landscape of Smart Care. The main Smart Care participants are patients, healthcare service providers, pharmaceutical companies, regulatory bodies and Government entities. Having moved from the Boardroom to the Breakroom, you have scribbled down the following requirements, which you aim to complete as a set of activities within the larger process:

Question 1: Identify data assets, their owners, their sensitivity level and specify data handling controls: (marks 18%; approximately 250 words)
a) Identify data assets (minimum five non-overlapping data assets for each participant, namely, doctors, patients and regulatory body) (marks 3%; approximately 30 words)
b) Identify data asset owner for all identified 15 data assets (marks 3%; approximately 30 words)
c) Evaluate data asset classification levels (i.e., sensitivity as high, moderate, and low) for CIA Triad. (marks 3%; approximately 15 words)
d) Identify adequate data handling controls for operations, namely, access control (confidentiality), encryption (confidentiality and integrity) and monitoring (integrity and availability) for high, moderate, and low sensitive data. (marks 9%; approximately 175 words)

Question 2: As a result of a joint-venture with a US organisation, Smart Care is expected to grow as a medium-sized organisation (50 to 249 employees).
You are required to write a few sections of an Information Security Management Policy document. (marks 40%; approximately 1150 words)
a) Asset Management (marks 10%; approximately 300 words)
b) Physical Security Controls (marks 10%; approximately 300 words)
c) Disaster Recovery Plan for Business Continuity (marks 20%; approximately 550 words)

Question 3: Solve the following problems: (marks 42%; approximately 1000 words)
A. James Anderson works in a team that supports smart water company customers who are struggling to keep up with the payments. He’s just received a call from an uncle of one of the customers, who is asking for details about a customer’s difficulties so that he can help the customer. What do you think James should do in this situation? (5 marks; approximately 150 words)

B. Catherine runs a large smart transport company. She’s recently advertised for new staff. She’s been inundated with applications and doesn’t have a long time to review them all. She is travelling with a colleague to a conference tomorrow, so she’s planning to take a laptop on the aeroplane, along with the paper CVs she’s received. That way, they can both sort through everything on the journey. How would you advise her to take appropriate actions to protect personal data of applicants? Provide technical advice. (5 marks; approximately 150 words)

C. Meet Mr Khan. He’s got an appointment to visit his doctor, but unfortunately, it doesn’t turn out quite how he expected. As Mr Khan arrives at the surgery, he’s surprised to find personal details about his appointment on display in the waiting room, for all to see. Then when he eventually talks to the doctor, it turns out she’s referring to the wrong patient file. It’s all very annoying. The doctor is unable to find his file anywhere. List the data mismanagement issues and identify possible solutions to avoid this type of situation in the future. (6 marks; approximately 200 words)

D. Know your enemy: identify the misclassified threats in the following figure and suggest corrective measures. (14 marks; approximately 300 words) Figure source: Information Security Essentials – Understanding the Threats (USW)

E. Discuss one example of a Social Engineering threat in each of the following categories in the smart emergency services scenario; for each, identify a relevant security control and state its ISO 27001 Standard category (technical; physical; legal and administrative): (12 marks; approximately 200 words)
a. Authority
b. Liking
c. Reciprocation
d. Social Validation