A Custom Security Plan
The ransomware attack on the MDH’s network, which resulted in the loss of COVID-19 data, was blamed on a lack of upgrades to the “server outage.” The data breach jeopardized the Maryland Department of Health’s protected health information. Additionally, the hack disabled tools generally available on the agency’s website, including sites urging Maryland residents to enroll in Medicaid, obtain free at-home testing for sexually transmitted diseases, and access information on local nursing facility safety (Staff, 2022). As a result, a customized security model will serve as the primary means of assigning duties for the safe management and control of information on MDH’s networks and computer systems. It will also establish procedures and processes to ensure that the Information Assurance principles of nonrepudiation, availability, authentication, confidentiality, and integrity are consistently applied.
Custom security planning is aimed at enhancing the security of company data. MDH’s systems include highly confidential data that must be safeguarded in accordance with industry standards. A bespoke security plan is needed to document this level of protection for a system. This security strategy will give MDH an overview of the various security measures in place. In our security evaluation of MDH as a victim of the cyberattack, we found weaknesses in every type of system, online application, software, and network. Among the most troubling aspects of the MDH breach is that it goes far beyond ordinary identity theft. One of the most vulnerable systems to cyberattacks. According to a vulnerability assessment, MDH’s information security is threatened by a lack of staff education and training, a lack of standardized and strong encryption technologies, and the use of unpatched operating systems for a lengthy period of time. The following is a short list of tactics MDH can use to achieve the major goals of its security plan.
Operating System and Network Management
Analyze and review the present network and operating system, noting any patches that are expired or out of date. Apply the most recent updates to the network and operating system, using versions supported by suppliers who are capable of providing patches that adhere to modern security standards. Upgrade the capabilities of the present operating system to enable the installation of missing software fixes. Patches can include new features, such as added functionality or expanded platform support, which frequently gives MDH opportunities to expand or improve its services. Conduct regular penetration tests and vulnerability scans on the operating system and network, simulating a real-world cyber-attack, and implement the necessary defenses. The advantage of routine patch management is that it ensures that nothing falls through the cracks at any point in time.
Security Guidelines and Policies
The critical step for the organization in developing the finest cybersecurity environment is to design and use the best security guidelines and policies, tailored to MDH’s objectives and mission regarding the protection of the confidentiality, integrity, and availability of information. The goal of security policies and guidelines is to provide an overview of the system’s security needs and to define the controls that have been implemented or are being implemented to meet those criteria. Additionally, the security policy and guidelines define the obligations and anticipated conduct of all MDH system users. The policy and standards should be consistent with and adhere to federal requirements governing the organization’s security processes, such as FIPS, NIST, and FISMA (NIST, 2021). Existing regulations and standards should be constantly upgraded to reflect the ongoing changes in the present environment. These regulations will offer a uniform framework for defining the data security requirements. The amended policies will establish standards for all users and ensure the security of data. These regulations will establish a road map for enhancing cybersecurity defenses and establishing a framework compliant with HIPAA (CDC, 2019). The security policy changes can include, but are not limited to:
- Procedures and Risk Assessment Standards Policy
- Authorization, Authentication, and User Identification Policy
- Acceptable Key Management and Encryption Policy
- Data Backup Policy
- End User Encryption Key Protection Policy
- Secure Systems Management Policy
The Maryland Department of Health is a technology-dependent organization, and as a result of this reliance, it is becoming increasingly vulnerable to cyber-attack occurrences. Cyberattacks occur as a result of hostile acts committed by individuals, such as hackers breaking into a network in order to compromise sensitive information. They may, however, be inadvertent, such as a human error that momentarily disables a system (Nozaki & Tipton, 2011). Risk occurrences might originate externally, from cybercriminals or supply chain partners, or internally, from employees or contractors. After identifying hazards, the information security professional should prioritize and categorize them. The Maryland Department of Health should bring on board and seek the help of experts in information management security and cybersecurity. MDH should hire consultants to find all of the vulnerabilities that exist in the organization’s system, network, software, and online application. Hiring an experienced and well-trained MDH information technology security officer will ensure that all confidential data is protected in the organization. MDH should also set up a month-long campaign to raise awareness about the dangers of cyberattacks among the Maryland Department of Health’s staff and contractors.
In light of the scope of the cyberattack at MDH, the “CIA” triad is an adequate starting point for improving the network’s security. A few more attributes are required for network security at MDH because of the nature of the healthcare industry. The Clark-Wilson model’s security application attributes can be integrated with the Clinical Information System model’s attributes to update the network security infrastructure. Combined, these two models specify the following security protocols: record opening dates and times, information flow, access control lists (ACL), aggregation controls, consent, and notification processes (Nozaki & Tipton, 2011). In order to preserve the MDH network’s data and avoid security breaches, human error must be minimized. Encryption is the best way to safeguard data that travels over the network or sits on the operating system. It is critical for the Maryland Department of Health to encrypt data in accordance with federal requirements mandated by FISMA (NIST, 2021). MDH should upgrade the current encryption system’s security by adding cryptography to the hardware and software already in place.
As far as cybersecurity is concerned, a company needs to know its stuff. The foundation for preventing a cyber breach or attack is having a solid understanding of cybersecurity and information technology. In order to avoid or disclose a security danger, employees must be informed about cybersecurity (and given the appropriate training to do so). At first glance, this may seem self-evident, but you might be surprised. Because human error is the most common threat in the world, cyber training is needed to protect against it (Sloan, 2021). To achieve employee training, the Maryland Department of Health can adopt the following steps:
- Reimburse employees’ security training programs and certifications to encourage further study and certification by personnel.
- Employees should receive frequent training on data security from cyber security experts.
- Employees should be encouraged to participate in information security conferences and webinars.
- Make annual information assurance training for staff a requirement.
CDC. (2019, February 21). Health Insurance Portability and Accountability Act of 1996 (HIPAA). Centers for Disease Control and Prevention. https://www.cdc.gov/phlp/publications/topic/hipaa.html
NIST. (2021, July 8). Compliance FAQs: Federal information processing standards (FIPS). https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips
Nozaki, M. K., & Tipton, H. F. (2011). Information security management handbook (6th ed.). CRC Press.
Sloan, K. (2021, October 8). Cybersecurity training for employees: What you need to know. Cybint. https://www.cybintsolutions.com/cybersecurity-training-for-employees-what-you-need-to-know/
Staff, C. B. (2022, January 12). Maryland Department of Health confirms ransomware attack caused disruption in COVID-19 data last month. CBS Baltimore. https://baltimore.cbslocal.com/2022/01/12/maryland-department-of-health-confirms-ransomware-attack-caused-disruption-in-covid-19-data-last-month/