After examining the incident, there are some key things that stick out as major risks, these include:
• Accounts existed before EHR system was deployed.
• Accounts were undocumented.
• Non Authorized remote users had access to the EHR application.
• Undocumented account was created/added to a new system.
• Method or Vulnerability to gain privilege escalation outside of change control policy.
This led me to propose three policies, each address some of these key issues from separate fronts. The three policies include a Remote Access Policy, Application Deployment, and a Routine Maintenance policy. The Remote Access policy aims to correct the issue that non-authorized users were able to access the EHR system. HIPAA has included provision in the Security Rule that allows for remote access, but with certain limitations. I have included provision that restricts remote access based on Job Role and Job Necessity(ISO 27002:2005, 7.1.1), and restricted to assets that are owned by the hospital which have enhanced security (ISO 27002:2005, 7.1.1) (NIST, 164.312(a)(1))(ISO 27002:2005, 11.4.2). The Application Deployment policy aims to close security loop holes that appear to have been open for months before the EHR system was even deployed. There were no check on accounts when importing, and no alerts when permissions were escalated. Some of the key standards that I see as aiding in creating this policy is better change management (ISO 27002:2005, 10.1.2) (NIST, 164.308(a)(5)(ii)), operating system auditing after patching (ISO 27002:2005, 12.5.2), a better separation of development systems (ISO 27002:2005, 10.1.4)(ISO 27002:2005, 11.4.5)(ISO 27002:2005, 12.4.2), and better security on the production system (NIST, 164.312(a)(1))(NIST, 164.308(a)(5)(ii)(D)). The Routine Maintenance policy aims to take care of the loose ends that may have...