Instructions
Risk Assessment Report Overview
The objective of this assignment is to develop a Risk Assessment Report for a company, government agency, or other organization (the “subject organization”). The analysis will be conducted using only publicly available information (e.g., information obtainable on the Internet, company reports, news reports, journal articles, etc.) and based on judicious, believable extrapolation of that information. Your risk analysis should consider the subject organization’s information assets (computing and networking infrastructure), their vulnerabilities, and the legitimate, known threats that can exploit those vulnerabilities. Your assignment is then to derive the risk profile for the subject organization. Your report should also contain recommendations to mitigate the risks.
There is a wealth of business-oriented and technical information that can be used to infer likely vulnerabilities and assets for an organization. It is recommended that students select their organizations based at least in part on ease of information gathering, from a public record perspective.
Steps to be followed:
1. Pick a Subject Organization: Follow these guidelines:
- No insider or proprietary information. All the information you collect must be readily available for anyone to access. You will describe in your proposal how you intend to collect your
- You should pick a company or organization that has sufficient publicly available information to support a reasonable risk analysis, particularly including threat and vulnerability
2. Develop Subject Organization Information: Examples of relevant information include:
- Company/Organization name and location
- Company/Organization management or basic organization structure
- Company/Organization industry and purpose (i.e., the nature of its business)
- Company/Organization profile (financial information, standing in its industry, reputation)
- Identification of relevant aspects of the company/organization’s computing and network infrastructure. Note: Do not try to access more information through social engineering, or through attempted cyber attacks or intrusion.
3. Analyze Risks
a. For the purposes of this assignment, you will follow the standard risk assessment methodology used within the U.S. federal government, as described in NIST Special Publication 800-30 (United States. National Institute of Standards and Technology (2002). Risk Management Guide for Information Technology Systems (Special Publication 800-30). Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf).
b. In conducting your analysis, focus on identifying threats and vulnerabilities faced by your subject organization.
c. Based on the threats and vulnerabilities you identify, next determine both the relative likelihood and severity of impact that would occur should each of the threats materialize. This should produce a listing of risks, at least roughly ordered by their significance to the organization.
d. For the risks you have identified, suggest ways that the subject organization might respond to mitigate the risk.
4. Prepare Risk Assessment Report
- Reports should be 12 pages (exclusive of cover, title page, table of contents, endnotes and bibliography), double-spaced, and should follow a structure generally corresponding to the risk assessment process described in NIST Special Publication 800-30.
- The report should be prepared using the APA Style. All sources of information should be indicated via in-line citations and a list of
- Reports should be submitted via the Assignment
ANSWER:
- Introduction
Intermountain Healthcare is the largest healthcare organization in the state of Utah. It serves the residents of Utah, Southern Nevada, and Southern Idaho. The organization’s primary business is providing healthcare services to the people living in Utah and parts of Idaho and Nevada. It has implemented technology-based systems in healthcare delivery, which will be the focus of this assessment. Intermountain Healthcare is a market leader in the health industry, and it brings together hospitals and clinics, thus mirroring the healthcare system in the country. The organization was selected for this assessment owing to its structure and implementation of health information technology. Intermountain Healthcare presents a model that has succeeded in implementing effective healthcare technology.
The risk assessment will focus on health information technology at Intermountain Healthcare. “Technology in healthcare, particularly electronic medical records systems (EMRs), is paramount in the quality of care” (Colicchio, Borbolla, Colicchio, Scammon, Del Fiol, Facelli, Bowess, & Narus, 2019, p. 21). However, the technology faces a risk of misuse if accessed by unauthorized persons. Malicious individuals are always attempting to access the information through hacking. “The organization has developed a publish-subscribe infrastructure to support its EMRs” (Narus, Rahman, Mann, & Haug, 2018, p. 801). It also has a “hospital clinical information system to supplement the EMRs” (Clayton, Narus, Huff, & Pryor, 2003, p. 3). Intermountain Healthcare has an electronic health reporting system to “guide public health efforts through insights obtained from the EMRs” (Rajeev, Staes, Evans, Price, Hill, Mottice, Risk, & Rolfs, 2011, p. 1146).