Problem Statement The subject is a cybersecurity solution for a major hospital, identified as Big City Hospital. The hospital uses a variety of IT systems connected via a hospital local area network (LAN) to create a hospital information enterprise. The enterprise interacts with external organizations and users via the public Internet. This IT environment is used to manage: Patient records and related data. Pharmacy data on drug inventories, dispensing, ordering, disposal, etc. Medical supplies data, including inventories, usage, and ordering. Scheduling of operating theaters, treatment facilities, and other shared facilities, equipment, and resources. Staff records, including medical professionals, affiliated providers, administrative staff, and maintenance staff. Food service operations, including a cafeteria and room service for patients. General operations data such as building and equipment maintenance, janitorial services, non- medical supplies, telecommunications and net-work services, etc. Much of the hospitals data is highly sensitive. Patient information is protected by public law (e.g. HIPAA), and other personal data requires a high level of protection. Pharmacy data can be stolen or corrupted as part of the theft of expensive drugs for illegal resale. Personal data on staff members is also subject to theft, including identity theft. Other data requires various levels of protection based on its sensitivity. Corruption, hostile encryption, or deletion of patient records has major implications for their care and thus raises a serious safety concern. Threats to these information assets can arise from the full spectrum of Threat Agents. A particular concern of the health care industry is ransomware attacks, in which the attacker gains access to data repositories, encrypts them, and demands payment to provide the key to decrypt the files. Organized crime is known to be using stolen drugs as a major source of revenue. Hackers, disgruntled current or former employees, and others may attempt to breach the hospital enterprise for a variety of reasons. Insiders, both malicious and inadvertent, are involved in many attack scenarios. The hospitals owners and executives have promulgated a security policy with the following key features: Business Security Objectives the following represent the acceptable level of residual risk after security controls are implemented: No more than one data breach per year of any kind. Probability of exposure of Most Sensitive data < 1% per year (1 exposure every 100 years). System Availability > 98%. IT Security Policy the following specific security measures will be implemented as part of an overall balanced and operationally effective cybersecurity solution: Strong Authentication maximize confidentiality by minimizing the risk of unauthorized access to resources. Mandatory Access Control all sensitive assets will have explicit access permissions. Role-Based Fine-Grained Authorizations/Access Permissions each di.

1. Problem Statement
The subject is a cybersecurity solution for a major hospital, identified as Big City Hospital. The
hospital uses a variety of IT systems connected via a hospital local area network (LAN) to create a
hospital information enterprise. The enterprise interacts with external organizations and users via
the public Internet. This IT environment is used to manage:
Patient records and related data.
Pharmacy data on drug inventories, dispensing, ordering, disposal, etc.
Medical supplies data, including inventories, usage, and ordering.
Scheduling of operating theaters, treatment facilities, and other shared facilities, equipment, and
resources.
Staff records, including medical professionals, affiliated providers, administrative staff, and
maintenance staff.
Food service operations, including a cafeteria and room service for patients.
General operations data such as building and equipment maintenance, janitorial services, non-
medical supplies, telecommunications and net-work services, etc.
Much of the hospitals data is highly sensitive. Patient information is protected by public law (e.g.
HIPAA), and other personal data requires a high level of protection. Pharmacy data can be stolen
or corrupted as part of the theft of expensive drugs for illegal resale. Personal data on staff
members is also subject to theft, including identity theft. Other data requires various levels of
protection based on its sensitivity. Corruption, hostile encryption, or deletion of patient records has
major implications for their care and thus raises a serious safety concern.
Threats to these information assets can arise from the full spectrum of Threat Agents. A particular
concern of the health care industry is ransomware attacks, in which the attacker gains access to
data repositories, encrypts them, and demands payment to provide the key to decrypt the files.
Organized crime is known to be using stolen drugs as a major source of revenue. Hackers,
disgruntled current or former employees, and others may attempt to breach the hospital enterprise
for a variety of reasons. Insiders, both malicious and inadvertent, are involved in many attack
scenarios.
The hospitals owners and executives have promulgated a security policy with the following key
features:
Business Security Objectives the following represent the acceptable level of residual risk after
security controls are implemented:
No more than one data breach per year of any kind.
Probability of exposure of Most Sensitive data < 1% per year (1 exposure every 100 years).
System Availability > 98%.
IT Security Policy the following specific security measures will be implemented as part of an
overall balanced and operationally effective cybersecurity solution:
Strong Authentication maximize confidentiality by minimizing the risk of unauthorized access to
resources.
Mandatory Access Control all sensitive assets will have explicit access permissions.
Role-Based Fine-Grained Authorizations/Access Permissions each distinct protected asset will
have specific access permissions.

2. Active User Account Management accounts will be actively maintained to enforce only current
access permissions, will be monitored for unusual activity, and will be closed immediately upon
employee termination/departure.
Principle of Least Privilege users will be granted only the access permissions associated with
their current job responsibilities.
Layered Defense security controls will be implemented in an architecture based on Defense-in-
Depth and Zero-Trust.
Data Integrity maximize integrity by protecting data at rest, in use, and in motion.
Intrusion Prevention/Data Loss Prevention active protection will be implemented to detect and
block suspicious or unauthorized at-tempts to access protected assets.
Protection Against Insider Threats measures will be implemented to train and motivate employees
in secure practices and to identify suspicious behaviors that may indicate malicious activity.
Questions
(4) Assume a risk has been identified resulting from a vulnerability in the system that manages the
Patient Information Database. The estimated cost to restore the database if it is entirely lost or
corrupted is assessed as $1M, and the economic damage due to patients and doctors moving to
other hospitals is estimated to be an additional $1M. Based on published information on
cyberattacks in the health care industry, the estimated number of successful attacks based on
exploitation of the vulnerability is four (4) per year, and each successful attack is estimated to cost
the hospital 5% of the estimated total potential loss. Further assume that a commercial product
has been identified that will reduce the loss from a breach by a factor of ten (10) to 0.5% of the
total. What is the maximum annual total cost for this product to achieve a positive return on the
investment to procure it (i.e., a positive Control Value)?
(3) Layered Defense. Describe a layered defense strategy for the Big City Hospital IT enterprise
based on Defense-in-Depth and Zero-Trust. Base your approach on the Problem Statement,
including the threats and vulnerabilities you have identified, various levels of asset sensitivity, and
the IT Security Policy. Consider the balance between the cost and operational impact of your
solution vs. achieving the acceptable level of risk (dont just write down every countermeasure
youve heard of). At a minimum, address the following:
(a) Identify a set of DiD layers and specific security controls to be implemented in each layer. [25
points]
(b) Identify an approach to network segmentation. [15 points]
(c) Briefly describe how other elements of a Zero-Trust architecture can be implemented. [20
points]
(d) Briefly describe an approach to maintain data Integrity. [15 points]
(5) Governance. Summarize a Cybersecurity Governance strategy for the Big City Hospital.
Specifically:
(a) Identify organizational roles and responsibilities in Governance. [20 points]
(b) Identify three Administrative Governance activities. [15 points]
(c) Identify three Technical Governance activities. [15 points]