Situation: Your team represents the IT leadership of a large healthcare organization that is preparing to purchase a smaller hospital group consisting of: 2 Metro hospitals (1 is a learning hospital, which means students are in scope) 3 Rural hospitals 2 Shared data centers (located within 5 miles of each other) 25 Physician practices 1 Lab 1 Coordinated business office Your objective is to evaluate the sites prior to purchase from a risk and compliance standpoint, with a focus on access controls at both the logical and physical standpoint.  Part of the agreement allows for your organization to thoroughly test the systems, which includes: 1 Electronic medical record (EMR) system 2 Mobile applications (1 has the ability to accept credit card payments) 5 External websites (1 has the ability to accept credit card payments) 3 Cloud based systems (1 Infrastructure as a service, 2 Software as a service) Internet connectivity is not shared between the physician practices and main hospital locations 75 Patient care applications (25 developed internally) 500 Patient care devices See individual assignments for deliverables (1 - 8) Consolidate all project sections into one document, each team member will submit the same document individually. Team Details  Document your roles in the organization (e.g., CIO, CISO, Architect, etc.) (each team member) Develop job descriptions for each role, include a salary range 2. Information Security Policy  Select a best practice framework, review the control family recommendations and document a policy for the existing organization with the expectation that the new sites will follow the policy. Note: Still follow APA for this assignment, which may not be appropriate in an organization. 3. Testing Methodology Policy and Procedure  Research and document preferred testing methodologies for: EMR, Mobile Apps, Patient Care devices, External websites, SDLC (hint: vulnerability scanning, penetration testing, medical device scanning, static code analysis, dynamic code analysis, etc.). (each team member) Research and document preferred remediation cycles for the in scope systems (hint: HIPAA, PCI, FERPA) Research and document preferred reporting cycles / methods for the in scope systems (hint: vulnerability metrics, such as CVSS, NVD). Note: Still follow APA for this assignment, which may not be appropriate in an organization. 4. Network Diagram  Develop a proposed network diagram for after the purchase to aid in security and administration (reference required security controls in your policy) (You can use PowerPoint if you don’t have Vizio or another option). 5. Physical Security Assessment Procedure  Develop a physical security assessment plan for the new entity (reference this in your policy). Note: This can be a checklist. 6. Project Plan  Include timelines, expected level of efforts, RACI model, remediation expectations (if you decide to also use third party resources, you’l.

1. Situation:
Your team represents the IT leadership of a large healthcare
organization that is preparing to purchase a smaller hospital
group consisting of:
2 Metro hospitals (1 is a learning hospital, which means
students are in scope)
3 Rural hospitals
2 Shared data centers (located within 5 miles of each other)
25 Physician practices
1 Lab
1 Coordinated business office
Your objective is to evaluate the sites prior to purchase from a
risk and compliance standpoint, with a focus on access controls
at both the logical and physical standpoint. Part of the
agreement allows for your organization to thoroughly test the
systems, which includes:
1 Electronic medical record (EMR) system
2 Mobile applications (1 has the ability to accept credit card
payments)
5 External websites (1 has the ability to accept credit card
payments)
3 Cloud based systems (1 Infrastructure as a service, 2 Software
as a service)

2. Internet connectivity is not shared between the physician
practices and main hospital locations
75 Patient care applications (25 developed internally)
500 Patient care devices
See individual assignments for deliverables (1 - 8)
Consolidate all project sections into one document, each team
member will submit the same document individually.
Team Details
Document your roles in the organization (e.g., CIO, CISO,
Architect, etc.) (each team member)
Develop job descriptions for each role, include a salary range
2. Information Security Policy
Select a best practice framework, review the control family
recommendations and document a policy for the existing
organization with the expectation that the new sites will follow
the policy. Note: Still follow APA for this assignment, which
may not be appropriate in an organization.

3. 3. Testing Methodology Policy and Procedure
Research and document preferred testing methodologies for:
EMR, Mobile Apps, Patient Care devices, External websites,
SDLC (hint: vulnerability scanning, penetration testing, medical
device scanning, static code analysis, dynamic code analysis,
etc.). (each team member)
Research and document preferred remediation cycles for the in
scope systems (hint: HIPAA, PCI, FERPA)
Research and document preferred reporting cycles / methods for
the in scope systems (hint: vulnerability metrics, such as CVSS,
NVD). Note: Still follow APA for this assignment, which may
not be appropriate in an organization.
4. Network Diagram
Develop a proposed network diagram for after the purchase to
aid in security and administration (reference required security
controls in your policy) (You can use PowerPoint if you don’t
have Vizio or another option).
5. Physical Security Assessment Procedure
Develop a physical security assessment plan for the new entity
(reference this in your policy). Note: This can be a checklist.
6. Project Plan

4. Include timelines, expected level of efforts, RACI model,
remediation expectations (if you decide to also use third party
resources, you’ll need to estimate those costs since you have
already created your own hourly rate).
7. Risk Acceptance / Risk Tolerance Procedure
Develop a method for leadership to receive risk details and
determine appropriate risk actions.
8. Final Presentation
Summarize items 1 – 7 to present to the class