Hospital Corporation of
America Healthcare
Cybersecurity Assessment
Mar 31, 2024
Bryson Ullmer
Maggie Bowles
Shurika Brunson
A’Rai Hyman
Table of Contents
Company Profile 1
Description 1
History 1
About The Industry 2
Key Products 2
Stock Performance 4
Introduction 5
Asset Ranking 6
Risk Management Matrix 8
Assessment Recommendations 10
Asset 1: Electronic Health Records (Bryson Ullmer) 10
Asset 2: Telecommunications Systems (Bryson Ullmer) 13
Asset 3: Laboratory Information System (Maggie Bowles) 16
Asset 4: Hospital Information System (Maggie Bowles) 18
Asset 5: Personally Identifiable Information (PII) (Shurika Brunson) 20
Asset 6: Network Infrastructure Data Breach Risks (Shurika Brunson) 22
Asset 7: Telehealth Platform (A’rai Hyman) 25
Asset 8: Technology (A’rai Hyman) 27
Conclusion 30
References 31
Company Profile
Description
In addition to offering patients excellent medical treatment, HCA Healthcare is a pioneer
in the medical services sector. In serving communities around the country, HCA Healthcare uses
a variety of hospitals, outpatient clinics, and connected institutions. Preventative care, wellness
programs, and sophisticated medical surgeries are just a few of the many medical services that
HCA Healthcare provides. HCA Healthcare is committed to enhancing patient-centered care,
clinical quality, and innovation to impact people's lives positively. It also ensures that all patients
have access to state-of-the-art medical technology and a robust network regardless of their
financial situation.
History
HCA Healthcare was one of the first hospital companies ever founded in the United
States of America. In 1968, HCA Healthcare (Hospital Corporation of America) was founded by
Doctor Thomas Frist Senior, Doctor Thomas Frist Junior, and Jack Massey, in Nashville,
Tennessee (Our History, n.d.). HCA Healthcare’s first hospital location was called Park View
Hospital (HCA HEALTHCARE HISTORY, n.d.). Park View Hospital was a very small hospital; it
could house a maximum of 200 patients. In 1969, HCA Healthcare went public on the New York
Stock Exchange (NYSE). In 1980, HCA Healthcare acquired General Health Services, which
owned and operated 14 hospitals. One year later, they acquired their competitor’s company,
Hospital Affiliates International. Fast forward to today and the company has continued to grow
exponentially, through continuous technological innovation, expansion, and the acquisition of its
competition. Today, the company is worth 75.74 billion USD and owns 182 hospitals across 20
states (most of the hospitals are in Texas, Florida, and Tennessee), and even has locations within
the United Kingdom.
About The Industry
HCA Healthcare operates in the healthcare industry, within the hospitals and healthcare
facilities subsectors. This industry is driven by rapid population growth, increasing
healthcare needs, and increasingly complex diseases. Hospitals and healthcare
organizations are subject to complex government-mandated regulations and compliance
requirements. With continuously evolving technologies, the medical field must also keep up with
the advancements, implementing them where they are able to help their patients.
Key Products
Delivering a wide range of IT products and services to HCA Healthcare's vast portfolio
of companies and partners, including Parallon, HealthTrust, and Sarah Cannon, the HCA
Healthcare Information Technology Group (ITG) is at the forefront of healthcare innovation.
ITG, a forerunner in the field for many years, has played a vital role in transforming healthcare
and bringing in a new age focused on connection and quality. ITG is essential to advancing and
improving modern healthcare, enabling doctors and clinicians to provide patients with
cutting-edge, inventive treatment using the organization's broad reach and profound
technological competence. A fundamental component of ITG's goal is its dedication to using
technology to revolutionize healthcare and promote a "Healthcare Inspired culture." A wide
range of technological services, including strategy, implementation, analysis, and support, are
offered by the committed staff of ITG as they collaborate towards this admirable goal. Improved
business processes and patient care are made possible by ITG's comprehensive range of IT
services, which include business analysis, product development, infrastructure operations,
information security, and customer support. ITG offers top-notch healthcare technology solutions
through partnerships with major industry providers and business partners. PatientKeeper, an
intuitive interface for electronic health records; Mobile Heartbeat, secure mobile communication;
HealthTrust, fundamental systems for supply chain management and group purchasing;
CereCore, electronic medical record solutions; and Parallon, customized tools for the healthcare
industry's business side, are some of these solutions. Serving a range of healthcare environments
in the US and the UK, ITG offers a wide range of services and support. These environments
include acute care hospitals, physician practices, urgent care centers, freestanding emergency
rooms, ambulatory surgery centers, and behavioral health centers.
Stock Performance
Introduction
This report is a summary of Hospital Corporation of America Healthcare’s assets, based
upon an asset ranking, risk management matrix, and a detailed description of eight total assets.
These assets will contain a full description of related risks, controls, and applicable policies that
can be applied to each. Their related controls and policies are based upon the National Institute
of Standards and Technology (NIST) cybersecurity framework, which ranks assets based upon
the categories of ‘identify,’ ‘protect,’ ‘detect,’ ‘respond,’ and ‘recover.’ The relevant controls and
policies, such as encryption, response plans, access control, and intrusion detection systems, are
based upon proven real-world cybersecurity defense and mitigation methods.
HCA Healthcare is made up of various healthcare facilities, located in several
states (as well as the United Kingdom), that are involved in the technological healthcare sector.
Throughout these facilities there are a multitude of employed technologies (which all fall under
the IoT classification), and these require cybersecurity techniques and protocols in order to keep HCA
Healthcare safe as an organization from cyber threats. HCA Healthcare offers medical services
such as emergency hospitals, outpatient care centers, imaging centers, urgent care facilities,
and physician clinics, which house a multitude of medical hardware (such as ultrasound
machines, CT scanners, computer diagnostics, hemodialysis machines, patient monitors, and
anesthesia machines). HCA Healthcare must prioritize the maintenance of a strong cybersecurity
posture regarding its provided online applications, which include PatientKeeper, Mobile
Heartbeat, HealthTrust, CereCore, and Parallon.
Asset Ranking
Each entry lists the asset name, asset description, asset ranking, and explanation.

Electronic Health Records (Bryson Ullmer)
Description: Electronic Health Records include information such as patient medical history, diagnoses, treatments, surgeries, and other healthcare data.
Ranking: 10
Explanation: I listed electronic healthcare records as asset value ten because patients cannot be properly cared for without knowledge of their prior medical diagnoses, treatments, and surgeries. If this information is unknown, doctors could prescribe treatments that harm their patients. This data is also extremely valuable because it is all very personal information that is directly tied to patients. This data should be digitally and physically safeguarded at all costs.

Telecommunications Systems (Bryson Ullmer)
Description: This includes telemedicine applications, VoIP systems, and other methods of communication.
Ranking: 8
Explanation: I listed telecommunications systems as asset value eight because they streamline the process of communication immensely. However, if a network outage or cyber attack occurred, these systems could no longer be depended upon. It is still possible for hospital staff to communicate without the use of modern telecommunication systems; it would just have to be done via mail or landline telephone systems (which, although they are a much slower means of communication, do still work).

Laboratory Information System (Maggie Bowles)
Description: Manage and track lab testing, processing, and results.
Ranking: 6
Explanation: Accurate and efficient communication, results, and decision making between staff members.

Hospital Information System (Maggie Bowles)
Description: Digital version of the patient's medical history.
Ranking: 9
Explanation: Centralized patient information, facilitates communication, prioritizes patient safety and quality of care.

Personally Identifiable Information (PII) (Shurika Brunson)
Description: Any information that can be used to identify an individual.
Ranking: 5
Explanation: Patient PII is highly valuable and, when compromised, leads to serious hardships such as identity theft, financial loss, and damaged patient/client trust.

Network Infrastructure Data Breach (Shurika Brunson)
Description: Interconnected data exchange within an organization’s network, composed of hardware and software that facilitates smooth communication.
Ranking: 5
Explanation: Occurs when networks are compromised due to exploited vulnerabilities or traffic interruptions, resulting in unauthorized access, sensitive data manipulation, and theft of patented property.

Medical Imaging System (A’Rai Hyman)
Description: Systems for storing and organizing medical pictures, including X-rays, MRIs, and CT scans.
Ranking: 7
Explanation: Medical imaging systems are essential for diagnosis and treatment planning, allowing for precise and fast patient care decisions.

Telehealth Platform (A’Rai Hyman)
Description: Virtual healthcare systems that allow for remote consultations and telemedicine services.
Ranking: 3
Explanation: Telehealth systems are becoming increasingly important for providing access to healthcare services, particularly in instances such as the COVID-19 pandemic.
Risk Management Matrix
Each entry lists the related asset, risk description, business consequences, severity, likelihood, score, mitigation, and contingency.

Electronic Health Records (Bryson Ullmer)
Risk description: Data breach
Business consequences: An EHR data breach can leave all of HCA Healthcare's patients at risk of identity theft or blackmail.
Severity: 100; Likelihood: 95%; Score: 95
Mitigation: Identification of security vulnerabilities
Contingency: Incident response plan

Telecommunications Systems (Bryson Ullmer)
Risk description: Communications interception
Business consequences: Communications interceptions could expose HCA Healthcare’s information to unauthorized parties. This information could be used for blackmail.
Severity: 100; Likelihood: 20%; Score: 20
Mitigation: Identification of security vulnerabilities
Contingency: Vulnerability patches and management

Laboratory Information System (Maggie Bowles)
Risk description: Data loss or corruption
Business consequences: Loss of critical test results, lab operations, delays in diagnosis/treatment, and compromised quality of care
Severity: 80; Likelihood: 60; Score: 48
Mitigation: Data backup/recovery procedures for LIS and staff training on data handling
Contingency: Data integrity checks and recovery plan

Hospital Information System (Maggie Bowles)
Risk description: Data breach
Business consequences: Exposure of confidential hospital operational data, loss of efficiency, and legal ramifications
Severity: 85; Likelihood: 65; Score: 55.25
Mitigation: Role-based access controls/authentication, security training, and data encryption
Contingency: Compliance and access control monitoring

Personally Identifiable Information (PII) (Shurika Brunson)
Risk description: Any information that can be used to identify an individual.
Business consequences: Damage to reputation and patient trust; can lead to legal and regulatory penalties.
Severity: 95%; Likelihood: 90%; Score: 86%
Mitigation: Implement controls and policies like access control, encryption, DLP, staff training, continuous monitoring, and incident response plans.
Contingency: Implementing contingency plans like recovery plans, communication strategies, and response plans.

Data Center Infrastructure (A’Rai Hyman)
Risk description: To support the hardware and software of the center, data center components need a substantial infrastructure.
Business consequences: A power outage in the center
Severity: 85%; Likelihood: 20%; Score: 17%
Mitigation: Incorporate redundant power saving materials to lessen the use of power.
Contingency: Data centers hold and handle massive volumes of patient information and health records. In the case of an interruption or breakdown, a strong data center architecture guarantees.

Telehealth Platform (A’Rai Hyman)
Risk description: The technical infrastructure, services, and support that enables secure, confidential, HIPAA-compliant, and high-quality virtual medical consultations.
Business consequences: HCA Healthcare may confront difficulties in properly utilizing healthcare resources, as patients may need to attend healthcare facilities for non-urgent medical conditions that may be managed via telehealth consultations.
Severity: 90%; Likelihood: 20%; Score: 18%
Mitigation: Conduct frequent risk assessments to uncover any flaws and threats to the telehealth platform.
Contingency: Improve cybersecurity procedures to guard against potential cyber attacks and maintain the confidentiality, integrity, and availability of patient information.
Assessment Recommendations
Asset 1: Electronic Health Records (Bryson Ullmer)
Asset Identification
One critical asset that must be protected is patient EHRs (Electronic Health Records).
The risk associated with this asset is data breaches. Data breaches are a common threat
associated with assets similar to patient EHRs because they contain a wealth of PII (Personally
Identifiable Information). Associated risks with this asset can be mitigated through the
implementation of the NIST framework category ‘protect’ and subcategories PR.AC-1 through
PR.AC-7. These NIST framework subcategories deal with access control. Exercising proper
access control procedures is imperative to maintaining the CIA triad associated with EHRs.
Access control is a mission-critical mitigation technique for protecting EHRs because it protects
against security threats such as unauthorized access, privilege escalation, and potential data
breaches. Proper implementation of an effective access control policy can improve HCA
Healthcare’s overall cybersecurity posture and reduce its attack surface and points of failure in
the event of a cyber-attack (The Definition, Types, and Benefits of Access Control, n.d.). NIST
framework subcategories PR.AT-1 and PR.AT-2 can also be utilized to safeguard EHRs. One
common attack vector present in all data breaches is phishing emails. Data breaches through
phishing can be easily mitigated through adequate employee awareness and training sessions,
which senior employees and new hires alike should be required to attend.
Phishing mitigation techniques include verifying the spelling and legitimacy of the sender’s
email address, reading the email for signs of poor English (poor spelling and/or
grammar), and checking for suspicious file attachments or web URLs (Irwin, 2022).
Risk Management
Early detection of a data breach can give HCA Healthcare’s cybersecurity team adequate
response time to thwart an attacker or minimize the impact of the data breach. NIST Framework
subcategory DE.CM-8 (vulnerability scans) should be conducted regularly to determine current network
vulnerabilities; this gives the cybersecurity team time to address and fix these underlying
network vulnerabilities. A good cybersecurity practice is constantly monitoring current network
activity and comparing it to network baselines, as mentioned in NIST Framework subcategories
DE.AE-1 and DE.CM-1. If HCA Healthcare’s cybersecurity team determines that a network
security incident is occurring, the NIST Framework subcategory DE.AE-2 should be utilized to
determine network attack vectors. While a network security incident is occurring, NIST
Framework subcategory DE.AE-3 should be utilized to collect real-time data about the attack.
This data can be analyzed during the recovery phase and it could be used to identify and detect
future network attacks.
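The baseline comparison described under DE.AE-1 and DE.CM-1 can be made concrete. The following is an added example, not code from the report or from HCA Healthcare: it builds a per-user baseline of daily EHR record accesses from constructed audit lines and flags a user whose current-day volume departs sharply from that baseline, which is the kind of early signal a data breach investigation starts from. The log format, user names and thresholds are assumptions.

```python
"""Baseline-vs-current comparison of EHR record access (NIST CSF DE.AE-1 / DE.CM-1).

Added example; the "<day> <user> <records_accessed>" log format, the user names
and the alert thresholds are assumptions made for this demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample audit lines: one line per user per day with the number of
# EHR records that user opened. These are not real HCA Healthcare logs.
BASELINE_LOGS = """
d01 nurse_a 42
d02 nurse_a 39
d03 nurse_a 45
d01 dr_b 80
d02 dr_b 76
d03 dr_b 84
d01 billing_c 20
d02 billing_c 22
d03 billing_c 19
""".strip().splitlines()

# Constructed current-day lines: billing_c suddenly pulls 1500 records.
CURRENT_LOGS = """
d04 nurse_a 41
d04 dr_b 79
d04 billing_c 1500
""".strip().splitlines()


def parse(lines: List[str]) -> Dict[str, List[int]]:
    """Group daily record-access counts by user."""
    per_user: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        _day, user, count = line.split()
        per_user[user].append(int(count))
    return per_user


def build_baseline(lines: List[str]) -> Dict[str, Tuple[float, float]]:
    """Per-user mean and (population) standard deviation of daily accesses."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in parse(lines).items()}


def detect_anomalies(baseline: Dict[str, Tuple[float, float]],
                     current_lines: List[str],
                     min_sigma: float = 3.0,
                     min_ratio: float = 5.0) -> List[Tuple[str, int, str]]:
    """Flag users whose current-day access count departs from their own baseline.

    Both tests must hold so that a user with a tiny, very stable baseline is not
    flagged for a handful of extra lookups. An account with no baseline at all is
    flagged as well, since it has no history to compare against.
    """
    findings: List[Tuple[str, int, str]] = []
    for user, counts in parse(current_lines).items():
        today = sum(counts)
        if user not in baseline:
            findings.append((user, today, "no baseline for account"))
            continue
        mu, sigma = baseline[user]
        sigma = max(sigma, 1.0)  # guard against a zero-variance baseline
        z = (today - mu) / sigma
        if z >= min_sigma and today >= min_ratio * mu:
            findings.append((user, today, f"{z:.1f} sigma above baseline mean {mu:.1f}"))
    return findings


if __name__ == "__main__":
    for user, today, reason in detect_anomalies(build_baseline(BASELINE_LOGS), CURRENT_LOGS):
        print(f"ALERT {user}: {today} records today ({reason})")
```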
Detect Strategy
Electronic Health Records are extremely valuable to HCA Healthcare because they
contain PII (personally identifiable information) and patients’ medical information. Due to the
value of EHRs, they are vulnerable to a variety of cybersecurity attack vectors, including
ransomware, data interception, phishing, and distributed denial of service attacks. Adequate
response to attacks on EHRs can be accomplished through NIST’s Cyber Incident Response
framework, which primarily outlines procedures for mitigating and correcting a cyber attack, and
how to isolate affected systems to minimize loss of assets (Swanson et al., 2010). NIST
recommends actions such as keeping all host clocks synchronized, data filtering, and running
packet sniffers to collect a large volume of accurate data during a network security incident
(Cichonski et al., 2012). These tasks are to be executed by cybersecurity team analysts and
consultants. This data is to be used for analysis during the recovery phase of the NIST
framework. The Cyber Incident Response framework can be enforced at HCA Healthcare
through monthly employee training, weekly cybersecurity staff meetings, and bi-weekly reviews
of cyber incident response tactics and measures formulated by the cybersecurity team.
Recommended Policies, Procedures, and Controls
It is the legal duty of HCA Healthcare to report any network security incidents after
occurrence to company stakeholders, external organizational partners, and the public. By law,
HCA Healthcare must do this within 24 hours. HCA Healthcare’s cybersecurity team must
follow post-incident guidelines, as outlined in section 3.4 of NIST’s Computer Security Incident
Handling Guide. HCA Healthcare’s cybersecurity team needs to evaluate team performance by
asking questions such as:
● What exactly happened?
● How well did staff perform during the security incident?
● What can staff do differently during the occurrence of another security incident?
● What corrective actions can be performed to prevent similar incidents in the
future?
Ransomware mitigation is achieved through the utilization of regular data backups,
regular software updates, blacklisting potentially malicious websites on HCA Healthcare’s
computer network, filtering network traffic to specific parameters (through network firewalls),
implementing email filtering and multi-factor authentication across all employee accounts,
patching known vulnerabilities as soon as possible, and utilizing the least privilege model
(National Cyber Security Centre, 2020). DDoS attack mitigation is achieved by dropping
malicious traffic requests from bots, rerouting network traffic, and utilizing firewall network
traffic filtration protocols (Cloudflare, n.d.). Data interception mitigation methods include using
encrypted communication protocols, using secured and trusted internet networks, and monitoring
network traffic through intrusion detection systems (Afidence, 2023). All of these suggested
actions are non-negotiable and are to be carried out across all HCA Healthcare computer
networks on a daily, weekly, and monthly basis, by appropriate cybersecurity team members.
This is to ensure that EHRs are not compromised from a confidentiality, integrity, and
availability standpoint. Protecting EHR data is mission-critical to successfully running HCA
Healthcare as an organization.
Asset 2: Telecommunications Systems (Bryson Ullmer)
Asset Identification
Another critical asset that HCA Healthcare must protect is its telecommunications
systems. Telecommunications for HCA Healthcare include VoIP systems, LAN networks, instant
messaging protocols, and phone calls. Telecommunications systems are highly valuable as an
asset to HCA Healthcare because they carry everything that is communicated inside and outside of
the organization. Examples include communications between doctors, communications between
doctors and patients, or cross-departmental communications. A key risk associated with
telecommunications systems is data interception.
Risk Management
Data interception is achieved through the cybersecurity attack vectors of packet sniffing,
wiretapping, and MITM (man-in-the-middle) attacks. Data interception can be mitigated through
the utilization of the NIST framework category “identify” and subcategories ID.AM-1,
ID.AM-3, and ID.AM-4. NIST framework subcategory ID.AM-1 handles the physical
devices/systems used for telecommunications by HCA Healthcare. It is critical to know which
devices will be used for communication, so data interceptors can be more easily identified. NIST
framework subcategory ID.AM-3 suggests mapping communication and data flow. This is
crucial to determine where data and communications should go and where they should not go.
This strategy will allow HCA Healthcare’s cybersecurity team to determine where data and
communications are being intercepted or leaked. NIST framework subcategory ID.AM-4
requires that external information systems be cataloged. This means that HCA Healthcare must
know which devices outside of HCA Healthcare’s internal network will receive communications
and data.
Protect Strategy
NIST framework category ‘protect’ and subcategories PR.DS-1, PR.DS-2, PR.DS-5,
PR.DS-6, and PR.DS-8 can all be implemented into the cybersecurity plan of HCA Healthcare.
NIST framework subcategories PR.DS-1 and PR.DS-2 entail the handling of data-at-rest and
data-in-transit. These subcategories are very useful and effective because they directly address
and mitigate against data interception. NIST framework subcategories PR.DS-5, PR.DS-6, and
PR.DS-8 suggest patching vulnerabilities that could result in a data leak, as well as the
implementation of systems to verify hardware, software, and data integrity. These subcategories
directly address another associated risk with telecommunications systems, data leaks.
Recommended Policies, Procedures, and Controls
Associated risks of telecommunication systems can be mitigated through the enforcement
of a strong password policy, the identification and classification of sensitive data, employee
awareness training, wiping data records off of devices when no longer needed, and employing
data seeding (Irwin, 2022). According to the US Cybersecurity and Infrastructure Security
Agency (CISA), effective password policies utilize passwords that are at least sixteen characters
long, are randomized (mixed-case letters, numbers, and symbols), and are unique (meaning each
password is only used on one user account). Also, an effective password policy utilizes a secure,
enterprise-level password manager (Require Strong Passwords, n.d.). Enterprise-level password
managers are useful for ensuring that organization employees are utilizing strong passwords and
that passwords are easily recoverable when/if employees forget their passwords. Data seeding is
the purposeful storing of different sets of fake data across multiple devices. Data seeding helps
organizations determine where data leaks are occurring so the affected devices can be segmented
and quarantined from the network. Also, data seeding can help cybersecurity professionals
determine if insider threats are occurring (meaning that employees are purposefully leaking
information about their employer). Data classification can be performed by classifying data into
four major categories. These categories are public information, confidential information,
sensitive information, and personal information (PII). The difference between confidential and
sensitive information is that confidential data primarily encompasses proprietary information,
trade secrets, employee data, and organizational contracts and agreements, while sensitive data is
data that pertains to organizational secrets (Smith, 2022).
A strong password policy for HCA Healthcare can be enforced by changing all
passwords every three months (McAfee, n.d.). Although there are no time interval guidelines on
how to handle data identification and classification, I believe that this task should be performed
every few months. This will allow HCA Healthcare to collect large quantities of data and then
determine what classification level the collected data belongs to. Data seeding should be
performed daily. This is because data leaks can occur at any moment in time and are not
predictable, so HCA Healthcare’s seeded data should not be predictable either.
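The data seeding control described above can be implemented as a small registry of fake records. The following is an added example, not tooling from the report or from HCA Healthcare: each device receives a fake patient record whose identifiers are derived from the device name and the day (so seeds change daily, as the text recommends), the security team keeps only the mapping from seed identifier to device, and when records surface in a leak the matching seed identifies the source device. Device names, the record layout and the key are assumptions.

```python
"""Data seeding (honeytoken records) for leak attribution.

Added example; the device names, record fields and SEED_KEY are assumptions.
The HMAC key must be kept off the seeded devices, otherwise an insider could
recognise which records are seeds.
"""
import hashlib
import hmac
from typing import Dict, List

SEED_KEY = b"constructed-demo-key"  # assumption: a secret held only by the security team

# Constructed device names for the demonstration.
DEVICES = ["nurse-station-03", "radiology-ws-07", "billing-laptop-12"]


def make_seed_record(device: str, day_iso: str, key: bytes = SEED_KEY) -> dict:
    """Build a plausible-looking fake patient record unique to (device, day).

    Deriving the identifiers from an HMAC means the same device gets a
    different seed each day without the team having to store every record.
    """
    tag = hmac.new(key, f"{device}|{day_iso}".encode(), hashlib.sha256).hexdigest()
    return {
        "patient_id": "P" + tag[:8].upper(),
        "mrn": tag[8:16],
        "name": "Seed Patient " + tag[16:20],
        "dob": "1970-01-01",  # constructed, not a real person
    }


def seed_all(devices: List[str], day_iso: str, key: bytes = SEED_KEY) -> Dict[str, str]:
    """Return the registry mapping each seed patient_id back to its device.

    The records themselves go onto the devices; the registry is what the
    security team retains for attribution.
    """
    return {make_seed_record(d, day_iso, key)["patient_id"]: d for d in devices}


def attribute_leak(leaked_records: List[dict], registry: Dict[str, str]) -> List[str]:
    """Given records recovered from a leak, name the devices whose seeds appear.

    Real patient records never match the registry, so they are ignored; a
    record lacking a patient_id is ignored too.
    """
    sources: List[str] = []
    for rec in leaked_records:
        device = registry.get(rec.get("patient_id"))
        if device and device not in sources:
            sources.append(device)
    return sources


if __name__ == "__main__":
    registry = seed_all(DEVICES, "2024-03-31")
    # Constructed leak sample: one unrelated record plus the radiology seed.
    leak = [{"patient_id": "P12345678", "mrn": "00000000"},
            make_seed_record("radiology-ws-07", "2024-03-31")]
    print("leak attributed to:", attribute_leak(leak, registry))
```

Once a device is named, it can be segmented and quarantined as the section describes, and a seed surfacing from a device only its assigned user touches supports an insider-threat enquiry.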
Asset 3: Laboratory Information System (Maggie Bowles)
Asset Identification
The laboratory information system (LIS) serves a crucial function in the various facilities
of HCA Healthcare, providing a focal point for managing and processing laboratory data such as
patient information, testing results, and diagnostics. Machines such as point-of-care testing
devices, medical imaging systems, and numerous analyzers all rely heavily on differing types of LIS. It is a key
component of efficient performance, contributing to prompt diagnosis and treatment options.
These systems integrate important functionalities that aid operations with interfacing, sample
tracking, quality control, and reporting accurate results with lab equipment. As a strong base of
operations, it allows healthcare workers to make knowledgeable clinical decisions and supply
methodical patient care.
Risk Management
A primary risk that is associated with LIS is data loss or potential corruption, which can
be caused by a multitude of factors ranging from unexpected natural disasters to system failures.
Other, more deliberate causes must be prepared for as well, for example
cyber attacks and human error. The loss or corruption of operations, data, or results can lead to
critical disruptions in healthcare services or diagnostic treatment delays. Overall, these risks can
jeopardize the integrity of HCA Healthcare with compromised care quality and possible legal
ramifications. Ensuring a continuous structured system for laboratory operations is required to
safeguard confidentiality, integrity, and availability of data that builds trust with patients.
Recovery Strategy
To have a successful recovery strategy, it needs to be constantly examined for areas to
improve or gaps and updated based on previous personal, partner’s, or peer’s experiences.
However, inspecting is just the beginning; the plan must also undergo periodic testing to review
responsiveness and keep pace with cyber advancements. In the NIST’s cybersecurity framework,
RC.IM-2 is where the recovery strategies are updated based on the review, emerging threats, and
post-incident updates. In the reviews, the response, impact, and success rates should be
calculated and adjusted accordingly to face the challenges of an ever-evolving landscape. In
executing a recovery strategy, communication and key personnel roles must be clearly defined.
These outlines for subcategory RC.RP-1 should list actions for IT, laboratory personnel,
cybersecurity experts, and specified management during or after an incident. Actions should be
prompt following the detection of any issue to minimize the impact and promote a quick
recovery to normal operations.
Recommended Policies, Procedures, and Controls
Supporting a recovery strategy and mitigating the risks associated with data loss or
corruption in the LIS can be easily executed with simple guidelines and distributed
responsibilities. The first step is to implement rigorous data backup and recovery policies that
will explicitly state the frequency of backups, storage locations, and authentication procedures. Data
handling policies should also be in place for storage, access, transmission, and even disposal.
Access monitoring and user authentication are measures that should be applied to limit access to
sensitive data. These will mitigate human errors, and prevent unauthorized modifications or
deletions while ensuring data integrity and availability. Performing consistent training and
awareness programs for employees for education on best practices in data handling, the
company’s unique incident response procedures, and possible cybersecurity threats is one of the
most imperative elements of maintaining a workspace with strong cybersecurity hygiene.
Asset 4: Hospital Information System (Maggie Bowles)
Asset Identification
Healthcare-related data inside hospital settings revolves around the broad platform that
manages and processes it, which is known as the hospital information system (HIS). This
centralized system is the digital backbone for storing and managing hospital functions, namely,
patient information, financial records, workflow operations, and administrative methods. HIS
orchestrates collaboration throughout different departments inside the facility and allows patient
care a more coordinated approach. The valuable data within and analytical capabilities are used
to keep tabs on patient information and track trends. Resource allocation is another area of aid
that the HIS provides that also improves the operational efficiency of their facilities.
Risk Management
The monumental threat to HIS is a data breach that could lead to an exposure of
confidential data that compromises the patient’s privacy and diminishes organizational integrity.
Exposure like this can end with fraud, identity theft, and various medical inaccuracies.
Unauthorized access holds a high risk of leading to disruptions throughout the facility’s normal
operations. If the hospital requires system downtime to locate and eradicate the threat, it could
hinder appointment scheduling and billing and diminish medical attention across the facility.
These incidents have the potential to result in heavy fines and legal repercussions with any
failure to comply with data privacy regulations such as the Health Insurance Portability and
Accountability Act (OCR).
Protection Strategy
By utilizing the role-based access controls and authentication measures suggested by
NIST framework subcategory PR.AC-1, the HIS can reduce the risk of intrusion and data breaches,
allowing only trusted workers access to area-specific data. Adding encryption technologies
protects data at rest and in transit and minimizes breach impact. Regular cybersecurity training
for staff about preserving patient data while identifying and reporting suspicious activity is
emphasized within PR.IP-5 of the framework, which covers policies for the physical operating
environment. “Physical exploitation of a device may defeat
technical controls that are otherwise in place.” (Epalm). Devices that automate incident
reporting and alert systems for possible intrusions or threats add to workplace efficiency,
allowing that time to be allocated to other time-sensitive patient care. Each aspect should involve
an appropriate monitoring solution and is a crucial point inside a well-structured cybersecurity
policy.
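The role-based, area-specific access described for the HIS here (and the PR.AC-1 through PR.AC-7 access control recommended for EHRs under Asset 1) can be expressed as a deny-by-default policy check with a denial log feeding the monitoring the text calls for. The following is an added example, not code from the report or from HCA Healthcare; the roles, data areas and permissions are assumptions.

```python
"""Deny-by-default role-based access control for HIS data areas (NIST CSF PR.AC).

Added example; the roles, data areas and the permission matrix are assumptions
made for this demonstration, not HCA Healthcare's real policy.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy: for each HIS data area, which roles may read or write it.
# Anything not listed is denied, which is what least privilege requires.
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "clinical_record": {"read": frozenset({"physician", "nurse"}),
                        "write": frozenset({"physician"})},
    "billing":         {"read": frozenset({"billing_clerk", "physician"}),
                        "write": frozenset({"billing_clerk"})},
    "admin_config":    {"read": frozenset({"it_admin"}),
                        "write": frozenset({"it_admin"})},
}


@dataclass
class AccessLog:
    """Records denied requests as (user, role, area, action) tuples."""
    denied: List[Tuple[str, str, str, str]] = field(default_factory=list)


def is_allowed(role: str, area: str, action: str,
               policy: Dict[str, Dict[str, FrozenSet[str]]] = POLICY) -> bool:
    """Allow only when area, action and role are all explicitly listed."""
    return role in policy.get(area, {}).get(action, frozenset())


def request(user: str, role: str, area: str, action: str, log: AccessLog,
            policy: Dict[str, Dict[str, FrozenSet[str]]] = POLICY) -> bool:
    """Evaluate one access request and log it if denied."""
    ok = is_allowed(role, area, action, policy)
    if not ok:
        log.denied.append((user, role, area, action))
    return ok


def repeated_denials(log: AccessLog, threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denials; candidates for review by the
    access control monitoring the HIS contingency column calls for."""
    counts: Dict[str, int] = {}
    for user, *_ in log.denied:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    log = AccessLog()
    request("dr_b", "physician", "clinical_record", "write", log)       # allowed
    request("clerk_c", "billing_clerk", "clinical_record", "read", log)  # denied
    print("denied:", log.denied)
```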
Recommended Policies, Procedures, and Controls
Developing an uncomplicated IT security policy that clearly outlines user access,
encryption standards, and incident reporting/investigation procedures is key to a simple and safe
workplace. Keeping up to date with relevant healthcare privacy laws with a compliant data
privacy policy and including a secure disposal policy is important as well. However, it isn’t
enough to ensure that just the company and its employees adhere to policies and procedures, but
outside partners as well. Therefore, a necessary feature is a vendor management policy to verify
that third-party service providers maintain HCA Healthcare’s security policies. Restricting access
to private data inside the HIS is manageable through network segmentation. Firewalls, intrusion
detection, and intrusion prevention systems also support monitoring and denying unauthorized
access from malicious users.
Asset 5: Personally Identifiable Information (PII) (Shurika Brunson)
Asset Identification
Asset identification is the foundation of HCA Healthcare's patient PII protection strategy.
All PII assets inside the organization, including electronic health records, billing information,
and patient demographics, require cataloging and prioritization under NIST subcategory
ID.AM-5. Through ID.AM-5, HCA Healthcare can better understand its PII environment and prioritize risk
mitigation operations. PII refers to any information used to identify a specific individual, such as
name, address, social security number, and health records. Due to the sensitivity of medical data,
any breach of a patient’s sensitive information might have serious consequences: financial loss,
21
reputational damage, and legal penalties. HCA Healthcare should implement detailed processes
that align with managing related PII risks.
Risk Management
HCA Healthcare must adhere to category identifier ID.RM-1 to implement a thorough risk
management strategy tailored to the unique challenges PII assets pose. Thorough risk
assessments are necessary to detect possible threats and weaknesses, such as unauthorized
access, data breaches, or insider threats. By taking proactive measures to manage these risks,
HCA Healthcare can lessen the likelihood and impact of PII-related events.
Response Strategy
A quick and efficient response plan is essential to reduce losses and protect patient
privacy in a PII-related event. Explicit protocols and escalation processes for addressing
breaches or unauthorized disclosures of PII must be developed to comply with category
identifiers RS.CO-5 and RS.MI-3. This entails contacting impacted parties and authorities as
soon as possible and putting corrective measures in place to prevent such incidents in the future.
Recommended Policies, Procedures, and Controls
To strengthen its asset and risk management initiatives, HCA Healthcare should put the
following suggested guidelines, protocols, and controls into place:
1. PII Classification Policy: Clearly define the criteria by which PII assets are
categorized according to their sensitivity levels, ensuring each category has the necessary
protections in place.
2. Procedures for Access Control: To prevent unwanted access to PII systems and data,
implement strong access controls, such as multi-factor authentication and role-based
access rights.
3. Encryption Standards: Require PII to be encrypted while in transit and at rest to guard
against unauthorized access and data theft.
4. Incident Response Plan: Establish guidelines for identifying, handling, and recovering
from network security breaches.
5. Employee Education and Awareness: Hold frequent training sessions to inform staff
members of the significance of protecting PII, highlighting their responsibility for
securing sensitive data and identifying possible security risks.
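Items 1 to 3 above call for a classification policy, role-based access with multi-factor authentication, and denial of unwanted access to PII. The following Python is an added illustration, not code from this assessment or from HCA Healthcare: it models a deny-by-default access check in which every PII field carries a sensitivity class, each role has a ceiling, reads that touch the RESTRICTED class additionally require a verified MFA step, and every refusal is written to an audit trail. The roles, sensitivity levels, field names and the sample record are constructed assumptions, not HCA's actual policy.

```python
"""Deny-by-default access check for classified PII records.

Added example (not from the HCA assessment). Roles, sensitivity classes,
field-to-class mapping and the sample record are all constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    """Classification levels; a higher value is more sensitive (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. name, address, billing information
    RESTRICTED = 3     # e.g. SSN, diagnoses, full health record


# Classification policy: which PII field falls in which class (constructed).
FIELD_CLASS = {
    "patient_id": Sensitivity.INTERNAL,
    "name": Sensitivity.CONFIDENTIAL,
    "address": Sensitivity.CONFIDENTIAL,
    "billing_balance": Sensitivity.CONFIDENTIAL,
    "ssn": Sensitivity.RESTRICTED,
    "diagnosis": Sensitivity.RESTRICTED,
}

# Role policy: the highest class each role may read (constructed).
ROLE_CEILING = {
    "receptionist": Sensitivity.CONFIDENTIAL,
    "billing_clerk": Sensitivity.CONFIDENTIAL,
    "physician": Sensitivity.RESTRICTED,
    "auditor": Sensitivity.INTERNAL,
}

# Reading anything at or above this class requires a completed MFA step.
MFA_REQUIRED_FROM = Sensitivity.RESTRICTED


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: dict = field(default_factory=dict)


# Audit trail of denied requests (in memory for the example).
AUDIT_LOG: list[str] = []


def _deny(session: Session, requested: list[str], reason: str) -> Decision:
    AUDIT_LOG.append(
        f"DENY user={session.user} role={session.role} fields={requested} reason={reason}"
    )
    return Decision(False, reason)


def read_record(session: Session, record: dict, requested: list[str]) -> Decision:
    """Return only the requested fields the session may see, or a denial.

    Unknown roles and unclassified fields are refused. The whole request is
    refused if any requested field exceeds the role's ceiling, so a caller
    cannot learn which sensitive fields exist by probing field by field.
    """
    ceiling = ROLE_CEILING.get(session.role)
    if ceiling is None:
        return _deny(session, requested, "unknown role")
    needed = Sensitivity.PUBLIC
    for name in requested:
        level = FIELD_CLASS.get(name)
        if level is None:
            return _deny(session, requested, f"unclassified field {name!r}")
        needed = max(needed, level)
    if needed > ceiling:
        return _deny(session, requested, f"role {session.role!r} may not read {needed.name}")
    if needed >= MFA_REQUIRED_FROM and not session.mfa_verified:
        return _deny(session, requested, "MFA required for RESTRICTED data")
    return Decision(True, "ok", {k: record[k] for k in requested if k in record})


# Constructed sample record with fictitious values.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Jane Example", "address": "1 Test St",
    "billing_balance": 120.0, "ssn": "000-00-0000", "diagnosis": "example",
}

if __name__ == "__main__":
    print(read_record(Session("rx1", "receptionist"), SAMPLE_RECORD, ["name", "address"]))
    print(read_record(Session("rx1", "receptionist"), SAMPLE_RECORD, ["name", "ssn"]))
    print(read_record(Session("dr1", "physician"), SAMPLE_RECORD, ["diagnosis"]))
    print(read_record(Session("dr1", "physician", mfa_verified=True), SAMPLE_RECORD, ["diagnosis"]))
    print(*AUDIT_LOG, sep="\n")
```

The design choice worth noting is that the check evaluates the most sensitive field in the whole request before releasing anything, and that the MFA requirement is tied to the data class rather than to the role, so a physician still needs a second factor for a RESTRICTED read even though the role is entitled to it.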
In conclusion, safeguarding PII assets within HCA Healthcare requires a multi-faceted
approach encompassing asset identification, risk management, and response strategies. By
adhering to category identifiers ID.AM-5, ID.RM-1, RS.CO-5, RS.MI-3, and implementing
recommended policies, procedures, and controls, HCA Healthcare can fortify its defenses against
PII-related risks, preserving patient privacy and trust in the organization's commitment to data
security.
Asset 6: Network Infrastructure Data Breach Risks (Shurika Brunson)
Network Infrastructure Data Breaches
The network infrastructure of HCA Healthcare enables information sharing, data storage,
and communication within the organization’s network. However, network environments often
have flaws that lead to the exposure of sensitive data, elevating the risk of data breaches
through outdated software, misconfigured hardware, and inadequate access restrictions. For
example, improperly configured firewalls or unpatched software can give bad actors easy access
to the network and the ability to extract proprietary or sensitive patient information. Moreover,
data breaches are more likely because of the heightened use of cloud services and interconnected
devices, which introduce complexity and increase vulnerabilities. Prioritizing network security
processes that mitigate risk, such as frequent assessments, network segmentation, encryption,
and access control methods, will strengthen HCA Healthcare’s defenses against network
infrastructure data breaches.
Detection Strategies
HCA Healthcare is susceptible to vulnerabilities within its confidential networks and
databases. To minimize the detrimental effects, robust detection is essential to protect against
data breaches and manage risks effectively. Anomaly detection is a necessary approach for
detecting network data breaches, supported by incident response capabilities and real-time
monitoring (DE.AE-1). Network traffic monitoring is necessary for detecting unusual patterns
indicative of a data breach. Utilizing intrusion detection and prevention systems (IDS/IPS) and
security information and event management (SIEM) technologies facilitates timely detection and
remediation of threats (DE.DP-3).
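The paragraph above describes anomaly detection over network traffic without showing what "unusual patterns" means in practice. The following Python is an added example, not code from the assessment or any HCA system: it learns a per-host baseline of outbound bytes and known destinations from a learning window, then flags later flow records whose volume deviates from that host's own baseline by more than a z-score threshold or that reach a destination the host has never used. The flow records, host names, IP addresses, cutoff and threshold are all constructed assumptions.

```python
"""Outbound-traffic anomaly detection over flow records.

Added example (not from the HCA assessment). The flow log, host names,
addresses, learning-window cutoff and z-score threshold are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow log: "timestamp,src_host,dst_ip,bytes_out" (one flow per line).
# Day 1 is normal business traffic; on day 2 ws-lab-07 sends ~10 MB at 02:00
# to an address it has never contacted.
FLOW_LOG = """\
2024-03-01T09:00:00,ws-lab-07,10.20.0.5,120000
2024-03-01T10:00:00,ws-lab-07,10.20.0.5,135000
2024-03-01T11:00:00,ws-lab-07,10.20.0.5,128000
2024-03-01T12:00:00,ws-lab-07,10.20.0.5,131000
2024-03-01T13:00:00,ws-lab-07,10.20.0.5,126000
2024-03-01T14:00:00,ws-lab-07,10.20.0.5,124000
2024-03-01T09:00:00,ws-hr-02,10.20.0.9,40000
2024-03-01T10:00:00,ws-hr-02,10.20.0.9,38000
2024-03-01T11:00:00,ws-hr-02,10.20.0.9,42000
2024-03-01T12:00:00,ws-hr-02,10.20.0.9,41000
2024-03-01T13:00:00,ws-hr-02,10.20.0.9,39000
2024-03-01T14:00:00,ws-hr-02,10.20.0.9,40000
2024-03-02T02:00:00,ws-lab-07,203.0.113.44,9800000
2024-03-02T09:00:00,ws-hr-02,10.20.0.9,41000
"""

# Records before this instant form the learning window (constructed).
CUTOFF = datetime(2024, 3, 2)


def parse_flows(text):
    """Parse comma-separated flow lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "dst": dst, "bytes": int(nbytes)})
    return rows


def build_baseline(rows, cutoff):
    """Per-host mean and population stdev of bytes per flow, plus the set of
    destinations seen, using only records before `cutoff`."""
    volumes = defaultdict(list)
    dests = defaultdict(set)
    for r in rows:
        if r["ts"] < cutoff:
            volumes[r["src"]].append(r["bytes"])
            dests[r["src"]].add(r["dst"])
    baseline = {}
    for host, vals in volumes.items():
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[host] = {"mean": statistics.fmean(vals), "stdev": stdev,
                          "dests": dests[host]}
    return baseline


def detect_anomalies(rows, cutoff, z_threshold=3.0):
    """Return (host, reason, record) alerts for records at or after `cutoff`
    that deviate from the host's own baseline. A host with no baseline is
    itself reported, since an unknown device talking out is worth a look."""
    baseline = build_baseline(rows, cutoff)
    alerts = []
    for r in rows:
        if r["ts"] < cutoff:
            continue
        b = baseline.get(r["src"])
        if b is None:
            alerts.append((r["src"], "no baseline for host", r))
            continue
        # Floor the spread at 1% of the mean so a perfectly flat baseline
        # does not divide by zero and flag every tiny change.
        spread = max(b["stdev"], 0.01 * b["mean"])
        z = (r["bytes"] - b["mean"]) / spread
        if z > z_threshold:
            alerts.append((r["src"], f"volume z-score {z:.1f} exceeds {z_threshold}", r))
        if r["dst"] not in b["dests"]:
            alerts.append((r["src"], f"new destination {r['dst']}", r))
    return alerts


if __name__ == "__main__":
    for host, reason, rec in detect_anomalies(parse_flows(FLOW_LOG), CUTOFF):
        print(f"{rec['ts'].isoformat()} {host}: {reason}")
```

Two alerts come out of the sample data, both for ws-lab-07 on the second day (an extreme volume deviation and a never-before-seen destination), while the slightly higher volume from ws-hr-02 stays inside its baseline. In a SIEM this is the shape of a correlation rule: per-entity baselines rather than one global threshold, and a second, independent signal (new destination) so that a slow, low-volume exfiltration is still visible.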
Recovery Strategies
After a breach, quick recovery plans are necessary to reduce losses and continue
operations (RC.CO-1). Technical procedures, including data sanitization, backups, and encryption
protocols, are essential for restoring data and recovering systems. HCA’s security posture
(RC.RP-1) includes coordination efforts and stakeholder involvement to ensure that
communication lines stay open, increasing confidence among regulators, consumers, and related
supporters. Proactive recovery planning reduces system downtime and supports business
continuity, allowing resiliency during a crisis.
Recommended Policies, Procedures, and Controls
Incident response procedures, data preservation regulations, and open communication
guidelines should be implemented to limit the spread of data breaches. Stakeholder participation
is paramount to ensure proper escalation, and defining responsibilities will foster trust and
confidence. Technological protocols such as backup solutions and intrusion detection systems
will strengthen controls. Proper crisis management ensures that HCA coordinates media relations
and internal and external communications clearly while ensuring the organization's safety.
In conclusion, early detection and recovery procedures are instrumental in decreasing the
effects of data breaches while still safeguarding organizational assets. HCA may strengthen its
defenses against attacks by addressing network infrastructure vulnerabilities, enforcing strict
access controls, and establishing robust policies, procedures, and controls. Protecting sensitive
data and maintaining confidentiality within patient PII will increase trust and mitigate risks
through strategic detection and recovery plans.
Asset 7: Telehealth Platform (A’rai Hyman)
Asset Identification
Telehealth platforms are essential because they provide valuable remote healthcare
assistance, but they come with inherent risks that need to be addressed to ensure safety, privacy,
and effectiveness for the patient. An important risk interconnected with telehealth platforms is
Cybersecurity Risks within the Information Security risk function in the Data Privacy
sub-category. Ensuring compliance with telehealth rules, licensure requirements, and data
protection legislation is critical for avoiding legal ramifications and maintaining patient and
healthcare provider trust in the telehealth platform. Addressing these concerns through strong
cybersecurity protections, clinical procedures, and compliance frameworks is critical to creating
a safe, dependable, and compliant telehealth environment that can provide quality remote
healthcare services.
Identify
Identifying (ID.AM) and keeping track of approved and unauthorized devices and software on
the Telehealth Platform and Network Infrastructure is critical for successful risk management.
With the wide range of hardware and software used in telehealth operations, such as medical
devices, communication methods, and network components, a complete asset management
system provides visibility into possible risks. Unauthorized or unpatched devices and software
can pose security threats, so it is critical to identify and manage them to avoid future
exploitation. A strong asset management strategy helps with vulnerability evaluation, risk
prioritization, and timely upgrades, all of which contribute to the telehealth platform's overall
security posture.
Risk Management
Risk management for telehealth platforms at HCA Healthcare entails a thorough and
proactive strategy to identify, assess, and mitigate possible risks to ensure the safe and successful
delivery of remote healthcare services. HCA Healthcare has a multifaceted risk management
strategy that includes Cybersecurity Risk Management under the Information Security function,
with a focus on the Data Privacy sub-category, to secure patient data and prevent cyber attacks.
This involves deploying sophisticated security measures, encryption technology, and conducting
frequent vulnerability assessments to reduce the risk of data breaches and illegal access. HCA
Healthcare also addresses Clinical Risk Management within the Clinical Safety function,
specifically in the Quality of Care sub-category, by developing clinical procedures, guidelines,
and training programs to guarantee accurate diagnosis, suitable treatment recommendations, and
adherence to clinical best practices in telehealth services. Furthermore, HCA Healthcare
prioritizes Regulatory and Compliance Risk Management under the Legal and Regulatory
Compliance department, with an emphasis on the Telehealth rules sub-category, to guarantee
adherence to telehealth rules, license requirements, and data protection legislation. This includes
ongoing monitoring of regulatory changes, the installation of compliance frameworks, and
frequent audits to ensure that legal and regulatory requirements are met and any legal risks are
mitigated. By incorporating these risk management strategies, HCA Healthcare hopes to create a
secure, dependable, and compliant telehealth environment that ensures the integrity, safety, and
quality of remote healthcare services given to patients.
Recommended Control
Recommended controls for HCA Healthcare's telehealth platforms should include a mix
of technological, administrative, and physical precautions to assure the security, privacy, and
quality of remote healthcare services. From a cybersecurity standpoint, it is critical to create
robust Access Control measures to prevent unwanted access to patient data, such as multi-factor
authentication, secure password rules, and role-based access controls. Encrypting sensitive data
at rest and in transit is critical to preventing data breaches and unwanted interception. Security
audits and monitoring should be performed regularly to discover and respond to security events
as they occur. Implementing Clinical Decision Support Systems can help healthcare practitioners
make accurate diagnosis and treatment decisions, improving the quality and safety of care.
Healthcare practitioners should get training and education to guarantee their competency in
telehealth technology as well as adherence to medical standards and best practices. HCA
Healthcare should implement a thorough Telehealth Compliance Program to guarantee
compliance with telehealth legislation, licensure requirements, and data protection laws. This
involves receiving frequent updates on regulatory requirements, implementing compliance
monitoring mechanisms, and performing both internal and external compliance audits to ensure
conformity to legal and regulatory standards.
Asset 8: Technology (A’rai Hyman)
Asset Identification
Identifying technological assets is a vital component of HCA Healthcare's IT
management approach. Technology assets include a diverse spectrum of hardware, software, and
network infrastructure components that are critical to the organization's operations and
healthcare service delivery. To successfully manage and protect these assets, HCA Healthcare
takes a systematic approach to asset identification, which entails generating and maintaining an
accurate and comprehensive inventory of all technological assets within the business. This
comprises servers, workstations, network devices, software, databases, and other information
technology assets. Each asset is properly recorded, including facts such as asset kind,
characteristics, location, ownership, and importance to company operations. HCA Healthcare can
improve visibility and control over its IT infrastructure, expedite asset management procedures,
enable proactive maintenance and support, maximize asset utilization, and fortify cybersecurity
measures to guard against potential risks and vulnerabilities by keeping an accurate and
up-to-date inventory of its technology assets. This will ensure the technology infrastructure's
dependability, performance, and security in support of the organization's mission to provide
high-quality healthcare services.
Risk Management
HCA Healthcare relies heavily on technology assets. This role is classified as IT
Infrastructure Management, with a subcategory called Cybersecurity, which focuses on network
security. To handle the related risks and protect the organization's IT infrastructure, HCA
Healthcare has created the Network Security Policy. This policy defines standards and
recommendations for network infrastructure security, such as the implementation of firewalls,
intrusion detection systems, and network segmentation, to guard against cyber attacks and
unauthorized access. The Vulnerability Management Procedure complements this policy. This
approach describes the steps for detecting, assessing, and mitigating vulnerabilities in IT
infrastructure through frequent vulnerability assessments, patch management, and system
hardening. As a safeguard, the firm employs Intrusion Detection and Prevention Systems (IDPS).
These technologies are used to monitor network traffic, detect suspicious activity or possible
security breaches, and automatically take action to avoid or mitigate security events, improving
the overall cybersecurity posture of HCA Healthcare's IT infrastructure.
Recommended Control
HCA Healthcare's recommended controls for technology assets should include a
comprehensive cybersecurity strategy to secure the organization's IT infrastructure and prevent
potential cyber-attacks and unauthorized access. Network security measures, such as firewalls,
intrusion detection and prevention systems (IDPS), and network segmentation, are critical
controls. Firewalls serve as a protective barrier between HCA Healthcare's internal and external
networks, screening incoming and outgoing traffic to prevent unwanted access and cyberattacks.
IDPS continually monitors network traffic, detects suspicious activity or possible security
breaches, and automatically takes action to avoid or mitigate security events, improving the
overall cybersecurity posture. Network segmentation separates a network into smaller, isolated
pieces to reduce the lateral flow of threats and mitigate the effect of possible security breaches.
In addition, regular security audits and vulnerability assessments should be performed to detect
and remediate weaknesses in the IT infrastructure proactively. Multi-factor authentication (MFA)
and strong password policies should be used to improve access control and prevent unwanted
access to critical systems and data. Furthermore, Endpoint Protection Solutions, such as
Antivirus and Antimalware Software, should be used to identify and remove hazardous software
from endpoints, protecting the integrity and security of HCA Healthcare's technological
resources. By implementing these suggested controls, HCA Healthcare can build a strong
cybersecurity framework that protects the confidentiality, integrity, and availability of its
technological assets while also reaffirming its dedication to supplying secure and high-quality
healthcare services.
Conclusion
In conclusion, HCA Healthcare must protect and maintain the confidentiality, integrity,
and availability of its most valuable cyber assets, through the utilization of the recommendations
and guidelines of the NIST framework, as well as industry-standard cybersecurity hygiene
practices, at all times. HCA Healthcare’s most valuable cyber assets include patient PII,
Electronic Health Records, telecommunications systems, hospital information systems,
laboratory information systems, and network data. All of the mentioned assets rank high
regarding importance and associated risks. Without adequate cyber defenses for these assets,
HCA Healthcare will not have the ability to perform significant organizational operations and
provide high-quality services to its customers. These assets are integral for knowing how to treat
patients, who and where to send patient information to, and the secure storage of patient PII,
medical conditions, medical treatments, medical diagnoses, communications records, hospital
information system data, laboratory information system data, network infrastructure details, and
network infrastructure source code.
References
Burgess, M. (2020, March 24). What is GDPR? The summary guide to GDPR compliance in the
UK. WIRED.
https://www.wired.com/story/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018/
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer Security Incident
Handling Guide (NIST SP 800-61r2). NIST. Retrieved March 16, 2024, from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Cloudflare. (n.d.). What is DDoS mitigation? Retrieved March 16, 2024, from
https://www.cloudflare.com/learning/ddos/ddos-mitigation/
De Groot. (2023, April 28). What is Data Loss Prevention (DLP)? Definition, Types & Tips.
Digital Guardian. Retrieved March 16, 2024, from
https://www.digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention
De Groot. (2023, May 6). What Is Data Encryption? (Definition, Best Practices & More). Digital
Guardian. Retrieved March 16, 2024, from
https://www.digitalguardian.com/blog/what-data-encryption
Dickerson, R. (2004, September 4). Incident Management 101 Preparation and Initial Response
(aka Identification). SANS. Retrieved March 31, 2024, from
https://sansorg.egnyte.com/dl/xA2zHfNRL2
Kosutic, D. (n.d.). What is ISO 27001? A detailed and straightforward guide. 27001Academy.
https://advisera.com/27001academy/what-is-iso-27001/
Lutkevich, B. (2020, August 28). HIPAA (Health Insurance Portability and Accountability Act).
Health IT. https://www.techtarget.com/searchhealthit/definition/HIPAA
McAfee. (n.d.). How Often Should You Change Your Passwords? Retrieved March 27, 2024,
from https://www.mcafee.com/learn/how-often-should-you-change-your-passwords/
More than a Password | CISA. (n.d.). Cybersecurity and Infrastructure Security Agency CISA.
https://www.cisa.gov/MFA
National Cyber Security Centre. (2020, February 13). Mitigating malware and ransomware
attacks. Retrieved March 16, 2024, from
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
Require Strong Passwords. (n.d.). Cybersecurity and Infrastructure Security Agency. Retrieved
March 24, 2024, from
https://www.cisa.gov/secure-our-world/require-strong-passwords
Smith, P. (2022, July 12). A guide to data classification: confidential data vs. sensitive data vs.
public information. RecordPoint. Retrieved March 27, 2024, from
https://www.recordpoint.com/blog/a-guide-to-data-classification-confidential-vs-sensitive-vs-public-information
Swanson, M., Bowen, P., Phillips, A., Gallup, D., & Lynes, D. (2010, May). Contingency
Planning Guide for Federal Information Systems (NIST SP 800-34 Rev. 1). NIST. Retrieved
March 16, 2024, from
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
Tunggal, A. T. (2023, October 25). What is the Cost of a Data Breach in 2023? UpGuard.
Retrieved March 31, 2024, from https://www.upguard.com/blog/cost-of-data-breach
Zhang. (2023, May 5). What is Role-Based Access Control (RBAC)? Examples, Benefits, and
More. Digital Guardian. Retrieved March 16, 2024, from
https://www.digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more
Office for Civil Rights (OCR). (2022, March 31). Privacy. HHS.gov.
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
Epalm. (2021, December 16). Cybersecurity in Healthcare. HIMSS.
https://www.himss.org/resources/cybersecurity-healthcare
csf.tools. (n.d.). NIST Cybersecurity Framework v1.1, RC.RP-1.
https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/rc-rp/rc-rp-1/
csf.tools. (n.d.). NIST Cybersecurity Framework v1.1, RC.IM-2.
https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/rc-im/rc-im-2/
csf.tools. (n.d.). NIST Cybersecurity Framework v1.1, PR.IP-5.
https://csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ip/pr-ip-5/
csf.tools. (n.d.). NIST Cybersecurity Framework v1.1, PR.AC.
https://csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ac/
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 

Recently uploaded (20)

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 

Hospital Corporation of America Healthcare Cybersecurity Assessment

  • 1. Hospital Corporation of America Healthcare Cybersecurity Assessment Mar 31, 2024 Bryson Ullmer Maggie Bowles Shurika Brunson A’Rai Hyman
  • 2. Table of Contents Company Profile 1 Description 1 History 1 About The Industry 2 Key Products 2 Stock Performance 4 Introduction 5 Asset Ranking 6 Risk Management Matrix 8 Assessment Recommendations 10 Asset 1: Electronic Health Records (Bryson Ullmer) 10 Asset 2: Telecommunications Systems (Bryson Ullmer) 13 Asset 3: Laboratory Information System (Maggie Bowles) 16 Asset 4: Hospital Information System (Maggie Bowles) 18 Asset 5: Personally Identifiable Information (PII) (Shurika Brunson) 20 Asset 6: Network Infrastructure Data Breach Risks (Shurika Brunson) 22 Asset 7: Telehealth Platform (A’rai Hyman) 25 Asset 8: Technology (A’rai Hyman) 27 Conclusion 30 References 31
  • 3. 1 Company Profile Description In addition to offering patients excellent medical treatment, HCA Healthcare is a pioneer in the medical services sector. In serving communities around the country, HCA Healthcare uses a variety of hospitals, outpatient clinics, and connected institutions. Preventative care, wellness programs, and sophisticated medical surgeries are just a few of the many medical services that HCA Healthcare provides. HCA Healthcare is committed to enhancing patient-centered care, clinical quality, and innovation to impact people's lives positively. It also ensures that all patients have access to state-of the-art medical technology and a robust network regardless of their financial situation. History HCA Healthcare was one of the first hospital companies ever founded in the United States of America. In 1968, HCA Healthcare (Hospital Corporation of America) was founded by Doctor Thomas Frist Senior, Doctor Thomas Frist Junior, and Jack Massey, in Nashville, Tennessee (Our History, n.d.). HCA Healthcare’s first hospital location was called ParkView Hospital (HCA HEALTHCARE HISTORY, n.d.). Park View Hospital was a very small hospital, it could house a maximum of 200 patients. In 1969, HCA Healthcare went public on the New York Stock Exchange (NYSE). In 1980, HCA Healthcare acquired General Health Services, which owned and operated 14 hospitals. One year later, they acquired their competitor’s company, Hospital Affiliates International. Fast forward to today and the company has continued to grow exponentially, through continuous technological innovation, expansion, and the acquisition of its
  • 4. 2 competition. Today, the company is worth 75.74 billion USD and owns 182 hospitals across 20 states (most of the hospitals are in Texas, Florida, and Tennessee), and even has locations within the United Kingdom. About The Industry HCA Healthcare is focused on the healthcare industry through hospitals and healthcare facilities subsectors. This industry is driven by the rapid growth of population, increasing healthcare needs, and more complex diseases through the years. Hospitals and healthcare organizations are subjected to complex regulations and compliances mandated by the government. With continuously evolving technologies the medical field must also keep up with the advancements, implementing them where they are able to help their patients. Key Products Delivering a wide range of IT products and services to HCA Healthcare's vast portfolio of companies and partners, including Parallon, HealthTrust, and Sarah Cannon, the HCA Healthcare Information Technology Group (ITG) is at the forefront of healthcare innovation. ITG, a forerunner in the field for many years, has played a vital role in transforming healthcare and bringing in a new age focused on connection and quality. ITG is essential to advancing and improving modern healthcare, enabling doctors and clinicians to provide patients with cutting-edge, inventive treatment using the organization's broad reach and profound technological competence. A fundamental component of ITG's goal is its dedication to using technology to revolutionize healthcare and promote a "Healthcare Inspired culture." A wide range of technological services, including strategy, implementation, analysis, and support, are
  • 5. 3 offered by the committed staff of ITG as they collaborate towards this admirable goal. Improved business processes and patient care are made possible by ITG's comprehensive range of IT services, which include business analysis, product development, infrastructure operations, information security, and customer support. ITG offers top-notch healthcare technology solutions through partnerships with major industry providers and business partners. PatientKeeper, an intuitive interface for electronic health records; Mobile Heartbeat, secure mobile communication; HealthTrust, fundamental systems for supply chain management and group purchasing; CereCore, electronic medical record solutions; and Parallon, customized tools for the healthcare industry's business side, are some of these solutions. Serving a range of healthcare environments in the US and the UK, ITG offers a wide range of services and support. These environments include acute care hospitals, physician practices, urgent care centers, freestanding emergency rooms, ambulatory surgery centers, and behavioral health centers.
  • 7. 5 Introduction This report is a summary of Hospital Corporation of America Healthcare’s assets, based upon an asset ranking, risk management matrix, and a detailed description of eight total assets. These assets will contain a full description of related risks, controls, and applicable policies that can be applied to each. Their related controls and policies are based upon the National Institute of Standards and Technology (NIST) cybersecurity framework, which ranks assets based upon the categories of ‘identify,’ ‘protect,’ ‘detect,’ ‘respond,’ and ‘recover.’ The relevant controls and policies, such as encryption, response plans, access control, and intrusion detection systems, are based upon proven real-world cybersecurity defense and mitigation methods. HCA Healthcare is made up of various healthcare facilities, which are located in several states (as well as the United Kingdom), that are involved in the technological healthcare sector. Throughout the facilities, there are a multitude of employed technologies (which all fall under the IoT classification) and require cybersecurity techniques and protocols in order to keep HCA Healthcare safe as an organization from cyber threats. HCA Healthcare offers medical services such as emergency hospitals, outpatient care centers, imagining centers, urgent care facilities, and physician clinics, which house a multitude of medical hardware (such as ultrasound machines, CT scanners, computer diagnostics, hemodialysis machines, patient monitors, and anesthesia machines). HCA Healthcare must prioritize the maintenance of a strong cybersecurity posture regarding its provided online applications, which include Patient Keeper, Mobile Heartbeat, Health Trust, Cere Core, and Parallon.
  • 8. 6 Asset Ranking Asset Name Asset Description Asset Ranking Explanation Electronic Health Records (Bryson Ullmer) Electronic Health Records include information such as patient medical history, diagnoses, treatments, surgeries, and other healthcare data. 10 I listed electronic healthcare records as asset value ten because patients cannot be properly cared for without knowledge of their prior medical diagnoses, treatments, and surgeries. If this information is unknown, doctors could prescribe treatments that harm their patients. This data is also extremely valuable because it is all very personal information that is directly tied to patients. This data should be digitally and physically safeguarded at all costs. Telecommunications Systems (Bryson Ullmer) This includes telemedicine applications, VoIP systems, and other methods of communication. 8 I listed telecommunications systems as asset value eight because it streamlines the process of communication immensely. However, if a network outage or cyber attack occurred, these systems can no longer be depended upon. It is still possible for hospital staff to communicate without the use of modern telecommunication systems, it would just have to be done via mail or landline telephone systems (which although they are a lot slower means of communication, they do still work).
  • 9. 7 Asset Name Asset Description Asset Ranking Explanation Laboratory Information System (Maggie Bowles) Manage and track lab testing, processing, and results 6 Accurate and efficient communication, results, and decision making between staff members Hospital Information System (Maggie Bowles) Digital version of the patient's medical history 9 Centralized patient information, facilities communication, prioritizes patient safety and quality of care Personally Identifiable Information (PII) (Shurika Brunson) Any information that can be used to identify an individual. 5 Patient PII is highly valuable and when compromised leads to serious hardships such as identity theft, financial and damaged patient/client trust. Network Infrastructure Data Breach (Shurika Brunson) Interconnected data exchange within an organization’s network composed of hardware and software that facilitates smooth communication. 5 Occurs when networks are compromised due to exploited vulnerabilities or traffic interruptions thus resulting in unauthorized access, sensitive data manipulation and theft of patented property. Medical Imaging System (A’Rai Hyman) Systems for storing and organizing medical pictures, including X-rays, MRIs, and CT scans. 7 Medical imaging systems are essential for diagnosis and treatment planning, allowing for precise and fast patient care decisions. Telehealth Platform (A’Rai Hyman) Virtual healthcare systems that allow for remote consultations and telemedicine services. 3 Telehealth systems are becoming increasingly important for providing access to healthcare services, particularly in instances such as the COVID-19 pandemic.
  • 10. 8 Risk Management Matrix Related Asset Risk Description Business Consequences Severity Likelihood Score Mitigation Contingency Electronic Health Records (Bryson Ullmer) Data Breach An EHR data breach can leave all of HCA Healthcare's patients at risk of identity theft or black mai. 100 95% 95 Identification of security vulnerabilities Incident response plan Telecommuni cations Systems (Bryson Ullmer) Communications interception Communications interceptions could expose HCA Healthcare’s information to unauthorized parties. This information could be used for blackmail. 100 20% 20 Identification of security vulnerabilities Vulnerability patches and management Laboratory Information System (Maggie Bowles) Data loss or corruption Loss of critical test results, lab operations, delays in diagnosis/treatment, and compromised quality care 80 60 48 Data backup/recovery procedures for LIS and staff training on data handling Data integrity checks and recovery plan Hospital Information System (Maggie Bowles) Data Breach Exposure of confidential hospital operational data, efficiency, and legal ramifications 85 65 55.25 Role-based access controls/authentication, security training, and data encryption Compliance and access control monitoring
  • 11. 9 Related Asset Risk Description Business Consequences Severity Likelihood Score Mitigation Contingency Personally Identifiable Information (PII) (Shurika Brunson) Any information that can be used to identify an individual. Damage reputation and patient trust, can lead to legal and regulatory penalties. 95% 90% 86% Implement controls and policies like access control, encryption, DLP, Staff Training, Continuous monitoring and Incident Response Plans. Implementing contingency plans like recovery plans, communication strategies and response plans. Data Center Infrastructure (A’Rai Hyman) To support the hardware and software of the center, data center components need a substantial infrastructure. A power outage in the center 85% 20% 17% Incorporate redundant power saving materials to lessen the use of power. Data centers hold and handle massive volumes of patient information and health records. In the case of an interruption or breakdown, a strong data center architecture guarantees. Telehealth Platform (A’Rai Hyman) The technical infrastructure, services, and support that enables secure, confidential, HIPAA-compliant, and high-quality virtual medical consultations. HCA Healthcare may confront difficulties in properly utilizing healthcare resources, as patients may need to attend healthcare facilities for non-urgent medical conditions that may be managed via telehealth consultations. 90% 20% 18% Conduct frequent risk assessments to uncover any flaws and threats to the telehealth platform. Improve cybersecurity procedures to guard against potential cyber attacks and maintain the confidentiality, integrity, and availability of patient information.
  • 12. 10 Assessment Recommendations Asset 1: Electronic Health Records (Bryson Ullmer) Asset Identification One critical asset that must be protected is patient EHRs (Electronic Health Records). The risk associated with this asset is data breaches. Data breaches are a common threat associated with assets similar to patient EHRs because they contain a wealth of PII (Personally Identifiable Information). Associated risks with this asset can be mitigated through the implementation of the NIST framework category ‘protect’ and subcategories PR.AC-1 through PR.AC-7. These NIST framework subcategories deal with access control. Exercising proper access control procedures is imperative to maintaining the CIA triad associated with EHRs. Access control is a mission-critical mitigation technique for protecting EHRs because it protects against security threats such as unauthorized access, privilege escalation, and potential data breaches. Proper implementation of an effective access control policy can improve HCA Healthcare’s overall cybersecurity posture and reduce its attack surface and points of failure in the event of a cyber-attack (The Definition, Types, and Benefits of Access Control, n.d.). NIST framework subcategories PR.AT-1 and PR.AT-2 can also be utilized to safeguard EHRs. One common attack vector present in all data breaches is phishing emails. Data breaches through phishing can be easily mitigated through adequate employee awareness and training sessions, which both senior employees and new hires should attend mandatory information sessions for. Phishing mitigation techniques include verifying the spelling and legitimacy of the sender’s
  • 13. 11 email address, reading the email and looking for signs of poor English (poor spelling and or grammar), and suspicious file attachments or web URLs (Irwin, 2022). Risk Management Early detection of a data breach can give HCA Healthcare’s cybersecurity team adequate response time to thwart an attacker or minimize the impact of the data breach. NIST Framework subcategory DE.CM-8 should be conducted regularly to determine current network vulnerabilities, this will give the cybersecurity team time to address and fix these underlying network vulnerabilities. A good cybersecurity practice is constantly monitoring current network activity and comparing it to network baselines, as mentioned in NIST Framework subcategories DE.AE-1 and DE.CM-1. If HCA Healthcare’s cybersecurity team determines that a network security incident is occurring, the NIST Framework subcategory DE.AE-2 should be utilized to determine network attack vectors. While a network security incident is occurring, NIST Framework subcategory DE.AE-3 should be utilized to collect real-time data about the attack. This data can be analyzed during the recovery phase and it could be used to identify and detect future network attacks. Detect Strategy Electronic Health Records are extremely valuable to HCA Healthcare because they contain PII (personally identifiable information) and patients’ medical information. Due to the value of EHRs, they are vulnerable to a variety of cybersecurity attack vectors, including ransomware, data interception, phishing, and distributed denial of service attacks. Adequate response to attacks on EHRs can be accomplished through NIST’s Cyber Incident Response framework, which primarily outlines procedures for mitigating and correcting a cyber attack, and
  • 14. 12 how to isolate affected systems to minimize loss of assets (Swanson et al., 2010). NIST recommends actions such as keeping all host clocks synchronized, data filtering, and running packet sniffers to collect a large volume of accurate data during a network security incident (Cichonski et al., 2012). These tasks are to be executed by cybersecurity team analysts and consultants. This data is to be used for analysis during the recovery phase of the NIST framework. The Cyber Incident Response framework can be enforced at HCA Healthcare through monthly employee training, weekly cybersecurity staff meetings, and bi-weekly reviews of cyber incident response tactics and measures formulated by the cybersecurity team. Recommended Policies, Procedures, and Controls It is the legal duty of HCA Healthcare to report any network security incidents after occurrence to company stakeholders, external organizational partners, and the public. By law, HCA Healthcare must do this within 24 hours. HCA Healthcare’s cybersecurity team must follow post-incident guidelines, as outlined in section 3.4 of NIST’s Computer Security Incident Handling Guide. HCA Healthcare’s cybersecurity team needs to evaluate team performance by asking questions such as: ● What exactly happened? ● How well did staff perform during the security incident? ● What can staff do differently during the occurrence of another security incident? ● What corrective actions can be performed to prevent similar incidents in the future? Ransomware mitigation is achieved through the utilization of regular data backups, regular software updates, blacklisting potentially malicious websites on HCA Healthcare’s
  • 15. 13 computer network, filtering network traffic to specific parameters (through network firewalls), implementing email filtering and multi-factor authentication across all employee accounts, patching known vulnerabilities as soon as possible, and utilizing the least privilege model (National Cyber Security Centre, 2020). DDoS attack mitigation is achieved by dropping malicious traffic requests from bots, rerouting network traffic, and utilizing firewall network traffic filtration protocols (Cloudflare, n.d.). Data interception mitigation methods include using encrypted communication protocols, using secured and trusted internet networks, and monitoring network traffic through intrusion detection systems (Afidence, 2023). All of these suggested actions are non-negotiable and are to be carried out across all HCA Healthcare computer networks on a daily, weekly, and monthly basis, by appropriate cybersecurity team members. This is to ensure that EHRs are not compromised from a confidentiality, integrity, and availability standpoint. Protecting EHR data is mission-critical to successfully running HCA Healthcare as an organization. Asset 2: Telecommunications Systems (Bryson Ullmer) Asset Identification Another critical asset that HCA Healthcare must protect is its telecommunications systems. Telecommunications for HCA Healthcare include VoIP systems, LAN networks, instant messaging protocols, and phone calls. Telecommunications systems are highly valuable as an asset to HCA Healthcare because they entail everything that is occurring inside and outside of the organization. Examples include communications between doctors, communications between
  • 16. 14 doctors and patients, or cross-departmental communications. A key risk associated with telecommunications systems is data interception. Risk Management Data interception is achieved through the cybersecurity attack vectors of packet sniffing, wiretapping, and MITM (man-in-the-middle) attacks. Data interception can be mitigated through the utilization of the NIST framework category “identify” and subcategories ID.AM-1, ID.AM-3, and ID.AM-4. NIST framework subcategory ID.AM-1 handles the physical devices/systems used for telecommunications by HCA Healthcare. It is critical to know which devices will be used for communication, so data interceptors can be more easily identified. NIST framework subcategory ID.AM-3 suggests mapping communication and data flow. This is crucial to determine where data and communications should go and where they should not go. This strategy will allow HCA Healthcare’s cybersecurity team to determine where data and communications are being intercepted or leaked. NIST framework subcategory ID.AM-4 requires that external information systems be cataloged. This means that HCA Healthcare must know which devices outside of HCA Healthcare’s internal network will receive communications and data. Protect Strategy NIST framework category ‘protect’ and subcategories PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, and PR.DS-8 can all be implemented into the cybersecurity plan of HCA Healthcare. NIST framework subcategories PR.DS-1 and PR.DS-2 entail the handling of data-at-rest and data-in-transit. These subcategories are very useful and effective because they directly address
  • 17. 15 and mitigate against data interception. NIST framework subcategories PR.DS-5, PR.DS-6, and PR.DS-8 suggest patching vulnerabilities that could result in a data leak, as well as the implementation of systems to verify hardware, software, and data integrity. These subcategories directly address another associated risk with telecommunications systems, data leaks. Recommended Policies, Procedures, and Controls Associated risks of telecommunication systems can be mitigated through the enforcement of a strong password policy, the identification and classification of sensitive data, employee awareness training, wiping data records off of devices when no longer needed, and employing data seeding (Irwin, 2022). According to the US Cybersecurity and Infrastructure Security Agency (CISA), effective password policies utilize passwords that are at least sixteen characters long, are randomized (mixed-case letters, numbers, and symbols), and are unique (meaning each password is only used on one user account). Also, an effective password policy utilizes a secure, enterprise-level password manager (Require Strong Passwords, n.d.). Enterprise-level password managers are useful for ensuring that organization employees are utilizing strong passwords and that passwords are easily recoverable when/if employees forget their passwords. Data seeding is the purposeful storing of different sets of fake data across multiple devices. Data seeding helps organizations determine where data leaks are occurring so the affected devices can be segmented and quarantined from the network. Also, data seeding can help cybersecurity professionals determine if insider threats are occurring (meaning that employees are purposefully leaking information about their employer). Data classification can be performed by classifying data into four major categories. These categories are public information, confidential information, sensitive information, and personal information (PII). 
The difference between confidential and
  • 18. 16 sensitive information is that confidential data primarily encompasses proprietary information, trade secrets, employee data, and organizational contracts and agreements, while sensitive data is data that pertains to organizational secrets (Smith, 2022). A strong password policy for HCA Healthcare can be enforced by changing all passwords every three months (McAfee, n.d.). Although there are no time interval guidelines on how to handle data identification and classification, I believe that this task should be performed every few months. This will allow HCA Healthcare to collect large quantities of data and then determine what classification level the collected data belongs to. Data seeding should be performed daily. This is because data leaks can occur at any moment in time, they are not predictable, so HCA Healthcare’s seeded data should not be predictable as a result. Asset 3: Laboratory Information System (Maggie Bowles) Asset Identification The laboratory information system (LIS) serves a crucial function in the various facilities of HCA Healthcare, providing a focal point for managing and processing laboratory data such as patient information, testing results, and diagnostics. Machines like point-of-care testing, medical imaging systems, and numerous analyzers all rely heavily on differing types of LIS. It is a key component in efficient performance by contributing diagnosis and treatment options promptly. These systems integrate important functionalities that aid operations with interfacing, sample tracking, quality control, and reporting accurate results with lab equipment. As a strong base of operations, it allows healthcare workers to make knowledgeable clinical decisions and supply methodical patient care. Risk Management
A primary risk associated with the LIS is data loss or corruption, which can be caused by factors ranging from unexpected natural disasters to system failures. Other factors, such as cyber attacks and human error, must also be anticipated and prepared for. The loss or corruption of operations, data, or results can lead to critical disruptions in healthcare services or delays in diagnosis and treatment. Overall, these risks can jeopardize the integrity of HCA Healthcare through compromised care quality and possible legal ramifications. Maintaining a continuously structured system for laboratory operations is required to safeguard the confidentiality, integrity, and availability of data and to build trust with patients.

Recovery Strategy

A successful recovery strategy must be constantly examined for gaps and areas to improve, and updated based on the organization's own, its partners', and its peers' experiences. Inspection is only the beginning: the plan must also undergo periodic testing to review responsiveness and keep pace with cyber advancements. In the NIST Cybersecurity Framework, RC.IM-2 is where recovery strategies are updated based on reviews, emerging threats, and post-incident lessons. In these reviews, the response, impact, and success rates should be measured and adjusted accordingly to face the challenges of an ever-evolving landscape. When executing a recovery strategy, communication and key personnel roles must be clearly defined. These outlines for subcategory RC.RP-1 should list actions for IT, laboratory personnel, cybersecurity experts, and designated management during and after an incident. Actions should be prompt following the detection of any issue to minimize the impact and promote a quick return to normal operations.

Recommended Policies, Procedures, and Controls
Supporting a recovery strategy and mitigating the risks of data loss or corruption in the LIS can be executed with simple guidelines and distributed responsibilities. The first step is to implement rigorous data backup and recovery policies that explicitly state the frequency of backups, storage locations, and authentication procedures. Data handling policies should also cover storage, access, transmission, and disposal. Access monitoring and user authentication should be applied to limit access to sensitive data. These measures mitigate human error and prevent unauthorized modifications or deletions while ensuring data integrity and availability. Consistent training and awareness programs that educate employees on best practices in data handling, the company's incident response procedures, and possible cybersecurity threats are among the most important elements of maintaining strong cybersecurity hygiene.

Asset 4: Hospital Information System (Maggie Bowles)

Asset Identification

Healthcare-related data inside hospital settings revolves around the broad platform that manages and processes it, known as the hospital information system (HIS). This centralized system is the digital backbone for storing and managing hospital functions, namely patient information, financial records, workflow operations, and administrative processes. The HIS orchestrates collaboration between departments inside the facility and allows a more coordinated approach to patient care. The data within it and its analytical capabilities are used to keep tabs on patient information and track trends. Resource allocation is another area where the HIS provides support, improving the operational efficiency of the facilities.

Risk Management
The most significant threat to the HIS is a data breach that exposes confidential data, compromising patient privacy and diminishing organizational integrity. Such exposure can result in fraud, identity theft, and medical inaccuracies. Unauthorized access also carries a high risk of disrupting the facility's normal operations. If the hospital requires system downtime to locate and eradicate the threat, appointment scheduling and billing can be hindered and medical attention widely diminished. These incidents can result in heavy fines and legal repercussions for any failure to comply with data privacy regulations such as the Health Insurance Portability and Accountability Act (OCR).

Protection Strategy

By utilizing role-based access controls and authentication measures as suggested by NIST framework subcategory PR.AC-1, the HIS can reduce the risk of intrusion and data breaches by allowing only trusted workers access to area-specific data. Adding encryption supports data protection at rest and in transit and minimizes the impact of a breach, which the framework also emphasizes. Regular cybersecurity training for staff on preserving patient data and identifying and reporting suspicious activity is emphasized within PR.IP-5 of the framework, which covers policies for the physical operating environment. "Physical exploitation of a device may defeat technical controls that are otherwise in place." (Epalm). Devices that automate incident reporting and alert on possible intrusions or threats add to workplace efficiency, allowing staff time to be allocated to other time-sensitive patient care. Each aspect should involve an appropriate monitoring solution and is a crucial point inside a well-structured cybersecurity policy.
Recommended Policies, Procedures, and Controls

Developing an uncomplicated IT security policy that clearly outlines user access, encryption standards, and incident reporting and investigation procedures is key to a simple and safe workplace. Keeping up to date with relevant healthcare privacy laws through a compliant data privacy policy, and including a secure disposal policy, is important as well. However, it is not enough to ensure that only the company and its employees adhere to policies and procedures; outside partners must as well. Therefore, a vendor management policy is needed to verify that third-party service providers uphold HCA Healthcare's security policies. Restricting access to private data inside the HIS is manageable through network segmentation. Firewalls, intrusion detection systems, and intrusion prevention systems also support monitoring and denying unauthorized access by malicious users.

Asset 5: Personally Identifiable Information (PII) (Shurika Brunson)

Asset Identification

Asset identification is the foundation of HCA Healthcare's patient PII protection strategy. All PII assets inside the organization, including electronic health records, billing information, and patient demographics, require cataloging under their category identification. With ID.AM-5, HCA Healthcare can better understand its PII environment and prioritize risk mitigation operations. PII refers to any information that can be used to identify a specific individual, such as name, address, social security number, and health records. Due to the sensitivity of medical data, any breach of a patient's sensitive information can have serious consequences: financial loss, reputational damage, and legal penalties. HCA Healthcare should implement detailed processes that align with managing related PII risks.

Risk Management

HCA Healthcare must adhere to category identifier ID.RM-1 to implement a thorough risk management strategy tailored to the unique challenges PII assets pose. Thorough risk assessments are necessary to detect possible threats and weaknesses, such as illegal access, data breaches, or insider threats. By taking proactive measures to manage these risks, HCA Healthcare can lessen the likelihood and impact of PII-related events.

Response Strategy

A quick and efficient response plan is essential to reduce losses and protect patient privacy in a PII-related event. Explicit protocols and escalation processes for addressing breaches or unauthorized disclosures of PII are essential to comply with category identifiers RS.CO-5 and RS.MI-3. This entails contacting affected parties and authorities as soon as possible and putting corrective measures in place to prevent such incidents in the future.

Recommended Policies, Procedures, and Controls

To strengthen its asset and risk management initiatives, HCA Healthcare should put the following guidelines, protocols, and controls into place:

1. PII Classification Policy: Clearly define the criteria by which PII assets are categorized according to their sensitivity levels, ensuring each category has the necessary protections in place.
2. Access Control Procedures: To prevent unwanted access to PII systems and data, implement strong access controls, such as multi-factor authentication and role-based access rights.
3. Encryption Standards: Require PII to be encrypted in transit and at rest to guard against illegal access and data theft.
4. Incident Response Plan: Guidelines for identifying, handling, and recovering from network security breaches.
5. Employee Education and Awareness: Hold frequent training sessions to inform staff of the significance of protecting PII, highlighting their responsibility for securing sensitive data and identifying possible security risks.

In conclusion, safeguarding PII assets within HCA Healthcare requires a multi-faceted approach encompassing asset identification, risk management, and response strategies. By adhering to category identifiers ID.AM-5, ID.RM-1, RS.CO-5, and RS.MI-3, and implementing the recommended policies, procedures, and controls, HCA Healthcare can fortify its defenses against PII-related risks, preserving patient privacy and trust in the organization's commitment to data security.

Asset 6: Network Infrastructure Data Breach Risks (Shurika Brunson)

Network Infrastructure Data Breaches
The network infrastructure of HCA Healthcare enables information sharing, data storage, and communication within the organization. However, network environments often have flaws that lead to the exposure of sensitive data, elevating the risk of data breaches due to outdated software, misconfigured hardware, and inadequate access restrictions. For example, improperly configured firewalls or unpatched software give bad actors easy access to the network and the ability to extract proprietary or sensitive patient information. Moreover, data breaches are more likely because of the heightened use of cloud services and interconnected devices, which introduce complexity and increase vulnerabilities. Prioritizing network security processes that mitigate risk through frequent assessments, network segmentation, encryption, and access control will strengthen HCA Healthcare's defenses against network infrastructure data breaches.

Detection Strategies

HCA Healthcare is susceptible to vulnerabilities within confidential networks and databases. To minimize the detrimental effects, robust detection is essential to protect against data breaches and manage risks effectively. Anomaly detection is a necessary approach for detecting network data breaches through incident response capabilities and real-time monitoring (DE.AE-1). Network traffic monitoring is necessary for detecting unusual patterns indicative of a data breach. Utilizing intrusion detection systems (IDS) and security information and event management (SIEM) technologies facilitates timely detection and remediation of threats (DE.DP-3).

Recovery Strategies
After a breach, quick recovery plans are necessary to reduce losses and continue operations (RC.CO-1). Technical procedures, including data sanitization, backups, and encryption protocols, are essential for restoring data and recovering systems. HCA's security posture (RC.RP-1) includes coordination efforts and stakeholder involvement to ensure that communication lines are open, increasing the confidence of regulators, consumers, and related supporters. Proactive recovery planning can reduce system downtime and support business continuity, allowing resilience during a crisis.

Recommended Policies, Procedures, and Controls

Incident response procedures, data preservation regulations, and open communication guidelines should be implemented to limit the spread of data breaches. Stakeholder participation is paramount to ensure proper escalation, and defining responsibilities will foster trust and confidence. Technological protocols such as backup solutions and intrusion detection systems will strengthen controls. Proper crisis management ensures that HCA coordinates media relations and internal and external communications clearly while ensuring the organization's safety.

In conclusion, early detection and recovery procedures are instrumental in decreasing the effects of data breaches while safeguarding organizational assets. HCA can strengthen its defenses against attacks by addressing network infrastructure vulnerabilities, enforcing strict access controls, and establishing robust policies, procedures, and controls. Protecting sensitive data and maintaining the confidentiality of patient PII will increase trust and mitigate risks through strategic detection and recovery plans.
Asset 7: Telehealth Platform (A'rai Hyman)

Asset Identification

Telehealth platforms are essential because they provide valuable remote healthcare assistance, but they come with significant risks that must be addressed to ensure safety, privacy, and effectiveness for the patient. An important risk associated with telehealth platforms is Cybersecurity Risk within the Information Security risk function, in the Data Privacy sub-category. Ensuring compliance with telehealth rules, licensure requirements, and data protection legislation is critical for avoiding legal ramifications and maintaining patient and healthcare provider trust in the telehealth platform. Addressing these concerns through strong cybersecurity protections, clinical procedures, and compliance frameworks is critical to creating a safe, dependable, and compliant telehealth environment that can provide quality remote healthcare services.

Identify

Identifying (ID.AM) and keeping track of approved and unauthorized devices and software on the telehealth platform and network infrastructure is critical for successful risk management. With the wide range of hardware and software used in telehealth operations, such as medical devices, communication methods, and network components, a complete asset management system provides visibility into possible risks. Unauthorized or unpatched devices and software can pose security threats, so it is critical to identify and manage them to avoid future exploitation. A strong asset management strategy helps with vulnerability evaluation, risk prioritization, and timely upgrades, all of which contribute to the telehealth platform's overall security posture.

Risk Management

Risk management for telehealth platforms at HCA Healthcare entails a thorough and proactive strategy to identify, assess, and mitigate possible risks to ensure the safe and successful delivery of remote healthcare services. HCA Healthcare has a multifaceted risk management strategy that includes Cybersecurity Risk Management under the Information Security function, with a focus on the Data Privacy sub-category, to secure patient data and prevent cyber attacks. This involves deploying sophisticated security measures and encryption technology and conducting frequent vulnerability assessments to reduce the risk of data breaches and illegal access. HCA Healthcare also addresses Clinical Risk Management within the Clinical Safety function, specifically in the Quality of Care sub-category, by developing clinical procedures, guidelines, and training programs to guarantee accurate diagnosis, suitable treatment recommendations, and adherence to clinical best practices in telehealth services. Furthermore, HCA Healthcare prioritizes Regulatory and Compliance Risk Management under the Legal and Regulatory Compliance department, with an emphasis on the Telehealth Rules sub-category, to guarantee adherence to telehealth rules, license requirements, and data protection legislation. This includes ongoing monitoring of regulatory changes, the installation of compliance frameworks, and frequent audits to ensure that legal and regulatory requirements are met and legal risks are mitigated. By incorporating these risk management strategies, HCA Healthcare aims to create a secure, dependable, and compliant telehealth environment that ensures the integrity, safety, and quality of remote healthcare services provided to patients.
Recommended Control

Recommended controls for HCA Healthcare's telehealth platforms should include a mix of technological, administrative, and physical precautions to assure the security, privacy, and quality of remote healthcare services. From a cybersecurity standpoint, it is critical to create robust access control measures to prevent unwanted access to patient data, such as multi-factor authentication, secure password rules, and role-based access controls. Encrypting sensitive data at rest and in transit is critical to preventing data breaches and unwanted interception. Security audits and monitoring should be performed regularly to discover and respond to security events as they occur. Implementing clinical decision support systems can help healthcare practitioners make accurate diagnosis and treatment decisions, improving the quality and safety of care. Healthcare practitioners should receive training and education to guarantee their competency in telehealth technology as well as adherence to medical standards and best practices. HCA Healthcare should implement a thorough Telehealth Compliance Program to guarantee compliance with telehealth legislation, licensure requirements, and data protection laws. This involves receiving frequent updates on regulatory requirements, implementing compliance monitoring mechanisms, and performing both internal and external compliance audits to ensure conformity to legal and regulatory standards.

Asset 8: Technology (A'rai Hyman)

Asset Identification
Identifying technological assets is a vital component of HCA Healthcare's IT management approach. Technology assets include a diverse spectrum of hardware, software, and network infrastructure components that are critical to the organization's operations and healthcare service delivery. To successfully manage and protect these assets, HCA Healthcare takes a systematic approach to asset identification, which entails generating and maintaining an accurate and comprehensive inventory of all technological assets within the business. This comprises servers, workstations, network devices, software, databases, and other information technology assets. Each asset is properly recorded, including details such as asset type, characteristics, location, ownership, and importance to company operations. By keeping an accurate and up-to-date inventory of its technology assets, HCA Healthcare can improve visibility and control over its IT infrastructure, expedite asset management procedures, enable proactive maintenance and support, maximize asset utilization, and fortify cybersecurity measures to guard against potential risks and vulnerabilities. This will ensure the technology infrastructure's dependability, performance, and security in support of the organization's mission to provide high-quality healthcare services.

Risk Management

HCA Healthcare relies heavily on technology assets. This role is classified as IT Infrastructure Management, with a subcategory called Cybersecurity, which focuses on network security. To handle the related risks and protect the organization's IT infrastructure, HCA Healthcare has created the Network Security Policy. This policy defines standards and recommendations for network infrastructure security, such as the implementation of firewalls, intrusion detection systems, and network segmentation, to guard against cyber attacks and unauthorized access. The Vulnerability Management Procedure complements this policy. It describes the steps for detecting, assessing, and mitigating vulnerabilities in IT infrastructure through frequent vulnerability assessments, patch management, and system hardening. As a safeguard, the firm employs Intrusion Detection and Prevention Systems (IDPS). These technologies monitor network traffic, detect suspicious activity or possible security breaches, and automatically take action to avoid or mitigate security events, improving the overall cybersecurity posture of HCA Healthcare's IT infrastructure.

Recommended Control

HCA Healthcare's recommended controls for technology assets should include a comprehensive cybersecurity strategy to secure the organization's IT infrastructure and prevent potential cyber-attacks and unauthorized access. Network security measures, such as firewalls, intrusion detection and prevention systems (IDPS), and network segmentation, are critical controls. Firewalls serve as a protective barrier between HCA Healthcare's internal and external networks, screening incoming and outgoing traffic to prevent unwanted access and cyberattacks. IDPS continually monitors network traffic, detects suspicious activity or possible security breaches, and automatically takes action to avoid or mitigate security events, improving the overall cybersecurity posture. Network segmentation separates a network into smaller, isolated pieces to limit the lateral movement of threats and mitigate the effect of possible security breaches. In addition, regular security audits and vulnerability assessments should be performed to detect and remediate weaknesses in the IT infrastructure proactively. Multi-factor authentication (MFA) and strong password policies should be used to improve access control and prevent unwanted access to critical systems and data. Furthermore, endpoint protection solutions, such as antivirus and antimalware software, should be used to identify and remove malicious software from endpoints, protecting the integrity and security of HCA Healthcare's technological resources. By implementing these suggested controls, HCA Healthcare can build a strong cybersecurity framework that protects the confidentiality, integrity, and availability of its technological assets while reaffirming its dedication to supplying secure and high-quality healthcare services.

Conclusion

In conclusion, HCA Healthcare must protect and maintain the confidentiality, integrity, and availability of its most valuable cyber assets at all times, through the recommendations and guidelines of the NIST framework as well as industry-standard cybersecurity hygiene practices. HCA Healthcare's most valuable cyber assets include patient PII, electronic health records, telecommunications systems, hospital information systems, laboratory information systems, and network data. All of these assets rank high in importance and associated risk. Without adequate cyber defenses for these assets, HCA Healthcare will not be able to perform significant organizational operations and provide high-quality services to its customers. These assets are integral to knowing how to treat patients, who and where to send patient information to, and the secure storage of patient PII, medical conditions, medical treatments, medical diagnoses, communications records, hospital information system data, laboratory information system data, network infrastructure details, and network infrastructure source code.
References

Burgess, M. (2020, March 24). What is GDPR? The summary guide to GDPR compliance in the UK. WIRED. https://www.wired.com/story/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018/

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer Security Incident Handling Guide. NIST. Retrieved March 16, 2024, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Cloudflare. (n.d.). What is DDoS mitigation? Retrieved March 16, 2024, from https://www.cloudflare.com/learning/ddos/ddos-mitigation/#:~:text=DDoS%20mitigation%20refers%20to%20the,%2Dservice%20(DDoS)%20attack.

De Groot. (2023, April 28). What is Data Loss Prevention (DLP)? Definition, Types & Tips. Digital Guardian. Retrieved March 16, 2024, from https://www.digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention

De Groot. (2023, May 6). What Is Data Encryption? (Definition, Best Practices & More). Digital Guardian. Retrieved March 16, 2024, from https://www.digitalguardian.com/blog/what-data-encryption

Dickerson, R. (2004, September 4). Incident Management 101: Preparation and Initial Response (aka Identification). SANS. Retrieved March 31, 2024, from https://sansorg.egnyte.com/dl/xA2zHfNRL2

Kosutic, D. (n.d.). What is ISO 27001? A detailed and straightforward guide. 27001Academy. https://advisera.com/27001academy/what-is-iso-27001/

Lutkevich, B. (2020, August 28). HIPAA (Health Insurance Portability and Accountability Act). Health IT. https://www.techtarget.com/searchhealthit/definition/HIPAA

McAfee. (n.d.). How Often Should You Change Your Passwords? Retrieved March 27, 2024, from https://www.mcafee.com/learn/how-often-should-you-change-your-passwords/#:~:text=But%20how%20often%20should%20you,has%20access%20to%20your%20account.

More than a Password | CISA. (n.d.). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/MFA

National Cyber Security Centre. (2020, February 13). Mitigating malware and ransomware attacks. Retrieved March 16, 2024, from https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Require Strong Passwords. (n.d.). Cybersecurity and Infrastructure Security Agency. Retrieved March 24, 2024, from https://www.cisa.gov/secure-our-world/require-strong-passwords#:~:text=Require%20strong%2C%20unique%20passwords.,of%205%20%E2%80%937%20random%20words

Smith, P. (2022, July 12). A guide to data classification: confidential data vs. sensitive data vs. public information. RecordPoint. Retrieved March 27, 2024, from https://www.recordpoint.com/blog/a-guide-to-data-classification-confidential-vs-sensitive-vs-public-information

Swanson, M., Bowen, P., Phillips, A., Gallup, D., & Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems. NIST. Retrieved March 16, 2024, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Tunggal, A. T. (2023, October 25). What is the Cost of a Data Breach in 2023? UpGuard. Retrieved March 31, 2024, from https://www.upguard.com/blog/cost-of-data-breach

Zhang. (2023, May 5). What is Role-Based Access Control (RBAC)? Examples, Benefits, and More. Digital Guardian. Retrieved March 16, 2024, from https://www.digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more#:~:text=Role%2Dbased%20access%20control%20(RBAC)%20restricts%20network%20access%20based,employees%20have%20to%20the%20network.

Office for Civil Rights (OCR). (2022, March 31). Privacy. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Epalm. (2021, December 16). Cybersecurity in Healthcare. HIMSS. https://www.himss.org/resources/cybersecurity-healthcare

NIST Cybersecurity Framework v1.1, RC.RP-1. https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/rc-rp/rc-rp-1/

NIST Cybersecurity Framework v1.1, RC.IM-2. https://csf.tools/reference/nist-cybersecurity-framework/v1-1/rc/rc-im/rc-im-2/

NIST Cybersecurity Framework v1.1, PR.IP-5. https://csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ip/pr-ip-5/

NIST Cybersecurity Framework v1.1, PR.AC. https://csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ac/