/
DRAFT WHCS Risk Assessment

DRAFT WHCS Risk Assessment

Owned by Kian Colestock
Oct 14, 2014

Scope


This is a risk assessment scoped broadly to the overall environment of Wellness, Health, and Counseling Services (WHCS) with a special emphasis on the Student Health Center (SHC).
SHC processes, stores, and transmits very sensitive data about individuals including, but not limited to:

  • Personally Identifiable Information
    • Name
    • Medical Information
    • Medical Insurance Numbers
  • Electronic Protected Health Information
  • Credit Card Transactions

Methodology


This risk assessment used the UC Irvine Baseline Information Security Control Requirements via the Security Risk Assessment Questionnaire. This was not an audit and security controls were not tested.
The methodology used to conduct this risk assessment is qualitative, and no attempt was made to determine any loss expectancies, cost projections, or cost-effectiveness of security safeguard recommendations.

Risk


The data involved are regulated by a number of laws and requirements such as California Civil Code 1798 (informally "SB 1386"), the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA),
If these data were breached the privacy impact to individuals would be considerable.
If these data were breached the financial impact to the University would be considerable.
The assessment of security controls to mitigate the risk of a high impact incident found 87 gaps. Large effort has been made to secure WHCS systems and these gaps reflect the difficult challenge in securing this type of environment and not a lack of diligence.

Gap Analysis


Control Category

Controls Addressed

Inventory of Devices

0/3

Inventory of Software

1/5

Secure Configuration of Devices

7/11

Vulnerability Assessment

1/6

Malware Defenses

1/6

Application Security

2/15

Wireless Device Control

0/6

Data Recovery Capability

3/4

Security Training

0/3

Secure Configuration of Network Devices

TBD

Control of Network Ports

TBD

Administrative Privileges

5/14

Boundary Defenses

1/7

Security Audit Logs

0/8

Controlled Access

2/5

Data Loss Prevention

0/7

Incident Response Capability

0/6

Secure Network Engineering

TBD

Penetration Tests

0/4

TOTAL

23 / 110

Recommendations


  • Address individual control gaps by meeting the requirement / documenting compensating controls or provide justification for accepting the risk
  • Implement a robust and comprehensive malware defense program that includes monitoring of anti-virus logs
  • Provide in-depth HIPAA training for all involved technical staff
  • Remove or upgrade non-enterprise wireless network(s)
  • Better segment networks to narrow medical information scope
  • Restrict ingress and egress web access from network(s) with medical information scope
  • Conduct threat assessment table-tops three times a year
  • Assign dedicated percentage of security analyst / project management resources to assist teams in evaluating and implementing controls