General case exercise:
The Choice Care Health Group (CCHG), in operation for over 30 years, is made up of 12 general practitioners (GPs) who also function as family physicians. The front desk uses four terminals to
schedule patients and to complete billing tasks. In addition, the terminals are connected to two centralized personal computers that run an old version of the Linux operating system. They are also
connected to several older printers used to print billing forms and other pertinent financial information. This system was installed almost 12 years ago by a local computer business that has since
CCHG has hired Mary Jordan, a certified Healthcare Information Security and Privacy Practitioner, to help them determine what their needs are and gradually introduce new technology. Mary and Jake
Thomas, the CCHG office manager, have been meeting to discuss the technologies that CCHG might want to consider purchasing and installing.
Mary also met with the GPs about how implementing new technologies could benefit CCHG. Although they are interested in new technologies that can help CCHG, several voiced concerns about security.
One GP's home computer was recently the victim of a virus attack. Although the damage was minimal and the system was restored, it has still made him very cautious about the security of the
computers at CCHG. The GP wants to know what security protections CCHG needs to protect the computers and information from attackers. How will Mary respond?
Assume you are in Mary's position as the consultant.
For this case, complete the following:
1. What types of attacks should CCHG protect itself against? List at least four different attacks, how they could impact CCHG if successful, and what CCHG should do to protect its information from
2. Jake is particularly concerned about phishing attacks because there is no technology that can be used to stop them. He has asked Mary to create a training session for CCHG's employees. Research
the Internet regarding phishing attacks and defenses. Develop a bullet list that describes phishing, how to recognize a phishing attack, and what employees should do in the event of an attack.
3. Jake also tells Mary that CCHG's data backup system does not always function properly. What type of data backup would you suggest for CCHG?
4. How can Mary, the Healthcare Information Security and Privacy Practitioner (HCISPP) in this scenario, most effectively communicate the risk to CCHG senior management?