Strayer Information Security Legal Issues Case Study 1: HIPAA, CIA, and Safeguards
Due Week 2 and worth 100 points
This assignment consists of two sections: a written paper and a PowerPoint presentation.
Health Information Technology (HIT) is a growing field within health services organizations today; additionally, health information security is a major concern among health organizations, as they are required to maintain the security and privacy of health information.
The Department of Health and Human Services (HHS) provides extensive information about the Health Insurance Portability and Accountability Act (HIPAA). In March 2012, the HHS settled a HIPAA case with the Blue Cross Blue Shield of Tennessee (BCBST) for $1.5 million. As an IT security manager at a regional health services organization, your CIO has asked for the following: an analysis of this incident, an overview of the HIPAA security requirements necessary to prevent this type of an incident, and a briefing for management on the minimum security requirements to be HIPAA compliant.
Section 1: Written Paper
1. Write a three to five page paper in which you:
a. Describe the security issues of BCBST in regard to confidentiality, integrity, availability, and privacy based on the information provided in the BCBST case.
b. Describe the HIPAA security requirement that could have prevented each security issue identified if it had been enforced.
c. Analyze the corrective actions taken by BCBST that were efficient and those that were not adequate.
d. Analyze the security issues and the HIPAA security requirements and describe the safeguards that the organization needs to implement in order to mitigate the security risks. Ensure that you describe the safeguards in terms of administrative, technical, and physical safeguards.
e. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your written paper must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required page length.
Section 2: PowerPoint Presentation
2. Create a six to eight slide PowerPoint presentation in which you:
a. Provide the following on the main body slides:
i. An overview of the security issues at BCBST
ii. HIPAA security requirements that could have prevented the incident
iii. Positive and negative corrective actions taken by BCBST
iv. Safeguards needed to mitigate the security risks
Your PowerPoint presentation must follow these formatting requirements:
• Include a title slide, four to six main body slides, and a conclusion slide.
Select a type of organization (such as Financial or Health Care) and
describe the legal ramifications of providing the security goals of
confidentiality, integrity, and availability. Include the challenges of
providing these security goals.
Health Care is an organization where the legal ramifications of security goals
not being met have become broader in recent years. HIPAA was established
to maintain these security goals and ensure patient information is not misused
and that the organization is taking precautions to safeguard it to their full
ability. In June 2005, the U.S. Department of Justice (DOJ) clarified who can
be held criminally liable under HIPAA. Covered entities and specified
individuals, as explained below, who "knowingly" obtain or disclose
individually identifiable health information in violation of the Administrative
Simplification Regulations face a fine of up to $50,000, as well as
imprisonment up to one year. Offenses committed under false pretenses allow
penalties to be increased to a $100,000 fine, with up to five years in prison.
Finally, offenses committed with the intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal gain or
malicious harm permit fines of $250,000, and imprisonment for up to ten
Confidentiality is the main goal of HIPAA. However, in the healthcare field
availability can be another cause for legal ramifications. For example, if a
patient is seen at a hospital and doesn’t tell (or isn’t able to verbally
communicate) an allergy that is otherwise noted in their medical records, the
staff need to have access to their records to have this information. If the data
isn’t available then this allergy could be missed, causing a reaction, and the
patient can sue for negligence. Health Care organizations must meet the highest
levels of CIA to ensure the safety of the patients; bad or missing information could
be the difference between life and death.
Select two different types of organizations (such as Financial or
Health Care) and describe the similarities and differences with the
types of computer and networking security protection, and security
controls needed within the organization.
As discussed above, Health Care organizations need to maintain the highest
level of CIA to best care for and protect patients. A financial organization
must also meet the highest form of CIA; however, in this situation it’s much
less likely to be a life or death situation. The financial organizations must meet the
needs of availability and confidentiality with the same high standards to ensure
that customers have access to their funds and that their banking information is
kept safe from intrusion.
From the e-Activity, describe the threats and vulnerabilities of social
engineering and social media; include how they are similar and how
they are different.
Threats from social engineering and social media can be very similar. In both
cases you can have someone pretending to be someone they are not to gain
access to information that they, as themselves, should not have access to. Social
media can be a way for someone to access your personal life without you even
knowing they are watching; the things you post, pictures you’re in, etc. can all
paint a picture for a perpetrator that will allow them access to your life. Some
social engineers will even use social media against you: they know where you
shop, they know where you eat and where you work, so they have enough
information to figure out what you would believe.
Differences are that social engineering uses social media to prepare. The
medium of the social engineer can also be social media, so really, social media
in itself isn’t a type of attack but a means that can be used to carry out an
From the e-Activity, describe the control measures that
organizations and individuals need to implement to minimize the
vulnerabilities associated with social engineering and social media.
We discuss this in the workplace all the time. Take basic precautions; don’t give
out information to just anyone. It doesn’t matter if someone who looks like an IT
person comes in and asks for your credentials, ask for verification of who they
are. Always second guess anyone who asks for private information. If it’s a
phone call, ask to call the person right back on their business line to ensure that
they are working in the office they say that they are.
When it comes to social media, just be careful what you post. Don’t give out
your personal information online and never post things like when you’ll be on
vacation. Even if you think you know everyone that can see your statuses, you
just never know who’s targeting you.