Strayer University HIPAA and IT Audits Case Study
Case Study: HIPAA and IT Audits
Imagine you are the Information Security Officer at a medium-sized hospital chain. The CEO
and the other senior leadership of the company want to ensure that all of their hospitals are and
remain HIPAA compliant. They are concerned about the HIPAA Security and Privacy Rules and
their impact on the organization. You begin looking at the information provided by the Department
of Health and Human Services, located at
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html. Specifically, you are asked to
provide an analysis of two (2) of the cases found here with emphasis on what was done to
resolve the compliance issues.
Section 1. Written Paper
Non-compliance with HIPAA regulations can result in significant fines and negative publicity.
To help ensure that your organization remains in compliance with HIPAA regulations you have
been asked to write a three to five (3-5) page paper in which you:
1a. Create an overview of the HIPAA Security Rule and Privacy Rule.
1b. Analyze the major types of incidents and breaches that occur based on the cases
reported.
1c. Analyze the technical controls and the non-technical controls that are needed to
mitigate the identified risks and vulnerabilities.
1d. Analyze and describe the network architecture that is needed within an organization,
including a medium-sized hospital, in order to be compliant with HIPAA regulations.
1e. Analyze how a hospital is similar to and different from other organizations in regards
to HIPAA compliance.
1f. List the IT audit steps that need to be included in the organization’s overall IT audit
plan to ensure compliance with HIPAA rules and regulations.
1g. Use at least four (4) quality resources in this assignment. Note: Wikipedia and similar
Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins
on all sides; citations and references must follow APA. Check with your professor for
any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the
professor’s name, the course title, and the date. The cover page and the reference page are
not included in the required assignment page length.
Section 2. Network Architecture
2a. Create a network architecture diagram (using Visio or an open-source equivalent to
Visio for creating diagrams), based on the description of the network architecture that you
defined above for the organization to be compliant with HIPAA regulations.
2b. Include in the diagram the switches, routers, firewalls, IDS / IPS, and any other
devices needed for a compliant network architecture.
The specific course learning outcomes associated with this assignment are:
• Describe the process of performing effective information technology audits and general
controls.
• Explain the role of cybersecurity privacy controls in the review of system processes.
• Describe the various general controls and audit approaches for software and architecture
to include operating systems, telecommunication networks, cloud computing, service-oriented
architecture and virtualization.
• Use technology and information resources to research issues in information technology
audit and control.
• Write clearly and concisely about topics related to information technology audit and
control using proper writing mechanics and technical style conventions.
Grading for this assignment will be based on answer quality, logic / organization of the paper,
and language and writing skills, using the following rubric.
Points: 125
Case Study 2: HIPAA and IT Audits
Levels: Unacceptable (Below 70% F); Fair (70-79% C); Proficient (80-89% B); Exemplary (90-100% A)
Criteria

Section 1: Written Paper

1a. Create an overview of the HIPAA Security Rule and Privacy Rule.
Weight: 10%
• Unacceptable: Did not submit or incompletely created an overview of the HIPAA Security Rule and Privacy Rule.
• Fair: Partially created an overview of the HIPAA Security Rule and Privacy Rule.
• Proficient: Satisfactorily created an overview of the HIPAA Security Rule and Privacy Rule.
• Exemplary: Thoroughly created an overview of the HIPAA Security Rule and Privacy Rule.

1b. Analyze the major types of incidents and breaches that occur based on the cases reported.
Weight: 10%
• Unacceptable: Did not submit or incompletely analyzed the major types of incidents and breaches that occur based on the cases reported.
• Fair: Partially analyzed the major types of incidents and breaches that occur based on the cases reported.
• Proficient: Satisfactorily analyzed the major types of incidents and breaches that occur based on the cases reported.
• Exemplary: Thoroughly analyzed the major types of incidents and breaches that occur based on the cases reported.

1c. Analyze the technical controls and the non-technical controls that are needed to mitigate the identified risks and vulnerabilities.
Weight: 10%
• Unacceptable: Did not submit or incompletely analyzed the technical controls and the non-technical controls that are needed to mitigate the identified risks and vulnerabilities.
• Fair: Partially analyzed the technical controls and the non-technical controls that are needed to mitigate the identified risks and vulnerabilities.
• Proficient: Satisfactorily analyzed the technical controls and the non-technical controls that are needed to mitigate the identified risks and vulnerabilities.
• Exemplary: Thoroughly analyzed the technical controls and the non-technical controls that are needed to mitigate the identified risks and vulnerabilities.

1d. Analyze and describe the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.
Weight: 10%
• Unacceptable: Did not submit or incompletely analyzed and described the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.
• Fair: Partially analyzed and described the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.
• Proficient: Satisfactorily analyzed and described the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.
• Exemplary: Thoroughly analyzed and described the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.

1e. Analyze how a hospital is similar to and different from other non-medical organizations in regards to HIPAA compliance.
Weight: 10%
• Unacceptable: Did not submit or incompletely analyzed how a hospital is similar to and different from other non-medical organizations in regards to HIPAA compliance.
• Fair: Partially analyzed how a hospital is similar to and different from other non-medical organizations in regards to HIPAA compliance.
• Proficient: Satisfactorily analyzed how a hospital is similar to and different from other non-medical organizations in regards to HIPAA compliance.
• Exemplary: Thoroughly analyzed how a hospital is similar to and different from other non-medical organizations in regards to HIPAA compliance.

1f. List the IT audit steps that need to be included in the organization’s overall IT audit plan to ensure compliance with HIPAA rules and regulations.
Weight: 10%
• Unacceptable: Did not submit or incompletely listed the IT audit steps that need to be included in the organization’s overall IT audit plan to ensure compliance with HIPAA rules and regulations.
• Fair: Partially listed the IT audit steps that need to be included in the organization’s overall IT audit plan to ensure compliance with HIPAA rules and regulations.
• Proficient: Satisfactorily listed the IT audit steps that need to be included in the organization’s overall IT audit plan to ensure compliance with HIPAA rules and regulations.
• Exemplary: Thoroughly listed the IT audit steps that need to be included in the organization’s overall IT audit plan to ensure compliance with HIPAA rules and regulations.

1g. 3 references
Weight: 5%
• Unacceptable: No references provided
• Fair: Does not meet the required number of references; some or all references poor quality choices.
• Proficient: Meets number of required references; all references high quality choices.
• Exemplary: Exceeds number of required references; all references high quality choices.

1h. Clarity, writing mechanics, and formatting requirements
Weight: 10%
• Unacceptable: More than 6 errors present
• Fair: 5-6 errors present
• Proficient: 3-4 errors present
• Exemplary: 0-2 errors present

Section 2: Network Architecture

2a. Create a network architecture diagram based on the description of the network architecture that you defined above for the organization to be compliant with HIPAA regulations.
Weight: 15%
• Unacceptable: Did not submit or incompletely created a network architecture diagram based on the description of the network architecture that you defined above for the organization to be compliant with HIPAA regulations.
• Fair: Partially created a network architecture diagram based on the description of the network architecture that you defined above for the organization to be compliant with HIPAA regulations.
• Proficient: Satisfactorily created a network architecture diagram based on the description of the network architecture that you defined above for the organization to be compliant with HIPAA regulations.
• Exemplary: Thoroughly created a network architecture diagram based on the description of the network architecture that you defined above for the organization to be compliant with HIPAA regulations.

2b. Include in the diagram the switches, routers, firewalls, IDS/IPS, and any other devices needed for a compliant network architecture.
Weight: 10%
• Unacceptable: Did not submit or incompletely included in the diagram the switches, routers, firewalls, IDS/IPS, and any other devices needed for a compliant network architecture.
• Fair: Partially included in the diagram the switches, routers, firewalls, IDS/IPS, and any other devices needed for a compliant network architecture.
• Proficient: Satisfactorily included in the diagram the switches, routers, firewalls, IDS/IPS, and any other devices needed for a compliant network architecture.
• Exemplary: Thoroughly included in the diagram the switches, routers, firewalls, IDS/IPS, and any other devices needed for a compliant network architecture.