Physical And Logical Threats To Psinuvia’s Cybersecurity Posture

Physical Vulnerabilities and Threats

This report explains how threats and vulnerabilities can critically affect the regular operations of an organization (Papp, Ma and Buttyan 2015). It reviews the report made by Autojor Security Consultants on the medical supplier Psinuvia Inc. and provides the responses required from the respective fields. The report begins with the physical vulnerabilities and threats associated with the medical devices supplied by the business, followed by the logical vulnerabilities and threats and how these risks compromise operations (Omar 2017). It then discusses the ISO standards that apply to the business operations and need to be followed. The compliance duties of the different departments are explained next, together with a proposal for how the company can ensure they are met. A PCI DSS compliant policy is then suggested for securing the card-based payment modules, followed by the measures through which GDPR compliance can be achieved. HIPAA conformance is analysed next, with the steps needed to establish the penalties for past violations. The report closes with a business continuity plan and concluding notes.


Psinuvia Incorporated focuses on the efficient and effective use of advanced implantable medical devices such as pacemakers and defibrillators, by modernizing the use of these heart defibrillation and resynchronization devices. However, these devices are exposed to threats that can inflict physical damage and compromise their functioning (Shedden et al. 2016). Numerous machines and devices can interfere with Implantable Cardioverter Defibrillators (ICDs) through the electromagnetic fields they generate, which affects the reliability of the products Psinuvia offers. The usage policies for these devices must therefore clearly warn of exposure to such sources, which include cell phones, MP3 players, headphones, radios and other devices containing magnets. Electronic Article Surveillance (EAS) systems and metal detectors, installed in shopping malls and stores, are a further source of interference, and users of the devices should be warned about them. The ICDs are also vulnerable through the radio frequency interface used by wireless telemetry: data transmitted remotely can be intercepted or manipulated by unauthorized users, leading to improper functioning of the device. Note that interference from consumer electronics and EAS gates is an accidental safety and availability hazard, whereas the telemetry interface is an attack surface that a deliberate adversary can target; the two need different controls. In addition, the complexity of the operational environment must be understood and the technical vulnerabilities catalogued, because these product vulnerabilities affect the quality of the products and services Psinuvia offers. Cybersecurity protection is not only a technical issue: unsuitable environments such as humid weather and dust can significantly affect the physical health of the medical devices and thereby the endurance of the products Psinuvia makes available.
To mitigate these risks, the company needs to keep in place quality checks and performance evaluations under varying environmental conditions in its lab, thereby offering a structured mechanism for tackling physical risks.

Logical Vulnerabilities and Threats

The logical threats associated with the pacemakers and defibrillators that Psinuvia seeks to modernize mostly involve hackers (Khan, Abbas and Al-Muhtadi 2015). Attackers can reverse engineer the communications protocols, gain access to the information held by the ICDs and use it to manipulate the functioning of the device. The hacking vulnerability of implantable cardiac devices is that attackers can remotely gain access to them by altering what the transmitter sends (Kearns 2016). Both the threats and the vulnerabilities can significantly damage the quality of the medical devices Psinuvia provides: a hacker can drain the battery of the implanted device or use it to deliver an inappropriate set of shocks, harming the patient, which would damage the reputation and reliability of the services Psinuvia intends to offer. On the corporate side these risks are reduced by segmenting the Psinuvia network with a DMZ and firewalls and by deploying anti-malware applications, as part of a structured security program for logical risks. Those controls do not, however, sit between an attacker's radio and the implant: the telemetry link itself has to authenticate every command and reject replayed ones, so that knowledge of the protocol alone is not enough to control the device.
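The following is an added example, not code from Psinuvia, Autojor or any real ICD vendor. It illustrates the paragraph above: an attacker who has reverse engineered the telemetry frame layout can forge a shock command against a device that executes commands as received, but not against one that checks a shared-key HMAC and a monotonic counter on every frame. The frame layout, command codes and key are assumptions made for this illustration.

```python
# Added example, not code from Psinuvia, Autojor or any real ICD vendor.
# It shows why knowledge of the frame layout alone should not be enough to
# command an implant: each command is authenticated with a shared-key HMAC
# and carries a monotonic counter that defeats replay. The frame layout,
# command codes and key are assumptions made for this illustration.
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Hypothetical command codes carried in a telemetry frame.
CMD_READ_STATUS = 0x01
CMD_DELIVER_SHOCK = 0x10   # the command an attacker would most want to forge

# Frame: 1 byte command | 4 byte counter | 2 byte parameter | 16 byte truncated HMAC-SHA256
HDR = struct.Struct(">BIH")
TAG_LEN = 16


def build_frame(key: bytes, counter: int, cmd: int, param: int) -> bytes:
    """Programmer side: authenticate (cmd, counter, param) under the shared key."""
    header = HDR.pack(cmd, counter, param)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


@dataclass
class UnauthenticatedImplant:
    """The situation the text warns about: commands are executed as received."""
    log: list = field(default_factory=list)

    def accept(self, frame: bytes) -> tuple:
        cmd, _counter, param = HDR.unpack(frame[:HDR.size])
        self.log.append((cmd, param))
        return True, "ok"


@dataclass
class AuthenticatedImplant:
    """Device side: holds the shared key and the last accepted counter."""
    key: bytes
    last_counter: int = 0
    log: list = field(default_factory=list)

    def accept(self, frame: bytes) -> tuple:
        if len(frame) != HDR.size + TAG_LEN:
            return False, "bad length"
        header, tag = frame[:HDR.size], frame[HDR.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: a byte-by-byte early exit would leak the tag.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        cmd, counter, param = HDR.unpack(header)
        # The counter is inside the authenticated data, so a captured frame
        # cannot be replayed and the attacker cannot bump it without the key.
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        self.log.append((cmd, param))
        return True, "ok"


def demo() -> dict:
    """Legitimate command, forged command, tampered command and replay,
    run against both implant models with a constructed key."""
    key = hashlib.sha256(b"constructed-demo-key").digest()  # constructed, not a real key
    secure, naive = AuthenticatedImplant(key), UnauthenticatedImplant()
    results = {}

    good = build_frame(key, counter=1, cmd=CMD_READ_STATUS, param=0)
    results["legitimate"] = secure.accept(good)

    # Attacker has reverse engineered the layout but not the key.
    forged = build_frame(b"guess", counter=2, cmd=CMD_DELIVER_SHOCK, param=30)
    results["forged"] = secure.accept(forged)
    naive.accept(forged)            # executed without question

    # Attacker flips the command byte of a captured legitimate frame.
    tampered = bytes([CMD_DELIVER_SHOCK]) + good[1:]
    results["tampered"] = secure.accept(tampered)

    # Attacker replays the captured legitimate frame verbatim.
    results["replay"] = secure.accept(good)

    results["secure_executed"] = list(secure.log)
    results["naive_executed"] = list(naive.log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hard parts this example leaves out are key provisioning (a per-device key established at implantation or pairing, never a fleet-wide constant) and emergency access, where a clinician who does not hold the key must still be able to program the device; both have to be designed before such a scheme is usable in practice.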

ISO 13485 is designed for organizations involved in the design, production, supply, installation and servicing of medical devices and the services associated with them (Sánchez, Casado and Jarén 2018). It can be used internally and by external parties such as certification bodies. As with the other ISO management system standards, organizations are not always required to be certified to ISO 13485 and can benefit from implementing it regardless. All ISO standards are reviewed every five years so that revisions can be made where needed and the standard remains relevant to the market. The revised ISO 13485:2016 responds to current quality management practice, including changes in technology and in regulatory requirements, and places greater emphasis on risk management and a risk-based approach to informed decisions.

ISO 13485 is a quality management standard, not a privacy standard: it does not by itself ensure the protection of personally identifiable information (PII) or protected health information (PHI), so the HIPAA and GDPR obligations discussed later in this report have to be met separately. The standard should nevertheless be applied across Psinuvia, and recommending it to users together with password-based verification and secure usage practices will help mitigate risks to Psinuvia products.


ISO 16142 sets out the recognized essential principles of safety and performance of medical devices (Design and Current 2017). Part 1 (ISO 16142-1:2016) covers general medical devices and Part 2 (ISO 16142-2:2017) covers in vitro diagnostic (IVD) medical devices. Both parts give guidance on selecting the standards to be used in assessing the conformity of a device against those principles; a device that meets them is considered safe and performing as intended.

Industry Standards

Psinuvia Inc. should apply policies so that personally identifiable information (PII) is obtained from users securely and the responsibility for keeping the data secure is shared between the company and the user. For employees this PII includes biographic and demographic information, criminal records, home address, grievances, disciplinary record, leave, payroll benefits and health information.

Mobile phones should only be allowed on the network after the device has been registered, and users should obtain network credentials for the device only after successful registration. In other words, to make BYOD available to Psinuvia staff, no access to the company Wi-Fi should be permitted without a valid per-user username and password (for example WPA2-Enterprise with 802.1X rather than a shared pre-shared key), so that a lost device or a departing employee can be revoked individually.

For the compliance duties of the IT departments to be fulfilled, a Corporate Compliance Officer (CCO) should be employed who is responsible for overseeing the administration, management, development and implementation of the daily operational tasks required to maintain an effective compliance program (Eaton and Tumelty 2017). The purpose is to direct initiatives that promote compliance with policies across the company.

The CCO should be granted unrestricted authority to review documents and information relating to compliance duties and to perform audits (Elgammal et al. 2016). The CCO should also have access to employees, agents and professionals, as well as assistance from third-party firms, in order to supervise department staff.

The functional responsibility for reviewing compliance should be divided among the compliance team headed by the CCO, the audit committee and the board. Functional reporting should come from the senior management of the teams rather than from the officers themselves.

The responsibilities of the CCO at Psinuvia should include the following:

  • Developing and updating compliance policies and procedures.
  • Administration of compliance activities and supervision of compliance staff.
  • Monitoring of compliance with the Code of Conduct.
  • Conducting compliance checks and regular audits.
  • Reporting compliance issues regularly to the audit committee and the board.

The IT department duties pertaining to the compliance and risk departments of Psinuvia can be structured in the following way:

IT Department Duties | Department | Director of Security
Evaluation, investigation and documentation of non-compliance | Risk | Chief Information Security Officer
Maintaining reports of policy compliance | Compliance | Chief Compliance Officer
Development and review of compliance awareness programs | Compliance | Chief Compliance Officer
Show strong technical know-how in reviewing compliance | Compliance | Chief Technology Officer

The functional areas of the CCO involve the following:

The CCO is to advise senior management on compliance laws, standards and rules, and keep it informed of developments in the area.

The compliance function is to assist senior management in educating company staff on compliance issues.

Compliance risks need to be identified, measured and assessed, and this function must be carried out proactively.

The compliance requirements that apply within the company must be continuously monitored, tested and reported on.

The PCI DSS compliant policies required for the organization are the following (Hendre and Joshi 2015; Porter 2017):

  • Install and maintain firewall configurations that protect the cardholder data of customers purchasing medical equipment from Psinuvia.
  • Replace the default credentials supplied by vendors with different ones before any system goes into service.
  • Protect stored cardholder data and encrypt cardholder data in transit, so that interested customers pay through encrypted payment methods.
  • Deploy antivirus and anti-malware software on every system in the network that handles transactions for medical devices, and keep its threat definitions updated.
  • Restrict access to payment information sent by the customer to identified, authenticated users on a need-to-know basis.
  • Test the payment gateway and the surrounding security systems regularly, providing comprehensive quality check certification before the service is made available to customers.

Policies

The roles and responsibilities in the tokenization process vary with the stakeholders involved, mainly the Tokenization Service Provider (TSP), depending on the deployment, and the merchant. Tokenization takes the primary account number (PAN) out of the merchant's systems and replaces it with a token that has no value outside the TSP's vault. The reduction in PCI DSS scope this yields has to be evaluated carefully for each component, since any system that still stores, processes or transmits the PAN, or can retrieve it from the token, remains in scope.
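The following is an added example, not Psinuvia's or any TSP's code. It models the split described above: the TSP keeps PANs in its vault and is the only party that can detokenize, the merchant keeps orders with tokens only, and a scope check scans the merchant's records for anything that still looks like a PAN. The token format, record layout and the in-memory vault are assumptions made for this illustration.

```python
# Added example, not Psinuvia's or any TSP's code. It models the split the text
# describes: the Tokenization Service Provider (TSP) keeps PANs in its vault,
# the merchant keeps only tokens, and a scan of the merchant's records checks
# that no PAN has leaked back into scope. Token format and record layout are
# assumptions for illustration; the vault is an in-memory dict standing in for
# the TSP's protected store.
import re
import secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: true for well-formed card numbers, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenizationService:
    """TSP side: the only party that can map a token back to a PAN."""

    def __init__(self):
        self._vault = {}          # token -> PAN; this store stays in PCI DSS scope

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        while True:
            # Keep the last four digits (for receipts), randomize the rest, and
            # reject candidates that pass Luhn so a token is never mistaken for a PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_ok(token) and token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


class Merchant:
    """Merchant side: stores orders with tokens only, never the PAN."""

    def __init__(self, tsp: TokenizationService):
        self.tsp = tsp
        self.orders = []

    def take_order(self, item: str, pan: str) -> dict:
        token = self.tsp.tokenize(pan)   # PAN handed to the TSP at capture time
        order = {"item": item, "card_token": token, "last4": token[-4:]}
        self.orders.append(order)
        return order


def pans_in_scope(records) -> list:
    """Scope check: return every digit run in the records that looks like a real PAN."""
    found = []
    for rec in records:
        for run in PAN_RE.findall(" ".join(str(v) for v in rec.values())):
            if luhn_ok(run):
                found.append(run)
    return found


def demo() -> dict:
    pan = "4111111111111111"           # constructed test PAN, not a real card
    tsp = TokenizationService()
    merchant = Merchant(tsp)
    order = merchant.take_order("Pacemaker programmer cable", pan)
    # A record that wrongly kept the raw PAN, e.g. a support note pasted by staff.
    leaky_records = merchant.orders + [{"note": f"customer called about card {pan}"}]
    return {
        "pan": pan,
        "token": order["card_token"],
        "merchant_scope": pans_in_scope(merchant.orders),
        "leaky_scope": pans_in_scope(leaky_records),
        "tsp_lookup": tsp.detokenize(order["card_token"]),
    }


if __name__ == "__main__":
    print(demo())
```

Note that in this example the PAN still passes through the merchant's process on its way to the TSP, which is exactly the kind of component the text says must be evaluated: in a deployment that actually reduces scope, the PAN is captured directly by a TSP-hosted form or terminal so the merchant never handles it, and the scope scan is run against every merchant data store, logs and support tickets included.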

To protect customer information in accordance with GDPR, every interaction with the customer needs to be protected (Albrecht 2016). End-to-end encryption is to be applied to the messaging, mailing and chat services on the portal where interactions with customers take place. This is to be done by developing support for the web app of ProtonMail, a leading provider of encrypted mailing services, which is regarded here as more assuring for GDPR compliance because it is also used by European Union governments. Note that using an encrypted provider does not on its own make Psinuvia's processing compliant: the provider is a processor under GDPR, so a data processing agreement under Article 28 is still required, and the measures below still apply.

Psinuvia can conform to the GDPR requirements in the following ways:

  1. Understanding the basic rights and responsibilities
  2. Understanding the data the business deals with and respecting its sensitivity
  3. Reviewing and defining the data consent policy being exercised
  4. Disposing of old and unnecessary data
  5. Providing secure data storage
  6. Appointing a data protection officer responsible for the stored data
  7. Training staff in the handling of data
  8. Creating subject access request plans
  9. Ensuring that suppliers are also compliant with GDPR
  10. Creating notices for the processing of data

The Health Insurance Portability and Accountability Act (HIPAA) controls how protected health information (PHI) is gathered, stored, used and accounted for by businesses in the healthcare field (Berwick and Gaines 2018). Its five titles are as follows. Title I protects the health insurance coverage of workers who change or lose their jobs and limits the exclusions that group health plans can impose for pre-existing conditions. Title II (Administrative Simplification) directs the US Department of Health and Human Services to establish national standards for electronic health care transactions, and it is the basis of the Privacy Rule and the Security Rule that govern PHI. Title III contains tax-related provisions, including those for medical savings accounts. Title IV sets out further requirements for group health plans, including the treatment of individuals with pre-existing conditions. Title V covers revenue offsets, including the treatment of individuals who lose US citizenship for tax purposes.

Among these, Psinuvia Inc. is mainly required to follow Title II, since its Privacy and Security Rules govern the PHI that the company's devices and supporting systems handle, and its standards apply to the electronic health care transactions the company takes part in. The tax provisions of Title III affect the company only as a taxpayer and do not bear on how it protects patient data.

The steps necessary for Psinuvia to achieve HIPAA compliance are:

  1. Developing the privacy policies
  2. Appointing security and privacy officers
  3. Conducting risk assessments regularly
  4. Adopting policies for mailing services
  5. Adopting policies for mobile devices
  6. Providing training to staff
  7. Providing notices of privacy practices
  8. Concluding valid business associate agreements
  9. Addressing potential breaches of the protocols
  10. Implementing the privacy policies

While Psinuvia Inc. is taking steps to conform to the HIPAA provisions, federal fines exist for non-compliance, and HIPAA violations have already been committed by the company. Investigations are therefore to be conducted to establish the federal fines that can be charged against Psinuvia for past violations.

The only business continuity plan currently present within Psinuvia is a rudimentary plan for dealing with the effects of natural disasters, mainly because the major hub of operations is located in the Dallas region of Texas, which is often subject to tornadoes and floods. A comprehensive business continuity plan needs to take precautions against all kinds of threats to the normal functioning of the firm (Furfaro, Gallo and Saccà 2016). This includes preventing power failure, network failure and hardware failure, as well as preventing the business systems from being infected by viruses and malware or suffering data theft by hackers. For this, regular maintenance of power, network and computer hardware systems is to be conducted, along with procurement of backup power devices and redundancy in the network infrastructure. To prevent infection from information security risks, DMZ networks, firewalls and antivirus software need to be installed. On top of this, company staff should be trained to follow secure usage policies and compliance requirements.

To keep the business continuity plan consistent with CISSP practice, the BCP is to be developed in the following steps:

  1. Project initiation and management
  2. Business impact analysis
  3. Recovery strategies
  4. Plan design and development
  5. Training, testing and implementation

Conclusion

This report has explained how threats and vulnerabilities can critically affect the regular operations of an organization, using the Autojor Security Consultants review of Psinuvia Inc. as its basis. It covered the physical and logical vulnerabilities and threats to the implantable devices Psinuvia supplies, the ISO standards that apply to its operations, the compliance duties of its departments and the role of the Chief Compliance Officer in enforcing them, a PCI DSS based policy for the card payment modules, the measures needed for GDPR compliance, the HIPAA provisions that apply together with the steps required to assess penalties for past violations, and finally a business continuity plan that extends beyond the company's existing natural disaster plan.

References

Albrecht, J.P., 2016. How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p.287.

Berwick, D.M. and Gaines, M.E., 2018. How HIPAA harms care, and how to stop it. Jama, 320(3), pp.229-230.

Design, B. and Current, G., 2017. The Roundup. Birth of a Standard, p.360.

Eaton, S. and Tumelty, M.E., 2017. Director’s duties under the Companies Act 2014.

Elgammal, A., Turetken, O., van den Heuvel, W.J. and Papazoglou, M., 2016. Formalizing and appling compliance patterns for business process compliance. Software & Systems Modeling, 15(1), pp.119-146.

Furfaro, A., Gallo, T. and Saccà, D., 2016, August. Modeling cyber systemic risk for the business continuity plan of a bank. In International Conference on Availability, Reliability, and Security (pp. 158-174). Springer, Cham.

Hendre, A. and Joshi, K.P., 2015, June. A semantic approach to cloud security and compliance. In 2015 IEEE 8th International Conference on Cloud Computing (pp. 1081-1084). IEEE.

Kearns, G.S., 2016. Countering mobile device threats: A mobile device security model. Journal of Forensic & Investigative Accounting, 8(1), pp.36-48.

Khan, J., Abbas, H. and Al-Muhtadi, J., 2015. Survey on mobile user’s data privacy threats and defense mechanisms. Procedia Computer Science, 56, pp.376-383.

Omar, S., 2017. Information system security threats and vulnerabilities: evaluating the human factor in data protection (Doctoral dissertation).

Papp, D., Ma, Z. and Buttyan, L., 2015, July. Embedded systems security: Threats, vulnerabilities, and attack taxonomy. In 2015 13th Annual Conference on Privacy, Security and Trust (PST) (pp. 145-152). IEEE.

Porter, J., 2017. Evaluating and designing a network and information security solution for a company in accordance with PCI DSS.

Sánchez, M.E., Casado, J. and Jarén, G., 2018. Implementación de la Norma ISO 13485 en Laboratorios de Verificación de Equipamiento Médico. Revista Argentina de Bioingeniería, 22(1), pp.37-44.

Shedden, P., Ahmad, A., Smith, W., Tscherning, H. and Scheepers, R., 2016. Asset identification in information security risk assessment: A business practice approach. Communications of the Association for Information Systems, 39(1), p.15.