Lab 1 Organizational Profile

Case Organization: Chesapeake HealthConnect (CHC)

(Fictional Organization)

1. Organization Overview

Organization Name: Chesapeake HealthConnect (CHC)

Industry: Healthcare Services & Digital Health

Headquarters: Maryland, USA

Employees: ~650

Annual Revenue: ~$180 Million

Service Area: Mid-Atlantic Region

Chesapeake HealthConnect (CHC) is a mid-sized healthcare provider operating six outpatient clinics, two specialty care centers, and a growing telehealth platform.

2. Mission and Business Objectives

Mission: To provide accessible, high-quality, technology-enabled healthcare services while protecting patient privacy and maintaining regulatory compliance.

Strategic Objectives:

Expand telehealth services by 30% within two years

Improve patient experience

Maintain HIPAA compliance

Reduce operational costs

Strengthen cybersecurity governance

3. Core Systems and Technology Environment

Major Systems:

Electronic Health Record (Cloud)

Patient Portal (Cloud)

Billing System (On-Prem)

Telehealth Platform (SaaS)

HR System (Cloud)

Network Infrastructure (On-Prem)

Characteristics:

Microsoft 365

VPN

Partial MFA

Legacy Servers

Limited Logging

4. Data Classification and Information Assets

Primary Data Types:

PHI (High)

PII (High)

Financial Data (High)

HR Records (Moderate)

Research Data (Moderate)

5. Regulatory and Compliance Environment

Applicable Regulations:

HIPAA Privacy Rule

HIPAA Security Rule

HITECH Act

Maryland Health Information Exchange Regulations

FTC Safeguards Rule (for financial data)

6. Organizational Structure and Governance

CHC's leadership structure includes a Chief Executive Officer (CEO), Chief Medical Officer (CMO), Chief Information Officer (CIO), Director of Compliance, and an IT Manager. The organization does not employ a full-time Chief Information Security Officer, and cybersecurity responsibilities are divided between the CIO and IT Manager. This distributed model has resulted in limited centralized governance, informal risk reporting processes, and reduced visibility of cybersecurity risks at the executive and board levels. Competing clinical priorities and budget constraints further limit strategic security planning.

7. Business Operations and Dependencies

The organization's core business operations include patient care delivery, appointment scheduling, prescription management, insurance billing, and telehealth services. These operations are highly dependent on the availability and reliability of digital systems. CHC relies heavily on third-party cloud service providers, Internet service providers, payment processors, medical device vendors, and a managed IT service provider. Disruption to any of these dependencies could significantly affect patient safety, service delivery, and organizational revenue.

8. Threat Landscape

CHC faces a dynamic and evolving cyber threat landscape that reflects trends across the healthcare sector. Primary threats include phishing and social engineering attacks, ransomware campaigns, insider threats, credential theft, and third-party supply chain breaches. The increased use of telehealth platforms and remote access technologies has expanded the organization's attack surface. Recent ransomware incidents affecting regional healthcare providers have heightened executive concern regarding cybersecurity preparedness.

9. Current Security Posture

The organization has implemented several baseline security controls, including antivirus and endpoint protection, perimeter firewalls, partial multi-factor authentication, annual HIPAA training, and weekly system backups. However, security maturity remains limited. CHC lacks a formal Zero Trust architecture, maintains an incomplete asset inventory, conducts vulnerability assessments infrequently, and has not fully developed its incident response and recovery plans. Penetration testing is performed only on an ad hoc basis.

10. Business Impact Considerations

A significant cybersecurity incident could have severe consequences for CHC's operations and reputation. Potential impacts include disruptions to patient care, compromise of protected health information, regulatory investigations, financial penalties, civil litigation, and loss of public trust. Prolonged system outages could affect revenue collection and clinical services. Industry benchmarking suggests that a major breach could result in direct and indirect costs ranging from four to seven million dollars.

Estimated Impact: $4-7 million

------------------------------------------------------------

Lab Assignment #1: Organizational Risk Foundations & CIA Analysis

Title: Enterprise Risk Baseline & CIA Impact Assessment

Course Alignment: Weeks 1-3 (Risk Management + Managing Risk + Compliance)

Purpose

This lab builds students' ability to:

  • Summarize the organization's risk environment, providing a synopsis of its cyber hygiene based on the information provided
  • Apply the CIA Triad
  • Identify threats and vulnerabilities
  • Connect risk to business impact

Scenario

Students act as a Risk Analyst for a mid-sized organization.

They must assess the organization's baseline cyber risk posture.

Student Tasks

Part 1: Organizational Profile

Students describe:

  • Organization type
  • Core systems
  • Sensitive data handled
  • Regulatory exposure
  • Business priorities

Part 2: CIA Risk Analysis

For three critical systems, students evaluate each of the following (one row per system):

System | Confidentiality Risk | Integrity Risk | Availability Risk | Impact

They must explain:

  • How each CIA element could be compromised
  • Operational consequences
  • Legal/compliance risks

Part 3: Threat-Vulnerability Mapping

Students identify:

  • 5 major threats
  • Related vulnerabilities
  • Likely exploitation paths

Example:

Phishing > Weak training > Credential theft > Data breach

Part 4: Executive Summary

Students translate findings into business language:

  • Top 3 risks
  • Business impact
  • High-level mitigation priorities

Deliverables

One document containing:

  1. Organizational profile
  2. CIA analysis
  3. Threat mapping
  4. Executive summary with action plan

Length: 4-6 pages (APA format)

Grading Criteria

Area                     | Points
Risk Identification      | 4
CIA Analysis             | 4
Business Translation     | 3
Organization & Writing   | 2
Sources & Citations      | 2

Total: 15 points
