The management team at a mid-sized hospital that employs 400 people decided to conduct an information-security risk evaluation. The president of the hospital was very concerned about impending data security regulations that are a part of the Health Insurance Portability and Accountability Act (HIPAA). Management team members also believed that improving the hospital's security posture makes good business sense. Any disruptions to operations would likely have financial, productivity, and patient health implications. Reducing risks that could affect hospital operations would also likely improve the overall operational effectiveness of the hospital. A subcommittee was assigned to review several security evaluation approaches; it recommended that the hospital use the Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) Method.
The OCTAVE Method is a self-directed information-security risk evaluation in which people from an organization manage and direct the evaluation for their organization. The OCTAVE Method achieves self-direction by requiring a small, interdisciplinary team of an organization's personnel, called the analysis team, to lead the organization's evaluation process.
The hospital includes several clinics and labs, some of which are at remote locations. The organizational structure includes the following functional areas:
Permanent administrative organization
Permanent and temporary medical personnel, including
- Medical staff
Permanent and temporary maintenance personnel, including
- Facility staff
- Maintenance staff
Small information technology (IT) department (10 people) responsible for onsite computer and network maintenance and for help desk activities
Each functional area of the hospital contains one or more operational areas. The head of each operational area is considered to be a middle manager in the organization. Figure 1 shows the organizational chart for the hospital.
An independent contractor provides support for most of the hospital's systems as well as for the network. The hospital's IT staff maintains some of the legacy systems still being used by medical and administrative staff members. The in-house IT staff also provides onsite help desk support and basic system maintenance.
Figure 1 Organizational chart for the hospital.