Competency C
Demonstrate strong understanding of security and ethics issues related to informatics, user
interface, and inter-professional application of informatics in specific fields by designing and
implementing appropriate information assurance and ethics and privacy solutions.
Introduction and PLO Discussion
Cybersecurity Breaches and Incidents
From November 2023 to April 2024, 6,845,908,997 known records were breached in 2,741 publicly disclosed incidents (IT Governance, 2024). Among the most breached sectors in the USA, IT services and software unsurprisingly ranked first by known records breached (4,299,434,845), while healthcare ranked first by number of publicly disclosed incidents (415) (IT Governance, 2024). These staggering statistics highlight the concerning increase in cybersecurity incidents over the years, and as technologies continue to evolve and the adoption of AI accelerates, the risks to individuals’ privacy and security are likely to keep growing.
Privacy, Security, and Ethics
Although sometimes used interchangeably, the principles of privacy and security bear similar yet distinct meanings. Privacy is the right to control how your personal information is viewed and used, while security is the protection against threats through the application of safeguards (Okta, 2024). Both principles are interrelated with the concept of ethics, which defines “right and wrong actions in specific situations and is fundamental to society” (Augusta University, n.d.).
The Significance of Cybersecurity in the Healthcare Sector
While cybersecurity is an important consideration for any organization, it is particularly vital to the healthcare sector due to the sheer amount of protected health information (PHI) and personally identifiable information (PII) involved. PHI refers to “any health information that includes any of the 18 elements identified by the Health Information Portability and Accountability Act (HIPAA) and maintained by a covered entity or any information that can be reasonably used to identify a person” (IRB Office, n.d.). In a similar but distinct vein, PII pertains to “data used in research that is not considered PHI and is therefore not subject to the HIPAA Privacy and security Rules” (IRB Office, n.d.). Because malicious actors continually evolve their tactics and methods, cybersecurity incidents in the healthcare industry have become a steady yet unwelcome presence.
Relevant Coursework and Future Goals
The courses that I believe most closely tie in with Competency C are the following two courses: INFM 202: Informatics Security Overview and INFM 208: Information Security – Information Assurance. Through discussion boards and a presentation, I obtained a foundational understanding of concepts related to information security, cybersecurity, privacy, ethics, and protective/safeguarding mechanisms. Simulation labs provided me with the opportunity to learn, explore, and apply this knowledge related to information security as well as common tactics utilized by hackers and other malicious actors. More importantly, these assignments and projects reaffirmed to me the significance of securing and safeguarding devices whether at a personal or corporate level. Though I did not explore the Cybersecurity Pathway, I believe that the core courses of INFM 202 and INFM 208 were integral components of the MS in Informatics program and that having a basic understanding of cybersecurity is beneficial for any information science professional to possess. As a future educational goal, I hope to take the Google x Coursera Cybersecurity Professional Certificate program to add to my basic understanding of the cybersecurity realm. Additionally, I believe it would be worthwhile to study for and take at least one certification exam by CompTIA.
Evidence Selection
Due to their explicit connection with information security and cybersecurity principles, I selected my evidence from INFM 202: Informatics Security Overview and INFM 208: Information Security – Information Assurance. While providing foundational knowledge in the aforementioned principles, these two courses heavily emphasized upholding the values of privacy, security, and ethics. As information science professionals, it is essential to have a good grasp of information security in order to better protect and safeguard the information resources and assets we work with.
Evidence #1: INFM 202 (Identity Theft Resource Center Discussion)
This discussion post for INFM 202: Informatics Security Overview delves into five distinct data breaches out of the several hundred cybersecurity breaches reported by the Identity Theft Resource Center. The Identity Theft Resource Center is a national non-profit that maintains the largest U.S. aggregate of data breach information and empowers and guides individuals and organizations “to minimize risk and mitigate the impact of identity compromise and crime” (Identity Theft Resource Center, n.d.). Through this particular exercise, I selected 5 organizations which were affected by cybersecurity breaches and went on to identify which assets were compromised, the method of attack utilized, and the type of threat actor(s) involved. LA County Department of Mental Health was one organization that stood out in particular to me, as information related to one’s mental health is particularly sensitive and the subject matter of mental health is one that is close to my heart. For this particular cybersecurity incident, I was particularly struck by how the malicious actor was able to gain access to an employee’s Microsoft account through push notification spamming. This unfortunate situation showcases how nefarious entities will go to great lengths to infiltrate and gain access to such crucial information.
Evidence #2: INFM 202 (Information Security Fundamentals Performance Report)
As part of INFM 202: Informatics Security Overview, I am presenting my Information Security Fundamentals performance report as evidence of Competency C. Throughout this course, I gained a comprehensive overview of topics including recognizing and understanding security threats and vulnerabilities and obtaining knowledge of the most up-to-date methods, skills, and tools to best protect and safeguard information resources and assets. These hands-on InfoSec labs provided me with a glimpse of the information security/cybersecurity realm and assisted me in demonstrating and applying my understanding of various topics, including the following: Securing the pfSense Firewall, Implementing Security Policies on Windows and Linux, Crafting and Deploying Malware Using a Remote Access Trojan (RAT), and Using Public Key Encryption to Secure Messages.
Evidence #3: INFM 208 (Final Presentation)
For INFM 208: Information Security – Information Assurance, I designed this presentation showcasing an information assurance plan for my organization of choice, Mt. Sinai Chicago – Health, a multi-site healthcare system. I demonstrated my understanding of information assurance and its significance as well as other key areas, including compliance with the National Institute of Standards and Technology (NIST), critical regulatory compliance requirements, relevant security policies, and various types of risk assessments (Risk Assessment Plan, SWOT Analysis, and Gap Analysis). Abiding by the standards set forth in the NIST Framework and/or other cybersecurity frameworks, adhering to critical regulatory compliance requirements, implementing relevant security policies, and consistently and routinely conducting risk assessments are all essential to maintaining the overall data security and well-being of one’s organization. In my closing presentation slide, I emphasized that by learning from the past, maintaining and fortifying the present, and safeguarding the future, information science professionals are well-equipped to tackle the cybersecurity issues and incidents that present themselves.
References
Augusta University. (n.d.). Cybersecurity ethics: What cyber professionals need to know. Augusta University. https://www.augusta.edu/online/blog/cybersecurity-ethics
Identity Theft Resource Center. (n.d.). About us. Identity Theft Resource Center. https://www.idtheftcenter.org/about-us/
Institutional Review Board (IRB) Office. (n.d.). HIPAA, PHI, & PII. Northwestern University Office of Research. https://irb.northwestern.edu/resources-guidance/consent-templates-hipaa-requirements/consent-hipaa/hipaa-phi-pii.html
IT Governance USA. (2024, June 18). Data breaches and cyber attacks – USA Report 2024. IT Governance USA. https://www.itgovernanceusa.com/blog/data-breaches-and-cyber-attacks-in-2024-in-the-usa
Okta. (2024, August 29). Data privacy vs. security: Maintaining privacy and security in the digital age. Okta. https://www.okta.com/identity-101/privacy-vs-security/