{ "_provenance": { "methodology": "Single-stage evidence-to-findings eval mirroring Bastion's analyze-evidence prompt and model. The system/user prompts are a verbatim port of Bastion's buildEvidenceAnalysisPrompt (prompt key analyze-evidence, version 6.1.0) with the NIST CSF 2.0 framework context and FULL_WRITING_STANDARDS; the output shape mirrors evidenceAnalysisSchema from parsers.ts. Bastion invokes this prompt through the Vercel AI SDK Output.object wrapper; the harness reproduces the prompt text verbatim and appends an explicit JSON schema instruction in place of that wrapper, calling the Anthropic Messages API directly. Control descriptions come from Bastion's seed migration and per-control assessment guidance from assessment-meta.ts, exactly as the production analyze route enriches them. Scoring is a pinned golden contract: a case passes when every mustFind expectation is matched (findingType match, severity at or above the expected floor for gaps/risks, and at least one keyword present in the finding's observation/gaps text) and no mustNot rule is violated (no findings for controls outside the assigned set; every finding's quote must appear verbatim in the evidence document, whitespace-normalized). RAG retrieval, Haiku bottom-up discovery, smart filtering, batching/dedup, and the multi-stage Haiku verification pass are NOT exercised; production also post-filters out-of-scope findings that this eval instead reports as violations. Evidence documents are canned synthetic scenarios about a fictional company, written for this eval. The artifact renders whatever happened, including failures. Numbers come from the corrected scorer described in scoringReview, re-applied to the SAME first-run model responses, which are committed at scripts/studies/bastion-eval/responses/; no response was regenerated, edited, or retried.", "rawResponses": "The unedited first-run Anthropic API response bodies are COMMITTED at scripts/studies/bastion-eval/responses/.json (model outputs over synthetic fixtures; no client data, no secrets). Each is keyed to a sha256 of model id + system + user prompt, so any drift in the prompt, the case, or Bastion's model id invalidates it. Re-score them without any API access via `node scripts/studies/bastion-eval/run-eval.mjs --rescore-only`; this regenerates the artifact identically except generatedAt. The rescore re-derives the prompt and control definitions from the Bastion repo (read-only, BASTION_REPO env var), which is private; without it you can still audit the committed responses, cases, and scorer source directly.", "scoringReview": { "reviewedAt": "2026-06-11", "firstRunPublished": "The first run was published raw on 2026-06-11: 1/20 cases passed, mustFind recall 52.5%, citation validity 71.9%. The mandated review step had not run. This review then audited every one of the 28 unmatched mustFind expectations against the cached model responses and the evidence documents.", "firstRunArtifactNote": "The raw 1/20 first-run artifact file itself was NOT preserved: the scorer was corrected in place before this repo adopted the practice of keeping versioned score artifacts, so the 1/20 figure survives only as this review's recorded starting point, not as a regenerable file. What IS preserved and committed: the unedited first-run model responses (scripts/studies/bastion-eval/responses/) and the corrected scorer, which together reproduce this artifact's published numbers exactly via --rescore-only.", "classification": { "unmatchedMustFindsReviewed": 28, "harnessDefect": 17, "phrasing": 1, "realMiss": 10, "realMissBreakdown": "5 findings surfaced but rated below the expected severity floor, 3 strength expectations where the model produced no strength-typed finding at all, 2 seeded gaps not surfaced in any finding." }, "defectsFixed": [ "Citation normalization (affected 27 of 32 invalid citations): the checker rejected quotes that faithfully reproduce the evidence's prose but not its markup. The model omits markdown bold/emphasis markers, blockquote '>' prefixes and NOTE/OBSERVATION labels, renders table pipes as punctuation, and swaps double quotes for single quotes inside JSON strings. Bastion's own verification pass accepts near-verbatim quotes, so the scorer was stricter than the system it mirrors. Fix: markup characters and quote marks are stripped from both sides; stitched multi-sentence quotes pass only if every quoted sentence of 20+ chars appears verbatim. The 5 remaining invalid citations are genuine: 3 light paraphrases in gv-00 (the model inserted a word into the quote) and 2 reconstructed table rows in rs-01 presented as quotes.", "Finding-type escalation (affected 17 of 28 unmatched mustFinds): when the model reported a seeded gap as findingType 'risk', often with HIGHER severity than the expectation floor, the exact-type match scored it as a miss. Bastion's prompt and analyze route rank risk as strictly worse than gap with identical downstream handling, so escalation is correct behavior, not a miss. Fix: a risk-typed finding now satisfies a gap expectation; the severity floor still applies; a gap finding still does not satisfy a risk expectation." ], "expectationTunes": [ "rc-02-recovery-interview mf-1 (PHRASING, loosened): the model surfaced the seeded restore-without-scanning gap as 'restored ... without scanning for ransomware binaries' (risk/high), but the keyword net only listed 'ransomware binary' (singular) and two phrasings the model did not use. Added the model-independent variants; see the _tuned note in the case file.", "id-02-risk-cadence mf-2 (tightened, anti-credit): the 'risk register' keyword would have cross-matched the ID.RA-05 overdue-assessment finding already credited to mf-1, granting spurious credit after the escalation fix. Removed it so mf-2 tracks only the seeded treatment-plan item, which the model rated below the expected severity floor and which therefore stays a REAL miss." ], "controlsCoverageAudit": "Verified for every case that the prompt included the control definition for each controlId the expectations reference (no mustFind hints a control absent from the prompt), that no findings were dropped in parsing (raw analyses count equals scored count for all 20 cases), and that no response was truncated (stop_reason end_turn everywhere). No case required a live re-run; every number derives from the original first-run responses committed at scripts/studies/bastion-eval/responses/." }, "bastionRepo": "C:/Users/semaa/Documents/GitHub/Bastion (read-only mirror; never written or git-mutated by this harness)", "bastionSha": "968c574c3a8266089e2d8cfb85f7844855c5eafd", "mirroredFiles": [ "src/lib/llm/prompts/analyze-evidence.ts", "src/lib/llm/prompts/writing-standards.ts", "src/lib/llm/client.ts", "src/lib/llm/parsers.ts", "src/lib/frameworks/registry.ts", "src/lib/frameworks/assessment-meta.ts", "supabase/migrations/003_seed_nist_csf.sql", "src/app/api/analyze/evidence/route.ts" ], "promptKey": "analyze-evidence", "promptVersion": "6.1.0", "modelResolution": "Bastion's analyze route resolves the analysis model via BYOK -> ANTHROPIC_API_KEY env -> AI Gateway. With ANTHROPIC_API_KEY set (the credential this harness uses), Bastion calls the direct Anthropic SDK with DIRECT_MODELS.analysis = \"claude-sonnet-4-20250514\" (gateway alias when no key is present: \"anthropic/claude-sonnet-4.6\"). The harness parses this id from client.ts at runtime; it is not hardcoded.", "harness": "scripts/studies/bastion-eval/run-eval.mjs" }, "generatedAt": "2026-06-11T08:51:27.786Z", "model": "claude-sonnet-4-20250514", "casesTotal": 20, "casesPassed": 10, "aggregate": { "mustFindRecall": 0.831, "mustFindMatched": 49, "mustFindTotal": 59, "shouldFindRecall": 0.86, "shouldFindMatched": 49, "shouldFindTotal": 57, "citationValidityRate": 0.956, "citationsValid": 109, "citationsTotal": 114, "severityAccuracy": 0.94, "severityAccuracyPool": 84 }, "cases": [ { "caseId": "de-01-logging-policy", "csfFunction": "DE", "pass": true, "fromCache": true, "controlIds": [ "DE.CM-01", "DE.CM-03", "DE.AE-03", "PR.PS-04" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "EHR", "CareBridge", "database-tier", "audit logging", "ePHI" ], "controlIdHint": "PR.PS-04", "matched": true, "matchedControlId": "PR.PS-04", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "retention", "30 days", "cold archive", "365" ], "controlIdHint": "PR.PS-04", "matched": true, "matchedControlId": "PR.PS-04", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "medical device", "infusion", "biomedical" ], "controlIdHint": "DE.CM-01", "matched": true, "matchedControlId": "DE.CM-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "NTP", "time synchronization", "clock drift" ], "controlIdHint": "DE.AE-03", "matched": true, "matchedControlId": "DE.AE-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "weekly authentication", "privileged-access log review", "never reassigned" ], "controlIdHint": "DE.CM-03", "matched": true, "matchedControlId": "DE.CM-03", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "Splunk", "centralized", "onboarding", "append-only" ], "controlIdHint": "DE.AE-03", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 4, "valid": 4 }, "usage": { "inputTokens": 5813, "outputTokens": 1249 }, "summary": "The Security Logging and Monitoring Policy (POL-LM-007 v1.3) establishes a framework for enterprise logging via Splunk SIEM but reveals critical operational gaps. Medical device VLANs containing 1,100 devices are completely excluded from monitoring, log retention requirements are not met due to decommissioned archive infrastructure, and CareBridge EHR audit records are not forwarded to the SIEM despite handling ePHI.", "findings": [ { "controlId": "DE.CM-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Network monitoring excludes medical device VLANs containing 1,100 infusion pumps, telemetry monitors, and imaging workstations. Policy requires perimeter and internal firewalls plus network infrastructure to generate logs to Splunk SIEM, but biomedical device VLANs carry no network monitoring sensors and generate no log records.", "gaps": "Approximately 1,100 medical devices on biomedical VLANs are completely excluded from network monitoring and log collection. No east-west traffic monitoring for medical device communications. Medical device network activity presents blind spot for lateral movement detection.", "quote": "The biomedical device VLANs, covering approximately 1,100 infusion pumps, telemetry monitors, and imaging workstations, are excluded from log collection entirely. No medical device log records reach the SIEM, and the biomedical VLANs carry no network monitoring sensors.", "quoteValid": true }, { "controlId": "DE.CM-03", "coverage": "partial", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "Weekly privileged-access log review process has been abandoned since January 2026 when the responsible analyst left. Direct database access to ePHI in CareBridge production cluster is unlogged after database-tier audit logging was disabled in October 2025 during performance incident.", "gaps": "No ongoing review of privileged access patterns. Database-level access to ePHI is unmonitored. Personnel activity monitoring limited to application-tier login events only.", "quote": "The weekly authentication and privileged-access log review has not been performed since January 2026, when the analyst who owned the task left the company. The duty was never reassigned.", "quoteValid": true }, { "controlId": "DE.AE-03", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Clock drift of up to 4 minutes between domain controllers and Azure-hosted workloads prevents reliable cross-source correlation. Azure workloads sync to vendor defaults rather than internal NTP hierarchy. CareBridge EHR audit records are not forwarded to SIEM, eliminating correlation with other security events.", "gaps": "Time synchronization issues prevent accurate correlation of fast-moving security events. Critical EHR audit data isolated from SIEM correlation engine. Medical device networks excluded from correlation entirely.", "quote": "A February 2026 correlation exercise found clock drift of up to 4 minutes between the domain controllers and Azure-hosted workloads, which sync to vendor defaults rather than the internal NTP hierarchy. Cross-source correlation of fast-moving events is unreliable at this level of drift.", "quoteValid": true }, { "controlId": "PR.PS-04", "coverage": "partial", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "Log retention requirements are not met - Splunk holds only 30 days of searchable data instead of required 365 days minimum and 6 years for ePHI. Cold archive tier was decommissioned during FY2025 budget reduction and never replaced. CareBridge EHR generates ePHI audit records but does not forward them to SIEM.", "gaps": "365-day and 6-year retention requirements not met for any log source. ePHI audit records not centrally collected. Medical device logs not generated. Firewall, VPN, and authentication events older than 30 days are unrecoverable.", "quote": "Splunk hot and warm storage currently holds 30 days of searchable data. The cold archive tier was decommissioned during the FY2025 budget reduction and was never replaced. Firewall, VPN, and authentication events older than 30 days are unrecoverable. The 365-day and 6-year retention requirements ar…", "quoteValid": true } ], "findingsTotal": 4 }, { "caseId": "de-02-soc-alert-triage", "csfFunction": "DE", "pass": false, "fromCache": true, "controlIds": [ "DE.CM-01", "DE.CM-09", "DE.AE-02", "DE.AE-07", "DE.AE-08" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "suppression", "silenced", "lateral movement" ], "controlIdHint": "DE.AE-02", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": true, "severityMet": false }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "after-hours", "nights and weekends", "shared mailbox", "Monday morning" ], "controlIdHint": "DE.CM-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "declaring an incident", "declaration criteria", "gut feel" ], "controlIdHint": "DE.AE-08", "matched": true, "matchedControlId": "DE.AE-08", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "threat intelligence", "intel feeds", "CISA advisories" ], "controlIdHint": "DE.AE-07", "matched": true, "matchedControlId": "DE.AE-07", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "threat hunting", "purely reactive" ], "controlIdHint": "DE.CM-09", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "CrowdStrike", "Falcon", "EDR", "98 percent" ], "controlIdHint": "DE.CM-09", "matched": true, "matchedControlId": "DE.CM-09", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 5, "valid": 5 }, "usage": { "inputTokens": 5919, "outputTokens": 1162 }, "summary": "The SOC demonstrates strong endpoint detection capabilities with 98% CrowdStrike EDR coverage and documented triage processes, but faces critical gaps in threat intelligence integration and incident declaration criteria. A significant operational risk exists due to suppressed lateral movement detections and complete absence of after-hours monitoring coverage.", "findings": [ { "controlId": "DE.CM-01", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Network monitoring is limited to perimeter devices only. Splunk SIEM receives feeds from firewalls and VPN but lacks internal network visibility for east-west traffic monitoring. No dedicated network monitoring tools like IDS/IPS or network traffic analysis platforms are deployed.", "gaps": "No east-west traffic monitoring; no dedicated network IDS/IPS deployment; limited to firewall and VPN logs at network perimeter only", "quote": "Firewalls, VPN, the Windows domain, and CrowdStrike. Those four feeds carry essentially all of our detection content. Anything outside them, we are blind at the SIEM layer and we know it.", "quoteValid": true }, { "controlId": "DE.CM-09", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "CrowdStrike Falcon EDR achieves 98% deployment coverage across workstations and servers with automated containment capabilities. The system has successfully prevented ransomware propagation through automatic containment policies, stopping 2 ransomware precursors in the current year.", "quote": "CrowdStrike Falcon is deployed on 98 percent of workstations and servers, and the automatic containment policy has stopped two ransomware precursors this year", "quoteValid": true }, { "controlId": "DE.AE-02", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "SOC has documented triage runbooks for phishing and malware alerts with a 30-minute acknowledgment SLA that is consistently met during business hours. However, lateral movement detection capabilities have been completely suppressed since November 2025 due to a misconfigured suppression rule that disabled the entire detection category rather than targeting specific noisy hosts.", "gaps": "Lateral movement detection category completely suppressed for 5 months; no tuning time allocated to rebuild detection searches; detection gap at SIEM layer for this attack vector", "quote": "The suppression rule silenced the entire lateral movement detection category, not just the noisy hosts, and it has been active for five months.", "quoteValid": true }, { "controlId": "DE.AE-07", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "No threat intelligence feeds are integrated into the SIEM platform. Analysts rely on manual processes including reading vendor blogs and CISA advisories when time permits, with indicator checks performed through manual copy-paste operations rather than automated correlation.", "gaps": "No threat intelligence platform integration; no automated IOC correlation; manual indicator checking only; no structured threat intelligence consumption process", "quote": "No threat intelligence feeds are integrated into the SIEM.", "quoteValid": true }, { "controlId": "DE.AE-08", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "No documented criteria exist for declaring security incidents, resulting in inconsistent escalation practices that depend on which analyst is on shift. This inconsistency was demonstrated when one analyst managed a credential-stuffing case as a routine ticket for 9 days while another analyst would have declared it an incident immediately.", "gaps": "No documented incident declaration criteria; no severity definitions or escalation thresholds; inconsistent incident classification between analysts", "quote": "We have no documented criteria for declaring an incident. It depends who is on shift; the senior analysts escalate by gut feel.", "quoteValid": true } ], "findingsTotal": 5 }, { "caseId": "de-03-log-pipeline-review", "csfFunction": "DE", "pass": false, "fromCache": true, "controlIds": [ "DE.AE-01", "DE.AE-03", "DE.CM-01", "DE.CM-02", "DE.CM-06" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "Azure", "Event Hub", "client secret", "feed-silence" ], "controlIdHint": "DE.AE-03", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "east-west", "NetFlow", "baseline", "clinical VLAN" ], "controlIdHint": "DE.AE-01", "matched": true, "matchedControlId": "DE.AE-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "risk", "severityAtLeast": "high", "anyKeywords": [ "ClearWell", "vendor", "SFTP", "exfiltration" ], "controlIdHint": "DE.CM-06", "matched": true, "matchedControlId": "DE.CM-06", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "badge", "camera", "physical", "Genetec" ], "controlIdHint": "DE.CM-02", "matched": true, "matchedControlId": "DE.CM-02", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "Suricata", "IDS", "perimeter", "file integrity" ], "controlIdHint": "DE.CM-01", "matched": true, "matchedControlId": "DE.AE-03", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 5, "valid": 5 }, "usage": { "inputTokens": 6221, "outputTokens": 1335 }, "summary": "Meridian Health Systems has a functioning SIEM with good perimeter monitoring but critical gaps in internal network visibility and vendor monitoring. Azure logging has been dead for 4 months without detection, clinical east-west traffic lacks any monitoring, and the primary billing vendor operates in a complete monitoring blind spot.", "findings": [ { "controlId": "DE.AE-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No baseline of expected data flows has been established for clinical networks. The memo explicitly states 'no baseline of expected traffic flows has ever been established' for east-west traffic between clinical VLANs, representing a fundamental gap in network operations baseline management.", "gaps": "No documented baselines exist for normal network operations between clinical VLANs. No process in place to establish traffic flow baselines or use them for anomaly detection. Missing baseline means lateral movement between clinical systems would be undetectable.", "quote": "We have no east-west visibility between clinical VLANs, and no baseline of expected traffic flows has ever been established", "quoteValid": true }, { "controlId": "DE.AE-03", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "SIEM correlates data from 6 active sources including Palo Alto firewalls (9 GB/day), Windows domain controllers (6 GB/day), CrowdStrike EDR (4 GB/day), GlobalProtect VPN (1.5 GB/day), Suricata IDS (2 GB/day), with 64 active correlation searches across different data types.", "gaps": "Azure Event Hub connector has been dead for 4 months (since 2026-01-07). Clinical network east-west traffic and vendor SFTP/VPN activity are not integrated into correlation. ClearWell integration server and badge/camera feeds are not onboarded.", "quote": "The SIEM carries 64 active correlation searches. Distribution by data source: - 41 target Windows domain telemetry (authentication, privilege use, lateral movement) - 12 target firewall and VPN data - 11 target CrowdStrike detections", "quoteValid": true }, { "controlId": "DE.CM-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Network monitoring covers perimeter with Palo Alto firewalls and Suricata IDS, but has zero east-west visibility inside clinical networks. No NetFlow exporters or internal sensors exist on clinical core switches, creating a blind spot for lateral movement detection.", "gaps": "No east-west traffic monitoring between clinical VLANs. No NetFlow deployment on clinical core switches. Vendor VPN tunnel logging was disabled in 2024 to reduce license volume. Clinical network interior traffic is completely unmonitored.", "quote": "There are no NetFlow exporters or internal sensors on the clinical core switches. We have no east-west visibility between clinical VLANs", "quoteValid": true }, { "controlId": "DE.CM-02", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Physical environment monitoring exists via badge readers and camera network on separate Genetec platform, but Security has no visibility into physical access events. No integration between physical access controls and security monitoring infrastructure.", "gaps": "No badge or camera feed reaches the SIEM. Security cannot detect badge anomalies such as after-hours data center access. Physical security monitoring operates in isolation from cybersecurity monitoring.", "quote": "No badge or camera feed reaches the SIEM, and Security has no visibility into badge anomalies such as after-hours access to the data center cage", "quoteValid": true }, { "controlId": "DE.CM-06", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "ClearWell Revenue Partners, the outsourced billing vendor with ePHI access, has no monitoring of SFTP sessions or VPN activity. The integration server is not onboarded to SIEM and vendor tunnel logging was disabled in 2024, creating complete visibility gap for third-party data access.", "gaps": "ClearWell SFTP sessions and VPN activity generate no log events in SIEM. Integration server not onboarded. Vendor tunnel excluded from firewall logging. Credential theft would be indistinguishable from normal operations.", "quote": "ClearWell's SFTP sessions and VPN activity generate no log events in the SIEM; the integration server is not onboarded, and the vendor tunnel was excluded from firewall logging in 2024 to reduce license volume", "quoteValid": true } ], "findingsTotal": 5 }, { "caseId": "gv-00-golden-ciso-interview", "csfFunction": "GV", "pass": false, "fromCache": true, "controlIds": [ "GV.PO-02", "GV.SC-07", "DE.AE-02", "DE.AE-03", "DE.CM-01", "DE.CM-09", "RS.MA-01", "RC.RP-01", "RC.RP-03", "PR.DS-11", "PR.AT-01", "PR.IR-01" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "SIEM", "centralized", "correlat" ], "controlIdHint": "DE.AE-03", "matched": true, "matchedControlId": "DE.AE-03", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "tabletop", "incident response plan", "IR plan" ], "controlIdHint": "RS.MA-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": true, "severityMet": false }, { "id": "mf-3", "findingType": "risk", "severityAtLeast": "high", "anyKeywords": [ "backup job", "failing", "three weeks", "3 weeks" ], "controlIdHint": "PR.DS-11", "matched": true, "matchedControlId": "RC.RP-03", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "EC2", "scanning scope", "blind spot", "IoT", "unscanned" ], "controlIdHint": "DE.CM-09", "matched": true, "matchedControlId": "DE.CM-09", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "24/7", "business hours", "after-hours" ], "controlIdHint": "DE.CM-01", "matched": true, "matchedControlId": "DE.AE-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "RTO", "aspirational", "full restoration", "never been validated" ], "controlIdHint": "RC.RP-01", "matched": true, "matchedControlId": "PR.DS-11", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-4", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "90 days", "60 days", "never updated", "policy document" ], "controlIdHint": "GV.PO-02", "matched": true, "matchedControlId": "GV.PO-02", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-5", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "vendor", "PAM", "privileged access management", "SOC 2" ], "controlIdHint": "GV.SC-07", "matched": true, "matchedControlId": "GV.SC-07", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-6", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "awareness", "training" ], "controlIdHint": "PR.AT-01", "matched": true, "matchedControlId": "PR.AT-01", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null }, { "id": "sf-7", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "segmentation" ], "controlIdHint": "PR.IR-01", "matched": true, "matchedControlId": "PR.IR-01", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [ { "rule": "missCitations", "details": [ "DE.CM-01", "PR.AT-01", "PR.IR-01" ] } ], "citations": { "total": 12, "valid": 9 }, "usage": { "inputTokens": 6971, "outputTokens": 2494 }, "summary": "The interview reveals an organization in transition with mixed security maturity. While foundational controls like MFA deployment, network segmentation, and security awareness are functioning, critical detection and response capabilities have major gaps including no SIEM, untested IR plan, and failed backup monitoring that went undetected for weeks.", "findings": [ { "controlId": "GV.PO-02", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Password policy shows poor lifecycle management practices with documented inconsistency between written policy (90-day rotation) and actual enforcement (60-day rotation). CISO acknowledged that the Active Directory GPO was changed to enforce 60 days but the policy document was never updated.", "gaps": "Policy document not updated to reflect current enforcement. No evidence of formal policy review cadence or governance process. Policy versioning and approval processes unclear.", "quote": "The written policy says 90 days — that's the old standard from before my time. When I joined, I changed the Active Directory GPO to enforce 60 days, but I never updated the policy document. That's on me.", "quoteValid": true }, { "controlId": "GV.SC-07", "coverage": "none", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "Third-party risk management is absent with persistent vendor VPN access that has not been reviewed for years. CloudOps has maintained elevated privileges since 2022 without formal security assessment. No vendor security assessments are conducted proactively, and SOC 2 reports are only reviewed when provided voluntarily.", "gaps": "No vendor risk assessment process. No ongoing monitoring of vendor access. No defined intervals for vendor reassessment. No vendor incident tracking process.", "quote": "This is one of our weakest areas, and I know it. We have vendors with persistent VPN access that hasn't been reviewed. Some of those connections go back years. I know CloudOps has been connected since 2022 and they have elevated privileges we should audit.", "quoteValid": true }, { "controlId": "DE.AE-02", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No formal event analysis capabilities exist. Limited to basic automated alerts from endpoint AV and firewall blocks with no SOC analysts available after business hours. The team of 2 security analysts only provides coverage during business hours.", "gaps": "No triage playbooks or enrichment sources. No escalation criteria defined. No detection engineering practices. Limited analyst coverage to business hours only.", "quote": "We don't have 24/7 coverage. Our analysts work business hours, and we rely on automated alerts for after-hours. The problem is, without a SIEM, those automated alerts are very basic — just endpoint AV alerts and firewall blocks.", "quoteValid": true }, { "controlId": "DE.AE-03", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No centralized SIEM exists, preventing correlation of security information across multiple sources. Security logs are dispersed across individual systems with firewall logs, endpoint logs, and cloud audit logs in separate consoles. Manual correlation would take days during an incident.", "gaps": "No SIEM deployment. No correlation rules or capabilities. No centralized log aggregation. Multiple isolated log sources cannot be correlated.", "quote": "We don't have a centralized SIEM. Security logs sit on individual systems — our firewall logs go to one place, endpoint logs go to another, and our cloud audit logs are in yet another console. If we had an incident, correlating those logs manually would take days.", "quoteValid": true }, { "controlId": "DE.CM-01", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "medium", "observation": "Network monitoring exists with firewall logging and automated blocking capabilities, but lacks centralized correlation and analysis. Network segmentation is described as solid, indicating some level of monitoring infrastructure.", "gaps": "No centralized network monitoring analysis. Limited to basic firewall alerts without correlation. No SIEM integration for network monitoring data.", "quote": "our network segmentation is solid, and our security awareness program is getting results. But we have significant gaps in detection and response capabilities.", "quoteValid": false }, { "controlId": "DE.CM-09", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Endpoint monitoring exists through AV alerts, but coverage is incomplete with cloud workloads representing a blind spot. Approximately 40 EC2 instances, 20 Azure VMs, and container workloads in EKS are not monitored. IoT devices including 200 IP cameras and building management systems are completely unmonitored.", "gaps": "Cloud workloads not monitored. Container environments unmonitored. IoT devices excluded from monitoring. No EDR deployment mentioned.", "quote": "But our cloud workloads are a blind spot. We have about 40 EC2 instances and 20 Azure VMs that aren't in the scanning scope. And we have no scanning for our container workloads in EKS. IoT devices — we have about 200 IP cameras and building management systems — those are completely unscanned.", "quoteValid": true }, { "controlId": "RS.MA-01", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Incident response plan exists from 2023 covering standard phases but has never been tested through tabletop exercises or simulations. Contact information is outdated with the previous SOC Manager still listed on escalation lists 6 months after departure.", "gaps": "No testing of IR plan through tabletop or simulation. Outdated contact information. No evidence of third-party coordination procedures being validated.", "quote": "We do. It was written in 2023 when I first joined. It covers the standard phases — preparation, identification, containment, eradication, recovery, lessons learned. But I'll be honest with you — we haven't tested it. No tabletop exercises, no simulations. And some of the contact information is outd…", "quoteValid": true }, { "controlId": "RC.RP-01", "coverage": "unclear", "findingType": "gap", "severity": "medium", "confidence": "medium", "observation": "Recovery procedures are not explicitly described as part of the incident response process. While the IR plan mentions recovery as one of the standard phases, no testing or validation of recovery procedures has occurred.", "gaps": "No evidence of recovery plan testing or execution. Recovery procedures not validated through simulation.", "quote": "It covers the standard phases — preparation, identification, containment, eradication, recovery, lessons learned. But I'll be honest with you — we haven't tested it.", "quoteValid": true }, { "controlId": "RC.RP-03", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "No backup integrity verification process exists before restoration. A critical backup failure for the main financial database went undetected for 3 weeks due to failed alert monitoring, indicating no proactive integrity verification.", "gaps": "No backup integrity verification procedures. No malware scanning of backup media. Failed backup monitoring demonstrates lack of validation processes.", "quote": "I actually found out last week that our main financial database backup job has been failing for about 3 weeks. The alerts were going to the old SOC Manager's email.", "quoteValid": true }, { "controlId": "PR.DS-11", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Backups run nightly for critical databases and file servers using Veeam for on-premises and native tools for cloud, but full restoration has not been tested in over a year. The main financial database backup has been failing for 3 weeks undetected, and RTO/RPO targets are aspirational and unvalidated.", "gaps": "No restoration testing in over a year. Backup monitoring failures. RTO/RPO targets never validated through testing. Unknown backup coverage and integrity status.", "quote": "But we haven't tested a full restoration in over a year. Our BCP document defines an RTO of 4 hours and RPO of 24 hours for critical systems, but those targets are aspirational — they've never been validated.", "quoteValid": true }, { "controlId": "PR.AT-01", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "medium", "observation": "Security awareness program is active and producing results according to CISO assessment. Program appears to be achieving its intended outcomes for general cybersecurity awareness training.", "quote": "our network segmentation is solid, and our security awareness program is getting results", "quoteValid": false }, { "controlId": "PR.IR-01", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "medium", "observation": "Network segmentation is described as solid by CISO, indicating proper logical access controls and network protection are in place.", "quote": "our network segmentation is solid", "quoteValid": false } ], "findingsTotal": 12 }, { "caseId": "gv-01-risk-governance", "csfFunction": "GV", "pass": true, "fromCache": true, "controlIds": [ "GV.RM-01", "GV.RM-02", "GV.RM-03", "GV.RM-04", "GV.RM-05", "GV.RM-06", "GV.OV-03" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "risk appetite", "tolerance threshold", "not been approved" ], "controlIdHint": "GV.RM-02", "matched": true, "matchedControlId": "GV.RM-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "risk register", "not been updated", "twelve months", "stale" ], "controlIdHint": "GV.OV-03", "matched": true, "matchedControlId": "GV.OV-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "scoring criteria", "personal judgment", "methodology", "standardized" ], "controlIdHint": "GV.RM-06", "matched": true, "matchedControlId": "GV.RM-06", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "enterprise risk", "erm register", "not reconciled" ], "controlIdHint": "GV.RM-03", "matched": true, "matchedControlId": "GV.RM-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "board", "quarterly", "escalation" ], "controlIdHint": "GV.RM-05", "matched": true, "matchedControlId": "GV.RM-05", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 7, "valid": 7 }, "usage": { "inputTokens": 5957, "outputTokens": 2016 }, "summary": "Meridian Health Systems has established basic cybersecurity risk management framework with ServiceNow GRC implementation and Board reporting, but critical governance gaps exist. The organization lacks approved risk appetite statements and operates with inconsistent risk rating methodology, while cybersecurity risks remain isolated from enterprise risk management processes.", "findings": [ { "controlId": "GV.RM-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Policy MHS-POL-RM-001 v1.3 references a risk appetite statement but implementation is incomplete. Document states a draft risk appetite statement was prepared by the GRC Office in October 2024 but has not been approved by the Executive Risk Committee or Board, and has not been communicated to any business unit. Risk acceptance decisions are currently made case by case with no defined tolerance thresholds.", "gaps": "Risk appetite statement lacks formal approval from senior leadership (Executive Risk Committee or Board). No defined tolerance thresholds exist to guide risk-based decision-making. Risk acceptance is conducted on ad-hoc basis rather than against established criteria.", "quote": "A draft risk appetite statement was prepared by the GRC Office in October 2024. As of this revision, **the draft has not been approved by the Executive Risk Committee or the Board, and it has not been communicated to any business unit.** Risk acceptance decisions are currently made case by case wit…", "quoteValid": true }, { "controlId": "GV.RM-02", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No established risk appetite and tolerance statements exist. The policy documents a draft risk appetite statement from October 2024 that remains unapproved by the Executive Risk Committee or Board. No evidence of communication to operational staff or business units. Risk decisions are made without reference to approved tolerance statements.", "gaps": "No formally approved risk appetite statement. No communication mechanism for risk tolerance to operational staff. No defined review intervals for risk appetite statements. No training materials explaining organizational risk tolerance.", "quote": "A draft risk appetite statement was prepared by the GRC Office in October 2024. As of this revision, **the draft has not been approved by the Executive Risk Committee or the Board, and it has not been communicated to any business unit.**", "quoteValid": true }, { "controlId": "GV.RM-03", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Cybersecurity risk management operates separately from enterprise risk management. Policy v1.3 explicitly states cybersecurity risks are not represented in the ERM register, the GRC Office does not participate in the ERM committee, and the two registers use different rating scales without reconciliation. Finance department administers ERM for clinical, financial, and regulatory risks while cybersecurity risks remain isolated in ServiceNow GRC.", "gaps": "No integration between cybersecurity and enterprise risk registers. Different rating scales prevent risk comparison across domains. No participation in enterprise risk committees. No unified governance reporting for cyber and enterprise risks.", "quote": "**Cybersecurity risks are not represented in the ERM register, and the GRC Office does not participate in the ERM committee.** The two registers use different rating scales and are not reconciled.", "quoteValid": true }, { "controlId": "GV.RM-04", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Policy v1.3 defines clear risk response options (Accept, Mitigate, Transfer, Avoid) with documented justification requirements. Risk acceptance authority matrix is established with escalation thresholds: department directors for Low/Moderate risks, VP of Information Technology for High risks, and Executive Risk Committee for Critical risks. All responses require documented justification in the ServiceNow GRC register.", "quote": "Approved response options are Accept, Mitigate, Transfer, and Avoid. Every response requires a documented justification, and acceptance of any High or Critical risk must be recorded in the register with written sign-off per Section 3.2.", "quoteValid": true }, { "controlId": "GV.RM-05", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Formal communication channels exist for cybersecurity risks including quarterly Board reporting and out-of-cycle escalation procedures. GRC Office prepares quarterly cybersecurity risk reports for the Board Audit and Compliance Committee covering top 10 risks, rating changes, and remediation status. Out-of-cycle escalation path to Committee chair exists for Critical risks and was exercised twice in 2025 with documented Committee minutes.", "gaps": "No mention of third-party or supplier risk communications. No evidence of cross-functional risk meetings or regular operational risk communication cadences below Board level.", "quote": "The GRC Office prepares a quarterly cybersecurity risk report for the Board Audit and Compliance Committee. The report covers the top ten risks, rating changes since the prior quarter, and remediation status. An out-of-cycle escalation path to the Committee chair exists for newly identified Critica…", "quoteValid": true }, { "controlId": "GV.RM-06", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Policy v1.3 establishes 4-tier risk rating scale (Low, Moderate, High, Critical) using likelihood and impact evaluation, but lacks standardized scoring criteria. Document explicitly states no standardized scoring criteria exist for likelihood or impact, with risk owners assigning ratings based on personal judgment. This led to inconsistent ratings during Q1 2026 internal review where the same third-party connectivity risk was rated both Moderate and Critical by different owners with no document…", "gaps": "No standardized scoring criteria for likelihood or impact assessment. No documented risk assessment methodology or industry framework reference (FAIR, NIST SP 800-30, ISO 27005). No staff training on consistent risk rating application.", "quote": "**No standardized scoring criteria exist for likelihood or impact.** Risk owners assign ratings based on personal judgment. During the Q1 2026 internal review, the same third-party connectivity risk was rated Moderate by one owner and Critical by another, with no documented rationale for either rat…", "quoteValid": true }, { "controlId": "GV.OV-03", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Risk register maintenance shows poor performance with 47 of 62 open risks not updated in over 12 months, 9 entries listing departed employees as risk owners, and 11 risks past target remediation dates with no revised dates or treatment decisions. Policy requires quarterly risk owner updates but compliance appears limited based on ServiceNow GRC register status as of 2026-05-29.", "gaps": "No defined cybersecurity risk performance metrics or KPIs mentioned. No evidence of management review processes that drive corrective actions. Poor risk register hygiene suggests limited performance monitoring and continuous improvement processes.", "quote": "As of 2026-05-29 the register contains 62 open risks. **47 of the 62 open risks have not been updated in more than twelve months.** Nine entries list a risk owner who left the organization in 2024 or 2025, and eleven risks past their target remediation date carry no revised date and no documented t…", "quoteValid": true } ], "findingsTotal": 7 }, { "caseId": "gv-02-leadership-interview", "csfFunction": "GV", "pass": true, "fromCache": true, "controlIds": [ "GV.RR-01", "GV.RR-02", "GV.RR-03", "GV.RR-04", "GV.PO-01", "GV.PO-02" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "vacant", "accountab", "no security owner", "seventeen months" ], "controlIdHint": "GV.RR-02", "matched": true, "matchedControlId": "GV.RR-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "budget", "staffing", "resourc", "30 percent" ], "controlIdHint": "GV.RR-03", "matched": true, "matchedControlId": "GV.RR-03", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "policy review", "2022", "annual", "outdated" ], "controlIdHint": "GV.PO-02", "matched": true, "matchedControlId": "GV.PO-02", "matchedSeverity": "medium", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "exception", "informal", "verbal" ], "controlIdHint": "GV.PO-01", "matched": true, "matchedControlId": "GV.PO-01", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "board", "standing", "quarterly agenda" ], "controlIdHint": "GV.RR-01", "matched": true, "matchedControlId": "GV.RR-04", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": null }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "termination checklist", "offboarding", "same day", "onboarding" ], "controlIdHint": "GV.RR-04", "matched": true, "matchedControlId": "GV.RR-04", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 6, "valid": 6 }, "usage": { "inputTokens": 6135, "outputTokens": 1485 }, "summary": "Leadership interview reveals critical governance gaps stemming from 17-month Director vacancy, with security responsibilities informally distributed and absent from job descriptions. Resource constraints include 30% budget cuts and inadequate staffing ratios for healthcare environment. Policy framework exists but review process has failed, with majority of policies outdated since 2022.", "findings": [ { "controlId": "GV.RR-01", "coverage": "partial", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "Director of Information Security role vacant for 17 months since January 2025 with no interim appointment. VP states security is not in anyone's job description and no individual is formally accountable for cybersecurity risk. However, Board added cybersecurity as quarterly standing agenda item in 2025 and approved funding for Director search and external assessment in April 2026.", "gaps": "No executive with formal cybersecurity accountability, leadership vacuum for 17 months, security responsibilities absent from all job descriptions despite having 4,200 employees across healthcare facilities", "quote": "the role has been vacant since, so about seventeen months now. Her responsibilities were split up informally. I picked up vendor and budget decisions, our GRC analyst Priya Raman picked up the risk register and audit responses, and our infrastructure manager handles firewall and patching approvals.…", "quoteValid": true }, { "controlId": "GV.RR-02", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No RACI matrix exists for cybersecurity functions. Security responsibilities are distributed informally among VP (vendor/budget), GRC analyst (risk register/audit), and infrastructure manager (firewall/patching) with no documentation. VP confirms no one has security in their job description.", "gaps": "No formal RACI matrix, no documented role assignments, security absent from all job descriptions, informal responsibility distribution with no clear accountability", "quote": "Security is not in my job description, and it is not in anyone else's either.", "quoteValid": true }, { "controlId": "GV.RR-03", "coverage": "partial", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "Security function materially under-resourced with 1 dedicated security engineer plus 0.5 FTE GRC analyst supporting 4,200 employees across 6 hospitals and 30 clinics. Fiscal 2026 security budget cut 30% from prior year, security awareness training renewal dropped. Staffing shortfall escalated to executives twice and deferred both times.", "gaps": "Insufficient staffing ratio for healthcare environment, budget cuts during expansion, executive leadership deferring resource requests despite known shortfalls", "quote": "The fiscal 2026 security operating budget was cut 30 percent from the prior year, and the security awareness training renewal was dropped to absorb part of that cut. I have flagged the staffing shortfall to the executive team twice; both times it was deferred to the next budget cycle.", "quoteValid": true }, { "controlId": "GV.RR-04", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "HR integration shows strong offboarding controls with joint HR-IT termination checklist ensuring same-day badge and account access removal. Internal audit verified zero exceptions. Security expectations included in onboarding for all new hires with policy acknowledgment signing.", "gaps": "No mention of background checks, security performance reviews, or ongoing awareness beyond initial onboarding", "quote": "HR and IT run a joint termination checklist, badge and account access are removed the same day someone leaves, and the last internal audit verified that with zero exceptions. Security expectations are also written into onboarding for every new hire.", "quoteValid": true }, { "controlId": "GV.PO-01", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Framework includes 14 information security policies with new hire acknowledgment process during onboarding. However, policy exception process is informal with verbal approvals, no documentation, no register, and no time limits. VP cannot quantify active exceptions.", "gaps": "No formal policy exception process, exceptions granted verbally without documentation or expiry dates, no exception register maintained", "quote": "There is no exception register, nothing is documented, and nothing is time-limited. I could not tell you today how many exceptions are in effect.", "quoteValid": true }, { "controlId": "GV.PO-02", "coverage": "partial", "findingType": "risk", "severity": "medium", "confidence": "high", "observation": "Framework states annual review cycle for 14 policies, but 11 of 14 policies last reviewed in 2022 or earlier. Remote access standard references decommissioned Citrix gateway from 2024. Policy review calendar maintained by former Director stopped updating when she left in January 2025.", "gaps": "Policy review cadence broken for majority of policies, outdated content referencing decommissioned systems, no designated policy owner since Director departure", "quote": "eleven of the fourteen were last reviewed in 2022 or earlier. The remote access standard still references the Citrix gateway we decommissioned in 2024", "quoteValid": true } ], "findingsTotal": 6 }, { "caseId": "gv-03-vendor-access-audit", "csfFunction": "GV", "pass": true, "fromCache": true, "controlIds": [ "GV.SC-04", "GV.SC-05", "GV.SC-06", "GV.SC-08", "GV.SC-10" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "terminated", "contract end", "offboard", "fourteen months" ], "controlIdHint": "GV.SC-10", "matched": true, "matchedControlId": "GV.SC-10", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "inventory", "criticality", "tiering", "no inventory record" ], "controlIdHint": "GV.SC-04", "matched": true, "matchedControlId": "GV.SC-04", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "contract", "clause", "breach notification", "right to audit" ], "controlIdHint": "GV.SC-05", "matched": true, "matchedControlId": "GV.SC-05", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "due diligence", "security assessment", "soc 2", "questionnaire" ], "controlIdHint": "GV.SC-06", "matched": true, "matchedControlId": "GV.SC-06", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "tabletop", "incident response exercise", "carebridge" ], "controlIdHint": "GV.SC-08", "matched": true, "matchedControlId": "GV.SC-08", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 5, "valid": 5 }, "usage": { "inputTokens": 5874, "outputTokens": 1442 }, "summary": "The audit reveals significant gaps in third-party risk management at Meridian Health Systems. While technical controls like MFA enforcement are functioning, governance processes are largely absent - no vendor criticality assessment exists, 70% of contracts lack security provisions, and no security due diligence occurs at onboarding. Most critically, terminated vendor MedTransScribe maintained active VPN access for 14 months after contract end, demonstrating the absence of offboarding procedures.", "findings": [ { "controlId": "GV.SC-04", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No vendor criticality assessment or tiering exists. The vendor inventory maintained on SharePoint lacks fields for criticality, data access level, or ePHI exposure classification. Internal Audit confirmed that no vendor prioritization by criticality exists in any system reviewed during the assessment.", "gaps": "No criticality classifications exist for the 31 active vendor accounts. The organization cannot prioritize vendors by business impact, service dependency, or data access level. The inventory system lacks basic risk categorization fields required for supply chain risk management.", "quote": "The inventory has no field for criticality, data access level, or ePHI exposure. **No vendor tiering or prioritization by criticality exists in any system reviewed.**", "quoteValid": true }, { "controlId": "GV.SC-05", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Contract security requirements are largely absent. Internal Audit sampled 10 active vendor contracts and found 7 contained no cybersecurity clauses whatsoever - no breach notification requirements, no right to audit, and no minimum security requirements. The 3 contracts with security language were drafted by CareBridge EHR on their paper, not Meridian's standard template. Procurement confirmed no standard security addendum exists.", "gaps": "70% of sampled contracts lack cybersecurity provisions. No standard security contract template exists. No systematic approach to embedding security requirements based on vendor criticality. Breach notification, audit rights, and security standards are not contractually required.", "quote": "**7 of the 10 sampled contracts contain no cybersecurity clauses of any kind: no breach notification requirement, no right to audit, and no minimum security requirements.**", "quoteValid": true }, { "controlId": "GV.SC-06", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No vendor security due diligence process exists at onboarding. RadiantView Imaging was granted VPN access to the radiology VLAN within 5 business days of contract signature in February 2026 with no security assessment, questionnaire, or SOC 2 report review. Procurement confirmed that no vendor has ever been asked for SOC 2 reports or equivalent attestations as part of the onboarding process.", "gaps": "No pre-contract security assessments are conducted. No SOC 2 or equivalent certification requirements exist. No security questionnaires or third-party risk ratings are obtained before granting access. Vendors receive privileged network access without security validation.", "quote": "**No security assessment, questionnaire, or SOC 2 report was requested before access was provisioned.**", "quoteValid": true }, { "controlId": "GV.SC-08", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "CareBridge EHR, the organization's most critical supplier, participated in the 2025 annual incident response tabletop exercise alongside Meridian's IT and clinical engineering teams. The exercise report documents joint containment and communication steps for an EHR outage scenario, demonstrating integration of key suppliers into incident response planning.", "quote": "CareBridge EHR, Meridian's most critical supplier, **participated in the 2025 annual incident response tabletop exercise** alongside Meridian's IT and clinical engineering teams. The exercise report documents joint containment and communication steps for an EHR outage scenario.", "quoteValid": true }, { "controlId": "GV.SC-10", "coverage": "none", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "No vendor offboarding procedures exist, creating active security exposure. MedTransScribe's contract terminated on 2025-03-31, yet account MTS-SVC02 remained enabled and recorded a successful VPN login on 2026-05-28, fourteen months after contract termination. Neither procurement nor IT could identify who is responsible for requesting access revocation when vendor contracts end. The account was only disabled during audit fieldwork on 2026-05-29.", "gaps": "No documented vendor offboarding process exists. No clear ownership for access revocation when contracts end. No systematic review of terminated vendor access. Active accounts exist for vendors with expired contracts, creating unauthorized access exposure.", "quote": "The MedTransScribe contract was terminated effective 2025-03-31, yet **account MTS-SVC02 remains enabled and recorded a successful VPN login on 2026-05-28, fourteen months after contract end.** No offboarding procedure for departing vendors exists.", "quoteValid": true } ], "findingsTotal": 5 }, { "caseId": "id-01-asset-inventory", "csfFunction": "ID", "pass": true, "fromCache": true, "controlIds": [ "ID.AM-01", "ID.AM-02", "ID.AM-03", "ID.AM-04", "ID.AM-08" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "biomedical", "infusion", "untracked", "not recorded in any inventory" ], "controlIdHint": "ID.AM-01", "matched": true, "matchedControlId": "ID.AM-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "SaaS", "software inventory", "shadow IT" ], "controlIdHint": "ID.AM-02", "matched": true, "matchedControlId": "ID.AM-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "sanitization", "certificate of destruction", "disposal", "decommissioned" ], "controlIdHint": "ID.AM-08", "matched": true, "matchedControlId": "ID.AM-08", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "supplier", "managed services", "supplier-provided" ], "controlIdHint": "ID.AM-04", "matched": true, "matchedControlId": "ID.AM-04", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "reconciliation", "CMDB", "19 months" ], "controlIdHint": "ID.AM-01", "matched": true, "matchedControlId": "ID.AM-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "network architecture diagram", "data flows", "version controlled" ], "controlIdHint": "ID.AM-03", "matched": true, "matchedControlId": "ID.AM-03", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 5, "valid": 5 }, "usage": { "inputTokens": 5834, "outputTokens": 1403 }, "summary": "Meridian Health Systems has established formal asset management policies with ServiceNow CMDB and quarterly network documentation updates, but implementation gaps create significant exposure. Critical findings include unsanitized PHI-bearing assets awaiting disposal for 26 months and complete absence of software/SaaS inventory management enabling shadow IT processing of patient data.", "findings": [ { "controlId": "ID.AM-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Meridian maintains a ServiceNow CMDB as the inventory of record with a 5-day deployment requirement, but the last full reconciliation was November 2024 (19 months ago). A May 2026 spot audit of 250 devices across two campuses found 41 devices (16.4%) not recorded in the CMDB. Approximately 1,100 networked biomedical devices (infusion pumps, patient monitors) exist without any inventory tracking.", "gaps": "CMDB reconciliation frequency exceeds 90-day validation threshold; 16.4% of sampled devices untracked; ~1,100 clinical IoT devices completely unmanaged in any inventory system", "quote": "The last full CMDB reconciliation was completed in **November 2024, 19 months before this review**. A spot audit in May 2026 sampled 250 devices across the Lakeview and Eastgate campuses and **could not match 41 of the 250 devices to any CMDB record**.", "quoteValid": true }, { "controlId": "ID.AM-02", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Meridian maintains no centralized software or SaaS inventory. Network egress review identified 63 SaaS applications in use, but only 18 were known to IT. Application owners track software within departments via undefined methods. Shadow IT includes applications processing patient billing data without central oversight.", "gaps": "No centralized software inventory; 71% of SaaS applications unknown to IT (45 of 63); shadow IT processing sensitive data without governance; no automated discovery tools mentioned", "quote": "**Meridian maintains no centralized software or SaaS inventory.** A network egress review in April 2026 identified 63 SaaS applications in active use across the organization; only 18 of these were known to the IT department.", "quoteValid": true }, { "controlId": "ID.AM-03", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Network architecture diagrams maintained in Confluence with quarterly updates by Network Engineering. Diagrams include authorized data flows between clinical, corporate, and guest zones. Version control and peer review implemented. Most recent revision dated 2026-04-30. Firewall rule changes require updated flow diagrams.", "quote": "Network architecture diagrams, including authorized data flows between the clinical, corporate, and guest network zones, are maintained in Confluence and updated quarterly by the Network Engineering team. Diagrams are version controlled, peer reviewed at each revision, and the most recent revision …", "quoteValid": true }, { "controlId": "ID.AM-04", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "No inventory of supplier-provided services exists. Managed services including offsite radiology reads, dictation, transcription, claims clearinghouse, and hosted PACS archive are known only to contracting departments. IT Security cannot produce a list of suppliers receiving, storing, or processing Meridian data.", "gaps": "No centralized supplier service inventory; IT Security lacks visibility into data-sharing arrangements; managed services tracked only at department level", "quote": "**No inventory of supplier-provided services is maintained.** Managed services in active use, including offsite radiology reads, dictation and transcription, the claims clearinghouse, and the hosted PACS archive, are known only to the individual departments that contracted them.", "quoteValid": true }, { "controlId": "ID.AM-08", "coverage": "partial", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "Asset lifecycle includes procurement review and NIST SP 800-88 sanitization requirements with 7-year certificate retention. However, 23 decommissioned servers and 60 hard drives at Lakeview campus await disposal without sanitization records. No disposal certificates located for assets retired since January 2024. Several servers previously hosted legacy laboratory information system.", "gaps": "Sanitization policy exists but not executed; disposal certificates missing for 26 months of retired assets; legacy clinical systems improperly disposed creating PHI exposure risk", "quote": "A storage room audit at the Lakeview campus in May 2026 found **23 decommissioned servers and approximately 60 loose hard drives awaiting disposal with no sanitization records**. No certificates of destruction could be located for any asset retired since January 2024.", "quoteValid": true } ], "findingsTotal": 5 }, { "caseId": "id-02-risk-cadence", "csfFunction": "ID", "pass": false, "fromCache": true, "controlIds": [ "ID.RA-01", "ID.RA-02", "ID.RA-04", "ID.RA-05", "ID.RA-06", "ID.IM-02" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "risk assessment", "two and a half years", "annual", "overdue" ], "controlIdHint": "ID.RA-05", "matched": true, "matchedControlId": "ID.RA-05", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "treatment plan", "past their target dates", "tracked to completion" ], "controlIdHint": "ID.RA-06", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": true, "severityMet": false }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "threat intelligence", "Health-ISAC", "feeds", "information sharing" ], "controlIdHint": "ID.RA-02", "matched": true, "matchedControlId": "ID.RA-02", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "validate", "vulnerability register", "Qualys", "shared mailbox" ], "controlIdHint": "ID.RA-01", "matched": true, "matchedControlId": "ID.RA-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "penetration test", "Jira", "tracked to closure", "roadmap" ], "controlIdHint": "ID.IM-02", "matched": true, "matchedControlId": "ID.IM-02", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "5 by 5", "likelihood and impact", "scoring methodology" ], "controlIdHint": "ID.RA-04", "matched": true, "matchedControlId": "ID.RA-04", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 6, "valid": 6 }, "usage": { "inputTokens": 6112, "outputTokens": 1566 }, "summary": "Meridian Health Systems demonstrates operational capabilities in vulnerability scanning and penetration test management, but faces critical gaps in risk program execution. The enterprise risk assessment is 29 months overdue, vulnerability findings accumulate unread, and risk treatment tracking is non-functional with 62% of plans past due.", "findings": [ { "controlId": "ID.RA-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Qualys vulnerability scanning operates on a monthly schedule across corporate and clinical server segments with documented good coverage. However, vulnerability findings are delivered as PDFs to a shared mailbox without validation, recording in a register, or triage processes.", "gaps": "Scan findings are not validated or triaged; no vulnerability register exists; no process to distinguish real vulnerabilities from false positives; no remediation tracking mechanism; findings accumulate unread in shared mailbox.", "quote": "Qualys scans run monthly across the corporate and clinical server segments, and coverage there is good. But the results go to a shared mailbox as a PDF. Nobody validates the findings or records them in a vulnerability register. There is no triage step, so we cannot say which of the criticals from t…", "quoteValid": true }, { "controlId": "ID.RA-02", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Meridian Health Systems has no formal threat intelligence capability. The organization is not a member of Health-ISAC, subscribes to no threat intelligence feeds, and learns about healthcare sector threats from news sources or insurance broker notifications.", "gaps": "No membership in health sector information sharing organizations; no commercial or open source threat intelligence feeds; no process to evaluate external threat reports against internal environment; reactive threat awareness limited to news and vendor communications.", "quote": "Meridian is not a member of Health-ISAC and we subscribe to no threat intelligence feeds. We hear about healthcare ransomware campaigns from the news or from our cyber insurance broker. When the Change Healthcare incident happened, we found out from a vendor email. There is no process for taking an…", "quoteValid": true }, { "controlId": "ID.RA-04", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "The organization employs a documented 5x5 likelihood and impact matrix with defined criteria for consistent risk scoring. This methodology ensures impacts and likelihoods are recorded systematically rather than estimated subjectively.", "gaps": "Risk assessment methodology exists but enterprise risk assessments are 29 months overdue, limiting current application of this capability.", "quote": "The other thing I would defend is our scoring methodology. When we do assess, we use a documented 5 by 5 likelihood and impact matrix with defined criteria, so impacts and likelihoods are recorded consistently rather than guessed.", "quoteValid": true }, { "controlId": "ID.RA-05", "coverage": "partial", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "A risk register exists with 47 open risks, but the enterprise cybersecurity risk assessment is 29 months overdue against an annual requirement. The current register predates major infrastructure changes including Epic go-live and Azure data warehouse migration, making it obsolete for current risk prioritization.", "gaps": "Enterprise risk assessment 29 months overdue; risk register does not reflect current environment post-Epic implementation and Azure migration; quarterly steering committee reviews have not occurred since 2024; no process for incorporating new systems into risk assessment.", "quote": "We have not completed an enterprise cyber risk assessment in almost two and a half years. The analyst who ran the methodology left in mid 2024 and the role was never backfilled. We started the 2025 assessment, got through two of the four hospitals, and it stalled. So the current risk register refle…", "quoteValid": true }, { "controlId": "ID.RA-06", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Risk treatment plans are assigned with owners and target dates, but 29 of 47 treatment plans are past their target dates with no status updates recorded. The organization lacks tracking mechanisms for treatment plan completion and has no escalation process for overdue responses.", "gaps": "No tracking system for treatment plan completion; 62% of treatment plans (29 of 47) past due with no status updates; no escalation process for missed deadlines; quarterly steering committee review has not occurred since 2024; leadership reporting limited to risk counts rather than progress metrics.", "quote": "We have 47 open risks in the register, and I could not tell you how many of the treatment plans have actually been completed. Nobody tracks them after assignment. When I pulled the register last month, 29 of the 47 treatment plans were past their target dates with no status update recorded. There i…", "quoteValid": true }, { "controlId": "ID.IM-02", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Annual penetration testing program operates with disciplined tracking and remediation processes. Every finding is logged in Jira with assigned owners and tracked through closure, with lessons learned feeding directly into the next year's security roadmap.", "quote": "Every pen test finding is logged in Jira, assigned an owner, and tracked to closure, and the lessons feed directly into the next year's security roadmap. Last year's test drove the network segmentation work between the guest and clinical networks.", "quoteValid": true } ], "findingsTotal": 6 }, { "caseId": "id-03-data-classification", "csfFunction": "ID", "pass": true, "fromCache": true, "controlIds": [ "ID.AM-03", "ID.AM-05", "ID.AM-07" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "PHI", "unsanctioned", "data inventory", "FTP" ], "controlIdHint": "ID.AM-07", "matched": true, "matchedControlId": "ID.AM-07", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "classification label", "criticality", "12 percent", "unlabeled" ], "controlIdHint": "ID.AM-05", "matched": true, "matchedControlId": "ID.AM-05", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "data flow", "HL7", "interfaces", "diagrams" ], "controlIdHint": "ID.AM-03", "matched": true, "matchedControlId": "ID.AM-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "Epic", "Restricted", "data owner", "retention" ], "controlIdHint": "ID.AM-07", "matched": true, "matchedControlId": "ID.AM-05", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": null }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "Varonis", "100 percent", "discovery" ], "controlIdHint": "ID.AM-07", "matched": true, "matchedControlId": "ID.AM-07", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 5, "valid": 5 }, "usage": { "inputTokens": 5805, "outputTokens": 1485 }, "summary": "This architecture review reveals significant data governance gaps at Meridian Health Systems. While a data classification standard exists and discovery tooling is deployed, implementation is incomplete with only 12% of data stores properly classified and no data inventory to track PHI location, ownership, or retention. The organization has PHI scattered across 14 unsanctioned locations including cleartext transmission via legacy FTP, creating compliance and security risks.", "findings": [ { "controlId": "ID.AM-03", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Network data flow documentation exists via the Rhapsody integration engine catalog but is outdated and incomplete. The catalog's data flow diagrams were last updated in October 2023 (19 months old), and 3 new HL7 interfaces (lab outreach results to two reference labs, submissions to the state immunization registry, and a real-time payer eligibility feed) have gone into production since then with no flow documentation.", "gaps": "Data flow diagrams are 19 months out of date, exceeding the 12-month validation threshold. Three active production interfaces lack documentation and do not appear in network data flow diagrams used for firewall reviews.", "quote": "The catalog's data flow diagrams were last updated in October 2023. Since then, three new HL7 interfaces have gone into production with no flow documentation: lab outreach results to two reference labs, submissions to the state immunization registry, and a real-time payer eligibility feed. None of …", "quoteValid": true }, { "controlId": "ID.AM-05", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Meridian adopted a four-tier data classification standard in 2024 (Restricted, Confidential, Internal, Public) and maintains a CMDB with criticality fields, but implementation is severely incomplete. Only 38 of 312 data stores (12%) carry any classification label, and 71% of server records in the CMDB have blank criticality fields, forcing infrastructure teams to make DR tier assignments via best-guess rather than formal business impact assessment.", "gaps": "Classification standard exists but is applied to only 12% of data stores. CMDB criticality field is blank for 71% of servers, preventing proper prioritization for disaster recovery and patching. No systematic asset prioritization based on business impact.", "quote": "Of the 312 data stores identified across the file cluster and database estate, only 38 (12 percent) carry any classification label. In the CMDB, the criticality field is blank for 71 percent of server records, so DR tier assignments are being made by the infrastructure team on a best-guess basis ra…", "quoteValid": true }, { "controlId": "ID.AM-05", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "The Epic EHR production database demonstrates proper asset classification implementation with Restricted label, named data owner (VP of Health Information Management), documented ten-year retention schedule, encryption at rest and in transit, and quarterly access certification. This serves as an internal template for the classification standard fully applied.", "quote": "Epic EHR production database. Correctly labeled Restricted, with a named data owner (VP of Health Information Management), a documented ten-year retention schedule, encryption at rest and in transit, and quarterly access certification. This is the standard fully applied.", "quoteValid": true }, { "controlId": "ID.AM-07", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "Meridian maintains no data inventory recording the location, owner, or retention period for PHI stores. The Varonis scan identified PHI in 14 unsanctioned locations beyond the sanctioned Epic EHR, PACS archive, and Azure data warehouse, including an analytics sandbox with 2.3 million patient records and a legacy FTP server receiving cleartext lab results. Nobody contacted could identify the owner of the analytics sandbox extract or justify its existence.", "gaps": "No data inventory exists. PHI discovered in 14 unsanctioned locations with no documented ownership or retention schedules. Critical data governance gap leaves organization unable to manage data lifecycle or compliance obligations.", "quote": "Meridian maintains no data inventory recording the location, owner, or retention period for any of these stores. Nobody contacted during this review could say who owns the analytics sandbox extract or why it still exists.", "quoteValid": true }, { "controlId": "ID.AM-07", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "The Varonis deployment provides automated data discovery capabilities covering 100% of the Windows file services cluster with weekly re-scanning. This tool identified PHI patterns using SSN, MRN (Meridian format M-#######), and ICD-10 matching with high confidence threshold, making unsanctioned data stores continuously measurable going forward.", "quote": "The Varonis deployment now covers 100 percent of the Windows file services cluster and re-scans weekly, so the unsanctioned-store problem is at least continuously measurable going forward.", "quoteValid": true } ], "findingsTotal": 5 }, { "caseId": "pr-00-golden-access-policy", "csfFunction": "PR", "pass": true, "fromCache": true, "controlIds": [ "PR.AA-01", "PR.AA-02", "PR.AA-03", "PR.AA-05", "GV.SC-04", "GV.SC-07" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "access review", "12 months", "informally" ], "controlIdHint": "PR.AA-05", "matched": true, "matchedControlId": "PR.AA-05", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "risk", "severityAtLeast": "high", "anyKeywords": [ "persistent VPN", "domain admin", "CloudOps", "not been reviewed or time-limited" ], "controlIdHint": "GV.SC-07", "matched": true, "matchedControlId": "PR.AA-05", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "2-3 business days", "24 hours", "revocation", "deprovision" ], "controlIdHint": "PR.AA-05", "matched": true, "matchedControlId": "PR.AA-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "not monitored or recorded", "vendor sessions", "session recording" ], "controlIdHint": "GV.SC-07", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "MFA", "multi-factor", "FIDO2" ], "controlIdHint": "PR.AA-03", "matched": true, "matchedControlId": "PR.AA-03", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null }, { "id": "sf-4", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "12 characters", "password", "lockout" ], "controlIdHint": "PR.AA-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 6, "valid": 6 }, "usage": { "inputTokens": 5780, "outputTokens": 1505 }, "summary": "This Access Control Policy demonstrates structured identity management processes with defined approval workflows and MFA implementation including FIDO2 for privileged users. However, critical gaps exist in execution - access reviews have not been conducted in 12 months despite quarterly requirements, and vendor access controls are failing with 3 vendors maintaining persistent, unreviewed access since 2021-2023.", "findings": [ { "controlId": "PR.AA-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Policy establishes identity lifecycle management process with manager approval for account creation, CISO approval for privileged accounts, and 24-hour termination SLA. However, deprovisioning SLA is consistently missed - actual time to full access revocation averages 2-3 business days versus the 24-hour requirement due to manual ticketing system operating only during business hours.", "gaps": "Deprovisioning SLA consistently missed (2-3 days actual vs 24 hours required); no evidence of IAM platform automation; no documented service account inventory management process; manual ticketing system creates delays in access revocation", "quote": "NOTE: The current offboarding process relies on a manual ticketing system. HR submits a ticket and IT processes it during business hours. Average time to full access revocation is 2-3 business days, not 24 hours as specified.", "quoteValid": true }, { "controlId": "PR.AA-02", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Access Control Policy POL-AC-002 v2.0 does not document any identity proofing process for verifying user identities before credential issuance. No evidence of defined assurance levels based on access context or alignment with identity verification standards.", "gaps": "No documented identity proofing process; no defined identity assurance levels for different access contexts; no verification procedures for user identity before credential issuance", "quote": "All user accounts must be requested through the IT Service Desk ticketing system. Requests require manager approval before provisioning.", "quoteValid": true }, { "controlId": "PR.AA-03", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "MFA enforced for VPN access, email from external networks, all administrative consoles, and cloud application portals using Microsoft Authenticator. Hardware FIDO2 security keys deployed to IT Security team and system administrators, providing phishing-resistant authentication for privileged users.", "gaps": "MFA scope limited to specific access vectors; no evidence of conditional access policies or SSO coverage metrics", "quote": "MFA is required for: - VPN access - Email access from external networks - All administrative consoles - Cloud application portals (Office 365, AWS, Azure) MFA implementation uses Microsoft Authenticator app. Hardware FIDO2 security keys are issued to all members of the IT Security team and system a…", "quoteValid": true }, { "controlId": "PR.AA-05", "coverage": "partial", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "Policy defines quarterly access reviews for sensitive data systems and monthly privileged account reviews. However, Q2 2024 audit revealed no formal periodic access review completed in the last 12 months. System owners report informal reviews with no documentation. Additionally, 3 vendors maintain persistent VPN access without review or time limits since 2021-2023, with 2 having domain admin equivalent privileges.", "gaps": "Access reviews not conducted per policy (quarterly required, none in 12 months); no documentation of review activities; vendor access not time-limited or reviewed; excessive vendor privileges without justification; no evidence of PAM solution implementation", "quote": "OBSERVATION: As of the most recent audit (Q2 2024), no formal periodic access review has been completed in the last 12 months. System owners report they review access \"informally\" but no documentation exists.", "quoteValid": true }, { "controlId": "GV.SC-04", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Access Control Policy POL-AC-002 mentions vendor access procedures but provides no evidence of vendor inventory, criticality classification, or supplier prioritization framework. The policy addresses tactical vendor access provisioning but not strategic supplier management.", "gaps": "No vendor inventory documented; no criticality classification system for suppliers; no evidence of supplier prioritization based on business impact or data access levels", "quote": "Third-party vendors requiring system access are provisioned through the Vendor Access Request form. Vendor accounts are time-limited (maximum 90 days, renewable).", "quoteValid": true }, { "controlId": "GV.SC-07", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No evidence of ongoing vendor risk monitoring, assessment, or incident tracking processes. Policy focuses solely on access provisioning mechanics without addressing supplier risk management throughout the relationship lifecycle.", "gaps": "No ongoing vendor risk monitoring process; no defined reassessment intervals for critical vendors; no vendor incident tracking procedures; no continuous monitoring of vendor security posture", "quote": "Third-party vendors requiring system access are provisioned through the Vendor Access Request form. Vendor accounts are time-limited (maximum 90 days, renewable). Vendor sessions are not monitored or recorded.", "quoteValid": true } ], "findingsTotal": 6 }, { "caseId": "pr-01-mfa-coverage", "csfFunction": "PR", "pass": false, "fromCache": true, "controlIds": [ "PR.AA-01", "PR.AA-03", "PR.AA-05" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "MedChart Classic", "EX-2021-014", "exempt", "username and password only" ], "controlIdHint": "PR.AA-03", "matched": true, "matchedControlId": "PR.AA-03", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "shared", "generic account", "NURSE-STATION", "cannot be attributed" ], "controlIdHint": "PR.AA-01", "matched": true, "matchedControlId": "PR.AA-05", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "FIDO2", "hardware security key", "CyberArk" ], "controlIdHint": "PR.AA-03", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "SMS", "one-time passcode" ], "controlIdHint": "PR.AA-03", "matched": true, "matchedControlId": "PR.AA-03", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "exception register", "no expiry" ], "controlIdHint": "PR.AA-05", "matched": true, "matchedControlId": "PR.AA-05", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "breached", "800-63", "lockout" ], "controlIdHint": "PR.AA-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 3, "valid": 3 }, "usage": { "inputTokens": 5741, "outputTokens": 985 }, "summary": "The MFA and Password Standard demonstrates mature technical controls including FIDO2 enforcement for privileged users, CyberArk PAM implementation, and Okta-based authentication. However, critical gaps exist around legacy system exceptions, shared account usage, and absence of documented identity lifecycle processes.", "findings": [ { "controlId": "PR.AA-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "The policy establishes MFA enrollment during new-hire orientation with identity verification via government-issued photo ID, and factor recovery via manager callback verification. However, the document does not address credential deprovisioning or lifecycle management processes for departed users, service accounts, or hardware credentials.", "gaps": "No documented deprovisioning process for user accounts, service accounts, or hardware credentials. No SLA specified for account deactivation upon termination. No mention of automated identity lifecycle workflows or service account inventories.", "quote": "MFA enrollment occurs at new-hire orientation; the service desk verifies a government-issued photo ID before activating the first factor", "quoteValid": true }, { "controlId": "PR.AA-03", "coverage": "partial", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "MFA is enforced for remote access, cloud applications, EHR, and administrative consoles via Okta, with mandatory FIDO2 for 22 IT Infrastructure and Security staff. However, MedChart Classic at 2 hospitals remains accessible from internet with password-only authentication under exception EX-2021-014, which has no expiry date and has not been reviewed since October 2021.", "gaps": "Legacy EHR system (MedChart Classic) accessible from internet without MFA under stale exception. 612 active users still use SMS as primary factor despite FIDO2/Okta Verify availability.", "quote": "MedChart Classic, the legacy EHR module still in production at Lakeshore Community Hospital and Maple Grove Medical Center, does not support modern authentication protocols. Under exception EX-2021-014 it is exempt from MFA and is reachable from the internet through the clinician remote portal with…", "quoteValid": true }, { "controlId": "PR.AA-05", "coverage": "partial", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "The policy mandates privileged accounts be separate from standard accounts and implements CyberArk PAM with FIDO2 authentication and session recording for privileged access. However, 38 shared generic accounts remain active across clinical workstations with passwords unchanged since 2022, some providing access to medication dispensing systems without individual user attribution.", "gaps": "No documented access review process or frequency. IAM exception register not reviewed since October 2021. 38 shared accounts violate individual accountability with stale passwords and access to critical systems like Pyxis medication dispensing.", "quote": "38 shared generic accounts (for example NURSE-STATION-3W and ED-TRIAGE-01) remain in active use on clinical workstations across all three hospitals. The passwords for these accounts have not been changed since 2022, several of the accounts grant access to the Pyxis medication dispensing interface, …", "quoteValid": true } ], "findingsTotal": 3 }, { "caseId": "pr-02-deprovisioning", "csfFunction": "PR", "pass": false, "fromCache": true, "controlIds": [ "PR.AA-01", "PR.AA-05", "PR.AA-06" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "contractor", "travel nurse", "agency", "spreadsheet" ], "controlIdHint": "PR.AA-01", "matched": true, "matchedControlId": "PR.AA-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "Domain Admins", "database administrator", "admin account", "three weeks" ], "controlIdHint": "PR.AA-05", "matched": true, "matchedControlId": "PR.AA-05", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "SCIM", "Workday", "15 minutes", "automated" ], "controlIdHint": "PR.AA-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "badge", "weekly batch", "physical access" ], "controlIdHint": "PR.AA-06", "matched": true, "matchedControlId": "PR.AA-06", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "recertification", "group membership", "Server Operators", "never been through a documented review" ], "controlIdHint": "PR.AA-05", "matched": true, "matchedControlId": "PR.AA-05", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "mustNotViolations": [], "citations": { "total": 3, "valid": 3 }, "usage": { "inputTokens": 5885, "outputTokens": 979 }, "summary": "Meridian demonstrates strong identity lifecycle management for regular employees with automated Workday-to-Okta deprovisioning tested monthly. However, significant gaps exist for non-employee populations (contractors tracked in spreadsheets), privileged account management (no AD group recertifications), and physical access (4-day badge revocation delay).", "findings": [ { "controlId": "PR.AA-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Meridian has automated identity lifecycle management for regular employees via Workday SCIM to Okta (15-minute deprovisioning) with monthly testing. However, contractor and agency staff are excluded from this system: 23 contractor accounts found active past assignment end dates, with the oldest enabled 7 months after contract termination and retaining VPN entitlement. Privileged admin accounts are created manually outside the SCIM flow and do not receive automated deprovisioning.", "gaps": "Contractors and agency staff lack formal lifecycle management; privileged accounts bypass automated deprovisioning; no service account management discussed.", "quote": "Travel nurses and agency staff are not in Workday. The staffing office tracks them in a spreadsheet, and offboarding depends on the unit manager emailing the service desk when an assignment ends. Nobody owns the follow-up. In our April access audit we found 23 contractor accounts still active past …", "quoteValid": true }, { "controlId": "PR.AA-05", "coverage": "partial", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "Meridian conducts quarterly Okta access certifications with 96% completion rate for federated applications. However, Active Directory privileged group membership (Domain Admins, Server Operators, MedChart superuser roles) has never been formally reviewed. A terminated DBA retained enabled Domain Admins membership for 3 weeks after termination, with system logon activity on February 9 (3 weeks post-termination).", "gaps": "No recurring recertification of Active Directory privileged groups; privileged accounts bypass standard review cycles; no evidence of least privilege enforcement for admin roles.", "quote": "But we have never run a formal recertification of Active Directory privileged group membership. Domain Admins, Server Operators, and the MedChart superuser roles have never been through a documented review. The April audit was a one-off that the CISO requested after the DBA incident.", "quoteValid": true }, { "controlId": "PR.AA-06", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Physical access controls include badge systems with weekly deactivation batches and separated server room access for 30 authorized personnel. However, terminated employees retain working badges for up to 4 days due to weekly batch processing. Badge systems are not integrated with identity systems, and server room access follows the same weekly deactivation schedule.", "gaps": "Badge deactivation delayed up to 4 days post-termination; no integration between badge and identity systems; server room access not immediately revoked upon termination.", "quote": "Badge deactivation is a weekly batch. Physical Security runs the termination list against the badge system every Friday afternoon. So someone terminated on a Monday keeps a working badge for up to four days.", "quoteValid": true } ], "findingsTotal": 3 }, { "caseId": "pr-03-encryption-review", "csfFunction": "PR", "pass": false, "fromCache": true, "controlIds": [ "PR.DS-01", "PR.DS-02", "PR.DS-11" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "not encrypted at rest", "TDE is not enabled", "unencrypted", "LUN 47" ], "controlIdHint": "PR.DS-01", "matched": true, "matchedControlId": "PR.DS-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "HL7", "MLLP", "cleartext", "port 6661" ], "controlIdHint": "PR.DS-02", "matched": true, "matchedControlId": "PR.DS-02", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "Managed HSM", "Key Vault", "Transparent Data Encryption", "TDE using AES-256" ], "controlIdHint": "PR.DS-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "TLS 1.0", "3DES" ], "controlIdHint": "PR.DS-02", "matched": true, "matchedControlId": "PR.DS-02", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "restore test", "restoration", "18 months" ], "controlIdHint": "PR.DS-11", "matched": true, "matchedControlId": "PR.DS-11", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "immutable", "Commvault", "14-day" ], "controlIdHint": "PR.DS-11", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 3, "valid": 3 }, "usage": { "inputTokens": 5973, "outputTokens": 1228 }, "summary": "This encryption architecture review reveals a mixed security posture with strong controls for some systems but critical gaps in others. The organization demonstrates mature encryption practices for Azure-hosted systems with proper key management, but legacy on-premises systems present significant exposure risks through unencrypted databases and cleartext clinical interfaces.", "findings": [ { "controlId": "PR.DS-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Encryption at rest is implemented for most systems but with critical gaps in the LabTrak database. MedChart One uses Azure SQL TDE with AES-256 and customer-managed keys in Azure Key Vault Managed HSM (FIPS 140-3 Level 3) with annual rotation. Endpoints enforce BitLocker through Intune compliance policy. However, LabTrak database containing 1.9 million patient records over 11 years runs on unencrypted SQL Server 2014 with no TDE or volume-level encryption on Dell Unity LUN 47.", "gaps": "LabTrak database storing 1.9 million patient records is completely unencrypted at rest. The underlying SAN volume (Dell Unity LUN 47) also lacks volume-level encryption. This represents a significant exposure of 11 years of laboratory results data.", "quote": "LabTrak runs on SQL Server 2014 (extended support ended July 2024) at the Riverton General data center. The database is not encrypted at rest: TDE is not enabled, and the underlying SAN volume (Dell Unity LUN 47) has no volume-level encryption. The database holds approximately 1.9 million patient r…", "quoteValid": true }, { "controlId": "PR.DS-02", "coverage": "partial", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "External TLS implementation includes modern ciphers (TLS 1.2/1.3) and HSTS on the patient portal, with IPsec-encrypted site-to-site MPLS links using AES-256-GCM. However, critical gaps exist: all 41 HL7 v2 interfaces transmit patient data (names, DOB, MRNs, results) in cleartext over MLLP/TCP port 6661 across the hospital LAN. One legacy API still accepts TLS 1.0 and 3DES for IVR integration.", "gaps": "All 41 production HL7 interfaces carrying PHI operate without encryption despite Rhapsody supporting MLLP over TLS. Legacy appointment-reminders-api accepts deprecated TLS 1.0 and 3DES cipher suites. Both represent active data exposure risks.", "quote": "HL7 v2 messages exchanged between LabTrak, MedChart One, and the Rhapsody interface engine are transmitted as MLLP over TCP port 6661 in cleartext across the hospital LAN. These messages carry patient names, dates of birth, medical record numbers, ordering providers, and result values. None of the …", "quoteValid": true }, { "controlId": "PR.DS-11", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Backup protection includes Commvault with AES-256 encryption in transit and at rest, secondary replication to Azure immutable blob storage with 14-day lock, and keys escrowed in Azure Managed HSM. Daily monitoring tracks backup job success rates. However, restore testing is inadequate: no LabTrak restore test in 18 months, last MedChart One test in October 2024, with restore capability asserted rather than demonstrated.", "gaps": "Backup restoration capability is not regularly validated. The most recent documented restore test for any clinical system was MedChart One in October 2024, with no LabTrak restoration testing in the last 18 months.", "quote": "No test restoration of the LabTrak database has been performed in the last 18 months. The most recent documented restore test for any clinical system was MedChart One in October 2024. Backup job success rates are monitored daily, but restore capability is asserted, not demonstrated.", "quoteValid": true } ], "findingsTotal": 3 }, { "caseId": "rc-01-bcdr-policy", "csfFunction": "RC", "pass": false, "fromCache": true, "controlIds": [ "RC.RP-01", "RC.RP-02", "RC.RP-03", "RC.CO-01", "PR.DS-11", "ID.IM-04" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "failover", "over two years", "never been validated" ], "controlIdHint": "RC.RP-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": true, "severityMet": false }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "EHR database", "restoration test", "deferred" ], "controlIdHint": "PR.DS-11", "matched": true, "matchedControlId": "PR.DS-11", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "integrity verification", "malware scanning", "assumed clean" ], "controlIdHint": "RC.RP-03", "matched": true, "matchedControlId": "RC.RP-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "call tree", "no longer employed", "communications lead" ], "controlIdHint": "RC.CO-01", "matched": true, "matchedControlId": "RC.CO-01", "matchedSeverity": "medium", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "immutable", "3-2-1", "AES-256" ], "controlIdHint": "PR.DS-11", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "tier", "dependencies", "restoration order" ], "controlIdHint": "RC.RP-02", "matched": true, "matchedControlId": "RC.RP-02", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 6, "valid": 6 }, "usage": { "inputTokens": 5990, "outputTokens": 1477 }, "summary": "Meridian Health Systems maintains a structured Business Continuity and Disaster Recovery Policy with defined recovery tiers, backup procedures following 3-2-1 rule, and formal integration with incident response processes. However, critical gaps exist in testing validation - the primary clinical system (MedTrak EHR) has never undergone restoration testing, and no full failover exercises have occurred since 2023, undermining confidence in actual recovery capabilities.", "findings": [ { "controlId": "RC.RP-01", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Recovery procedures are documented in runbook RB-114 and formally triggered by the incident response process. The document specifies 'When recovery is initiated by the incident response process, operators follow runbook RB-114' with 4-step restoration procedure including Incident Commander confirmation.", "quote": "When recovery is initiated by the incident response process, operators follow runbook RB-114", "quoteValid": true }, { "controlId": "RC.RP-02", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Recovery prioritization is established through tier model (Tier 0: 4 hours, Tier 1: 24 hours, Tier 2: 72 hours) with dependencies mapped in Appendix B. System restoration order within tiers is pre-approved by the CIO.", "gaps": "RTO/RPO values were set in 2023 workshop but have never been validated through full failover exercise", "quote": "Recovery tiers were defined in a 2023 workshop with clinical and revenue-cycle leadership. Each tier lists upstream and downstream dependencies in Appendix B, and restoration order within a tier is pre-approved by the CIO.", "quoteValid": true }, { "controlId": "RC.RP-03", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Restoration procedure includes no integrity verification or malware scanning before restoration. Policy explicitly states 'Backups are assumed clean' with no verification steps documented.", "gaps": "No integrity verification, malware scanning, or validation procedures before restoration. Restoration from potentially compromised backup media poses security risk.", "quote": "The policy does not require integrity verification or malware scanning of backup media before restoration. Backups are assumed clean.", "quoteValid": true }, { "controlId": "RC.CO-01", "coverage": "partial", "findingType": "risk", "severity": "medium", "confidence": "high", "observation": "Communication procedures are documented with recovery call tree in Appendix A and defined stakeholder notifications. However, call tree contains 2 of 5 recovery coordinators no longer employed at Meridian, including the incident communications lead, and was last updated in June 2023.", "gaps": "Outdated call tree with 40% of listed personnel no longer employed. Missing current contact information poses communication failure risk during actual recovery.", "quote": "The recovery call tree in Appendix A was last updated in June 2023. Two of the five named recovery coordinators are no longer employed at Meridian, including the listed incident communications lead.", "quoteValid": true }, { "controlId": "PR.DS-11", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "Backup strategy follows 3-2-1 rule with nightly Veeam backups, AES-256 encryption, and 30-day immutable repository. Quarterly testing is required for Tier 0 and Tier 1 systems. However, 2025 testing covered only file shares and 2 application VMs - MedTrak EHR database shows 'deferred' status in all four quarters.", "gaps": "Critical Tier 0 system (MedTrak EHR database) has never been included in restoration testing despite quarterly testing requirements. Inability to restore primary clinical system poses patient care continuity risk.", "quote": "Restoration tests performed during 2025 covered only file shares and two application VMs. The MedTrak EHR database has never been included in a restoration test. The resilience register shows the EHR entry as \"deferred\" in all four quarters of 2025.", "quoteValid": true }, { "controlId": "ID.IM-04", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Business Continuity Policy POL-BC-007 v3.1 has defined annual review cycle with last review on 2025-11-04. Document shows 4 versions since 2021 indicating maintenance activity. However, required annual full failover exercises have not occurred since October 2023 - both 2024 and 2025 exercises were cancelled or not scheduled.", "gaps": "Annual disaster recovery exercises required but not performed for over 2 years. Policy testing and validation incomplete despite documentation maintenance.", "quote": "The last full failover exercise was completed in October 2023. The 2024 exercise was cancelled due to the MedTrak version 11 upgrade freeze, and the 2025 exercise was never scheduled. No full failover test has been performed in over two years.", "quoteValid": true } ], "findingsTotal": 6 }, { "caseId": "rc-02-recovery-interview", "csfFunction": "RC", "pass": true, "fromCache": true, "controlIds": [ "RC.RP-01", "RC.RP-02", "RC.RP-03", "RC.RP-05", "RC.CO-01", "RC.CO-02", "ID.IM-03" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "scan the backup", "ransomware binary", "ransomware binaries", "unverified backups", "malware scanning of backup", "without scanning" ], "controlIdHint": "RC.RP-03", "matched": true, "matchedControlId": "RC.RP-03", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "integrity checks", "validated the application", "back into production" ], "controlIdHint": "RC.RP-05", "matched": true, "matchedControlId": "RC.RP-05", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "executive team", "status updates", "clinic manager" ], "controlIdHint": "RC.CO-01", "matched": true, "matchedControlId": "RC.CO-01", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "tier list", "improvised", "restore order" ], "controlIdHint": "RC.RP-02", "matched": true, "matchedControlId": "RC.RP-02", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "lessons learned", "improvement actions" ], "controlIdHint": "ID.IM-03", "matched": true, "matchedControlId": "ID.IM-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "Ohio Department of Health", "regulator", "reporting window" ], "controlIdHint": "RC.CO-02", "matched": true, "matchedControlId": "RC.CO-02", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 7, "valid": 7 }, "usage": { "inputTokens": 5968, "outputTokens": 1639 }, "summary": "The organization demonstrates strong tactical execution capabilities with documented recovery procedures and regulatory compliance, but lacks critical verification and improvement processes. Recovery from a recent ransomware incident was completed within RTO targets using current runbooks, and external regulatory notifications followed proper procedures. However, the organization restored unverified backups and returned systems to production without integrity validation, discovering data corruption one week later.", "findings": [ { "controlId": "RC.RP-01", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Documented recovery procedure (runbook RB-114) exists and was executed successfully during the February 17-18 ransomware incident. Recovery team was assembled within 40 minutes and followed current runbook steps, achieving recovery within the 24-hour RTO target at 11 hours total duration.", "quote": "Once the incident commander declared containment complete, we initiated recovery from runbook RB-114, our documented ransomware recovery procedure. The recovery team was assembled within 40 minutes, and honestly that part went well. The runbook steps were current and the on-call engineers knew them.", "quoteValid": true }, { "controlId": "RC.RP-02", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Recovery prioritization was improvised during the incident rather than following a documented procedure. The business continuity plan contains outdated tier lists and system dependency mappings that do not reflect current reality, forcing the team to create restore order decisions on a whiteboard at 2 a.m.", "gaps": "BC plan tier list does not match current environment; dependency appendix references decommissioned systems; no current prioritization framework resulted in suboptimal restore order (billing interface before lab results interface when lab was more urgently needed)", "quote": "The tier list in the BC plan did not match reality. Nobody could tell me which system to bring back first, so we improvised on a whiteboard at 2 a.m. We restored the billing interface before the lab results interface, and the clinic actually needed lab results far more urgently. The dependency appe…", "quoteValid": true }, { "controlId": "RC.RP-03", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "No backup integrity verification process exists. During the February incident, the team restored directly from Monday night Veeam backups without scanning for ransomware binaries or verifying the backup was taken before the compromise occurred. The organization acknowledges they 'got lucky that the backup was clean.'", "gaps": "No documented procedure for backup integrity verification; no malware scanning of backup media before restore; no validation that backup pre-dates the compromise", "quote": "We did not scan the backup images for the ransomware binary before restoring, and we did not check whether the attacker had been in the environment before that restore point was taken. In hindsight we got lucky that the backup was clean.", "quoteValid": true }, { "controlId": "RC.RP-05", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "No integrity verification process exists for restored systems. Imaging servers were returned to clinical production the same night without integrity checks on restored data or application validation. Radiologists served as an inadvertent smoke test, and 2 corrupted study folders were discovered one week later.", "gaps": "No post-restore integrity checks; no application validation before production use; no functional testing procedures; no defined criteria for declaring normal operating status", "quote": "The imaging servers went back into production the same night. Nobody ran integrity checks on the restored data, and no one validated the application before clinicians started reading studies again the next morning. The radiologists were effectively our smoke test. We found two corrupted study folde…", "quoteValid": true }, { "controlId": "RC.CO-01", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "No internal recovery communication procedures exist. During the February incident, no recovery status updates were provided to executive leadership, resulting in the CEO learning about the outage from a clinic manager rather than the IT team. No communication cadence, templates, or ownership was established.", "gaps": "No defined recovery communication procedures; no status update cadence for executives; no communication ownership during recovery; no recovery communication templates", "quote": "Our CEO learned about the outage from a clinic manager, not from us. We never sent recovery status updates to the executive team during the incident. There was no cadence, no template, nothing. My team was heads-down restoring servers and nobody owned communications.", "quoteValid": true }, { "controlId": "RC.CO-02", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "External regulatory notification process is documented and was executed properly during the February incident. The compliance officer notified the Ohio Department of Health within the required reporting window and maintained ongoing updates through incident closure following documented procedures.", "quote": "Our compliance officer notified the Ohio Department of Health within the required reporting window and kept the regulator updated through closure. That process is documented and she followed it to the letter.", "quoteValid": true }, { "controlId": "ID.IM-03", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "No continuous improvement process exists for operational incidents. Six weeks after the February ransomware incident, no lessons learned session has been conducted, no improvement actions have been logged, and a draft timeline document remains unactioned. The organization acknowledges that if the same incident occurred tomorrow, the same gaps would persist.", "gaps": "No post-incident review process; no lessons learned documentation; no improvement action tracking; no systematic approach to addressing recurring operational issues", "quote": "We have not held a lessons learned session, and it has been six weeks. Everyone went back to project work the following Monday. I have a draft timeline document sitting in my inbox, but no meeting has been scheduled and no improvement actions have been logged.", "quoteValid": true } ], "findingsTotal": 7 }, { "caseId": "rc-03-backup-log-review", "csfFunction": "RC", "pass": false, "fromCache": true, "controlIds": [ "RC.RP-01", "RC.RP-03", "RC.RP-04", "PR.DS-11" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "restore verification", "RESTORE-VERIFY-EHR", "four consecutive months" ], "controlIdHint": "RC.RP-03", "matched": true, "matchedControlId": "RC.RP-03", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "replication", "paused", "stale data" ], "controlIdHint": "RC.RP-01", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": true, "severityMet": false }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "RPO", "transaction log", "24 hours" ], "controlIdHint": "PR.DS-11", "matched": true, "matchedControlId": "PR.DS-11", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "operational baseline", "administrator account", "remains enabled" ], "controlIdHint": "RC.RP-04", "matched": true, "matchedControlId": "RC.RP-04", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "99.2", "success rate", "daily automated report" ], "controlIdHint": "PR.DS-11", "matched": false, "matchedControlId": null, "matchedSeverity": null, "matchedFindingType": null, "hintAgreed": false, "typeKeywordMatched": false, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 4, "valid": 4 }, "usage": { "inputTokens": 5951, "outputTokens": 1184 }, "summary": "The backup and DR infrastructure shows mixed maturity with documented processes and encryption standards, but critical operational gaps create recovery risks. While backup jobs maintain high success rates, verification testing has failed for 4 months and DR replication is stale by 9 weeks, potentially compromising recovery capabilities when needed.", "findings": [ { "controlId": "RC.RP-01", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "medium", "observation": "Evidence shows recovery procedures were executed during the February 2026 Westgate imaging incident, with three imaging servers restored from backup. However, the document references recovery activities without evidence of a documented recovery plan or formal integration with incident response processes.", "gaps": "No documented recovery plan visible in evidence. Recovery appears ad-hoc rather than following a structured procedure integrated with IR processes.", "quote": "Following the February 2026 Westgate imaging recovery, the three restored imaging servers were returned to service from backup images taken before the incident.", "quoteValid": true }, { "controlId": "RC.RP-03", "coverage": "partial", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "Monthly RESTORE-VERIFY-EHR job exists to verify backup integrity via automated test restore and checksum comparison. However, this verification has failed for 4 consecutive months (December 2025 through March 2026) due to storage issues on VERIFY-HOST-02, leaving no current evidence that EHR backups are restorable.", "gaps": "Backup integrity verification failing for 4 months with no remediation. No alerting on verification failures. Critical system backup restorability unknown.", "quote": "The restore verification job for the EHR database has failed for four consecutive months with the same storage error. No ticket was opened for any of the four failures. The job result is excluded from the daily automated report because verification jobs were never added to the report scope. As of t…", "quoteValid": true }, { "controlId": "RC.RP-04", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "After the February 2026 Westgate incident recovery, restored imaging servers were returned to service without establishing updated operational baselines or applying security hardening. The local administrator account compromised during the incident remains enabled with the same password, creating ongoing exposure.", "gaps": "No post-incident security improvements implemented. Compromised credentials still active. Hardening recommendations from containment phase not applied to restored systems.", "quote": "No updated operational baseline was established for the restored servers after recovery. The local administrator account that the attacker used for lateral movement remains enabled on all three restored imaging servers, with the same password it had before the incident. Hardening recommendations fr…", "quoteValid": true }, { "controlId": "PR.DS-11", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Backup infrastructure covers 412 production workloads with 99.2% success rate in Q1 2026. Veeam Backup & Replication 12 with immutable hardened repository provides 3-2-1 compliance. All backup data encrypted with AES-256. However, critical gaps exist: EHR backup verification failing for 4 months, DR replication paused for 9 weeks, and transaction log frequency misaligned with RPO (24 hours vs 4 hour target).", "gaps": "Backup testing failures unresolved for 4 months. DR replication stale by 9 weeks. RPO targets not met due to insufficient backup frequency.", "quote": "Backup job success rate for the quarter was 99.2 percent across all 412 protected workloads. Failures are surfaced in a daily automated report delivered to the infra-ops channel each morning at 06:00, and all 11 backup job failures in Q1 were remediated within one business day. All backup data is e…", "quoteValid": true } ], "findingsTotal": 4 }, { "caseId": "rs-01-ir-plan-testing", "csfFunction": "RS", "pass": false, "fromCache": true, "controlIds": [ "RS.MA-01", "RS.MA-02", "RS.MA-03", "RS.MA-04", "RS.MA-05", "ID.IM-02", "ID.IM-04" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "tabletop", "never been tested", "untested", "exercise" ], "controlIdHint": "ID.IM-02", "matched": true, "matchedControlId": "ID.IM-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "roster", "escalation contact", "no longer employed", "outdated", "departed" ], "controlIdHint": "RS.MA-04", "matched": true, "matchedControlId": "RS.MA-04", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "recovery", "criteria", "safe to rebuild" ], "controlIdHint": "RS.MA-05", "matched": true, "matchedControlId": "RS.MA-05", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "retainer", "law enforcement", "external", "third part", "insurance" ], "controlIdHint": "RS.MA-01", "matched": true, "matchedControlId": "RS.MA-01", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "severity", "classification", "matrix", "prioritiz" ], "controlIdHint": "RS.MA-03", "matched": true, "matchedControlId": "RS.MA-03", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [ { "rule": "missCitations", "details": [ "RS.MA-02", "RS.MA-03" ] } ], "citations": { "total": 7, "valid": 5 }, "usage": { "inputTokens": 6121, "outputTokens": 2029 }, "summary": "Meridian Health Systems has established a structured incident response policy with defined severity levels and internal escalation procedures, but critical gaps exist in plan testing and third-party coordination. The policy demonstrates organizational maturity through version control and clinical leadership involvement in severity definitions, yet poses operational risks due to untested procedures and outdated contact information.", "findings": [ { "controlId": "RS.MA-01", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "The incident response policy (POL-IR-001 v1.2) contains escalation procedures for internal stakeholders but lacks defined coordination with external third parties. No incident response retainer is in place with forensics firms, and the policy states that coordination with third parties is left 'to the discretion of the CISO' without pre-established contacts or activation procedures.", "gaps": "No external forensics retainer in place; no defined procedures for engaging law enforcement, cyber insurance carriers, or external counsel; no pre-established third-party contacts; policy has never been tested end-to-end since approval in February 2024.", "quote": "Meridian does not hold an incident response retainer with any external forensics firm. This policy does not define when or how to engage law enforcement, the cyber insurance carrier, or external counsel during an incident; coordination with third parties is left 'to the discretion of the CISO' with…", "quoteValid": true }, { "controlId": "RS.MA-02", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "The incident response policy establishes a formal triage process where all suspected incidents are classified using a four-level severity matrix. Severity is assigned by the on-duty analyst and validated by the Security Operations Manager. Response targets are defined for each level (15-minute acknowledgment for SEV1, 1-hour for SEV2, 4-hour for SEV3, next business day for SEV4).", "quote": "All suspected incidents are classified at triage using the following matrix: SEV1 - 15 minute acknowledgment, immediate CISO notification; SEV2 - 1 hour acknowledgment; SEV3 - 4 hour acknowledgment; SEV4 - Next business day. Severity is assigned by the on-duty analyst and validated by the Security …", "quoteValid": false }, { "controlId": "RS.MA-03", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "The policy defines a detailed 4-level severity classification matrix with specific criteria, examples, and response targets. SEV1 incidents (confirmed impact to patient care or suspected ePHI exposure) receive 15-minute acknowledgment and immediate CISO notification, while lower severity incidents have progressively longer response times. The severity definitions were developed collaboratively with clinical leadership in 2024.", "gaps": "Escalation roster contains outdated contact information with 2 of 6 contacts no longer employed by Meridian as of November 2024.", "quote": "Level SEV1: Confirmed impact to patient care delivery or suspected ePHI exposure, Example: Ransomware on clinical systems, Response Target: 15 minute acknowledgment, immediate CISO notification. The severity definitions were workshopped with clinical leadership in 2024 and include explicit patient-…", "quoteValid": false }, { "controlId": "RS.MA-04", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "The policy defines escalation procedures with SEV1 incidents requiring immediate CISO and VP notification. However, the Escalation Roster (Appendix A) contains significant inaccuracies - it was last updated in November 2023 and still lists the former Security Operations Manager who left in November 2024, plus an out-of-service phone number for Network Engineering.", "gaps": "Escalation roster is 14 months outdated; 2 of 6 escalation contacts no longer work for Meridian; one listed phone number is no longer in service; no evidence of escalation execution validation in past incidents.", "quote": "The Escalation Roster in Appendix A was last updated in November 2023. It still lists Priya Raman as Security Operations Manager and as the primary SEV1 contact; she left Meridian in November 2024. Two of the six escalation contacts on the roster are no longer employed by Meridian.", "quoteValid": true }, { "controlId": "RS.MA-05", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "The policy lacks defined criteria for confirming containment completion before recovery begins. The recovery decision is made 'when the incident commander judges it appropriate' with no objective criteria. During the December 2025 malware incident, restoration from backup was initiated while the affected VLAN was still under investigation, demonstrating active risk of premature recovery.", "gaps": "No defined criteria for containment verification; no recovery authorization checklist; documented case of premature recovery during December 2025 incident while investigation was ongoing.", "quote": "The decision to begin recovery is made 'when the incident commander judges it appropriate.' No criteria are defined for confirming that containment is complete before restoration begins. During the December 2025 malware event on a clinic file server, restoration from backup was started while the af…", "quoteValid": true }, { "controlId": "ID.IM-02", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "The policy requires annual tabletop exercises and semiannual technical drills, but no testing has occurred since the plan's approval in February 2024. The required annual tabletops for 2024 and 2025 did not occur, no technical drills have been scheduled, and the plan has never been tested end-to-end according to Security Operations confirmation.", "gaps": "No tabletop exercises conducted since plan approval in February 2024; required annual exercises for 2024 and 2025 not performed; no semiannual technical drills scheduled; plan never tested end-to-end; no exercise reports or after-action documents exist.", "quote": "No tabletop exercise or simulation has been conducted since this plan was approved in February 2024. The required annual tabletops for 2024 and 2025 did not occur and no technical drills have been scheduled. Security Operations confirmed the plan has never been tested end to end, and no exercise re…", "quoteValid": true }, { "controlId": "ID.IM-04", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "The incident response policy (POL-IR-001 v1.2) shows active version management with 3 revisions since February 2024 and was last reviewed in January 2025. However, the plan has never been tested since establishment, and the escalation roster contains outdated contact information, indicating incomplete maintenance and communication processes.", "gaps": "Plan has never been tested end-to-end since establishment; escalation roster contains outdated contacts; no evidence of plan distribution to stakeholders after updates; no testing-based improvements implemented.", "quote": "This plan must be exercised through an annual tabletop exercise involving Security Operations, Infrastructure, Legal, and Communications, plus a semiannual technical drill simulating a SEV1 scenario. No tabletop exercise or simulation has been conducted since this plan was approved in February 2024.", "quoteValid": true } ], "findingsTotal": 7 }, { "caseId": "rs-02-escalation-comms", "csfFunction": "RS", "pass": true, "fromCache": true, "controlIds": [ "RS.MA-02", "RS.MA-03", "RS.MA-04", "RS.CO-01", "RS.CO-02", "RS.CO-04" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "after-hours", "after hours", "shared mailbox", "on-call", "overnight" ], "controlIdHint": "RS.MA-04", "matched": true, "matchedControlId": "RS.MA-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": false, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "breach notification", "HIPAA", "regulator", "Office for Civil Rights", "OCR" ], "controlIdHint": "RS.CO-02", "matched": true, "matchedControlId": "RS.CO-02", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "public", "press", "reporter", "holding statement", "spokesperson" ], "controlIdHint": "RS.CO-04", "matched": true, "matchedControlId": "RS.CO-04", "matchedSeverity": "medium", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "triage", "ServiceNow", "30 minute", "validated" ], "controlIdHint": "RS.MA-02", "matched": true, "matchedControlId": "RS.MA-02", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "judgment call", "no written criteria", "inconsistent", "discretion" ], "controlIdHint": "RS.MA-04", "matched": true, "matchedControlId": "RS.MA-04", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "mustNotViolations": [], "citations": { "total": 9, "valid": 9 }, "usage": { "inputTokens": 6212, "outputTokens": 1744 }, "summary": "Meridian demonstrates strong business-hours incident triage capabilities with automated ServiceNow integration and 95%+ SLA achievement, but critical gaps exist in after-hours coverage and stakeholder coordination. The March incident revealed an 8-hour detection blind spot and ad hoc coordination beyond technical teams.", "findings": [ { "controlId": "RS.MA-02", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "During business hours, Meridian operates a disciplined triage process with automated ServiceNow ticket creation, 30-minute SLA achievement over 95% of the time, and manager validation of SEV1/SEV2 classifications. However, after-hours coverage is non-existent.", "gaps": "No after-hours triage capability. Alerts route to an unmonitored shared mailbox after 6pm and weekends, creating an 8-hour detection blind spot confirmed in incident INC-2026-0142 where a Sunday 11:40pm CrowdStrike alert went unnoticed until Monday morning.", "quote": "We hit our 30 minute triage target on better than 95 percent of tickets during business hours", "quoteValid": true }, { "controlId": "RS.MA-02", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "After-hours incident triage capability is completely absent. Critical alerts during off-hours remain unattended until the next business day, as demonstrated in the March incident where an attacker had 8 hours of undetected access.", "gaps": "No on-call rotation, no MDR service, no after-hours monitoring. Funding requests for coverage have been denied twice.", "quote": "After 6 pm and on weekends, alerts route to a shared mailbox that nobody is required to watch.", "quoteValid": true }, { "controlId": "RS.MA-03", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Meridian operates a documented SEV1 to SEV4 severity matrix with Security Operations Manager validation of high-severity (SEV1/SEV2) classifications during business hours.", "gaps": "Categorization criteria are undefined, leading to inconsistent analyst decisions. No documented escalation criteria beyond the severity matrix.", "quote": "assigns a severity from our SEV1 to SEV4 matrix", "quoteValid": true }, { "controlId": "RS.MA-04", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Escalation decisions rely on individual analyst judgment without documented criteria. The formal escalation roster in the IR policy contains outdated contact information, with the Security Operations Manager maintaining current contacts informally in personal phone records.", "gaps": "No written escalation criteria such as 'confirmed lateral movement equals immediate escalation.' Escalation roster lists predecessor as primary contact. Inconsistent escalation behavior across analysts.", "quote": "whether something gets escalated is a judgment call by whoever is on shift", "quoteValid": true }, { "controlId": "RS.CO-01", "coverage": "partial", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Technical incident coordination functions effectively with dedicated Teams channels, bridge lines, and participation from Infrastructure and Epic teams during SEV1 incidents, as demonstrated during the March incident.", "gaps": "Coordination beyond technical teams is undefined. Legal and Communications have never participated in incident response despite being named in the IR policy.", "quote": "For SEV1 we spin up a dedicated Teams channel and a bridge line, and that part works well.", "quoteValid": true }, { "controlId": "RS.CO-01", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Non-technical stakeholder coordination is undefined in practice. Legal and Communications teams listed in the IR policy have never participated in actual incidents, with the general counsel seeing the IR policy for the first time during the March incident.", "gaps": "Legal and Communications have never been on incident bridges. General counsel unaware of assigned IR role until March incident. No practiced coordination procedures beyond technical teams.", "quote": "Legal and Communications have never been on an incident bridge, ever.", "quoteValid": true }, { "controlId": "RS.CO-02", "coverage": "none", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "No defined owner or process exists for regulatory breach notification. During the March incident, Security and Legal teams each assumed the other was responsible for HIPAA notifications, with no documented decision authority or HHS reporting timeline knowledge.", "gaps": "No breach notification owner, no HIPAA/OCR notification templates, no documented reportability decision process, no HHS reporting timeline awareness among staff.", "quote": "There is no named owner for breach notification. I assumed Legal handled HIPAA notification; Legal told our GRC analyst they assumed Security did.", "quoteValid": true }, { "controlId": "RS.CO-02", "coverage": "none", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "Executive status reporting during incidents lacks defined cadence, templates, or single communication channel. During the March incident, conflicting impact summaries circulated among executives due to ad hoc email updates.", "gaps": "No status update template, no defined cadence, no single communication channel for executive updates.", "quote": "There is no defined update cadence, no status template, and at one point two different versions of the impact summary were circulating among the executive team.", "quoteValid": true }, { "controlId": "RS.CO-04", "coverage": "none", "findingType": "risk", "severity": "medium", "confidence": "high", "observation": "No public communications process exists for incidents. The communications office learned about the March incident from external press rather than internal notification, with no preapproved messaging or designated spokesperson authority.", "gaps": "No preapproved holding statements, no designated incident spokesperson, no notification process to communications team, no public messaging templates.", "quote": "Our communications office first heard about the March incident from a reporter's email, not from us.", "quoteValid": true } ], "findingsTotal": 9 }, { "caseId": "rs-03-forensics-readiness", "csfFunction": "RS", "pass": true, "fromCache": true, "controlIds": [ "RS.AN-03", "RS.AN-06", "RS.AN-07", "RS.AN-08", "RS.MI-01", "RS.MI-02" ], "mustFind": [ { "id": "mf-1", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "reimaged", "forensic", "disk image", "unrecoverable", "evidence preservation" ], "controlIdHint": "RS.AN-07", "matched": true, "matchedControlId": "RS.AN-07", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-2", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "chain of custody", "investigation log", "from memory", "reconstructed" ], "controlIdHint": "RS.AN-06", "matched": true, "matchedControlId": "RS.AN-06", "matchedSeverity": "high", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "mf-3", "findingType": "gap", "severityAtLeast": "high", "anyKeywords": [ "magnitude", "scope", "ePHI", "patient records", "dwell" ], "controlIdHint": "RS.AN-08", "matched": true, "matchedControlId": "RS.AN-08", "matchedSeverity": "high", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true } ], "shouldFind": [ { "id": "sf-1", "findingType": "gap", "severityAtLeast": "medium", "anyKeywords": [ "root cause", "MFA", "multi-factor", "not investigated" ], "controlIdHint": "RS.AN-03", "matched": true, "matchedControlId": "RS.AN-03", "matchedSeverity": "medium", "matchedFindingType": "gap", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-2", "findingType": "gap", "severityAtLeast": "low", "anyKeywords": [ "retention", "overwritten", "rotate", "14 days" ], "controlIdHint": "RS.AN-07", "matched": true, "matchedControlId": "RS.AN-07", "matchedSeverity": "critical", "matchedFindingType": "risk", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": true }, { "id": "sf-3", "findingType": "strength", "severityAtLeast": null, "anyKeywords": [ "containment", "isolated", "18 minutes", "eradication" ], "controlIdHint": "RS.MI-01", "matched": true, "matchedControlId": "RS.MI-01", "matchedSeverity": null, "matchedFindingType": "strength", "hintAgreed": true, "typeKeywordMatched": true, "severityMet": null } ], "mustNotViolations": [], "citations": { "total": 6, "valid": 6 }, "usage": { "inputTokens": 6326, "outputTokens": 1665 }, "summary": "The post-incident review reveals an organization with functional technical containment and eradication capabilities but critical gaps in forensic readiness and investigation procedures. While CrowdStrike Falcon enabled rapid containment and verified clean eradication, the lack of evidence preservation protocols led to permanent loss of critical forensic data including disk images and VPN logs.", "findings": [ { "controlId": "RS.AN-03", "coverage": "partial", "findingType": "gap", "severity": "medium", "confidence": "high", "observation": "The post-incident technical review attempted timeline reconstruction using multiple sources (ServiceNow, Falcon telemetry, Splunk events, Exchange traces), but failed to establish complete root cause. The documented root cause 'user clicked phishing link' addresses the initial vector but does not explain how the attacker bypassed multi-factor authentication on the jump server, leaving critical attack chain gaps unanalyzed.", "gaps": "Root cause analysis incomplete - no investigation of MFA bypass mechanism. Phishing kit was never examined. Multiple candidate explanations for MFA bypass (MFA fatigue, legacy auth path, session token theft) were not investigated. No MITRE ATT&CK mapping documented.", "quote": "This review found no analysis of how the attacker satisfied multi-factor authentication on the jump server. Candidate explanations (MFA fatigue prompting, a legacy authentication path on the VPN gateway, or session token theft) were not investigated, and the phishing kit was never examined. The rec…", "quoteValid": true }, { "controlId": "RS.AN-06", "coverage": "none", "findingType": "risk", "severity": "high", "confidence": "high", "observation": "No investigation logging procedures were followed during INC-2026-0142 response. Investigation actions were reconstructed from memory and scattered Teams messages three weeks after the fact, with several timestamps uncorroborated by system records. Chain of custody for the only preserved evidence (phishing mailbox PST) was not maintained - the file was distributed by email among three analysts with no custody documentation.", "gaps": "No investigation log template exists. No chain of custody procedures implemented. Evidence handling violated forensic integrity standards - PST file circulated without custody tracking, and three retained copies differ in file size with no canonical version established.", "quote": "No investigation log was kept during the response. The analyst actions in Section 2 were reconstructed from memory and from scattered Teams messages roughly three weeks after the fact. Several timestamps could not be corroborated by any system record.", "quoteValid": true }, { "controlId": "RS.AN-07", "coverage": "none", "findingType": "risk", "severity": "critical", "confidence": "high", "observation": "Critical incident data was permanently lost due to lack of preservation procedures. MER-JMP-02 was reimaged by Infrastructure on 2026-03-17 without any forensic disk imaging or memory capture, making original disk contents unrecoverable. GlobalProtect VPN logs containing attacker source address and session activity rotated at 14 days and were overwritten before analysis could occur.", "gaps": "No forensic hold procedures exist to prevent evidence destruction. No forensic imaging capabilities documented. No procedures to preserve volatile data or extend log retention for active investigations. Original attack evidence is permanently lost.", "quote": "MER-JMP-02 was reimaged by the Infrastructure team on 2026-03-17 before any forensic disk image or memory capture was taken. The original disk contents are unrecoverable.", "quoteValid": true }, { "controlId": "RS.AN-08", "coverage": "partial", "findingType": "gap", "severity": "high", "confidence": "high", "observation": "The incident involving Epic EHR jump server MER-JMP-02 was closed without determining actual impact scope. Epic access audit logs for the 8-hour dwell window (2026-03-15 23:38 to 2026-03-16 08:10) were never pulled, leaving the critical question 'were patient records exposed?' unanswered. The reportability analysis performed by the response team lacked factual basis for breach notification requirements.", "gaps": "No scoping procedures for clinical access incidents. Epic audit log review was not performed despite PHI exposure risk. Magnitude estimation incomplete - actual data accessed during dwell time unknown. Breach notification analysis performed without impact facts.", "quote": "The incident was closed without any estimate of what the attacker accessed during the roughly eight-hour dwell window. No one determined whether the attacker reached Epic or viewed ePHI. Epic access audit logs for the dwell window were never pulled, and the question 'were patient records exposed?' …", "quoteValid": true }, { "controlId": "RS.MI-01", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Containment was executed effectively once the incident reached an analyst. Falcon EDR network containment isolated MER-JMP-02 within 18 minutes of first human review at 08:10 on 2026-03-16. The credential compromise playbook was followed in sequence, with the compromised account disabled and all Active Directory sessions and tokens revoked by 08:45. This demonstrates functional technical containment capabilities and documented procedures.", "quote": "Containment performed well once the incident was in front of an analyst. Falcon network containment isolated the host in minutes, the playbook steps for credential compromise were followed in order", "quoteValid": true }, { "controlId": "RS.MI-02", "coverage": "full", "findingType": "strength", "severity": null, "confidence": "high", "observation": "Eradication procedures were executed with verification steps. MER-JMP-02 was completely reimaged by Infrastructure on 2026-03-17, and eradication was verified through an estate-wide Falcon scan completed 2026-03-20 showing clean results. A credential audit was also completed, with no persistence mechanisms found on any other host. The response team verified eradication rather than assuming completion.", "quote": "eradication was verified rather than assumed: the closing ticket includes the clean estate scan and the credential audit results. This sequence is a repeatable strength.", "quoteValid": true } ], "findingsTotal": 6 } ] }