Project 1: Technical Report on Healthcare Organization
Waise Sekander
University of Maryland University College

Abstract
Technology is ever-advancing and constantly creating new avenues for vulnerabilities in our information systems to be exploited. Midyear 2016, 60 percent of data breaches were attributed to hacking (HIPAA Journal, 2017). Although we are not the only ones who have fallen victim to cyberattacks, our duty to protect our customers' personal health information (PHI) should remain our top priority. With a more comprehensive security posture we barricade these vicious avenues from negatively impacting our patients.
Information Systems Infrastructure
The chart below explains the organizational structure of Whole HealthCare, which is based on two key structures: administrative operations and information efficacy. The information center stores all of the patient data for each healthcare unit. The latest trend is for healthcare centers to run their own information centers as separate entities, supervised by experienced personnel. This further divides the departments so that they work separately to provide assistance, technical services and information services to the departments and end users that require them. Information efficacy occurs when the increased use of computers enhances coordination and support in technical services and information technology.

Among business units, such as the pharmacy and business strategy, which could function within hospitals, the staff of the Health Center can coordinate by working towards efficient clinical and management skills.

Figure: Organizational Structure and Business Units (chart)

Mission Critical System
One of the mission critical systems is the encryption software for patients' electronic health records. The need for encryption software in organizations that store sensitive information is critical. Computerized physician order entry (CPOE) is the process of a medical professional entering medication orders or other physician instructions electronically instead of on paper charts. It helps reduce errors related to poor handwriting or transcription of medication orders (Rouse, 2014). It is also important for protecting health information by restricting access to just physicians and nurses, in order to avoid delays in the entire system, especially in medication orders and delivery.
The CPOE software should be used to restrict access to only physicians, nurses and authorized staff. Every user should have their own password, as the software is password protected, so that there is accountability in case of a breach.

Hardware
Our security posture relies on the configurations we set for our information systems. Our server room as a whole should be labeled as a mission critical area. Backup generators should be in working order at all times, and power to these systems, even if it is just to shut them down properly, should be guaranteed. Our physical servers, and the virtual ones within them, are crucial to the hospital's ability to operate during a disaster. Disaster Recovery Plans are already in place for our organization, which adds to our security posture when unexpected events arise.

Not only are our networking devices considered mission critical; our mechanical and electrical systems also have a significant impact on our business continuity during a disaster. Our HVAC systems ensure proper temperatures are set and controlled throughout the facility. This is especially important for housing patients and medicines that require controlled temperatures at all times. Our nurse call system and fire alarm systems should also remain in working order during emergencies.
These systems are crucial in acknowledging life-threatening situations and notifying staff members of emergencies (Ross, 2008).

Software
The Open Systems Interconnection (OSI) protocol comprises 7 layers, each of which handles data in a way that differs from the others. The unit in which a certain layer handles data is called a Protocol Data Unit (PDU). Some layers add layer-specific information to the data, which can take the form of a header, a trailer, or both. The header information is added at the start of the PDU, whereas the trailer information is added at the end of the PDU. This header or trailer contains information that is useful in controlling the communication between two entities (Alani, 2014).

TCP/IP protocol
TCP (Transmission Control Protocol) is the communication protocol that connects hosts to the internet and manages the transmission of data between the applications installed on the information system hardware. It is a standard procedure for transmitting data over networks. The Internet Protocol (IP) deals with transmitting data between the host computers connected to the information system.
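As an added illustration of the header/trailer idea in the Software section (example code, not from the report or from any OSI implementation), the Python below builds a two-layer PDU: a transport-style layer that prepends a header carrying ports and a length, and a link-style layer that prepends an address header and appends a CRC32 trailer. The layer names and field layout are assumptions chosen for the example; the decapsulation side checks the trailer so that a corrupted or tampered frame is rejected instead of being passed up the stack.

```python
# Added illustration of PDU encapsulation with headers and trailers.
# Constructed example: the layer names and field layout are hypothetical
# and are not taken from the OSI specification or from the report.
from __future__ import annotations
import struct
import zlib

# "Transport"-style layer: header only (source port, destination port, payload length).
TRANSPORT_HDR = struct.Struct("!HHH")
# "Link"-style layer: header (src addr, dst addr) plus a CRC32 trailer.
LINK_HDR = struct.Struct("!BB")
LINK_TRL = struct.Struct("!I")


def transport_encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Wrap upper-layer data in a transport PDU: header + payload."""
    return TRANSPORT_HDR.pack(src_port, dst_port, len(payload)) + payload


def link_encapsulate(segment: bytes, src: int, dst: int) -> bytes:
    """Wrap the transport PDU in a link PDU: header + data + trailer (CRC over header+data)."""
    body = LINK_HDR.pack(src, dst) + segment
    return body + LINK_TRL.pack(zlib.crc32(body) & 0xFFFFFFFF)


def link_decapsulate(frame: bytes) -> tuple[int, int, bytes]:
    """Verify the trailer checksum, strip header and trailer, return (src, dst, segment)."""
    if len(frame) < LINK_HDR.size + LINK_TRL.size:
        raise ValueError("frame too short")
    body, trailer = frame[:-LINK_TRL.size], frame[-LINK_TRL.size:]
    (crc,) = LINK_TRL.unpack(trailer)
    if crc != (zlib.crc32(body) & 0xFFFFFFFF):
        raise ValueError("checksum mismatch: frame corrupted or tampered")
    src, dst = LINK_HDR.unpack(body[:LINK_HDR.size])
    return src, dst, body[LINK_HDR.size:]


def transport_decapsulate(segment: bytes) -> tuple[int, int, bytes]:
    """Strip the transport header, checking its length field against the real payload."""
    src_port, dst_port, length = TRANSPORT_HDR.unpack(segment[:TRANSPORT_HDR.size])
    payload = segment[TRANSPORT_HDR.size:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    return src_port, dst_port, payload


def round_trip(message: bytes) -> bytes:
    """Encapsulate down two layers and decapsulate back up; returns the recovered message."""
    frame = link_encapsulate(transport_encapsulate(message, 40000, 443), 0x0A, 0x0B)
    _, _, segment = link_decapsulate(frame)
    _, _, payload = transport_decapsulate(segment)
    return payload


def is_corrupted(frame: bytes) -> bool:
    """True if the link layer rejects the frame (a single flipped bit is caught by the trailer)."""
    try:
        link_decapsulate(frame)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    good = link_encapsulate(transport_encapsulate(b"patient record 42", 40000, 443), 1, 2)
    print("round trip:", round_trip(b"patient record 42"))
    damaged = bytearray(good)
    damaged[5] ^= 0x01          # flip one bit inside the transport header
    print("damaged frame rejected:", is_corrupted(bytes(damaged)))
```

The CRC trailer only detects accidental corruption; it is not a security control, since an attacker who can modify the frame can recompute the checksum. Integrity against tampering needs a keyed MAC or authenticated encryption, which is the role the report assigns to the encryption of PHI in transit.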
CIA of PHI
The CIA triad refers to the confidentiality, integrity, and availability of information, in our case PHI. Our current security posture is strong, but it can be made stronger by tightening security in smaller areas. The confidentiality of information is protected by our system's access controls: those who require access to the system are granted it, and those who do not are denied. Confidentiality is pertinent because it ensures that our information has not been compromised. The integrity of our information is backed by our encryption procedures. Per the HIPAA Security Rule, we should be encrypting PHI in transmission to mitigate interception, and it should be encrypted when deemed appropriate (HIPAA Encryption Requirements, n.d.). For us, this means when it is stored in our file systems and when it is transmitted. While these guidelines are mandatory, our organization should stress this to employees who handle PHI frequently.

The availability of PHI is maintained with our Disaster Recovery and Business Continuity Plans. By making this information constantly available we are enforcing the CIA triad.

Vulnerabilities to Identity Management
The issue at hand is our identity management processes. In order to effectively control unauthorized access, the identities of individuals should be validated. It is not enough to impose partial security standards. Multiple methods should be in place to protect against the failure of any one of them. For example, if the password requirements are that the key must be 14 characters in length and include upper- and lowercase letters and numbers, that is a great first step. However, given enough time, this password could still be compromised by password cracking tools. But if an account lockout policy were in place after 3 incorrect attempts, the chances of a brute force attack succeeding could be mitigated.

Identity Management
Whole HealthCare employs an identity management process which utilizes biometric technologies to manage the identity information of users. The purpose of identity management is to prevent unauthorized users and to manage identities and credentials. Biometric methods do not guarantee absolute precision: although the error rate may be very low, there is always a chance that a biometric system may incorrectly refuse to authenticate a legitimate user, or wrongly accept an imposter (Jovanović et al., 2016).

Authentication & Authorization
Authentication and authorization are fundamental for both internal and external users to gain access to the healthcare organization's computer systems.
Identity management defines access controls for users, including hospital staff and patients or new patients who need to be authorized and authenticated.

Password Management and Protection
Users are allowed to create their own passwords to enable access to multiple systems. All users of the system must maintain and protect their own passwords, because they are held responsible for protecting them. Password protection is essential, which is why we recommend creating stronger passwords to make it extremely challenging, if not impossible, for hackers to gain access.

Multifactor Authentication
Multifactor authentication is recommended to increase the security of the healthcare information system because it requires a second authentication factor to fully confirm the identity of an authorized user. Single Sign-On (SSO) is very susceptible to a breach because it is an authentication that allows a user to access one or more resources within a single security domain: with SSO, clients log in once to gain access to different resources connected to a local area network (LAN), without the need to re-enter their login credentials (Jovanović et al., 2016).

Authorization
The identity management system authorizes specific users based on their attributes and identity, while limiting the amount of access granted. The access control installs the identity management systems to manage information, future authentication, and the authorization requests of any authorized member.

Access Control
Access control refers to the enforcement mechanism for the required security, basing access controls on physical attributes, sets of rules, and lists of individuals' identities (Saxena & Bong Jun, 2015). Access control gives healthcare management the authentication and authorization to provide security solutions in order to protect healthcare data.

Role-based Access Control
Role-based access control is managed by a central authority that determines what permissions subjects are given according to their individual roles. These access controls can be used in a computer or network to restrict or allow access based on a variety of criteria, e.g. users in the same role tend to have the same job functions, responsibilities, and duties associated with them (Stallings & Brown, 2008).

Threats
Confidentiality is currently one of the vulnerabilities within the CIA triad that we are addressing at our health organization. The recent data breach of our systems demonstrates that authorized users are being neglectful when handling sensitive patient data, eventually leading to a breach by an unauthorized user.

Insider Threat
Insider threats are considered to be the most damaging to an organization, because staff and employees have access to the information system. Former employees and staff could potentially be a threat as well, depending on the circumstances of their departure. Sensitive data can be altered and stolen within the organization, which should lead to precautionary tactics, e.g. an access log, in order to prevent such a situation. Organizations need to keep in mind and implement security policies that best protect their intellectual property, because within an organization the employee population is the source of potential malicious insiders (Carnaghan, n.d.).

Intrusion Motives
Intrusion motives differ within healthcare information systems. Financial intrusion motives could target gaining access to patients' social security numbers, which could potentially lead to identity theft, such as credit cards being opened in one of our patients' names.
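The following is an added example (not code from the report or from Whole HealthCare's systems) that ties the Role-based Access Control section to the Insider Threat section above: a central role-to-permission table is the only source of authority, every access decision is written to an audit log, and former employees are deactivated so their roles grant nothing. The role names, permissions, user accounts and resources are constructed for illustration.

```python
# Added example: role-based access control with an access log.
# The roles, permissions and sample requests are constructed for illustration
# and are not taken from Whole HealthCare's systems or from the report.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Central authority's role -> permission mapping (constructed).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "physician": frozenset({"ehr:read", "ehr:write", "cpoe:order"}),
    "nurse": frozenset({"ehr:read", "cpoe:order"}),
    "pharmacist": frozenset({"ehr:read", "cpoe:dispense"}),
    "billing": frozenset({"billing:read", "billing:write"}),
}


@dataclass
class User:
    name: str
    roles: set[str]
    active: bool = True  # former employees are deactivated rather than deleted


@dataclass
class AccessControl:
    """Enforcement point: decides each request from roles alone and logs every decision."""
    role_permissions: dict[str, frozenset[str]]
    audit_log: list[dict] = field(default_factory=list)

    def permissions_for(self, user: User) -> frozenset[str]:
        """Union of the permissions of the user's roles; an inactive account gets none."""
        if not user.active:
            return frozenset()
        perms: frozenset[str] = frozenset()
        for role in user.roles:
            perms |= self.role_permissions.get(role, frozenset())
        return perms

    def check(self, user: User, permission: str, resource: str) -> bool:
        allowed = permission in self.permissions_for(user)
        # Every decision, allowed or denied, is recorded so insider misuse leaves a trail.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "roles": sorted(user.roles),
            "active": user.active,
            "permission": permission,
            "resource": resource,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def denied_for(self, user_name: str) -> list[dict]:
        """Audit helper: denied requests by one account (repeated denials are a review signal)."""
        return [e for e in self.audit_log if e["user"] == user_name and e["decision"] == "DENY"]


def demo() -> AccessControl:
    """Run a few constructed requests through the enforcement point and return it for inspection."""
    ac = AccessControl(ROLE_PERMISSIONS)
    dr_lee = User("dr.lee", {"physician"})
    nurse_kim = User("nurse.kim", {"nurse"})
    former = User("ex.employee", {"billing"}, active=False)
    ac.check(dr_lee, "ehr:write", "patient/1001")      # ALLOW: physicians may write the EHR
    ac.check(nurse_kim, "ehr:write", "patient/1001")   # DENY: nurses may only read it
    ac.check(nurse_kim, "cpoe:order", "patient/1001")  # ALLOW: nurses may enter CPOE orders
    ac.check(former, "billing:read", "invoice/77")     # DENY: deactivated account
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry["decision"], entry["user"], entry["permission"], entry["resource"])
```

Decisions are derived from the role table at request time, so a revoked role or a deactivated account takes effect immediately, and the log records who asked for what even when the answer was no, which is the trail an investigation into insider misuse needs.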
Hacker Psychology
Most hackers' motives are clear and defined; in order to protect sensitive data and to prevent hackers from getting into the system, it is crucial to understand these motives. Spoofing is when a user receives a fake email with links to websites that allow the hacker to gain access and steal confidential information about patients or the healthcare organization.

Password Cracking Tools
Cain & Abel and Ophcrack were the two password cracking tools used for testing. The Brute Force and Dictionary Attack methods were available in the Cain & Abel software, while Ophcrack possessed a "crack" option to decipher the users' passwords. One of the benefits of having password cracking tools is that forgotten passwords can be recovered at a reduced security risk and changed once cracked. A risk associated with password cracking tools is that they could potentially be exposed to insider threats and then be used unethically, which is why only authorized users should have access to password cracking tools.
Benefits
Password cracking tools have given hackers the ability to solve hashes in minutes. These same tools can also be used for penetration testing to determine weak passwords within our own infrastructure. In using products such as Cain and Abel or Ophcrack, our organization can gain insight and awareness that can be the stronghold in keeping our accounts and PHI safe.

Risks
As new software is created, passwords will become easier to crack. Technology knows no boundaries in many aspects, which is why securing our networks, strengthening our physical and logical security, and mitigating every risk that we can becomes of utmost importance in this technology-ridden world.

Comparative Analysis
Cain and Abel and Ophcrack, the two password cracking tools tested, can be both useful and very dangerous at the same time. While we can learn from these products, so can our adversaries. In using these products to test our own password strengths we can foresee vulnerabilities that we perhaps may have overlooked. The passwords recovered by Ophcrack were all recovered simultaneously. The passwords were not complex; they were all related to the user's name. The 4 types of character sets are lower-case letters (abc), upper-case letters (ABC), digits (123), and special characters (@#$). A strong password should have a minimum of 15 characters, including at least one from each character set. Current password policies should require users to change their passwords every 60-90 days.

Types of Attacks
Dictionary attacks can be debilitating for users who use full words in their passwords. Word lists can be uploaded to password cracking programs, making it almost effortless to solve hashes. By ensuring that our password policies do not allow words that can be found in the dictionary, we can mitigate this threat. While it may be difficult to remember complex passwords, users can also spell out words using various characters. For example, the password floridagators could be turned into a more secure one by substituting characters that look similar: [email protected]@t0R5. It does take some extra steps to make a password secure, but if this is what our organization requires to keep our PHI safe, our users will become more skilled in creating harder passwords.

"A brute-force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities" (SpringerLink, 2014, p. 208). In simpler terms, brute force attacks occur when multiple password entries are sent to overload a system. Sometimes a correct password is guessed and sometimes a system becomes overloaded. In both scenarios, neither one is particularly good. Limiting the number of times an incorrect password can be entered before the account locks is a great way to keep these attacks from debilitating our systems. The most common limit is three: after three incorrect attempts, an account should lock, and administrators can then control access to the user's account. In many cases users are required to verify their identity either in person, via video teleconferencing, or by giving identifying information about themselves. Our policy should provide more than one way of validating an individual's identity and should be approved by the Chief Security Officer.

Speed
The speed at which these programs cracked passwords was impressive. For simpler passwords, such as xmen and M00n, both programs solved the hashes almost immediately. Ophcrack was easier and faster to use, but only works by using rainbow tables, whereas Cain and Abel can use a variety of attacks.

Precision
Cain and Abel was precise in solving hashes when the correct attack was chosen. Because not all passwords include dictionary words, a dictionary attack can certainly be unsuccessful. The good news is that Cain and Abel attacks in more than one way.
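The following added example (not code from the report or from either tool it evaluates) implements the defensive controls the Types of Attacks and Comparative Analysis sections call for, in Python: a password policy check enforcing the 15-character minimum with one character from each of the four sets, rejection of dictionary words and of the user's own name, salted slow hashing of stored passwords with PBKDF2 so that a leaked hash is not cracked in minutes, and account lockout after three incorrect attempts that only an administrator can clear. The word list, account names, iteration count and helper names are assumptions constructed for the example.

```python
# Added example of the password controls the report recommends: a complexity and
# dictionary check, salted slow hashing of stored passwords, and lockout after
# three failures. The word list, accounts and thresholds are constructed for
# illustration; none of this is code from the report or from the tools it evaluates.
from __future__ import annotations
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 15        # report: minimum of 15 characters, one from each character set
MAX_FAILURES = 3       # report: lock the account after three incorrect attempts
PBKDF2_ROUNDS = 200_000

# Constructed stand-in for a dictionary word list (a real deployment loads a full list).
WORD_LIST = {"florida", "gators", "password", "welcome", "hospital", "xmen", "moon"}


def policy_violations(password: str, username: str = "") -> list[str]:
    """Return the reasons a password fails the policy (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name}" for name, present in classes.items() if not present]
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    problems += [f"contains dictionary word '{w}'" for w in sorted(WORD_LIST) if w in lowered]
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: a per-user salt defeats rainbow tables, the rounds slow brute force."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class AuthService:
    accounts: dict[str, Account] = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        """Enforce the policy at registration; only the salted hash is stored."""
        problems = policy_violations(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; a lockout stays until an administrator clears it."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"             # same answer as a wrong password: no username enumeration
        if acct.locked:
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):   # constant-time comparison
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        """Administrator action, taken after the user's identity has been verified out of band."""
        acct = self.accounts[username]
        acct.failures, acct.locked = 0, False


if __name__ == "__main__":
    print(policy_violations("floridagators"))          # fails: short, no upper/digit/symbol, words
    svc = AuthService()
    svc.register("kirk", "Tr0ub4dor&3-Lamp-Wire!")
    print([svc.login("kirk", bad) for bad in ("a", "b", "c")])   # denied, denied, locked
```

The lockout returns "locked" even for a correct password, which is what the report asks for: the administrator, not the caller, decides when access resumes. Note that the correct-password branch resets the failure counter, so a legitimate user's occasional typo does not accumulate into a lockout.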
Rainbow tables are easily found for use in Ophcrack and make it easier to solve multiple account passwords in one operation. However, for passwords whose hash is unknown, Ophcrack will not be able to find them alone.

Workspace Exercise Results
Figure 1.1 Ophcrack
Figure 1.2 Cain & Abel Brute-Force
Figure 1.3 Cain & Abel Dictionary Attack

User Account results
- Xavier: Brute-Force was able to crack the password; Dictionary Attack no results
- Wolverine: Brute-Force was able to crack the password; Dictionary Attack no results
- Shield: Brute-Force will complete in 2+ years; Dictionary Attack no results
- EarthBase: Brute-Force will complete in 2+ years; Dictionary Attack no results
- dbmsAdmin: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Kirk: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Mouse: Brute-Force will complete in 2+ years; Dictionary Attack cracked the password
- Rudolph: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Snoopy: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Spock: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Apollo: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Chekov: Brute-Force will complete in 2+ years; Dictionary Attack no results
- Batman: Brute-Force will complete in 2+ years; Dictionary Attack no results

Password strength
Password strength was the most determining factor for cracking the account passwords. The longer the password, the more time consuming it becomes.
Likewise, making a password more difficult by including not just letters and numbers but also symbols can be the saving grace or the end-all in these situations. Requiring passwords to be at least 14 characters in length, with two uppercase letters, two lowercase letters, two numbers and two symbols, makes solving them more difficult and time consuming for hackers.

Findings/results
Both programs were successful in solving simple hashes, dictionary words and short passwords. Essentially, if the password was weak, these programs could crack it in under a minute. While both programs differ in ability, they both can be useful to our organization.

Recommendations
It is my recommendation that both programs be used for penetration testing on our information systems, because they are open source products. This comes at no cost, but with plenty of benefits. In using these programs, they will be flagged as malware. The simple solution would be to advise the IT department to download the programs and leave their testing lab equipment offline when not in use. During penetration testing, these machines can be connected to our network to perform their duties, scanning for weak security, and then disconnected so that they are not constantly flagged on the network. Although I was asked to determine which is more appropriate for our infrastructure, I do believe it would be nothing but beneficial to use them both, one as a first layer of testing and the other as a second, to ensure that all possible vulnerabilities are found.

Conclusion
The recommendation to deploy both tools on our networks for penetration testing will significantly reduce the ability of intruders to hack our network effortlessly. By keeping the machines that house these tools offline until weekly testing is done, we will eliminate the possibility of false positives in our anti-virus software. Our anti-virus software will flag these machines temporarily, but when they are disconnected, it will be able to detect actual malware other than what is already known. Having the ability to identify the faults of hackers will strengthen our security posture and, most importantly, prove to our patients that keeping their information safe and secure is of utmost importance to us.
References
HIPAA Encryption Requirements. (n.d.). Retrieved January 6, 2018, from http://www.hipaajournal.com/hipaa-encryption-requirements/
HIPAA Journal. (2017, February 07). Major 2016 Healthcare Data Breaches: Mid-Year Summary. HIPAA Journal. Retrieved January 6, 2018, from http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
ITGCT. (2016, September 28). The Biggest Security Threats in Healthcare. Retrieved January 7, 2018, from https://www.itgct.com/biggest-security-threats-healthcare/
Korolov, M. (2015, June 09). Healthcare organizations face unique security challenges. Retrieved January 7, 2018, from http://www.csoonline.com/article/2932978/data-protection/health-care-organization-face-unique-security-challenges.html
Ross, S. R. (2008, April). Mission Critical Commissioning for Healthcare Facilities [PDF]. Retrieved from https://content.extremenetworks.com/extreme-networks-blog/mission-critical-networks-what-healthcare-can-teach-the-enterprise
Rouse, M. (n.d.). OSI reference model (Open Systems Interconnection). TechTarget. Retrieved from http://searchnetworking.techtarget.com/definition/OSI
SpringerLink. (2014). Applications of mathematics and informatics in military science (N. J. Daras, Ed.). Retrieved July 20, 2017, from https://books.google.com/books?id=aYaAinJn2B4C&printsec=frontcover&dq=Applicationsof mathematics and informatics in military science publisherinfo&hl=en&sa=X&ved=0ahUKEwjw5ain6KDVAhXp8YMKHSnmDmYQ6AEIJjAA#v=onepage&q=Applications%20of%20mathematics%20and%20informatics%20in%20military%20science%20publisher%20info&f=false