Project 1: Technical Report on
Healthcare Organization

Waise Sekander

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

University of Maryland University








is ever-advancing and constantly creating new avenues for vulnerabilities in
our information systems to be exploited. Midyear 2016, 60 percent of data
breaches were attributed to hacking (HIPAA Journal, 2017). Although we are not
the only ones who have fallen victim to cyberattacks, our duty to protect our
customer’s personal health information (PHI) should remain top priority. With a
more comprehensive security posture we barricade these vicious avenues from
negatively impacting our patients.

Information Systems Infrastructure

The chart below explains the organizational
structure of Whole HealthCare, which is based off of two key structures
administrative operations and information efficacy. The information center stores
all the patient’s data for each healthcare unit.

Latest trends
have healthcare centers with their own information centers as a separate entity
which are supervised by experienced personnel. This further divides the departments
to work separately in order to provide assistance, technical services and
information services to required departments and end users. Information
efficacy occurs when the increased use of computers to enhance coordination and
supporting in technical services and information technology. Among business
units, like pharmacy and a business strategy, which could function in hospitals,
the staff of the Health Center can coordinate by working towards efficient
clinical and management skills.




Organizational Structure









Business Units

Mission Critical System

One of the mission critical system’s is
encryption software for the electronic health records of patients. The need for
encryption software in organizations that store sensitive information is

physician order entry (CPOE) is the process of a medical professional entering
medication orders or other physician instructions electronically instead of on
paper charts. It helps reduce errors related to poor handwriting or
transcription of medication orders. (Rouse, 2014)

It’s also
important for protecting health information by restricting access to just
physicians and nurses in order to avoid delays of the entire system especially
in medication orders and delivery. The CPOE software should be used in order to
restrict access to only physicians, nurses and authorized staff. Every user should
have a particular password, as the software is password protected to have
accountability in case of a breach.


Our security posture relies
on the configurations we set for our information systems. Our server room
should be labeled as a mission critical area as a whole. Backup generators
should be in working order at all times and power to these systems, even if it is
just to shut them down properly, should be enforced. Our physical servers, and
virtual ones within, are crucial to the hospital’s ability to operate during a
disaster. Disaster Recovery Plans are already in place for our organization
which adds to our security posture when unexpected events arise.

Not only are our networking
devices considered mission critical, our mechanical and electrical systems also
have a significant impact on our business continuity during a disaster. Our
HVAC systems ensure proper temperatures are set and controlled throughout the
facility. This is especially important to house patients and medicines that
require controlled temperatures at all times. Our nurse call system and fire
alarm systems should also remain in working order during emergencies. These
systems are crucial in acknowledging life-threatening situations and notifying
staff members of emergencies (Ross, 2008).


The Open
System Interconnection (OSI) protocol comprises of 7 layers, which handles the
data in a way that is different from one another. The unit in which a certain
layer handles data is called a Protocol Data Unit (PDU). Some layers add
layer-specific information to the data and can be in the form of a header, a
trailer, or both. The header information is added at the start of the PDU, whereas
the trailer information is added at the end of the PDU. This header or trailer
contains information that is useful in controlling the communication between
two entities. (Alani, 2014)

TCP/IP protocol

TCP (Transmission
Control Protocol) is the communication protocol that connects hosts to the
internet and manages the transmission of data between installed applications in
the information system hardware. It’s a standard procedure for transmitting
data over networks. The Internet Protocol (IP) deals with transmitting data between
the host computers connected with information system.


The CIA triad refers to the
confidentiality, integrity, and availability of information – in our case, PHI.
Our current security posture is strong, but can be made stronger by tightening
security in smaller areas. The confidentiality of information is protected by
our system’s access controls. Those who require access to the system are
granted it and those who do not are denied. The confidentiality of information
is pertinent because it ensures that our information has not been compromised.
The integrity of our information is backed by our encryption procedures. Per
HIPAA Security Rule, we should be encrypting PHI in transmission to mitigate
interception. It should be encrypted when deemed appropriate (HIPAA Encryption
Requirements, n.d.). For us, this means when it is stored in our file systems
and transmitted. While these guidelines are mandatory, our organization should
stress this to employees who handle PHI frequently. The availability of PHI is
maintained with our Disaster Recovery and Business Continuity Plans. By making
this information constantly available we are enforcing the CIA triad.

to Identity Management

The issue at hand is our
identity management processes. In order to effectively control unauthorized
access, the identities of individuals should be validated. It is not enough to
impose partial security standards. Multiple methods should be in place to
protect the failure of any one of them. For example, if password requirements
are that the key must be 14 characters in length, include upper and lowercase
letters, and numbers, that’s a great first step. However, given enough time,
this password could still be compromised by password cracking tools. But, if an
account lockout policy were in place after 3 incorrect attempts, the chances of
a brute force attack could be mitigated.


HealthCare employs a process of identity managements which utilizes biometric
technologies to manage identify information of users. The purpose of identity
management is to prevent unauthorized users, manage identities, and credentials.
Biometric methods do not guarantee absolute precision, although it may be very
low as there is always a chance that a biometric system may incorrectly refuse
to authenticate legitimate user, or wrongly accept imposters. (Jovanovi? et
al., 2016)

& Authorization

and authorization are fundamental for both internal and external users, to gain
access to the healthcare organization’s computer systems. Identity management
defines access controls for users including hospital staff and patients or new
patients who need to be authorized and authenticated.


Management and Protection

Users are
allowed to create their own passwords to enable access for multiple systems. All
users of the system must maintain and protect their own passwords because they
are held responsible for protecting their passwords. Password protection is essential,
which is why it we recommend creating stronger passwords to make it extremely challenging
to impossible for hackers to gain access.


authentication is recommended to increase security of the healthcare
information system because it necessitates a second authentication to completely
confirm the identity of an authorized user. Single Sign-On is very susceptible
to a breach because it’s authentication that allows a user to access one or
more resources within single security domain. SSO, where client’s login once to
gain access to different resources connected to a local area network (LAN),
without the need to re-enter log-in credentials. (Jovanovi? et al., 2016)


The identity
management system authorizes specific users based on their attributes, identity,
while limiting the amount of access to be granted. The access control installs
the identity management systems to manage information, future authentication,
and authorization request of any authorized member.

Access Control

The access control refers to the enforcement mechanism for the required security with base access controls on physical attributes, sets of rules, lists of individuals’ identities. (Saxena &
Bong Jun, 2015) The access control gives the healthcare
management the authentication and authorization to provide security solutions
in order to protect healthcare data.

Access Control

The role-based
access control is managed by a central authority
that determines what permissions subjects are given according to their
individual roles. These access controls can be used in a computer or network to
restrict or allow access based on a variety of criteria e.g. users in the same
role tend to have the same job functions, responsibilities, and duties
associated with them. (Stallings & Brown, 2008)


is currently one of the vulnerabilities within the CIA triad we are addressing at
our health organization. The recent data breach of our systems demonstrates
that authorized users are being neglectful when handling sensitive patient data,
eventually leading to a breach by an unauthorized user.

Insider Threat

threats are considered to be the most damaging to an organization, due to staff
and employees having access to the information system. Former employees and
staff could potentially be a threat as well, depending on the circumstances of
their departure. Sensitive data can be altered and stolen within the
organization, which should lead to precautionary tactics e.g. an accessing log
in order to prevent such a situation. Organizations need to keep in mind and
implement security policies that best protect their intellectual property
because within an organization, the employee population is the source of
potential malicious insiders. (Carnaghan, n.d.)


motives differ within healthcare information systems. Financial intrusion
motives could target gaining access to patient’s social security numbers, which
could potentially lead to identity theft such as credit cards being opened up
in one of our patient’s name.


Most hacker’s
motives are clear and defined, in order to protect sensitive data and to prevent
hackers from getting into the system it’s crucial to understand these motives.
Spoofing is when a user receives a fake email with links for websites that
allow the hacker to gain access and steal confidential information of patients
or the healthcare organization.

Cracking Tools

Cain &
Abel and Ophrack were the two password cracking tools used for testing. The methods
Brute Force and Dictionary Attack were available on the Cain & Abel
software, while Ophrack possessed a “crack” option to decipher the user’s
passwords. One of the benefits of having password cracking tools is that
forgotten passwords can be recovered at a reduced security risk and changed
once cracked. A risk associated with password cracking tools is that it could potentially
be susceptible to inside threats and then be used unethically, which is why only
authorized users should have access to password cracking tools.


Password cracking tools have
given hackers the ability to solve hashes in minutes. These same tools can also
be used for penetration testing to determine weak passwords within our own
infrastructure. In using products, such as, Cain and Abel or Ophcrack, our
organization can gain insight and awareness that can be the stronghold in
keeping our accounts and PHI safe.


As new software is created,
passwords will become easier to crack. Technology knows no boundaries in many
aspects which is why securing our networks, strengthening our physical and
logical security, and mitigating every risk that we can becomes of utmost
importance in this technology-ridden world.

Comparative Analysis

Cain and Abel and Ophcrack,
which are the two password cracking tools tested, can be both useful and very
dangerous at the same time. While we can learn from these products, so can our
adversaries. In using these products to test our own password strengths we can
foresee vulnerabilities that we perhaps may have overlooked.


The passwords
recovered by Ophcrack were recovered all simultaneously. The passwords were not
complex they all were relative to the user’s name. The 4 types of character sets
are lower case letters (abc), upper-case letters (ABC), digits (123), and
special characters (@#$). For a strong password a minimum of 15 characters, one
from each character sets. Current password polices should require users to
change their passwords between 60-90 days.

Types of Attacks

Dictionary attacks can be
debilitating for users who use full words in their passwords. Word lists can be
uploaded to password cracking programs, making it almost effortless to solve
hashes. Ensuring that our password policies do not allow for words that can be
found in the dictionary, we can mitigate this threat. While it may be difficult
to remember complex passwords, users can also spell out words using various
characters. For example, the password floridagators could be turned into a more
secure one by substituting characters that look similar; [email protected]@t0R5. It does
take some extra steps to make a password secure, but if this is what our
organization requires to keep our PHI safe, our users will become more skilled
in creating harder passwords.

 “A brute-force attack is a method of defeating
a cryptographic scheme by trying a large number of possibilities” (SpringerLink,
2014, p. 208). In simpler terms, brute force attacks occur when multiple
password entries are sent to overload a system. Sometimes a correct password is
guessed and sometimes a system becomes overloaded.


In both scenarios, neither
one is particularly good. Limiting the amount of times an incorrect password
can be entered before the account locks is a great way to keep these attacks
from debilitating our systems. The most common is the number three – after
three incorrect attempts, an account should lock and administrators can now
control access to the user’s account. In many cases users are required to
verify their identity either in person, via video teleconferencing, or by
giving identifying information about themselves. Our policy should provide more
than one way of validating an individual’s identity and should be approved by
the Chief Security Officer.


The speed in which these
programs cracked passwords was impressive. For simpler passwords, such as xmen
and M00n, both programs almost immediately solved the hashes. Ophcrack was
easier and faster to use, but only performs by using Rainbow tables. Whereas,
Cain and Abel can use a variety of attacks.


Cain and Abel was precise in
solving hashes when the correct attack was chosen. Being that not all passwords
include dictionary words in them, a dictionary attack can certainly be
unsuccessful. The good news— Cain and Abel attacks in more than one way.
Rainbow tables are easily found for use in Ophcrack and make it easier to solve
multiple account passwords in one function. However, for passwords that the
hash is unknown, Ophcrack will not be able to find it alone.










Exercise Results

Figure 1.1 Ophcrack


Figure 1.2 Cain & Abel Brute-Force


Figure 1.3
Cain & Abel Dictionary Attack


User Account results

? Xavier: Brute-Force was able crack the
password, Dictionary Attack no results

? Wolverine: Brute-Force was able crack the
password, Dictionary Attack no results

? Shield: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? EarthBase: Brute-Force will complete in 2 +
years, Dictionary Attack no results.

? dbmsAdmin: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? Kirk: Brute-Force will complete in 2 + years,
Dictionary Attack no results

? Mouse: Brute-Force will complete in 2 +
years, Dictionary Attack cracked the password

? Rudolph: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? Snoopy: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? Spock: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? Apollo: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? Chekov: Brute-Force will complete in 2 +
years, Dictionary Attack no results

? Batman: Brute-Force will complete in 2 +
years, Dictionary Attack no results

Password strength

Password strength was the
most determining factor for cracking the account passwords. The longer the
password, the more time consuming it becomes. Likewise, the more difficult a
password is by including not just letters and numbers, but also symbols, can be
the saving grace or end all in these situations. Requiring passwords to be at
least 14 characters in length, with two uppercase letters, two lowercase
letters, two numbers and two symbols makes solving them more difficult and time
consuming for hackers.


Both programs were successful
in solving for simple hashes, dictionary words and short passwords.
Essentially, if the password was weak, these programs could crack them in under
a minute. While both programs differ in ability, they both can be useful to our


It is my recommendation that
both programs be used for penetration testing on our information systems because
they are open source products. This comes at no cost, but with plenty of
benefits. In using these programs, they will be flagged as malware. The simple
solution would be to advise the IT department to download the programs and
leave their testing lab equipment offline when not in use. During penetration
testing, these machines can be connected to our network to perform their
duties, scanning for weak security, and then disconnected so that they are not
constantly flagged on the network. Although I was asked to determine which is
more appropriate for our infrastructure, I do believe it would be nothing but
beneficial to use them both, one as a first layer of testing and the other as a
second to ensure that all possible vulnerabilities are found.


The recommendation to deploy
both tools on our networks for penetration testing will significantly reduce
the ability of intruders to hack our network effortlessly. By keeping machines
that house these tools offline until weekly testing is done, we will eliminate
the possibilities of false positives in our anti-virus software. Our anti-virus
software will flag these machines temporarily, but when disconnected, they will
be able to detect actual malware other than what is already known.  Having the ability to identify the faults of
hackers will strengthen our security posture and most importantly, prove to our
patients that keeping their information safe and secure is of utmost importance
to us.




















HIPAA Encryption Requirements.
(n.d.). Retrieved January 6, 2018, from

HIPAA Encryption Requirements

HIPAA Journal. (2017,
February 07). Major 2016 Healthcare Data Breaches: Mid-Year

HIPAA Journal. Retrieved January 6,
2018, from

Major 2016 Healthcare Data Breaches: Mid Year Summary

ITGCT. (2016, September 28).
The Biggest Security Threats in Healthcare.

January 7, 2018, from

Korolov, M. (2015, June 09).
Healthcare organizations face unique security challenges.

Retrieved January 7, 2018,

Ross, S. R. (2008, April). Mission Critical Commissioning for
Healthcare Facilities PDF.



Rouse, M. (n.d.). OSI
reference model (Open Systems Interconnection). TechTarget. Retrieved


SpringerLink. (2014). Applications of mathematics and informatics
in military science

J. Daras, Ed.). Retrieved July 20, 2017, from
of mathematics and informatics in military science publisher








Written by

I'm Colleen!

Would you like to get a custom essay? How about receiving a customized one?

Check it out