
Abstract

The most common threat in a networked system is unauthorized access to information and computer
resources. This may cause the loss of confidentiality, integrity, and availability of information
technology assets. To ensure business continuity and minimize potential damage, companies need to
establish computer-based access control (so-called logical access control) to protect their
proprietary information from intentional or accidental disclosure, modification, erasure, or copying,
and to protect their IT resources from misuse. This control provides an organization with the ability
to restrict, monitor, and protect the confidentiality, integrity, and availability of these resources.
Another common threat is data leakage and the impact it can have on an organization. Because more
forms of communication are being used within organizations beyond traditional email, such as
instant messaging and VoIP, more avenues for data leakage have emerged.
This document provides the details of the security policy and strategy for the risks identified from
the Community Health Systems breach, namely data leakage and unauthorized disclosure of information.
The details of the real-world security breach, the security policies, the recommended implementation
plans and other details are explained in this document.

Real World Security Data Breaches - USA Community Health Systems
In August 2014, the US-based Community Health Systems (CHS) revealed in its Form 8-K SEC filing
that the health care organization's computer network had been hacked at least twice, in April and
June of 2014, through criminal cyber attacks originating from China.
Community Health Systems, which owns, operates and leases 206 hospitals across 29 different
states in the US, confirmed that these hacking incidents resulted in the theft of non-medical,
patient-identifying information of 4.5 million individuals who had, in the last five years, been
referred to or received services from physicians affiliated with Community Health Systems. This
information included patient names, addresses, birthdates, telephone numbers, and social security
numbers.
Although Community Health Systems represents the attacks as incidents in which hackers used
highly sophisticated malware and technology to attack its systems and were thereby able to bypass
its security measures to access the personal data of millions of patients, sources closer to the
investigation have described a different scenario. According to these sources, Community Health
Systems was hacked through a test server that was never intended to be connected to the Internet at
all. Because Internet connectivity was not expected, the security features that would and should be
deployed on a live production server were not installed on the test server.
Unfortunately, sensitive VPN credentials were stored in the memory of the test server, so when it
did become connected to the Internet, hackers were able to access the test server via the Heartbleed
bug and obtain those VPN credentials. The hackers then used these credentials to access the
Community Health Systems network and stole millions of patients' personal information. In a sense,
it was as though Community Health Systems had left the lights on and a note on the door saying,
"Hey, come on in. The key is under the doormat!"

CI6231 Security Policy & Strategy

Absolutely avoidable:
In these days of seemingly daily reports of data breaches, the danger lies in the potential for
complacency in those charged with overseeing the design, implementation, and maintenance of
cyber-security measures to protect the data that healthcare companies collect from their patients.
In other words, those responsible for corporate leadership and governance in the area of cyber
security will become passively resigned to the perceived "inevitability" of a data breach, instead
of systematically and systemically reviewing and transforming the company's cultural approach to
cyber security and risk management.
For example, in this case, if cyber security had been deep-rooted as a dominant priority in the
development, maintenance, and security teams at Community Health Systems, a "test" server would
never have been loaded with valuable VPN credentials without the corresponding cyber-security
features to prevent unauthorized access in the event that the server was ever connected to the
Internet. If this is in fact how the data breaches occurred, this was an utterly foreseeable
occurrence that could have been easily anticipated and guarded against.
What can healthcare learn?
The healthcare industry has developed, as it must, policies, procedures, and redundancies to protect
patients from mistakes made in a medical care context. The same approach should be taken to
protect patients' personal identifying information. Healthcare organizations must conduct a thorough
review of the cyber-security policies and procedures for their computer networks and data systems,
from initial development through implementation, maintenance, and ultimately, retirement. They
should then document these policies and procedures and bring in an independent third-party vendor
to review them and identify any gaps or vulnerabilities that could be exploited by cyber criminals.
Having documented these cyber-security policies and procedures and closed any gaps or
vulnerabilities identified by a thorough, independent review, healthcare organizations should then
monitor, on a continuing basis, compliance by their employees and/or vendors with those
documented policies and procedures. Embracing cyber security as a core value in a healthcare
organization's culture is essential to minimizing, if not altogether eliminating, the risk of a data
breach that damages not only the healthcare organization but also the patients who have entrusted
their personal information to its care.
As part of this assignment, we have identified two risks from this health care system security
breach incident. The risks are: 1. Unauthorized Disclosure of Information; 2. Data Leakage.


Risk #1: Unauthorized Disclosure of Information

Disclosure of confidential, sensitive information can result in loss of trustworthiness,
reputation, market share and economic advantage.

3.1 Risk Assessment
The risk identified from the Community Health Systems security breach is unauthorized
disclosure of information through weak access controls and a lack of patch management.

System Characterization: Hardware and Software

Asset Identification:
As part of the risk assessment phase, the following asset has been identified as impacted by this risk.

  Asset Category    | Asset Name                             | Asset Description                                               | Asset Type
  ------------------+----------------------------------------+-----------------------------------------------------------------+-----------------
  Information Asset | Patient health information and records | All patient-related health information that has been disclosed  | Electronic/Paper

Asset Valuation:
The goal of asset valuation is to assign impact values to the assets in the context of
confidentiality, integrity and availability. The following table represents the asset impact
valuation with respect to malicious code.

  Area of Impact       | Value: Low | Medium | High
  ---------------------+------------+--------+------------------------------------------------------
  Service Delivery     |            |        | Service Down: completely Unavailable
  Reputation           |            |        | Unfavorable widespread press interest
  Privacy Infringement |            |        | External breach of personal information; detrimental
                       |            |        | effect on person and personal life

  Threat: Malicious code
  Security Concerns (Confidentiality / Integrity / Availability): Y

Threat Identification

Hackers gain control through weak access controls and an outdated/weak cryptographic
library, injecting malicious code to expose the sensitive data.
Threat Source: Hacker
Threat Action: Unauthorized access and malicious code
Threat: Unauthorized access by hacker / hacker uses sophisticated malware

Vulnerability Identification
Weak access controls and an outdated cryptographic library were in place.

Likelihood Determination and Impact Analysis

As per the likelihood analysis, the likelihood is measured as high because hackers are highly
motivated and sufficiently skilled, and access controls were weak owing to the outdated
cryptographic library in use. As per the impact analysis, the impact is measured as high because
vulnerable servers were connected to the Internet without hardening and the latest patches, and a
weak crypto library was in place. Hence it may lead to unauthorized disclosure of information. The
following table provides the analysis of threat likelihood determination and impact for
sensitive data exposure.

  Likelihood Severity: High | Hackers are highly motivated and sufficiently skilled to use
                            | sophisticated malware/malicious code.
  Impact Severity: High     | Loss of the organization's sensitive and confidential information
                            | to an unauthorized public entity.

3.2 Risk Mitigation Strategy

Deliver a high level of data security and ensure that no unauthorized disclosure of information
incident will happen in the organization by carrying out the risk mitigation strategies that protect
the data against external or internal threats. In order to achieve this organizational goal, a
management security framework shall be established to initiate and control the implementation
of information security across the organization, which will provide clear direction and visible
support on matters of information security.

The following are the mitigation strategies for the Unauthorized Disclosure of Information risk
through internal/external threats.


o Guard the system from unauthorized disclosure of information by implementing proper
  logical and physical system access control.
o Guard the system from exposing sensitive data by implementing up-to-date cryptography
  library patches at various layers.
o Malicious code and virus protection management.
o Use certified and up-to-date cryptography libraries in production.
o Create a defense-in-depth system.
o Security awareness and training for users and developers.
o Risk assessment and mitigation plan.
o When a security or privacy breach has occurred, review and revise related policies and
  processes as needed.
o Conduct periodic reviews or audits to assess the security of sensitive information.
o Continuous vulnerability testing, review and implementation.

3.3 Security Policy and Controls Strategies

Policy Details
Scope & Intent of the Policy:
The scope of this policy applies to all Information Technology (IT) resources owned or
operated by the organization. All users (employees, contractors, vendors or others) of IT
resources are responsible for adhering to this policy. The intention of this policy is to
establish an access control capability throughout the organization and its business units to
help the organization implement security best practices with regard to logical security,
account management, and remote access.
Roles & Responsibilities to implement the policy
o Software Developers and Architects: Involved from design and development. Ensure all
  security controls are taken care of.
o CIO: Operating system and other software selection should adhere to the organization's
  strategy.
o Office Heads and Facility Directors: Ensure locally purchased software adheres to the
  organization's strategy.
o System administrators: Manage patch and virus management.
o ISO (Information Security Officer): Manage the selection of software and controls, and
  engage with development to deploy the security fixes.

Access control:
The following subsections outline the Access Control principles that constitute organization
policy. Each System is then held to this policy, and must develop or adhere to a program plan
which establishes compliance with the policy and the related standards documented.
Account Management: All Systems must:
o Identify account types (i.e., individual, group, system, application, guest/anonymous,
  and temporary).
o Establish conditions for group membership.
o Identify authorized users of the information asset and specify access privileges.
o Require appropriate approvals for requests to establish accounts.
o Establish, activate, modify, disable, and remove accounts.
o Specifically authorize and monitor the use of guest/anonymous and temporary accounts.
o Notify account managers when temporary accounts are no longer required, when information
  asset users are terminated or transferred, or when information asset usage or
  need-to-know/need-to-share changes.
o Deactivate temporary accounts that are no longer required and accounts of terminated or
  transferred users.
o Grant access to the system based on (1) valid access authorization, (2) intended system
  usage, and (3) other attributes as required by the organization or associated
  missions/business functions.
o Review accounts on a periodic basis, or at least annually.
Least Privilege: All Systems must employ the concept of least privilege, allowing only the
authorized accesses for users (and processes acting on behalf of users) that are necessary to
accomplish assigned tasks in accordance with organizational missions and business functions.
Concurrent Session Control: All Systems must limit the number of concurrent sessions for each
system account to ten for information assets.

Session Lock: All Systems must prevent further access to the information asset by initiating a
session lock after 60 minutes of inactivity or upon receiving a request from a user. In addition,
Systems must retain the session lock until the user re-establishes access using established
identification and authentication procedures.
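The account management, concurrent session and session lock rules above expressed as policy-as-code, as an added example that is not part of the original report; the class, method and account names are hypothetical, and the constants are the values the policy states (ten concurrent sessions, a 60-minute session lock, annual account review):

```python
# Added example (not from the original report): the Account Management, Concurrent
# Session Control and Session Lock rules above as executable checks. Class, method
# and account names are hypothetical; the constants are the values the policy states.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_CONCURRENT_SESSIONS = 10                   # Concurrent Session Control
SESSION_LOCK_AFTER = timedelta(minutes=60)     # Session Lock after 60 idle minutes
ACCOUNT_REVIEW_INTERVAL = timedelta(days=365)  # review accounts at least annually


@dataclass
class Session:
    session_id: str
    last_activity: datetime
    locked: bool = False


@dataclass
class Account:
    name: str
    kind: str  # individual, group, system, application, guest, temporary
    active: bool = True
    expires: Optional[datetime] = None  # guest/temporary accounts must carry an end date
    last_reviewed: Optional[datetime] = None
    sessions: Dict[str, Session] = field(default_factory=dict)


class AccessControlPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_account(self, name: str, kind: str, now: datetime,
                       expires: Optional[datetime] = None) -> Account:
        # Guest/anonymous and temporary accounts are authorized only with an end date.
        if kind in ("guest", "temporary") and expires is None:
            raise ValueError(f"{kind} account {name!r} requires an expiry date")
        acct = Account(name, kind, expires=expires, last_reviewed=now)
        self.accounts[name] = acct
        return acct

    def open_session(self, name: str, session_id: str, now: datetime) -> bool:
        """False for inactive/expired accounts or once ten sessions are open."""
        acct = self.accounts[name]
        if acct.expires is not None and now >= acct.expires:
            self.terminate_user(name)  # temporary account past its end date
        if not acct.active or len(acct.sessions) >= MAX_CONCURRENT_SESSIONS:
            return False
        acct.sessions[session_id] = Session(session_id, now)
        return True

    def touch(self, name: str, session_id: str, now: datetime) -> bool:
        """Record activity; locks the session (returning False) after 60 idle minutes."""
        sess = self.accounts[name].sessions[session_id]
        if sess.locked or now - sess.last_activity >= SESSION_LOCK_AFTER:
            sess.locked = True  # the lock persists until re-authentication
            return False
        sess.last_activity = now
        return True

    def lock_session(self, name: str, session_id: str) -> None:
        """Session lock on the user's own request."""
        self.accounts[name].sessions[session_id].locked = True

    def reauthenticate(self, name: str, session_id: str, now: datetime,
                       credentials_ok: bool) -> bool:
        """Only fresh identification and authentication releases the lock."""
        sess = self.accounts[name].sessions[session_id]
        if not credentials_ok:
            return False
        sess.locked = False
        sess.last_activity = now
        return True

    def terminate_user(self, name: str) -> None:
        """Deactivate a terminated/transferred (or expired) account and drop its sessions."""
        acct = self.accounts[name]
        acct.active = False
        acct.sessions.clear()

    def accounts_due_for_review(self, now: datetime) -> List[str]:
        """Active accounts not reviewed within the last year."""
        return sorted(a.name for a in self.accounts.values() if a.active and
                      (a.last_reviewed is None or now - a.last_reviewed >= ACCOUNT_REVIEW_INTERVAL))
```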

Controls Strategies:
Malicious Code and Virus Protection
The following requirements shall be followed at all times to ensure the protection of the
information technology resources:
Prevention and Detection:
o The automatic update frequency of software that safeguards against malicious code should
  not be disabled, altered or bypassed by end users to reduce the frequency of updates.

Response and Recovery:
o If malicious code is discovered, or suspected to exist, an attempt should be made to
  remove or isolate the malicious code using current antivirus or other control software.

Patch Management Control

Workstations and servers owned by the organization must have up-to-date operating system and
software security patches installed to protect the asset from known vulnerabilities. This
includes all laptops, desktops, and servers owned and managed by the organization.

o Workstations: Desktops and laptops must have automatic updates enabled for operating
  system patches. This is the default configuration for all workstations built by the
  organization. Any exception to the policy must be documented and forwarded to the
  organization's information security office for review.

o Servers: Servers must comply with the minimum baseline requirements that have been
  approved by the CISO team. These minimum baseline requirements define the default
  operating system level, service pack, hotfix, and patch level required to ensure the
  security of the organization's assets and the data that resides on the system. Any
  exception to the policy must be documented and forwarded to the organization's
  information security office for review.

Implementation timeline


Risk #2: Data Leakage

Due to the leakage of data in the community health care system, the following implications are
identified.
Implications:
o Legal liability
o Regulatory compliance
o Lost productivity
o Business reputation
o Financial loss

Risk Assessment
The second risk identified from the Community Health Systems security breach is data
(information) leakage through an unsecured network/server.

System Characterization: Hardware and Software

Asset Identification:
As part of the risk assessment phase, the following asset has been identified as impacted by this risk.

  Asset Category    | Asset Name                                   | Asset Description                                               | Asset Type
  ------------------+----------------------------------------------+-----------------------------------------------------------------+-----------------
  Information Asset | Patient health information and their records | All patient-related health information that has been disclosed  | Electronic/Paper

Asset Valuation:
The goal of asset valuation is to assign impact values to the assets in the context of
confidentiality, integrity and availability. The following table represents the asset impact
valuation with respect to an unsecured server.

  Area of Impact       | Value: Low | Medium | High
  ---------------------+------------+--------+------------------------------------------------------
  Service Delivery     |            |        | Service Down: completely Unavailable
  Reputation           |            |        | Unfavorable widespread press interest
  Privacy Infringement |            |        | External breach of personal information; detrimental
                       |            |        | effect on person and personal life

  Threat: Unsecured Network
  Security Concerns (Confidentiality / Integrity / Availability): Y

Threat Identification

Hackers gained access to the community health care system through unsecured
network/servers.

Threat Source: Hacker
Threat Classification: External threat
Threat Action: Unsecured network
Motivation: Steal intellectual property
Threat: Unsecured network access by hacker

Vulnerability Identification
Unsecured test server connected to the Internet.

Likelihood Determination and Impact Analysis

As per the likelihood analysis, the likelihood is measured as high because hackers are highly
motivated and sufficiently skilled to gain access to and steal data from the community health
care system. As per the impact analysis, the impact is measured as high because vulnerable
servers were connected to the Internet without a strong firewall mechanism, operating system
hardening and the latest patches. Thus, the hackers applied their skills to get control of the
health care system and stole the data. The following table provides the analysis of threat
likelihood determination and impact for sensitive data exposure.

  Likelihood Severity: High | Hackers are highly motivated and sufficiently skilled to get
                            | access to unsecured network/servers.
  Impact Severity: High     | Loss of the organization's sensitive and confidential information
                            | to an unauthorized public entity.

4.1 Risk Mitigation Strategy

An information system security risk mitigation strategy is the topmost priority today in every
organization. Intruders are targeting the personal information of customers and the
intellectual property of enterprises. In order to protect the information from
intruders/hackers, strong security governance and a security policy framework should be in
place in every organization. An evaluation procedure for the security policy framework and a
system security audit mechanism for the governance of security should be part of organization
policy. To protect the system from the risk of data leakage, risk assessment is a continuous
process in the system development cycle, and continuous discovery of risk and improvement of
risk mitigation strategies are vital for a safer environment. We cannot eliminate the risk
totally, but we apply mitigation strategies in advance to reduce and minimize the risk. The
organization's security governance, guidelines and policies enable the business to sustain
itself in an uncertain business world.
These are the risk mitigation strategies to mitigate the risk of data leakage.
1. Implement a host-based intrusion detection and data loss prevention system (IDPS).
2. Implement a network-based intrusion detection and data loss prevention system.
3. Software-based application firewall: block outgoing and incoming network traffic if it is
   not legitimate.
4. Disallow direct Internet connection from servers/workstations.
5. Patch operating system vulnerabilities: protect the system from potential operating system
   vulnerabilities by applying and maintaining an up-to-date patch level of operating systems.
6. Application whitelisting: allow only trusted/authorized programs to access the system and
   protect it from unauthorized programs or malicious code.
7. Appropriate security governance should be incorporated and integrated in the SDLC of
   application and system development.
8. Create awareness of system security and educate all stakeholders.
4.2 Security Policy & Control Strategies

Firewall Management Policy:
A hardware- and software-based firewall implementation is mandatory in all instances where
sensitive data is transacted and stored. A host-based and server-based firewall mechanism
should be in place in all instances where sensitive data is transacted and stored.
Objective:
To protect the information assets of the organization and to ensure the confidentiality,
availability and integrity of the information system.
Scope: The policy applies to people, processes and technology across the organization and its
third-party vendors.
Roles & Responsibilities:
Information security committee
The information security committee is responsible for governing and overseeing the
information system security of the organization. It analyzes potential risks, reviews the
security policies and procedures, and recommends changes. The committee is also responsible
for the consistency of the policy and for finding violations.
Chief information officer
The CIO is responsible for influencing and negotiating with top management to obtain funding
for investment in security solutions, and is also responsible for obtaining approval for system
implementation.
Chief information security officer
The CISO is overall responsible for the enterprise security program. The CISO gives direction
for all security solutions and for the implementation of those solutions. He or she is
responsible for developing and implementing information system security policies, governance,
guidelines and standards, for investigating security incidents, and for working closely with
other business heads on feasible solutions.
Firewall administrator
The firewall administrator is responsible for implementing and monitoring the firewall and for
logging and auditing network traffic activity.
Authorized users
Individuals who have access to retrieve and transact information assets. They are responsible
for upholding the policies and for reporting to the information security committee any
abnormality or vulnerability they have found in the information systems.
Data custodian
An individual or group of operational people who own and transact the data.

Control Strategies:

Firewall Management
o All external network connections and changes to the firewall shall go through a formal
  approval process.
o Requirements on a firewall which is placed between the Internet and the internal/DMZ
  network shall be clearly defined.
o A configuration standard for all security devices (i.e. firewalls, routers, IPS, proxies,
  antivirus, etc.) shall be maintained. A firewall shall be configured to deny all traffic
  from untrusted networks and hosts, except for protocols specifically permitted.
o Stateful inspection of all packets shall be implemented.
o Controls shall be configured to hide information about the internal network from exposure
  to the outside world.
o Backup of the firewall rule base and configurations shall be done on a weekly basis.
o Any remote access over untrusted networks to the firewall for administration shall use
  strong authentication, such as one-time passwords and/or hardware tokens.
o Firewall logs shall be examined on a fortnightly basis to determine if attacks have been
  detected.
o The firewall shall reject any kind of probing or scanning directed at it, so that the
  information being protected is not leaked by the firewall itself.
o The preferred method of firewall administration shall be through the console. Physical
  access to the firewall terminal shall be limited to the firewall administrator.
o If the firewall system requires any modification, it shall be ensured that these
  modifications are approved and made by the firewall administrator only.
o No access to the firewall operating software shall be permitted via remote access, except
  access from the internal network through SSH only.
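The firewall requirements above (default deny from untrusted networks, only specifically permitted protocols, SSH administration of the firewall only from the internal network) turned into an automated rule-base audit, as an added example that is not part of the original report; the rule format, the address ranges and both sample rule bases are constructed, with the weak rule base placed beside a corrected one:

```python
# Added example (not from the original report): an automated audit of a firewall
# rule base against the Firewall Management controls above. The rule format,
# address ranges and both sample rule bases are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # hypothetical internal range
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # hypothetical DMZ range
FIREWALL_ADDRS = {ipaddress.ip_address("10.0.0.1"),   # hypothetical firewall interfaces
                  ipaddress.ip_address("203.0.113.1")}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str     # "allow" or "deny"
    src: str        # source CIDR
    dst: str        # destination CIDR
    service: str    # "any" or "<proto>/<port>", e.g. "tcp/22"


def is_trusted(net: ipaddress.IPv4Network) -> bool:
    return net.subnet_of(INTERNAL_NET) or net.subnet_of(DMZ_NET)


def audit(rules: List[Rule]) -> List[str]:
    """Return policy violations; an empty list means the rule base is compliant."""
    findings: List[str] = []
    # "deny all traffic from un-trusted networks ... except for protocols specifically permitted"
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny"
                            and ipaddress.ip_network(last.src) == ANY
                            and last.service == "any"):
        findings.append("missing final deny-all rule")
    for i, r in enumerate(rules, 1):
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.action == "deny" and src == ANY and r.service == "any" and i < len(rules):
            findings.append(f"rule {i}: deny-all shadows the {len(rules) - i} rule(s) after it")
        if r.action != "allow":
            continue
        if not is_trusted(src) and r.service == "any":
            findings.append(f"rule {i}: permits any service from untrusted {r.src}")
        # Remote administration (SSH) of the firewall only from the internal network.
        hits_firewall = any(a in dst for a in FIREWALL_ADDRS)
        if r.service == "tcp/22" and hits_firewall and not src.subnet_of(INTERNAL_NET):
            findings.append(f"rule {i}: SSH to the firewall from non-internal {r.src}")
    return findings


# Constructed weak rule base: open DMZ, SSH to the firewall from anywhere, no default deny.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", "any"),
    Rule("allow", "0.0.0.0/0", "203.0.113.1/32", "tcp/22"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "any"),
]

# Constructed corrected rule base: only named protocols from the Internet,
# firewall SSH from the internal network only, explicit final deny.
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp/443"),
    Rule("allow", "10.0.0.0/8", "10.0.0.1/32", "tcp/22"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp/443"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]
```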

Patch Management
o An assessment of newly released patches and their implications for the critical servers
  shall be carried out before installing a patch on any of the critical servers.
o Patches on systems where a vendor is responsible for providing maintenance support shall
  be applied only after receiving approval from the concerned vendor.
o Patches on critical information systems shall be tested before their application in the
  production environment.
o Systems at high risk shall be addressed on priority.
o Timelines shall be defined and maintained while installing patches on critical servers.

Change Management
o Users shall be made aware of the steps necessary to determine if their system is infected,
  and shall inform system administrators or the ISD function if any virus/malicious code is
  detected.
o Any machine discovered to be infected by a virus shall immediately be disconnected from
  all networks.
o The machine shall not be reconnected to the network until ISD staff can verify that the
  virus has been removed.
o When applicable, off-the-shelf virus scanning tools shall be used to remove a virus from
  an infected file or program.
o If virus scanning software fails to remove the virus, all software on the computer shall
  be deleted, including boot records if necessary.

Software Development Life Cycle
o While developing software, incorporate the organization's security policy, governance and
  guidelines.
o Follow strict coding standards and do code verification of all segments of programs.
o Developers should attend a security awareness program before starting any programming.
o Any unauthorized or non-standard program will not be implemented or accepted by the
  information security committee.
o All programs should go through a security stress test before being accepted for
  implementation.
o All program changes should be recorded and monitored.

4.2.1 Schedule

4.3 Recommended Implementation Plan

4.3.1 Stakeholders

Business or functional owners, approval authority, Chief Information Officer, Chief System
Security Officer, senior management, technical support personnel, third-party vendors,
government agencies, IT security auditors, IT consultants, risk assessment officer, IT
application programmers, IT project managers, IT quality assurance personnel and all other
system users.
5 Conclusion

Companies are increasingly dependent on computer/network technology for improving the
efficiency and productivity of their business in order to continue and prosper in today's
competitive world. It is a business essential, and occasionally a legal requirement, to protect
their proprietary information against the threats of unauthorized disclosure and data leakage.
Companies may suffer financial and efficiency losses, as well as loss of reputation, due to
extensive internal and/or external security threats. Properly implemented logical access
control, patch management, firewalls, OS hardening, and version and change management provide
for the safeguarding of assets against threats, ensure business continuity, minimize potential
damage, and maximize return on investment.



Appendix

Presentation slides:
