
Final Project

Jeffrey Ryan

Recommended Cryptographic Techniques to Improve Health Insurance Company Security

Executive Summary
The healthcare industry is one of the industries most targeted by cyber attackers today, at times more so than the financial services industry. This report describes cryptographic techniques that can be implemented to help secure our corporate network and ensure secure communications for our health insurance company, the providers we work with, and our customers, all while complying with the laws and regulations that apply to healthcare.
Cryptography is ineffective without supporting security policies and controls, many of which are
already in use today. Existing controls may be modified or new controls added to support our
cryptographic goals. The cyber threats we face, from simple data theft to ransomware affecting
multiple sites, are fluid and always evolving. Implementing a sound cybersecurity program with
cryptography costs money, but the costs resulting from a cyber incident and its ramifications
are much, much greater.

Laws, Regulations, Standards, and Publications

Our health insurance company is considered a covered entity [1] under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is divided into five Titles, of which Title II contains two rules relevant to this project. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI). The HIPAA Security Rule states that a covered entity must implement a mechanism to encrypt and decrypt the PHI it creates, receives, maintains, or transmits in electronic form, known as ePHI [2]. The Security Rule also describes administrative, physical, and technical controls that support the confidentiality, integrity, and availability of ePHI.
An additional federal act we need to consider is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. It modified the data breach rule in HIPAA so that the loss or theft of a device (e.g., a laptop) containing ePHI is not considered a data breach if the device is encrypted. This means the entity will not be fined, nor be required to notify patients or the media of the missing device.
The HIPAA Security Rule reads more like a policy, so we look to NIST Special Publications for recommended cryptographic guidelines and best practices. Several NIST documents are referenced, starting with NIST SP 800-66, a guide to implementing the HIPAA Security Rule [3]. More specific NIST Special Publications are used for the implementation of cryptography as a whole, the implementation of TLS, remote access technologies, encryption technologies, and cryptographic key management recommendations.

Overview of Cryptographic Techniques

There are five main functions for which we will use cryptography in our implementation [5].
1. Confidentiality – Maintain the privacy and confidentiality of ePHI by limiting access to authorized users only.
2. Authentication – Verify the identity of users in order to determine their authorization to access ePHI.
3. Integrity – Protect ePHI against undetected modification, both in transit (wired or wireless) and at rest (storage devices, USB flash drives, etc.).
4. Non-repudiation – A user can be proven to be who they claim to be and cannot later deny having performed certain actions.
5. Key exchange – A way to securely exchange secret keys between a sender and a receiver.

The figure above shows our company network topology from a very high level. Some components mentioned in this report are not shown for the sake of brevity. The cryptographic techniques we recommend are described from a component-based perspective. Components, which can be users, groups, or network devices, are divided into the following categories:
1. External Users – Customers and providers with the ability to access electronic health records (EHRs) and other ePHI stored in our database.
2. Remote Workers – Employees working from home or away from the office while traveling, also with the ability to access ePHI.
3. Employees – Employees of the company working at the office on a corporate desktop. They may also connect wirelessly to the corporate network with a laptop or other mobile device.
4. Databases and storage devices – The ePHI database is the most critical to protect. The corporate database contains information critical to company operations but does not fall under HIPAA regulations. An off-site backup storage device holds all database backups and other critical business data, which are written to it on a regular basis.
5. Servers – We have a web server and a VPN server that give users outside the corporate network access to network resources.
6. Workstations – This group includes desktop systems located on-site and laptops that may be used off-site.
7. Public Key Infrastructure (PKI) – Certificate Authorities, both internal and external, used to verify digital identities and issue certificates.
External Users
Customers and providers will be able to access EHRs securely using modern web browsers. Our
web server will support TLS v1.1 and v1.2 using AES symmetric key encryption with a 256-bit
key length. Each logon session will then use a fresh AES-256 session key that is shared between
the user’s web browser and our web server. Secure key exchange will be performed using RSA
with a 2048-bit key length. The integrity of each message sent during the session will be verified
with a Hash-based Message Authentication Code (HMAC) using either the SHA-1 or the SHA-256 hash function, depending on the TLS version negotiated for the session.
Remote Workers
Employees working from home or while traveling will be able to access the corporate network
securely over an SSL VPN connection. Only TLS v1.2 will be supported, for an enhanced level of security. The rest of each connection session will be very similar to how non-employee external users connect: AES symmetric key encryption with a 256-bit key length, RSA with a 2048-bit key length, and HMAC with SHA-256 will all be used.
Authentication of remote workers will be performed with Active Directory and Kerberos by
entering user domain credentials into the VPN web portal. Communication will take place with
the corporate domain controller via the VPN server.
Employees
Employees located on-site can access the corporate network with their domain credentials.
Kerberos, part of Active Directory, is already used for authentication and access to other
network resources, notably the ePHI and corporate databases.
Employees may also access the corporate network wirelessly using their company issued
laptops. Connections will be encrypted using WPA2-AES Enterprise with AES using a 256-bit key
length. The integrity of each message sent during the wireless session is verified with a Cipher
Block Chaining Message Authentication Code (CBC-MAC). Similar to the way wired employees
are authenticated, wireless users also utilize Kerberos for authentication and access to other
network resources.
Databases and Storage Devices
The ePHI database and off-site backup storage device containing customer and provider data
will be protected by full disk encryption using AES with a 256-bit key length. Both databases also authenticate network users with Kerberos before granting access.
The secure hash function SHA-256 will also be used to verify the integrity of EHRs and other
ePHI received by the ePHI database.
Servers
The web server communicates with external users at the highest TLS version, v1.1 or v1.2, that the user's browser supports. The web server's cryptographic algorithms match those described for the connecting external user.
The VPN server is very similar but is used by remote workers, not customers and providers. Its
cryptographic algorithms match those of the connecting remote worker.
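As an added example (not part of the report), the following script checks TLS session records against the policy the External Users, Remote Workers and Servers sections lay out: TLS v1.1 or v1.2 on the web server, TLS v1.2 only on the VPN server, AES-256 with RSA-2048 and an HMAC whose hash follows the TLS version. The record format, field names and addresses are constructed for the example and are not any product's real log output.

```python
"""Added example, not part of the report: audit TLS session records from a
constructed server log against the report's per-server policy (web server:
TLS v1.1 or v1.2; VPN server: TLS v1.2 only; AES-256, RSA-2048, HMAC on both)."""
import re

# Allowed protocol versions per server as the report states them; the HMAC hash
# follows the negotiated version (SHA-1 with TLS v1.1, SHA-256 with TLS v1.2).
POLICY = {"web": {"TLSv1.1", "TLSv1.2"}, "vpn": {"TLSv1.2"}}
MAC_FOR_VERSION = {"TLSv1.1": "SHA1", "TLSv1.2": "SHA256"}
REQUIRED_CIPHER, REQUIRED_KX = "AES256", "RSA2048"

# Constructed record shape (not any product's real log format):
# "<server> src=<ip> tls=<version> kx=<key exchange> cipher=<cipher> mac=<hash>"
RECORD_RE = re.compile(
    r"(?P<server>\w+) src=(?P<src>\S+) tls=(?P<tls>\S+) kx=(?P<kx>\S+)"
    r" cipher=(?P<cipher>\S+) mac=(?P<mac>\S+)$"
)

def check_session(record: str) -> list:
    """Return the policy violations for one session record (empty list = compliant)."""
    m = RECORD_RE.match(record)
    if not m:
        return ["unparseable record"]
    f = m.groupdict()
    allowed = POLICY.get(f["server"])
    if allowed is None:
        return [f"unknown server {f['server']}"]
    reasons = []
    if f["tls"] not in allowed:
        reasons.append(f"{f['tls']} not permitted on {f['server']} server")
    if f["cipher"] != REQUIRED_CIPHER:
        reasons.append(f"cipher {f['cipher']} is not AES-256")
    if f["kx"] != REQUIRED_KX:
        reasons.append(f"key exchange {f['kx']} is not RSA-2048")
    expected_mac = MAC_FOR_VERSION.get(f["tls"])
    if expected_mac and f["mac"] != expected_mac:
        reasons.append(f"HMAC {f['mac']} does not match {f['tls']}")
    return reasons

def noncompliant(records) -> dict:
    """Map the source address of each non-compliant (parseable) record to its violations."""
    return {r.split()[1][4:]: check_session(r) for r in records if check_session(r)}

# Constructed sample records: two compliant sessions, two that violate the policy.
SAMPLE = [
    "web src=203.0.113.10 tls=TLSv1.2 kx=RSA2048 cipher=AES256 mac=SHA256",
    "web src=203.0.113.11 tls=TLSv1.1 kx=RSA2048 cipher=AES256 mac=SHA1",
    "vpn src=198.51.100.7 tls=TLSv1.1 kx=RSA2048 cipher=AES256 mac=SHA1",
    "web src=203.0.113.12 tls=TLSv1.2 kx=RSA1024 cipher=AES128 mac=SHA256",
]
```

Running `noncompliant(SAMPLE)` flags the VPN session that negotiated TLS v1.1 and the web session that negotiated AES-128 with a 1024-bit RSA key, which is the kind of check the Audit Controls safeguard below calls for.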
Workstations
Corporate desktop workstations do not store ePHI locally, so cryptographic mechanisms are not necessary for them. However, devices (laptops, tablets, etc.) used remotely are at a higher risk of being lost or stolen. To mitigate this, any device used for remote access will use AES 256-bit full disk encryption.
Public Key Infrastructure (PKI)
We will use an external Certificate Authority for digital certificates used in our web server.
Internal certificates will be issued by our own Certificate Authority on the corporate network.
Internal certificates are installed on the VPN server, firewalls, and wireless access point.

Security Policies and Controls

We already have several administrative, physical, and technical safeguards in place to protect
our existing network. Many of these policies and controls don’t pertain to cryptography but are
still relevant to maintain HIPAA compliance.
Administrative Safeguards [9]
• Security Management Process – Perform a risk analysis of threats to ePHI we are liable for. Implement security controls to mitigate the risk to a reasonable level.
• Information Access Management – Implement policies and procedures for authorizing access to ePHI by employees, providers, and customers.
• Security Awareness Training – Augment our existing training program with the proper use and handling of ePHI.
• Contingency Plan – Create a contingency plan with policies and procedures for emergency response. The combined plan will include a data backup plan, disaster recovery plan, and emergency mode operations plan.
Physical Safeguards [10]
• Facility Access Controls – Implement policies and procedures to limit the physical access to network devices containing or transmitting ePHI.
• Device and Media Controls – Implement policies and procedures that regulate the removal of laptops, USB flash drives, portable hard drives, etc. that may contain ePHI. This includes disposal and re-use of those devices.
Technical Safeguards [2]
• Access Control – Implement controls that allow ePHI access only to those determined by the Information Access Management safeguard above. This includes specifying a way to access ePHI in an emergency.
• Audit Controls – Implement ways to record and later examine events on systems that contain ePHI.
• Integrity – Implement policies and procedures that protect ePHI from unauthorized modification or deletion.
• Authentication – Implement procedures to verify someone trying to access ePHI is really who they say they are.
• Transmission Security – Implement technical security measures to protect ePHI being transmitted across a network.

Potential Threats
The healthcare industry was attacked by cybercriminals more than any other industry in 2015 [6], after not even being listed in the top five the year before. The reasons for this drastic increase are many, but a few of the most prominent are described below.
ePHI Data Theft
The first major reason was the requirement to use EHRs by January 2015 [7]. Since an attacker cannot hack into a physical file cabinet containing paper records, moving all of these records into the digital world vastly increased the attack surface of PHI. The prospect of selling EHRs, even partial ones, is a powerful financial motivator for cybercriminals. EHRs sell for an average of $50 each on the dark web, versus $1 each for stolen credit card numbers [7].
You may wonder why EHRs are considered so valuable on the black market. Attackers can use the information within a patient's EHR to steal their identity and then purchase medications, which are resold on the dark web for a hefty profit [8]. Misuse of a stolen EHR is also more difficult to detect, giving attackers, or those who purchase stolen EHRs, more time to abuse the information within and reap as much as possible from the hijacked identity.
Ransomware
Ransomware is still quite profitable for cybercriminals in many industries, healthcare being no exception. If an attacker is able to block access to patient EHRs or to critical medical devices, possibly creating a life-or-death situation, the victim is more likely to pay the ransom. A ransom is much cheaper than a malpractice suit for cybersecurity negligence resulting in injury or death.
Insider Threats
It is often difficult to think about, but one of the largest threats any company faces comes from those within its perimeter defenses – its employees and contractors. The threat can be either malicious or simple negligence. An uninformed employee may click a link in a fraudulent but legitimate-looking email that installs malware on the user's computer. The malware could be ransomware, a backdoor, or a keylogger that steals the user's credentials. Use of valid credentials by an attacker is often very difficult to detect and can be especially damaging without good access controls in place.

Threat Mitigation Using Cryptology

Cryptographic mechanisms are most beneficial to the policies that support the confidentiality and integrity of ePHI. Data theft is the largest threat, but with the help of cryptography, ePHI is kept confidential and private whether it is in transit across the Internet or stored on one of our storage devices.
Cryptography does not protect against ransomware directly, but some of the policies and controls implemented alongside it can help fend off a ransomware attack or make recovery much easier. Security awareness training helps users spot suspicious emails or documents that could compromise a system with ransomware. A robust data backup plan, part of our contingency plan, makes recovery from ransomware possible. Recall that data backups at our off-site storage location are encrypted because they contain ePHI. Backup file hash values are also stored with each backup so that its integrity can be verified if restoration is ever required.
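The SHA-256 integrity check on ePHI received by the database and the hash values stored with each backup, described above, come down to the same procedure: record a digest when data is written and compare it before the data is trusted. As an added example (not the report's own code), the script below writes a SHA-256 manifest for a backup set and verifies it before restoration, reporting any file that was altered or removed; the file names and contents are constructed.

```python
"""Added example, not part of the report: build a SHA-256 manifest for a backup
set and verify it before restoration, so a backup file that was altered or
encrypted by ransomware is detected. File names and contents are constructed."""
import hashlib
import json
import os
import tempfile

MANIFEST = "MANIFEST.sha256.json"

def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large database dumps need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(backup_dir: str) -> dict:
    """Record the digest of every backup file. Keep a copy of the manifest off the
    backup media (or sign it): whoever can rewrite the backup can rewrite hashes."""
    digests = {name: sha256_file(os.path.join(backup_dir, name))
               for name in sorted(os.listdir(backup_dir)) if name != MANIFEST}
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(digests, f, indent=2)
    return digests

def verify_manifest(backup_dir: str) -> dict:
    """Return {filename: 'ok' | 'modified' | 'missing'} against the stored manifest."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        expected = json.load(f)
    status = {}
    for name, digest in expected.items():
        path = os.path.join(backup_dir, name)
        status[name] = ("missing" if not os.path.exists(path)
                        else "ok" if sha256_file(path) == digest else "modified")
    return status

def demo(tamper: bool) -> dict:
    """Constructed scenario: two backup files; if tamper, one is altered and one removed."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("ephi-db.bak", b"constructed ePHI dump"),
                           ("corp-db.bak", b"constructed corporate dump")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        write_manifest(d)
        if tamper:
            with open(os.path.join(d, "ephi-db.bak"), "ab") as f:
                f.write(b"\x00")  # a single appended byte changes the digest
            os.remove(os.path.join(d, "corp-db.bak"))
        return verify_manifest(d)
```

`demo(tamper=True)` reports the altered ePHI dump as modified and the deleted corporate dump as missing, which is exactly the state a restore procedure must refuse to proceed from.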
Some insider threats can be mitigated with cryptographic mechanisms and access control policies. For example, an attacker may be able to compromise a system on the corporate network and move laterally to the ePHI database, but since the database is encrypted, the data remains confidential.

Conclusion
This report has detailed how cryptographic mechanisms can be used in our corporate health insurance environment to keep electronic protected health information confidential. The mechanisms described make us fully compliant with HIPAA and incorporate industry best practices. Most security policies and controls are already in place, but a few new ones are needed to support the enhanced cryptographic techniques. The cyber threats our company faces are real and always changing. The cohesive mix of cryptography, policies, and controls will greatly benefit our company, providers, and customers.
References
1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 160.103 (2002)
2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.312 (2002)
3. NIST (October 2008) NIST SP 800-66 R1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
4. NIST (May 10, 2017) Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/fips/140/2/final/documents/fips1402annexa.pdf
5. Kessler, G. (August 15, 2017) An Overview of Cryptography. Retrieved from http://www.garykessler.net/library/crypto.html
6. Rodionova, Z. (April 21, 2016) Healthcare is now top industry for cyberattacks, says IBM. Retrieved from http://www.independent.co.uk/news/business/news/healthcare-is-now-top-industry-for-cyberattacks-says-ibm-a6994526.html
7. FBI (April 8, 2014) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain. Retrieved from http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
8. Fahey, R. (n.d.) Top Cyber Security Risks In Healthcare. Retrieved from http://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/
9. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.308 (2002)
10. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.310 (2002)
