Jeffrey Ryan
The figure above shows our company network topology from a very high level. Some
components mentioned in this report are not shown for the sake of brevity. The cryptographic
techniques we recommend are described from a component-based perspective. Components,
which can be users, groups, or network devices, are divided up into the following categories:
1. External Users – Customers and providers with the ability to access electronic health
records (EHRs) and other ePHI stored in our database.
2. Remote Workers – Employees working from home or away from the office while
traveling, also with the ability to access ePHI.
3. Employees – Employees working on-site, connected to the corporate network from a
corporate desktop or wirelessly from a company-issued laptop or other mobile device.
4. Databases and storage devices – The ePHI database is the most critical asset to protect.
The corporate database contains information critical to company operations but does not
fall under HIPAA regulation. An off-site backup storage device holds all database backups
and other critical business data, which are written to it on a regular schedule.
5. Servers – A web server and a VPN server give users outside the corporate network
access to network resources.
6. Workstations – This group includes desktop systems located on-site and laptops that
could be used off-site.
7. Public Key Infrastructure (PKI) – Certificate Authorities used for digital identification
verification and issuance of certificates, both internal and external.
External Users
Customers and providers will be able to access EHRs securely using modern web browsers. Our
web server will support TLS v1.2, with TLS v1.1 accepted only for browsers that cannot
negotiate v1.2 (TLS v1.1 has since been formally deprecated by RFC 8996, so this fallback
should be removed as soon as client support allows). Session data will be encrypted with AES
using a 256-bit key, and each logon session will use a fresh AES-256 session key shared
between the user's web browser and our web server. The server is authenticated with a
2048-bit RSA certificate. The session key should be established with an ephemeral
elliptic-curve Diffie-Hellman exchange (ECDHE) signed by that RSA key rather than with RSA
key transport: RSA key transport offers no forward secrecy, so a later compromise of the
server's private key would expose every recorded session. The integrity of each message sent
during the session is verified with a Hash-based Message Authentication Code (HMAC). Note
that TLS v1.1 cipher suites only provide HMAC-SHA1; HMAC-SHA256, and the AES-GCM
authenticated-encryption suites that need no separate MAC at all, are available only when
TLS v1.2 is negotiated.
Remote Workers
Employees working from home or while traveling will be able to access the corporate network
securely with the help of an SSL VPN connection. Only TLS v1.2 will be supported for the
enhanced security level. The rest of each connection session will be very similar to how non-
employee external users connect. AES symmetric key encryption with a 256-bit key length, RSA
with a 2048-bit key length, and HMAC with SHA-256 will all used.
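To make the TLS policy of the External Users and Remote Workers sections concrete, the following Python script is an added example written for this edit; it is not configuration from the report or from any vendor product. It builds a server-side ssl.SSLContext that enforces the Remote Workers rule (TLS v1.2 or newer) with forward-secret AEAD suites, and a small audit function that flags, in any cipher list shaped like SSLContext.get_ciphers(), the three weaknesses the External Users section leaves open: RSA key transport, an HMAC-SHA1 (or MD5) MAC, and non-AEAD suites. The cipher strings, the policy rules, the "report as written" cipher list and the commented-out certificate paths are this example's assumptions.

```python
"""TLS server policy for the web and VPN servers: TLS 1.2+, forward secrecy, AEAD.

Added example, not code from the original report. Cipher strings and policy
rules are this editor's assumptions."""
import ssl

# Ephemeral ECDH key exchange (forward secrecy) with an AEAD cipher, so no
# separate HMAC is needed. OpenSSL cipher-string syntax (assumed policy).
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def build_hardened_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2 or newer only, forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses TLS 1.0/1.1 (RFC 8996)
    ctx.set_ciphers(HARDENED_CIPHERS)               # TLS 1.2 suites; TLS 1.3 suites stay built in
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server, not the browser, picks the suite
    # Hypothetical paths: the 2048-bit RSA certificate from the external CA.
    # ctx.load_cert_chain("server.pem", "server.key")
    return ctx


def build_report_as_written_context():
    """The report's literal spec: RSA-2048 key transport, AES-256-CBC, HMAC-SHA1 or
    HMAC-SHA256. Returns None if the local OpenSSL refuses to enable these suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers("AES256-SHA:AES256-SHA256:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    return ctx


def weak_suites(ciphers):
    """Return (name, reason) for every suite that violates the policy.

    `ciphers` is an iterable of dicts shaped like SSLContext.get_ciphers():
    keys 'name', 'kea', 'digest' (None for AEAD suites) and 'aead'."""
    findings = []
    for c in ciphers:
        reasons = []
        if c.get("kea") == "kx-rsa":
            reasons.append("RSA key transport: no forward secrecy")
        if (c.get("digest") or "").lower() in ("sha1", "md5"):
            reasons.append("legacy MAC digest %s" % c["digest"])
        if not c.get("aead"):
            reasons.append("non-AEAD suite (separate MAC, CBC padding oracles)")
        if reasons:
            findings.append((c["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    hardened = build_hardened_context()
    print("hardened context, weak suites:", weak_suites(hardened.get_ciphers()))
    legacy = build_report_as_written_context()
    if legacy is None:
        print("local OpenSSL refuses the report's suites outright")
    else:
        for name, why in weak_suites(legacy.get_ciphers()):
            print("%s: %s" % (name, why))
```

Run it against the report's own suite list and AES256-SHA is flagged on all three counts, while the hardened context yields no findings. The same audit can be run against a live endpoint by wrapping a socket with the context and reading `cipher()`, but that needs a certificate and is left out here.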
Remote workers will authenticate with their Active Directory domain credentials, entered into
the VPN web portal. The VPN server validates those credentials against the corporate domain
controller on the user's behalf; once the tunnel is established, the client obtains Kerberos
tickets from the domain controller for access to internal resources just as it would on-site.
Employees
Employees located on-site access the corporate network with their domain credentials.
Kerberos, the authentication protocol Active Directory is built on, is already used for
authentication to and access control on other network resources, notably the ePHI and
corporate databases.
Employees may also access the corporate network wirelessly using their company-issued
laptops. Connections will be protected with WPA2-Enterprise using CCMP, which encrypts with
AES in CCM mode. Note that WPA2's CCMP is defined with a 128-bit AES key; a 256-bit key is not
an option in WPA2, so the 256-bit figure used elsewhere in this report does not carry over
to the wireless link. The integrity of each wireless frame is verified with the Cipher Block
Chaining Message Authentication Code (CBC-MAC) that CCM computes alongside the encryption.
Wireless clients first authenticate to the network with 802.1X/EAP, which is what
WPA2-Enterprise means in practice (the EAP server side is normally a RADIUS server that
checks credentials against Active Directory and presents one of the internal certificates
installed on the access point), and thereafter use Kerberos for authentication to and
access to other network resources, just as wired employees do.
Databases and Storage Devices
The ePHI database and the off-site backup storage device containing customer and provider
data will be protected by full-disk encryption using AES with a 256-bit key. Full-disk
encryption protects data at rest only: it defends a disk that is lost, stolen or
decommissioned, but offers nothing once the host is booted and the volume is unlocked, so it
is not a substitute for access control on the running database. Access to both the ePHI and
corporate databases is granted to network users via Kerberos.
SHA-256 will also be used to verify the integrity of EHRs and other ePHI received by the
ePHI database. A bare SHA-256 digest detects accidental corruption only; an attacker who can
alter a record in transit can just as easily recompute its hash. For tamper detection the
digest must be keyed (HMAC-SHA256 with a key the attacker does not hold) or signed with a
certificate issued by our PKI.
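The difference between an unkeyed hash and a keyed tag on an incoming record is easiest to see in code. The following Python script is an added example for this edit, not code from the report: it tags a constructed EHR with plain SHA-256 as the report describes, then with HMAC-SHA256, and shows that an attacker who rewrites the prescription can repair the plain hash but not the HMAC. The sample record, field names and the 32-byte key are invented for the demonstration.

```python
"""Integrity tags for EHRs arriving at the ePHI database.

Added example, not code from the original report. The record, its fields and
the key are constructed for the demonstration."""
import hashlib
import hmac
import json
import secrets

# Constructed record; real EHRs are larger, but the mechanism is identical.
SAMPLE_EHR = {"patient_id": "P-10042", "dob": "1970-04-01",
              "allergies": ["penicillin"], "rx": ["metformin 500mg"]}


def canonical(record: dict) -> bytes:
    """Stable serialisation so sender and database hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# --- What the report describes: an unkeyed SHA-256 digest -------------------
def sha256_tag(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def sha256_verify(record: dict, tag: str) -> bool:
    return hmac.compare_digest(sha256_tag(record), tag)


# --- What tamper detection needs: a keyed HMAC-SHA256 -----------------------
def hmac_tag(key: bytes, record: dict) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, record: dict, tag: str) -> bool:
    # compare_digest runs in constant time, closing a timing side channel
    # that a byte-by-byte string comparison would open.
    return hmac.compare_digest(hmac_tag(key, record), tag)


def attacker_modifies(record: dict, tag_fn):
    """An attacker on the path changes the prescription and recomputes whatever
    unkeyed tag travels with the record. They cannot call hmac_tag because
    they do not hold the key, so the plain hash is their best effort."""
    forged = dict(record, rx=["oxycodone 30mg"])
    return forged, tag_fn(forged)


def demo() -> dict:
    key = secrets.token_bytes(32)   # shared by sender and database, never sent on the wire

    # Accidental corruption: a bit flip without a recomputed tag. Both schemes catch it.
    corrupted = dict(SAMPLE_EHR, dob="1970-04-02")
    plain_detects_corruption = not sha256_verify(corrupted, sha256_tag(SAMPLE_EHR))

    # Deliberate tampering against the bare hash: attacker rewrites record and hash.
    forged, forged_hash = attacker_modifies(SAMPLE_EHR, sha256_tag)
    plain_detects_tamper = not sha256_verify(forged, forged_hash)

    # Deliberate tampering against the HMAC: attacker's unkeyed hash fails verification.
    forged, attacker_tag = attacker_modifies(SAMPLE_EHR, sha256_tag)
    hmac_detects_tamper = not hmac_verify(key, forged, attacker_tag)

    genuine_ok = hmac_verify(key, SAMPLE_EHR, hmac_tag(key, SAMPLE_EHR))
    return {"plain_hash_detects_corruption": plain_detects_corruption,
            "plain_hash_detects_tamper": plain_detects_tamper,
            "hmac_detects_tamper": hmac_detects_tamper,
            "hmac_accepts_genuine": genuine_ok}


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-30s %s" % (check, result))
```

The HMAC key must be shared between the sender and the database and rotated like any other secret; where the sender is a separate organisation (a provider uploading records), a digital signature made with a certificate from the PKI gives the same tamper evidence without a shared key.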
Servers
The web server communicates with external users at the highest TLS version, v1.1 or v1.2,
that the user's browser supports. The web server's cryptographic algorithms match those
described for the connecting external user.
The VPN server is very similar but serves remote workers rather than customers and
providers. Its cryptographic algorithms match those described for the connecting remote
worker.
Workstations
Corporate desktop workstations are not intended to store ePHI locally, so this report does
not require cryptographic protection for them. Browser caches, page files and temporary
files can still hold fragments of ePHI, however, so full-disk encryption is worth enabling
on desktops too where the platform supports it. Devices used remotely (laptops, tablets,
etc.) are at much higher risk of being lost or stolen; to mitigate this, any device used for
remote access must use AES 256-bit full-disk encryption.
Public Key Infrastructure (PKI)
We will use an external Certificate Authority for the digital certificates used by our web
server, so that customers' and providers' browsers trust them without extra configuration.
Internal certificates will be issued by our own Certificate Authority on the corporate
network and installed on the VPN server, firewalls, and wireless access point.
Potential Threats
The healthcare industry was attacked by cybercriminals more than any other industry in 2015
[6], after not even being listed in the top five the year before. The reasons for this drastic
increase are many but a few of the most prominent are described below.
ePHI Data Theft
The first major reason was the requirement to use EHRs by January 2015 [7]. An attacker
cannot remotely break into a physical filing cabinet, so moving all of these paper records
into digital form vastly increased the attack surface of PHI. The prospect of selling EHRs,
even partial ones, is a powerful financial motivator for cybercriminals: EHRs sell for an
average of $50 each on the dark web versus $1 each for stolen credit card numbers [7].
You may wonder why EHRs are considered so valuable on the black market. Attackers can use
the information contained within a patient’s EHR to steal their identity and then purchase
medications, only to resell them on the dark web for a hefty profit [8]. Misuse of a stolen
EHR is also harder to detect than credit card fraud, giving attackers, or those who buy
stolen EHRs, more time to abuse the information and extract as much as possible from the
hijacked identity.
Ransomware
Ransomware is still quite profitable for cybercriminals in many industries, healthcare being
no exception. If an attacker can block access to patient EHRs or to critical medical
devices, possibly creating a life-or-death situation, the victim is more likely to pay the
ransom. A ransom is much cheaper than a malpractice suit over injury or death caused by
cybersecurity negligence.
Insider Threats
It is often difficult to think about, but one of the largest threats any company faces is from
those within our perimeter defenses – our employees and contractors. The threat can be either
malicious or simple negligence. An uninformed employee may click on a link within a fraudulent
but legitimate looking email which installs malware on the user’s computer. The malware could
be ransomware, a backdoor, or a keylogger to steal the user’s credentials. Use of valid
credentials by an attacker is often very difficult to detect and can be especially damaging
without good access controls in place.
Conclusion
This report has detailed how cryptographic mechanisms can be used in our corporate health
insurance environment to keep electronic protected health information confidential and
intact. The mechanisms described address the technical safeguards of the HIPAA Security
Rule [2], namely encryption, integrity controls and person or entity authentication; full
compliance also depends on the administrative [9] and physical [10] safeguards that sit
alongside them, including the risk analysis they require. Most security policies and
controls are already in place, but a few new ones are needed to support the enhanced
cryptographic techniques. The cyber threats our company faces are real and always changing,
and the combination of cryptography, policies, and controls described here will greatly
benefit our company, providers, and customers.
References
1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 160.103 (2002)
2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.312 (2002)
3. NIST (October 2008) NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
4. NIST (May 10, 2017) Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/fips/140/2/final/documents/fips1402annexa.pdf
5. Kessler, G. (August 15, 2017) An Overview of Cryptography. Retrieved from http://www.garykessler.net/library/crypto.html
6. Rodionova, Z. (April 21, 2016) Healthcare is now top industry for cyberattacks, says IBM. Retrieved from http://www.independent.co.uk/news/business/news/healthcare-is-now-top-industry-for-cyberattacks-says-ibm-a6994526.html
7. FBI (April 8, 2014) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain. Retrieved from http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
8. Fahey, R. (n.d.) Top Cyber Security Risks In Healthcare. Retrieved from http://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/
9. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.308 (2002)
10. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. § 164.310 (2002)