team ruby final presentation slides r7
TRANSCRIPT
Cybersecurity Assessment for Soft Touch Dentistry
Perry Escamilla, Kevin Jones, Jim Patterson, Leon Slack, Jason Smith & Robert Valdez
National University, Capstone
Professor Bane
Summary
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Auditing, Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
• Conclusion
National University2 Jason
Organization Chart
Jason Smith: Project Manager
Kevin Jones: Vulnerability Assessor
Leon Slack: Disaster Recovery
Robert Valdez: HIPAA Auditor
Perry Escamilla: Remediation Planner
Jim Patterson: Security Planner
Project Overview
Project Overview
• Soft Touch Dentistry is a small dental office in Murrieta, CA. Team Ruby, six students from National University, proposed to the practice a project to conduct a cybersecurity assessment of the office.
• The assessment consisted of a vulnerability assessment, a wireless audit and a HIPAA inspection.
• Team Ruby also put together a Business Continuity Plan, a Disaster Recovery Plan and a Security Plan for the practice.
• Lastly, Team Ruby performed a cost avoidance analysis to show how the project benefited the practice and which future costs it can now avoid because the work was done.
Project Schedule
Project Schedule, Project Schedule (cont.) and Project Gantt Chart slides: the schedule charts were not captured in this transcript.
HIPAA
Purpose
HIPAA is the Health Insurance Portability and Accountability Act, signed into law in August 1996. Thousands of organizations must comply with its Security Rule, which is only one part of the legislation. The stated purposes of the Act as a whole are:
• To allow better access to, and portability of, health insurance
• To reduce fraud and abuse
• To lower the overall cost of health care
The Security Rule itself (45 CFR Part 164, Subpart C) sets the administrative, physical and technical safeguards for electronic protected health information (ePHI) that the following slides cover.
Administrative Safeguards
Compliance with the Administrative Safeguards portion must include
implementation of the following:
• Conduct a risk analysis
• Implement risk management controls
• Develop a security plan
• Conduct periodic information system reviews and training
Physical Safeguards
Compliance with the Physical Safeguards portion must include
implementation of the following:
• Contingency operations
• Limit facility access and restricting levels of access
• Proper management of organization's computer systems and network
• Appropriate device and media controls
Technical Safeguards
Compliance with the Technical Safeguards portion must include
implementation of the following:
• Appropriate access controls such as unique user IDs and permissions
• Automatic logoff procedures
• Encryption and decryption procedures
• Measures to ensure integrity of ePHI
Key Elements of Compliance
• Senior Management Support is essential
• Conduct and maintain inventory of ePHI
• Conduct regular and detailed risk analysis
• Determine what is appropriate and reasonable
• Develop and implement security policies
• Prepare for ongoing compliance
• Maintain a security-minded culture within workplace
Penalties
• Civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for violations of an identical provision, depending on the level of culpability
• Criminal penalties, including imprisonment, may be imposed in addition to civil penalties
Additional negatives:
• Negative publicity
• Loss of customers
• Loss of business
• Legal liability
Soft Touch Dentistry
Initial assessment
• Administrative Safeguards – Partial Compliance
• Physical Safeguards – Non-Compliant
• Technical Safeguards – Non-Compliant
Soft Touch Dentistry Initial Assessment

Safeguards                   Security Standard                                                    Assessment %   Compliance Rating
Administrative Safeguards    §164.308(a)(1)(i) Security Management Process                        25%            Partial
                             §164.308(a)(2) Assigned Security Responsibility                      25%            Partial
                             §164.308(a)(3)(i) Workforce Security                                  4%            Partial
                             §164.308(a)(4)(i) Information Access Management                      20%            Partial
                             §164.308(a)(5)(i) Security Awareness and Training                    13%            Partial
                             §164.308(a)(6)(i) Security Incident Procedures                        0%            Non-Compliant
                             §164.308(a)(7)(i) Contingency Plan                                    0%            Non-Compliant
                             §164.308(a)(8) Evaluation                                            25%            Partial
                             §164.308(b)(1) Business Associate Contracts and Other Arrangements    0%            Non-Compliant
Physical Safeguards          §164.310(a)(1) Facility Access Controls                               0%            Non-Compliant
                             §164.310(b) Workstation Use                                           0%            Non-Compliant
                             §164.310(c) Workstation Security                                      0%            Non-Compliant
                             §164.310(d)(1) Device and Media Controls                              0%            Non-Compliant
Technical Safeguards         §164.312(a)(1) Access Control                                         0%            Non-Compliant
                             §164.312(b) Audit Controls                                            0%            Non-Compliant
                             §164.312(c)(1) Integrity                                              0%            Non-Compliant
                             §164.312(d) Person or Entity Authentication                           0%            Non-Compliant
                             §164.312(e)(1) Transmission Security                                  0%            Non-Compliant
Organizational Requirements  §164.314(a)(1) Business Associate Contracts and Other Arrangements    0%            Non-Compliant
                             §164.314(b)(1) Requirements for Group Health Plans                    0%            Non-Compliant
Policy, Procedures, and      §164.316(a) Policy and Procedures                                     0%            Non-Compliant
Documentation                §164.316(b)(1) Documentation                                          0%            Non-Compliant
Soft Touch Dentistry Post Team Ruby

Safeguards                   Security Standard                                                    Assessment %   Compliance Rating
Administrative Safeguards    §164.308(a)(1)(i) Security Management Process                        88%            Partial
                             §164.308(a)(2) Assigned Security Responsibility                     100%            Compliant
                             §164.308(a)(3)(i) Workforce Security                                 68%            Partial
                             §164.308(a)(4)(i) Information Access Management                      60%            Partial
                             §164.308(a)(5)(i) Security Awareness and Training                    38%            Partial
                             §164.308(a)(6)(i) Security Incident Procedures                      100%            Compliant
                             §164.308(a)(7)(i) Contingency Plan                                   42%            Partial
                             §164.308(a)(8) Evaluation                                            75%            Partial
                             §164.308(b)(1) Business Associate Contracts and Other Arrangements  100%            Compliant
Physical Safeguards          §164.310(a)(1) Facility Access Controls                              93%            Partial
                             §164.310(b) Workstation Use                                         100%            Compliant
                             §164.310(c) Workstation Security                                    100%            Compliant
                             §164.310(d)(1) Device and Media Controls                             56%            Partial
Technical Safeguards         §164.312(a)(1) Access Control                                        41%            Partial
                             §164.312(b) Audit Controls                                            0%            Non-Compliant
                             §164.312(c)(1) Integrity                                              0%            Non-Compliant
                             §164.312(d) Person or Entity Authentication                           0%            Non-Compliant
                             §164.312(e)(1) Transmission Security                                  0%            Non-Compliant
Organizational Requirements  §164.314(a)(1) Business Associate Contracts and Other Arrangements  100%            Compliant
                             §164.314(b)(1) Requirements for Group Health Plans                    0%            Not Applicable
Policy, Procedures, and      §164.316(a) Policy and Procedures                                   100%            Compliant
Documentation                §164.316(b)(1) Documentation                                        100%            Compliant
New Soft Touch Dentistry Policies
• Access, Use and Disclosure
• Request for Accounting of Disclosures
• Disclosure of Patient Information to the Public
• Release of Information to Media and Public
• Network, and E-mail Usage (Acceptable Use)
• Facsimile of Information
• Notice of Privacy Practices
• Information Security Program
• Information Security Incident Reporting and Response
• Soft Touch Dentistry Compliance Program
• Credit Card and Payment Card Information Protection
HIPAA Wireless Audit
Network Topology
Soft Touch Dentistry (STD) network topology diagram, not captured in this transcript. IP scheme 192.168.77.x; the diagram shows hosts at 192.168.77.1, .2, .3, .4, .5, .6, .7, .8, .50, .51, .201, .202, .205 and .230.
What Was Found
• The wireless password was all numbers: 129458866.
• The network was protected only by WEP (Wired Equivalent Privacy). WEP has been cryptographically broken since 2001 and its key is recovered in minutes with freely available tools, so it offers no real protection for ePHI in transit.
• The password was available for anyone to use.
• The wireless network was connected directly to the physical business network, so any wireless client could reach the office server and workstations; there was no segmentation between the two.
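Added example (not from the Team Ruby slides): a small Python audit that parses a saved wireless survey in the shape of Windows `netsh wlan show networks mode=bssid` output, flags networks using WEP, TKIP or open authentication, and checks a pre-shared key against a minimal policy. The survey text, SSIDs and BSSIDs are constructed for the example; the 12-character minimum is an assumed policy, not a HIPAA requirement.

```python
"""Flag weak wireless configurations in a saved wireless survey.

Added example, not part of the Team Ruby presentation. Parses text shaped like
`netsh wlan show networks mode=bssid` output and checks a WPA2 pre-shared key
against a minimal (assumed) policy. The survey below is constructed; the SSIDs
and BSSIDs are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `netsh wlan show networks mode=bssid`.
SAMPLE_SURVEY = """\
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : SoftTouch-WiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 88%

SSID 2 : SoftTouch-Guest
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:66
         Signal             : 70%
"""

WEAK_ENCRYPTION = {"WEP", "TKIP", "None"}      # broken or absent link encryption
WEAK_AUTH = {"Open", "WPA-Personal"}           # no auth, or deprecated WPA1


@dataclass
class Network:
    ssid: str
    authentication: str = ""
    encryption: str = ""
    bssids: list = field(default_factory=list)


def parse_survey(text):
    """Return a list of Network objects from netsh-style survey text."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"^SSID \d+\s*:\s*(.*)$", line)
        if m:
            current = Network(ssid=m.group(1).strip())
            networks.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^\s*(Authentication|Encryption|BSSID \d+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Authentication":
            current.authentication = value
        elif key == "Encryption":
            current.encryption = value
        else:
            current.bssids.append(value)
    return networks


def audit_networks(networks):
    """Return {ssid: [finding, ...]} for every network with weak link security."""
    findings = {}
    for n in networks:
        issues = []
        if n.encryption in WEAK_ENCRYPTION:
            issues.append(f"encryption {n.encryption!r} is broken or absent; use WPA2/WPA3 with AES-CCMP")
        if n.authentication in WEAK_AUTH:
            issues.append(f"authentication {n.authentication!r}; use WPA2/WPA3-Personal or Enterprise")
        if issues:
            findings[n.ssid] = issues
    return findings


def audit_passphrase(passphrase, min_length=12):
    """Return policy violations for a pre-shared key (min_length is an assumed policy)."""
    issues = []
    if len(passphrase) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if passphrase.isdigit():
        issues.append("all digits (trivially brute-forced)")
    classes = sum(bool(re.search(p, passphrase)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        issues.append("uses fewer than three character classes")
    return issues


if __name__ == "__main__":
    for ssid, issues in audit_networks(parse_survey(SAMPLE_SURVEY)).items():
        print(ssid)
        for issue in issues:
            print("  -", issue)
    print("passphrase 129458866:", audit_passphrase("129458866"))
```

To run it against a real office, save the `netsh` output to a file and pass its contents to `parse_survey()`. A WPA2-only result with a passphrase that passes `audit_passphrase()` is the state the remediation should reach; the wireless segment must additionally be separated from the business LAN, which a radio survey cannot see.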
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
SANS Institute Case Study
• Study performed by Daniel O’Dorisio
• Submitted 12/23/2003
• Singled out five regulations in 164.312 that pertain to wireless communication.
• Expressed the language of the HIPAA safeguards in regular terms and how they could be breached by wireless vulnerabilities.
HIPAA Safeguards (45 CFR §164.312)
• §164.312(d) Person or entity authentication. A covered entity must, in accordance with §164.306, implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• §164.312(a)(1) Access control. A covered entity must, in accordance with §164.306, implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
• §164.312(c)(1) Integrity. A covered entity must, in accordance with §164.306, implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• §164.312(e)(1) Transmission security. A covered entity must, in accordance with §164.306, implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Vulnerability Assessment
Vulnerability Assessment Defined & Tool
• "A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise" (SANS, 2001).
• Tool: Retina
  • Ease of use
  • Free trial (savings of $1,700)
  • Industry-accepted tool
  • Fast local scans (3 to 10 minutes per machine)
High, Medium & Low
• High: may result in the highly costly loss of assets; risks that significantly violate, harm or impede operations
• Medium: may result in the costly loss of assets; risks that violate, harm or impede operations
• Low: may result in the loss of some assets or may affect operations
Vulnerabilities Found
Total findings: 1,137
• Findings fixed: 862 (76% of all findings)
• High, not fixed: 3
• High, false positive: 1
• Medium, not fixed: 29
• Medium, false positives: 24
• Low, not fixed: 218

Vulnerabilities Found (continued)
High & medium findings fixed: 862 of 919 (94%). All 862 fixed findings were high or medium, leaving 3 high and 29 medium items open (plus 25 false positives) and the 218 low findings unaddressed.
Plan of Action & Milestones (Open)
Plan of Action & Milestones (Closed)
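Added example, not code from the project or from Retina: the numbers above come from grouping scanner findings by severity and status. The script below does that grouping over a constructed CSV export (host, severity, finding, status), reproduces the two metrics on the slides (fixed over all findings, and fixed over high plus medium), and lists the open POA&M. False positives stay in the denominator, as the slides count them, but are excluded from the POA&M; the hosts and findings in the sample are invented.

```python
"""Remediation metrics and an open POA&M from a vulnerability-scan export.

Added example, not Team Ruby's code and not a Retina export format. The CSV
below is constructed; the columns (host, severity, finding, status) are an
assumed generic shape.
"""
import csv
import io
from collections import Counter

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}
STATUSES = {"Fixed", "Not Fixed", "False Positive"}

# Constructed sample export; hosts and findings are illustrative only.
SAMPLE_EXPORT = """\
host,severity,finding,status
192.168.77.2,High,Missing OS security update,Fixed
192.168.77.2,High,SMBv1 enabled,Not Fixed
192.168.77.3,High,Default administrator password,Fixed
192.168.77.3,Medium,Weak TLS cipher suites,Fixed
192.168.77.4,Medium,Anonymous FTP allowed,False Positive
192.168.77.4,Medium,Outdated Java runtime,Not Fixed
192.168.77.5,Low,ICMP timestamp response,Not Fixed
192.168.77.5,Low,HTTP TRACE enabled,Fixed
192.168.77.8,Low,Banner discloses version,Not Fixed
"""


def load_findings(text):
    """Parse the export and reject rows with unknown severity or status."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        if r["severity"] not in SEVERITY_ORDER or r["status"] not in STATUSES:
            raise ValueError(f"unexpected row: {r}")
    return rows


def tally(rows):
    """Counter keyed by (severity, status)."""
    return Counter((r["severity"], r["status"]) for r in rows)


def remediation_rate(counts, severities=("High", "Medium", "Low")):
    """Fixed findings as a whole-number percentage of all findings in the given
    severities. False positives stay in the denominator, which is how the slides
    arrive at 76% overall and 94% for high plus medium."""
    fixed = sum(n for (sev, st), n in counts.items() if sev in severities and st == "Fixed")
    total = sum(n for (sev, st), n in counts.items() if sev in severities)
    return round(100 * fixed / total) if total else 0


def open_poam(rows):
    """Open items, highest severity first, then by host. False positives are
    closed with a note in the scan record and never become POA&M items."""
    items = [r for r in rows if r["status"] == "Not Fixed"]
    return sorted(items, key=lambda r: (SEVERITY_ORDER[r["severity"]], r["host"]))


if __name__ == "__main__":
    rows = load_findings(SAMPLE_EXPORT)
    counts = tally(rows)
    print("overall fixed:", remediation_rate(counts), "%")
    print("high+medium fixed:", remediation_rate(counts, ("High", "Medium")), "%")
    for r in open_poam(rows):
        print(f'{r["severity"]:6} {r["host"]:15} {r["finding"]}')
```

Feeding `remediation_rate()` the slide's own counts (862 fixed, 3 and 1 high open/false positive, 29 and 24 medium, 218 low open) returns 76 and 94, which confirms the two slides are computed the same way.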
DRP/BCP
Disaster Recovery Plan / Business Continuity Plan
Initial Findings
Physical Description of the Site
• Located at 25395 Hancock Ave. and zoned as Office Research Park (ORP) by the city of Murrieta
• The site is between two major freeways, approximately 1 mile east of the I-15 and 0.4 miles west of the I-215, and approximately 0.3 miles north of Murrieta Hot Springs Rd.
• Parcel Map (PM) 26610 and Assessor's Parcel Number (APN) 910-250-007
• Building construction is Type V-N (also known as V-B): a wood-framed building with no fire protection for the exterior walls
• An unarmed security guard is onsite between 8:00 AM and 5:00 PM on weekdays, and the building has a general announcing (public address) system
Initial Findings (cont.)
Physical Description of the Site (cont.)
• Soft Touch Dental office itself does not have an alarm system or enhanced locks
• The site is approximately 2.2 miles or 6 minutes south of the Murrieta City Police Department at 2 Town Center
• Chances of being a victim of a violent crime are 1 in 1505 in Murrieta as compared to 1 in 252 for the state of California
Initial Findings (cont.)
Risk to the Physical Property
• Fire
  • Greatest risk overall
  • Building construction is Type V-B, which offers no fire protection for the exterior walls
  • Proprietor states that they have insurance
• Flood
  • The site is not in danger of flooding or related incidents
• Earthquake
  • Less than 10% chance of major structural damage
  • Building is located on a sandstone formation
  • No major active faults nearby
Initial Findings (cont.)
Office Description
• The office is located on the 2nd floor and totals less than 800 sq. ft.
• Contains two entry points
• Exam room, private office, rest rooms, employee break area, utility/wiring closet and X-ray area
Initial Findings (cont.)
Office Description (cont.)
• Door between the patient waiting area and exam area is unsecured
• Utility/wiring closet is unlocked
• Water heater risk: the closet houses the PBX switch, patch panel, UPS units, network switch and DSL router (photo labels)
Initial Findings (cont.)
Office Description (cont.)
• One of the ports is not mounted to the breakout box, which exposes the wiring to possible damage (photo: exposed wiring)
Initial Findings (cont.)
Office Description (cont.)
• There are no network connections in the private office space. The connections for the server and office workstation run along the floor out into the hallway and then into the X-ray area (photo labels: office server, office workstation, hallway, workstation & server cable, office exit)
Initial Findings (cont.)
Office Risks
• Networking and communications equipment is at risk from a water heater leak
• Poor wiring may be causing the spotty network performance
• There are no protections in place on the network: no segmentation and no firewall. It is recommended that the network be segmented and a firewall put in place.
Initial Findings (cont.)
Administration
• The Mutual Aid and Assistance Memorandum of Understanding is only a verbal commitment
• Policies and procedures do not exist for any IT operations
• Staff manually copy the server's D:\ drive daily to one of two 300 GB external hard drives
Administrative Risks
• The current backup process is inadequate: it is not capturing any of the Dentrix data
• The Mutual Aid and Assistance MOU needs to be formalized
• Written policies and procedures for IT operations need to be developed
Asset Inventory and Replacement
• Current inventory
  • 7 desktop workstations with monitors
  • 3 laptop workstations
  • 2 MFC printers
  • 1 server
  • 1 24-port switch
  • 2 5-port switches
• Replacement list and costs
  • Costs do not reflect any taxes or shipping fees
  • The list assumes that all telecommunication and internet connectivity are in place and functional
Asset Inventory and Replacement (cont.)
Estimated cost to replace: $9,435.74
Item Source Quantity Unit Cost Total Cost
Desktop Workstation Dell Corp 7 $679.00 $4,753.00
Laptop Workstation Dell Corp 3 $479.00 $1,437.00
Server Dell Corp 1 $1,914.44 $1,914.44
MFC Printer Canon 2 $148.98 $297.96
24 Port Network Switch Linksys 1 $177.99 $177.99
Wireless Access Point Amped Wireless 1 $71.99 $71.99
5 Port Network Switch Linksys 2 $39.97 $79.94
KVM Switch Office Depot 1 $73.49 $73.49
Monitors Walmart 7 $89.99 $629.93
Total Estimated Costs $9,435.74
DRP/BCP Development Approach
• Small office with limited resources
• Key personnel
  • The owner
  • The office manager
• Mutual Aid and Assistance Memorandum of Understanding
  • Developed one based on an MOU between the California Emergency Management Agency and the California Dental Identification Team
• Critical data sources
  • Dentrix database
  • Critical office correspondence
DRP/BCP Development Approach (cont.)
• Critical services
  • Access to an alternative site
  • Procurement and installation of replacement equipment
  • Restoration of Dentrix data and Dentrix operations
  • Restoration of critical office correspondence data
• Recovery process
  • In the case of the loss of the office space, a 5-day plan is described in the Disaster Recovery Plan
  • The plan can be tailored down for loss of critical infrastructure
DRP/BCP Development Approach (cont.)
• Data backup and recovery plan
  • Continue to use the external hard disk drives
  • Run the Dentrix backup process from the Server Administration Utility so the database is actually captured
  • Test the encryption of the backup drives
  • No data restoration procedures have been written at this time
    • Dentrix restoration requires the removal of all database files
    • The office does not have a second server system on which to rehearse a restoration
    • Restoration procedures have been added to the POA&M
• Equipment restoration plan
  • Cost was a driving concern
  • Chose business-class hardware for the server and workstations
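Added example, not part of the Team Ruby plan and not the Dentrix Server Administration Utility: the backup finding above (a daily copy of D:\ that never captured the Dentrix data, with no written restoration procedure) is exactly what a manifest check catches. The script hashes the source tree, copies it, verifies every file on the backup against the manifest, and fails if a directory the plan calls critical is missing or empty. The directory layout (Dentrix data under Dentrix/Common, correspondence under Office) and the sample files are assumptions. A clean manifest check proves the copy is complete and intact; it does not replace a restore rehearsal.

```python
"""Manifest-based verification of a file-copy backup.

Added example for the Soft Touch Dentistry backup finding; not Team Ruby's
deliverable and not Dentrix's own backup tool. The directory layout and the
sample files are assumptions constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed layout of the server's D: drive; adjust to the real Dentrix data path.
CRITICAL_DIRS = ("Dentrix/Common", "Office")


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large database files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def copy_tree(src, dst):
    """Plain file copy, the same thing the staff's manual D:\\ copy does."""
    shutil.copytree(src, dst, dirs_exist_ok=True)


def verify_backup(backup_root, manifest, critical_dirs=CRITICAL_DIRS):
    """Return {'missing': [...], 'mismatch': [...], 'missing_dirs': [...]}.

    Every manifest entry must exist on the backup with the same hash, and every
    critical directory must be present and contain at least one file.
    """
    backup_root = Path(backup_root)
    problems = {"missing": [], "mismatch": [], "missing_dirs": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            problems["missing"].append(rel)
        elif sha256_file(p) != digest:
            problems["mismatch"].append(rel)
    for d in critical_dirs:
        target = backup_root / d
        if not target.is_dir() or not any(q.is_file() for q in target.rglob("*")):
            problems["missing_dirs"].append(d)
    return problems


def backup_is_good(problems):
    return not any(problems.values())


def run_demo():
    """Constructed scenario: a copy that skipped the Dentrix folder, then a full copy.

    Returns (problems_for_partial_copy, problems_for_full_copy).
    """
    with tempfile.TemporaryDirectory() as tmp_root:
        tmp = Path(tmp_root)
        src = tmp / "D"
        (src / "Dentrix" / "Common").mkdir(parents=True)
        (src / "Office").mkdir()
        (src / "Dentrix" / "Common" / "patients.dat").write_bytes(b"constructed database bytes")
        (src / "Office" / "letter.txt").write_text("constructed correspondence")
        manifest = build_manifest(src)

        partial = tmp / "backup_partial"          # only Office/ was copied
        copy_tree(src / "Office", partial / "Office")
        full = tmp / "backup_full"                # everything copied
        copy_tree(src, full)
        return verify_backup(partial, manifest), verify_backup(full, manifest)


if __name__ == "__main__":
    bad, good = run_demo()
    print("partial copy:", bad, "ok:", backup_is_good(bad))
    print("full copy:", good, "ok:", backup_is_good(good))
```

In practice the manifest is written at backup time and kept with the drive, so the check can be rerun before the drive is rotated offsite and again before any restore; a mismatch on a Dentrix file is the signal to stop and investigate rather than restore.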
Security Plan Development
Managing Enterprise Risk
Key activities in managing enterprise-level risk (risk resulting from the operation of an information system):
• Categorize the information system
• Select a set of minimum (baseline) security controls
• Refine the security control set based on risk assessment
• Document the security controls in the system security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine agency-level risk and risk acceptability
• Authorize information system operation
• Monitor the security controls on a continuous basis
Publication Overview
• NIST Special Publication 800-18 (Security Planning)
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-60 Vol 1 & 2 (Security Category Mapping)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-53 Rev 4 (Recommended Security Controls)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-66 Rev 1 (Guide for Implementing HIPAA)
• ISO/IEC 27000 (Information Security Management Systems (ISMS): overview and vocabulary)
• ISO/IEC 27002 (Code of practice for information security controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)
Source: NIST SP 800-18, p. 11
Categorizing Information and Information Systems
(Source: FIPS 199 Table 1, p. 6; the table was not captured in this transcript)
Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.
Purpose
• Enabled Soft Touch Dentistry to implement appropriate controls in a cost-effective manner based on the potential impact to defined security objectives.
Objectives
• CONFIDENTIALITY: the loss of confidentiality is the unauthorized disclosure of information (e.g. ePHI)
• INTEGRITY: the loss of integrity is the unauthorized modification or destruction of information (e.g. payment modifications)
• AVAILABILITY: the loss of availability is the disruption of access to or use of information or the information system (e.g. ransomware)
Impacts (FIPS 199)
• LOW: a limited adverse effect on the organization's mission
• MODERATE: a serious adverse effect on the organization's mission
• HIGH: a severe or catastrophic adverse effect on the organization's mission

Categorizing Information Types
Identification of information types: information is categorized according to its information type. An information type is a specific category of information, for example privacy, medical, proprietary or financial information.
Soft Touch Dentistry critical information:
• Personally Identifiable Information (PII)
• Patient health information (ePHI)
• Patient credit card and insurance billing information
Source: NIST SP 800-60 Vol 1, p. 16
Categorizing Information Types (cont.)
D.14.4 Health Care Delivery Services Information Type: supports the delivery of health care, the planning of health services and the managing of clinical information and documentation. The recommended provisional security categorization for health care delivery services information is:
Security Category = {(confidentiality, Low), (integrity, High), (availability, Low)}
Confidentiality: the confidentiality impact level is the effect of unauthorized disclosure of health care delivery services information on the ability of responsible agencies to provide and support the delivery of health care to its beneficiaries; unauthorized disclosure will have only a limited adverse effect on agency operations, assets, or individuals.
Special factors affecting confidentiality impact determination: in some cases, unauthorized disclosure of this information, such as privacy-protected medical records, can have serious consequences for agency operations. In such cases, the confidentiality impact level may be moderate.
Source: NIST SP 800-60 Vol 2, p. 171
System Categorization
Provisional impact levels
• Recommended integrity impact level: because of the potential for the loss of human life, the provisional integrity impact level recommended for health care delivery services information is High. (Source: NIST SP 800-60 Vol 2, p. 172)
Review and adjust impact levels
• Organizations should: (i) review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing; (ii) adjust the security objective impact levels as necessary using the special factors guidance found in Volume II, Appendices C and D; and (iii) document all adjustments to the impact levels and provide the rationale or justification for the adjustments. (NIST SP 800-60 Vol 1, p. 23)
• Final information system categorization was evaluated as Moderate. Under the FIPS 199 high-water mark, a system holding information with a High integrity level is itself High, so a Moderate result is only defensible if the provisional integrity level was adjusted down to Moderate for this practice and that adjustment was documented with its rationale, as step (iii) requires.
NIST Security Control Selection
FIPS 200 provides the minimum security requirements covering seventeen (17) security-related areas.
• States that the selected set of controls must include one of the baselines
• Must include all controls in the baseline unless exceptions are made based on tailoring
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
• 18 control families
  • Seventeen control families for an information system
  • One control family focusing on organization-wide requirements (Program Management)
• Provides a tailored set of baseline security controls based on the overall system categorization
  • 159 controls for an information system categorized at the Moderate impact level
• Tailoring controls: a cost-effective, risk-based approach that supports organizational mission/business needs
  • Identifying common security controls
  • Applying scoping considerations
  • Selecting compensating controls
  • Supplementing with control enhancements
  • Documentation
ISO 27002 Security Control Selection
ISO/IEC 27002 Security Techniques, Code of Practice for Information Security Controls
• International standard intended as guidance for organizations implementing commonly accepted information security controls
• States that security controls from any or all clauses could be important, so each organization applying the standard should identify applicable controls based on how important they are to the specific application
• Contains the actual "best practice" details of what goes into building a comprehensive IT security program
• The selection of controls depends on organizational decisions based on organizational risk acceptance
• May be regarded as a starting point for developing organization-specific guidelines
• Structure: 14 security clauses (Policies, Human Resource Security, Access Control, etc.), 35 security control categories (e.g. Policies for Information Security, Review of Policies) and 114 controls, each with an objective, implementation guidance and other information
Mitigating Findings with Selected Controls
Implementing Controls
• Developed policies
• Patched software
• Developed training
• Implemented access controls
  • Unique user accounts
  • Strong passwords
  • Group Policy Objects
• Changed default passwords
• Made recommendations in the POA&M
Cost Avoidance
Proposed Cost of the Project
HIPAA Fine Breakdown (per violation, with the cap for identical violations in a calendar year)
• Covered entity was not aware of the violation: $100 per violation, not to exceed $25,000
• Violation occurred due to "reasonable cause": $1,000 per violation, not to exceed $100,000
• Due to willful neglect, corrected: $10,000 per violation, not to exceed $250,000
• Due to willful neglect, not corrected: $50,000 per violation, not to exceed $1,500,000
Cost Avoidance
Estimated cost avoided: $150,000
Lessons Learned & Conclusion
Lessons Learned
• Project management is the key to completing these assessments. Taking the project management training while doing the project meant some lessons were learned too late to apply.
• Small businesses are challenged to maintain compliance with federal regulations
• Understanding the current environment (personnel, equipment, etc.) is important before finalizing the project scope and statement of work
• Creating a work breakdown structure eliminates confusion over task assignments
Conclusion
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
Project Value
• Provided a no-cost vulnerability and HIPAA assessment that resulted in the implementation of controls that significantly hardened the Soft Touch Dentistry information system against attack. Policies and training were also developed that position the organization to take control of its cybersecurity posture in the future.
Questions?