Team Ruby Final Presentation Slides R7

Cybersecurity Assessment for Soft Touch Dentistry. Perry Escamilla, Kevin Jones, Jim Patterson, Leon Slack, Jason Smith & Robert Valdez. National University, Capstone, Professor Bane.

Transcript of Team Ruby Final Presentation Slides R7

Page 1: Team Ruby Final Presentation Slides R7

Cybersecurity Assessment for Soft Touch Dentistry

Perry Escamilla, Kevin Jones, Jim Patterson, Leon Slack, Jason Smith & Robert Valdez

National University, Capstone

Professor Bane

Page 2: Team Ruby Final Presentation Slides R7

Summary

• Project Overview
• Project Schedule
• HIPAA
• HIPAA Auditing, Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
• Conclusion

Page 3: Team Ruby Final Presentation Slides R7

Organization Chart

• Jason Smith: Project Manager
• Kevin Jones: Vulnerability Assessor
• Leon Slack: Disaster Recovery
• Robert Valdez: HIPAA Auditor
• Perry Escamilla: Remediation Planner
• Jim Patterson: Security Planner

Page 4: Team Ruby Final Presentation Slides R7

Project Overview

Page 5: Team Ruby Final Presentation Slides R7

Project Overview

• Soft Touch Dentistry is a small dental office in Murrieta, CA. Team Ruby, comprised of six students from National University, proposed to the practice a project to conduct a cybersecurity assessment of the office.
• The assessment consisted of a vulnerability assessment, a wireless audit and a HIPAA inspection.
• Team Ruby also put together a Business Continuity Plan, a Disaster Recovery Plan and a Security Plan for the practice.
• Lastly, Team Ruby performed a cost avoidance analysis to show how the project benefited the practice and which future costs the practice can now avoid because the work was done.

Page 6: Team Ruby Final Presentation Slides R7

Project Schedule

Page 7: Team Ruby Final Presentation Slides R7

Project Schedule


Page 8: Team Ruby Final Presentation Slides R7

Project Schedule Cont.


Page 9: Team Ruby Final Presentation Slides R7

Project Schedule Cont.


Page 10: Team Ruby Final Presentation Slides R7

Project Gantt Chart


Page 11: Team Ruby Final Presentation Slides R7

HIPAA

Page 12: Team Ruby Final Presentation Slides R7

Purpose

HIPAA is the Health Insurance Portability and Accountability Act, signed into law in August 1996. Thousands of organizations (covered entities and their business associates) must comply with the HIPAA Security Rule, which is one of several regulations issued under the Act.

The purposes of HIPAA as a whole:

• To allow better access to, and portability of, health insurance
• Reduce fraud and abuse
• Lower the overall cost of health care

The Security Rule specifically sets the standards for protecting the confidentiality, integrity and availability of electronic protected health information (ePHI); those standards are what the rest of this section audits.

Page 13: Team Ruby Final Presentation Slides R7

Administrative Safeguards

Compliance with the Administrative Safeguards portion must include implementation of the following:

• Conduct a risk analysis
• Implement risk management controls
• Develop a security plan
• Conduct periodic information system reviews and training

Page 14: Team Ruby Final Presentation Slides R7

Physical Safeguards

Compliance with the Physical Safeguards portion must include implementation of the following:

• Contingency operations
• Limit facility access and restrict levels of access
• Proper management of the organization's computer systems and network
• Appropriate device and media controls

Page 15: Team Ruby Final Presentation Slides R7

Technical Safeguards

Compliance with the Technical Safeguards portion must include implementation of the following:

• Appropriate access controls such as unique user IDs and permissions
• Automatic logoff procedures
• Encryption and decryption procedures
• Measures to ensure the integrity of ePHI
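The technical safeguards above are stated as requirements only, and the post-project table later in this deck still shows Audit Controls (§164.312(b)) and Integrity (§164.312(c)(1)) at 0%. The following is an added example, not code from the Team Ruby project or from any product the practice uses, of one control that addresses both at once: a tamper-evident access log for ePHI in which every entry carries an HMAC over its own fields and the previous entry's tag, so that editing, reordering or deleting a record breaks the chain. The log key, user names and record identifiers are constructed for illustration.

```python
"""Tamper-evident access log for ePHI (added example).

Each entry is keyed to the previous entry's tag. verify_log() recomputes
every tag and reports the first sequence number at which the chain fails.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the key is held outside the log host (HSM, separate service,
# or a file readable only by the logger). This constant is a sample, not a secret.
LOG_KEY = bytes.fromhex("0f" * 32)

GENESIS_TAG = "0" * 64  # prev_tag of the very first entry


def _canonical(entry: dict) -> bytes:
    # Sorted keys, no whitespace: the same record always serializes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, user: str, action: str, record_id: str, ts: str = "") -> dict:
    """Append one access event, chaining it to the previous entry's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "record_id": record_id,
        "prev_tag": prev_tag,
    }
    entry["tag"] = hmac.new(LOG_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return (ok, first_bad_seq). Checks sequence, chain linkage and every tag."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_tag") != prev_tag:
            return False, i
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def sample_log() -> list:
    """Constructed sample events; no real patient data."""
    log: list = []
    append_entry(log, "dr.smith", "view", "patient-1001", "2014-05-01T09:00:00+00:00")
    append_entry(log, "frontdesk", "update-billing", "patient-1001", "2014-05-01T09:05:00+00:00")
    append_entry(log, "frontdesk", "view", "patient-2002", "2014-05-01T09:07:00+00:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_log(log))
    log[1]["user"] = "dr.smith"   # retroactive edit: tag no longer matches at seq 1
    print("after edit:", verify_log(log))
    log = sample_log()
    del log[1]                    # deletion: seq and prev_tag both fail at seq 1
    print("after delete:", verify_log(log))
```

Two caveats a reviewer would raise. Deleting the newest entries leaves a shorter chain that still verifies, so the latest tag has to be recorded somewhere the log writer cannot alter (a write-once store, or a daily copy sent to the owner). And whoever holds the key can re-chain the whole log, which is why it must not sit beside the log file on the same server.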

Page 16: Team Ruby Final Presentation Slides R7

Key Elements of Compliance

• Senior management support is essential
• Conduct and maintain an inventory of ePHI
• Conduct regular and detailed risk analysis
• Determine what is appropriate and reasonable
• Develop and implement security policies
• Prepare for ongoing compliance
• Maintain a security-minded culture within the workplace

Page 17: Team Ruby Final Presentation Slides R7

Penalties

Civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million, depending on the level of culpability (the tiers are broken down under Cost Avoidance below).

Criminal penalties, including imprisonment, may be imposed in addition to civil penalties.

Additional negatives:

• Negative publicity
• Loss of customers
• Loss of business
• Legal liability

Page 18: Team Ruby Final Presentation Slides R7

Soft Touch Dentistry

Initial assessment

• Administrative Safeguards: Partial Compliance
• Physical Safeguards: Non-Compliant
• Technical Safeguards: Non-Compliant

Page 19: Team Ruby Final Presentation Slides R7

Soft Touch Dentistry Initial Assessment

Security Standard | Assessment Percentage | Compliance Rating

Administrative Safeguards
§164.308(a)(1)(i) Security Management Process | 25% | Partial
§164.308(a)(2) Assigned Security Responsibility | 25% | Partial
§164.308(a)(3)(i) Workforce Security | 4% | Partial
§164.308(a)(4)(i) Information Access Management | 20% | Partial
§164.308(a)(5)(i) Security Awareness and Training | 13% | Partial
§164.308(a)(6)(i) Security Incident Procedures | 0% | Non-Compliant
§164.308(a)(7)(i) Contingency Plan | 0% | Non-Compliant
§164.308(a)(8) Evaluation | 25% | Partial
§164.308(b)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant

Physical Safeguards
§164.310(a)(1) Facility Access Controls | 0% | Non-Compliant
§164.310(b) Workstation Use | 0% | Non-Compliant
§164.310(c) Workstation Security | 0% | Non-Compliant
§164.310(d)(1) Device and Media Controls | 0% | Non-Compliant

Technical Safeguards
§164.312(a)(1) Access Control | 0% | Non-Compliant
§164.312(b) Audit Controls | 0% | Non-Compliant
§164.312(c)(1) Integrity | 0% | Non-Compliant
§164.312(d) Person or Entity Authentication | 0% | Non-Compliant
§164.312(e)(1) Transmission Security | 0% | Non-Compliant

Organizational Requirements
§164.314(a)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
§164.314(b)(1) Requirements for Group Health Plans | 0% | Non-Compliant

Policies, Procedures, and Documentation
§164.316(a) Policies and Procedures | 0% | Non-Compliant
§164.316(b)(1) Documentation | 0% | Non-Compliant

Page 20: Team Ruby Final Presentation Slides R7

Soft Touch Dentistry Post Team Ruby

Security Standard | Assessment Percentage | Compliance Rating

Administrative Safeguards
§164.308(a)(1)(i) Security Management Process | 88% | Partial
§164.308(a)(2) Assigned Security Responsibility | 100% | Compliant
§164.308(a)(3)(i) Workforce Security | 68% | Partial
§164.308(a)(4)(i) Information Access Management | 60% | Partial
§164.308(a)(5)(i) Security Awareness and Training | 38% | Partial
§164.308(a)(6)(i) Security Incident Procedures | 100% | Compliant
§164.308(a)(7)(i) Contingency Plan | 42% | Partial
§164.308(a)(8) Evaluation | 75% | Partial
§164.308(b)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant

Physical Safeguards
§164.310(a)(1) Facility Access Controls | 93% | Partial
§164.310(b) Workstation Use | 100% | Compliant
§164.310(c) Workstation Security | 100% | Compliant
§164.310(d)(1) Device and Media Controls | 56% | Partial

Technical Safeguards
§164.312(a)(1) Access Control | 41% | Partial
§164.312(b) Audit Controls | 0% | Non-Compliant
§164.312(c)(1) Integrity | 0% | Non-Compliant
§164.312(d) Person or Entity Authentication | 0% | Non-Compliant
§164.312(e)(1) Transmission Security | 0% | Non-Compliant

Organizational Requirements
§164.314(a)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant
§164.314(b)(1) Requirements for Group Health Plans | 0% | Not Applicable

Policies, Procedures, and Documentation
§164.316(a) Policies and Procedures | 100% | Compliant
§164.316(b)(1) Documentation | 100% | Compliant

Page 21: Team Ruby Final Presentation Slides R7

New Soft Touch Dentistry Policies

• Access, Use and Disclosure
• Request for Accounting of Disclosures
• Disclosure of Patient Information to the Public
• Release of Information to Media and Public
• Network and E-mail Usage (Acceptable Use)
• Facsimile of Information
• Notice of Privacy Practices
• Information Security Program
• Information Security Incident Reporting and Response
• Soft Touch Dentistry Compliance Program
• Credit Card and Payment Card Information Protection

Page 22: Team Ruby Final Presentation Slides R7

HIPAA Wireless Audit

Page 23: Team Ruby Final Presentation Slides R7

Network Topology

STD network topology diagram (image not captured in the transcript). IP scheme: 192.168.77.x addressing, with hosts shown at 192.168.77.1, .2, .3, .4, .5, .6, .7, .8, .50, .51, .201, .202, .205 and .230.

Page 24: Team Ruby Final Presentation Slides R7

What Was Found

• The wireless key was all digits: 129458866.
• The network was protected only by WEP (Wired Equivalent Privacy). WEP is cryptographically broken; an attacker who captures enough traffic can recover the key in minutes, regardless of how long or complex the key is.
• The key was handed out to anyone who wanted to use the network.
• The wireless network was bridged directly to the business network with no segmentation, so anyone on Wi-Fi had the same reach as a wired workstation.

Page 25: Team Ruby Final Presentation Slides R7

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

Page 26: Team Ruby Final Presentation Slides R7

SANS Institute Case Study

• Study performed by Daniel O'Dorisio
• Submitted 12/23/2003
• Singled out five standards in §164.312 that pertain to wireless communication (four of them are quoted on the following slides)
• Expressed the language of the HIPAA safeguards in plain terms and showed how each could be breached through wireless vulnerabilities

Page 27: Team Ruby Final Presentation Slides R7

HIPAA Safeguards

• §164.312(d) Person or entity authentication: "A covered entity must, in accordance with Sec. 164.306: (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."

• §164.312(a)(1) Access control: "A covered entity must, in accordance with Sec. 164.306: (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4)."

Page 28: Team Ruby Final Presentation Slides R7

HIPAA Safeguards

• §164.312(c)(1) Integrity: "A covered entity must, in accordance with Sec. 164.306: (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."

• §164.312(e)(1) Transmission security: "A covered entity must, in accordance with Sec. 164.306: (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

Page 29: Team Ruby Final Presentation Slides R7

Vulnerability Assessment

Page 30: Team Ruby Final Presentation Slides R7

Vulnerability Assessment Defined & Tool

• "A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise" (SANS, 2001).

• Tool: Retina
  • Ease of use
  • Free trial (savings of $1,700)
  • Industry-accepted tool
  • Fast local scans (3 to 10 minutes per machine)

Page 31: Team Ruby Final Presentation Slides R7

High, Medium & Low

• High: may result in a highly costly loss of assets; risks that significantly violate, harm or impede operations
• Medium: may result in a costly loss of assets; risks that violate, harm, or impede operations
• Low: may result in the loss of some assets or may affect operations

Page 32: Team Ruby Final Presentation Slides R7

Vulnerabilities Found

Total findings: 1,137

Findings fixed | 862 (76% of all findings)
High, not fixed | 3
High, false positive | 1
Medium, not fixed | 29
Medium, false positives | 24
Low, not fixed | 218

Page 33: Team Ruby Final Presentation Slides R7

Vulnerabilities Found (Continued)

High and medium findings: 919 (the 1,137 total less the 218 low findings). The 862 fixed are all high or medium, so the remediation rate for those two severities is 862 / 919 = 94%.

Findings fixed | 862 (94% of high and medium findings)
High, not fixed | 3
High, false positive | 1
Medium, not fixed | 29
Medium, false positives | 24

Page 34: Team Ruby Final Presentation Slides R7

Plan of Action & Milestones (Open)


Page 35: Team Ruby Final Presentation Slides R7

Plan of Action & Milestones (Closed)


Page 36: Team Ruby Final Presentation Slides R7

DRP/BCP: Disaster Recovery Plan / Business Continuity Plan

Page 37: Team Ruby Final Presentation Slides R7

Initial Findings

Physical Description of the Site

• Located at 25395 Hancock Ave. and zoned as Office Research Park (ORP) by the city of Murrieta
• The site is between two major freeways, approximately 1 mile east of the I-15 and 0.4 miles west of the I-215, and approximately 0.3 miles north of Murrieta Hot Springs Rd.
• Parcel Map (PM) 26610 and Assessor's Parcel Number (APN) 910-250-007
• Building construction is Type V-N (also known as V-B): a wood-framed building with no fire-resistance rating for the exterior walls
• An unarmed security guard is on site between 8:00 AM and 5:00 PM on weekdays, and the building has a general announcing system

Page 38: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Physical Description of the Site (cont.)

• The Soft Touch Dental office itself does not have an alarm system or enhanced locks
• The site is approximately 2.2 miles, or 6 minutes, south of the Murrieta City Police Department at 2 Town Center
• The chance of being a victim of a violent crime is 1 in 1,505 in Murrieta, compared with 1 in 252 for the state of California

Page 39: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Risk to the Physical Property

• Fire
  • Greatest risk overall
  • Building construction is Type V-B, which offers no fire protection for the external walls
  • The proprietor states that they have insurance
• Flood
  • The site is not in danger of flooding or related incidents
• Earthquake
  • Less than 10% chance of major structural damage
  • The building is located on a sandstone formation
  • No major active faults nearby

Page 40: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Office Description

• The office is located on the 2nd floor and totals less than 800 sq. ft.
• Contains two entry points
• Exam room, private office, rest rooms, employee break area, utility/wiring closet and X-ray area

Page 41: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Office Description (cont.)

• The door between the patient waiting area and the exam area is unsecured
• The utility/wiring closet is unlocked
• Water heater risk: the same closet holds the PBX switch, patch panel, UPS units, network switch and DSL router (photo labels)

Page 42: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Office Description (cont.)

• One of the ports is not mounted to the break-out box, which exposes the wiring to possible damage (photo: exposed wiring)

Page 43: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Office Description (cont.)

• There are no network connections in the private office space. The connection for the server and office workstation is run along the floor, out into the hallway and then into the X-ray area (photo labels: office server, office workstation, hallway, workstation and server cable, office exit)

Page 44: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Office Risks

• Networking and communications equipment is at risk from a water heater leak
• Poor wiring may be contributing to spotty network performance
• There are no protections in place on the network. It is recommended that the network be segmented and a firewall put in place.

Page 45: Team Ruby Final Presentation Slides R7

Initial Findings (cont.)

Administration

• The Mutual Aid and Assistance Memorandum of Understanding is only a verbal commitment
• No policies or procedures exist for any IT operations
• Staff performs a manual copy of the server's D: drive daily onto one of two 300 GB external hard drives

Administrative Risks

• The current backup process is inadequate: the drive copy is not capturing any of the Dentrix data
• The Mutual Aid and Assistance MOU needs to be formalized in writing
• Written policies and procedures for IT operations need to be developed

Page 46: Team Ruby Final Presentation Slides R7

Asset Inventory and Replacement

Current Inventory

• 7 desktop workstations with monitors
• 3 laptop workstations
• 2 MFC printers
• 1 server
• 1 24-port switch
• 2 5-port switches

Replacement List and Costs

• Costs do not reflect any taxes or shipping fees
• The list assumes that all telecommunication and internet connectivity are in place and functional

Page 47: Team Ruby Final Presentation Slides R7

Asset Inventory and Replacement (cont.)

Estimated cost to replace: $9,435.74

Item | Source | Quantity | Unit Cost | Total Cost
Desktop Workstation | Dell Corp | 7 | $679.00 | $4,753.00
Laptop Workstation | Dell Corp | 3 | $479.00 | $1,437.00
Server | Dell Corp | 1 | $1,914.44 | $1,914.44
MFC Printer | Canon | 2 | $148.98 | $297.96
24 Port Network Switch | Linksys | 1 | $177.99 | $177.99
Wireless Access Point | Amped Wireless | 1 | $71.99 | $71.99
5 Port Network Switch | Linksys | 2 | $39.97 | $79.94
KVM Switch | Office Depot | 1 | $73.49 | $73.49
Monitors | Walmart | 7 | $89.99 | $629.93
Total Estimated Costs | | | | $9,435.74

Page 48: Team Ruby Final Presentation Slides R7

DRP/BCP Development Approach

• Small office with limited resources
• Key personnel
  • The Owner
  • The Office Manager
• Mutual Aid and Assistance Memorandum of Understanding
  • Developed one based on an MOU between the California Emergency Management Agency and the California Dental Identification Team
• Critical data sources
  • Dentrix database
  • Critical office correspondence

Page 49: Team Ruby Final Presentation Slides R7

DRP/BCP Development Approach (cont.)

• Critical services
  • Access to an alternative site
  • Procurement and installation of replacement equipment
  • Restoration of Dentrix data and Dentrix operations
  • Restoration of critical office correspondence data
• Recovery process
  • For the loss of the office space, a 5-day plan is described in the Disaster Recovery Plan
  • The plan can be tailored down for loss of critical infrastructure only

Page 50: Team Ruby Final Presentation Slides R7

DRP/BCP Development Approach (cont.)

• Data backup and recovery plan
  • Continue to use the external hard disk drives
  • Run the Dentrix backup process from the Server Administration Utility, rather than relying on the raw drive copy that was missing the Dentrix data
  • Test encryption of the backup drives
  • No data restoration procedures have been written at this time
    • Dentrix restoration requires the removal of all database files
    • The office does not have a second server on which to rehearse a restore
    • Restoration procedures have been added to the POA&M
• Equipment restoration plan
  • Cost was a driving concern
  • Chose business-class hardware for the server and workstations
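The backup findings above (a raw copy of the D: drive that never captured the Dentrix data, and no tested restore procedure) come down to one question a practitioner should answer after every backup run: does the copy actually contain what a restore would need? The following is an added example, not the team's script and not Dentrix tooling. It hashes every file in a source tree, compares the result against the backup tree, and separately insists that named must-have directories are covered. The directory names and file contents are constructed for the demonstration; "DentrixData" is a stand-in, not the product's real data path.

```python
"""Backup verification: is the critical data actually in the copy? (added example)

verify_backup() returns the files missing from the backup, the files whose
content differs, and any required directory with nothing verified under it.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative file path (forward slashes) -> sha256 for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(source: Path, backup: Path, required_dirs: list) -> dict:
    src, dst = manifest(source), manifest(backup)
    missing = sorted(k for k in src if k not in dst)
    mismatched = sorted(k for k in src if k in dst and src[k] != dst[k])
    # A required directory is covered only if at least one of its files is in
    # the backup with a matching hash; an empty or skipped directory fails.
    uncovered = sorted(
        d for d in required_dirs
        if not any(
            k.startswith(d.rstrip("/") + "/") and k in dst and src[k] == dst[k]
            for k in src
        )
    )
    return {
        "verified": len(src) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "required_uncovered": uncovered,
        "ok": not (missing or mismatched or uncovered),
    }


def demo() -> dict:
    """Constructed scenario: the copy skipped the database directory, and one
    document changed after it was copied. Nothing here is real practice data."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "D")          # stands in for the server's D: drive
        dst = Path(tmp, "Backup")     # stands in for the external drive
        for base in (src, dst):
            (base / "Correspondence").mkdir(parents=True)
            (base / "Correspondence" / "letter.txt").write_text("referral letter")
        (src / "Correspondence" / "invoice.txt").write_text("v2")
        (dst / "Correspondence" / "invoice.txt").write_text("v1")
        (src / "DentrixData").mkdir()  # hypothetical name for the database directory
        (src / "DentrixData" / "patients.db").write_bytes(b"\x00\x01\x02")  # never copied
        return verify_backup(src, dst, ["DentrixData"])


if __name__ == "__main__":
    print(demo())
```

The check is deliberately independent of the copy tool: it reads what is on disk, so a job that reports success while silently skipping locked database files still shows up as "required_uncovered". It does not prove restorability (that still needs the restore rehearsal the POA&M calls for) and it says nothing about whether the drive is encrypted.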

Page 51: Team Ruby Final Presentation Slides R7

Security Plan Development

Page 52: Team Ruby Final Presentation Slides R7

Managing Enterprise Risk

Key activities in managing enterprise-level risk (risk resulting from the operation of an information system):

• Categorize the information system
• Select a set of minimum (baseline) security controls
• Refine the security control set based on risk assessment
• Document the security controls in the system security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine agency-level risk and risk acceptability
• Authorize information system operation
• Monitor the security controls on a continuous basis

Page 53: Team Ruby Final Presentation Slides R7

Publication Overview

• NIST Special Publication 800-18 (Security Planning)
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-60 Vol 1 & 2 (Security Category Mapping)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-53 Rev. 4 (Recommended Security Controls)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-66 Rev. 1 (Guide for Implementing HIPAA)
• ISO/IEC 27000 (Establishing an Information Security Management System (ISMS))
• ISO/IEC 27002 (Code of practice for information security controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)

Source: NIST SP 800-18 Pg 11

Page 54: Team Ruby Final Presentation Slides R7

Categorizing Information and Information Systems

(Source: FIPS 199 Table 1 Pg 6)

Purpose

• Enabled Soft Touch Dentistry to implement appropriate controls in a cost-effective manner, based on the potential impact to the defined security objectives.

Objectives

• CONFIDENTIALITY: the loss of confidentiality is the unauthorized disclosure of information (e.g. ePHI)
• INTEGRITY: the loss of integrity is the unauthorized modification or destruction of information (e.g. payment modifications)
• AVAILABILITY: the loss of availability is the disruption of access to, or use of, information or the information system (e.g. ransomware)

Impacts

• A categorization of LOW means a limited adverse effect on organizational operations, assets or individuals
• A categorization of MODERATE means a serious adverse effect
• A categorization of HIGH means a severe or catastrophic adverse effect

Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.

Page 55: Team Ruby Final Presentation Slides R7

Categorizing Information Types

Identification of Information Types: information is categorized according to its information type. An information type is a specific category of information (e.g. privacy, medical, proprietary, financial).

Soft Touch Dentistry critical information:

• Personally Identifiable Information (PII)
• Patient health information (ePHI)
• Patient credit card and insurance billing information

Source: NIST SP 800-60 Vol 1 Pg 16

Page 56: Team Ruby Final Presentation Slides R7

Categorizing Information Types

D.14.4 Health Care Delivery Services Information Type: supports the delivery of health care, the planning of health services and the managing of clinical information and documentation. The recommended provisional security categorization for health care delivery services information is as follows:

Security Category = {(confidentiality, Low), (integrity, High), (availability, Low)}

Confidentiality: the confidentiality impact level is the effect of unauthorized disclosure of health care delivery services information on the ability of responsible agencies to provide and support the delivery of health care to their beneficiaries. Unauthorized disclosure will generally have only a limited adverse effect on agency operations, assets, or individuals.

Special Factors Affecting Confidentiality Impact Determination: in some cases, unauthorized disclosure of this information, such as privacy-protected medical records, can have serious consequences for agency operations. In such cases, the confidentiality impact level may be moderate.

Source: NIST SP 800-60 Vol 2 Pg 171

Page 57: Team Ruby Final Presentation Slides R7

System Categorization

Provisional Impact Levels (Source: NIST SP 800-60 Vol 2 Pg 172)

• Recommended Integrity Impact Level: because of the potential for the loss of human life, the provisional integrity impact level recommended for health care delivery services information is high.

Review and Adjust Impact Levels (NIST SP 800-60 Vol 1 Pg 23)

• Organizations should: (i) review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing; (ii) adjust the security objective impact levels as necessary using the special factors guidance found in Volume II, Appendices C and D; and (iii) document all adjustments to the impact levels and provide the rationale or justification for the adjustments.

Final information system categorization was evaluated as Moderate. Under FIPS 199 the system category is the high-water mark of the three objectives, so a Moderate result means the provisional High for integrity was adjusted downward during review, and step (iii) above requires that adjustment and its rationale to be recorded in the security plan.
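The three slides above describe a procedure: take provisional (confidentiality, integrity, availability) triples per information type from SP 800-60 Volume II, adjust the levels the organization can justify and record the rationale, then roll them up to a system category as the high-water mark across all types for each objective. The following added example (not the team's worksheet) carries that through for the three information types the deck lists. The health care delivery triple is the one quoted from D.14.4; the provisional values for PII and payment data, and both adjustments with their rationales, are constructed assumptions for illustration, not the team's documented decisions.

```python
"""FIPS 199 / SP 800-60 system categorization with an adjustment audit trail (added example)."""
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("C", "I", "A")


def _high_water(a: str, b: str) -> str:
    return LEVELS[max(LEVELS.index(a), LEVELS.index(b))]


def categorize(info_types: dict, adjustments: list) -> dict:
    """info_types: name -> {"C": level, "I": level, "A": level} (provisional levels).
    adjustments: (name, objective, new_level, rationale) tuples applied in order.
    Returns adjusted per-type levels, per-objective system levels, the overall
    category and a trail of every adjustment made (what step (iii) asks for)."""
    adjusted = {name: dict(levels) for name, levels in info_types.items()}
    trail = []
    for name, obj, new, why in adjustments:
        if obj not in OBJECTIVES or new not in LEVELS:
            raise ValueError(f"bad adjustment {name}/{obj}/{new}")
        old = adjusted[name][obj]
        adjusted[name][obj] = new
        trail.append(f"{name}: {obj} {old} -> {new} ({why})")
    # System level per objective is the high-water mark over all information types.
    system = {obj: "LOW" for obj in OBJECTIVES}
    for levels in adjusted.values():
        for obj in OBJECTIVES:
            system[obj] = _high_water(system[obj], levels[obj])
    overall = "LOW"
    for level in system.values():
        overall = _high_water(overall, level)
    return {"types": adjusted, "system": system, "overall": overall, "trail": trail}


def dental_practice() -> dict:
    info_types = {
        # SP 800-60 Vol II D.14.4 provisional triple, as quoted on the slide.
        "health care delivery (ePHI)": {"C": "LOW", "I": "HIGH", "A": "LOW"},
        # Constructed provisional values for the other two types on the slide.
        "personally identifiable information": {"C": "MODERATE", "I": "MODERATE", "A": "LOW"},
        "payment card / insurance billing": {"C": "MODERATE", "I": "MODERATE", "A": "LOW"},
    }
    adjustments = [
        ("health care delivery (ePHI)", "C", "MODERATE",
         "D.14.4 special factor: privacy-protected medical records"),
        ("health care delivery (ePHI)", "I", "MODERATE",
         "assumed rationale: small dental office, records do not drive life-critical care"),
    ]
    return categorize(info_types, adjustments)


if __name__ == "__main__":
    result = dental_practice()
    print("system:", result["system"], "overall:", result["overall"])
    for line in result["trail"]:
        print("  ", line)
```

Without the second adjustment the roll-up stays HIGH, which is the point of keeping the trail: anyone reviewing the plan can see exactly which provisional level was lowered, and on what grounds, to arrive at Moderate.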

Page 58: Team Ruby Final Presentation Slides R7

NIST Security Control Selection

FIPS 200 provides the minimum security requirements covering seventeen (17) security-related areas
• States that the selected set of controls must include at least one baseline
• Must include all controls in the baseline unless exceptions are based on tailoring

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• 18 control families: seventeen for an information system and one focused on organization-wide requirements (Program Management)
• Provides a tailored set of baseline security controls based on the overall system categorization
• 159 controls for an information system categorized at the Moderate impact level

Tailoring controls
• Provides a cost-effective, risk-based security approach that supports organizational mission/business needs
• Identify common security controls
• Apply scoping considerations
• Select compensating controls
• Supplement with control enhancements
• Document the tailoring decisions

Page 59: Team Ruby Final Presentation Slides R7

ISO 27002 Security Control Selection

ISO/IEC 27002, Security Techniques: Code of Practice for Information Security Controls
• International standard intended as guidance for organizations implementing commonly accepted information security controls
• States that security controls from any or all clauses could be important, so each organization applying the standard should identify the applicable controls based on how important they are to its specific application
• Contains the actual "best practice" details of what goes into building a comprehensive IT security program
• The selection of controls depends on organizational decisions based on the organization's risk acceptance
• May be regarded as a starting point for developing organization-specific guidelines

Structure
• 14 security clauses (Policies, Human Resource Security, Access Control, etc.)
• 35 security control categories (e.g. Policies for Information Security, Review of Policies), each with an objective
• 114 controls, each with implementation guidance and other information

Page 60: Team Ruby Final Presentation Slides R7

Mitigating Findings with Selected Controls

Page 61: Team Ruby Final Presentation Slides R7

Implementing Controls

• Developed policies
• Patched software
• Developed training
• Implemented access controls
  • Unique user accounts
  • Strong passwords
  • Group Policy Objects
• Changed default passwords
• Made recommendations in the POA&M

Page 62: Team Ruby Final Presentation Slides R7

Cost Avoidance

Page 63: Team Ruby Final Presentation Slides R7

Proposed Cost of the Project

Page 64: Team Ruby Final Presentation Slides R7

HIPAA Fine Breakdown

• Covered entity was not aware of the violation: $100 per violation, not to exceed $25,000 (annual cap)
• Violation occurred due to "reasonable cause": $1,000 per violation, not to exceed $100,000 (annual cap)
• Due to willful neglect, corrected: $10,000 per violation, not to exceed $250,000 (annual cap)
• Due to willful neglect, violation not corrected: $50,000 per violation, not to exceed $1,500,000 (annual cap)

Page 65: Team Ruby Final Presentation Slides R7

Cost Avoidance

$150,000

Page 66: Team Ruby Final Presentation Slides R7

Lessons Learned & Conclusion

Page 67: Team Ruby Final Presentation Slides R7

Lessons Learned

• Project management is the key to completing these assessments. Learning project management while doing the project produced lessons that came too late to apply.
• Small businesses are challenged to maintain compliance with federal regulations.
• Understanding the current environment (personnel, equipment, etc.) is important before finalizing the project scope and statement of work.
• Creating a work breakdown structure eliminates confusion over task assignments.

Page 68: Team Ruby Final Presentation Slides R7

Conclusion

• Project Overview
• Project Schedule
• HIPAA
• HIPAA Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance

Project Value

• Provided a no-cost vulnerability and HIPAA assessment that resulted in the implementation of controls that significantly hardened the Soft Touch Dentistry information system against attack. Policies and training were also developed that position the organization to take control of its cybersecurity posture in the future.

Page 69: Team Ruby Final Presentation Slides R7

Questions?