Cryptography Final

Marina Baker, Raghdah Alsaad, Darryl Crowe

Placebo Inc Security Enhancements

CSOL-510

April 18th, 2022

Professor Danny Barnes, D.Sc.


Table of Contents

Executive Summary
Security Goals
Regulations and Compliances
Security Compliances Overview
Cyber Security Risks, Threats, and Vulnerabilities
Cryptographic Standards
Cryptographic Controls
Cryptographic Areas of Implementation
Cost and ROI
Summary
Appendix A: Network Diagram with Control Type
Appendix B: Glossary of Terms
References


Executive Summary

Leaked information is a major concern for Placebo Inc. Under HIPAA, civil penalties can reach $50,000 per violation, and a breach almost never exposes a single record; it usually exposes thousands or more. A single incident can therefore cost the company an extreme amount of money. Security controls and mechanisms must be implemented to protect protected health information (PHI) and company assets while following state and federal laws, regulations, and compliance obligations. Beyond ordinary network security, cryptographic controls need to be designed and implemented to secure data at rest and data in transit. These controls help keep users safe, protect the organization's assets, and, most importantly, keep clients safe and secure.

Analysis of risks, threats, and vulnerabilities is the first stage of designing the security controls Placebo Inc needs. It lets costs be factored in so that the design and implementation fit the budget. The industry standards used in this security plan are validated against NIST guidance, which describes best practices for keeping the organization safe from known threat actors.

This security plan is meant to position the company for long-term success in serving health insurance clients. Without the proper controls and security in place, the company could lose everything, including its clients, who trust Placebo Inc to do right by them and to secure their personal information.


Security Goals

Many security controls go into the security ecosystem, from networks to endpoints and beyond. Cryptography is one of the least discussed of these mechanisms, yet it is essential to the success of that ecosystem. A layered cryptographic design lets data be protected in different ways depending on whether it is in transit or at rest. AES-256 secures data at rest, while TLS 1.2 (configured with forward-secret ECDHE key exchange and AEAD cipher suites, and TLS 1.3 where both ends support it) secures data in transit. An RSA SecurID token gives each user a second factor, a six-digit one-time code that changes every minute, to prove who they are to the system. This multifactor authentication protects both the user and the company if a password is compromised by a threat agent. Figure 1 below is a sample of the types of controls the organization needs; each security control has further controls attached to it in the form of cryptography.

The security goal is to layer the company with cryptographic controls so that every aspect of the organization is secured, from internal and external employees to the clients who log into the web portal to view their health insurance information. Each of these controls contributes to the long-term security and health of the ecosystem.
Figure 1. Sample security controls (figure not reproduced in this text)

Regulations and Compliances

I. Scope

Health insurance compliance, laws, and regulators have been in constant change and will continue to change. Understanding how these laws, compliance requirements, and regulations developed over time helps explain why they change and how they will continue to change. Each breach of a company that no one expected to be breached is another milestone that shapes the future of these rules.

II. State Laws

State laws focus on patient safety and the protection of privacy, confidentiality, and physical safeguards. California's Confidentiality of Medical Information Act (CMIA) governs the disclosure of medical information. It aligns with HIPAA in requiring that patient information be kept secure as data is shared, increasingly as big data, within the healthcare industry. Every healthcare entity, including a health insurer such as Placebo Inc, is responsible for safeguarding the confidentiality of that data against unauthorized access. State law also mirrors the federal False Claims Act (FCA), which imposes liability on anyone who knowingly submits a false or fraudulent claim for payment to the government. Another major law currently in place is the Anti-Kickback Statute (AKS), which makes it a crime to knowingly offer or pay remuneration, such as money or gift cards, to induce referrals for services reimbursed by federal healthcare programs.

III. Regulations

Growing threats in the cyber domain have driven changes in laws, regulations, and compliance requirements. Understanding past events helps ensure that changes are made to keep client data secure. After the major compromises of SolarWinds, SonicWall, and Microsoft, the need to change policies and laws is only at the beginning of a new era. Minimizing risk is of the highest importance for Placebo Inc, which follows the NIST framework to help protect data in transit and at rest. The NIST framework is not itself a regulation; it is a voluntary set of standards and best practices that Placebo Inc is implementing so that it can meet HIPAA, IPA, and CMIA requirements and state law.

With data becoming big data and moving to the cloud, protecting paper records alone is no longer enough. The NIST framework is used to protect against cyberattacks that could expose proprietary information about clients and staff alike. The Medical Device Cybersecurity Act of 2017 (S.1656, a bill introduced in the 115th Congress that was not enacted) addresses medical devices, defined as anything with a network connection such as Bluetooth, internet, or Wi-Fi, and would require that they can be updated securely without changing how the device calculates diagnostics. The bill also covers retiring devices that reach end of life within 90 days and prohibits alteration of medical devices.

IV. Compliances

Placebo Inc has mandatory compliance obligations as a participant in the healthcare field. Making sure that laws and regulations are followed is part of compliance. Internal and external audits are needed to confirm that all regulations and laws are followed per HIPAA, IPA, and CMIA policies. Written policies and procedures must fit Placebo Inc's goals and its obligations to clients. Security training and education is also part of the compliance obligations that staff must meet. Understanding the importance of data security and of the privacy laws that protect client information is of the utmost importance to Placebo Inc.

V. Privacy Policies and Acts

Placebo Inc's privacy policy defines how privacy is protected for everyone who uses Placebo Inc services. Protecting user information and data is central to the security of Placebo Inc customers and employees alike. Each privacy domain is configured under controls governed by policies specific to the applicable laws and regulations, and each is maintained within the security domain so that audits can be upheld. Under the security domain, the PHI domain, the regulated information domain, and the corporate domain can each be maintained and monitored.

Acts

There are multiple privacy acts, both state and federal, that Placebo Inc must follow. No company may operate outside these mandates; it may only adopt policies that are stronger and stricter than what state and federal regulation requires.

Electronic Communications Privacy Act of 1986 (ECPA): Protects electronic communications in transit and while stored within an information system.

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: Federal rule that addresses the use and disclosure of individuals' health information (protected health information) by entities subject to the Privacy Rule (CDC, 2021).

California Confidentiality of Medical Information Act (CMIA): California law that protects an individual's medical information, in electronic or paper form, from unauthorized disclosure (PRC, 2021).

Privacy domains

Domain: PHI
Policy: HIPAA
Description: PHI is identifiable health information, including but not limited to name, address, birth date, and Social Security number. HIPAA requires access control (implemented here as role-based access control, RBAC) to define who can access the data, together with encryption of the data at rest and in transit. PHI is to be transmitted only within its own domain.

Domain: Regulated Information
Policy: ECPA, CMIA, HIPAA
Description: Regulated information is information whose handling is mandated by state and federal law. Ensuring that Placebo Inc follows these regulations helps ensure that every record stored in the information system is always protected.

Domain: Corporate Domain
Policy: HIPAA, ECPA, CMIA
Description: Corporate information is just as important to protect as client data. Financial information must be kept encrypted at all times, which helps protect the company's shareholders. Employee records must be kept safe under the proper RBAC policies.

Cyber Security Risks, Threats, and Vulnerabilities

Threats come in many shapes and forms. Social engineering attacks are often performed against users to obtain their credentials to a system. A more advanced style of attack, and one aimed specifically at cryptography, is the man-in-the-middle (MitM) attack, in which the threat agent inserts themselves into the transmission of a message, for example between an employee and a client. Burp Suite is a tool that can be used as an intercepting proxy to capture and alter such messages. Combined with social engineering, the same approach can trick users into handing the threat agent an employee's credentials through a phishing website that looks like the real thing. Table 1 is a risk assessment matrix of the types of attacks that can occur against the ecosystem.

Table 1. Risk Assessment Matrix

Action item          Likelihood & Severity scores
APT                  3  2  1  1
End user             5  5  4  4
Denial of Service    3  3  1  1
Phishing             5  4  3  3
Malware Attacks      3  3  2  2
MitM                 5  5  5  5
Password Attacks     4  2  1  1

Color key: Red = Extreme, Orange = Major, Yellow = Moderate, Green = Negligible (colors not reproduced in this text)
Likelihood is scored on a 1 to 5 scale, 5 being certain.

Each color corresponds to a risk, vulnerability, or threat to the organization. End users fall in the red as threats: they can give up their credentials to a threat agent, never change their password, or use passwords that do not meet complexity standards. Phishing and MitM attacks are threats to the organization because phishing steals credentials, while MitM captures the full message, which the attacker can then alter, or use to brute-force a password to a site. Vulnerabilities in the system arise when its controls are not kept up to date; changes need to be made regularly as technology changes to keep a vulnerability from turning into a risk or a threat to the system.

Cryptographic Standards

RSA is a strong public-key algorithm approved by NIST. RSA is used because it is asymmetric, whereas AES is symmetric: the RSA public key used to encrypt a message is different from the private key used to decrypt it, while AES uses the same key to encrypt and decrypt. NIST approves RSA, with sufficiently large keys, for the highest-security uses (NIST, 2007). Note that RSA is an algorithm rather than a cipher suite; in TLS it appears as one component (authentication or key transport) of a suite.

NIST SP 800-177 and SP 800-45 accept OpenPGP within their guidelines if a few conditions are met. One is a defined cryptoperiod: the keys in this plan are rotated twice a year, which is a Placebo Inc policy choice within the one- to two-year cryptoperiods NIST SP 800-57 recommends for most asymmetric keys, and it is the kind of key-rotation evidence a PCI DSS audit looks for where Placebo Inc handles payment card data. Other parameters NIST requires are key size and domain security, along with further controls depending on where the encryption takes place. For email, for example, domain security, DKIM, and DNS security need to be in place alongside strong encryption (NIST, 2015). Additional controls, together with key server security, help create a strong security system around OpenPGP (Compliance365, 2020). OpenPGP by itself is not enough to secure email; these controls are needed to use cryptography securely within an organization's environment.
Cryptographic Controls

Cryptographic controls support the security ecosystem through algorithms and encryption: essentially, taking plaintext and encrypting it so that it cannot be read unless it is decrypted first. NIST SP 800-175 provides guidance on the proper cryptographic controls for an organization, and FIPS (FIPS 140 for validated modules, FIPS 197 for AES, FIPS 186 for RSA and ECDSA signatures) is the compliance baseline for cryptography alongside the other controls in the ecosystem. Figure 1 shows compliance against the CIA triad per FIPS standards.

Key sizes should follow NIST SP 800-57: RSA keys of at least 2048 bits (3072 bits for 128-bit security), ECDSA on the P-256 curve (a 256-bit curve giving roughly 128-bit security), and 256-bit keys for AES. A 256-bit RSA key would be trivially factorable; the 256-bit figure applies only to symmetric keys and elliptic-curve sizes. RSA with long keys provides high security and makes attacks on the control harder. ECDSA, a signature algorithm rather than an encryption algorithm, can be used to sign information that is important but holds no PHI; its keys and signatures are short, take little space on the system, and are very fast. This lets the system use different algorithms for different tasks, with the type of information determining the cryptography used. AES-256 encrypts data at rest, TLS 1.2 protects web traffic, and RSA protects PHI sent to clients in a hybrid scheme: RSA-OAEP wraps a fresh AES key, and that AES key encrypts the content itself, since RSA alone can only encrypt a message smaller than its modulus.
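As an added example (not part of the original report), the hybrid construction just described, in Go using only the standard library: a per-record AES-256-GCM key wrapped with RSA-OAEP under the client's 2048-bit public key. The sample PHI record, the associated-data string and the OAEP label are constructed for this example and are not Placebo Inc values; DirectRSA shows the size limit that rules out encrypting the record with RSA alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this use; both sides must use the same
// value. The label is an assumption of this example, not a Placebo Inc value.
var oaepLabel = []byte("placebo-phi-envelope-v1")

// Envelope is what the portal would send to a client: the AES-256 key wrapped
// under the client's RSA public key, plus the GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) encryption of the 32-byte AES key
	Nonce      []byte // 12-byte GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM output with the 16-byte auth tag appended
}

// SealPHI encrypts one PHI record for the holder of pub. A fresh AES-256 key is
// drawn per record, so the RSA key wraps only 32 bytes, and GCM authenticates
// both the record and aad (for example the claim ID it belongs to).
func SealPHI(pub *rsa.PublicKey, record, aad []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, record, aad),
	}, nil
}

// OpenPHI reverses SealPHI. Any change to the wrapped key, nonce, ciphertext
// or aad makes GCM's tag check fail and returns an error instead of plaintext.
func OpenPHI(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// DirectRSA tries to encrypt msg with RSA-OAEP alone. With a 2048-bit modulus
// and SHA-256 the payload is capped at 256 - 2*32 - 2 = 190 bytes, which is
// why the record itself is never encrypted with RSA directly.
func DirectRSA(pub *rsa.PublicKey, msg []byte) error {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, oaepLabel)
	return err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a client key pair and a small PHI record.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	record := []byte(`{"member_id":"M-0001","dob":"1980-01-02","diagnosis":"J45.20"}`)
	env, err := SealPHI(&priv.PublicKey, record, []byte("claim-7781"))
	if err != nil {
		panic(err)
	}
	plain, err := OpenPHI(priv, env, []byte("claim-7781"))
	fmt.Printf("decrypted: %s (err=%v)\n", plain, err)
	_, err = OpenPHI(priv, env, []byte("claim-9999"))
	fmt.Println("wrong aad rejected:", err != nil)
	fmt.Println("1 KiB record under RSA alone:", DirectRSA(&priv.PublicKey, make([]byte, 1024)))
}
```

The nonce must never repeat under the same AES key; generating a fresh key per record makes that automatic. In production the client's public key would come from an enrolled certificate, and the envelope would additionally be signed so the client can tell a genuine portal message from one a man-in-the-middle constructed with the same public key.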

Cryptographic Areas of Implementation

The network diagram in Appendix A shows the key areas in which cryptographic security controls come into play. Starting with external employees, the VPN is secured with an RSA token used for MFA. This is an additional layer of security if credentials are stolen or otherwise obtained by a threat agent: without the MFA code, the threat agent would have to get lucky or find another way around it.

Figure: RSA token as second login for remote users.
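The six-digit second factor from the Security Goals section and the VPN login above, in code, as an added example that is not from the report or from RSA: SecurID's own token algorithm is proprietary, so this uses RFC 6238 TOTP, which produces the same kind of time-based six-digit code, in Go with only the standard library. The 20-byte seed is the RFC 6238 test seed; the 30-second step, the one-step clock-skew window and the replay guard are this example's choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the token's time step. SecurID hardware tokens roll every 60 s;
// RFC 6238 defaults to 30 s, which is what this example uses.
const Step = 30 * time.Second

// HOTP computes the RFC 4226 code for a counter: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then the low `digits`
// decimal digits, zero-padded.
func HOTP(seed []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, seed)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter taken from the clock: floor(unix / Step).
func TOTP(seed []byte, at time.Time, digits int) string {
	return HOTP(seed, uint64(at.Unix())/uint64(Step/time.Second), digits)
}

// Verifier is the server side of the token check. It tolerates one step of
// clock skew either way and, as RFC 6238 requires, never accepts a code for a
// time step at or before the last one it accepted. That defeats replay of a
// code captured by a phishing page or a man-in-the-middle.
type Verifier struct {
	seed     []byte
	digits   int
	lastStep int64 // -1 until the first successful check
}

func NewVerifier(seed []byte, digits int) *Verifier {
	return &Verifier{seed: seed, digits: digits, lastStep: -1}
}

// Accept reports whether code is valid at time now and, if so, records the
// step it matched so the same code cannot be presented again.
func (v *Verifier) Accept(code string, now time.Time) bool {
	current := now.Unix() / int64(Step/time.Second)
	for skew := int64(-1); skew <= 1; skew++ {
		step := current + skew
		if step < 0 || step <= v.lastStep {
			continue
		}
		want := HOTP(v.seed, uint64(step), v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed, not a real token
	v := NewVerifier(seed, 6)
	t0 := time.Unix(59, 0).UTC()
	code := TOTP(seed, t0, 6)
	fmt.Println("code at t=59:", code)
	fmt.Println("first use accepted:", v.Accept(code, t0))
	fmt.Println("replay accepted:", v.Accept(code, t0.Add(10*time.Second)))
	next := TOTP(seed, t0.Add(Step), 6)
	fmt.Println("next step accepted:", v.Accept(next, t0.Add(Step)))
}
```

The seed is the long-term secret; it belongs in an HSM or the authentication server's protected store, never in the web tier, and a leaked seed is equivalent to a cloned token. The constant-time compare matters because the check runs on a server an attacker can time.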

Standard IPS/IDS protection on the firewalls, with DNS filtering, provides a network layer of security at both the outer and inner firewalls. The web servers need a multilayer cryptographic control: TLS 1.2 for data in transit and AES-256 for data at rest. All data that holds PHI or important company information must be encrypted at all times.

User and provider data must follow the same cryptographic guidelines as the web servers: TLS 1.2 in transit and AES-256 at rest. It is best practice to encrypt data in transit with TLS 1.2 and data at rest with AES-256 at every point in the network. The corporate LAN should be set up as a zero-trust environment; the only trusted zones would be for local peripherals such as printers. Data sharing should go through the server, where it can be monitored and centralized.
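As an added example, not from the report, a Go configuration check for the "TLS 1.2 at every point" rule: a hardened server configuration beside a deliberately weak one, and an audit function that flags a minimum version below 1.2, suites without ECDHE (no forward secrecy) and suites without an AEAD cipher. Both configurations are constructed for this example; the audit uses only the standard library's crypto/tls.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// HardenedTLSConfig is what the web servers, the VPN concentrator and the
// server-to-server links in Appendix A should use: TLS 1.2 as the floor
// (TLS 1.3 negotiates automatically and ignores CipherSuites, since all of
// its suites are forward-secret AEAD), and for TLS 1.2 only ECDHE key
// exchange with AES-GCM or ChaCha20-Poly1305.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// LegacyTLSConfig is a deliberately weak configuration of the kind found on
// an unmaintained appliance: TLS 1.0 allowed, static RSA key exchange (no
// forward secrecy, so a stolen server key decrypts recorded traffic) and
// CBC / 3DES ciphers.
func LegacyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// AuditTLSConfig returns one finding per policy violation in cfg. An empty
// result means the config meets the "TLS 1.2, forward secrecy, AEAD" rule.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not set: floor depends on the Go version's default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites not pinned: library default in use")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		var reasons []string
		if !strings.Contains(name, "ECDHE") {
			reasons = append(reasons, "no forward secrecy")
		}
		if !strings.Contains(name, "GCM") && !strings.Contains(name, "CHACHA20") {
			reasons = append(reasons, "not AEAD")
		}
		if len(reasons) > 0 {
			findings = append(findings, name+": "+strings.Join(reasons, ", "))
		}
	}
	return findings
}

func main() {
	for _, c := range []struct {
		label string
		cfg   *tls.Config
	}{{"hardened", HardenedTLSConfig()}, {"legacy", LegacyTLSConfig()}} {
		findings := AuditTLSConfig(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The same three checks (version floor, ECDHE, AEAD) are what an external scan of the web servers would report, so running the audit against the config at deploy time catches the regression before a scanner or an attacker does.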

Cost and ROI

Everything has a cost. Although the pricing presented here looks high up front, the return outweighs the cost. If PHI were stolen, the company could face penalties of up to $50,000 per violation. The overall cost of this project, including employee training, is significantly less.

With the plan of action to secure Placebo Inc implemented in less than a year, the investment would pay for itself. Given the fines associated with data breaches, protecting the information is worth more than the initial cost to implement.

Summary

Even though the price of better securing the Placebo Inc ecosystem may seem high, the money saved by avoiding a data breach will outweigh the cost. It is important to remember that a single PHI violation can carry a fine of up to $50,000. Many security controls and mechanisms need to be implemented within the ecosystem, but cryptographic controls in particular make sure that data is secure at rest and in transit. Taking these precautions now will better position Placebo Inc financially, ethically, and morally to serve its clients and build a lifelong commitment to a successful and profitable organization.
Appendix A. Network Diagram with Control Type

Components

#1 Customers: RSA token for MFA, TLS 1.2 for data in transit
#2 Providers: RSA token for MFA, conditional access via IP scheme, TLS 1.2 for data in transit
#3 Remote Workers: VPN with RSA token for MFA, TLS 1.2 for data in transit
#4 Off-Site Backup: AES-256 at rest, TLS 1.2 in transit
#5 Outer Firewall: IPS, IDS, DNS filtering
#6 Web Servers: AES-256, TLS 1.2, RSA token
#7 VPN: RSA token
#8 Inner Firewall: IPS, IDS, DNS filtering
#9 User and Provider Data: AES-256
#10 Corporate LAN: Zero-trust (trusted zones only for local peripherals such as printers)
#11 Wireless Access Point: WPA2 (enterprise mode with 802.1X authentication preferred over a shared passphrase)
#12 Corporate Data: AES-256

Interfaces

#13 Customers to Outer Firewall: IPS, IDS, DNS filtering
#14 Providers to Outer Firewall: IPS, IDS, DNS filtering
#15 Remote Workers to VPN: RSA token
#16 Outer Firewall to Web Servers: IPS, IDS, DNS filtering
#17 Web Servers to Inner Firewall: IPS, IDS, DNS filtering, TLS 1.2
#18 VPN to Inner Firewall: RSA token, IPS, IDS, DNS filtering
#19 Inner Firewall to Corporate LAN: IPS, IDS, DNS filtering, TLS 1.2
#20 Inner Firewall to User and Provider Data: IPS, IDS, DNS filtering, TLS 1.2
#21 Corporate LAN to User and Provider Data: Zero-trust, TLS 1.2, AES-256
#22 Wireless Access Point to Corporate LAN: WPA2
#23 Corporate LAN to Corporate Data: Zero-trust, TLS 1.2

Appendix B. Glossary of Terms

RSA - RSA is public-key encryption technology developed by RSA Data Security, Inc., which was founded in 1982 to commercialize the technology; the name comes from its inventors Rivest, Shamir, and Adleman.

Zero Trust - Zero trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.

AES-256 - AES stands for Advanced Encryption Standard, the symmetric cipher used worldwide to encrypt data. 256 refers to the key size in bits; the larger the key, the more possible keys there are.

ECDSA - ECDSA is a digital signature algorithm that uses elliptic-curve cryptography (ECC) to create the key pairs used in signing and verifying digital signatures. Because of the advantages of ECC over other public-key algorithms (shorter keys and faster operations at the same security level), it is commonly used in blockchain applications to sign transactions or events.

TLS 1.2 - TLS 1.2 is more secure than the earlier protocols SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, all of which are now deprecated; TLS 1.3 (2018) is its successor. Essentially, TLS 1.2 keeps data transferred across the network more secure.

Cryptography - Cryptography is the study of secure communication techniques that allow only the sender and intended recipient of a message to view its contents.

NIST - NIST's goal is to help businesses and organizations secure information that is sensitive but not classified. The benefits of implementing the best practices NIST recommends include protecting critical infrastructure and information from both insider threats and ordinary human negligence.

MFA - An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors.


References

PRC. (2021). Health and Medical Privacy Laws. https://privacyrights.org/consumer-guides/health-and-medical-privacy-laws-california-medical-privacy-series

BJA. (2021). Electronic Communications Privacy Act of 1986. https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285

CDC. (2021). HIPAA Privacy Rule. https://www.cdc.gov/phlp/publications/topic/hipaa.html#:~:text=The%20Health%20Insurance%20Portability%20and,the%20patient's%20consent%20or%20knowledge.

Varonis. (2021). Data Privacy Guide: Definitions, Explanations and Legislation. https://www.varonis.com/blog/data-privacy/

AAPC. (2021). Healthcare Compliance. https://www.aapc.com/healthcare-compliance/healthcare-compliance.aspx

Congress. (2021). S.1656 - Medical Device Cybersecurity Act of 2017. https://www.congress.gov/bill/115th-congress/senate-bill/1656/text?format=txt

CA.gov. (2021). Federal and State Health Laws. https://www.chhs.ca.gov/ohii/health-laws/

NVD NIST. (2021). NIST Special Publication 800-53 (Rev. 4) Impact Controls. https://nvd.nist.gov/800-53/Rev4/impact/MODERATE

National Institute of Standards and Technology. (2004, February 1). Standards for Security Categorization of Federal Information and Information Systems (FIPS 199). https://csrc.nist.gov/publications/detail/fips/199/final

National Institute of Standards and Technology. (2016). Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms (SP 800-175B). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175Br1.pdf
