Danni Lewis
Feena Phakasoum
Nicholas Wicker
Business Sensitive
Table of Contents
Executive Summary 2
Discussion 3
Network Assumptions 8
Other Factors 9
Cryptographic Algorithms 10
References 16
Glossary 18
Business Sensitive
Placebo Inc.
2
Business Sensitive
Executive Summary
Our goal for this project is to recommend cryptographic controls to protect the IT
resources of our health insurance company, Placebo, Inc. As the foundation of modern security
identifiable information (PII), and other confidential data, authenticate identity, prevent
document tampering, and establish trust between servers. Data is vital information in the form of
customer PII, employee PII, intellectual property, business plans, and any other confidential
of sensitive data relies on cryptographic solutions (Gruhn & Probst, 2021). We will discuss
healthcare regulations, security controls in place, chief risks, our current network infrastructure,
Discussion
The healthcare industry, which provides services to patients and maintains the well-being of
our customers, is vital to human life. As technology advances, cyber attacks have become a known
threat within the healthcare industry, one that can interrupt our ability to provide services to our
clients. Our goal at Placebo Inc. is to provide exceptional services to our customers while
maintaining the highest level of protection of information from unauthorized access, use, and
disclosure. A basic rule we follow is the CIA triad: confidentiality, integrity, and availability of all
assets and data that
The first regulation we follow is the Health Insurance Portability and Accountability Act
● The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, sets forth
permitted and required uses and disclosures of protected health information. The
protected health information may exist in any form, including in paper, film, and
● The HIPAA Security Rule, 45 CFR Part 160 and Part 164, Subparts A and C, sets forth
Healthcare. HIMSS).
The next requirement we abide by concerns Protected Health Information (PHI). Tunggal (2021)
states, “For cybercriminals, PHI is valuable personally identifiable information (PII) that can be
used for identity theft, sold on the dark web, or held hostage through ransomware.” Examples of
PHI in the healthcare industry include personal names, social security and medical record
HIPAA and PHI compliance standards follow a reasonable approach to administering the
technical and physical information of patients. Per Health Information Privacy (2013), below are
For Placebo Inc., our Information Technology team enforces antivirus, two-factor
authentication (2FA), and device encryption for all our assets connected to the network. We also
provide annual security training to all our employees so they remain educated on current threats and
continuous monitoring and patch our systems weekly, we utilize defense-in-depth to
avoid a single point of failure. If one of our controls fails, another security control is in
place to continue defending our infrastructure. For each component listed, we identify the
security control in place for that specific component. These components are highlighted in
healthcare sector has been attacked numerous times, resulting in organizations facing
downtime and millions of dollars in losses. The chief cyber security threats to our organization
are ransomware, phishing, insider threats, data breaches, and distributed denial of service
(DDoS).
The environment in which healthcare professionals work is full of cyber security
risks. Threats come from both internal and external sources. This makes it very challenging to
1. Large Attack Surface: No longer the domain of those whose skills, interests, or habits
healthcare professionals working for different organizations and interacting using vastly
2. Data Breaches and Loss of Patient Data: Insiders have elevated access and the know-how
to obtain our most important information – our customer data. However, it is more often
the simple carelessness of well-intentioned workers who leave laptops logged in but
unguarded, fail to lock a file cabinet when no one is around, email a spreadsheet with PHI
3. Phishing: Attacks aimed at compromising sensitive information such as HIPAA-protected data
by falsifying messages that appear to come from a reliable source. Statistics
show that 98% of attackers use social engineering tactics, with 96% of those attacks using
5. Ransomware: Falling for a ransomware trap can cost our organization a great deal of time and
money. If ransomware were to infect our network, critical operations and processes would
Network Assumptions
Within our internal network, we assume that everyone with access is a trusted user
(employee, contractor, or approved guest) who accesses the network only when conducting work-
related activities and functions. We also assume that the vetted third parties who access our
network externally do so from protected and secure endpoints via VPN and never share their
credentials. Access is monitored regularly by DLP controls and quarterly permissions audits.
In addition to these security controls, we assume that users adhere to our standards, policies,
and procedures. Our data is encrypted at rest, in transit, and when stored within the network.
When any of these assumptions proves false, specific administrative and technical measures
will take effect immediately to
Other Factors
According to a report by Censinet and the Ponemon Institute, the yearly hidden costs of
managing vendor risk are $3.8 million per healthcare provider, far surpassing the $2.9 million that
each data breach costs providers; across the healthcare industry the cost is $23.7 billion per year.
The inability to adequately assess and understand the risks that vendors pose is becoming
incredibly costly to healthcare providers (Lagasse, 2019).
Another major factor in recommending cryptographic controls is the tradeoff between cost and
the associated risk. As mentioned previously, this industry is filled with risks, and the cost of
mitigating them is no small matter. However, the consequences of not spending the additional
funds will be far worse. Beyond the chief risks listed above, others could result in lawsuits, leaks
of PHI and PII, patient illness, or even death.
Cryptographic Algorithms
According to NIST SP 800-175B, Revision 1 (Barker, 2020), there are three types of
asymmetric-key algorithms. FIPS 180 specifies the SHA-1 hash function and the SHA-2 family
of hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
Symmetric-key algorithms (sometimes called secret-key algorithms) use a single key both to
apply cryptographic protection and to remove or check it (i.e., the same key is used for a
cryptographic operation and its inverse). Asymmetric-key algorithms (often called public-key
algorithms) use a pair of keys (a key pair): a public key and a private key that are
(Olenski, 2015)
NIST 2020 Recommendations for RSA key bit-length (Factoring Modulus) (Kontsevoy, 2022)
Popularity
  RSA: Most widely implemented and supported.
  DSA: Its notorious security history makes it less popular.
  ECDSA: Fairly new but not as popular as EdDSA.
  EdDSA: Fairly new but favored by most modern cryptographic libraries.
Performance
  RSA: Larger keys require more time to generate.
  DSA: Faster for signature generation but slower for validation.
  ECDSA: Public keys are twice the length of the desired bit of
  EdDSA: EdDSA is the fastest-performing algorithm across
Security
  RSA: Specialized algorithms like Quadratic Sieves and General Number Field Sieves exist to factor integers
  DSA: DSA requires the use of a randomly generated unpredictable and secret value that, if discovered, can reveal
  ECDSA: Vulnerable if pseudo-random numbers aren't cryptographically strong.
  EdDSA: EdDSA provides the highest security level compared to the key length. It also improves the insecurities found in
Common differences between RSA, DSA, ECDSA, and EdDSA algorithms (Kontsevoy, 2022)
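To make the three categories concrete (the hash functions of FIPS 180, the symmetric-key algorithms that use one key for an operation and its inverse, and the asymmetric-key algorithms built on a public/private key pair, including the EdDSA column of the comparison above), the following Go program is an added example written for this document; it is not code from NIST, Kontsevoy, or Placebo Inc. It uses only the Go standard library: SHA-256 detects a changed record, AES-256-GCM (my choice of symmetric cipher; the text names none) protects and unprotects with a single key, and Ed25519 (the EdDSA instance) signs with the private key and verifies with the public key. The claims record is a constructed placeholder, not real PHI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample record standing in for a claims document; not real PHI.
var sampleRecord = []byte("patient_id=PLACEHOLDER-0001;claim=dental;amount=120.00")

// Sha256Hex returns the SHA-256 digest (FIPS 180, SHA-2 family) as hex.
// The same input always gives the same digest; any change gives a different one.
func Sha256Hex(data []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(data))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricSeal encrypts with AES-256-GCM; the same key must be used to
// decrypt (symmetric-key algorithm). Output layout is nonce || ciphertext || tag.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen reverses SymmetricSeal with the same key. GCM's authentication
// tag makes a modified ciphertext fail outright instead of decrypting to garbage.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Sign uses the Ed25519 private key (an EdDSA instance, asymmetric-key);
// Verify needs only the public key, which can be shared with other servers.
func Sign(priv ed25519.PrivateKey, data []byte) []byte  { return ed25519.Sign(priv, data) }
func Verify(pub ed25519.PublicKey, data, sig []byte) bool { return ed25519.Verify(pub, data, sig) }

// Results reports whether each mechanism behaved as expected against a
// one-field tamper of the record (amount changed from 120.00 to 920.00).
type Results struct {
	HashDetectsTamper          bool
	SymmetricRoundTrip         bool
	TamperedCiphertextRejected bool
	SignatureValid             bool
	TamperedRecordRejected     bool
}

func Demo() (Results, error) {
	var r Results
	tampered := bytes.Replace(sampleRecord, []byte("120.00"), []byte("920.00"), 1)

	// Hash function: integrity check for document tampering.
	r.HashDetectsTamper = Sha256Hex(sampleRecord) != Sha256Hex(tampered)

	// Symmetric key: one 256-bit key both protects and unprotects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	sealed, err := SymmetricSeal(key, sampleRecord)
	if err != nil {
		return r, err
	}
	opened, err := SymmetricOpen(key, sealed)
	r.SymmetricRoundTrip = err == nil && bytes.Equal(opened, sampleRecord)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = SymmetricOpen(key, sealed)
	r.TamperedCiphertextRejected = err != nil

	// Asymmetric key pair: private key signs, public key verifies.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	sig := Sign(priv, sampleRecord)
	r.SignatureValid = Verify(pub, sampleRecord, sig)
	r.TamperedRecordRejected = !Verify(pub, tampered, sig)
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Running it with `go run` prints a Results value whose five fields are all true: the digest changes when the amount field changes, the GCM ciphertext opens only with the original key and fails once its tag is altered, and the Ed25519 signature verifies for the original record but not for the tampered copy. The key and nonce come from `crypto/rand`; as the DSA and ECDSA rows of the table note, signature schemes that depend on per-signature random values are only as strong as that randomness.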
References
Barker, E. (2020, March). Guideline for Using Cryptographic Standards in the Federal
Government: Cryptographic Mechanisms. Retrieved April 13, 2022, from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175Br1.pdf
Gruhn, D., & Probst, J. (2021, June 24). What is cryptography and why is it important? Entrust
Blog. Retrieved April 18, 2022, from
https://www.entrust.com/blog/2021/06/why-is-cryptography-so-important-heres-what-you-need-to-know/
HHS. (2013, July 26). Summary of the HIPAA Security Rule. Health Information Privacy.
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
IBM. (2022, March 31). Identification and Authentication. Retrieved April 12, 2022, from
https://www.ibm.com/docs/en/ibm-mq/7.5?topic=mechanisms-identification-authentication
Kontsevoy, E. V. (2022, April 7). Comparing SSH keys - RSA, DSA, ECDSA, or EdDSA?
Retrieved April 14, 2022, from https://goteleport.com/blog/comparing-ssh-keys/
Lagasse, J. (2019, July 10). Third-party risk costs the healthcare industry $23.7 billion per year,
the report finds. Healthcare Finance News. Retrieved April 18, 2022, from
https://www.healthcarefinancenews.com/news/third-party-risk-costs-healthcare-industry-237-billion-year-report-finds
Olenski, J. (2015, May 29). Elliptic Curve Cryptography. GlobalSign GMO Internet, Inc.
Retrieved April 14, 2022, from https://www.globalsign.com/en/blog/elliptic-curve-cryptography
Paulsen, C., & Toth, P. (2016, November). Small Business Information Security - NIST.
Retrieved April 13, 2022, from https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Tunggal, A. T. (2021, August 25). What is Protected Health Information (PHI)? UpGuard.
https://www.upguard.com/blog/protected-health-information-phi#:~:text=For%20cyber%20criminals%2C%20PHI%20is,or%20held%20hostage%20through%20ransomware.
Glossary
Health Insurance Portability and Accountability Act (HIPAA)
  Established in 1996, it is a federal law to protect patient health records from tampering or misuse.
Personally Identifiable Information (PII)
  Data that can identify and distinguish a specific person.
Virtual Private Network (VPN)
  Extends a private network across a public network and enables users to send and receive data
  across shared or public networks as if their computing devices were directly connected to the
  private network.