
Cryptographic Control Recommendations for Placebo Inc.

Protecting Information Technology Resources

Assignment 7.1 - Final Project

Danni Lewis

Feena Phakasoum

Nicholas Wicker

Program of Cyber Security Operations & Leadership, University of San Diego

CSOL 510-02-SP22: Applied Cryptography

Dr. Danny Barnes

April 18, 2022



Business Sensitive

Distribution to Executive Leadership Only

Table of Contents

Executive Summary

Discussion

Chief Cyber Security Risks

Network Assumptions

Other Factors

Cryptographic Algorithms

Enclosure 1: Network Architecture Diagram & Components Table

Enclosure 2: Encryption Key Lengths

Enclosure 3: Encryption Options Quick Look

References

Glossary


Executive Summary

Our goal for this project is to recommend cryptographic controls to protect the IT resources of our health insurance company, Placebo, Inc. As the foundation of modern security systems, cryptography is used to secure transactions and communications, safeguard personally identifiable information (PII) and other confidential data, authenticate identity, prevent document tampering, and establish trust between servers. Our most vital data takes the form of customer PII, employee PII, intellectual property, business plans, and other confidential information. Cryptography is therefore critical infrastructure, because the security of sensitive data increasingly relies on cryptographic solutions (Gruhn & Probst, 2021). We will discuss healthcare regulations, the security controls in place, our chief risks, our current network infrastructure, cryptographic algorithms, and what we recommend as a full-scale solution to an issue that plagues many organizations in the healthcare industry today.


Discussion

While providing services to patients and maintaining the well-being of our customers, it is evident that the healthcare industry is vital for human continuity. As technology advances, cyber attacks have become a known threat within the healthcare industry, one that can interrupt our business from providing services to our clients. Our goal at Placebo Inc. is to provide exceptional services to our customers while maintaining the highest level of protection of information from unauthorized access, use, and disclosure. A basic rule we follow is the CIA triad: the confidentiality, integrity, and availability of all assets and data that travel within our organization.

Our organization is regulated by a variety of standards within the healthcare industry. The first regulation we follow is the Health Insurance Portability and Accountability Act (HIPAA). Below are the different sections of HIPAA we abide by:

● The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, sets forth the permitted and required uses and disclosures of protected health information. Protected health information may exist in any form, including paper, film, and electronic forms, and is a form of individually identifiable health information (HIMSS, 2022).

● The HIPAA Security Rule, 45 CFR Part 160 and Part 164, Subparts A and C, sets forth requirements for electronic protected health information (ePHI). In other words, the confidentiality, integrity, and availability of ePHI must be maintained by covered entities and their business associates (HIMSS, 2022).

● The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (HIMSS, 2022). PHI that has been encrypted in accordance with HHS guidance is not considered "unsecured" under this rule, which is one of the strongest business cases for the cryptographic controls recommended in this document.

The information these rules protect is Protected Health Information (PHI). Tunggal (2021) states, "For cybercriminals, PHI is valuable personally identifiable information (PII) that can be used for identity theft, sold on the dark web, or held hostage through ransomware." Examples of PHI in the healthcare industry include personal names, social security and medical record numbers, insurance plan information, and biometric identifiers.

HIPAA takes a reasonable, risk-based approach to the administrative, technical, and physical safeguards for patient information. Per HHS (2013), the general rules to remain compliant with these regulations are to:

● Ensure the confidentiality, integrity, and availability of all PHI handled

● Identify and protect against reasonably anticipated threats

● Protect against reasonably anticipated, impermissible uses or disclosures

● Ensure compliance by the workforce

For Placebo Inc., our Information Technology team enforces antivirus, two-factor authentication (2FA), and device encryption for all assets connected to the network. We also provide annual security training to all employees so they remain educated on the current threats and tactics that cybercriminals use against healthcare organizations. Alongside continuous monitoring and weekly patching, we practice defense-in-depth to avoid a single point of failure: if one control fails, another is in place to defend the infrastructure. For each component listed in Enclosure 1, the Network Architecture Diagram and Components Table, we identify the security control in place for that component.

As a healthcare organization, we hold exactly the personal data that cybercriminals seek. The healthcare sector has been attacked numerous times, leaving organizations facing downtime and millions of dollars in losses. The chief cyber security threats to our organization are ransomware, phishing, insider threats, data breaches, and distributed denial of service (DDoS).

Chief Cyber Security Risks

The environment in which healthcare professionals work is swarming with cyber security risks. Threats come from both inside and outside the organization, which makes it very challenging to protect. Here are a few of our chief cyber risks.


1. Large Attack Surface: Healthcare is no longer delivered by a single organization; it is a complex collaboration between many healthcare professionals working for different organizations and interacting through vastly different IT systems and services. Every one of those systems, interfaces, and accounts is a potential entry point.

2. Data Breaches and Loss of Patient Data: Insiders have elevated access and the know-how to obtain our most important information, our customer data. More often, however, the cause is simple carelessness by well-intentioned workers who leave laptops logged in but unguarded, fail to lock a file cabinet when no one is around, email a spreadsheet containing PHI to the wrong recipient, or work around controls such as encryption, password policies, and authentication.

3. Phishing: Attacks that aim to compromise sensitive information such as PHI by falsifying messages that appear to come from a trusted source. Statistics show that 98% of attackers use social engineering tactics, and 96% of those attacks use email; 3% come from malicious websites and 1% from mobile devices.

4. Compromised Third Party: If third parties have not sufficiently protected their systems, the data we are responsible for may be compromised through them.

5. Ransomware: Falling for a ransomware trap can cost our organization a great deal of time and money. If ransomware infected our network, critical operations and processes would be slowed or become inoperable until systems are restored, either from backups or, if a ransom is paid, from decryption keys that the attacker has no obligation to deliver.

Network Assumptions

Within our internal network, we assume that everyone with access is a trusted user (employees, contractors, and approved guests) who accesses the network only when conducting work-related activities and functions. We also assume that the vetted third parties who access our network do so from protected and secure endpoints, connect via VPN when external, and never share their credentials. Access is monitored regularly by DLP controls and by quarterly permissions audits. In addition to these security controls, we assume that users adhere to the standards, policies, and procedures in place. Our data is encrypted both at rest and in transit. When any of these assumptions proves false, specific administrative and technical measures take effect immediately to maintain the integrity and stability of the network.


Other Factors

Research by Censinet and the Ponemon Institute found that the yearly hidden costs of managing vendor risk are $3.8 million per healthcare provider, far surpassing the $2.9 million that each data breach costs providers; across the healthcare industry the cost is $23.7 billion per year. The inability to adequately assess and understand the risks that vendors pose is becoming incredibly costly to healthcare providers (Lagasse, 2019). Another major factor in recommending cryptographic controls is the tradeoff between cost and the associated risk. As mentioned previously, this industry is filled with risks, and mitigating them is neither a small feat nor a small expense. The consequences of not spending the additional funds, however, will be far worse: beyond the chief risks already described, failures could result in lawsuits, leaks of PHI and PII, patient illness, or even death.


Cryptographic Algorithms

According to NIST SP 800-175B, Revision 1 (Barker, 2020), there are three types of cryptographic algorithms: cryptographic hash functions, symmetric-key algorithms, and asymmetric-key algorithms. FIPS 180 specifies the SHA-1 hash function and the SHA-2 family of hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256; FIPS 202 adds the SHA-3 family. SHA-1 is no longer approved for generating digital signatures and should not be chosen for new systems; SHA-256 or stronger should be used. Symmetric-key algorithms (sometimes called secret-key algorithms) use a single key both to apply cryptographic protection and to remove or check that protection (i.e., the same key is used for a cryptographic operation and its inverse), so the key must be shared in advance and kept secret by every party that holds it. Asymmetric-key algorithms (often called public-key algorithms) use a pair of keys (a key pair): a public key and a private key that are mathematically related to each other. The private key is kept secret and used to sign or decrypt; the public key can be distributed freely and is used to verify or encrypt.
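As an added illustration of the three algorithm types (this is example code written for this document, not code from the report's authors or from NIST SP 800-175B), the following Go program uses only the Go standard library to hash a constructed sample record with SHA-256, encrypt it with AES-256-GCM to show that the same key both encrypts and decrypts and that a modified ciphertext is rejected, and sign it with an Ed25519 key pair so that only the public key is needed to verify. The record contents, the in-memory key, and the function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sha256Hex returns the SHA-256 digest of data as hex. A hash takes no key, so
// anyone can recompute it: on its own it detects accidental corruption, not
// deliberate tampering by an attacker who can also rewrite the stored digest.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes (AES-128/192/256)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricSeal encrypts plaintext with AES-GCM. The same key is needed to undo
// it. Output layout: nonce || ciphertext || 16-byte authentication tag.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen is the inverse operation under the same key. GCM checks the tag
// before releasing plaintext, so a modified blob or a wrong key is an error.
func SymmetricOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// SignAndVerify shows the asymmetric split: the private half of an Ed25519 key
// pair signs, and anyone holding only the public half can verify. It returns
// whether the genuine message verifies and whether a tampered copy does.
func SignAndVerify(msg []byte) (valid, validAfterTamper bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig := ed25519.Sign(priv, msg)
	valid = ed25519.Verify(pub, msg, sig)
	tampered := append([]byte("x"), msg...) // any change to the message must break the signature
	validAfterTamper = ed25519.Verify(pub, tampered, sig)
	return valid, validAfterTamper, nil
}

func main() {
	record := []byte("member=12345;dx=J45.20") // constructed sample record, not real PHI
	fmt.Println("SHA-256:", Sha256Hex(record))

	key := make([]byte, 32) // AES-256 key; in production it comes from a KMS/HSM, not a file
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := SymmetricSeal(key, record)
	if err != nil {
		panic(err)
	}
	pt, err := SymmetricOpen(key, blob)
	fmt.Println("decrypts to original:", err == nil && bytes.Equal(pt, record))
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = SymmetricOpen(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)

	valid, after, err := SignAndVerify(record)
	fmt.Println("signature valid:", valid, "| still valid after tamper:", after, "| err:", err)
}
```

The practical distinction to take from this: the AES key must be known to every party that encrypts or decrypts, which is why symmetric keys belong in a key management service rather than in application code, whereas the Ed25519 public key can be handed to anyone who needs to verify our documents without giving them the ability to forge one.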


[Figure not reproduced in this extract] (Olenski, 2015)


Enclosure 1: Network Architecture Diagram & Components Table


Enclosure 2: Encryption Key Lengths

NIST 2020 Recommendations for RSA key bit-length (Factoring Modulus) (Kontsevoy, 2022)


Enclosure 3. Encryption Options Quick Look

Popularity

RSA: Most widely implemented and supported.

DSA: Its notorious security history makes it less popular.

ECDSA: Fairly new, but not as popular as EdDSA.

EdDSA: Fairly new, but favored by most modern cryptographic libraries.

Performance

RSA: Larger keys require more time to generate.

DSA: Faster for signature generation but slower for validation.

ECDSA: Public keys are twice the length of the desired bits of security (a 256-bit key for 128-bit security).

EdDSA: The fastest-performing algorithm across all metrics.

Security

RSA: Specialized algorithms such as the Quadratic Sieve and the General Number Field Sieve exist to factor integers with specific qualities.

DSA: Requires a randomly generated, unpredictable, and secret per-signature value that, if discovered, reveals the private key.

ECDSA: Vulnerable if the per-signature random numbers aren't cryptographically strong; a repeated or predictable nonce exposes the private key.

EdDSA: Provides the highest security level relative to key length, and derives its per-signature value deterministically from the key and message, which removes the nonce weakness found in ECDSA.

Common differences between RSA, DSA, ECDSA, and EdDSA algorithms (Kontsevoy, 2022)
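The DSA and ECDSA security rows above both come down to the per-signature nonce. The following Go program is an added example written for this document, not code from the report's authors or from the cited sources: it signs two different constructed messages on P-256 with the same nonce k, confirms with the standard library's crypto/ecdsa that both signatures verify, and then recovers the private key from the pair using nothing but the two signatures and the two message hashes. With a fresh nonce per signature the same arithmetic yields an unrelated value, which is the behaviour a correct implementation gives. The messages, the deliberately reused nonce, and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// signWithNonce computes a P-256 ECDSA signature over hash using a caller-chosen
// nonce k. That is exactly the mistake being demonstrated: production code must let
// the library pick k from a CSPRNG (or derive it per RFC 6979) and never reuse it.
func signWithNonce(priv *ecdsa.PrivateKey, hash []byte, k *big.Int) (r, s *big.Int) {
	n := priv.Curve.Params().N
	rx, _ := priv.Curve.ScalarBaseMult(k.Bytes()) // R = k*G; r is R's x-coordinate mod n
	r = new(big.Int).Mod(rx, n)
	z := new(big.Int).SetBytes(hash) // SHA-256 output is 256 bits, same as n: no truncation
	s = new(big.Int).Mul(r, priv.D)  // s = k^-1 * (z + r*d) mod n
	s.Add(s, z)
	s.Mul(s, new(big.Int).ModInverse(k, n))
	s.Mod(s, n)
	return r, s
}

// recoverPrivateKey takes two signatures (r, s1) and (r, s2) over different message
// hashes that share the same r (hence the same k) and returns the private scalar d:
//   k = (z1 - z2) / (s1 - s2) mod n
//   d = (s1*k - z1) / r       mod n
// It returns nil when s1 == s2 mod n, where the division is undefined.
func recoverPrivateKey(curve elliptic.Curve, h1, h2 []byte, r, s1, s2 *big.Int) *big.Int {
	n := curve.Params().N
	z1 := new(big.Int).SetBytes(h1)
	z2 := new(big.Int).SetBytes(h2)
	den := new(big.Int).Sub(s1, s2)
	den.Mod(den, n)
	if den.Sign() == 0 {
		return nil
	}
	k := new(big.Int).Sub(z1, z2)
	k.Mul(k, den.ModInverse(den, n))
	k.Mod(k, n)
	d := new(big.Int).Mul(s1, k)
	d.Sub(d, z1)
	d.Mul(d, new(big.Int).ModInverse(r, n))
	d.Mod(d, n)
	return d
}

// NonceReuseDemo generates a P-256 key, signs two constructed messages (with one
// shared nonce if reuse is true, fresh nonces otherwise), checks both signatures
// with crypto/ecdsa, and reports whether the recovery step produced the real key.
func NonceReuseDemo(reuse bool) (bothValid, recovered bool, err error) {
	curve := elliptic.P256()
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, false, err
	}
	n := curve.Params().N
	randomNonce := func() (*big.Int, error) {
		k, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
		if err != nil {
			return nil, err
		}
		return k.Add(k, big.NewInt(1)), nil // uniform in [1, n-1]
	}
	k1, err := randomNonce()
	if err != nil {
		return false, false, err
	}
	k2 := k1 // the reuse bug: same nonce for a second message
	if !reuse {
		if k2, err = randomNonce(); err != nil {
			return false, false, err
		}
	}
	h1 := sha256.Sum256([]byte("claim 1001: approved")) // constructed messages
	h2 := sha256.Sum256([]byte("claim 1002: denied"))
	r1, s1 := signWithNonce(priv, h1[:], k1)
	r2, s2 := signWithNonce(priv, h2[:], k2)
	bothValid = ecdsa.Verify(&priv.PublicKey, h1[:], r1, s1) &&
		ecdsa.Verify(&priv.PublicKey, h2[:], r2, s2)
	d := recoverPrivateKey(curve, h1[:], h2[:], r1, s1, s2)
	recovered = d != nil && d.Cmp(priv.D) == 0
	return bothValid, recovered, nil
}

func main() {
	for _, reuse := range []bool{true, false} {
		bothValid, recovered, err := NonceReuseDemo(reuse)
		if err != nil {
			panic(err)
		}
		fmt.Printf("nonce reused=%v: both signatures verify=%v, private key recovered=%v\n",
			reuse, bothValid, recovered)
	}
}
```

The point for Placebo's deployment choices: an ECDSA signing system is only as strong as the random number source behind every signature, which is why the table favors EdDSA (deterministic nonces) and why any ECDSA or DSA signing key should live in an HSM or a library that derives nonces per RFC 6979 rather than in application code that calls a general-purpose RNG.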


References

Barker, E. (2020, March). Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms (NIST SP 800-175B Rev. 1). National Institute of Standards and Technology. Retrieved April 13, 2022, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175Br1.pdf

Gruhn, D., & Probst, J. (2021, June 24). What is cryptography and why is it important? Entrust Blog. Retrieved April 18, 2022, from https://www.entrust.com/blog/2021/06/why-is-cryptography-so-important-heres-what-you-need-to-know/

HHS. (2013, July 26). Summary of the HIPAA Security Rule. Health Information Privacy. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

HIMSS. (2022). Cybersecurity in Healthcare. HIMSS. https://www.himss.org/resources/cybersecurity-healthcare

IBM. (2022, March 31). Identification and Authentication. Retrieved April 12, 2022, from https://www.ibm.com/docs/en/ibm-mq/7.5?topic=mechanisms-identification-authentication

Kontsevoy, E. V. (2022, April 7). Comparing SSH keys - RSA, DSA, ECDSA, or EdDSA? Retrieved April 14, 2022, from https://goteleport.com/blog/comparing-ssh-keys/

Lagasse, J. (2019, July 10). Third-party risk costs the healthcare industry $23.7 billion per year, the report finds. Healthcare Finance News. Retrieved April 18, 2022, from https://www.healthcarefinancenews.com/news/third-party-risk-costs-healthcare-industry-237-billion-year-report-finds

Olenski, J. (2015, May 29). Elliptic Curve Cryptography. GlobalSign GMO Internet, Inc. Retrieved April 14, 2022, from https://www.globalsign.com/en/blog/elliptic-curve-cryptography

Paulsen, C., & Toth, P. (2016, November). Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1). National Institute of Standards and Technology. Retrieved April 13, 2022, from https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

Tunggal, A. T. (2021, August 25). What is Protected Health Information (PHI)? UpGuard. https://www.upguard.com/blog/protected-health-information-phi#:~:text=For%20cyber%20criminals%2C%20PHI%20is,or%20held%20hostage%20through%20ransomware.


Glossary

Acceptable Use Policy (AUP): An agreement from a business to an employee setting out acceptable practices when using the corporate network.

Access Control List (ACL): A list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to objects, and which operations are allowed on those objects.

Advanced Encryption Standard (AES): The symmetric block cipher standardized by NIST in FIPS 197, operating on 128-bit blocks with 128-, 192-, or 256-bit keys; the cipher used to protect most sensitive data at rest and in transit.

Distributed Denial of Service (DDoS): An attack in which many compromised machines flood a target with connections or traffic so that it can no longer serve legitimate users.

Health Insurance Portability and Accountability Act (HIPAA): A federal law enacted in 1996 that, through its Privacy, Security, and Breach Notification Rules, protects patient health records from tampering, misuse, and unauthorized disclosure.

Internet Service Provider (ISP): An organization that provides services for accessing, using, or participating in the internet.

Local Area Network (LAN): A group of computers and devices within a limited geographic area, such as an office or building, that share a common network.

Personally Identifiable Information (PII): Data that can identify and distinguish a specific person.

Protected Health Information (PHI): Individually identifiable health information created, received, stored, or transmitted by a HIPAA-covered entity or its business associates; the category of data that HIPAA protects and over which it gives patients rights.

Service Set Identifier (SSID): The name of a wireless network, also known as a network ID.

Transport Layer Security (TLS): The protocol that protects data in transit between a client and a server with encryption, integrity checks, and certificate-based authentication; the successor to SSL. Only TLS 1.2 and 1.3 should be enabled.

Virtual Private Network (VPN): Extends a private network across a public network and enables users to send and receive data across shared or public networks as if their devices were directly connected to the private network.

Wired Equivalent Privacy (WEP): An obsolete wireless security protocol based on RC4 and a static shared key entered manually on each device. Its keys can be recovered in minutes with freely available tools, and it must not be used.

Wi-Fi Protected Access 2 (WPA2): The second-generation Wi-Fi security protocol, which protects wireless networks using AES; the minimum acceptable standard for our wireless networks, with WPA3 as its successor.
