Keaton Brummer

Host Security

9/10/2020

Security Plan Outline

Reducing Successful Phishing Scams:

The first step to decreasing the number of successful phishing scams is to deploy training to employees on how to avoid falling for scams. One way to determine who is most in need of training is to send a test (fake) phishing email to employees and see who falls for it. Anyone who falls for it and fails this test is known to need security awareness training. An important consideration when training employees is to make sure that their training is relevant to them and their field. This ensures that each employee actually engages in the training and pays more attention than they would if the training seemed irrelevant or seemed like a punishment (Greenlee, 2019).

Another measure that can be taken is email/spam filtering. This blocks incoming emails from suspicious senders, therefore eliminating the human error of opening a spam email and clicking a bad link. Along with this, website filtering could reduce the number of successful attacks as well. Website filtering is a useful backup to email/spam filtering: if a suspicious email gets through to an employee and the employee clicks a harmful link, the website filtering can kick in. If the link points to a suspicious website, or one that is already blocked, the employee is denied access to it and any damage that could have been done is prevented.

Protecting HIPAA Data:

An important and somewhat obvious way to help protect HIPAA data and other confidential information is encryption. It is vital to encrypt this type of data so that employees who do not have authorization cannot read the information or spread it. In addition, if attackers were to get access to HIPAA information, it would not simply be sitting there available for them to read and do with as they please. One form of encryption that may be suitable is the Advanced Encryption Standard (AES). AES is a symmetric block cipher and is utilized by the U.S. government; it is known to be vulnerable only to brute-force attacks (National Institute of Standards and Technology, 2001). Other than encryption, data access must be managed as well, so that employees do not have access to any data they would like. This prevents the spread of information and keeps confidential data safe. Simple measures can manage data access, such as two-factor authentication (or more factors, depending on how sensitive the data is) (University of Delaware, 2018). This means that more than just a password is needed to access information, such as a text message containing an authorization code or something similar. Along with managing data access, making sure data is used properly is just as vital. This means allowing access to confidential data only under the right circumstances and only as needed (University of Delaware, 2018), which ensures that data is accessed only when needed and prevents employees from unnecessary access to it. If an employee can access confidential data whenever they please or whenever they see fit, the chance of the data being misused or spread greatly increases.
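As an added example (not from the paper), the AES encryption the paragraph recommends for HIPAA data at rest, written in Go with the standard library's AES-GCM: the record is readable only with the key, and the authentication tag makes a wrong key or a modified ciphertext fail to decrypt instead of yielding garbage. The key, the sample record and the function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals plaintext with AES-GCM as nonce||ciphertext||tag,
// drawing a fresh random nonce per call (nonce reuse under one key breaks GCM).
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord; GCM's tag check rejects a wrong key or
// any modified byte, so without the key the record is unreadable and tamper-evident.
func decryptRecord(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(data))
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // AES-256; real keys live in a key manager, not in code
	rand.Read(key)
	sealed, _ := encryptRecord(key, []byte("mrn=000123;dx=hypertension")) // constructed sample
	fmt.Printf("stored %d bytes of ciphertext\n", len(sealed))
}
```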

Ensuring the Security of Vital Healthcare Systems:

To ensure the security of vital healthcare systems, utilizing a layered security defense strategy could be most beneficial. The first tools to utilize are firewalls and Unified Threat Management (UTM). Firewalls act as a barrier between your system/network and anything trying to get into or out of it, and can be used to prevent attackers from intruding into your network and systems. More sophisticated firewalls can be set up for intrusion detection and can do things like the website filtering discussed previously. Some also include anti-virus, anti-spyware, anti-spam, and other features that, if utilized properly, help prevent and mitigate attacks. Another measure that makes healthcare systems more secure is OS hardening. This includes removing unnecessary programs and data to minimize the attack surface; examples are preinstalled programs like games and other software that will not be utilized in the healthcare system. Another important measure is to patch and hot-fix systems. This keeps them up to date against known vulnerabilities and prevents those vulnerabilities from being exploited. Blacklisting can also be utilized. This denies the execution of certain known harmful or easy-to-exploit programs, and can also block access to certain websites or block emails from certain senders if they are blacklisted. Other measures pointed out earlier can increase the security of healthcare systems as well, including website filtering and spam filtering, multi-factor authentication, and encryption.

References

Greenlee, M. (2019, November 12). How to Protect Your Organization From Evolving Phishing Attacks. Retrieved September 10, 2020, from https://securityintelligence.com/articles/how-to-protect-your-organization-from-evolving-phishing-attacks/

National Institute of Standards and Technology. (2001). Announcing the Advanced Encryption Standard (AES) [PDF]. Boulder: National Institute of Standards and Technology Publications.

University of Delaware. (2018). Managing data confidentiality. Retrieved September 11, 2020, from https://www1.udel.edu/security/data/confidentiality.html