Need Someone to create a (Narrated Presentation) for me from my given PowerPoint. Also, technical and lab Reports are provided for better understanding. (I need this to be done in 6 hours).
(Your job is to look at the given PowerPoint and create narrated presentation as your presenting from those PowerPoint.Also, added stuff during your narration from those technical and lab reports) You don’t have to speak or (Narrate) on those PowerPoint slides, just write it down below every slide instead. I will do the recording from your created notes. (Once again I need this back in 6 hours.)Once again, I have completed my PowerPoint from the attached technical report and lab report. Now I just need someone to develop a narrated presentation for the members of the hospital board as well as the CIO and other managers from my given PowerPoint and those two technical and lab reports. My technical report provides an analysis of the infrastructure and the threats, based on the incident that first brought the organization’s security issues to my team’s attention. Technical and lab reports have to be the basis of a presentation that I will have to provide for the hospital board. The board will make decisions concerning what actions are taken and how much money will be allocated for cybersecurity. Therefore, I have created a slide deck that captures the salient points of My research, the results of the lab tests of the password-cracking tools, and the team’s proposals to tighten information security practices. You have to consider the suggestions in the table below to focus your efforts on this narrated presentation.
( Topics to Address in the Narrated Presentation
Keep the primary goals of your presentation in mind as you build your presentation to the board: be credible, be clear, and provide reasoned solution recommendations.
- Present your technical findings succinctly to a non-technical audience. Avoid acronyms or slang; opt for clear language and clear explanations.
- Provide a high-level summary of the infrastructure, the vulnerabilities that may have enabled the breach, and recommended actions. Explain what happened, the impact on the organization, and your proposed actions with rationale and costs.
- You are limited to 12 slides, excluding the cover and references slides. You will choose your best narrator to narrate the presentation for wider distribution. The format should be professional and free from typos or grammatical errors. This is the board’s impression of your team’s performance!)
MedStar
Group 3
March 3, 2021
MANAGING CYBER THREATS FOR MedStar system
1
Agenda
About MedStar
Our Story
Our Product and Services
Cyber Challenges
Mission
Technical Paper Summary
Lab Report Results Review
Vulnerabilities
Unauthorize Access
Ransomware
Denial of Services
Key project updates
2021 Plan
Recommendation
Executive Team
Kenneth A. Samet
Susan K. Nelson
Scott MacLean
Closing
Summary
Questions and Answers
Our Story
Highlights
MedStar Health is a not-for-profits health system dedicated to caring for people in Maryland and the Washington DC
MedStar’s 30,000 associates, 6,000 affiliated physicians, 10 hospitals ambulatory, and urgent care center
MedStar Health research institute are recognized regionally and nationally for excellence in medical care
MedStar trains more than 1,100 medical residents annually
Highlights
MedStar treated more than 6,000 patients, handled 2,400 ER patients, and performed 782 surgeries.
MedStar judged top among 70 nominees in the category recognizing “best use of storage technology to drive performance gains
3
Our Products and Services
ephi
phi
Hipaa/hitech
Cyber Threats Challenges
The health system was forced to shut down its computers and email during the March 28 attack
The healthy system lost access to more than 370 computer programs
New employee didn’t know how to operate without computer system
Cyber attacks represent the greatest threats to protecting healthcare data
The attack forced the organization to power down critical process and infrastructure
The attackers used ransomware
The attack slowed down operations with majority of services taken offline
5
Mission Best Practices
Email Projection
Endpoint Protection
Asset Management
Network Management
Medical Device Security
Policies and Procedures
6
Technical Paper Summary
7
Organization Overview
Technology Used
Vulnerabilities and Mitigation
Conclusion
LAP REPORT REVIEW
APOLLO
(ophcrack)
(BRUTE FORCE) Batman
(ophcrack)
(BRUTE FORCE)) CHEKOV
(ophcrack)
(BRUTE FORCE CSADMIN
(ophcrack)
(BRUTE FORCE)
Ophcrack recovered the password the quickest. Ophcrack recovered the password the quickest. Ophcrack recovered the password the quickest. Ophcrack recovered the password the quickest.
Using Brute Force, the predefined field and the password length has to be adjusted properly to recover a password in the reasonable time. Using Brute Force, the predefined field and the password length has to be adjusted properly to recover a password in the reasonable time. Using Brute Force, the predefined field and the password length has to be adjusted properly to recover a password in the reasonable time. Using Brute Force, the predefined field and the password length has to be adjusted properly to recover a password in the reasonable time.
Apollo password could take 2 years to recover Apollo password could take 2 years to recover Apollo password could take 2 years to recover Apollo password could take 2 years to recover
8
BRUTE FORCE
an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found
Dictionary Attack
is a form of brute force attack technique for defeating a cipher or authentication mechanism by trying to determine its decryption key
Ophcrack
is a free open-source program that cracks Windows log-in passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of
Vulnerabilities
12
Unauthorize Access
Ransomware
Denial of Services
Key Project Updates
Implementing preventive measures by working to educate employees and staff on how to mitigate and prevent further attacks on the systems infrastructure.
Ethical decisions regarding protected patient information should be made in timely manner
Maintaining communication with stakeholders, acting in a timely manner, protecting confidentiality, ensuring professional competence, and collaborating with appropriate agencies to solve the issue.
Most cyber security breach are due to compromised passwords, MedStar should taken a strong view that all external/internal access requires two factor authentication to prevent comprising our systems
Lesson Learned
13
Recommendation
What are our keys plans for the coming years of 2021?
MedStar need to implement both key technologies and process to protect against Cyber Threats as well as defining organizational process to manage risk
Network Segmentation diving the network into manageable parts and monitoring communications between each of the part provides early detection of potential cyber threats while limiting organization risk
Most cyber security breach are due to compromised passwords, MedStar should taken a strong view that all external/internal access requires two factor authentication to prevent comprising our systems
14
Our People Executive Team
Scott T. MacLean
CEO
Susan K. Nelson
CFO
Scott T. MacLean
CIO
15
Thank you
Questions?
.MsftOfcThm_Accent2_lumOff_2_Fill {
fill:#28C4CC;
}
.MsftOfcThm_Accent2_Fill {
fill:#2683C6;
}
.MsftOfcThm_Accent2_lumOff_0_Fill {
fill:#2693C8;
}
.MsftOfcThm_Accent2_lumOff_1_Fill {
fill:#27A3C9;
}
.MsftOfcThm_Accent2_lumOff_1_Fill {
fill:#27B3CB;
}
(Executive Summary)
MedStar Health Inc, a leader in the healthcare industry regionally and nation-wide, is a constant target of the malicious attempts of cyber criminals. Over the past 6 years MedStar Health Inc. has faced several instances of data breach most notably, the 2016 breach that compromised 370 computer systems and halted its operations. As the organization continues to digitize and broaden the use of electronic medical records across its facilities, the threat of cyber-attack remains even more pervasive. The purpose of this report is to provide an overview of MedStar Health Inc cybersecurity vulnerabilities, examine the overall causes and impact of the breaches and explore solutions to meet the organization’s cybersecurity challenges.
With a focal point on MedStar Health breaches, a literature-based study was conducted, and various news articles, academic journals and company publications were analyzed. It was found that the 2016 and 2020 data breaches were attacks on the organization’s internet servers. The 2020 hack compromised the records of 668 patients, whereas the 2016 hack was a result of a ransomware infection that compromised 7500 individuals’ records and halted the organizations’ operations. The cost of the virus infection was greater than the $19,000 ransom requested due to additional recovery and remediation costs. It was also revealed that the 2019 breach was due to human error.
To best combat the efforts of cyber criminals, it is recommended that MedStar Health Inc. place greater emphasis on cyber awareness training for employees/professionals, implementing multiple factor authentications and a strong password and identity management system to reinforce its IT infrastructure against future hacks. Failure to effectuate these measures pose significant risk to MedStar Health Inc., its affiliates and patients that extend beyond ransom payments, fines, imprisonment, lawsuits and costs incurred for subsequent identity theft protection services. The damage caused by data security breaches may prove fatal for patients, the company’s most valued asset, compromising public perception and the company’s mission to provide the highest quality of medical care and build long-term relationships with the patients they serve.)
Actual Technical Report
MedStar Medical Vs. Cybercrime
In the health sector, experts “see persistent cyber-attacks as the single greatest threat to the protection of healthcare data” (Moffith & Steffen, 2017). To the world at large, this is not the most absurd news or revelation. Healthcare data embodies some of the most marketable information, and for the black market this is Eldorado – the fictional tale of the city of gold. Healthcare organizations are tasked with fighting the uphill battle of providing quality medical care to their number one stakeholder – patients – while also ensuring that their valuable information is kept safe and secure. Despite their efforts, healthcare organizations sometimes fail in their attempts to provide adequate security. In 2016, MedStar Health – a not-for-profit healthcare organization – suffered a data breach that left thousands of residences of the Washington DC and the Maryland area distraught. This paper highlights the concerns faced by MedStar Health and the damage caused by these cyber-attacks. It also analyses various vulnerabilities seen in the healthcare sector and highlights needed comprehensive security perspectives and industry-proven security systems to provide recommendations on how MedStar Health can potentially face these challenges.
MedStar Health’s Bio
MedStar Health offers “the highest quality care for people in Maryland, Virginia, and Washington, D.C.,” solidifying its reputation as a leader in the healthcare industry both regionally and nationally (MedstarHealth, 2021). The organization operates ten hospitals and over twenty health-related businesses, including ambulatory care, urgent care centers, and a research institute across the Washington, DC, and Maryland area. It also currently employs 30,000 associates, 6,000 affiliated physicians and has one of the largest graduate medical programs in the country, where more than 1,100 medical residents are trained annually (MedStar Health, 2021). Also, MedStar Health is the medical education and clinical partner of Georgetown University.
The 2016 Breach
On March 28, 2016, MedStar Health was a victim of a data breach that brought the medical “behemoth” to a standstill (Cox et al., 2016). This attack forced the institution to power down critical infrastructure and processes for several days to slow the virus’s spread. Specifically, the cybercriminals used a ransomware attack to encrypt the organization’s data and infected critical systems. The Washington Post describes this crime as being “financially motivated, [where] the hackers make demands that put their victims in a difficult spot…, [targeting] critical data — such as patient records — then ask for a ransom” in exchange for decrypting the compromised data (Cox et al., 2016).
Consequently, as a result of this attack, ten hospitals and over twenty medical centers were pushed back to the primitive means of operation, slowing down overall productivity and affecting thousands of patients. NBC News reported that thousands of MedStar’s patients with appointments were greeted with the voice message, “Our computer systems are still down, so we need you to bring a list of current medications and a list of allergies” (Williams, 2016). The impact of this ransomware attack was truly daunting, as it denied health care professionals access to information and resources needed to perform their duties–it ultimately hindered the organization’s ability to fulfill its mission of providing quality healthcare to its patients.
The 2019 Accidental Data Leak
On July 22, 2019, MedStar Health’s Privacy Director, Mutanu Mutuvi-Thomas, reported to the Attorney General that their organization experienced an accidental data leak on June 19, 2019, where confidential information was shared. In an email describing the incident, the Privacy Director explained the accident and the course of action taken to remediate the issue. When the mistake was realized, strict instructions were immediately issued to the recipients of the accidental email to securely delete the document from their emails and trash receptacles. To prevent further disclosure of the sensitive information, legal documents were then issued to the recipients to sign confirming the deletion (MedStar Health, 2019). Additionally, the affected residents were “offered one year of complimentary credit monitoring and identity theft protection services through Experian” (MedStar Health, 2019). This was a valiant effort on MedStar Health’s part, in protecting not only their patients, but also the care providers in light of this exposed vulnerability. Although this incident was reported in the 2019 End of Year Data Breach Report by ITRC (Identity Theft Resource Center), there was no additional information available, as it was discreetly handled internally.
The Healthcare and Cybersecurity
Healthcare information is precious, as it encompasses a holistic view of a person’s health, and thus, the health of the wider community. This information is used to determine medical treatment and policies that ultimately influence the standard of living at large. Not too long-ago medical information was stored as physical files and was accessed through manual processes. This of course posed unique challenges regarding data communication, efficiency, accuracy, and security – demonstrating a need for the digitization of health files (Touro College Illinois, 2021).
“Today, healthcare information is widely collected, stored, accessed and transmitted digitally, thanks in part to the Health Information Technology for Economic and Clinical Health (HITECH) Act” (Touro College Illinois, 2021). This act promoted the widespread use of electronic health records (EHR) and health information exchange (HIE) to share and store healthcare information. This shift in handling medical data created, without question, overall improvements to healthcare, as health records are updated in real-time and patients are treated with more efficiency. “As healthcare information …migrated to the digital environment, it [became] highly valuable and therefore vulnerable to cybercriminals on the dark web” (Touro College Illinois, 2021). Healthcare cybersecurity laws were then introduced with guidelines to follow set forth by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect patients’ information.
Findings
Cyber threats to the healthcare industry continue to be a major problem. Organizations have reported more instances of data breach with the increasing use of EHR. While the scope of the threats remains unknown, the industry in most recent years have taken more steps than ever before to close the gap. In this section, the researchers aim to provide an overview of the health sector’s cyber concerns and the various data breaches experienced by MedStar Health
How Serious is the Cyber Concern?
Between 2009 and 2016, there were 1,798 data breaches reported; of which 1,225 were reported by health care providers. Also, of 257 reported breaches 216 were hospitals, and at least 33 of those facilities were involved in multiple cyber incidents (Schmeelk et al., 2021). Within 2010 and 2013, studying a dataset of 949 breaches recorded by the Office of Civil Rights (OCR), there were more than 29 million compromised health records (Schmeelk et al., 2021). Figure 1 below highlights the five categories of breaches recorded by OCR between June 2019 to June 2020: “Hacking/I.T. Incident reports totaling 264 breaches, Improper Disposal totaling 12 breaches, Loss totaling 11 breaches, Theft totaling 27 breaches, and Unauthorized Access/Disclosure totaling 102 breaches” (Schmeelk et al., 2021).
Figure 1
Breach Types between June 2019 to June 2020 (Schmeelk et al., 2021).
Moreover, within the exact timestamp of June 2019 to June 2020, there were three significant data breaches within the healthcare sector. On July 1 of 2019, Optum360 LLC. reported a breach affecting 11,500,000 individuals and days later, July 15 of 2019, Clinical Pathology Laboratories Inc. also reported a breach that affected 1,733,836 individuals. Both breaches were the result of an attack/ hack of their IT Network Servers. Additionally, on February 5 of 2020, Health Share of Oregon declared a data breach that affected 654,362 individuals due to a laptop theft (Schmeelk et al., 2021).
The seriousness of these concerns is seen in figure 2, which highlights the number of U.S. residents affected by healthcare data breaches between 2014 to 2019. As reflected, 113.2 million U.S. residents were affected by cyberattacks in 2015. In 2020, surprisingly, only 23.5 million affected U.S. residents were impacted by cybercriminals’ acts, despite the Covid 19 pandemic (Johnson, 2021). Nevertheless, this is still a substantially large number of individuals affected as result of data breaches in the healthcare sector.
Figure 2
The number of U.S. residents affected by health data breaches from 2014 to 2019, in millions (Johnson, 2021).
MedStar Health’s Data Breaches
Over the last six years, MedStar Health faced three major data breaches that have heightened concerns surrounding the organization’s cybersecurity posture. The data breach of 2016 left 10 MedStar Health hospitals and 250 outpatient centers in the Washington DC and the Maryland area at a standstill. Their entire infrastructure was victim to the ransomware attack. According to the Indian Health Services (IHS), 7,500 individuals were affected by this 2016 data breach, and a ransom of USD 19,000 was requested –which was not paid. The 2019 cyber threat came from an internal error that leaked “sensitive personal information of residents to a class of new intern physicians” (MedStar Health, 2019). This case was handled internally, and there are no reports of any further damage caused by this internal threat. Finally, according to OCR, on September 25, 2020, 668 individuals were affected by a network data breach, categorized as an I.T./ Hacking incident, at MedStar Health. Unfortunately, there was no additional information posted online concerning this breach, as it is currently filed under the OCR section of presently under investigation.
Discussion
In the age of technological advancements, preparedness is vital when facing the daunting reality of the capabilities embodied by cybercriminals. MedStar, along with many other medical facilities, learned this truth the hard way with the implementation of electronic health records. Craig DeAtley, the organization’s director of emergency management, commented on the need for better preparations in light of the 2016 data breach in an interview. He said, “[w]e were practiced at individual workarounds, but we had never really rehearsed losing everything, much less all at once, … [Y]ou need to exceed your comfort level to prepare for a problem this vast” (Hall, 2016). MedStar Health and healthcare providers need to keep up with modern cybersecurity practices, regular cyber awareness training, and up-to-date system infrastructures to embody this readiness.
In the 2016 cyberattack, several infrastructure resources were rendered useless because of the virus. The Ransomware that crippled the hospital’s systems restricted access to essential EHR, leaving thousands of patients without sufficient care. In the realm of cybersecurity, the CIA triad are core principles of information security that assist in the discussion and implementation of measures to turn the tides of this uphill battle. In essence, these principles help with the needed preparedness. The CIA triad’s core principles ensure that data remains confidential, maintains its integrity, and access to required information is always available. These principles will guide the proposed recommendations for MedStar Health on ways to improve their I.T. systems.
Insider Threats
MedStar Health suffered an external attack in 2016, and the damage was substantial. However, this gateway was made possible by human error, and thus cyber harm can be done from within any organization, whether it be malicious or through careless actions. This act is referred to as an Insider Threat. Through these thoughtless or malevolent actions, health records are compromised, and in turn, patients suffer. More so, these actions often, more times than not, expose the vulnerabilities in the CIA triads, endangering “confidentiality, integrity, [and] or availability of the organization’s information or information systems” (Mazzarolo & Jurcut, 2019). In the case of MedStar Health, in 2016, employees’ access to their systems was restricted, removing the availability of needed PHI, and the integrity of the data was potentially compromised. Understanding the seriousness of the insider threat can ultimately help protect MedStar Health against these vulnerabilities.
Typically, when a breach is revealed on the news or reported to the OCR, it is usually due to an outsider. However, thoughtless action can prove more lethal. The 2019 data leak at MedStar Health of residents’ confidential information is an example of insider threat, as this was a careless act that exposed PHI. “The hazards that originate from inside [an organization are more] difficult to prevent and detect because insiders pose a serious danger as they are familiar with the organization’s… systems…, and policies, and they have access to confidential information” (Mazzarolo & Jurcut, 2019). Although the 2019 incident was accidental, it doesn’t take away from the potential threats mistakes can cause. A lesson that MedStar Health is fully aware of, as seen in their actions to resolve this incident quickly.
Intrusion Motives
At this point, it is understood how valuable medical information is, and not just to healthcare facilities, but also to the cyber black market. In fighting this unavoidable circumstance, healthcare management needs to understand the driving factors behind cybercriminals. There is the common saying that resonates with the benefit of knowing your enemy, and it holds true in these challenging circumstances. The intrusive motives of cyber criminals may be opportunistic for monetary gain, political exposure and change, ideological activism, disruption of services or access, and/or just simply to cause physical harm.
In MedStar Health’s 2016 case, the motive was monetary and to disrupt service and access of their systems. This action, in turn, caused harm to the patients and the care they required. Ablon (2018) describes this type of attacker as a Cybercriminal. “Cybercriminals are motivated by financial gain—they care about making money. They want access to our personal, financial, or health data—in order to monetize them on underground black markets” (Ablon, 2018). The motives behind the breach of 2016 preyed on the vulnerability in patient data confidentiality and electronic records’ availability to MedStar Health staff. Thus, understanding the enemy can prove beneficial in MedStar Health’s pursuit of curbing these vulnerabilities.
Hacker psychology
Like intrusion motives, the hacker’s psychology is tied to the cybercriminal’s mindset and begs the question of what ultimately motivates them to hack. This goes for both cybercriminals and cybersecurity professionals. The difference is the motivating factor. As briefly mentioned, some hackers will conduct their actions with the sole purpose of making money, while others perform the same steps because of curiosity. In the case of cybersecurity professionals, these actions are done to protect everyday civilians who cannot defend themselves from cyber-attacks. Understanding the hacker’s psychology will help cyber professionals make better decisions regarding keeping EHR confidential, maintaining all records’ integrity, and ensuring that the data remains accessible to the right employees. “[W]hen analyzing threats and attacks, it is important to focus on the psychological aspect of an intruder, their motives and intentions and their way of thinking, planning and performing attacks” (Pleskonjic, 2006). This mindfulness will help cybersecurity professionals in their task of creating sound vulnerability assessments.
More so, understanding the fundamentals of insider threats, intrusion motives, and hacker psychology provides an excellent foundation for guiding the conversation surrounding the CIA triad’s principles. This understanding, alongside sound security systems, will aid MedStar Health in its concerns regarding the confidentiality, integrity, and availability of PHI and ePHI.
Identity Management System
Identity management is an important tool in securing information systems and if properly applied it would aid in the reinforcement of MedStar Health security posture. It is essentially the process by which users’ identities are defined and managed in an enterprise environment and encompasses two vital concepts, “Access” and “User”. “Access refers to actions permitted to be done by a user (… view, create, or [edit] a file), [while users refer to] employees, partners, suppliers, contractors, or customers” (De Groot, 2019). Implementing an Identity Management System provides the ability to segment employees based on their roles. This system will ensure that access is given to the proper personnel at MedStar, and access will be managed when those employees transition roles and or leave the company. This type of access management and control aids the fight against cyber concerns and can ultimately help reduce the risks of vulnerabilities in MedStar Health’s framework; as it corrects issues surrounding authorization, as access is controlled based on job description and role.
The Identity Management System is designed to address three critical security tasks: identity, authenticate, and authorize. “Meaning, only the right persons should have access to computers, hardware, software apps, any I.T. resources, or perform specific tasks” (De Groot, 2019). At MedStar Health, as of 2017, OnCore, a clinical management system, was implemented to work in conjunction with PowerTrials, a module within the MedStar electronic medical record (MedStar Health, 2017). OnCore holds records of patient’s progress, and to some degree, billing intimation, while PowerTrials stores these patients’ medical records. “These two systems both serve a different purpose within [MedStar] but work with each other to serve study and subject information to the appropriate users” (MedStar Health, 2017). With a proper Identity Management System in place, access to these systems will remain secure. The system controls the users’ access (their unique passwords) to each platform, ensuring no unauthorized person gains access to this confidential information.
In considering an Identity Management System for MedStar Health, the following components are needed:
a scalable, secure, and standards-compliant directory service for storing and managing user information; a provisioning framework that can either be linked to the enterprise provisioning system, such as a human resources application, or operated in standalone mode; a directory integration platform that enables the enterprise to connect the identity management directory to legacy or application-specific directories; a system to create and manage public key infrastructure (PKI) certificates; a run time model for user authentication; and a delegated administration model and application that enables the administrator of the identity management system to selectively delegate access rights to an administrator of an individual application or directly to a user (Oracle, 2010).
Figure 3
An Identity Management System Model (Oracle, 2010).
In the realm of Identity Management, there are various ways one may access information and resources, and this system assists in navigating this dialogue of access. At the basic level of an Identity Management System is Role-Based Access Control (RBAC). “Under this approach, there are predefined job roles with specific sets of access privileges” (De Groot, 2019). For instance, at MedStar Health there is no reason why a security guard should have the same access as someone on Payroll. Their individual roles separate their access. The second approach is Single Sign On (SSO). In this model of the Identity Management System, users only need to verify themselves once. The user is “given access to all systems without the need to log separately into each system” (De Groot, 2019). Finally, there is the Multi-Factor Authentication (MFA). In this Identity Management approach, the “authentication process combines something the user knows (like a password) with something the user has (like a security token or [One Time Password] OTP) or something that’s part of the user’s body (like biometrics)” (De Groot, 2019). When used independently, these Identity Management approaches are not sufficient to secure an organization given the tools currently available to cybercriminals. However, when these approaches are used simultaneously to manage and control access along with passwords, and user identity, there is a greater probability of securing PHI and ePHI.
In regards to passwords, the Identity Management System allows for total control over the policies governing passwords, their requirements and their expiry date. As such, in implementing a thorough Identity Management System MedStar Health is taking the most critical steps in securing their infrastructure and sensitive information, ensuring that passwords are changed frequently and are complex enough to safeguard PHIs.. Strong passwords paired with multilevel authentications will create a defense that is reputable in this cyber driven world.
Example of an Identity Management System at MedStar Health
When attending to patients at the health care facilities, while using a laptop, Doctor X will enter their set login credentials (their username and password). Their identity will then be checked against a database to verify if the correct credentials were entered and match the ones stored. If correct, Doctor X will gain access to the laptop. Once logged in, Doctor X will attempt to visit the needed web service that holds MedStar Health’s PHI. Again, Doctor X will be prompted for their username and password. The system will also check the user’s credentials against their database. However, at this point, there is an additional layer of security requiring another form of authentication for access, an MFA. The website creates a unique authentication key for the user based on their previously entered credentials. This identification key is then sent to Doctor X for confirmation. This MFA may be in the form of an app on a mobile device linked to the doctor’s login credentials. The identification key is generated on Doctor X’s mobile device and prompts for confirmation. Once confirmed, maybe within a set time limit, and both forms of authentication match the database managing credentials, Doctor X will gain access to the database that holds the patient’s health information.
The example above highlights how a simple Identity Management System may work within MedStar Health, where only specific users in the organization are allowed to access and handle sensitive information. The Identity Management System does a fantastic job at provisioning access across organizations; however, safe computer etiquette needs to complement these systems to address significant vulnerabilities.
Figure 4
Example of MFA in the Identity Management System (Papaspirou et al., 2021).
The importance of safe computer etiquette
In the case of MedStar Health, in the 2016 ransomware attack, if personnel were adequately trained to identify phishing emails or malicious hyperlinks, this incident could have been avoided and their records could have been protected. The same can be said for the 2019 accident. “IBM’s 2015 Cyber Security Intelligence Index stated that 45 percent of all breaches were due to insiders and that 95 percent of those breaches were due to human error” (Perez, 2016). The report also stated that 42.75 percent of all cyberattacks are caused by inadequately or improperly trained staff. Thus, with the proper tools and safe computer etiquette, MedStar and all healthcare providers can better protect their number one stakeholder’s information, their patients.
In an interview with SCMagazine, a cybersecurity magazine in the UK, Jacob Ginsberg, a senior director at Echoworx, said it best. He compares the basic things an individual learns growing up, not touching a hot oven – to the education needed in the digital workplace. He said, “[there] should probably have similar lessons like that which would educate the digital workforce on the basic things you can do to stay safe at work” (Perez, 2016). This fundamental educational gap must be filled to ensure that the average MedStar employee knows how to protect their data and not fall prey to crafty phishing emails and other avoidable mistakes seen in 2019.
Figure 5
The frequency of cybersecurity awareness training in the U.S. Healthcare Sector as of 2018 (Stewart, 2019).
Conclusion
The numbers reflected in the chart above should be significantly higher, given that millions of individuals are affected yearly by cyberattacks in healthcare. Overall, the current situation society faces is dire however, the technology and training are available to aid in protecting PHIs and addressing these concerns. “Patient First is the heart of quality care at MedStar Health. Part of “Patient First” is [MedStar Health’s] promise to keep patient information private” (MedStar Health, 2014). Thus, implementing the recommendations highlighted in this paper is critical to MedStar Health’s promise to their patients. With proper cyber awareness training, a robust Identity Management System, a better understanding of insider threats, and the motives and psychological mindset of their potential intruders, MedStar Health is armed with the appropriate tools needed in this uphill fight. This approach ultimately protects their number one stakeholder, their patients.
References
Ablon, L. (2018, March 15). The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data. The RAND Corp.
https://www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT490/RAND_CT490
Cox, J., Turner, K. & Zapotosky, M. (2016, March 28). Virus infects MedStar Health system’s computers, forcing an online shutdown. Washington Post.
https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html
De Groot, J. (2019, December 19). What is identity and access management (IAM)? Data Insider.
https://digitalguardian.com/blog/what-identity-and-access-management-iam
Hall, S. (2016, June 30). Lessons from the MedStar Health ransomware attack. Fierce Healthcare.
https://www.fiercehealthcare.com/privacy-security/lessons-from-medstar-ransomware-attack
Johnson, J. (2021, March 10). Number of U.S. residents affected by health data breaches from 2014 to 2019, in millions. Statista.
https://www-statista-com.lehman.ezproxy.cuny.edu/statistics/798564/number-of-us-residents-affected-by-data-breaches/
Mazzarolo, G., & Jurcut, A. D. (2019). Insider threats in Cyber Security: The enemy within the gates.
https://arxiv.org/pdf/1911.09575
MedStar Health Inc. (2021). Graduate medical education.
https://www.medstarhealth.org/education/graduate-medical-education/
MedStar Health Inc. (2019, July 22). Security Breach Notification.
https://www.marylandattorneygeneral.gov/ID%20Theft%20Breach%20Notices/2019/itu-315436 #
MedStar Health Inc. (2014, October). Protecting Patient Privacy.
https://ct1.medstarhealth.org/content/uploads/sites/8/2014/10/MGUH-Volunteer-Protecting-Patient-Privacy-Policy
Moffit, R. & Steffen, B. (2017). Health care data breaches: a changing landscape. Maryland Health Care Commission.
https://mhcc.maryland.gov/mhcc/pages/hit/hit/documents/HIT_DataBreachesBrief_Brf_Rpt_090717
Oracle. (2010, January 2). Identity Management Concepts and Deployment Planning Guide.
https://docs.oracle.com/cd/B14099_19/idmanage.1012/b14084/intro.htm#:~:text=A%20complete%20identity%20management%20system,storing%20and%20managing%20user%20information.&text=A%20system%20to%20create%20and,time%20model%20for%20user%20authentication
.
Papaspirou, V., Maglaras, L., Amine Ferrag, M., Kantzavelou, I., Janicke, H., & Douligeris, C. (2021, January 20). A novel two-factor honeytoken authentication mechanism.
https://arxiv.org/pdf/2012.08782
Perez, R. (2016). Cyber-security awareness. S.C. Magazine: For I.T. Security Professionals (U.K. Edition), 18–21.
https://eds-a-ebscohost-com.ezproxy.umgc.edu/eds/pdfviewer/pdfviewer?vid=7&sid=d5194e8a-a6ee-4c2c-84e2-c0bb5899bbb7%40sessionmgr4008
Pleskonjic, D., Milutinovic, V., Maček, N., Djordjevic, B. & Caric, M. (2006). Psychological profile of network intruder.
https://www.researchgate.net/profile/Dragan-Pleskonjic-2/publication/325810196_Psychological_profile_of_network_intruder/links/5b2648c1458515270fd4a3f6/Psychological-profile-of-network-intruder
Schmeelk, S., Dragos, D. & DeBello, J. (2021). What can we learn about healthcare I.T. risk from HITECH? Risk lessons learned from the US HHS OCR breach portal. Proceedings of the 54th Hawaii International Conference on System Sciences. 3993-3999.
https://scholarspace.manoa.hawaii.edu/bitstream/10125/71101/0393
Stewart, C. (2019, May 20). Frequency of security awareness training in healthcare organizations U.S. 2018.
https://www-statista-com.lehman.ezproxy.cuny.edu/statistics/736704/security-awareness-training-frequency-in-healthcare-organization-in-us/
Touro College Illinois. (2021, March 4). How is healthcare information kept safe?
https://illinois.touro.edu/news/how-is-healthcare-information-kept-safe.php
Tutorials Point. (n.d.). What are web services?
https://www.tutorialspoint.com/webservices/what_are_web_services.htm
Williams. P. (2016, March 31). Medstar hospitals recovering after ‘ransomware’ hack. NBC news.
https://www.nbcnews.com/news/us-news/medstar-hospitals-recovering-after-ransomware-hack-n548121
Lab Report
In the lab, there were two tools used for password cracking, Cain & Abel and Ophcrack. Brute Force attacks and Dictionary attacks recovered the passwords by using NTLM Hashes. Passwords recovered in Ophcrack imported users username, LM hash, and NT hash into rainbow tables to crack the users password. This report will provide the results of using each attack on three separate users.
Using Brute Force, Apollo and Batman passwords were recovered within 10 seconds. User Csadmin password was never recovered. Dictionary provides more options to define the password, Apollo and Batman were found in 5 seconds. Csadmin password was never recovered. Lastly, Ophcrack recovered Apollo and Batman passwords immediately. However, Csadmin password was never recovered.
Ophcrack recovered the password the quickest. When using Brute Force, the predefined field and the password length has to be adjusted properly to recover a password in a reasonable amount of time. For example, Apollo password could take 2 years to recover using Brute Force when the predefined field is set on just letters and the length set to a max of 16 characters. When the predefined field is set to uppercase and lowercase letters and numbers the password was recovered within 10 seconds. Ophcrack recovered the password within 1 second. Please review screenshots below for the results of the lab conducted.
There are four types of character sets when creating a strong password. The four types of character sets are password length, using uppercase and lowercase letters, including numbers and symbols, and creating a unique password. You should use all four types of character sets to create a secure password. The general rule for password lengths are no less than 8 characters. Passwords should be reset every 90 days.
Penetration testing is very important to do to ensure the security of a system. Penetration testing reveals system vulnerabilities, help develop security strategies for a real attack, and expose any poor security practices. Penetration testing can be a learning experience for MedStar’s IT Security team to learn different methods hackers use to penetrate a system. The team could also learn how to conduct incident reports and a remediation plan to apply a permanent fix.