
695.601 Foundations of Information Assurance
Final Exam
Introduction and Interpretation of the Question
The goal of this paper is to create a NIST standards-based approach to attribute-based access control (ABAC) for NIST SP 1800-1b, Figure 3: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization, using NIST Cybersecurity Practice Guide SP 1800-3b: Attribute Based Access Control: Second Draft, September 2017. The focus is primarily on securing remote access for:
The Radiology Department,
Dr. Jones Orthopedics, and
VPN (Virtual Private Network) external access point for remote users.

Analysis will be done on two EpicCare healthcare cases, covering some of the commercially available and installed healthcare technology that includes cybersecurity features. Risk management will also be discussed.

Table of Contents
Introduction and Interpretation of the Question
Table of Contents
Context
NIST Level 1: Organization
NIST Level 2: Mission/Business Processes
NIST Level 3: System
NIST Security Control Maps and Architectures
NIST Cybersecurity Framework: Seven-Step Gap Analysis
Analysis and Conclusions
Matters for Consideration
References
Context
The following documents have provided an authoritative context for this case within the NIST three-level enterprise security architecture:
NIST Level 1: Organization:
NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, January 10, 2017 provides the basis for:
cybersecurity governance and risk management for the critical infrastructure, and
NIST Security Control Maps
Cybersecurity Governance and Risk Management
The National Institute of Standards and Technology (NIST) is taking a lead in cybersecurity governance and risk management for the critical infrastructure. This lead is supported in part by Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”
NIST Security Control Maps
One of NIST’s framework programs that illustrates its national lead for security is:
Cybersecurity Framework for the Healthcare and Public Health Sector: The CSF is a voluntary Cybersecurity Framework for the sixteen critical infrastructure sectors. We are focusing on a case in the Healthcare and Public Health Sector.

The NIST Framework Core Structure
We will highlight the five iterative functions from the Cybersecurity Framework Core. They are: Identify, Protect, Detect, Respond, and Recover (see Figure 1).

Figure 1: NIST Security Control Map: Function and Category Unique Identifiers
NIST Level 2: Mission/Business Processes:
NIST Special Publication 800-53, Rev. 5: Security and Privacy Controls for Federal Information Systems and Organizations, August 2017.

NIST Special Publication 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016/January 3, 2018.

NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations, January 2014.

NIST Level 3: System:
NIST Special Publication 800-95: Guide to Secure Web Services, August 2007.

Executive Summary
Section 3.6: Confidentiality and Integrity of Service to Service Interchanges
NIST Special Publication 800-123: Guide to General Server Security, July 2008.

Section 2: Background.

NIST Security Control Maps and Architectures
The figure below describes the necessary steps for a user and device to gain access to the electronic health record server.

Figure 2: The Steps Necessary for a User and Device to Gain Access to the Electronic Health Record Server
First, the user logs into the device with a username and password. This starts communication between the mobile device and the electronic health record (EHR) server in the Data Center through access points (APs). A proper challenge and response with a media access control (MAC) address is required to connect to the AP. For identity and access control, MAC filtering is only a first layer of defense: the MAC address burned into the physical device cannot be changed, but the address the operating system presents can be. The challenge exists because the AP requires a properly signed and trusted certificate; if none is found, the user is not allowed onto the local network and cannot reach the web-based OpenEMR.

Either a hardware certificate or physical authentication device could be used, or a separately trusted certificate authority (CA) could be used for both the AP and the OpenEMR tool. Using both practices adds a layer of security that prevents an attacker who gets hold of a lost or stolen device from gaining access to both the AP and the OpenEMR tool; in that situation a separate hardware certificate device would be used for each.

Once the device has passed the challenge, the mobile device manager (MDM) performs a compliance check against the policy assigned to the device. Failure of the compliance check results in denial of access to the network. Configurations such as mutual authentication for establishing encrypted connections, which prevents access by any device without a valid certificate, and revocation of the certificates of devices reported lost or stolen add further layers of security.

At this point in the process, the OpenEMR tool challenges the provided username and password for authenticity. Security measures are in place at this step to prevent and detect brute-force attacks by limiting the number of failed login attempts and keeping a log of all activity.
Finally, if the user has valid credentials, they are allowed access to the OpenEMR tool.
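The access sequence above can be expressed as a small policy-enforcement pipeline. The following Python is an added example written for this discussion, not code from the NIST practice guide or from OpenEMR; the trusted CA name, the revoked serial numbers, the MDM policy values, the user store and the lockout threshold of five attempts are all constructed assumptions. It applies the three gates in order (trusted certificate and revocation list, MDM compliance, credential check with lockout) and writes every decision to an audit log; the device and user attributes it consumes are the kind of attributes an ABAC policy would evaluate.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed gateway state for the example (not values from the NIST guide).
TRUSTED_CA_IDS = {"HealthOrg-Root-CA"}      # CA trusted by both the AP and OpenEMR
REVOKED_DEVICE_SERIALS = {"TAB-0002"}       # devices reported lost or stolen
MAX_FAILED_LOGINS = 5                       # brute-force limit before lockout

# MDM compliance policy assigned to mobile devices (constructed example values).
MDM_POLICY = {"min_os_version": (12, 0), "disk_encryption": True, "allow_jailbroken": False}


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the demo never stores or compares plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-demo-salt"
USER_DB = {"dr.jones": _hash_pw("correct horse battery", _SALT)}   # hypothetical user


@dataclass
class Device:
    serial: str
    cert_issuer: str        # CA that signed the device certificate
    cert_valid: bool        # signature / validity period already checked by the TLS stack
    os_version: tuple
    disk_encryption: bool
    jailbroken: bool


@dataclass
class Gateway:
    failed_logins: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, **details) -> dict:
        entry = {"ts": time.time(), "event": event, **details}
        self.audit_log.append(entry)
        return entry

    def check_device(self, dev: Device) -> tuple:
        # Gate 1: AP challenge. The certificate must chain to a trusted CA and
        # must not belong to a device on the lost/stolen revocation list.
        if not dev.cert_valid or dev.cert_issuer not in TRUSTED_CA_IDS:
            return False, "untrusted-certificate"
        if dev.serial in REVOKED_DEVICE_SERIALS:
            return False, "certificate-revoked"
        # Gate 2: MDM compliance check against the assigned policy.
        if dev.os_version < MDM_POLICY["min_os_version"]:
            return False, "os-out-of-date"
        if MDM_POLICY["disk_encryption"] and not dev.disk_encryption:
            return False, "disk-not-encrypted"
        if dev.jailbroken and not MDM_POLICY["allow_jailbroken"]:
            return False, "jailbroken"
        return True, "compliant"

    def login(self, dev: Device, username: str, password: str) -> tuple:
        ok, reason = self.check_device(dev)
        if not ok:
            self._log("device-denied", serial=dev.serial, reason=reason)
            return False, reason
        # Gate 3: OpenEMR credential check, with lockout after repeated failures
        # and an audit record of every attempt.
        if self.failed_logins.get(username, 0) >= MAX_FAILED_LOGINS:
            self._log("login-locked", user=username, serial=dev.serial)
            return False, "account-locked"
        stored = USER_DB.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_pw(password, _SALT)):
            self.failed_logins[username] = self.failed_logins.get(username, 0) + 1
            self._log("login-failed", user=username, serial=dev.serial,
                      failures=self.failed_logins[username])
            return False, "bad-credentials"
        self.failed_logins[username] = 0
        self._log("login-ok", user=username, serial=dev.serial)
        return True, "access-granted"
```

A revoked or non-compliant device never reaches the credential step, so a stolen tablet cannot be used to guess passwords against OpenEMR, and the audit log records which gate denied the request.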

The figure below illustrates an example of the process for determining which tests to include in the security assessment.

Figure 3: An Example of the Process for Determining Which Tests to Include in the Security Assessment
The NIST Cybersecurity Framework categories and subcategories were used to determine which tests to include in the security assessment by consulting the specific sections of each standard that were cited in reference to that subcategory. The security standards that are mapped to the NIST Cybersecurity Framework Subcategories provided additional validation points. By systematically developing tests based on the NIST Cybersecurity Framework Subcategories, we generated a set of reasonably comprehensive tests for the security characteristic requirements we identified when we first identified this challenge.

NIST Cybersecurity Framework: Improving a Cybersecurity Program: Seven-Step Gap Analysis
Healthcare records have become one of the most sought-after types of information when it comes to targeted attackers. A stolen medical record contains personal data that gives thieves access to a patient’s medical information and other personally identifiable information, and to a healthcare organization’s services. Theft of health information raises the cost of healthcare and could potentially result in physical harm: if a person’s healthcare record is altered, it is possible for a situation to occur where they are given the wrong medication and an unsafe drug interaction might result; if the record cannot be trusted, a patient might experience a delay in care, which depending on their health status could be life threatening.

All parts of a healthcare organization, specifically in the scope of this paper the Radiology Department, Dr. Jones Orthopedics, and the VPN external access point for remote users, share the same goal of protecting the healthcare records of their patients. The focus of this paper is on how a healthcare organization can increase the security of health information as it is collected, stored, processed, and transmitted on mobile devices when reviewing, updating, and exchanging EHRs. Some potential security concerns when dealing with mobile devices are:
A healthcare worker loses or misplaces a mobile device containing patient health information, or the device is exploited or stolen.
A mobile device is compromised, enabling an attacker to access the healthcare organization’s network.
An untrusted network is used in a man-in-the-middle attack to obtain credentials for accessing the enterprise network.
Interaction with other systems increases the risk of compromising routine operations such as data synchronization and storage.

Demonstrated in this paper is an approach to better secure the electronic exchange of important health and other personal data contained and stored in electronic health records including the following three configuration options:
organizations that provide wireless connections for mobile devices
organizations with outsourced support for system access (e.g., using the cloud for systems access)
organizations that provide access via an external access point (e.g., virtual private network, or VPN)
A risk assessment was conducted to evaluate the challenges faced by healthcare organizations, initially evaluating the current and planned uses of EHRs. Currently, mobile devices a) provide advances in speed and accuracy in the exchange and use of medical records, and b) involve significant threats to the confidentiality and integrity of those records. Exploitation of these threats can result in severe patient health and safety, litigation, and regulatory issues. The results of the risk assessment show that, when using mobile devices, availability is a critical feature rather than a convenience.

Based on the finding that use of mobile devices to exchange patient health records is needed but carries high risk in the absence of improved security and privacy measures, we:
derived requirements that support effective and efficient exchange of health records while maintaining the security and privacy of those records and complying with applicable regulations
explored the availability of components to address the derived requirements
generated a use case description of the problem, the derived requirements, and a security platform composed of available components that could be demonstrated in a laboratory environment to address the requirements
assembled a team of voluntary industry collaborators
composed and demonstrated the security platform
documented the requirements and example solution, and how the example solution may be used to address the requirements
The following description of our approach includes:
the scope of the descriptive and instructive documentation
a brief summary of our risk management approach and findings
use case scenarios addressed in the context of a high-level architecture
the security characteristics that needed to be demonstrated to meet our derived requirements
the technical components we identified for laboratory demonstration of the necessary security characteristics
Security characteristics that are high-level requirements are:
access control – selective restriction of access to an individual or device
audit controls and monitoring – controls recording information about events occurring within the system
device integrity – the absence of corruption in the hardware, firmware, and software of a device. A device has integrity if its software, firmware, and hardware configurations are in a state that is trusted by a relying party
person or entity authorization – the function of specifying access rights to people or entities
transmission security – the process of securing data transmissions from being infiltrated, exploited, or intercepted by an individual, application, or device
security incidents – the process of identifying and responding to suspected or known security incidents
recovery – planning and executing data backup and disaster recovery
The table below shows the relationship between the security characteristics and the NIST Cybersecurity Framework for critical infrastructure functions and categories and HIPAA requirements. Application security was implicit in device integrity.

Table 1: Mapping Security Characteristics to the NIST Cybersecurity Framework and HIPAA
We mapped components to the NIST Cybersecurity Framework, relevant NIST standards, industry standards, and best practices to establish a set of architectural boundaries for the use case. From this, the next step was to identify the set of security characteristics that the sample solution would address. By mapping each of the more general security characteristics to specific and multiple security controls, we can define each characteristic more granularly and understand safeguards necessary to implement the characteristic. Another benefit of doing so is traceability from a security characteristic to the evaluation of its security control.

Table 2: Security Characteristics Mapped to Cybersecurity Standards and Best Practices, and HIPAA
The Healthcare Organization that was evaluated is described as shown in the figure below. It is composed of the following main parts:
Data Center
Radiology Department
Dr. Jones’ Orthopedics (specialty practice)
Virtual private network
Third-party cloud service providers
The Data Center is the main data center for the organization and provides access to the Internet; the organizations and VPN are areas of the architecture where mobile devices are used internal or external to the healthcare organization; and the third-party cloud services providers represent applications used in the cloud through the Internet. The overall architecture shows how health service providers access the IT enterprise.

Figure 4: Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization
The Data Center represents the central computing facility for a healthcare organization. It typically performs the following services:
EHR web portal – provides the EHR server (i.e., OpenEMR service) (#1)
identity and access services – provide identity assurances and access to patient health information for users with a need to know through use of root certificate authorities, authentication, and authorization services (#2)
DNS services – provide authoritative name resolution for the Data Center, Radiology Department, and Dr. Jones’ Orthopedics (#3 and #5)
firewalls – provide perimeter and local system protection to ports and protocols both locally and for each health organization as a service, if needed (#22 is the main firewall)
wireless access point (AP) policy decision point services – provide remote enforcement and management of user access to APs (#16 and #17)
mobile device management – provides remote cloud-based mobile device policy management (#20)
host-based security – provides enterprise management of virus and malware protection (#8)
remote VPN connectivity – provides strong identity and access controls, in addition to confidentiality of patient health information, using network encryption for transmissions. Facilitates secure and confidential communications among patients, doctors, and healthcare administrators who are not on premises (#11)
configuration manager – facilitates creating secure system configurations (#4)
online backup manager – creates logical offsite backup for continuity of operations (#12)
IDS – monitors network for known intrusions to the Data Center network, Radiology Department, and Dr. Jones’ Orthopedics (#6)
remote mobile NAC – remotely manages, authenticates, and authorizes identities and access for OpenEMR and wireless APs (#7)
vulnerability scanner – scans all server systems for known vulnerabilities and risks (#9)
risk manager – determines risk factors by using Risk Management Framework, NIST controls, HIPAA guidance, and physical device security posture (#10)
The Radiology Department currently implements domain, role-based access, file sharing, and printing services. They locally manage:
identity and access services (#15)
firewall (#16)
wireless access points (#16)
They seek consultants or use cloud services for:
mobile device management (MDM; #20)
mobile device policy creation (#20)
certificate authority (#2)
virus and malware scanning (#8)
remote connectivity to OpenEMR (#1)
For Dr. Jones’ Orthopedics, the services and servers managed by the Data Center are:
identity and access services (#7)
firewall (#17 and #22)
wireless access points (#17)
mobile device policy creation (#20)
certificate authority (#2)
virus and malware scanning (#8)
remote connectivity to OpenEMR (#1)
The VPN allows access from a public network to a private network by using client-server technology to extend the private network. The services and servers that are managed by the Data Center are:
identity and access services (#7)
firewall (#22)
mobile device policy creation (#20)
certificate authority (#2)
virus and malware scanning (#8)
remote VPN (#11) connectivity to OpenEMR (#1)
A risk assessment was done by executing the following tasks:
Identifying threat sources and events.

Identifying vulnerabilities and predisposing conditions.

Determining the likelihood of occurrence.

Determining magnitude of impact.

Determining the risk.

Based on the risk assessment, the major threats to confidentiality, integrity, and availability are:
a lost or stolen mobile device
a user who
  walks away from a logged-on mobile device
  downloads viruses or other malware
  uses an insecure Wi-Fi network
inadequate
  access control and/or enforcement
  change management
  configuration management
  data retention, backup, and recovery
For the target security profile of the organization, the focus will be on keeping the confidentiality and integrity of the medical records. Credentials will have to be entered every time a user wants to access the records on a mobile device, with a session timeout so that a user who signs in and then turns to other tasks does not leave the records exposed. Additionally, if a mobile device is lost or stolen, the attacker would need knowledge of the credentials in order to gain access. Two-factor authentication should also be used, so that if one device or token is compromised the attacker still cannot automatically gain access.
In terms of integrity, regular checks should be done on the information to determine whether a major change has happened, for example a prescription being added or removed, or allergy information being changed. Extensive logs should be kept and stored in a secure database, recording who made the change, what time the change occurred, and what the change was. Then, if there are any discrepancies, there is a trail to follow.
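The change trail described above is only useful if the trail itself cannot be silently edited. The following Python is an added example for this paper, not code from OpenEMR or the NIST guide: each log entry records who changed which record, when, and the before/after values of every changed field, flags the integrity-critical fields the text names (prescriptions and allergies), and is hash-chained to the previous entry so that any later tampering with a stored entry is detected. The patient records, user names and timestamps are constructed sample values.

```python
import hashlib
import json
import time

# Fields whose modification the text singles out as integrity-critical.
SENSITIVE_FIELDS = {"prescriptions", "allergies"}


def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def diff_record(before: dict, after: dict) -> dict:
    """Return {field: [old, new]} for every field whose value changed."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changes[key] = [before.get(key), after.get(key)]
    return changes


def append_change(log: list, user: str, record_id: str,
                  before: dict, after: dict, ts=None) -> dict:
    """Record who changed which record, when and what; chain to the previous entry."""
    changes = diff_record(before, after)
    prev_hash = log[-1]["hash"] if log else "0" * 64
    entry = {
        "seq": len(log),
        "ts": ts if ts is not None else time.time(),
        "user": user,
        "record_id": record_id,
        "changes": changes,
        "sensitive": sorted(SENSITIVE_FIELDS & set(changes)),
        "prev_hash": prev_hash,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Recompute every hash; return (ok, index of the first bad entry or -1)."""
    prev_hash = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev_hash or _entry_hash(body) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def sensitive_changes(log: list) -> list:
    """Entries that touched prescriptions or allergies, for periodic review."""
    return [e for e in log if e["sensitive"]]
```

In practice the latest chain hash would be copied periodically to a location the EHR database administrators cannot write (a write-once store or a separate audit system), so that deleting or rewriting the tail of the log is also detectable.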

Additional security features, such as intrusion detection and prevention systems, should be placed within the network. The ports used for VPN connections should be monitored, and any database servers or other data servers should be monitored closely as well. A baseline should be determined for patients, so that appointment frequency and the types and frequencies of health issues are noted, allowing data protection systems to determine when a possible anomaly occurs.
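The per-patient baseline suggested above can be implemented as a simple statistical detector. The following Python is an added example for this paper, not part of any product the paper describes: it builds a mean and standard deviation per patient from a history of weekly appointment or record-access counts and flags the current week when it deviates from that baseline by more than a chosen number of standard deviations. The history counts and patient identifiers are constructed sample values, and the threshold of three standard deviations is an assumption that a deployment would tune.

```python
import statistics

# Constructed sample history: weekly record-access counts per patient over 8 weeks.
SAMPLE_HISTORY = {
    "PAT-001": [2, 3, 2, 2, 3, 2, 3, 2],   # regular follow-up patient
    "PAT-002": [1, 1, 1, 1, 1, 1, 1, 1],   # rarely accessed chart
}


def build_baseline(history: dict) -> dict:
    """Per-patient (mean, population std dev) of the historical weekly counts."""
    baseline = {}
    for patient, counts in history.items():
        if len(counts) < 2:
            continue    # not enough history to form a baseline
        baseline[patient] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def flag_anomalies(baseline: dict, current: dict,
                   z_threshold: float = 3.0, min_delta: int = 2) -> list:
    """Return (patient, count, reason) for counts that deviate from the baseline.

    A chart with no baseline is reported too, since a never-seen patient being
    accessed is itself worth a look. The std dev is floored at 1.0 so a perfectly
    regular history does not alert on a change of a single access.
    """
    alerts = []
    for patient, count in current.items():
        if patient not in baseline:
            alerts.append((patient, count, "no-baseline"))
            continue
        mean, sd = baseline[patient]
        sd = max(sd, 1.0)
        z = (count - mean) / sd
        if abs(z) >= z_threshold and abs(count - mean) >= min_delta:
            alerts.append((patient, count, f"z={z:.1f}"))
    return alerts
```

A run of 9 accesses against a chart that is normally opened once a week scores z=8.0 and is reported; the regular patient's usual two accesses are not. Alerts from this detector would be reviewed together with the change log so that a spike in access can be tied to the user and device responsible.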

Analysis and Conclusions
Matters for Consideration
Information regarding artificial intelligence in healthcare.

References
O’Brien, G., Lesser, N., Pleasant, B., Wang, S., Zheng, K., Bowers, C., & Kamke, K. (2018, July). NIST Special Publication 1800-1B Securing Electronic Health Records on Mobile Devices: Approach, Architecture, and Security Characteristics PDF. Retrieved August 20, 2018 from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-1.pdf
O’Brien, G., Lesser, N., Pleasant, B., Wang, S., Zheng, K., Bowers, C., & Kamke, K. (2018, July). NIST Special Publication 1800-1D Securing Electronic Health Records on Mobile Devices: Standards and Controls Mapping PDF. Retrieved August 20, 2018 from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-1.pdf
O’Brien, G., Lesser, N., Pleasant, B., Wang, S., Zheng, K., Bowers, C., & Kamke, K. (2018, July). NIST Special Publication 1800-1E Securing Electronic Health Records on Mobile Devices: Risk Assessment and Outcomes PDF. Retrieved August 20, 2018 from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-1.pdf
About Us. (n.d.). Retrieved from https://www.bjc.org/about-us/purpose-goal-and-shared-principles