Cryptography PurposeThe purpose of this report is to inform leadership about Bluebird hospital IT systems architecture and the potential threats we may be facing using cryptographic protection technologies. Our organization are facing threats such as data hiding technologies or steganography. These technologies go undetected and could compromise the CIA of our data. The implementation of smart card strategies and email security could lead us to the right path of secure data.IT Systems In order for leadership to understand the potential threats and vulnerabilities our organization may be facing an understanding of our IT systems is mandatory. Bluebirds IT system consist of each department having computers that are connected to our Windows software. Each computer has a CAC authentication to verify the identity of the user. Patient Administration System (PAS) is installed on all our computers. PAS is our electric health system that stores all our patients health information. We also, use our wide area network to share PHI with other hospitals or facilities. Our IT system is protected by firewall protection. In Figure 1 it shows Bluebirds network architecture when sharing PHI with other organizations.Figure 1. Bluebird Hospitals wide area networks (WANs) with other healthcare facilities (Scutaru, Toev, Romanca, Alexandru, 2008)If not protected Bluebirds information system can be vulnerable to several attacks. Some of the attacks our system could be threatened by are insider threats, cyber-attacks, and natural disasters. The types of insider threats that we need to protect ourselves from are employees working for our organization, former employees, and potential or current business partners. These threats have inside information that can be used to harm and compromise the CIA of our data. Cyber-attacks such Ddos attacks and cache poisoning could cause our organization to crumble. Damages to our organization could cause financial loss up to millions of dollars and loss of customers. During natural disasters this is a prime time for cyber-attackers to take advantage of our organization. At that time we are very weak and do not have enough resources to properly protect ourselves.To protect our information and assets from these types of attacks security mechanisms have been put in place. The security mechanisms our organization will use to protect our system is LAN security, physical security, identity management, personal security, availability, and privacy. LAN security would be the protection of our local area network. In order for us to have protection we need to update our IT security policy and implement web site blocks to stop potential viruses from infiltrating our system. Also, having automated updates of security installations on all company computerized software.Physical security is also an important aspect in the protection of data. Security guards could stop potential criminals from stealing data. Identity management is an important part of our security system. Every employee has an identification card that includes their name, employee id, and picture. A CAC is also distributed to every employee to control access to the computer system. The CAC card controls the privacy and availabity of patients information. For example, a doctor and janitor with have different accessibility distributed to them on their CAC. In Figure 2 the threat and vulnerability table shows the IT systems assets in organization and the threats and security mechanism we use to address these vulnerabilities.IT System AssetsThreats and VulnerabilitiesSecurity Mechanisms to Address Threats and VulnerabilitiesSmart cards (CAC)Employee passwordsComputer system cryptographic keysVirtual private network systemCustomer medical recordsNetwork infrastructure designServer application softwareFigure 2. Network security threat and vulnerability tableProtection MechanismsInformation protection is the top priority of our organization. The identity, access, authorization, and non-repudiation of our patients confidential information is important because if not protected they could vulnerable to several attacks. Our organization could be exposed to data hiding technologies or steganography. Steganography is the act of malicious that goes undetected and can bypass firewalls and malware.Our organization needs to develop a plan to protect the confidentiality, integrity and availability of information. The identity of our organizations assets and information needs protection from potential attacks because that could lead to a serious security breach. To protect the identity of our organization information we plan to assign each individual with specific credentials that allows them detailed access levels to different areas of the organization. To prevent the unauthorization of disclosed information access control must be protected. Access control must have secure access methods to protect all confidential information. For all patients who want to access confidential information a virtual private network will be created by our organization that has anti malware to protect from steganographic technologies. A multi factor authentication process needs to be implemented to protect the authorization process of our patients. When logging in our VPN or other authorized systems users must use a CAC card and secured password login to access the system.The non-repudiation measures our organization will take to protect the CIA of information assets including data files, databases and emails will be to use cryptographic hashes to keep the integrity of emails being sent. Also, implementing digital signatures to secure the validity of any digital transmissions.Cryptographic ProtectionThere are various ways to protect our information. Cryptographic protection methods is rime key to protection our information and assets. The use of cryptographic protection methods such as Caesar cipher, polyalphabetic cipher, one time pad cipher, block ciphers, triple DES, RSA, Advanced encryption standard (AES), Symmetric encryption, and text block coding can protect us from potential threats that can be undetected by basic malware. Caesar cipher is a simple cipher that incorporates an alphabetic shifting of plain text to create a secret message. The risks with this cipher is that it with provide minimal security. Cyber-attackers could easily decipher the hidden text. Polyalphabetic cipher is the use of multiple cipher in an encryption. This cipher is more complex than the Caesar cipher, but still not ideal for the high level of security we need to protect our assets. The one time pad cipher is a cipher encryption of long letters combined with lain text to create a message. This cipher has be proven to be unbreakable. This cipher would be ideal to protect our information, unless the one time pad information is leaked to an unknown source. Block ciphers are encryption methods that uses algorithms and symmetric keys to create to encrypt a block of text. This cipher is known to have issues with adding problems, but when faced with cyber-attacks the block cipher is very beneficial. Triple DES is a data encryption algorithm. It was reported by the National Institute of Standards and Technology that this method is no longer being used. RSA is an algorithm that uses public and private keys to encrypt messages. This public key is known to everyone, but that could cause a security issue due to so many people having that information. AES (advanced encryption standard) is an algorithm that that encrypts data by converting cipher text into data. AESs security protocol is used on both hardware and software, but it is a very simple method and that makes us more accessible to cyber-attacks. Symmetric encryption uses cryptographic keys to decrypt and encrypt plaintext and cipher text. The advantage of symmetric encryption is that it is very secure due to the length of bit key length it has, but sharing the key transportation can be easily compromised. Text block coding is an algorithm used on media files.After reviewing the different types of cryptographic protection methods our team believes that one time ad ciphers would be the best for our organization. This protection method id best because it has been proven to be unbreakable. When it comes to the CIA of our data we need unbreakable ciphers to protect our information.Common Access Cards Deployment Strategy The Common access card deployment strategy of our organization has been updated to protect the CIA of our information. Our team has taken a look inside our access control policy to make sure each section of our physical and network security is covered. The physical and technical policy of our access controls include security guards and badge systems. Each employee, patient, visitor must show the security your employee ID card, patient identification band, or visitors pass. The technical policy multi factor authentication and encryption measures to protect accessibility through computer systems and entry ways. Each secured entry door will require each employee to have an individualized access code and finger print scanning. Each employee will also have a CAC. The CAC (common access card) is a smart card that is used to identify the authentication of users. In our organization we will use CAC as a way to control the access to the network system and access to buildings. For example, our upper management and IT teams CAC will be given them to access to parts of the building that our receptionist will not have access to. Each users card will also have their personal information installed. Our CAC system will be have encryption protection to guard everyones data. This encryption protection will be through public key infrastructure (PKI). PKI provides and extra layer of security for CAC. PKI has encryption security and digital signatures when using CAC.Email Security StrategyEmail security is important because the organization could fall victim to potential attacks if not properly protected. Sensitive information is communicated over emails and emails are a direct entry way for cyber attackers to gain control of our network. Users need to be properly trained to the different types of threats that could come through emails. Phishing emails is the top way employees allow malware to enter a network. Phishing emails are false emails that contain malware. In order to protect our system we need to have the proper email encryption.The email encryption technologies that we need to consider as possible protection are PKI, GNU Privacy Guard, digital signature, and mobile device encryption. PKI (Public key infrastructure) is using public and private keys to send encrypted emails. User use a public key to send encrypted emails and when the recipient wants to read the email they will use an individualized private key to decrypt the email. There are risks in using PKI. For instance if cyber hacker finds out your private key information.GNU privacy guard is a tool that encrypts messages through documentation and emails. Public and private keys are used to encrypt messages across a database. With this method there are potential risk that have been reported. When an encrypted message contains multiple documents the GnuPG does not check all signatures accurately. It weakens the method drastically and allows attackers access to modify the encrypted messages without anyone knowing.Digital signatures are becoming the new full proof way to sign documents and accept terms and agreements. Digital signatures provides our organization with a convenience way to communicate and get information from our customers. All digital signatures will be secured through password protection. The risk with this method is that there is a high chance of fraud. A potential attackers could falsely sign a digital signature using a customers information.Mobile device encryption are encryption through apple and android devices used both hardware and software. Several employees from our organizations are given apple work phones and laptops. We also use several ale products in our hospital that holds medical records and other important information pertaining to our organization.Conclusion Referenceshttps://www.nap.edu/read/1581/chapter/4#51https://arxiv.org/ftp/arxiv/papers/1801/1801.00694.pdfhttp://www.uobabylon.edu.iq/eprints/paper_1_2264_649.pdfScutaru, M., Toev, R., Romanca, M., Alexandru, M. (2008). A new health approach for a healthcare network architecture and security. Found at: https://pdfs.semanticscholar.org/6407/b49e3a6c954ac1cec34f189a4f6b9f96d69e.pdfhttps://content.umuc.edu/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://content.umuc.edu/file/fc80011a-4063-45fd-b22c-2d3cd06c273c/1/AccessControlDomains.pdfhttps://digitalguardian.com/blog/what-email-security-data-protection-101https://digitalguardian.com/blog/what-email-encryptionhttps://www.cvedetails.com/cve/CVE-2000-0974/https://rouselawyers.com.au/intellectual-property/electronic-signatures-risks-and-benefits-explained/https://pdfs.semanticscholar.org/1a0a/895aa4abc182645f6e770b4a206ff65e6472.pdf
Recent Comments