Organizational Profile and Access Management Case
Project 6: Organizational Profile and Access Management Case
Javon Davis, Isaac Fedah, Angel Greene, Julius Oguntayo II
December 10, 2019
CBR 600
Executive Summary
This paper documents the reasons why it is crucial to invest continually in the hospital’s information technology. In today’s fast-paced culture, information must be readily and easily accessible. A hospital is a place where change can happen in the blink of an eye, so it’s imperative to have a network that can handle change without missing a step.
This paper details the disastrous invasion of the MedStar hospital network, which forced MedStar to shut its system down. Doctors, nurses and everyone working for MedStar were left scrambling to figure out how to continue to provide the level of service that their patients have grown to expect from the hospital. The MedStar hacking also showed how the hospital tried to protect its name and portray itself to the public as if everything was OK when, in fact, it wasn’t. Statements and interviews from MedStar employees also illustrate differences between what MedStar said and what was happening inside its hospitals and clinics. The MedStar hacking is just one example of the many hackings that have affected the hospital industry due to inferior technology.
This paper will also highlight vulnerabilities that hospitals have in their IT infrastructure solely due to a lack of knowledge. After discussing the weaknesses, this paper will give an analysis of solutions that can assist the hospital in ensuring that it does not fall into this unfortunate situation. Finally, this paper will discuss business requirements that will assist in protecting the safety and confidentiality of patients and providers within this hospital.
Information Technology Healthcare Overview
In the health care industry, information technology plays a crucial role in day-to-day operations. Information technology controls how physicians pass notes to each other, update medical records, store and access medical records, and perform a multitude of other activities. It is virtually impossible to find anything that takes place in the hospital today that does not rely on some information technology component. Because there is no way to operate a hospital efficiently without using technology, we must ensure the hospital’s information technology security is top-notch and as up to date as possible so the hospital can avoid any issues.
The hospital industry is viewed as having poor computer security. The Federal Health and Human Services Department regularly publishes a list of health care providers that have been hacked and patient information that has been stolen. Although hospitals are considered critical infrastructure, there is no requirement to disclose hackings unless patient data is compromised. Becker’s Hospital Review reports that data breaches cost the health care industry about $5.6 billion every year. In 2016 alone, these breaches affected more than 27 million patient records. (Cox, Turner, & Zapotosky, 2016)
Before discussing steps to ensure that we are doing everything within our control to protect the system, we will first look at what could happen if we were to be hacked. To explain this, we are going to discuss the hack of MedStar hospitals in 2016. MedStar operates ten hospitals and 250 clinics in the Washington DC area, and when it was hacked, the attack crippled its ability to run those hospitals and clinics successfully.
How MedStar Got Hacked:
Similarly to many other large hospitals, MedStar had to keep up with technological advances such as electronic record keeping. Electronic record keeping has created many benefits. For example, electronic medical records can help patients avoid unnecessary tests. Electronic record keeping also allows doctors to have tailored treatment plans even when meeting their patients for the first time (McDaniels & Duncan, 2016). In the medical profession, having the correct information readily available is a crucial element of success. The major con of an electronic record-keeping system is the potential for a hack. MedStar, unfortunately, was utterly crippled by the hack on its servers. Anonymous ransomware hackers breached MedStar’s systems. Ransomware is malware that holds network systems hostage until the victims pay for a key or access code to regain access to their operations. The hackers achieved this by encrypting the hospital’s data, as well as staff members' data. That breach led to major panic and confusion. Patients and family members reported to staff that there had been delays in service and difficulty in treatment. With all the complications brought forth by this hack, one can even suggest that it could have resulted in individuals losing their lives. It was noted that many cancer patients didn’t receive their radiation treatment for several days solely because the system had been taken over (McDaniels & Duncan, 2016).
As a result of this hack, employees were forced to revert to using paper charts and records. This caused a huge backlog of items that needed to be completed. As a result of not using the system, the hospitals had to delay surgeries and appointments. Lab results were delayed as well. (Cox, Turner, & Zapotosky, 2016)
MedStar Statements/Interviews:
Many high-ranking staffers of the hospital chose either to decline interviews or to decline to make a statement about the attack on MedStar. A spokeswoman for the hospital named Ann Nickels put out one statement saying, "Our electronic medical records system is working, individual workstations may not be working" (John Woodrow Cox, 2016). Originally MedStar’s officials were reluctant to make a statement, but once MedStar noticed an increased demand from the public for them to speak, the company put this statement out: "The three main clinical information systems supporting patient care are moving to full restoration, and enhanced functionality continues to be added to other systems" (John Woodrow Cox, 2016). A union representative for National Nurses United named Stephen Frum, who has worked closely with MedStar for over 15 years, had this to say: "In the inpatient units that I'm aware of, everything is off. The computers are off, the system may be working, but if no one can access it, what use is that?" (John Woodrow Cox, 2016).
Of the staff members who did decide to give comments, an emergency room nurse who works at the MedStar in Washington stated that "By Wednesday afternoon, her department was almost fully functional but that other floors still have no access to any systems" (John Woodrow Cox, 2016), which did not coincide with the MedStar officials' statement that MedStar has "Continued to provide care approximating our normal volume levels" (John Woodrow Cox, 2016). A doctor who works at the Washington DC location had this to say: "It's really a very difficult situation to deal with, it's a serious warning to other health-care systems" (John Woodrow Cox, 2016).
Even with all the statements being made, officials at MedStar came out with reports refusing to characterize the cyberattack as ransomware, yet all the characteristics needed to classify it as ransomware were met. The first characteristic was that many MedStar employees reported to the media, as well as to management, that they saw pop-up messages on their computer screens seeking payment in bitcoins. To make matters worse for the conflict between what MedStar was saying and what employees were saying, a staff member who works for MedStar at the Southern Maryland Hospital Center went a step further: she took a picture of the ransom note on her screen and sent the image to all major news outlets. The ransom note, which was published by the news outlet, showed that the hackers demanded that MedStar pay 45 bitcoins, which is equivalent to about $19,000. Once MedStar sent the payment, the hackers would then send a digital key that would release the inaccessible data. This message was posted by the hackers: "You just have ten days to send us the Bitcoin; after ten days, we will remove your private key and it's impossible to recover your files" (John Woodrow Cox, 2016).
MedStar’s hack was a terrible learning experience for the healthcare industry. Unfortunately, MedStar was not the only hospital to be attacked through its computer network. To protect our system, we will need to stay proactive through our identity management process.
Vulnerabilities in the Information Systems Infrastructure
- Ransomware
As previously discussed, ransomware is still a considerable threat to the health care industry. Ransomware is a type of malware that threatens the victim’s data and blocks access unless a ransom is paid. The most common ways hospitals have found themselves attacked by ransomware are clicking on bad web links or checking emails on computers that are connected to the server. This serves as the gateway for the hacker to access parts of the system or the entire system.
- People
Unfortunately, individuals with access to the system are a huge vulnerability to the system. Often the person affected is someone with access to the system or someone with a device that is connected to the system. Some doctors use personal devices for work and may have both their work and personal email on those devices. When a doctor’s personal email is hacked and the device also has access to their work email, the hacker is now able to hack the system as well.
- Theft of IT or Corporate Data
This can include anything such as someone losing a company laptop that holds sensitive information, or having that laptop stolen. This also extends to company cell phones and even personal cell phones that receive company email directly. Someone may also have used a USB drive to save company information to view later, and that USB drive goes missing or is stolen.
- Loss Of PHI/PII
No one is perfect, and as much as we strive to be, there will always be an aspect of human error. Unfortunately, this extends to losing personally identifiable information or protected health information. Healthcare data is valued higher than data from any other industry. Information gets lost, and it’s our responsibility to either find the information or have it backed up so we don’t lose it permanently.
- Distributed Denial of Service (DDoS) Attacks
DDoS attacks occur when more than one system floods the bandwidth or resources of a targeted system. This type of attack is commonly used by cybercriminals to try to overwhelm a network until it stops functioning. (Kleyman, 2018)
- Investments in systems that have poor design
Unfortunately, some software is poorly designed, and its design allows hackers to access your network with little to no effort. A great example of this is the JBoss software and its design flaw that allows a backdoor to gain administrative access to the system. The government and security researchers flagged this design flaw in February 2007 and March 2010. This design flaw is fixable by installing a patch to the system. JBoss servers use default authentication, and the default configuration does not restrict access to the console and web management interfaces. If the default state was not configured correctly, the JMX console could be accessed remotely over port 8080, which allows remote hackers to bypass authentication and gain administrative access. Hackers do not need any tools like Nmap or Metasploit to access the server; all they need is a JSP shell and a browser. This is one example of poorly designed software, but it isn’t the only one. (Talekar, 2019)
Identity Management
Identity management is the process for identifying, authenticating, and authorizing individual(s) to have access to applications, systems or networks by associating user rights and restrictions with established identities. In the healthcare industry, this is extremely important because providers cannot have unauthorized users accessing personal data for patients. The Health Insurance Portability and Accountability Act (HIPAA) security rule requires that physicians protect patients’ electronically stored health information by using appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity and security of their information.
The identity management security measures will be broken down into various components to ensure that information is safeguarded. The first step is authorization. The second step is authentication. The third step is passwords. The fourth step is multi-factor authentication.
Authorization is a security measure that is used to determine user/client privileges or access levels related to system resources. Under authorization, a user must have the authorized credentials to access certain information. By restricting access based on credentials, you are better protecting the system. In a hospital, there will be specific information that a doctor needs access to that someone in billing does not, and vice versa. The doctor would not be able to access a customer’s billing information, and someone in billing would not be able to access the medical records that a doctor can access for a patient. Although both individuals may well be working on the same client, their privileges to that client’s information would be restricted to specific items.
Authentication is the act of proving identity through a computer system. Authentication is enormously important in the healthcare industry. HIPAA laws regulate who can have access to specific files, so ensuring that only those individuals are accessing those files is of the utmost importance.
A password is a unique word that is used to gain access. Passwords have many restrictions and are intended to be kept private. Every individual user will have a password, and under no circumstance should it be shared with anyone else.
Each user will create a password that has a minimum of 8 characters. Each password must have one capital letter. Also, each password must use one special key. Examples of special keys are: (!@#$%&*). Passwords must be changed every 30 calendar days. The system will not allow you to access anything if your password has not been changed. Also, you will not be permitted to use the same password within the same calendar year. Requiring everyone to change their password is a safeguard to protect the system.
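One way to enforce the password rules in the paragraph above, given as an added example rather than code from this paper or the hospital's system. The function names, the PBKDF2-hashed password history, and the reading of "every 30 calendar days" as "blocked once more than 30 days have passed" are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Values taken from the policy paragraph above.
SPECIAL_KEYS = set("!@#$%&*")
MIN_LENGTH = 8
MAX_AGE = timedelta(days=30)
PBKDF2_ROUNDS = 600_000  # assumption: the paper does not say how passwords are stored

def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def complexity_errors(password):
    """List the composition rules a candidate password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    if not any(c in SPECIAL_KEYS for c in password):
        errors.append("no special key")
    return errors

def reused_this_year(password, history, today):
    """history holds (date_set, salt, digest) for each earlier password."""
    for set_on, salt, digest in history:
        if set_on.year != today.year:
            continue
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def is_expired(last_changed, today):
    """Assumed reading of the rule: blocked once more than 30 days have passed."""
    return today - last_changed > MAX_AGE

def change_password(new_password, history, today):
    """Apply the whole policy; return [] and record the hash on success."""
    errors = complexity_errors(new_password)
    if not errors and reused_this_year(new_password, history, today):
        errors.append("already used this calendar year")
    if not errors:
        history.append((today, *hash_password(new_password)))
    return errors

if __name__ == "__main__":
    history = []  # constructed sample data
    print(change_password("Winter!2019", history, date(2019, 1, 5)))
    print(change_password("Winter!2019", history, date(2019, 12, 10)))
```

Because the reuse rule is scoped to the calendar year, a password set in December passes the reuse check again in January.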
Solutions to the Vulnerabilities
The first solution will be ensuring that the hospital has next-generation firewalls. Next-generation firewalls will act as a line of defense for the hospital's systems by combining traditional firewalls with other network device filtering functionalities. They will perform an in-depth inspection of everything that comes into the system to ensure that the system is being protected. The investment in these firewalls is imperative. The second solution is web security gateways, which will prevent unsecured traffic from entering the internal network. The third is email security. The system will check any email sent to a hospital email address for viruses. Any email that cannot be confirmed as clean, with no virus or malware detected, will be rejected. The fourth solution is ensuring that all staff are adequately trained in safe and acceptable computer use. Regardless of whether team members use the computer, they will need to complete this training annually.
Business Requirements
The healthcare industry has requirements for information technology for compliance purposes. The first is identity verification and management for all individual providers based on their roles. Being able to ensure that all providers are identified will ensure that they are accessing the information that they need to access and that no one else has access to that same information. The second is identity verification for different organizations within the hospital. No department within the hospital should have access to another department’s data. There may be some instances where a patient needs to meet with multiple organizations within the hospital and pertinent information needs to be shared across departments, but in those one-off instances, the information will be shared amongst individuals with higher clearances. The third is verifying the identities of patients. Patients will need access to their medical records, and the hospital will need to ensure that all patients' records are safe and secure and that only the correct patient has access to those documents. The fourth is using the company’s computers and phones for only authorized work. Often company property is used for personal use, such as opening personal email on company computers. Whenever this occurs, any phishing attempt that someone has made against your personal information is now exposed to the company as well.
With everything that has been stated, it is evident that investing in information technology is of the utmost importance and is crucial to ensuring the success of the hospital moving forward.
REFERENCES
Cox, J. W., Turner, K., & Zapotosky, M. (2016, March 28). Virus infects MedStar Health system's computers, forcing an online shutdown. Retrieved December 8, 2019, from https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html
Donovan, F. (2019, August 15). Reports of Healthcare IT Infrastructure Vulnerabilities Surge 341%. Retrieved December 8, 2019, from https://hitinfrastructure.com/news/reports-of-healthcare-it-infrastructure-vulnerabilities-surge-341
John Woodrow, Cox. (3AD 2016). Pain of MedStar hack lingers. Washington Post, The. Retrieved from http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=bwh&AN=wapo.a82c9fa8-f687-11e5-8b23-538270a1ca31&site=eds-live&scope=site
Kleyman, B. (2019, August 9). Top 5 Healthcare Data Security, Infrastructure Threats. Retrieved December 7, 2019, from https://healthitsecurity.com/news/top-5-healthcare-data-security-infrastructure-threats
Talekar, N. (2019). JBoss Exploitation: www.SecurityXploded.com. Retrieved December 11, 2019, from https://securityxploded.com/jboss-exploitation.php