1. Cybersecurity Assessment for Soft Touch Dentistry
Perry Escamilla, Kevin Jones, Jim Patterson, Leon Slack, Jason Smith & Robert Valdez
National University, Capstone
Professor Bane
2. Summary
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Auditing, Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
• Conclusion
2 National University Jason
3. Organization Chart
• Jason Smith – Project Manager
• Kevin Jones – Vulnerability Assessor
• Leon Slack – Disaster Recovery
• Robert Valdez – HIPAA Auditor
• Perry Escamilla – Remediation Planner
• Jim Patterson – Security Planner
5. Project Overview
• Soft Touch Dentistry is a small dental office in Murrieta, CA. Team Ruby, comprised of six students from National University, proposed a project to the practice to conduct a cybersecurity assessment of their medical practice.
• The assessment consisted of a vulnerability assessment, a wireless audit and a HIPAA inspection.
• Team Ruby also put together a Business Continuity Plan, a Disaster Recovery Plan and a Security Plan to assist the dentistry with those items.
• Lastly, Team Ruby performed a cost avoidance analysis to demonstrate how the project benefited the dentistry and which future costs it can now avoid as a result of the work performed.
12. Purpose
HIPAA is the Health Insurance Portability and Accountability Act. Thousands of organizations must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.
The purpose of the Security Rule:
• To allow better access to health insurance
• To reduce fraud and abuse
• To lower the overall cost of health care
13. Administrative Safeguards
Compliance with the Administrative Safeguards portion must include
implementation of the following:
• Conduct a risk analysis
• Implement risk management controls
• Develop a security plan
• Conduct periodic information system reviews and training
14. Physical Safeguards
Compliance with the Physical Safeguards portion must include
implementation of the following:
• Contingency operations
• Limit facility access and restrict levels of access
• Proper management of organization's computer systems and network
• Appropriate device and media controls
15. Technical Safeguards
Compliance with the Technical Safeguards portion must include
implementation of the following:
• Appropriate access controls such as unique user IDs and permissions
• Automatic logoff procedures
• Encryption and decryption procedures
• Measures to ensure integrity of ePHI
16. Key Elements of Compliance
• Senior Management Support is essential
• Conduct and maintain inventory of ePHI
• Conduct regular and detailed risk analysis
• Determine what is appropriate and reasonable
• Develop and implement security policies
• Prepare for ongoing compliance
• Maintain a security-minded culture within the workplace
17. Penalties
Civil penalties vary from $100 to $50,000 per violation, with an annual maximum penalty of $1.5 million, depending on the degree of negligence.
Criminal penalties and imprisonment may also be imposed in addition to civil penalties.
Additional Negatives:
• Negative publicity
• Loss of customers
• Loss of business
• Legal liability
19. Soft Touch Dentistry Initial Assessment
Safeguards | Security Standard | Assessment Percentage | Compliance Rating
Administrative Safeguards | §164.308(a)(1)(i) Security Management Process | 25% | Partial
 | §164.308(a)(2) Assigned Security Responsibility | 25% | Partial
 | §164.308(a)(3)(i) Workforce Security | 4% | Partial
 | §164.308(a)(4)(i) Information Access Management | 20% | Partial
 | §164.308(a)(5)(i) Security Awareness and Training | 13% | Partial
 | §164.308(a)(6)(i) Security Incident Procedures | 0% | Non-Compliant
 | §164.308(a)(7)(i) Contingency Plan | 0% | Non-Compliant
 | §164.308(a)(8) Evaluation | 25% | Partial
 | §164.308(b)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
Physical Safeguards | §164.310(a)(1) Facility Access Controls | 0% | Non-Compliant
 | §164.310(b) Workstation Use | 0% | Non-Compliant
 | §164.310(c) Workstation Security | 0% | Non-Compliant
 | §164.310(d)(1) Device and Media Controls | 0% | Non-Compliant
Technical Safeguards | §164.312(a)(1) Access Control | 0% | Non-Compliant
 | §164.312(b) Audit Controls | 0% | Non-Compliant
 | §164.312(c)(1) Integrity | 0% | Non-Compliant
 | §164.312(d) Person or Entity Authentication | 0% | Non-Compliant
 | §164.312(e)(1) Transmission Security | 0% | Non-Compliant
Organizational Requirements | §164.314(a)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
 | §164.314(b)(1) Requirements for Group Health Plans | 0% | Non-Compliant
Policy, Procedures, and Documentation | §164.316(a) Policy and Procedures | 0% | Non-Compliant
 | §164.316(b)(1) Documentation | 0% | Non-Compliant
20. Soft Touch Dentistry Post-Team Ruby Assessment
Safeguards | Security Standard | Assessment Percentage | Compliance Rating
Administrative Safeguards | §164.308(a)(1)(i) Security Management Process | 88% | Partial
 | §164.308(a)(2) Assigned Security Responsibility | 100% | Compliant
 | §164.308(a)(3)(i) Workforce Security | 68% | Partial
 | §164.308(a)(4)(i) Information Access Management | 60% | Partial
 | §164.308(a)(5)(i) Security Awareness and Training | 38% | Partial
 | §164.308(a)(6)(i) Security Incident Procedures | 100% | Compliant
 | §164.308(a)(7)(i) Contingency Plan | 42% | Partial
 | §164.308(a)(8) Evaluation | 75% | Partial
 | §164.308(b)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant
Physical Safeguards | §164.310(a)(1) Facility Access Controls | 93% | Partial
 | §164.310(b) Workstation Use | 100% | Compliant
 | §164.310(c) Workstation Security | 100% | Compliant
 | §164.310(d)(1) Device and Media Controls | 56% | Partial
Technical Safeguards | §164.312(a)(1) Access Control | 41% | Partial
 | §164.312(b) Audit Controls | 0% | Non-Compliant
 | §164.312(c)(1) Integrity | 0% | Non-Compliant
 | §164.312(d) Person or Entity Authentication | 0% | Non-Compliant
 | §164.312(e)(1) Transmission Security | 0% | Non-Compliant
Organizational Requirements | §164.314(a)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant
 | §164.314(b)(1) Requirements for Group Health Plans | 0% | Not Applicable
Policy, Procedures, and Documentation | §164.316(a) Policy and Procedures | 100% | Compliant
 | §164.316(b)(1) Documentation | 100% | Compliant
21. New Soft Touch Dentistry Policies
• Access, Use and Disclosure
• Request for Accounting of Disclosures
• Disclosure of Patient Information to the Public
• Release of Information to Media and Public
• Network and E-mail Usage (Acceptable Use)
• Facsimile of Information
• Notice of Privacy Practices
• Information Security Program
• Information Security Incident Reporting and Response
• Soft Touch Dentistry Compliance Program
• Credit Card and Payment Card Information Protection
24. What Was Found
• The wireless password was all numbers: 129458866.
• The wireless network was protected only by WEP (Wired Equivalent Privacy).
• The password was available for anyone to use.
• The wireless network was connected to the physical business network.
26. SANS Institute Case Study
• Study performed by Daniel O’Dorisio
• Submitted 12/23/2003
• Singled out five regulations in 164.312 that pertain to wireless communication.
• Expressed the language of the HIPAA safeguards in regular terms and how they could be breached by wireless vulnerabilities.
27. HIPAA Safeguards
• 164.312 Person Authentication
  • A covered entity must, in accordance with Sec. 164.306: (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• 164.312 Access Control
  • A covered entity must, in accordance with Sec. 164.306: (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
28. HIPAA Safeguards
• 164.312 Integrity
  • A covered entity must, in accordance with Sec. 164.306: (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• 164.312 Transmission Security
  • A covered entity must, in accordance with Sec. 164.306: (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
30. Vulnerability Assessment Defined & Tool
• “A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise” (SANS, 2001).
• Retina
  • Ease of use
  • Free trial (savings of $1,700)
  • Industry-accepted tool
  • Fast local scans (3–10 minutes per machine)
31. High, Medium & Low
• High: may result in the highly costly loss of assets; risks that significantly violate, harm or impede operations
• Medium: may result in the costly loss of assets; risks that violate, harm or impede operations
• Low: may result in the loss of some assets or may affect operations
32. Vulnerabilities Found
Total Findings – 1,137
• Findings Fixed – 862 (76%)
• High Not Fixed – 3
• High False Positive – 1
• Medium Not Fixed – 29
• Medium False Positives – 24
• Low Not Fixed – 218
33. Vulnerabilities Found (Continued)
High & Medium Findings Fixed – 862 (94% of high and medium findings)
• Findings Fixed – 862
• High Not Fixed – 3
• High False Positive – 1
• Medium Not Fixed – 29
• Medium False Positives – 24
34. Plan of Action & Milestones (Open)
35. Plan of Action & Milestones (Closed)
37. Initial Findings
Physical Description of the Site
• Located at 25395 Hancock Ave. and zoned as Office Research Park (ORP) by the city of Murrieta
• The site is between two major freeways, approximately 1 mile east of the I-15 and 0.4 miles west of the I-215, and approximately 0.3 miles north of Murrieta Hot Springs Rd.
• Parcel Map (PM) 26610 and Assessor’s Parcel Number (APN) 910-250-007
• Building construction is Type V–N (also known as V–B): a wood-framed building with no fire protection for the exterior walls
• An unarmed security guard is onsite between 8:00 AM and 5:00 PM during the week, and the building has a general announcing system
38. Initial Findings (cont.)
Physical Description of the Site (cont.)
• The Soft Touch Dental office itself does not have an alarm system or enhanced locks
• The site is approximately 2.2 miles or 6 minutes south of the Murrieta City Police Department at 2 Town Center
• Chances of being a victim of a violent crime are 1 in 1505 in Murrieta as compared to 1 in 252 for the state of California
39. Initial Findings (cont.)
• Physical Description of the Site (cont.)
• Risk to the Physical Property
  • Fire
    • Greatest risk overall
    • Building construction is Type V-B, which offers no protection for the external walls
    • Proprietor states that they have insurance
  • Flood
    • The site is not in danger of flooding or other related incidents
  • Earthquake
    • Less than 10% chance of major structural damage
    • Building is located on a sandstone formation
    • No major active faults nearby
40. Initial Findings (cont.)
• Office Description
  • The office is located on the 2nd floor and totals less than 800 sq. ft.
  • Contains two entry points
  • Exam room, private office, rest rooms, employee break area, utility/wiring closet and X-ray area
41. Initial Findings (cont.)
• Office Description (cont.)
  • Door between the patient waiting area and exam area is unsecured
  • Utility/Wiring closet is unlocked (pictured: PBX switch, patch panel, UPS units, network switch, DSL router)
  • Water heater risk
42. Initial Findings (cont.)
• Office Description (cont.)
  • One of the ports is not mounted to the breakout box and thus exposes the wiring to possible damage (pictured: exposed wiring)
43. Initial Findings (cont.)
• Office Description (cont.)
  • There are no network connections in the private office space. The connections for the server and office workstation are run along the floor, out into the hallway and then into the X-ray area (pictured: office server, office workstation, hallway, workstation & server cable, office exit)
44. Initial Findings (cont.)
• Office Risks
  • Networking and communications equipment is at risk from a water heater leak
  • Poor wiring may be contributing to spotty network performance
  • There are no protections in place on the network. It is recommended that the network be segmented and a firewall put in place.
45. Initial Findings (cont.)
• Administration
  • The Mutual Aid and Assistance Memorandum of Understanding is a verbal commitment
  • Policies and procedures do not exist for any IT operations
  • Staff performs a manual copy of the server’s D: drive on a daily basis to one of two 300 GB external hard drives
• Administrative Risks
  • The current backup process is inadequate and is not saving any of the Dentrix data
  • The Mutual Aid and Assistance MOU needs to be formalized
  • Written policies and procedures for IT operations need to be developed
46. Asset Inventory and Replacement
• Current Inventory
• 7 desktop workstations w/ monitors
• 3 laptop workstations
• 2 MFC printers
• 1 server
• 1 24-port switch
• 2 5-port switches
• Replacement List and Costs
  • Costs do not reflect any taxes or shipping fees
  • The list assumes that all telecommunication and internet connectivity are in place and functional
47. Asset Inventory and Replacement (cont.)
Estimated cost to replace would be: $9,435.74
Item | Source | Quantity | Unit Cost | Total Cost
Desktop Workstation | Dell Corp | 7 | $679.00 | $4,753.00
Laptop Workstation | Dell Corp | 3 | $479.00 | $1,437.00
Server | Dell Corp | 1 | $1,914.44 | $1,914.44
MFC Printer | Canon | 2 | $148.98 | $297.96
24 Port Network Switch | Linksys | 1 | $177.99 | $177.99
Wireless Access Point | Amped Wireless | 1 | $71.99 | $71.99
5 Port Network Switch | Linksys | 2 | $39.97 | $79.94
KVM Switch | Office Depot | 1 | $73.49 | $73.49
Monitors | Walmart | 7 | $89.99 | $629.93
Total Estimated Costs | | | | $9,435.74
48. DRP/BCP Development Approach
• Small Office with Limited Resources
• Key Personnel
• The Owner
• The Office Manager
• Mutual Aid and Assistance Memorandum of Understanding
  • Developed one based off of an MOU between the California Emergency Management Agency and the California Dental Identification Team
• Critical Data Sources
• Dentrix Database
• Critical Office Correspondence
49. DRP/BCP Development Approach (cont.)
• Critical Services
  • Access to an alternative site
  • Procurement and installation of replacement equipment
  • Restoration of Dentrix data and Dentrix operations
  • Restoration of critical office correspondence data
• Recovery Process
  • In the case of the loss of the office spaces, a 5-day plan has been described in the Disaster Recovery Plan
  • The plan can be tailored down for loss of critical infrastructure
50. DRP/BCP Development Approach (cont.)
• Data Backup and Recovery Plan
  • Continue to use the external hard disk drives
  • Need to run the Dentrix back-up process from the Server Administration Utility
  • Need to test encryption of the back-up drives
  • No data restoration procedures have been written at this time
    • Dentrix restoration requires the removal of all database files
    • The office does not have a second server system to use for the restoration check
    • Restoration procedures have been added to the POA&M
• Equipment Restoration Plan
  • Cost was a driving concern
  • Chose business-class hardware for server and workstations
52. Managing Enterprise Risk
• Key activities in managing enterprise-level risk—risk resulting from the operation of an information system:
• Categorize the information system
• Select set of minimum (baseline) security controls
• Refine the security control set based on risk assessment
• Document security controls in system security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine agency-level risk and risk acceptability
• Authorize information system operation
• Monitor security controls on a continuous basis
53. Publication Overview
• NIST Special Publication 800-18 (Security Planning)
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-60 Vol 1 & 2 (Security Category Mapping)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-53R4 (Recommended Security Controls)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-66R1 (Guide for Implementing HIPAA)
• ISO/IEC 27000 (Establishing an Information Security Management System (ISMS))
• ISO/IEC 27002 (Code of practice for information security controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)
Source: NIST SP 800-18 Pg 11
54. Categorizing Information and Information Systems
(Source: FIPS 199 Table 1 Pg 6)
Purpose
• Enabled Soft Touch Dentistry to implement appropriate controls in a cost-effective manner based on the potential impact to defined security objectives.
Objectives
• CONFIDENTIALITY: The loss of confidentiality is the unauthorized disclosure of information (e.g., ePHI)
• INTEGRITY: The loss of integrity is the unauthorized modification or destruction of information (e.g., payment modifications)
• AVAILABILITY: The loss of availability is the disruption of access to or use of information or the information system (e.g., ransomware)
Impacts
• A categorization of LOW is defined as having a limited adverse effect on the organization's mission
• A categorization of MODERATE is defined as having a serious adverse effect on the organization's mission
• A categorization of HIGH is defined as having a serious/catastrophic impact on the organization's mission
Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.
55. Categorizing Information Types
Identification of Information Types
Information is categorized according to its information type. An information type is a specific category of information (e.g., privacy, proprietary, medical, financial). (Source: NIST SP 800-60 Vol 1 Pg 16)
Soft Touch Dentistry Critical Information
• Personally Identifiable Information (PII)
• Patient health information (ePHI)
• Patient credit card and insurance billing information
56. Categorizing Information Types (cont.)
D.14.4 Health Care Delivery Services Information Type
Supports the delivery of health care, planning of health services and the managing of clinical information and documentation. The recommended provisional security categorization for health care delivery services information is as follows:
Security Category = {(confidentiality, Low), (integrity, High), (availability, Low)}
Confidentiality
The confidentiality impact level is the effect of unauthorized disclosure of health care delivery services information on the ability of responsible agencies to provide and support the delivery of health care to its beneficiaries; such disclosure will have only a limited adverse effect on agency operations, assets, or individuals.
Special Factors Affecting Confidentiality Impact Determination: In some cases, unauthorized disclosure of this information, such as privacy-protected medical records, can have serious consequences for agency operations. In such cases, the confidentiality impact level may be moderate.
Source: NIST SP 800-60 Vol 2 Pg 171
57. System Categorization
Provisional Impact Levels
Recommended Integrity Impact Level: Because of the potential for the loss of human life, the provisional integrity impact level recommended for health care delivery services information is high. (Source: NIST SP 800-60 Vol 2 Pg 172)
Review and Adjust Impact Levels
Organizations should: (i) review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing; (ii) adjust the security objective impact levels as necessary using the special factors guidance found in Volume II, Appendices C and D; and (iii) document all adjustments to the impact levels and provide the rationale or justification for the adjustments. (NIST SP 800-60 Vol 1 Pg 23)
Final Information System Categorization was Evaluated as Moderate
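As an added illustration (not from the Team Ruby deck or from NIST), the Python below models the categorization step the slides walk through: provisional per-type levels, documented adjustments, then the FIPS 199 high-water mark across information types. The Health Care Delivery Services levels and the confidentiality special factor are taken from the slides; the integrity adjustment to Moderate is an assumed rationale chosen to reproduce the deck's final Moderate result, and the billing information type and its levels are constructed.

```python
"""FIPS 199 categorization in the SP 800-60 style the deck follows: start from each
information type's provisional {C, I, A} levels, apply documented adjustments, then
take the high-water mark across types and objectives for the system category."""
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")        # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _high_water_mark(levels):
    """Highest FIPS 199 level in the sequence (the FIPS 199 'high water mark')."""
    return max(levels, key=LEVELS.index)


@dataclass
class InfoType:
    name: str
    provisional: dict                        # objective -> provisional level
    # (objective, adjusted level, rationale): SP 800-60 Vol 1 requires every
    # adjustment to be documented together with its justification.
    adjustments: list = field(default_factory=list)

    def final_levels(self):
        levels = dict(self.provisional)
        for objective, level, rationale in self.adjustments:
            if objective not in OBJECTIVES or level not in LEVELS:
                raise ValueError(f"bad adjustment {objective!r} -> {level!r}")
            if not rationale.strip():
                raise ValueError(f"{self.name}: adjustment of {objective} lacks a rationale")
            levels[objective] = level
        return levels


def system_category(types, adjusted=True):
    """Per-objective high-water mark across all information types on the system."""
    per_type = [t.final_levels() if adjusted else t.provisional for t in types]
    return {obj: _high_water_mark(lv[obj] for lv in per_type) for obj in OBJECTIVES}


def overall_impact(category):
    """Single impact level used to pick the SP 800-53 baseline."""
    return _high_water_mark(category.values())


def format_sc(category):
    """Render in the FIPS 199 notation quoted on the slide."""
    inner = ", ".join(f"({obj}, {lvl.capitalize()})" for obj, lvl in category.items())
    return "SC = {" + inner + "}"


# Provisional levels for D.14.4 Health Care Delivery Services, as quoted on the slide.
HEALTH_CARE_DELIVERY = InfoType(
    name="Health Care Delivery Services (SP 800-60 D.14.4)",
    provisional={"confidentiality": "LOW", "integrity": "HIGH", "availability": "LOW"},
    adjustments=[
        # Special factor quoted on the slide: privacy-protected medical records.
        ("confidentiality", "MODERATE",
         "Records are privacy-protected ePHI; disclosure has serious consequences."),
        # ASSUMED adjustment (the deck states only the final result, Moderate).
        ("integrity", "MODERATE",
         "Small outpatient dental practice; no life-critical decisions depend on this system."),
    ],
)

# CONSTRUCTED second type for the billing data the deck lists as critical information;
# these levels are illustrative assumptions, not taken from SP 800-60.
BILLING = InfoType(
    name="Patient credit card and insurance billing (constructed)",
    provisional={"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
)
SYSTEM_TYPES = [HEALTH_CARE_DELIVERY, BILLING]

if __name__ == "__main__":
    for label, adjusted in (("Provisional", False), ("Adjusted   ", True)):
        cat = system_category(SYSTEM_TYPES, adjusted=adjusted)
        print(f"{label}: {format_sc(cat)} -> overall {overall_impact(cat)}")
```

Without the documented integrity adjustment the high-water mark stays at High, which is why step (iii) of the SP 800-60 guidance quoted above matters as much as the table lookup itself.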
58. NIST Security Control Selection
FIPS 200 – Provides the minimum security requirements covering seventeen (17) security-related areas.
• States that selected set of controls must include at least one baseline
• Must include all controls in the baseline unless exceptions based on tailoring
NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• 18 Control Families
  • Seventeen control families for an information system
  • One control family focusing on organization-wide requirements (Program Management)
• Provides a tailored set of baseline security controls based on overall system categorization
  • 159 Controls based on an information system categorized at the Moderate impact level
• Tailoring Controls
  • Provides a cost-effective, risk-based security approach that supports organizational mission/business needs
  • Identifying Common Security Controls
  • Apply Scoping Considerations
  • Select Compensating Controls
  • Supplement with Control Enhancements
  • Documentation
59. ISO 27002 Security Control Selection
ISO 27002 Security Techniques, Code of Practice for Information Security Controls
• International standard intended to be used as guidance for organizations implementing commonly accepted
information security controls
• States that security controls from any or all clauses could be important, therefore each organization applying this
standard should identify applicable controls based on how important they are to the specific application
• Contains the actual “best practices” details of what goes into building a comprehensive IT security program
• The selection of controls is dependent upon organizational decisions based on organizational risk acceptance
• May be regarded as a starting point for developing organization-specific guidelines
• 14 Security Clauses (Policies, Human Resource Security, Access Control etc.)
• 35 Security Control Categories (Policies for Information Security, Review of Policies), each with:
  • Objective
  • 114 Controls in total, each with:
    • Implementation Guidance
    • Other Information
61. Implementing Controls
• Developed Policies
• Patched Software
• Developed Training
• Implemented Access Controls
• Unique user accounts
• Strong passwords
• Group Policy Objects
• Changed Default Passwords
• Made recommendations in POA&M
64. HIPAA Fine Breakdown
• Covered entity was not aware of the violation
  • $100 per violation
  • Not to exceed $25,000
• Violation occurred due to “reasonable cause”
  • $1,000 per violation
  • Not to exceed $100,000
• Due to willful neglect
  • $10,000 per violation
  • Not to exceed $250,000
• Due to willful neglect, violation is not corrected
  • $50,000 per incident
  • Not to exceed $1,500,000
67. Lessons Learned
• Project Management is the key to completing these assessments.
Conducting this training while doing the project resulted in lessons
learned that were too late to implement
• Small businesses are challenged to maintain compliance with federal
regulations
• Understanding the current environment, personnel, equipment, etc., is important prior to finalizing the project scope and statement of work
• Creating a work breakdown eliminates confusion for task assignments
68. Conclusion
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
Project Value
• Provided a no-cost vulnerability and HIPAA assessment that resulted in the implementation of controls that significantly hardened the Soft Touch Dentistry information system against attack. Policies and training were also developed that position the organization to take control of its cybersecurity posture in the future.