Executive Summary

You are a systems administrator in the IT department of a major metropolitan hospital. Your duties are to ensure the confidentiality, availability, and integrity of patient records, as well as the other files and databases used throughout the hospital. Your work affects several departments, including Human Resources, Finance, Billing, Accounting, and Scheduling. You also apply security controls on passwords for user accounts.

Just before clocking out for the day, you notice something strange in the hospital’s computer system. Some person, or group, has accessed user accounts and conducted unauthorized activities. Recently, the hospital experienced an intrusion into one of its patients’ billing accounts. After validating user profiles in Active Directory and matching them with user credentials, you suspect several users’ passwords have been compromised to gain access to the hospital’s computer network.

You schedule an emergency meeting with the director of IT and the hospital board. In light of this security breach, they ask you to examine the security posture of the hospital’s information systems infrastructure and implement defense techniques. This must be done quickly, your director says. The hospital board is less knowledgeable about information system security. The board makes it clear that it has a limited cybersecurity budget. However, if you can make a strong case to the board, it is likely that they will increase your budget and implement your recommended tool company-wide.

You will share your findings on the hospital’s security posture. Your findings will be brought to the director of IT in a technical report. You will also provide a nontechnical assessment of the overall identity management system of the hospital and define practices to restrict and permit access to information. You will share this assessment with the hospital board in the form of a narrated slide show presentation.
You know that identity management will increase the security of the overall information system’s infrastructure for the hospital. You also know that, with a good identity management system, the security and productivity benefits will outweigh costs incurred. This is the argument you must make to those stakeholders.

Executive summary: This will be a single double-spaced page, and in the same document as the technical report, located immediately following the cover sheet and before the text of the report.

Florida Orthopedic Institute Cyberattack Technical Report

Cyberattacks are a rising epidemic that is plaguing the world today. One of the most used and dangerous types of cyberattacks is a Malware (Malicious Software) attack called Ransomware[J!1]. Many industries are targets of cyberattacks, with the medical field being in the top three victims of such attacks. Florida Orthopedic Institute is one such organization that unfortunately has become a victim of a Ransomware attack. This report intends to investigate the Ransomware attack against Florida Orthopedic Institute, unveiling the details of what happened, the possibilities of how the attack occurred, and why, leading to a conclusive analysis of any mitigation factors that could have been implemented to prevent such an occurrence.[J!2]

Organization

The Chief Executive Officer (CEO) for the Florida Orthopedic Institute is Joseph R. Gordon, FACHE. Media consultant Elizabeth Domenech (2018) states the following:

Founded in 1989, Florida Orthopaedic Institute is one of Florida’s largest orthopedic groups, providing expertise and treatment of orthopedic-related injuries and conditions, including adult reconstruction and arthritis, anesthesiology, chiropractic services, foot and ankle, general orthopedics, hand and wrist, interventional spine, musculoskeletal oncology, orthopedic trauma, physical medicine and rehabilitation, physical and occupational therapy, sports medicine, shoulder and elbow, spine, urgent care, and weight management, among others. The organization treats patients throughout its surgery centers in North Tampa and Citrus Park, an urgent care center in South Tampa, and 10 office locations in Bloomingdale, Brandon, Brooksville, Citrus Park, North Tampa, Northdale, Palm Harbor, South Tampa, Sun City Center and Wesley Chapel.

 

The technology that Florida Orthopedic Institute uses includes kiosk stations located in each provider’s office waiting area and an established web-based portal. These tools allow patients to create user accounts to access and manage records, schedule appointments, and make payments for medical care, all from the privacy of their homes or during visits to the care facility. The IT department manages all of these accounts through the use of Windows Server 2012 software.

The doctors and staff of Florida Orthopedic Institute handle the provision of care, the management of medical records, and other treatment-based information through network-based Electronic Medical Record (EMR) software. This system allows doctors to share patient data from site to site when patients have referrals for other treatments or procedures.

These critical software systems and network components are under the management of Chris Patterson, the IT Director for Florida Orthopedic Institute, and his IT personnel team. The entire Florida Orthopedic Institute network received an update in 2017, consisting of, but not limited to, the following components or software:

CISCO (Cisco, n.d.)

– ASR 1001-X and ISR-4451 routers are in place to control the classified and non-classified wide area network (WAN) between sites.

– ASA 5525-X firewalls are in place to provide security filtering of inbound and outbound traffic.

– WS-C3850-24XU-E (distribution), WS-C3850-48U-L, and WS-C3850-24P-L (classified) access switches are in place at each site to manage the local area networks and all connected devices.

– UCS B200 M4 Blade Server to manage Florida Orthopedic Institute databases (health records, finance, human resources, etc.).

– AIR-CT2504-25-K9 (wireless access controller) and Aironet 1852i (wireless access point) provide wireless access to specified systems for staff and provide internet access to staff and patients/visitors.

– Unified Communications Manager and Unified Contact Center Enterprise are the call manager software programs used to establish the voice over internet protocol (VOIP) phone network in and between sites.

– Unified IP Phone 7965G and Unified IP Conference Phone 8831 allow daily office or conference telecommunications.

– Desktop and laptop computers, printers, cell phones, and tablet devices provide access to manage records, payments, and communications.

Windows (Microsoft, 2012)

– Server 2012

Security (Norton, n.d.)

– Norton 360

Electronic Health Record (Capterra, n.d.)

– iPatientCare EHR

All of the resources above work together, allowing the Florida Orthopedic Institute to provide the Confidentiality, Integrity, and Availability (CIA) of patient information within the network. Commonly referred to as the CIA Triad or Triangle, these are the security measures that information technology (IT) directors implement within their networks. As Fruhlinger (2020) explains, the definition of CIA is:

Confidentiality: Only authorized users and processes should be able to access or modify data
Integrity: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously
Availability: Authorized users should be able to access data whenever they need to do so

Incident

On or about April 9, 2020, the Florida Orthopedic Institute became the victim of a ransomware cyberattack. Hackers targeted the central network servers of Florida Orthopedic Institute, infiltrating the network and obtaining access to stored Protected Health Information (PHI) and Personally Identifiable Information (PII) of potentially more than 250,000 (Morgan & Morgan, 2020, para. 2) patients.

The security breach of the Florida Orthopedic Institute’s network allows hackers to access patient personal identifying data. This data includes, but is not limited to, social security numbers (SSN), date of birth (DOB), official state or government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer-identification number. If known, hackers can use these patient identifiers to commit identity theft. Identity theft is a Federal crime of fraud that causes individuals to spend countless hours, up to many years, to recover their name.

Personal identifiers are not the only information exposed in this situation. Patients’ payment account and health record data, along with employees’ pay and other data maintained by human resources, are also at risk of compromise. These are other areas of liability that the Florida Orthopedic Institute needs to take into consideration. This single incident of a ransomware cyberattack violates the Florida Orthopedic Institute’s duty to maintain Confidentiality, Integrity, and Availability (CIA) of all patient Protected Health Information (PHI) and Personally Identifiable Information (PII).[J!3]

(WHAT and WHY) As previously mentioned, the Florida Orthopedic Institute fell victim to a ransomware cyberattack. The cyberattack is given this name due to the hacker taking control of the files on the target computer system and encrypting the files, blocking the user’s access to the data. The hacker(s) will then send a ransom note to the user, demanding an unknown currency amount by a specified deadline. If the user pays the ransom, they will receive the decryption key.

If the user does not pay the ransom, the hacker threatens to destroy the data, which in most cases is valuable and non-reproducible; expose the data to the general public; or sell the data on the dark web to other hackers. Either choice is a risk for the user because the hackers do not have to abide by the rules they outlined in the ransom note, whether or not the payment is received.[J!4]

Infiltration Vectors

(HOW) How did Florida Orthopedic Institute’s network server become infiltrated? Hackers have many avenues of attack to introduce Ransomware to a system. Buffer overflow attacks can attack program data by looking for weaknesses in the code. Password cracking tools such as Cain & Abel or Ophcrack can run scripts on a network system to uncover passwords that do not satisfy established security criteria. Brute force attacks use tabulated information to attempt multiple combinations of common passwords to gain access to user accounts.

A buffer overflow attack exploits an error in the code that handles data entry. For example, a user name field (buffer) may have a set maximum number of characters. Hackers can exploit this by flooding the field with a string of characters that exceeds that limit. Posey (2019) defines a buffer overflow as:

A buffer overflow is an exploit that takes advantage of a program that accepts input from a client or other software process. It occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. (para. 2)

The excess characters usually contain some additional executable code. If the original code does not check the length of the input, the extra data spills past the buffer and can bypass security checks, allowing the system to execute the maliciously entered commands. That gives hackers access to the network through the code failure.
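The user name field described above, as an added example that is not part of the original report: an unchecked copy beside a length-checked one. The record layout, the 16-byte field size, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 16  /* assumed field size, including the terminating NUL */

/* Hypothetical record: the privilege flag sits right after the buffer,
 * so bytes written past username[] land on it. */
struct login_record {
    char username[USERNAME_MAX];
    int  is_admin;
};

/* Vulnerable pattern: strcpy() copies until it meets a NUL byte and never
 * looks at the destination size, so a long input overruns username[]. */
void set_username_unchecked(struct login_record *rec, const char *input) {
    strcpy(rec->username, input);
}

/* Hardened pattern: measure the input first, reject anything that does not
 * fit, and leave the record untouched on failure. Returns 0 on success. */
int set_username_checked(struct login_record *rec, const char *input) {
    const char *end;
    size_t len;

    if (rec == NULL || input == NULL)
        return -1;
    /* Look for the terminator within the first USERNAME_MAX bytes only. */
    end = memchr(input, '\0', USERNAME_MAX);
    if (end == NULL || end == input)   /* too long, or empty */
        return -1;
    len = (size_t)(end - input);
    memcpy(rec->username, input, len + 1);  /* copy includes the NUL */
    return 0;
}

int main(void) {
    struct login_record rec = { "", 0 };
    /* Constructed sample inputs: one that fits, one of 32 characters. */
    int short_rc = set_username_checked(&rec, "jsmith");
    int long_rc  = set_username_checked(&rec, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

    printf("short input accepted: %d\n", short_rc);
    printf("overlong input rejected: %d, username=\"%s\", is_admin=%d\n",
           long_rc, rec.username, rec.is_admin);
    return 0;
}
```
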

(HOW) Another avenue of approach is one that no organization wishes to find: an insider threat. An insider threat comes in the form of an employee with access to the internal network, regardless of position. Motives for insider threat actions range from revenge against management within the organization to gathering information to sell to competitors due to financial hardship. Regardless, an employee with access to network terminals can introduce Ransomware to the network by measures such as a buffer overflow attack or by using threat tools such as a password cracker. If the insider has admin-level access to any system on the network, the chance of a successful insider attack multiplies.

As discussed above, attacks can be initiated entirely outside of the organization by attacking the web application (.com page) established for patients to access and manage their accounts. They can also be undertaken by an employee who holds a grievance against the organization and acts as an insider threat. Let’s not forget, though, that in this world of “ease of access to data and services,” organizations like to use kiosks, typically located in a lobby, to allow access to directory services or even to create a customer (patient) user account for future use. Organizations must remember that these kiosks are directly attached to the internal network, thus posing an additional attack vector similar to having access to an employee terminal. For all of these access points, internal or external, Florida Orthopedic Institute is responsible for having security protocols established and operating to protect patient data and thwart any network attacks.

Investigation[J!5]

After investigating the network infrastructure within Florida Orthopedic Institute, it became clear that many vulnerabilities exist in their system. Some of the problems found during the investigation included:

– Outdated operating systems

– Outdated security software

– Equipment that is out of life expectancy

– Outdated patches to individual systems

– Software that is not compliant with HIPAA regulations.

– No use of multi-factor authentication

– No exact Role-Based Access Control (RBAC)

– Server rooms with low-quality access control

(WHY) The primary reason hackers use a ransomware attack is to gain a financial advantage through new means of digital theft. They could also be doing it to prove a point or for revenge.

Conclusion

With the continually growing number of malware cyberattacks initiated against the education system, there is now, more than ever, a strong need for increased protection measures. Such measures include a plan to conduct regularly scheduled backups of databases and security software providing virus protection, malware scanning, and anti-ransomware tools. Education for employees and students is also a must. Investing the time and effort into these measures will have an initial expense, but it will likely save thousands or more by thwarting the effects of a ransomware attack. With this plan in place, you will be protecting valuable personal data that falls under all educational institutions’ responsibility.

 

[J!1]Should all instances be capitalized or just the first one? Not a proper noun since it doesn’t state the exact one used.

[J!2]GOOD TO GO, SIMPLE AND EXPLANATIVE. WAITING ON REVIEW

[J!3]GOOD TO GO. WAITING ON REVIEW

[J!4]GOOD TO GO SO FAR, WAITING ON REVIEW

[J!5]Looking at how to add this if needed.

Security Protocols and RBAC Access Controls
