Victory Health Incorporated Technical Report
Information Systems and Identity Management
Healthcare organizations house various sources of valuable information, such as financial accounts, addresses and the identities of individuals working for and being treated by said healthcare organization. This report is dedicated to informing the reader of the increase of data breaches over the last 7 years and the breach Victory Health Incorporated (Fictitious) suffered in 2016. In this report, the Information Systems infrastructure of Victory Health Incorporated will be examined and detailed as well as the structure of the organization and systems most critical to completing the organization’s mission. Most importantly, the mission of this report is to observe the severity of cyber breaches orchestrated in today’s data landscape and study the solution Victory Health Incorporated enacted when they dealt with this same threat in 2016.
Defining the Information System Infrastructure
Victory Health Incorporated is a healthcare organization that is dedicated to providing reasonably priced health insurance to those that enroll in their services while also protecting subsidiaries of those insured. This healthcare organization consists of 24 U.S. companies throughout the country that cooperatively function as one to provide health insurance to more than 107 million Americans. To provide health insurance for firefighters and paramedics alike, Don C. Arnold founded Victory Plus in 1953. Around the same time, employees of the HealthOne Incorporated hospital in Greensboro, North Carolina needed health insurance for not only their families but for their loved ones at home as well. They were supported by HealthOne’s insurance policy, an insurance company in which workers would make monthly payments to physicians in exchange for protection. The two companies would ultimately merge in 1991 and officially become known as Victory Health Incorporated from there on out (Hunt, 2018).
Organization Structure and Business Units
Like many healthcare organizations, Victory Health Incorporated adopted a business structure which collaborated within the basic four boundaries of many healthcare units: IT, Financial, Clinical and Health Operations (Shukia, 2019). In the past, many healthcare organizations primarily used their support services, such as IT and Financial, to supplement mission critical factors of the business. Healthcare models such as these typically hinder the effectiveness of their business units in terms of running analytics on cost data through its entire duration of care within the organization’s system (Shukia, 2019). With this being known, Victory Health implements a structural system that can communicate its business data with stakeholders to realize optimal clinical and financial performance.
Mission Critical Systems
Victory Health Incorporated implements an operating model which enacts an active scope for a wide array of patients within a certain area size by differentiating through quality control and improved experience to receive maximum reimbursement for its efforts. This is known as the Innovator model (Shukia, 2019). The Innovator model consists of two service lines which intersect at a main hospital, known as Acute Care Hospital A, and its clinical services. Both service lines operate with an Inter-Disciplinary Clinical Team, with clinical and non-clinical support services set in place as well. This model can be observed below.
However, the main issue with this model of operating is that the focus on innovative resources could leave the organization at risk with negative consequences on the horizon. With the increase in data breaches targeting healthcare organizations over the last 7 years, it is imperative that organizations such as Victory Health Incorporated operate under a least-privileged access model to provide information only to users who are required to interact with this data and shield other valuable sources of information away from said individual (Wilking, 2018). It is central to the mission of this healthcare organization to protect every patient’s healthcare record or PHI. PHI is data that could potentially be used to identify a singular patient and extract financial or physical whereabouts from the file (Dissent, 2018). In order to achieve this goal, Victory Health Incorporated has implemented a Full-Disk Encryption, or FDE, style of protection. The Full-Disk Encryption is a cheap and productive method of securing PHI from potential attacks (Dissent, 2018). This organization primarily deals with electronic PHI rather than physical so a method such as FDE is much more effective. Old-fashioned methods of storing patient information, such as physical PHI, are more at-risk for being hacked and absconded with. Such a case occurred when the Medicaid system of the Arizona Health Care Cost Containment System saw a misdirection of 3,146 IRS 1095-B forms to the incorrect addresses of patients under the insurance policy of this healthcare organization (Innes, 2019).
Due to the mishandling of physical documents, these errors are prevalent in the healthcare industry and thus a push for moving to ePHI is becoming a more suitable business strategy. Other preventative measures that many healthcare organizations should take include wariness of ransomware attacks. Ransomware essentially holds PHI from healthcare organizations hostage while usually demanding a costly financial reward (Dissent, 2018). These attacks are typically orchestrated through malicious e-mail phishing, a method many organizations, whether healthcare or other, suffer from as well (Dissent, 2018). E-mail attacks take the form of seemingly regular e-mail attachments which spread through company databases like wildfire once accessed. Victory Health Incorporated instructs its employees to avoid contact with unfamiliar e-mail addresses and never open attachments as a countermeasure to phishing attacks.
Due to the prevalence of attacks against more traditional forms of computing, Victory Health Incorporated has adopted a cloud-based architectural system which relocates forms of ePHI into cloud storage, transcending the previous limitations computer hardware would typically pose (Zissies, 2010). However, this does not render the traditional OSI model completely irrelevant as the application layer, or layer 7, is vital to application developers working with IP addresses and port numbers. Only being concentrated on layer 7 provides a degree of uncertainty in terms of the first couple layers in the OSI model, particularly layers 2 and 3, leaving a bit of faith to be put in the professionals working with said layers before our application developers (Targett & Reynolds, 2018). This separation of duties results in quicker communication and maximum effectiveness in the computing process. Network engineers working at layers 3 and 4 can work with less pressure in a cloud-based architectural system and focus on sending packets to the TCP host to transport said packets to the end user. This model is improved upon in a cloud-based system due to network engineers being able to solely focus on one area of the OSI model while another user focuses on their own layer. Traditional OSI models increase the amount of responsibility for each level of layering and can potentially slow down entire processes, a direct result of blatantly ignoring innovation (Targett & Reynolds, 2018). Victory Health’s cloud computing system requires a large number of processors, network devices and hard drives to work in succession with each other in our private datacenters (Zissies, 2010). The exact geographic location of these datacenters is widely irrelevant as encrypted data is stored and processed for efficiency purposes. However, the most vital element to our cloud computing system is the software which utilizes a virtualization layer. 
With virtualization, the rate of elasticity with our data is increased as well as resource pooling and geographic independence (Zissies, 2010). Thanks to elements such as these, the same issues outdated client-server topologies struggle with, such as traffic congestion, are never felt with a cloud computing system. There are several cloud computing service models that Victory Health Incorporated could have decided to work with; however, this healthcare organization has decided to utilize the Platform as a Service, or PaaS, service model (Zissies, 2010). This decision was made due to the organization’s commitment to keeping important PHI documents secure from users who do not warrant access to such information. The PaaS service model allows users to install applications, whether acquired by the providing system or created by consumers, and shields the infrastructure of the cloud such as servers, network, operating systems and storage. The only mechanisms users are in control of are applications gathered by said user or items supported by the provider (Zissies, 2010). Among the several deployment models available for use, Victory Health Incorporated has decided to use the Hybrid Cloud infrastructure. This is an infrastructure model based on private, public and community clouds working cohesively together in order to provide the user with required data and most importantly to protect data from being handled by unauthorized users (Zissies, 2010). Unfortunately, this innovative method of infrastructure comes with its own special set of issues as one might expect.
Threats and Remediation
Although Victory Health Incorporated has adopted a cloud-based infrastructure security system, that does not eliminate the possibility of threats against this healthcare organization in the least bit. As preventative measures for protecting PHI advance, so does the ingenuity of potential hackers. Across the world, hackers are actively working either in groups or as lone wolves to break into confidential documents and reap the benefits for themselves. Many hackers have entirely vain reasons for committing such an illegal act, such as experiencing strong adrenaline rushes or retrieving information they are not authorized to access (Beaver, 2016). As previously stated, many cybersecurity threats in the healthcare business resort to ransomware technology, technology which captures important PHI and demands a hefty price in exchange for hackers to cooperate and cease and desist. Hackers are motivated by the concept of being a step ahead of big-name corporations and outsmarting their IT departments, all in the name of what they would consider good-natured fun. Though the benefit from hacking into a large-scale organization could lead to huge sums of money, rarely do hackers consider the consequences of the illegal crime they commit. There is undeniably a sense of arrogance that can be observed when diving into the psychology of a hacker. Many hackers believe information stored in any database is considered information that anyone with a computer should have access to (Beaver, 2016). It can be quite unsettling for companies, especially in the healthcare business, to learn that many hackers simply want access to private information for reasons ranging from exacting revenge on a former employer to positioning themselves in a better situation than their own personal competition to simply entertaining themselves.
Hackers often do not have individuals or circumstances in their lives that result in having a healthy self-esteem; this void leads to hacking to gain instant gratification for shortcomings these hackers have not come to terms with (Beaver, 2016). Hackers not only look to attack organizations they formerly worked for; there are cases in which current employees have attacked organizations they are currently working at. These hackers, due to being within the company, either already have access to confidential data or are aware of the means to gain access. Within a cloud-style infrastructure system, the means to gaining private data can be of some ease due to the number of cooperating systems interacting with each other (Zissies, 2010). User authentication can be accomplished through mandating access to objects within the cloud such as devices, software and memory. Without a strong authentication system in place, it is possible for users to unknowingly gain unauthorized access on the cloud and thus lead to a breach in privacy. Hackers within the company who also pose a malicious threat could attack the infrastructure from within and remain undetected if this breach is executed with exceptional stealth. Illegal access within the infrastructure can also be committed due to hackers taking advantage of the software confidentiality implemented by cloud-security protocol (Zissies, 2010). Software confidentiality determines that users will delegate the responsibility of maintaining personal data to the applications provided by the organization. It is important to restrict access to unauthorized users with complex applications paired with strong identification. With personal data being stored in multiple servers, potentially in countries overseas, protecting personal data can be a significant challenge. Passwords can be managed through the cooperation of Trusted Third Parties.
A Trusted Third Party (or TTP) is essentially a unit which serves as a reliable middleman, instituting secure interactions between two working parties (Zissies, 2010). The TTP oversees critical modes of communication between the two parties, which in this case would be our healthcare organization and the server location. TTPs are especially adept in terms of spotting fraudulent digital content; such content could literally be a trojan method of gaining access to private documents. TTPs create a secured realm consisting of origin and target sites within various active servers within the infrastructure of the cloud. Certificate paths are avenues in which the TTP is connected, allowing the party to form a functional Public Key Infrastructure (Zissies, 2010).
The PKI allows the cloud computing infrastructure to make up for its shortcomings with authority of authentication, allowing for examining transactions or information sent through the system by electronic means. Authorization is also implemented through validating access to the organization’s database and informative systems based on a user’s access privileges. Data confidentiality and integrity are also among the special services implemented by a PKI in addition to confirming electronic transactions and the date they occurred, a process known as Non-Repudiation (Zissies, 2010). PKIs can be paired with a directory tool in order to accomplish the distribution of Certificate-Status Information, otherwise known as CRLs, and certificates, in which encrypted messages are sent only after receiving end-user credentials and private keys, which allow users the portability to continue working on several machines, computer tower or laptop, in order to increase flexibility. Another important method of flexibility is the implementation of Single-Sign-Ons, or SSOs. This tool allows a user to log in once using a password, tech card or an authentication mechanism of sorts to gain access to various resources immediately. Combined with PKIs, SSOs allow the system to maintain legitimate authentication throughout the infrastructure’s physical components. This provides measures for low/high-level confidentiality, cryptographic separation of data, server and client authentication, creation of security domains and certificate-based authorization (Zissies, 2010).
Password Cracking Tools
A benefit of utilizing these password cracking tools is the experience of gaining an understanding of how easy it can be for some of these hackers around the world to gain access to confidential information with the simplicity of a tool such as the ones I had at my disposal in the lab. However, that same simplicity can result in a major risk for a person looking to gain illegal access to confidential information, as an attempt made against secured databases could potentially be recorded and traced back to the user in a form of end-user application. With the tool “Cain” I was able to gain almost immediate access to Windows Mail Passwords and LSA secrets, while Wireless Passwords and the majority of databases I was allowed to tamper with would not allow me any access. Ophcrack allowed me the quickest access to any of the databases I was provided but was seemingly only able to crack a small number of passwords for the system. The passwords recovered in Ophcrack were in comparison much less complex than those found in Cain, and this factor was likely the reason why I was able to crack this database in such a short amount of time. The passwords discovered in Cain were much more complicated and undeterminable, which is ideal when creating passwords for any system whether personal or professional. When forming a password, it is imperative to use numerical, alphabetical, capitalization and special characters such as an underscore. For maximum effectiveness, policies should require users to change their password every 30-60 days. When discussing the pros and cons of keeping familiar usernames and passwords, there are more cons than pros, unfortunately. While it may be easier for said user to access their account more quickly and set a considerably strong password one time and one time only, the con is that once that password is recovered the hacker has access to multiple accounts, much to the user’s detriment.
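The three policy points above (required character classes, the 30-60 day change window, and the danger of one password reused across accounts) can be checked mechanically. The following is an added example, not part of the original report or lab; the record layout, account names, passwords and audit key are constructed for illustration, and plaintext passwords appear only because these are lab records.

```python
import hashlib
import hmac
import string
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 60  # upper bound of the report's 30-60 day rotation window

# Character classes the report asks every password to contain.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,  # includes the underscore
}


def missing_classes(password):
    """Return the names of required character classes absent from password."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def fingerprint(password, audit_key):
    """Keyed digest used only to compare passwords for equality.

    Not a storage hash: a real credential store uses a slow, salted KDF.
    """
    return hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()


def audit(accounts, today, audit_key):
    """Return {account_name: [findings]} for every account with a problem."""
    findings = defaultdict(list)
    by_print = defaultdict(list)
    for acct in accounts:
        name = acct["name"]
        for cls in missing_classes(acct["password"]):
            findings[name].append("missing " + cls)
        age = (today - acct["changed"]).days
        if age > MAX_AGE_DAYS:
            findings[name].append("password is %d days old" % age)
        by_print[fingerprint(acct["password"], audit_key)].append(name)
    # The same password on several accounts means one recovery exposes all.
    for names in by_print.values():
        if len(names) > 1:
            for name in names:
                others = [n for n in names if n != name]
                findings[name].append("reused on " + ", ".join(others))
    return dict(findings)


# Constructed sample records (hypothetical accounts, for illustration only).
SAMPLE = [
    {"name": "mail", "password": "summer2019", "changed": date(2019, 1, 2)},
    {"name": "vpn", "password": "summer2019", "changed": date(2019, 3, 20)},
    {"name": "ehr", "password": "T7_qv!Lm2#xR", "changed": date(2019, 4, 1)},
]

if __name__ == "__main__":
    report = audit(SAMPLE, date(2019, 4, 15), b"constructed-audit-key")
    for name, issues in report.items():
        print(name, issues)
```

Accounts with no findings, such as the constructed "ehr" record, are left out of the result.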
An ethical use of tools such as a password cracker is the ability to gain foresight against potential cyber-attacks. While offices and grade schools may incorporate a fire drill to practice for potentially dangerous occurrences, it’s important that organizations run password hacking agents on their own systems to test their fortitude and gain insight on how to protect themselves for the future. If a homeowner were to run these same password hacking agents on their own home devices, this would only prepare the owner for malicious activity they would inevitably encounter on the internet. However, if this homeowner had roommates, family or a spouse, they would be invading the privacy of parties involved who have not given consent to having their own personal accounts hacked into. It would be imperative for the individual considering using the password cracking tools to speak with all parties involved so as to avoid a potential conflict. If I were to conduct these same tests under the supervision of a sponsor, I would allow this sponsor of mine to set the parameters of which databases are off limits and which ones are deemed acceptable to freely tamper with. If a user were to administrate these same password cracking tools on a neighbor’s network without their knowledge, they may be subject to a federal offense and receive swift punishment for their actions. It is important to establish approval or notify the owner of said network before starting these tools and testing the security of the related accounts. Without having approval, the intentions of one utilizing these password cracking tools can be understandably called into question.
Ultimately, after conducting password-cracking exercises with the tools provided to me in the lab and reviewing the strengths and weaknesses of a cloud-security system, I can conclude that innovation is the major driving force in the information technology business. Without constantly advancing the parameters of one’s data, potential hackers are given the opportunity to catch up to organizations housing viable information, which could lead to millions of dollars in lost wages. Information Technology departments in every major corporation with PHI to protect should institute routine tests on their own systems in conjunction with TTPs to improve upon their security measures. With permission from parties involved and preventative measures being instructed throughout an organization’s employees, potential threats are much more avoidable.
McGee, M. K. (2015, May 20). Healthcare Data Breach Statistics. Retrieved April 11, 2019, from https://www.hipaajournal.com/healthcare-data-breach-statistics/
Hunt, J. (2018, December 10). Company Overview: Blue Cross Blue Shield Insurance Company. Retrieved April 11, 2019, from https://www.thebalance.com/blue-cross-blue-shield-insurance-company-review-1969885
Shukia, M. (2019, February 07). The health plan of tomorrow. Retrieved April 12, 2019, from https://www2.deloitte.com/insights/us/en/industry/health-care/health-care-business-model-transformation.html
Wilking, M. (2018, July 10). 5 Ways healthcare organizations can improve data security: It's no secret that healthcare is a lucrative target for hackers around the world, with increasing levels of cyber-attacks on healthcare organizations, despite greater awareness and tighter security measures. Retrieved April 13, 2019, from https://www.beckershospitalreview.com/healthcare-information-technology/5-ways-healthcare-organizations-can-improve-data-security.html
Dissent. (2018, March 2). Verizon 2018 Protected Health Information Data Breach Report. Retrieved from https://www.databreaches.net/verizon-2018-protected-health-information-data-breach-report/
Innes, S. (2019, March 11). Arizona's Medicaid program warns 3,100 enrollees about privacy breach. Retrieved April 13, 2019, from https://www.azcentral.com/story/news/local/arizona-health/2019/03/11/arizona-medicaid-program-ahcccs-warns-breach-personal-health-information/3130904002/
Zissies, D. (2010, December 22). Addressing cloud computing security issues. Retrieved April 13, 2019, from https://www.sciencedirect.com/science/article/pii/S0167739X10002554
Targett, E., & Reynolds, C. (2018, January 10). Is 7-Layer OSI Still Relevant in a Cloud World? - CBR. Retrieved April 13, 2019, from https://www.cbronline.com/in-depth/7-layer-osi-still-relevant-cloud-world
Beaver, K. (2016, July 8). Why Hackers Hack. Retrieved April 15, 2019, from https://www.dummies.com/programming/networking/why-hackers-hack/