Running Head: Hypothetical Health Cryptographic Controls 1: Executive Summary


Hypothetical Health, an Insurance Company

Cryptographic Controls Report


Dave Greenly
Kevin Splittgerber
G. Logan Gombar
USD CSOL510

Executive Summary

This report details the cryptographic controls, security policies, and applicable laws and regulations for Hypothetical Health, an Insurance Company (HHIC). HHIC transmits, stores, and processes Protected Health Information (PHI) and is therefore a regulated corporation that must follow laws and regulations defining how this type of information must be secured. By implementing these security measures, HHIC will lower the risk of a security incident that could be detrimental to the corporation, its employees, customers, and providers.

HHIC Security Goals

HHIC has an ethical and legal responsibility to protect all of our customers' PHI and Personally Identifiable Information (PII) from unlawful and unauthorized access. Our goal at HHIC is to execute the proper security policies and security controls that will enable us to effectively protect all of our customers' PII and PHI. HHIC also has an ethical and legal responsibility to protect the PII of our employees and investors. Implementing the correct security controls and policies will lower the risk of legal ramifications should a data breach occur.

The laws and regulations with which HHIC must comply carry penalties and fines. Compliance violations or incidents involving a breach of PHI expose HHIC to these steep fines and penalties. There are four tiers of culpability, each with increasing per-violation penalty amounts and a maximum annual limit of $1,785,651 for each tier (HIPAASecuritySuite.com, 2020). For clarification, each record exposed constitutes a single violation. It is certainly conceivable that a single configuration error or the omission of a security control could result in instantaneously reaching the maximum annual limit. For example, in 2010 Rite Aid improperly disposed of physical materials that contained PHI, resulting in a $1M settlement (Secretary & (OCR), 2017). The following sections and tables contain the security measures to be implemented to ensure compliance and reduce the risk of exposure.

Relevant Laws & Regulations

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA contains the following rules, which are the regulations for the protection of PHI.

1) Privacy Rule
   a. Establishes national standards to protect individuals' medical records and other personal health information (HHS, 2017)
2) Security Rule
   a. Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (HHS, 2017)
3) Breach Notification Rule
   a. Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (HHS, 2017)

Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act facilitates the use of Electronic Health Records (EHRs) so that information can be shared more easily among consumers, doctors, hospitals, and other parties, thereby reducing the overall cost of health care. Encryption and breach notification are also the main tenets of the HITECH final rules.

Colorado Privacy Law HB 18-1128

HB 18-1128 focuses on protecting consumer data privacy. The key topics in the new law are:

1) Definition and protection of Personal Identifying Information (PII)
2) Disposal of PII
3) Notification of Security Breach

Assumptions:

1) HHIC does not process credit card payments, so PCI DSS does not apply
2) HHIC is headquartered in Colorado

Security Policies

Corporate & Network Component Policies

Appendix A details the administrative, physical, and technical safeguards that must be put in place for compliance, and maps each safeguard directly to the HHIC security policies that already exist or still need to be drafted for compliance.

Cybersecurity Threats and Risks

The customers, providers, and HHIC workers are susceptible to social engineering threats, from phishing attacks to tailgating.

The Internet, firewalls, and web servers are threatened by myriad bad actors, including nation-state actors, cyber criminals, script kiddies, hacktivists, and any nefarious entity with access to the internet. If these components are breached, the corporate data and corporate LAN become exposed: an attacker who obtains administrative credentials, private keys, or other user roles within the network can move throughout the system.

All of these threats put HHIC at risk of financial loss, negative public opinion, loss of customers, and legal ramifications. The following list highlights some of the events that could result from the threats discussed.

1) Data Breaches
2) Malware/Ransomware Attacks
3) Data Loss or Manipulation

HHIC Network Diagram & Controls

Figure 1 HHIC Network Diagram

Network Component Security Measures

#1, #2, #3 Customers, Providers & Remote Workers

| Security Measure | Justification | Version/Encryption |
|---|---|---|
| TLS | Strongest internet cryptographic protocol | 1.3 |
| Strong Password Requirements | NIST 800-63B password standards | N/A |
| 2-Factor Authentication | The traditional login process with a username and password is insufficient in an increasingly hostile healthcare data environment (Puranik, 2019). | N/A |
| Email Encryption | NIST SP 800-45 guidance. HIPAA requirement. | AES-128 & Digital Certificates |
| VPN (Remote Workers Only) | Taylor (2020) describes how VPNs help ensure HIPAA compliance by encrypting network traffic. | See VPN Control Section |
| End-User Device Encryption (Remote Workers Only) | NIST SP 800-111 guidance | Full Disk Encryption |

#4 Off-Site Backup

| Security Measure | Justification | Version/Encryption |
|---|---|---|
| Data at Rest Encryption | "HIPAA Encryption requirements? Not really! To be sure, encryption may not always be directly required, but it is often best practice." (The Fox Group, 2019) | AES-128 |

#5 Outer Firewall

| Security Measure | Justification | Rule Examples |
|---|---|---|
| Firewall Rules | Internet traffic to our internal network must be limited to only friendly network traffic | Close unused ports. Block all traffic by default. Automated software updates. Configure security logs/audits. |
| Intrusion Detection System (IDS) | Barney (2015) discusses the difficulty in protecting patients' data, and that an IDS is the most important item for protecting data. | Configure and monitor alerts |

#6, #17 Web Servers, Web Servers to Inner Firewall

| Security Measure | Justification | Versions/Rules |
|---|---|---|
| Public Key Infrastructure (PKI) | Industry-standard public-key encryption. Data transmissions need to be encrypted. | TLS 1.3 encryption protocol |
| Public/Private Key Pair | Part of the PKI configuration (private key generates signatures, public key verifies signatures) | RSA crypto key pairs. AES-128 encryption algorithm. |
| Data Transmission Security | Prevent unauthorized traffic to web servers and unauthorized transmission of PHR. Log access of PHR. | Network traffic denied by default. Access to web servers must be explicitly allowed through the internal firewall. |

#7, #18 VPN, VPN to Inner Firewall

| Security Measure | Justification | Versions |
|---|---|---|
| Virtual Private Network (VPN) | "With a Virtual Private Network (VPN), organizations can easily protect data transmission, secure data with strong encryption and meet other compliance requirements to secure electronic Protected Health Information" (Mesoznik, 2020). | SSL tunnel VPN. TLS end-to-end encryption. Guidance provided by NIST SP 800-113. |

#8, #19, #20 Inner Firewall, Inner Firewall to Corporate LAN, User and Provider Data

| Security Measure | Justification | Rule Examples |
|---|---|---|
| Firewall Rules | Internet traffic to our internal network must be limited to only friendly network traffic | Close unused ports. Block all traffic by default. Automated software updates. Configure security logs/audits. |
| Intrusion Detection System (IDS) | Barney (2015) discusses the difficulty in protecting patients' data, and that an IDS is the most important item for protecting data. This additional IDS is to detect pivots from the web server and through the VPN. | Configure and monitor alerts |
| Transmission Security | Prevent unauthorized traffic to the corporate LAN and Provider Data. Prevent unauthorized access and transmission of PHR. Log access of PHR and Provider Data. | Access control lists. Network log monitoring and alerts. |
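The outer and inner firewall tables (#5 and #8) both call for traffic to be denied by default, with access to the web servers and data tier explicitly allowed and denials logged for audit. The following is an added example, not the report's own material, that evaluates such a default-deny policy; the address ranges, ports and rule entries are constructed placeholders standing in for the segments in Figure 1.

```python
"""Default-deny firewall policy evaluator (added example; addresses and rules are placeholders)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Constructed segment addresses (documentation ranges, not real HHIC addressing).
WEB_SERVERS = "192.0.2.0/24"
CORPORATE_LAN = "198.51.100.0/24"
USER_PROVIDER_DATA = "203.0.113.10/32"

# Outer firewall: the Internet may reach the web servers on 443 only. Nothing else is
# listed, so traffic to other ports or to the corporate LAN falls through to the default deny.
OUTER_FIREWALL = [Rule("any", WEB_SERVERS, 443, "allow")]

# Inner firewall: web servers and the corporate LAN reach the data store on the DB port only.
INNER_FIREWALL = [
    Rule(WEB_SERVERS, USER_PROVIDER_DATA, 5432, "allow"),
    Rule(CORPORATE_LAN, USER_PROVIDER_DATA, 5432, "allow"),
]


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    src_net = ipaddress.ip_network("0.0.0.0/0" if rule.src == "any" else rule.src)
    dst_net = ipaddress.ip_network("0.0.0.0/0" if rule.dst == "any" else rule.dst)
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: list, src: str, dst: str, dport: int, audit_log: list) -> bool:
    """First matching rule decides; no match means deny. Every denial is logged for audit."""
    for rule in rules:
        if _matches(rule, src, dst, dport):
            if rule.action != "allow":
                audit_log.append(f"DENY {src}->{dst}:{dport} (explicit rule)")
            return rule.action == "allow"
    audit_log.append(f"DENY {src}->{dst}:{dport} (default policy)")
    return False
```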

#9 User and Provider Data

| Security Measure | Justification | Version / Encryption / Rules |
|---|---|---|
| Data at Rest Encryption | "HIPAA Encryption requirements? Not really! To be sure, encryption may not always be directly required, but it is often best practice." (The Fox Group, 2019) Implements RBAC to prevent unauthorized access attempts. | AES-128 |
| Administrative Safeguards | Training for employees and providers on when access to PHR is authorized, as required by HIPAA privacy rules. | Only authorized personnel with legitimate business reasons may access PHR |

#10, #21, #23 Corporate LAN, Corporate LAN to User and Provider Data, Corporate Data

| Security Measure | Justification | Examples |
|---|---|---|
| Principle of Least Privilege | Ensure each role has the minimal permissions needed per its job requirements to prevent unauthorized access. | Finance personnel don't have admin perms |
| RBAC | RBAC is a way to ensure the implementation of the Principle of Least Privilege | Admin roles can do things X, Y, Z and people are assigned the Admin role, versus the permissions directly. |
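Tables #9 and #10 rely on RBAC to enforce least privilege and on logging every access to PHR. The following is an added example, not code from the report, that models this: roles carry the minimal permission sets, users are assigned roles rather than permissions, and each PHR request is written to an audit log whether it is allowed or denied. Role names, permissions and user identities are constructed placeholders.

```python
"""RBAC with least privilege and PHR access logging (added example; names are placeholders)."""
from dataclasses import dataclass

# Each role carries only the permissions its job function needs (least privilege).
# The admin role manages accounts but, by design, has no PHR permission at all.
ROLE_PERMISSIONS = {
    "provider": {"phr:read", "phr:write"},
    "finance": {"claims:read", "claims:write"},
    "admin": {"user:create", "user:disable", "role:assign"},
}

# Users are assigned roles, never permissions directly (constructed sample users).
USER_ROLES = {
    "dr_lee": {"provider"},
    "acct_kim": {"finance"},
    "it_admin": {"admin"},
}


@dataclass(frozen=True)
class Decision:
    user: str
    permission: str
    allowed: bool
    via_roles: frozenset  # roles that granted the permission; empty when denied


def roles_with_permission(permission: str) -> set:
    """Review helper: which roles grant a permission? Confirms PHR access stays provider-only."""
    return {role for role, perms in ROLE_PERMISSIONS.items() if permission in perms}


def check_access(user: str, permission: str, audit_log: list) -> Decision:
    """Default-deny check; unknown users have no roles. Every PHR request is logged."""
    granting = frozenset(
        role for role in USER_ROLES.get(user, set())
        if permission in ROLE_PERMISSIONS.get(role, set())
    )
    decision = Decision(user, permission, bool(granting), granting)
    if permission.startswith("phr:"):  # tables #6, #8 and #9: log access of PHR
        outcome = "ALLOW" if decision.allowed else "DENY"
        audit_log.append(f"PHR_ACCESS {outcome} user={user} perm={permission} roles={sorted(granting)}")
    return decision
```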

#11, #22 Wireless Access Point, Wireless Access Point to Corporate LAN

| Security Measure | Justification | Version / Encryption / Rule |
|---|---|---|
| Data In Transit Encryption | Encryption is needed for data in transit to prevent eavesdropping and packet sniffing. | WPA2-PSK |
| Access Control | Prevent access from the WAP to servers with sensitive info. Isolated guest network. | Segmented networks. Restrict access by MAC address. |

#12 Corporate Data

| Security Measure | Justification | Version/Encryption |
|---|---|---|
| Data at Rest Encryption | "HIPAA Encryption requirements? Not really! To be sure, encryption may not always be directly required, but it is often best practice." (The Fox Group, 2019) Implements RBAC to prevent unauthorized access attempts. | AES-128 |

#13, #14, #15 Customers, Providers, and Remote Worker VPN to Outer Firewall

| Security Measure | Justification | Version/Encryption |
|---|---|---|
| TLS | Strongest internet cryptographic protocol | 1.3 |
| Strong Password Requirements | NIST 800-63B password standards | N/A |
| 2-Factor Authentication | The traditional login process with a username and password is insufficient in an increasingly hostile healthcare data environment (Puranik, 2019). | N/A |
| Email Encryption | NIST SP 800-45 guidance. HIPAA requirement. | AES-128 & Digital Certificates |
| VPN (Remote Workers Only) | Taylor (2020) describes how VPNs help ensure HIPAA compliance by encrypting network traffic. | See VPN Control Section |
| End-User Device Encryption (Remote Workers Only) | NIST SP 800-111 guidance | Full Disk Encryption |

References

Barney, B. (2015, December 7). Intrusion Detection System: What's Missing in HIPAA Security. Retrieved from https://www.securitymetrics.com/blog/intrusion-detection-system-whats-missing-hipaa-security

Boeckl, K. (2020, March 19). NIST SP 800-113. Retrieved from https://www.nist.gov/privacy-framework/nist-sp-800-113

Health Insurance Reform: Security Standards. (2003, February 20). Retrieved from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf?language=es

HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 16). HIPAA for Professionals. Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html

HIPAASecuritySuite.com. (2020, March 26). HIPAA Violation Fines and Penalties: What Are They in 2020? Your Key To HIPAA Compliance®. Retrieved October 27, 2020, from https://hipaasecuritysuite.com/hipaa-violation-fines-and-penalties-what-are-they-in-2020/

Mesoznik, K. (2020, June 21). How a VPN Can Help with HIPAA Compliance. Retrieved from https://www.perimeter81.com/blog/cloud/hipaa-compliance-vpn/

Puranik, M. (2019, February 20). Two-Factor Authentication: A Top Priority for HIPAA Compliance. Retrieved from https://www.techopedia.com/two-factor-authentication-a-top-priority-for-hipaa-compliance/2/33761

Secretary, H., & (OCR), O. (2017, June 07). Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case. Retrieved October 27, 2020, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/rite-aid/index.html

Taylor, S. (2020, March 18). Benefits of VPN for HIPAA Compliance. Retrieved from https://www.totalhipaa.com/benefits-vpn/

The Fox Group. (2019, May 02). HIPAA Encryption Requirements or Best Practices. Retrieved from https://www.foxgrp.com/hipaa-compliance/hipaa-encryption-requirements/

Tracy, M., Jansen, W., Scarfone, K., & Butterfield, J. (2007, February 20). Guidelines on Electronic Mail Security. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-45/version-2/final

Glossary

AES-128: Advanced Encryption System, 128-bit key length secure encryption algorithm.

End-To-End Encryption (E2EE): The encrypted data in transit is never decrypted at any of the nodes along the way. Only the receiver decrypts the data.

Firewall: A device used to stop unauthorized access to private networks.

MAC Address: Media Access Control (MAC) address is a unique identifier assigned to a network interface card.

NIST: National Institute of Standards and Technology. Department of Commerce organization that defines technology standards.

Phishing: A social engineering attack that is administered via email attempting to get an employee to click on a malicious link, or provide confidential information.

PHR: Protected Health Records.

RBAC: Role Based Access Control (RBAC) defines roles used for accessing resources on a network. Individual users are assigned these roles for accessing only what is necessary for them to do their jobs.

RSA: Rivest-Shamir-Adleman cryptosystem used to generate keys, one to encrypt and the other to decrypt, securing data transmissions.

TLS 1.3: Transport Layer Security version 1.3 is the latest and most secure cryptographic protocol for internet communications.

Virtual Private Network (VPN): A device that establishes a secure, encrypted "tunnel" from a public network such as the internet, through the corporate outer firewall.

Appendix A. HIPAA Security Standards Matrix

Table 1 HIPAA Security Standards Matrix (Health Insurance Reform: Security Standards 2003)
