Page 1
June 4, 2014
ABC Company
Proposed revision of Information Security Policy
Anthony Ronning: Information Security Manager

OBJECTIVE:
Due to the recent breach of our electronic health record (EHR) systems, it is necessary that policies pertaining to access and control mechanisms of health records be reviewed and/or modified to mitigate future incidents

SPECIFIC GOALS: 1.) Implement a standard based on Attribute Based Access Control (ABAC) to ensure that electronic health records (EHR) are protected from unauthorized entities 2.) Implement a standard for the use of remote access methods to information systems 3.) Implement a standard that ensures that access to electronic health records (EHR) is audited and backed up without changes or over writing
INFORMATION SECURITY POLICY GOALS: * Confidentiality = data or information is not made available or disclosed to unauthorized persons or processes * Unauthorized access = the INABILITY of unauthorized persons to read, write, modify, or communicate data/information or otherwise use any system resource * Integrity = data or information has not been altered or destroyed in an unauthorized manner * Availability = data or information is made accessible and usable upon demand by authorized users * Legislative and Regulatory Requirements = policies comply with Federal and HIPAA regulatory standards * Business continuity plan integration = policy revisions fall within the business continuity plan of protecting the organization from exposure to internal and external threats
ADHERANCE TO SECURITY POLICY GOALS: * Information Security Training = new users will be required to complete information security training modules as a requirement for employment * Receipt of Information Security Policy = new users will be supplied with, and must sign for, a copy of the organizations information security policy

Page 2

* Management approval = Information Security Policy has been reviewed and approved by all upper management and security personnel * Suspected security breaches = any person who suspects a security breach is responsible for reporting that breach to the Information Security Manager * Preventive and Contingency Plan = end point security, virus protection, access control and backup and storage plans are in place *
PROPOSED REVISIONS/ADDITIONS
Attribute Based Access Control (ABAC) Standard
Change justification: The audit revealed that undocumented standard user accounts had been set up and then escalated to full access. This may or may not have been an inside operation and for the point of this proposal it is immaterial if these new standards are adopted. It is obvious that the escalated privileges obtained were a result of poor practices. A stronger, more granular method of access control must be adopted. Attribute Based Access Control (ABAC) is a logical access control method that controls access to objects; in this specific case, health records, by evaluating rules against attributes. Attributes are characteristics of the requestor (subject) such as name, date of birth, home address, training, and job function. Objects (resources) also have attributes such as specific kinds of health records and not necessarily all health records (NIST Publication 800-162). The advantage of using attribute based access control is the ability to be more granular and limit only specific subject’s access to specific objects. A subject is assigned a set of subject attributes, and those attributes are matched to a set of object attributes, such as a folder containing specific health records. The administrator is the owner of the object and creates the access control rules based upon the attributes of the subject and the object.
Developmental Steps: (NIST 800-162 section 3.1.3) * Identify objects (specific records) that will be shared and protected by ABAC * Define the rules or policies that will govern their protection * Identify and define the subject and object attributes, along with their associated authorities, in coordination of access control rule developers (administrator/owners) * Develop processes regarding how the access control policies are written, validated and managed * Determine how the Access Control Mechanism (ACM) will be segmented or distributed throughout the organization and how attribute, policy, and decision requests and responses will be rendered.
Notes of interest: Attribute based access control can be more costly to develop depending on how complex the implementation. The advantage is that it can implement an existing role based method and migrate into a more granular policy based upon the characteristics (attributes) of the individual requestor. The extra costs associated with implementation can be insignificant when Page 3

weighed against the damage of liabilities associated with compromised health data and personal information. In addition, the adoption of ABAC will limit the amount of records that are accessed in a given time period, because the administrator can include attribute rules pertaining to the number of times an object can be accessed and rules as to how many objects a subject can access at a time and in a given time period.
Remote Access Standard
Change Justification: The audit revealed that the unauthorized accounts that were created happened to be remote access accounts. If these accounts were indeed created by remote access there is a dangerous weakness in the organization’s information systems. There is an immediate need for the implementation of a strict standard for remote users. Sensitive information that is sent to or from external network devices needs to be protected so that malicious parties can neither alter nor access that information. An unauthorized release of sensitive information could damage the public’s trust in the organization (NIST Publication 800-114).
Securing a teleworkers PC: (NIST Publication 800-114)

* Using a combination of security software, such as antivirus and antispyware software, personal firewalls, spam and Web content filtering, and popup blocking, to stop most attacks, particularly malware * Restricting who can use the PC by having a separate standard user account for each person, assigning a password to each user account, using the standard user accounts for daily use, and protecting user sessions from unauthorized physical access * Ensuring that updates are regularly applied to the operating system and primary applications, such as Web browsers, email clients, instant messaging clients, and security software * Disabling unneeded networking features on the PC and configuring wireless networking securely * Configuring primary applications to filter content and stop other activity that is likely to be malicious * Installing and using only known and trusted software * Configuring remote access software based on the organization’s requirements and recommendations * Maintaining the PC’s security on an ongoing basis, such as changing passwords regularly and checking the status of security software periodically.

Remote access method: The proposed remote access method is a Virtual Private Network (VPN) with IP Security (IPsec). A VPN is a secure tunnel that connects the teleworker with the
Page 4

organization’s resources. Using IPsec requires the IPsec client software to be installed and configured on the teleworker’s device. Some applications that the user needs to use such as office productivity software requires remote desktop software to also be installed. IPsec also adds the capability of encrypting the traffic between the teleworker and the organization’s resources (NIST Publication 800-114). Wired Home Networks Precautions: Teleworkers should secure their wired home networks to help protect their telework devices. If a teleworker device connects directly to the teleworker’s ISP, such as plugging the device directly into a cable modem, then the device becomes directly accessible from the Internet and is at very high risk of being attacked. To prevent this from occurring, the home network should have a security device between the ISP and the telework device. This is most commonly accomplished by using a broadband router (e.g., cable modem router, DSL router) or a firewall appliance (NIST Publication 800-114). The following steps should be taken when setting up the router:

* Changing default passwords on the device so that attackers cannot use them to gain access to the device * Configuring the device so that it cannot be administered from outside the home network, preventing external attackers from taking control of the device * Configuring the device to silently ignore unsolicited requests sent to it, which hides the device from malicious parties. * Checking for updates and applying them periodically, as explained in the manufacturer’s documentation—either automatically (typically daily or weekly) or manually (to be performed by the teleworker at least monthly) * For broadband routers, turning off or disabling built-in wireless access points (AP) that are not used.

Wireless Home Networks Precautions:

Wireless networking transfers information through the air between a telework device and a wireless AP. If improperly configured, a wireless home network will transmit sensitive information without adequate protection, exposing it to other wireless devices in close proximity. Teleworkers should secure their wireless home networks so that their remote access communications are protected. They should follow the security recommendations from the documentation for the home network’s wireless AP (NIST Publication 800-114).

* Use a WPA2, WPA, or WEP key. This key is a series of characters (either a password composed of letters, digits, and punctuation, or a hexadecimal number) that is used to
Page 5

limit access to a wireless network. A wireless AP can be configured to require each device to provide the same key as the one stored in the AP. Devices that do not know the key cannot use the wireless network. The key should be long and complex, making it difficult for others to guess. * Permit access for only particular wireless network cards. Some APs can be configured to allow only specific devices to use the wireless network. This is accomplished by identifying the media access control (MAC) address of each device’s wireless network card and entering theMAC address into a list on the AP * Change the default service set identifier (SSID). An SSID is a name assigned to a wireless AP. The SSID allows people and devices to distinguish one wireless network from another. Most APs have a default SSID—often the manufacturer or product’s name. If this default SSID is not changed, and another nearby wireless network has the same default SSID, then the teleworker’s device might accidentally attempt to join the wrong wireless network. * Disable SSID broadcasts from the wireless AP. Many wireless APs broadcast the SSID, which essentially advertises the existence of the AP to any computers in the vicinity.

Notes of interest: Adopting this remote access standard will mitigate the possibility of unauthorized users from entering the organization’s private network. A very important point is that users will be subject to the same ABAC rules when accessing network resources as they would if they were physically at the office. The added security features of the VPN tunnel and encrypting capabilities of IPsec along with the common sense precautions listed in the bullet points above will lessen the chance of a penetration by unauthorized entities.

Auditing Standard to comply with HIPAA

Change Justification: The audit revealed that the audit logs were overwritten. Whether this was the standard policy, an inside job, or the work of a smart attacker that was familiar with the rule of always covering your tracks, the logs should have been backed up; not overwritten or erased. Computer system logs have increased over the years because different systems within the whole network log different events. Many of these logs pertain to computer or network security. In this case, the logs were overwritten. This is a clear violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA includes standards for certain health information.
Section 4.1 of NIST Publication 800-66 relates to HIPAA-related log management describing the need to perform regular reviews of audit logs and access reports. Section 4.2 specifies that documentation of actions and activities need to be retained for at least six years (NIST Publication 800-66). Had the logs not been overwritten, the breach might have been discovered before any data was compromised. It is recommended that the following two storage features of NIST
Publication 800-92 be implemented along with the HIPAA requirements covered in NIST Publication 800-66 to mitigate any further compliance failures.

Page 6

Storage of logs:

Log rotation: Log rotation is closing a log file and opening a new log file when the first log file is considered to be complete. Rotation is usually performed according to a predetermined schedule (hourly, daily, weekly etc.), or when it reaches a certain size. During rotation, the log can be compressed to save space as well as scripts run to analyze the old log for malicious activity and filtering to preserve characteristics and transfer to storage (NIST Publication 800-92),

Log archival: Log archival is retaining logs for extended periods of time on removable media, servers, or stored on Storage Area Network (SAN). There are two types of log archival: Retention is archiving logs on a regular basis as part of a standard operational activity. Preservation is keeping logs that would normally be discarded because they contain records of activity of particular interest. Preservation is typically performed in support of incident handling and investigations (NIST Publication 800-92).

CONCLUSION

Had these three standards been in place before the incident, unauthorized people would not have been able to access the network using remote access nor would they have been able to bypass the Attribute Based Access Control rules. Also, the logs would have recorded their attempts to penetrate the network and would not have been overwritten. Their attempts to create unauthorized user accounts would have failed. I trust these recommendations will be given careful consideration and, if they are adopted, ABC Company will be compliant and secure from further incidents.

Page 7

References

National Institute of Standards and Technology. Guide to Attribute Based Access Control (ABAC). Definitions and Considerations. NIST Special Publication 800-162

National Institute of Standards and Technology. Users Guide to Securing External Devices for Telework and Remote Access. NIST Special Publication 800-114

National Institute of Standards and Technology. Guide to Security Log Management. NIST Special Publication 800-92 and 800-66

