FINAL PROJECT
Cryptographic Controls
Sigma Health Insurance Company
CSOL510 - ASSIGNMENT 7
BENJAMIN PALERMO, CHIRAG SHAH & JULIAN BENNETT
OCTOBER 26, 2020
1.0 Executive Summary
2.0 Security Compliance
3.0 Security Policy
3.1 Data Protection Policy
4.0 Security Risks & Threats
5.0 Cryptography Diagram: 4 User Types
5.1 Trust Framework
5.2 Cryptographic Functions
6.0 Understanding Healthcare Ecosystem
7.0 Network Architecture
8.0 Components
Appendix I: Authentication by LDAP, Kerberos, or Certificate
Glossary of Terms
Sources
1.0 Executive Summary
Information, both company-internal and customer data, is an essential asset and is vital to the
business operations and long-term viability of Sigma Health. Sigma Health must ensure that its
information assets are protected in a manner that is cost-effective and that reduces the risk of
unauthorized information disclosure, modification, or destruction. Sigma Health's Information Security
Program will adopt a risk management approach to security. That approach requires the identification,
assessment, and mitigation of the threats, access paths and vulnerabilities that can affect Sigma Health's
and its customers' information. Sigma Health must develop and enforce Information Security policies
that define Information Security objectives in each topical area, and Information Security standards that
provide measurable guidance in each policy area. Network architecture, and the enforcement of security
controls within the network, are vital to protecting Sigma Health's and its customers' data.
2.0 Security Compliance
It is important to note that Sigma Health is in the health insurance business and has multiple compliance
and regulatory obligations, including:
• PCI DSS
• HIPAA/HITECH
• State data breach notification laws
• Sarbanes-Oxley
• GLBA
• Data residency / data sovereignty requirements
This document presents a network diagram for Sigma Health. The cryptographic techniques and
programs outlined in this plan secure electronic protected health information (ePHI) for customers and
payments to and from business partners. The ePHI stored and transmitted is regulated by the U.S.
Health Insurance Portability and Accountability Act (HIPAA). The cryptographic standards recommended
for HIPAA compliance are set by NIST (National Institute of Standards and Technology). Most of the
encryption processes and programs set forth in this plan follow NIST standards; they are listed in
Section 3.1, "Data Protection Policy".
3.0 Security Policy
The cryptographic architecture begins with a written policy that outlines the encryption strategies used
to protect consumer data. Second, the policy is endorsed by management to ensure it has support from
the highest levels. Third, the policy for consumer protections is communicated to end users, payors,
providers, cloud services, and all other third parties.
Below is the recommended Data Protection Policy, which is enforced through the network architecture,
security practices and cryptographic technologies described in the rest of this document.
3.1 Data Protection Policy
ENCRYPTION COMPONENT | SPEC | SELECTION GUIDANCE | DATA TYPE
Transport Layer Encryption | TLS 1.2 | NIST SP 800-52 Rev. 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations | TRANSIT
Block Cipher for Web Server | GCM in TLS 1.2 | NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC | TRANSIT
Block Cipher for Customer/Provider Data in Storage | CBC with random IV, Twofish | NIST SP 800-38A (2001 edition), Recommendation for Block Cipher Modes of Operation: Methods and Techniques | STORAGE
Block Cipher for BitLocker | CBC for AES | RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec; BitLocker: https://cryptoservices.github.io/fde/2014/12/08/code-execution-in-spite-of-bitlocker.html | STORAGE
Hash for Short-term (BitLocker) | SHA-256 | FIPS 180-4, Secure Hash Standard (SHS); https://technet.microsoft.com/en-us/security/ff690553.aspx | STORAGE
Hash for Long-term (years) | SHA-3 | FIPS PUB 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | STORAGE
Hash for Server Connection | SHA-256 | FIPS 180-4, Secure Hash Standard (SHS) | TRANSIT
MAC for LAN & VPN | HMAC-SHA256 | RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec; FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC); NIST SP 800-77, Guide to IPsec VPNs; NIST SP 800-113, Guide to SSL VPNs | TRANSIT
Key Protocol for BitLocker / Internet | RSA 2048 (at least) | NIST SP 800-57 Part 3 Rev. 1, Application-Specific Key Management Guidance | STORAGE / TRANSIT
Key Protocol for Web Server | ECDH | RFC 5480, Elliptic Curve Cryptography Subject Public Key Information; NIST SP 800-56A Rev. 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography | TRANSIT
Key Management / Authentication for users of the Sigma Health database | Kerberos | NIST Best Practices for Privileged User PIV Authentication; Kerberos configuration: https://technet.microsoft.com/en-us/library/cc749438(v=ws.10).aspx | STORAGE / TRANSIT
Key Management / Authentication for Communications with Providers/Partners | RSA-based ("SSL") certificates | NIST SP 800-57 Part 3 Rev. 1, Application-Specific Key Management Guidance | TRANSIT
Employee Devices | FDE application to encrypt the boot sequence; AES-256, CBC, HMAC-SHA256 | NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices | STORAGE
Data Disposal | Alterec: Destruction | NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization | DISPOSAL
Notes on the table:
• SP 800-52 Rev. 2 (2019) supersedes Rev. 1. It keeps TLS 1.2 as the floor and requires servers to support TLS 1.3, so new deployments should enable TLS 1.3 alongside 1.2. SP 800-56A Rev. 3 (2018) likewise supersedes Rev. 2.
• Twofish is not a FIPS-approved block cipher, and SP 800-38A defines modes only for approved ciphers (AES and TDEA). For the NIST alignment this plan claims, the storage cipher for customer/provider data should be AES.
• CBC with a random IV protects confidentiality only. Pair it with HMAC-SHA256 computed over the ciphertext (encrypt-then-MAC), as the Employee Devices row does, or use an authenticated mode such as GCM.
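The transit rows of the table (TLS 1.2 minimum, GCM suites, ECDH key agreement) can be enforced and audited in code. The following is an added example written for this edit, not code from the original document or from Sigma Health; it uses Python's standard ssl module, and the policy constants, function names and the legacy cipher list at the bottom are assumptions constructed for the example. The audit accepts ChaCha20-Poly1305 as an AEAD suite even though the table lists only GCM, because OpenSSL enables it for TLS 1.3 and Python cannot disable it; TLS 1.3 itself is not excluded, consistent with SP 800-52 Rev. 2.

```python
"""Transport-layer policy check for the Sigma Health web tier.

Builds a server-side TLS context that follows the transit rows of the
policy table (TLS 1.2 minimum, GCM suites, ECDH key agreement) and audits
an enabled cipher list for anything those rows forbid."""
import ssl

# Policy constants for this example (assumed, not taken from the document).
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string: ECDHE key agreement with AES-GCM only; no anonymous
# or null suites, no MD5. It governs TLS 1.2 and below; TLS 1.3 suites are
# AEAD with ephemeral key exchange by construction and are configured
# separately by OpenSSL.
POLICY_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"


def build_tls_context() -> ssl.SSLContext:
    """Server context that enforces the transit rows of the policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION        # SP 800-52: no TLS 1.0/1.1
    ctx.set_ciphers(POLICY_CIPHERS)          # SP 800-38D: GCM on the web tier
    ctx.options |= ssl.OP_NO_COMPRESSION     # compression leaks plaintext (CRIME)
    return ctx


def audit_suite_names(names) -> list:
    """One finding per suite that breaks the policy.

    Works on OpenSSL suite names so it can run over an exported server
    configuration as well as a live context. TLS 1.3 suites (TLS_*) pass.
    """
    findings = []
    for name in names:
        if name.startswith("TLS_"):
            continue
        if "GCM" not in name and "CHACHA20" not in name:
            findings.append(f"non-AEAD suite enabled: {name}")
        elif not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit a live context: protocol floor, compression, every enabled suite."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        floor = ssl.TLSVersion(ctx.minimum_version).name
        findings.append(f"minimum version {floor} is below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    findings.extend(audit_suite_names(c["name"] for c in ctx.get_ciphers()))
    return findings


if __name__ == "__main__":
    print("policy context:", audit_context(build_tls_context()) or "no findings")
    # Constructed legacy suite list (not the output of any real server).
    legacy = ["ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256", "DES-CBC3-SHA"]
    for finding in audit_suite_names(legacy):
        print("legacy list:", finding)
```

Run the audit against the policy context and it reports nothing; run it over the constructed legacy list and it flags the CBC suites and the RSA-key-exchange suite that lacks forward secrecy. The same name-based check can be pointed at a cipher list exported from a load balancer or web server before a change ticket is approved.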
4.0 Security Risks & Threats
Sigma Health is in the business of managing very sensitive data belonging to customers and employees.
The security risks and threats against the company exist at every level: data management and storage,
the transport layer, the application layer, the network layer, and the physical layer. The company should
always track how data moves and who is authorized to review or touch it. A change management
practice should be enforced so that only authorized individuals have access to sensitive data. Data
manipulation and corruption, business continuity, and data availability (disaster recovery) are important
items to review and keep up to date. On the corporate side, the company should protect against
malware such as ransomware and continue to train its employees on security and data protection. GDPR
and CCPA privacy requirements should always be met to protect the privacy of customer and employee
information. Below is one of the main laws the company must comply with at all times: HIPAA.
The penalty structure for a violation of HIPAA is tiered, based on the knowledge the covered entity had
of the violation. The Department of Health and Human Services' Office for Civil Rights (OCR) sets the
penalty based on many "general factors" and the seriousness of the HIPAA violation (HIPAA Journal,
2015).
Civil penalties
CATEGORY | VIOLATION DESCRIPTION | FINE AMOUNT
Category 1 | A violation the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules | Minimum $100 per violation, up to $50,000
Category 2 | A violation the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of the HIPAA Rules) | Minimum $1,000 per violation, up to $50,000
Category 3 | A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation | Minimum $10,000 per violation, up to $50,000
Category 4 | A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation | Minimum fine of $50,000 per violation
Criminal penalties
TIER | PENALTY
Tier I | Reasonable cause or no knowledge of the violation: up to 1 year in jail
Tier II | Obtaining PHI under false pretenses: up to 5 years in jail
Tier III | Obtaining PHI for personal gain or with malicious intent: up to 10 years in jail
Estimated Costs of Violations
The average breach cost in healthcare is $355 per stolen record (Snell, 2016), more than twice the
average cost per stolen record across all industries (see Appendix I). The Anthem data breach exposed
the records of 78.8 million consumers and led to a lawsuit that cost the insurer $115 million (Snell, 2017).
Other costs may include a hospital's desperate payment of a ransom to recover data encrypted by
ransomware.
5.0 Cryptography Diagram: 4 User Types
The diagram accounts for four types of users: customers (buyers of medical insurance), providers
(medical organizations providing services to customers), on-site workers (corporate), and off-site
workers (remote locations). Sigma Health Insurance workers on site use workstations connected directly
to the corporate local area network (LAN); remote workers connect to the corporate LAN via a virtual
private network (VPN). Corporate workstations connect to servers behind an inner firewall, and a
wireless access point (WAP) is used by guests only. See Appendix I for a full outline of the components
and interfaces associated with the architecture.
5.1 Trust Framework
The trust framework records, for each class of host using Sigma Health applications, whether the host
itself and the network it runs on are trusted. The tiers of hosts are customers, providers/partners,
corporate workers on site, and corporate workers off site using the VPN.
Connections to Sigma Health are authenticated with the Kerberos server, LDAP, or PKI, as shown
graphically in Appendix I.
TRUST MODEL
USER | TRUSTED HOST? | TRUSTED NETWORK? | AUTHENTICATION
Customers | NO | NO | Kerberos Realm 1 (records access); 2FA, with a message sent to e-mail/phone to help secure the host
Providers / Partners | YES | NO | Kerberos Realm 2 (database access); PKI / certificate for communications, payment and EDI to Sigma Health Insurance
Corporate Workers on Site | YES | YES | LDAP (database access); PKI / certificate for communications, payment and EDI from providers
Corporate Workers on VPN | YES | NO | Kerberos Realm 3 (database access); PKI / certificate for access to the local network
5.2 Cryptographic Functions
Cryptographic hashes safeguard data by providing a secure checksum. The attributes of a good hash
function are: 1. speed, 2. sensitivity to every input bit, so that changing one bit changes roughly half of
the output bits, and 3. collision resistance (Scott, 2013). (Speed is a virtue for integrity checks; password
storage needs a deliberately slow function and is not covered here.) NIST and the OWASP Foundation,
an open community dedicated to application security, recommend SHA-256 or stronger as the hash
function (OWASP, 2017). Therefore, most of the hashes used will be SHA-256 for simplicity and
efficiency. The SHA-2 output lengths of 256, 384 and 512 bits were chosen so that their collision
resistance (128, 192 and 256 bits) matches the three AES key sizes, and AES is one of the main
algorithms used in this plan (SHA-256, n.d.). As for MACs, HMAC-SHA256 is recommended by security
practitioners and by NIST; HIPAA itself is technology-neutral, and HHS guidance defers to the NIST
recommendations. HMAC resists key-recovery attacks that would reveal the key K to the attacker, and
forgery attacks that can be mounted without interacting with the system (Ferguson, 2010).
DATA TRANSFERS AND COMMUNICATIONS, with the HASH/MAC USED for each group:
Application messages, MACed with HMAC-SHA256:
• Patient billing and administrative information exchanged with payers and health plans
• Utilization and case management data, including authorizations and referrals, exchanged with payers, hospitals and utilization management organizations
• Lab and other clinical data electronically sent to and received from outside labs
• E-mails between physicians and patients, and between attending and referring physicians and their offices
Files hashed with SHA-256, from the web or on disk:
• Patient health information gathered from or displayed on a web site or portal
• Word-processing files used in transcription and other kinds of patient reports that are transferred electronically
• Stored e-mails, lab information and patient billing information
(Kibbe, 2005)
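The distinction the section and the table draw, HMAC-SHA256 for messages in motion and a plain SHA-256 for files at rest, is easiest to see in code. The following is an added example written for this edit, not code from the original document or from Sigma Health; it uses only Python's standard library. The demo key, the claim record and the forgery scenario are constructed for the example, and the function names are assumptions.

```python
"""Hash and MAC helpers for the 5.2 policy: HMAC-SHA256 for application
messages, streamed SHA-256 for files, plus the checks a practitioner would
run to see why the keyed MAC is needed where a plain hash is not enough."""
import hashlib
import hmac
import secrets

# Constructed demo key for the worked example. In production the key comes
# from the key management rows of the policy, never from source code.
DEMO_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def generate_key() -> bytes:
    """Fresh 256-bit HMAC key (FIPS 198-1: a key as long as the hash output suffices)."""
    return secrets.token_bytes(32)


def tag_message(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over an application message such as a billing or EDI record."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(tag_message(key, message), tag)


def sha256_file(data: bytes, chunk_size: int = 64 * 1024) -> str:
    """SHA-256 of a stored file, streamed so large documents need not fit in memory."""
    digest = hashlib.sha256()
    for start in range(0, len(data), chunk_size):
        digest.update(data[start:start + chunk_size])
    return digest.hexdigest()


def verify_unkeyed(message: bytes, digest: str) -> bool:
    """Integrity check with a plain hash only: anyone can recompute it."""
    return hashlib.sha256(message).hexdigest() == digest


def forge_unkeyed(message: bytes, old: bytes, new: bytes):
    """What an attacker on the wire can do when only a plain hash travels with
    the message: alter it and recompute the checksum. Returns (forged, digest)."""
    forged = message.replace(old, new)
    return forged, hashlib.sha256(forged).hexdigest()


def flipped_bits(digest_a: str, digest_b: str) -> int:
    """Hamming distance between two hex digests (the avalanche property check)."""
    return bin(int(digest_a, 16) ^ int(digest_b, 16)).count("1")


if __name__ == "__main__":
    # Constructed sample claim record, not real data.
    record = b"claim=12345;amount=100.00;payer=SigmaHealth"
    tag = tag_message(DEMO_KEY, record)
    print("HMAC verifies genuine record:", verify_message(DEMO_KEY, record, tag))

    forged, forged_digest = forge_unkeyed(record, b"amount=100.00", b"amount=900.00")
    print("plain hash accepts forged record:", verify_unkeyed(forged, forged_digest))
    print("HMAC accepts forged record:", verify_message(DEMO_KEY, forged, tag))

    one_bit = bytes([record[0] ^ 0x01]) + record[1:]
    print("output bits changed by a one-bit input change:",
          flipped_bits(sha256_file(record), sha256_file(one_bit)), "of 256")
```

The forged record passes the unkeyed check because the attacker simply recomputes the checksum; it fails the HMAC check because the attacker lacks the key, which is the property the Ferguson citation above describes. The plain SHA-256 is still the right tool for the file rows, where the digest is stored separately from the data and the threat is corruption rather than an active adversary on the wire; the one-bit experiment shows roughly half of the 256 output bits changing, the avalanche attribute listed at the start of the section.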
6.0 Understanding Healthcare Ecosystem
(Reference: Csulak & Meadows, 2017)
7.0 Network Architecture
The diagram referenced here represents the architecture for the health insurance company described in
this assignment. Each component and interface is labeled with a corresponding number; Section 8.0
records the security measures assigned to each numbered component and interface (where any are
appropriate).
8.0 Components
Below are important aspects of security best practices, enforcement, and technologies that should be
utilized and operationalized company wide. It is important for Sigma Health’s IT and security teams to
continue to mature all the components in alignment with sensitivity of the data and local and
international laws, regulations, and security certifications.
1. Customers: Security awareness training and HIPAA policy acknowledgement for all users connecting to
the company LAN, remotely or on site. Also have them sign an NDA to protect any proprietary internal
security countermeasures.
2. Providers: Must sign SLAs and NDAs to protect the company's internal security and data protection
mechanisms. The SLA should have language reminding them of SB 327 and AB 375, which protect user
data and the information privacy of businesses. A VPN agreement (MOA) should also be in place to
further protect company interests.
3. Remote Workers: Before connecting to the corporate LAN, remote workers must pass security
awareness training and acknowledge the HIPAA policies; they must always connect through the VPN,
and their work laptops must always carry PKI tokens for those connections.
4. Off-Site Backup: The backup plan needs a hot site or cold site for system restoration in case of a
disaster. A custodian must maintain and monitor the retention policies and control who can and cannot
access backups. A disaster recovery plan must be in place, together with a security plan for access and
recovery during a disaster. The off-site backup location is disclosed only to appropriate personnel on a
need-to-know basis.
5. Outer Firewall: Configure the outer firewall as a bastion host that allows only the ports and protocols
necessary to conduct business; no chat, social media, torrent, multiplayer gaming or similar traffic. Use
the longest username and password the device supports, rotate them monthly, and keep the device in
a locked cabinet. Require 802.1X port authentication so that only devices signed off by the company's
IT staff can connect, with switch port security (sticky MAC) and MAC allow/deny lists as supplementary
controls only: MAC addresses are trivially spoofed, so the authenticating credential should be a device
certificate issued by the internal CA (EAP-TLS). Never allow a new device onto the network without
prior approval at setup and install.
6. Web Servers: Do not allow an RDP gateway on the web tier; remote administration over broken SSL
versions is not acceptable. Patch weekly, with IT staff testing each patch on a VM copy first so that
functionality is not broken. Because public web servers are highly sought after by attackers, WordPress
(if used) must be patched or otherwise protected, and all data must be encrypted in transit, at rest,
and in use.
7. VPN: Use a corporate VPN to segment remote traffic from that of common users, which is the least
trustworthy. An MOA/SLA/NDA must be signed before use, since the VPN is one of the front lines of
connectivity to the company. Have legal review the documents for additional protections that limit
risk, because the contractual language becomes complicated if the VPN is compromised.
8. Inner Firewall: The inner and outer firewalls together define the DMZ: the outer firewall handles public
traffic, while the inner firewall protects the internal network only. This is a tri-homed DMZ
configuration (Shinder, 2020).
9. User and Provider Data: An MOA/SLA/NDA must be signed before use, since this data store is one of
the front lines of user privacy for the company. Have legal review the documents for additional
protections that limit risk should user accounts be compromised. Cyber insurance can also be applied
here to offset the cost of risk (risk transference).
10. Corporate LAN: All workstations in this enclave must be patched weekly. Deploy a combination of
anti-virus/anti-malware and HBSS or other endpoint security. Consider a rootkit remover and IDS/IPS
for network monitoring.
11. Wireless Access Point: The access point must run WPA3 at a minimum, with a strong passphrase that
is changed monthly and never reused. MAC filtering, static IP assignment and a hidden SSID may be
added as supplementary controls, but they do not stop a determined attacker, since MAC addresses and
hidden SSIDs are observable over the air; WPA3 and 802.1X carry the security. Limit use to the 2.4 GHz
band, monitor for firmware updates, turn off guest networking, and disable port forwarding.
12. Corporate Data: If in California, the company can use AB 375 (the California Consumer Privacy Act)
to protect user data in a way similar to GDPR. All corporate data must be encrypted.
13. Customers to Outer Firewall: Customers complete the NDA, user awareness training and HIPAA
acknowledgement of item 1; the outer firewall carries the bastion-host, credential, physical and 802.1X
controls of item 5.
14. Providers to Outer Firewall: Providers sign the SLA, NDA and VPN MOA of item 2; the outer and inner
firewalls form the tri-homed DMZ of item 8.
15. Remote Workers to VPN: Remote workers meet the training, HIPAA, always-on VPN and PKI token
requirements of item 3; the VPN carries the segmentation, agreement and legal review controls of
item 7.
16. Outer Firewall to Web Servers: The outer firewall carries the controls of item 5; the web servers carry
the no-RDP-gateway, weekly patching, VM patch testing, WordPress hardening and encryption controls
of item 6.
17. Web Servers to Inner Firewall: The web servers carry the controls of item 6; the inner and outer
firewalls form the tri-homed DMZ of item 8.
18. VPN to Inner Firewall: The VPN carries the controls of item 7; the inner and outer firewalls form the
tri-homed DMZ of item 8.
19. Inner Firewall to Corporate LAN: All workstations in the enclave carry the weekly patching, endpoint
security and IDS/IPS controls of item 10.
20. Inner Firewall to User and Provider Data: The agreements, legal review and cyber insurance of item 9
apply.
21. Corporate LAN to User and Provider Data: The agreements, legal review and cyber insurance of item 9
apply.
22. Wireless Access Point to Corporate LAN: Recommend shutting the access point down or limiting its
use to executives only. If it must be used, every workstation in this enclave carries the weekly patching
and endpoint security controls of item 10 (anti-virus, anti-malware, HBSS or other endpoint security,
rootkit remover), and the LAN is monitored with IDS/IPS.
23. Corporate LAN to Corporate Data: AB 375 applies as in item 12. All data must be encrypted in transit,
at rest, and in use, and the workstations in this enclave carry the weekly patching, endpoint security and
IDS/IPS controls of item 10.
Also engage a third-party penetration test annually, once the controls are in place, to test the attack
surface. Use virtualization to create segmentation between devices as well; VMs also allow easy backup
and restoration.
Additionally, the STIGs below should be applied to all applicable devices:
Firewall STIG
Windows Server 2016 STIG (assuming brand)
Windows 10 STIG
Wireless STIG
Cisco Switch STIG (assuming brand)
Multi-Function Device STIG
Windows Defender STIG
.NET Framework STIG
Active Directory STIG
Application Gateway STIG
Database STIG
Linux STIG
Microsoft Office STIG (all products in use)
Network Infrastructure Policy STIG
VPN STIG
Appendix I: Authentication by LDAP, Kerberos, or Certificate
Glossary of Terms
ACRONYM | DEFINITION
2FA | Two-Factor Authentication
AB 375 | Privacy: personal information: businesses (the California Consumer Privacy Act)
AES | Advanced Encryption Standard
CA | Certificate Authority
DDOS | Distributed Denial of Service
DMZ | Demilitarized Zone
DNS | Domain Name System
DOS | Denial of Service
EDI | Electronic Data Interchange
ePHI | Electronic Protected Health Information
FDE | Full Disk Encryption
GDPR | General Data Protection Regulation
HBSS | Host Based Security System
HIPAA | Health Insurance Portability and Accountability Act
HMAC | Keyed-Hash Message Authentication Code
IDS | Intrusion Detection System
IPS | Intrusion Prevention System
LAN | Local Area Network
LDAP | Lightweight Directory Access Protocol
MAC | Media Access Control (networking); Message Authentication Code (cryptography)
MOA | Memorandum of Agreement
NDA | Non-Disclosure Agreement
PIV | Personal Identity Verification
PKI | Public Key Infrastructure
RDP | Remote Desktop Protocol
SB 327 | Information privacy: connected devices
SLA | Service Level Agreement
SSID | Service Set Identifier
SSL | Secure Sockets Layer
STIG | Security Technical Implementation Guide
TLS | Transport Layer Security
VM | Virtual Machine
VPN | Virtual Private Network
WAP | Wireless Access Point
WPA3 | Wi-Fi Protected Access 3
Sources
Axonius, D. (2019). California IoT security law: What it means and why it matters. Help Net Security.
Retrieved from https://www.helpnetsecurity.com/2019/11/20/california-iot-security-law/
Centers for Disease Control and Prevention. (2020). Health Insurance Portability and Accountability Act
of 1996 (HIPAA). Retrieved from https://www.cdc.gov/phlp/publications/topic/hipaa.html
California Legislative Information. (2018). Assembly Bill No. 375: Privacy: personal information:
businesses. Retrieved from
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
California Legislative Information. (2018). Senate Bill No. 327: Information privacy: connected devices.
Retrieved from https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
Department of Defense Cyber Exchange. (2020). Security Content Automation Protocol (SCAP). Retrieved
from https://public.cyber.mil/stigs/scap/
Fing. (2020). Fing Box. Retrieved from https://www.fing.com/products/fingbox/
Intersoft Consulting. (2020). General Data Protection Regulation (GDPR). Retrieved from
https://gdpr-info.eu/
Ross, W. (2020). NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and
Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
53r5.pdf
Shinder, D. (2020). Defense Plan 1: The Trihomed DMZ. Retrieved from
https://www.globalspec.com/reference/29260/203279/chapter-2-defense-plan-1-the-trihomed-dmz