Risk Assessment Report of Hospital

Executive Summary

This brief discusses takes an inside look of Bluebird hospitals infrastructure with a Risk Assessment Report (RAR). Information is provided to leadership on the potential threats our network could fall prey to if action is not taken. A system characterization was given to give in sight on Bluebird’s information system as a whole. A breakdown of the hardware, software, system interfaces, users, and databases used to protect the system. There were 4 observations that was discovered when conducting the assessment. Each observation will be reviewed through description, existing mitigating controls, vulnerability, and recommendation. The report measures vulnerabilities using a risk level matrix. Each vulnerability is measured on a scale of low to high risk level.

Purpose

 The purpose of this Risk Assessment Report (RAR) is to inform Bluebird Hospital’s board of directors about the security assessment that was performed on the organization network system. The organization network system was scanned by using Wireshark-network protocol analyzer and Nmap-security scanner tools. These tools exposed several vulnerabilities in our system. The vulnerabilities identified by these tools could make our information system infrastructure target to multiple cyber-attacks if not fixed.

Scope

The scope of this risk assessment assessed the use of controls to eliminate vulnerabilities that were exploited by potential threats internally and externally. If exploited, these vulnerabilities could result in unauthorized disclosure of data, denial of service, significant financial loss, and web defacement.

Threats

Cyber security experts around the world has predicted that due to the lack of security control measures that many organizations have security breaches will be at an all-time high (Dobran, 2018). Due to the continued advancement of technology cyber-attacks will grow if Bluebird’s information network is not updated.  Threats to our system are expected if Bluebird’s IT management does not educate themselves on potential cyber-attacks. Spoofing/ cache poisoning exploits vulnerabilities in the system by distracting internet domain name system by diverting internet traffic to a fake server system (Hoffman, 2016). Packet Analysis/Sniffing is a tool that is used by cyber criminals to spy on the network of potential suspects and collect their passwords (O’Donnel, 2018). A DDoS attack is when the network system is compromised and users are not able to get access to the system. The distributed denial of service is used by attackers as blackmail (Florentino, 2018). Insider threats can range from to a disgruntled employee or an employee not being properly trained and falling victim to email phishing attacks. For example a Bluebird employee’s email was infected with a malware virus known to infect users via phishing emails containing malicious links. Over 1,000 patients PHI was compromised in the breach.

System Characterization

In assessing an information technology system, the first step is to characterize your system. Bluebird hospital is composed of several components to make it a whole. Policy and procedures are put in place as guideline rules for all personnel and patients at Bluebird Hospital. In Figure 1 gives a system characterization of Bluebird’s system.

Figure 1. System Characterization of Bluebird Hospital

In Figure 2 a flow chart is provided of the scope of the risk assessment efforts that were made during this risk assessment report.

Figure 2. Input and Output flowchart of the scope of the risk level assessment effort

Risk Assessment Approach

The approach Bluebird’s management takes to protect our system is detrimental to our information network. The participants that were involved in the risk assessment were the database administrator, IT department, security administrator, network manager, and system custodian. The techniques that were used to gather the information were operating systems such as MBSA and OpenVAS and network monitoring tools such as wireshark and Nmap. In the risk assessment matrix table in Figure 3 our IT team has compiled information that shows the risk level each vulnerability has on our system.

Severity

Likelihood

Figure 3. Risk Assessment Matrix of likelihood of Bluebird’s system be susceptible to vulnerabilities (MVROS, 2004)

In Figure 4 there is a description of the risk level matrix scale.

Figure 4. The risk level scale description (MVROS, 2004)

Risk Assessment Results

As technology continues to advance it is imperative for organizations take the necessary steps to ensure the systems are secure. If there are weaknesses our system to be susceptible to data exfiltration. Our organization could suffer from a major financial impact and cause trust issues for customers in the future. After scanning Bluebird’s network several observations were identified using the multiple vulnerability tools such as wireshark, Nmap, OpenVAS, identity management and MBSA. Evaluating the vulnerabilities to get a better understanding of their level of impact is important for upper management to understand. In Figure 5 the risk assessment results of observation that were identified from running scans on our network are identified and rated according the risk level matrix displayed in Figure 3:

Figure 5. Risk Assessment results identified through vulnerability tools (MVROS, 2004)

Summary

There were 4 observations that were identified in this risk assessment report. Observation 1 was multiple user accounts on one computer. This was given a level 6 on the risk level matrix because this is one of the ways our system could be exposed to insider threats. The recommendation for this observation would be to have individualized common access cards that only allows one user on a computer at a time. Observation 2 user having non expiring passwords. This observation was given an 8 on the risk level matrix because hackers could easily guess the users password and infiltrate the system. The recommendation would be for employees to change their passwords every 30 days. The information system will have automatic updates that will require user to update their passwords before moving forward. Observation 3 was fire wall connections were turned off. This was given a 21 on the risk level matrix because firewalls are one of Bluebird’s first line of defense against cyber-attacks. It is recommended that all firewalls connections be turned on at all times and constant updates of the firewall system so the system is constantly protected. Observation 4 is port 3306 is method exploited by nemog and W32.Spybot. This was given a 25 on the risk level matrix because nemog is a backdoor trojan horse virus. Our system could be fully comprised and all access could be lost. It was recommended that an update of malware protection be installed to prevent and remove any viruses.

Conclusion

In conclusion, technology will continue to be updated and therefore threats to any organization network infrastructure needs to be in the fore front of leadership concerns. Using the information provided in this risk assessment report should provide leadership on the areas of concern in our network. Understanding the cost consequence and damage that could possibly be done to the information infrastructure is detrimental. Improving on multi factor authentication and outsourcing a cyber-security company is heavily advised.

References

• Dobran, B. (2018) Cybersecurity Trends 2018: 32 Experts Make Predictions. Found at: https://phoenixnap.com/blog/cybersecurity-experts-threats-trends
• Florentino, N., (2018) Impact of cyber security incidents on financial institutions. Found at: https://static1.squarespace.com/static/555f9696e4b0767a7f0769b3/t/5ab1ae2d8a922dca86e30ee8/1521593911874/The+Impact+of+Cybersecurity+Incidents+on+Financial+Institutions+WHITE+PAPER.pdf
• O’Donnell, A. (2018). What are Packet Sniffers and How Do They Work? Found at:
• https://www.lifewire.com/what-is-a-packet-sniffer-2487312
• Hoffman, C. (2016). What is DNS Cache poisoning? Found at: https://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/
• MVROS. (2004). Detailed risk assessment report. Found at: https://itsecurity.uiowa.edu/sites/itsecurity.uiowa.edu/files/sampleriskassessmentreport.pdf