Cybersecurity: A Manufacturers Guide by Clearnetwork
FMEA Final Project
University of Washington, Information Security & Risk Management
IMT 553 Final Project: Evaluation of Preventive Technologies
Date: June 2, 2015
Authors: Larry DeBellis, Carlos Cabello, Mary Marks, Steve Morehouse, Steve Vincent, Mike Whaley
Spring 2015 IMT 553 Final Report DeBellis, Cabello, Marks, Morehouse, Vincent, Whaley
Table of Contents
Executive Summary .... 3
  Risk Assessment Key .... 3
  Top 5 Risks .... 3
  Company Overview .... 3
I. Failure Modes .... 4
  TOP Failure Modes and Effects Analysis (FMEA) .... 4
II. Measures to reduce the named residual risks .... 8
  Patching .... 8
  Change Control Risk .... 8
  Antiquated firewall .... 8
  Employee Turnover .... 8
  Microsoft Exchange Server .... 9
  Bring Your Own Device (BYOD) .... 9
  Backup .... 9
  Physical security .... 9
  Connectivity .... 9
  Availability .... 10
  Non-segmented Network .... 10
  Business Risks .... 10
  Patient Tracking/Medical Records/Claims Management and Customer Billing Risks .... 10
III. Residual Risks .... 12
IV. Plan of Action and Milestones (POA&M) .... 13
Acronyms .... 14
Team .... 14
ANNEX 1: Severity, Probability, & Hazard Score Key .... 15
ANNEX 2: Risk Evaluation .... 18
ANNEX 3: Recommended Control Measures .... 24
ANNEX 4: Residual Risk Assessment .... 28
ANNEX 5: Plan of Action and Milestones (POA&M) .... 31
ANNEX 6: Bibliography .... 34
Executive Summary
We identify the known hazards and list their associated risks. We then weigh each risk against its control measures and
identify the residual risk that remains, based on our wherewithal to adopt the controls and on how well they minimize risk.
Risks can be divided into technical and business risks. Technical risks concern the systems that support operations and do
not directly face the customer. Business risks are customer-facing risks that affect business continuity and company growth.
Risk Assessment Key
The current Risk Assessment describes 4 High, 11 Medium, and 6 Low. If the recommended actions are taken
expeditiously, we anticipate Residual Risk of zero High, 2 Medium, and 19 Low - which we recommend the officers find
acceptable given the controls to be implemented.
Risk Low Medium High
Current Risk 6 11 4
Residual Risk 19 2 0
Top 5 Risks
1. Patching
2. Hardware
3. BYOD
4. Data Backups
5. Change Control
Company Overview
Kangaroo Inc. is a Seattle, Washington based provider of dental practice management and imaging software solutions.
The company offers digital imaging equipment, dental supplies, and software/hardware technical support services and
recently launched cloud-based practice management solution for its clients.
The company’s main servers in Seattle are connected via the Internet to its clients throughout the United States.
Our customers depend on our services to support their business and we provide services that organize their day-to-day
activities and host their data. We want to make sure our customers have full confidence in our ability to protect their data
in terms of confidentiality, integrity, and availability.
I. Failure Modes
TOP Failure Modes and Effects Analysis (FMEA)
Columns: Preventive Technology; How They Fail; Causes; Effects.

Patching
  How they fail: Unpatched vulnerabilities allow attack or other server software failure.
  Causes: High turnover in IT department. Insufficient documentation and tracking of updates. Heterogeneous systems = high patch diversity and pace.
  Effects: Unexpected datacenter downtimes resulting from poor patch management. Impacts regional office servers, connections to HQ services, potential loss of data. Affects customers during business hours if servers are down for patching.
  Comments: Software patching and updates are an ongoing, organization-wide problem. We face challenges keeping our software suite up to date and applying patches in a timely manner. Critical patches must be applied during regular business hours, and this creates an ongoing problem for the company and our customers. Our clients experience downtime when we apply critical software patches during business hours. This places our ability to meet SLAs at risk.

Antiquated firewall with expired support
  How they fail: Expired IDS/IPS in regional offices.
  Causes: High turnover within IT department. IT budget re-allocated to business projects.
  Effects: HQ caught an average of 801 malware events on its perimeter devices a week. DoS attacks are becoming a common event.
  Comments: We only have a single firewall device that protects our data, which places data availability and our ability to maintain SLAs at risk. We have an immediate problem with vendor support that has expired. To address this, staff will be assigned to track and manage software support contracts to avoid a lapse.

Running MSFT Exchange Server 2007; have not upgraded to 2010
  How they fail: Spam filter for Exchange server not reliable. Exchange Server management is a mess.
  Causes: Microsoft has halted support for Exchange 2007.
  Effects: Increased attack risk. 23% of users click on phishing links and 11% of those are clicking on the attachments.
  Comments: Our company uses Microsoft Exchange Server 2007 and has not upgraded to Exchange Server 2010. The spam filter is not reliable and our users are receiving an increasing number of spam messages. Microsoft is sun-setting support for our aging release of Exchange Server. Without Microsoft support, we are at increased risk from cyber-attacks and lack new defenses against emerging threats.

BYOD
  How they fail: Employee devices introduce malware onto network.
  Causes: No malware detection implemented on BYOD (e.g. employee phones).
  Effects: Malware present on network is a threat and requires funding and staff resources to combat, determine extent of damage and potential loss of data.
  How they fail: Flat network (non-segmented) allows devices on same LAN as corporate devices.
  Effects: Malware "jumps" from BYOD devices to corporate devices on same LAN.
  Comments: The Bring Your Own Device (BYOD) risk manifests itself in various means, and requires as many controls. The first control is the design of a BYOD policy that includes controls to reduce the cost and risks introduced by BYOD. Our BYOD policy must be well thought out, address our changing environment, and be updated regularly. The second BYOD control identified is to implement a VLAN or other form of network segregation with a separate WiFi signal, supported by most high-end small office/home office (SOHO) and nearly all enterprise WiFi access points / routers. The separate WiFi network would be for non-company personal and business use and, based on demand, could be split even further for increased separation. As an added note, we do have to ensure our access points/routers support this network segregation.

Data Backups
  How they fail: Corrupted backup. Causes: Hardware fails. Effects: If full backup, then impact is one week of data loss; if incremental, then impact is "n days" of data loss.
  How they fail: Same-location disaster. Causes: Lack of offsite store. Effects: Current lack of an offsite store means a disaster affecting the datacenter may destroy all backups.
  How they fail: Recovery fails. Causes: Hardware fails. Effects: Assumes good copy of data; recovery attempt fails, but replacing hardware will allow another recovery attempt.
  Comments: We have three different risk mitigations for data backups.
    1. Test each backup immediately after copy to ensure non-corruption and to allow time to repair the backup system and make new copies.
    2. Transfer backup copies to an offsite storage vault outside of the regional disaster impact zone. We would also keep an additional copy of our most recent backup locally for recovery.
    3. Keep spare hardware onsite, including replacement drives and blades, and ensure technicians are trained to swap out failed parts.

Change Control Management
  How they fail: Patch management delayed.
  Causes: Maintenance window scheduling adversely impacted by insufficient coordination with customers and/or SLA.
  Effects: Delayed patching results in potentially vulnerable systems in the datacenter.
  Comments: The risks associated with software change management are similar to software patching issues. They apply to software configuration management and its supported hardware. Issues occur when software fixes are not tested against prior software releases and hardware configurations. We must implement controls to ensure that current software fixes are thoroughly tested, so that they fix the problem and do not affect prior fixes.

Business Continuity Planning
  How they fail: Earthquake destroys datacenter. Causes: HQ office building is in a level 4 earthquake zone; 3-story, brick, not seismically retrofitted, with no plans to retrofit. Effects: All hosted services offline, all hardware damaged, all data backups destroyed (assuming current status of no offsite backups).
  How they fail: Thieves destroy or damage servers. Causes: Server not secured in a proper manner. Effects: Stolen sensitive information can be used against our clients and damage reputation.
  Comments: Business continuity of operations after a disaster is a concern.
    • Our headquarters, regional infrastructure, and remote employee access are at risk in case of a disaster.
    • These risks potentially inhibit our ability to perform day-to-day operations.

Connectivity
  How they fail: Datacenter to ISP link goes down.
  Causes: Datacenter is only connected upstream via a single ISP.
  Effects: All hosted services offline.

Availability
  How they fail: Hardware failure (firewall or server). Causes: Architecture of datacenter; multiple single points of failure (e.g. single firewall device, single blade chassis). Effects: Hosted services offline. Firewall or server chassis failure means services are offline until manual intervention.
  Causes: Service agreement; datacenter staff is not authorized to enter the Kangaroo cabinet; repairs require Kangaroo staff to travel to the datacenter. Effects: Hosted services offline. Any failure within the cabinet requires Kangaroo staff to travel to site.
  How they fail: Regional network not segmented; phones on same network as workstations. Causes: Infrastructure grew fast at regional locations and lack of segmentation was an oversight. Effects: Allows malicious traffic to mask itself as VOIP traffic and infect workstations. Potential downtime at regional office if workstations infected.

Patient tracking
  How they fail: Patient database unavailable. Tracking system software not properly exchanging data between database and customer system.
  Causes: Servers are segmented from each other and unable to communicate with each other.
  Effects: Customers (providers) unable to conduct patient monitoring because medical records are not available. Medical files and billing and insurance records contain the most valuable patient data and are most often and successfully targeted (55% successfully targeted). Providers at risk of malpractice due to lack of visibility into patient information. Company at risk of liability for a breach of personal financial and health information belonging to our customers and their patients. We are at risk of business disruption, which adversely affects our company, our customer providers, and their patients. Adverse impact on future financial results due to the theft, destruction, loss, misappropriation or release of confidential data or IP.

Insurance eligibility verification
  How they fail: Kangaroo system offline.
  Causes: Unauthorized access to patient records due to employee negligence, criminal activity, service disruptions, network failure.
  Effects: Customers (HC providers) unable to determine insurance eligibility of patients.

Appointment scheduling
  How they fail: Kangaroo system offline.
  Causes: Antiquated operating system is outdated and no longer supported by the manufacturer. Patient kept on hold, lost call, unanswered phone.
  Effects: Customers unable to schedule new appointments or modify existing appointments. Loss of revenue risk due to operational and business delays. Negative publicity resulting in reputation or brand damage with our customers, suppliers or industry peers. Adverse impact on future financial results due to the theft, destruction, loss, misappropriation or release of confidential data or IP.

Claims management
  How they fail: Kangaroo system offline.
  Causes: Antiquated operating system is no longer supported by the manufacturer.
  Effects: Company unable to process medical claims. Liability risk due to provider customer loss of revenue from operational and business delays. Negative publicity resulting in reputation or brand damage with our customers, suppliers or industry peers. Operational or business delays resulting from the disruption of IS and subsequent cleanup and mitigation activities.

Customer billing
  How they fail: Kangaroo system offline.
  Causes: Antiquated operating system is no longer supported by the manufacturer. Inadequate or incomplete documentation.
  Effects: Company unable to process customer billing for claims. Billing and insurance records contain some of the most valuable patient data and are targeted (46% successfully targeted). Liability risk for a breach of personal financial and health information belonging to our customers and their patients. Business disruption risk adversely affects our company, our customer providers, and their patients. Adverse impact on future financial results due to the theft, destruction, loss, misappropriation or release of confidential data or IP.

Prescription drug management
  How they fail: Kangaroo system offline.
  Causes: Legacy systems unable to support minimum requirements.
  Effects: Providers are unable to enter new prescriptions for patients and unable to conduct drug interaction checking for new prescriptions.
II. Measures to reduce the named residual risks
We applied the FMEA issue tracking to focus on the “what” rather than the “how” or “why”. This approach allowed for
thorough application of controls.
The following actions address the risks identified above; each risk is addressed in turn.
Patching
• Establish clear policy and procedures for systems maintenance.
• Ensure recommended patches are tested first in a development environment, then in a production environment to
simulate the real environment as close as possible.
o When concerned and conscientious testers adequately test the code, it will be patched in a timely
manner.
• Employ knowledgeable configuration management staff who carefully monitor and control our releases. Not only will we
know exactly what is in each software fix, we can also re-create these fixes later for failure diagnostics and analysis.
More importantly, the software generation process will be deterministic and controlled, to minimize the errors introduced
into it.
• Ensure effective staff communication and work in tandem, so that fixes work together and with the targeted hardware,
and so that fixes or patches are pushed out once, without hot fixes or overlay releases.
• Carefully document release notes to ensure our own development and test staff are aware of the changes and
can buy off on the fixes.
o The release notes will inform users, who will then be aware of and confident in our fixes: that they have been
thoroughly and comprehensively tested, and that rework through hot fixes or overlay releases is minimized.
• Apply patches to our headquarters and regional offices.
• Ensure that our regional offices get the attention they need too and are not overlooked.
Change Control Risk
The previous controls for patching also apply to change control risk.
• We will also ensure recommended patches are tested like other software fixes, namely in a thoughtful, deliberate,
and consistent manner.
• Establish clear policies and procedures for systems maintenance, similar to software patching.
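The patching and change-control bullets above describe a procedure: test in development before production, write release notes, patch HQ and regional offices alike, and schedule maintenance windows that do not fall in customers' business hours. The following Python script is an added example, not code from the report or from Kangaroo Inc.; it audits a constructed patch ledger against those rules. The hostnames, patch identifiers, dates and the per-severity SLA day counts are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy: days allowed between vendor release and deployment, by severity.
# These SLA figures are an assumption for the example, not values from the report.
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 90}

# Constructed inventory: hostname -> site. Regional hosts are tracked explicitly so
# that "regional offices not overlooked" is checked rather than assumed.
HOSTS = {"hq-app-01": "HQ", "hq-db-01": "HQ", "reg-pdx-01": "Regional"}


@dataclass
class Patch:
    patch_id: str
    severity: str                 # "critical" | "important" | "moderate"
    released: date                # vendor release date
    tested_in_dev: bool           # passed the development-environment test
    release_notes: bool           # release notes written for dev/test staff
    applied_to: set = field(default_factory=set)   # hosts where it is installed


def audit(patches, hosts, today):
    """Check the ledger against the procedure: dev test before production,
    release notes present, and every host (HQ and regional) patched within SLA.
    Returns a list of (patch_id, host or None, finding) tuples."""
    findings = []
    for p in patches:
        deadline = p.released + timedelta(days=SLA_DAYS[p.severity])
        in_prod = p.applied_to & set(hosts)
        if in_prod and not p.tested_in_dev:
            findings.append((p.patch_id, None, "applied to production without development test"))
        if in_prod and not p.release_notes:
            findings.append((p.patch_id, None, "release notes missing"))
        for host in hosts:
            if host not in p.applied_to and today > deadline:
                findings.append((p.patch_id, host, f"overdue {(today - deadline).days} days"))
    return findings


def overdue_by_site(findings, hosts):
    """Count overdue findings per site so a neglected regional office stands out."""
    counts = {site: 0 for site in set(hosts.values())}
    for _, host, finding in findings:
        if host is not None and finding.startswith("overdue"):
            counts[hosts[host]] += 1
    return counts


def window_outside_business_hours(start_hour, end_hour, business=(8, 18)):
    """True if a maintenance window [start_hour, end_hour) on a 24h clock (it may
    wrap past midnight) avoids customers' business hours [8, 18) entirely."""
    hours = [(start_hour + i) % 24 for i in range((end_hour - start_hour) % 24)]
    return not any(business[0] <= h < business[1] for h in hours)


def demo_audit():
    """Constructed ledger, evaluated as of the report date (2 June 2015)."""
    today = date(2015, 6, 2)
    patches = [
        Patch("P-2015-001", "critical", date(2015, 5, 1), True, True, {"hq-app-01", "hq-db-01"}),
        Patch("P-2015-002", "important", date(2015, 5, 20), False, True, {"hq-app-01"}),
        Patch("P-2015-003", "moderate", date(2015, 3, 1), True, False, set(HOSTS)),
    ]
    return audit(patches, HOSTS, today)


if __name__ == "__main__":
    for finding in demo_audit():
        print(finding)
    print("overdue by site:", overdue_by_site(demo_audit(), HOSTS))
    print("22:00-02:00 window acceptable:", window_outside_business_hours(22, 2))
```

In the constructed ledger the critical patch was applied at HQ but never reached the regional host, so the site summary shows the regional office as the one with an overdue item, which is exactly the oversight the last Patching bullet warns against; the window check is the SLA-coordination half of Change Control Risk.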
Antiquated firewall
Concerning our antiquated firewall, we have an immediate problem with vendor support that has expired.
• Assign staff to closely manage and track software support contracts and coverage to ensure support does not
lapse.
• Submit a follow-up request for coverage in time for the next financial cycle to ensure our coverage does not lapse.
As a result, our software support personnel must be tied into budgeting.
• Deploy new Network Intrusion Prevention System (NIPS) hardware in regional offices.
Employee Turnover
We also have a problem with turnover in our IT department, which manifests itself in infrastructure issues.
• Provide necessary leadership, i.e. management to recruit and retain talented personnel.
• Work with Human Resources (HR) to ensure compensation is commensurate with similar outside staff.
• Develop an IT personnel lifecycle that can support continued operations in the following years without disruption.
• Include a plan for a career of growth for our employees to
o Minimize bottlenecks
o Provide opportunities to either specialize in an area in IT or generalize in areas that support the customer
and our company, while complementing their own careers.
• Implement training plan to support the education of our IT staff so they can intelligently plan and deploy solutions
to minimize our firewall risk.
Microsoft Exchange Server
We are still running Microsoft Exchange Server 2007 and have not upgraded to the most recent version.
• Our solution is to upgrade from Microsoft Exchange Server 2007 to 2010 or higher.
• Establish a contingency plan in case our main server is taken over by an attacker.
o To mitigate this, our IT staff would keep up to date with current attack trends and design monitoring rules
as new attacks are found in the wild; this ties in with our IT staff recommendations mentioned before.
• Secure the email server by using well-established guidelines, such as the National Vulnerability Database (ref
https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=186) to reduce our exposure significantly.
Bring Your Own Device (BYOD)
The Bring Your Own Device (BYOD) risk, although not as high a risk as others, still manifests itself in various means, and
requires as many controls.
• Design a BYOD policy including controls to reduce cost and risks introduced by BYOD. This policy must be well
thought out and address our changing environment; it must be updated regularly as with our other policies.
• Implement a VLAN or other form of network segregation with a separate WiFi signal supported by most high-end
small office/home office (SOHO) and nearly all enterprise WiFi access points / routers.
o The separate WiFi network would be for non-company personal and business use, and based on
demand, could be even split further for increased separation.
o As an added note, we do have to ensure our access points/routers support this network segregation.
Backup
We have three different ways of mitigating our risks.
• Test each backup immediately after copy to ensure non-corruption and to allow for time for repair of backup
system and the making of new copies.
• Transfer backup copies to offsite storage vault outside of regional disaster impact zone.
o We would also keep an additional copy of our most recent backup locally for recovery.
• Keep spare hardware onsite including replacement drives, blades and ensure technicians are trained to swap out
failed parts.
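The first bullet above, and the same control in the Data Backups comments of the FMEA table, call for testing each backup immediately after the copy so that a corrupt copy is found while there is still time to repair the backup system and make a new one. The Python script below is an added example, not code from the report or from Kangaroo Inc.: it writes a SHA-256 manifest at backup time, verifies the copy against it, and verifies again after a restore. The directory names and file contents are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # assumed manifest file name


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy src into dest and write a manifest of per-file SHA-256 digests taken
    from the *source* files, so the copy is checked against what was read."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            manifest[rel] = sha256_of(p)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(backup: Path) -> dict:
    """Recompute digests of the copied files and compare with the manifest.
    Reports corrupt (digest mismatch), missing and unexpected extra files."""
    manifest = json.loads((backup / MANIFEST).read_text())
    corrupt, missing = [], []
    for rel, digest in manifest.items():
        p = backup / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupt.append(rel)
    present = {p.relative_to(backup).as_posix() for p in backup.rglob("*") if p.is_file()}
    extra = sorted(present - set(manifest) - {MANIFEST})
    return {"ok": not (corrupt or missing or extra),
            "corrupt": corrupt, "missing": missing, "extra": extra}


def restore_and_verify(backup: Path, target: Path) -> dict:
    """Restore the backup into target, then verify the restored tree against the
    manifest; a bad copy must never be restored silently."""
    manifest = json.loads((backup / MANIFEST).read_text())
    for rel in manifest:
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)
    shutil.copy2(backup / MANIFEST, target / MANIFEST)
    return verify_backup(target)


def demo() -> dict:
    """Constructed scenario: back up a small tree, verify it right after the copy,
    restore it, then flip one byte in the backup (a failing drive) and confirm
    the check catches it before any further restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak, rst = root / "patients_db", root / "backup", root / "restore"
        (src / "billing").mkdir(parents=True)
        (src / "records.dat").write_bytes(b"patient-id,visit\n1001,2015-05-28\n")
        (src / "billing" / "claims.csv").write_bytes(b"claim,amount\n77,120.00\n")
        make_backup(src, bak)
        fresh = verify_backup(bak)                 # test immediately after copy
        restored = restore_and_verify(bak, rst)
        damaged = bak / "billing" / "claims.csv"   # simulate media corruption
        data = bytearray(damaged.read_bytes())
        data[0] ^= 0xFF
        damaged.write_bytes(bytes(data))
        after = verify_backup(bak)
        return {"fresh_ok": fresh["ok"], "restore_ok": restored["ok"],
                "corrupt_detected": after["corrupt"]}


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest with the copy is what makes the offsite copy in the second bullet independently checkable: whoever retrieves it from the vault can run `verify_backup` without access to the original servers.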
Physical security
Physical security of our main datacenter is also an identified risk. We mitigate this by the following:
• Implement a continuity plan that includes a cloud backup of data servers to a third-party vendor in Salt Lake City, UT.
• Set up a failover data server to bring data back online within minutes using ISP DNS load balancing.
o Failover data servers are hosted in a third-party facility with similar security controls as the Duwamish-based
facility.
Connectivity
Connectivity is also a risk when the data center to ISP link goes down.
• Engage a service, e.g. Cloudflare to provide always-online presence as a control.
o Cloudflare caches static pages and serves them to visitors to maintain general site availability during
outage or DDoS attack.
Availability
Availability in the face of a hardware failure, e.g. of a firewall or server, is a risk that needs a control. We have identified
two controls.
• Deploy redundant architecture.
o If using single device for a function, e.g. firewall, ensure it has redundancy built in for power, connectivity,
and compute function. Also, ensure it "fails-open" which assumes a layered defense.
• Provision replacement parts as appropriate, and train staff in replacement and re-configuration procedures.
Non-segmented Network
Another risk is that our regional network is not segmented. VOIP phones are on the same network as our workstations,
which presents a potential risk.
• Place VLANS on managed switches to separate VOIP traffic from workstation traffic.
Business Risks
The following are some of our business risks that directly affect our clients. These risks are particularly suited towards our
medical based business.
Patient Tracking/Medical Records/Claims Management and Customer Billing Risks
The first and most significant business risks are Patient Tracking/Medical Records, Claims Management, and Customer
Billing. These risks are grouped together in our analysis since their controls are similar and intertwined.
The following controls apply to each of these three risks.
Policies and Procedures
● Establish clear policies and procedures for systems maintenance.
● Communicate with customers regarding scheduled downtime maintenance windows, and preferably in a window
that affects them the least.
● Ensure recommended patches are tested first in a development environment, then in a production environment to
simulate the real environment as close as possible.
Business Continuity Plan
● Build, test, and maintain a business continuity plan that includes a cloud backup of data servers to an offsite
location in a different geographical region, e.g. to a third-party vendor in Salt Lake City, UT.
● Set up failover data servers to bring data back online within minutes using ISP DNS load balancing. Failover data
servers can be hosted in a third-party facility with similar security controls as the Duwamish-based facility.
Always-Online Service
● Engage a service, e.g. Cloudflare to provide an always-online presence. Cloudflare caches static pages and
serves them to visitors to maintain general site availability during outage or DDoS attack.
Insurance Eligibility Verification
• Ensure that our customers can generate revenue from people they interact with, and determine what payments
are available and at what price, based on varying conditions.
o While a complex issue, we can use a software as a service (SaaS) solution to enable our customers’
administrative staff to improve insurance eligibility verification and meet criteria such as the Health
Information Exchanged Accreditation Program (HIEAP).
Appointment Scheduling
Since appointments are the first step in which our customers interact with “their” customers, the integrity of that system
must remain intact, even when disconnected.
• Implement integrated communication solutions that work directly with the Patient Customer Relationship
Manager (CRM) to address this risk.
Prescription Drug Management
The last risk to be addressed is Prescription Drug Management, where the risk is the prescription of the wrong drug
or dosage, or a lethal or harmful reaction between the drugs being prescribed.
• Use a software as a service (SaaS) solution for this risk that meets criteria such as the Health Information
Exchanged Accreditation Program (HIEAP).
o This solution takes into consideration all medication the patient is on, and all known side effects. Knowing
all known adverse drug interactions would also lower negative reactions from multiple medications.
III. Residual Risks
Some areas of high concern remain after our controls are in place. We still need to verify the effectiveness of our
controls, but at first glance there are no high probability, high severity risks.
We do have some high severity, medium probability risks. They can be grouped in the following categories.
• Software patching and overall software development is our first high severity, medium probability risk.
o This falls on the technical side and affects our customers by weakening the defense of their data through
the firewall and other patch support.
There are obvious risks, but also underlying causes. Using root cause and corrective analysis, we can trace this problem
to the support staff, namely our IT department, which develops, maintains, and updates this software.
While it is a software problem, it is really a people problem. There are Band-Aid fixes we can apply temporarily, but a
longer-term fix is needed, namely a good IT department, which is outside the scope of this paper.
We have a high severity, low probability risk that is another software problem: keeping up to date with the latest
Microsoft Exchange Server software, though this applies to other older software as well. The software needs to be updated
to minimize risk, and a combination of time and money to upgrade is needed to remedy this issue.
IV. Plan of Action and Milestones (POA&M)
A Plan Of Action and Milestones (POA&M) is an effective tool for prioritizing and tracking issues to ensure they are
resolved in a time and sequence that supports the overall strategic intent. We used this tool to track risks, identify
solutions, assign responsibility, and then have a clear picture of what we had either been unable to resolve in time or did
not have an effective solution to address. This helped determine our residual risk.
Medium and high risks that are still outstanding, which we were not able to close and must accept:
The attached Plan of Action and Milestones (POAM) maintains the outstanding issues with POCs and status of remediation. Any
deviation from the plan must be approved by management, including delayed fixes or modifications of planned controls.
Columns: Item#; Effect / Process / Function; Failure Modes; Causes; Current Risk; Actions to Reduce Failure Mode (Recommended Additional Controls); Residual Risk.

Item 1: Patching
  Failure modes: Unpatched vulnerabilities allow attack or other server software failure.
  Causes: High turnover in IT department. Insufficient documentation and tracking of updates. Heterogeneous systems = high patch diversity and pace.
  Current risk: High
  Actions: Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
  Residual risk: Low

Item 4: BYOD
  Failure modes: Employee devices introduce malware onto network.
  Causes: No malware detection implemented on BYOD (e.g. employee phones).
  Current risk: Med
  Actions: Discussion and design of a BYOD policy, as well as the possible controls and their costs to reduce the increased risk introduced by BYOD.
  Residual risk: Med

Item 10: Change Control
  Failure modes: Patch management delayed.
  Causes: Maintenance window scheduling adversely impacted by insufficient coordination with customers and/or SLA language not supportive.
  Current risk: High
  Actions: Establish clear policy and procedures for systems maintenance. Communicate with customers regarding scheduled downtime maintenance windows. Ensure recommended patches are tested in development environment and applied to production systems in a timely manner.
  Residual risk: Med

Item 16: Patient Tracking
  Failure modes: Patient database unavailable. Tracking system software not properly exchanging data between database and customer system.
  Causes: Servers are segmented from each other and unable to communicate with each other.
  Current risk: High
  Actions: Implement backup and failover controls specified in items 12-14.
  Residual risk: Low

Item 20: Customer Billing
  Failure modes: Kangaroo system offline.
  Causes: The manufacturer no longer supports the antiquated operating system. Inadequate or incomplete documentation.
  Current risk: High
  Actions: Implement backup and failover controls specified in items 12-14.
  Residual risk: Low
Acronyms
BYOD: Bring Your Own Device
CRM: Customer Relationship Manager
DDoS: Distributed Denial of Service
DNS: Domain Name System
HIEAP: Health Information Exchange Accreditation Program
HR: Human Resources
IT: Information Technology
NIPS: Network Intrusion Prevention System
ISP: Internet Service Provider
SaaS: Software as a Service
SOHO: Small Office Home Office
VOIP: Voice over Internet Protocol
VLAN: Virtual Local Area Network
WIFI: Wireless network, a play on "Hi-Fi"
Team
Larry DeBellis - Project Manager
Carlos Cabello - Company Structure / Research Analyst
Jordan Hanna - Technical Analysis / Control Measures
Mary Marks - Business Analysis/ Research Analyst / Type Editor
David L. Morse - Propose Controls / Research Analyst
Mike Whaley - Company Structure / Research Analyst
Steve Vincent - Report Documents / Business Continuity
Steve Morehouse - Final Report Documents / Research Analyst
Annex 1: Severity, Probability, & Hazard Score Key

Severity Key

Effect | Severity of Effect | Ranking
Hazardous without warning | Very high severity ranking when a potential failure mode affects business operations without warning | 10
Hazardous with warning | Very high severity ranking when a potential failure mode affects business operations with warning | 9
Very High | System inoperable with destructive failure without compromising safety | 8
High | System inoperable with network damage | 7
Moderate | System inoperable with minor damage | 6
Low | System inoperable without damage | 5
Very Low | System operable with significant degradation of performance | 4
Minor | System operable with some degradation of performance | 3
Very Minor | System operable with minimal interference | 2
None | No effect | 1
Colour-band legend: High / Med / Low
Probability Key

Probability of Failure | Failure Probability | Ranking
Very High: Failure is almost inevitable | >1 in 2 | 10
Very High: Failure is almost inevitable | 1 in 3 | 9
High: Repeated failures | 1 in 8 | 8
High: Repeated failures | 1 in 20 | 7
Moderate: Occasional failures | 1 in 80 | 6
Moderate: Occasional failures | 1 in 400 | 5
Moderate: Occasional failures | 1 in 2,000 | 4
Low: Relatively few failures | 1 in 15,000 | 3
Low: Relatively few failures | 1 in 150,000 | 2
Remote: Failure is unlikely | <1 in 1,500,000 | 1
Colour-band legend: High / Med / Low
Hazard Key

Hazard | Severity of Hazard | Ranking
Absolute Uncertainty | Design control cannot detect potential cause/mechanism and subsequent failure mode | 10
Very Remote | Very remote chance the design control will detect potential cause/mechanism and subsequent failure mode | 9
Remote | Remote chance the design control will detect potential cause/mechanism and subsequent failure mode | 8
Very Low | Very low chance the design control will detect potential cause/mechanism and subsequent failure mode | 7
Low | Low chance the design control will detect potential cause/mechanism and subsequent failure mode | 6
Moderate | Moderate chance the design control will detect potential cause/mechanism and subsequent failure mode | 5
Moderately High | Moderately high chance the design control will detect potential cause/mechanism and subsequent failure mode | 4
High | High chance the design control will detect potential cause/mechanism and subsequent failure mode | 3
Very High | Very high chance the design control will detect potential cause/mechanism and subsequent failure mode | 2
Almost Certain | Design control will detect potential cause/mechanism and subsequent failure mode | 1
Colour-band legend: High / Med / Low
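The three keys above assign 1-10 rankings to severity, probability and detection (the "hazard" key). The report itself records its hazard scores only as High/Med/Low and does not state the arithmetic behind them. The following is an added example, not part of the report or its team's work: it encodes the Annex 1 keys as lookup tables, maps an observed failure rate onto the probability ranking, and combines the three rankings the way standard FMEA practice does, as a Risk Priority Number RPN = Severity × Probability × Detection. The formula, the High/Med/Low cut-offs (200 and 50) and the failure counts in the demo are all assumptions made for the illustration, not values from the report.

```python
"""FMEA scoring helper encoding the Annex 1 keys (added example, not the report's own tooling).

Assumption: rankings are combined as a Risk Priority Number, RPN = S x O x D,
which is standard FMEA practice; the report only shows High/Med/Low and does
not state its scoring arithmetic. The High/Med/Low cut-offs are also assumed.
"""

# Severity key (Annex 1): effect label -> ranking 1..10
SEVERITY = {
    "Hazardous without warning": 10, "Hazardous with warning": 9,
    "Very High": 8, "High": 7, "Moderate": 6, "Low": 5,
    "Very Low": 4, "Minor": 3, "Very Minor": 2, "None": 1,
}

# Probability key (Annex 1): "1 in N" rate -> ranking, most frequent first.
# A ranking applies when the observed failure rate is at least this frequent.
PROBABILITY_THRESHOLDS = [
    (1 / 2, 10), (1 / 3, 9), (1 / 8, 8), (1 / 20, 7), (1 / 80, 6),
    (1 / 400, 5), (1 / 2_000, 4), (1 / 15_000, 3), (1 / 150_000, 2),
]
# The key's last row is "<1 in 1,500,000 -> 1"; rates rarer than 1 in 150,000
# are ranked 1 here (assumption: the key leaves that interval unlabelled).

# Hazard (detection) key (Annex 1): chance the design control detects the cause
DETECTION = {
    "Absolute Uncertainty": 10, "Very Remote": 9, "Remote": 8, "Very Low": 7,
    "Low": 6, "Moderate": 5, "Moderately High": 4, "High": 3,
    "Very High": 2, "Almost Certain": 1,
}


def probability_ranking(failures: int, opportunities: int) -> int:
    """Map an observed failure rate (e.g. outages per patch cycle) to the key's 1..10 ranking."""
    if opportunities <= 0 or failures < 0:
        raise ValueError("need a non-negative failure count and a positive number of opportunities")
    rate = failures / opportunities
    for threshold, rank in PROBABILITY_THRESHOLDS:
        if rate >= threshold:
            return rank
    return 1


def rpn(severity: int, probability: int, detection: int) -> int:
    """Risk Priority Number: S x O x D, each ranking in 1..10 (assumed formula, see docstring)."""
    for name, value in (("severity", severity), ("probability", probability), ("detection", detection)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} ranking {value} outside 1..10")
    return severity * probability * detection


def band(score: int) -> str:
    """Assumed High/Med/Low cut-offs on the 1..1000 RPN range (not from the report)."""
    if score >= 200:
        return "High"
    if score >= 50:
        return "Med"
    return "Low"


def score_item(effect: str, failures: int, opportunities: int, detection: str) -> dict:
    """Rank one failure mode with the three keys; return the rankings, the RPN and its band."""
    s = SEVERITY[effect]
    o = probability_ranking(failures, opportunities)
    d = DETECTION[detection]
    score = rpn(s, o, d)
    return {"S": s, "O": o, "D": d, "RPN": score, "band": band(score)}


if __name__ == "__main__":
    # Constructed illustration: an unpatched server caused an outage in 2 of the
    # last 12 patch cycles; the effect is "High" on the severity key and detection
    # is "Low" because nothing tracks patch status.
    before = score_item("High", 2, 12, "Low")
    # After tracked, tested patching (the recommended control) detection becomes
    # "Very High" and the outage rate is assumed to fall to 1 in 100 cycles.
    after = score_item("High", 1, 100, "Very High")
    print("current :", before)   # RPN 336, band High
    print("residual:", after)    # RPN 70, band Med
```

The residual score drops mainly through the detection ranking, which is the lever the report's recommended controls actually pull (documented, tested, tracked patching) rather than through any change in the severity of a successful attack.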
Annex 2: Risk Evaluation
FAILURE MODE AND EFFECTS ANALYSIS (FMEA)

Item 1 (Patching)
Failure mode: Unpatched vulnerabilities allow attack or other server software failure.
Causes: High turnover in IT department. Insufficient documentation and tracking of updates. Heterogeneous systems = high patch diversity and pace.
Effects: Impact to clients via Datacenter unexpected downtimes resulting from poor patch management. Impacts to regional office servers or connections to HQ services, potential loss of data.
Severity / Probability / Hazard score: High / High [1] / High

Item 2 (Antiquated firewall with expired support)
Failure mode: Expired IDS/IPS in regional offices
Causes: High turnover within IT Dept. Funds used for reinvestment in IT are reallocated for Marketing & Sales Events.
Effects: HQ caught an average of 801 malware events on their perimeter devices a week. DoS attacks are becoming a common event.
Severity / Probability / Hazard score: High / High / Low

Item 3 (Customer runs Microsoft Exchange Server 2007 and has not upgraded to Microsoft Exchange Server 2010)
Failure mode: Spam filter for Exchange server not reliable and management of Exchange is a mess
Causes: Microsoft has halted support for Exchange 2007. Increased attack risk.
Effects: 23% of users click on phishing links and 11% of those are clicking on the attachments.
Severity / Probability / Hazard score: High [2] / High [3] / Med

Item 4 (BYOD)
Failure mode: Employee devices introduce malware onto network
Causes: No malware detection implemented on BYOD (e.g. employee phones)
Effects: Malware present on network is a threat and requires expending resources to combat, including determining extent of damage and potential loss of data.
Severity / Probability / Hazard score: Med / High / Med [4]

Item 5 (BYOD)
Failure mode: Employee devices introduce malware onto network
Causes: Flat network (non-segmented) allows BYOD devices on same LAN as corporate devices
Effects: Malware "jumps" from BYOD devices to corporate devices on same LAN.
Severity / Probability / Hazard score: Med / Med [5] / Med [6]

Item 6 (Data Backups)
Failure mode: Corrupted Backup
Causes: Hardware Fails
Effects: If full-backup, then impact is one-week data loss.
Severity / Probability / Hazard score: Med / Low / Med

Item 7 (Data Backups)
Failure mode: Corrupted Backup
Causes: Hardware Fails
Effects: If incremental, then impact is
Severity / Probability / Hazard score: Low / Low / Low

Item 8 (Data Backups)
Failure mode: Same-Location Disaster
Causes: Lack of Offsite store
Effects: Current lack of an offsite store means a disaster affecting the datacenter may destroy all backups.
Severity / Probability / Hazard score: High / Low / Low

Item 9 (Data Backups)
Failure mode: Recovery-Fails
Causes: Hardware Fails
Effects: Assumes good copy of data; recovery attempt fails, but replacing hardware will allow another recovery attempt.
Severity / Probability / Hazard score: Low / Low / Low
Annex 2: Risk Evaluation (FMEA), continued

Item 10 (Change Control)
Failure mode: Patch-management delayed
Causes: Maintenance window scheduling adversely impacted by insufficient coordination with customers and/or SLA language not supportive
Effects: Delayed patching results in potentially vulnerable systems in the datacenter.
Severity / Probability / Hazard score: High [7] / High / High

Item 11 (Physical Security (datacenter))
Failure mode: Earthquake destroys datacenter
Causes: Building is in a level 4 earthquake zone; 3-story, brick, not seismically retrofitted
Effects: All hosted services offline, all hardware damaged, all data backups destroyed (assuming current status of no offsite backups).
Severity / Probability / Hazard score: High / Low / Med

Item 11 (Physical Security (datacenter)), second failure mode
Failure mode: Thieves destroy or damage servers
Causes: Server not secured in a proper manner
Effects: Stolen sensitive information can be used against our clients, resulting in reputation damage.
Severity / Probability / Hazard score: High / Low / Med

Item 12 (Connectivity)
Failure mode: Datacenter to ISP link goes down
Causes: Datacenter is only connected upstream via a single ISP
Effects: All hosted services offline.
Severity / Probability / Hazard score: High / Low / Med

Item 13 (Availability)
Failure mode: Hardware failure (firewall or server)
Causes: Architecture of datacenter; multiple single points of failure (e.g. single firewall device, single blade chassis)
Effects: Hosted services offline. Failure of the firewall or the server chassis means services are offline until manual intervention.
Severity / Probability / Hazard score: High / Low / Low

Item 14 (Availability)
Failure mode: Hardware failure (firewall or server)
Causes: Service agreement; datacenter staff is not authorized to enter Kangaroo cabinet, repairs require Kangaroo staff to travel to datacenter.
Effects: Hosted services offline. Any failure within the cabinet requires Kangaroo staff to travel to site.
Severity / Probability / Hazard score: High / Low / Med [8]

Item 15 (Regional network not segmented. Phones on same network as workstations)
Failure mode: Allows malicious traffic to mask itself as VOIP traffic and infect workstations.
Causes: Infrastructure grew fast at regional locations and lack of segmentation was an oversight
Effects: Potential downtime at regional office if workstations infected.
Severity / Probability / Hazard score: Med / Med / Med [9]
Annex 2: Risk Evaluation (FMEA), continued

Item 16 (Patient tracking)
Failure mode: Patient database unavailable. Tracking system software not properly exchanging data between database and customer system.
Causes: Servers are segmented from each other and unable to communicate with each other
Effects: Customers (Providers) unable to conduct patient monitoring because medical records not available. Medical files and billing and insurance records contain the most valuable patient data and are most often and successfully targeted (55% successfully targeted).
* Providers at risk of malpractice due to lack of visibility into patient information
* Company at risk of liability for a breach of personal financial and health information belonging to our customers and their patients
* We are at risk of business disruption which adversely affects our company, our customer providers, and their patients
* Adverse impact on future financial results due to the theft, destruction, loss, misappropriation or release of confidential data or IP
Severity / Probability / Hazard score: High / High / High

Item 17 (Insurance eligibility verification)
Failure mode: Kangaroo system offline
Causes: Unauthorized access to patient records due to employee negligence, criminal activity, service disruptions, network failure
Effects: Customers (HC Providers) unable to determine insurance eligibility of patients.
Severity / Probability / Hazard score: High / Med / Med
Annex 2: Risk Evaluation (FMEA), continued

Item 18 (Appointment scheduling)
Failure mode: Kangaroo system offline
Causes:
* Antiquated operating system is outdated and no longer supported by the manufacturer
* Patient kept on hold, lost call, unanswered phone
Effects: Customers unable to schedule new appointments or modify existing appointments.
* Company at risk of loss of revenue due to operational and business delays
* Company at risk of negative publicity resulting in reputation or brand damage with our customers, suppliers or industry peers
* Adverse impact on future financial results due to the theft, destruction, loss, misappropriation or release of confidential data or IP
Severity / Probability / Hazard score: Med / Med / Low

Item 19 (Claims management)
Failure mode: Kangaroo system offline
Causes: Antiquated operating system is no longer supported by the manufacturer
Effects: Company unable to process medical claims.
* Company at risk of liability due to provider customer loss of revenue due to operational and business delays
* Company at risk of negative publicity resulting in reputation or brand damage with our customers, suppliers or industry peers
* Company at risk of operational or business delays resulting from the disruption of IS and subsequent clean-up and mitigation activities
Severity / Probability / Hazard score: High / Med / Med
Annex 2: Risk Evaluation (FMEA), continued

Item 20 (Customer billing)
Failure mode: Kangaroo system offline
Causes:
* Antiquated operating system is no longer supported by the manufacturer
* Inadequate or incomplete documentation
Effects: Company unable to process customer billing for claims. Billing and insurance records contain some of the most valuable patient data and are targeted (46% successfully targeted).
* Company at risk of liability for a breach of personal financial and health information belonging to our customers and their patients
* We are at risk of business disruption which adversely affects our company, our customer providers, and their patients
* Adverse impact on future financial results due to the theft, destruction, loss, misappropriation or release of confidential data or IP
Severity / Probability / Hazard score: High / High / High

Item 21 (Prescription drug management)
Failure mode: Kangaroo system offline
Causes: Legacy systems unable to support minimum requirements
Effects: Providers are unable to enter new prescriptions for patients; unable to conduct drug interaction checking for new prescriptions.
Severity / Probability / Hazard score: High / Med / Med
[1] "average time between vulnerability discovery and the release of exploit code is less than one week"; "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available". http://www.sans.org/reading-room/whitepapers/application/reducing-organizational-risk-virtual-patching-33589
[2] http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/
[3] Very high probability of compromise. This is like having Windows XP and having it face the web. Since the mail server is public facing (assuming in a DMZ at least), it is very vulnerable to attackers as an initial attack vector, and in its current state is one of the lowest hanging fruits.
[4] Depends on the current policy and Network Security Monitoring (NSM) in place, but a phone with malware is generally not used as a network pivot, and worms / viruses will usually alert on an IPS / IDS.
[5] Phone with malware is generally not used as a network pivot, and worms / viruses will usually alert on an IPS / IDS.
[6] Higher hazard than just BYOD because now we are considering it connected to the entire network, rather than just general BYOD.
[7] "average time between vulnerability discovery and the release of exploit code is less than one week"; "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available". http://www.sans.org/reading-room/whitepapers/application/reducing-organizational-risk-virtual-patching-33589
[8] I scored this higher as it requires staff to physically travel to the site to determine full extent. This means the "control" does not quickly or fully detect the issue.
[9] (industry standard AV actively monitoring workstations)
Annex 3: Recommended Control Measures
FAILURE MODE AND EFFECTS ANALYSIS (FMEA)

Item 1 (Patching)
Failure mode: Unpatched vulnerabilities allow attack or other server software failure.
Causes: High turnover in IT department. Insufficient documentation and tracking of updates. Heterogeneous systems = high patch diversity and pace.
Actions: Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.

Item 2 (Antiquated firewall with expired support)
Failure mode: Expired IDS/IPS in regional offices
Causes: High turnover within IT Dept. Funds used for reinvestment in IT are reallocated for Marketing & Sales Events.
Actions: Deploy new NIPS hardware in regional offices. Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.

Item 3 (Customer runs Microsoft Exchange Server 2007 and has not upgraded to Microsoft Exchange Server 2010)
Failure mode: Spam filter for Exchange server not reliable and management of Exchange is a mess
Causes: Increased attack risk
Actions: Upgrade Microsoft Exchange Server 2007 to 2010 or higher. If this is not a very near-future task, then consider designing monitoring rules specifically to watch the email server. Have a contingency plan ready if the server is taken over by an attacker. Keep up-to-date with current attack trends, and design monitoring rules as new attacks are found in the wild. If 2007 will be kept for a reasonable amount of time (e.g. 6+ months), then it should be locked down as well as possible using well-established guidelines, such as https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=186

Item 4 (BYOD)
Failure mode: Employee devices introduce malware onto network
Causes: No malware detection implemented on BYOD (e.g. employee phones)
Actions: Discussion and design of a BYOD policy, as well as the possible controls and their costs to reduce the increased risk introduced by BYOD.

Item 5 (BYOD)
Failure mode: Employee devices introduce malware onto network
Causes: Flat network (non-segmented) allows BYOD devices on same LAN as corporate devices
Actions: VLAN or other form of network segregation with separate WIFI signal (supported by most high-end SOHO and nearly all enterprise WIFI access points / routers).

Item 6 (Data Backups)
Failure mode: Corrupted Backup
Causes: Hardware Fails
Actions: Test each backup immediately after copy to ensure it is not corrupted and to allow time for repair of the backup system and making new copies.

Item 7 (Data Backups)
Failure mode: Corrupted Backup
Causes: Hardware Fails
Actions: Test each backup immediately after copy to ensure it is not corrupted and to allow time for repair of the backup system and making new copies.

Item 8 (Data Backups)
Failure mode: Same-Location Disaster
Causes: Lack of Offsite store
Actions: Transfer backup copies to an offsite storage vault outside of the regional disaster impact zone. Note: keep an additional copy of the most recent set locally for recovery.

Item 9 (Data Backups)
Failure mode: Recovery-Fails
Causes: Hardware Fails
Actions: Have spare hardware onsite (replacement drives, blades) and ensure technicians are trained to swap out failed parts.
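Items 6 and 7 recommend testing each backup immediately after it is copied. One way to make that test concrete, as an added example that is not part of the report: hash every source file before it is copied, store the digests in a manifest beside the copy, and re-hash the copy against the manifest so that a corrupted or missing file is reported while the source is still available to re-copy. The directory layout, file names and sample contents in the demo are constructed for the illustration; nothing here is from the report's environment.

```python
"""Post-copy backup verification by manifest of SHA-256 digests (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large backup files are not read into memory at once
MANIFEST = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy every file under src to dst; return {relative path: digest of the SOURCE file}.

    The digest is taken before the copy so the manifest records what the data
    looked like at backup time, not what ended up on the backup medium.
    """
    src, dst = Path(src), Path(dst)
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(src.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        manifest[rel.as_posix()] = sha256_of(path)
        shutil.copy2(path, target)
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dst: Path) -> list:
    """Re-hash every file named in the manifest; return a list of problems (empty means the copy is good)."""
    dst = Path(dst)
    manifest = json.loads((dst / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        target = dst / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed source tree, verify it, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.sqlite").write_bytes(os.urandom(4096))  # constructed sample data
        (src / "notes.txt").write_text("constructed sample file\n")
        backup_tree(src, dst)
        clean = verify_backup(dst)  # expected: no problems right after the copy
        # Simulate media corruption of one copied file and loss of another.
        (dst / "db" / "patients.sqlite").write_bytes(b"\x00" * 4096)
        (dst / "notes.txt").unlink()
        damaged = verify_backup(dst)
        return clean, sorted(damaged)


if __name__ == "__main__":
    clean, damaged = demo()
    print("after copy:", clean or "ok")
    print("after damage:", damaged)
```

Running `verify_backup` again on the offsite copy (item 8) or after a trial restore (item 9) reuses the same manifest, so one digest set checks every stage from copy to recovery.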
Annex 3: Recommended Control Measures (FMEA), continued

Item 10 (Change Control)
Failure mode: Patch-management delayed
Causes: Maintenance window scheduling adversely impacted by insufficient coordination with customers and/or SLA language not supportive
Actions: Establish clear policy and procedures for systems maintenance. Communicate with customers regarding scheduled downtime maintenance windows. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.

Item 11 (Physical Security (datacenter))
Failure mode: Earthquake destroys datacenter
Causes: Building is in a level 4 earthquake zone; 3-story, brick, not seismically retrofitted
Actions: Continuity plan to include a cloud backup of data servers to Salt Lake City, UT. Failover data servers set up in a facility in Salt Lake City, UT. Failover data server set up to bring data back online within minutes of ISP DNS load balancing. Failover data servers hosted in a 3rd party facility with similar security controls as the Duwamish based facility.

Item 12 (Connectivity)
Failure mode: Datacenter to ISP link goes down
Causes: Datacenter is only connected upstream via a single ISP
Actions: Engage a service (e.g. Cloudflare) to provide an always-online presence. (Cloudflare caches static pages and serves them to visitors to maintain general site availability during an outage or DDoS attack.)

Item 13 (Availability)
Failure mode: Hardware failure (firewall or server)
Causes: Architecture of datacenter; multiple single points of failure (e.g. single firewall device, single blade server chassis)
Actions: Deploy redundant architecture: if using a single device for a function (e.g. firewall), ensure it has redundancy built in for power, connectivity and compute function. Also ensure it "fails-open" (this assumes layered defense).

Item 14 (Availability)
Failure mode: Hardware failure (firewall or server)
Causes: Service agreement; datacenter staff is not authorized to enter Kangaroo cabinet, repairs require Kangaroo staff to travel to datacenter.
Actions: Position replacement parts as appropriate, and train staff in replacement and re-configuration procedures.

Item 15 (Regional network not segmented. Phones on same network as workstations)
Failure mode: Allows malicious traffic to mask itself as VOIP traffic and infect workstations.
Causes: Infrastructure grew fast at regional locations and lack of segmentation was an oversight
Actions: VLANs on managed switches to separate VOIP traffic from workstation traffic.
Annex 3: Recommended Control Measures (FMEA), continued

Item 16 (Patient tracking)
Failure mode: Patient database unavailable. Tracking system software not properly exchanging data between database and customer system.
Causes: Undetected breach, unauthorized access to patient data, employee negligence, criminal activity, service disruptions, network failure
Actions:
- Backup and automatic failover in the event of systems failure to avoid interruption in service.
- Automatically detect malware, including email attachments, and unauthorized access to patient medical records.
- Implement SIEM technology to effectively detect unauthorized access to patient information.
- Hire infosec experts (direct or consulting) and train internal IT and end user staff. The Ponemon 2015 Benchmark Study on Privacy & Security of Healthcare Data (Ponemon HC) found most health care providers and business partners lack software tools, staff, and expertise to detect and prevent loss or theft of patient data. (Source: https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data)
- Audit existing policies and procedures and revise policy to address security gaps. Ponemon HC found more data breaches are discovered through audits and assessments, followed by employee detections.
- Implement and enforce security policies and conduct employee security awareness training to address employee negligence, the #1 security threat facing HC organizations (Source: Ponemon HC).
- Implement, strengthen, and enforce BYOD policies to reduce compromise from smartphones and tablets. Ponemon HC found this is the first year that smartphones and tablets are the types of devices most commonly compromised or stolen. Before 2015, the primary sources of compromise were desktop and laptop computers.
- Assign top priority to protecting electronic health records. Ponemon HC research found medical records are in the top 2 types of patient data most frequently lost or stolen. More data breaches are discovered through audits and assessments, followed by employee detections.
- Invest in information security technologies and engage security experts to harden systems to deter hackers.
- Offer credit monitoring for patients. Despite the risks to patients who have had their records lost or stolen, 65 percent of respondents do not offer protection services. Only 19 percent offer credit monitoring (Ponemon HC) percent offer other identity monitoring

Item 17 (Insurance eligibility verification)
Failure mode: Kangaroo system offline
Causes: Unauthorized access to patient records due to employee negligence, criminal activity, service disruptions, network failure
Actions:
- Backup and automatic failover in the event of systems failure to avoid interruption in service.
- Automatically detect malware, including email attachments, and unauthorized access.

Item 18 (Appointment scheduling)
Failure mode: Kangaroo system offline
Causes: Unauthorized access to patient records due to employee negligence, criminal activity, service disruptions, network failure
Actions: Same actions as item #18
Annex 3: Recommended Control Measures (FMEA), continued

Item 19 (Claims management)
Failure mode: Kangaroo system offline
Causes: Unauthorized access to patient records due to employee negligence, criminal activity, service disruptions, network failure
Actions: Same actions as item #18

Item 20 (Customer billing)
Failure mode: Kangaroo system offline
Causes:
* Antiquated operating system is no longer supported by the manufacturer
* Inadequate or incomplete documentation
Actions: Customer billing records breach is the #1 target for HC InfoSec breaches (Ponemon HC). Same actions as item #17.

Item 21 (Prescription drug management)
Failure mode: Kangaroo system offline
Causes: Legacy systems unable to support minimum requirements
Actions: Same actions as item #18
Annex 4: Residual Risk Assessment
FAILURE MODE AND EFFECTS ANALYSIS (FMEA): Residual Risk (after Recommended Controls)

Item 1 (Patching)
Failure mode: Unpatched vulnerabilities allow attack or other server software failure.
Causes: High turnover in IT department. Insufficient documentation and tracking of updates. Heterogeneous systems = high patch diversity and pace.
Actions: Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
Residual Severity / Probability / Hazard score: High / Med / Low

Item 2 (Antiquated firewall with expired support)
Failure mode: Expired IDS/IPS in regional offices
Causes: High turnover within IT Dept.
Actions: Deploy new Network Intrusion Prevention System (NIPS) hardware in regional offices. Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
Residual Severity / Probability / Hazard score: High / Med / Low

Item 3 (Customer runs Microsoft Exchange Server 2007 and has not upgraded to Microsoft Exchange Server 2010)
Failure mode: Spam filter for Exchange server not reliable and management of Exchange is a mess
Causes: Increased attack risk
Actions: Upgrade Microsoft Exchange Server 2007 to 2010 or higher. Have a contingency plan ready if the server is taken over by an attacker. Keep up-to-date with current attack trends, and design monitoring rules as new attacks are found in the wild. Secure the email server by using well-established guidelines, such as https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=186 to reduce probability significantly.
Residual Severity / Probability / Hazard score: High / Low / Low

Item 4 (BYOD)
Failure mode: Employee devices introduce malware onto network
Causes: No malware detection implemented on BYOD (e.g. employee phones)
Actions: Discussion and design of a BYOD policy, as well as the possible controls and their costs to reduce the increased risk introduced by BYOD.
Residual Severity / Probability / Hazard score: Med / Med / Med

Item 5 (BYOD)
Failure mode: Employee devices introduce malware onto network
Causes: Flat network (non-segmented) allows BYOD devices on same LAN as corporate devices
Actions: VLAN or other form of network segregation with separate WIFI signal (supported by most high-end SOHO and nearly all enterprise WIFI access points / routers).
Residual Severity / Probability / Hazard score: Med / Low / Low

Item 6 (Data Backups)
Failure mode: Corrupted Backup
Causes: Hardware Fails
Actions: Test each backup immediately after copy to ensure it is not corrupted and to allow time for repair of the backup system and making new copies.
Residual Severity / Probability / Hazard score: Med / Low / Low

Item 7 (Data Backups)
Failure mode: Corrupted Backup
Causes: Hardware Fails
Actions: Test each backup immediately after copy to ensure it is not corrupted and to allow time for repair of the backup system and making new copies.
Residual Severity / Probability / Hazard score: Low / Low / Low

Item 8 (Data Backups)
Failure mode: Same-Location Disaster
Causes: Lack of Offsite store
Actions: Transfer backup copies to an offsite storage vault outside of the regional disaster impact zone. Note: keep an additional copy of the most recent set locally for recovery.
Residual Severity / Probability / Hazard score: High / Low / Low

Item 9 (Data Backups)
Failure mode: Recovery-Fails
Causes: Hardware Fails
Actions: Have spare hardware onsite (replacement drives, blades) and ensure technicians are trained to swap out failed parts.
Residual Severity / Probability / Hazard score: Low / Low / Low

Item 10 (Change Control)
Failure mode: Patch-management delayed
Causes: Maintenance window scheduling adversely impacted by insufficient coordination with customers and/or SLA language not supportive
Actions: Establish clear policy and procedures for systems maintenance. Communicate with customers regarding scheduled downtime maintenance windows. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
Residual Severity / Probability / Hazard score: Med / Med / Med
Annex 4: Residual Risk Assessment (FMEA), continued

Item 11 (Physical Security (datacenter))
Failure mode: Earthquake destroys datacenter
Causes: Building is in a level 4 earthquake zone; 3-story, brick, not seismically retrofitted
Actions: Continuity plan to include a cloud backup of data servers to Salt Lake City, UT. Failover data servers set up in a facility in Salt Lake City, UT. Failover data server set up to bring data back online within minutes of ISP DNS load balancing. Failover data servers hosted in a 3rd party facility with similar security controls as the Duwamish based facility.
Residual Severity / Probability / Hazard score: High / Low / Low

Item 12 (Connectivity)
Failure mode: Datacenter to ISP link goes down
Causes: Datacenter is only connected upstream via a single ISP
Actions: Engage a service (e.g. Cloudflare) to provide an always-online presence. (Cloudflare caches static pages and serves them to visitors to maintain general site availability during an outage or DDoS attack.)
Residual Severity / Probability / Hazard score: High / Low / Low

Item 13 (Availability)
Failure mode: Hardware failure (firewall or server)
Causes: Architecture of datacenter; multiple single points of failure (e.g. single firewall device, single blade server chassis)
Actions: Deploy redundant architecture: if using a single device for a function (e.g. firewall), ensure it has redundancy built in for power, connectivity and compute function. Also ensure it "fails-open" (this assumes layered defense).
Residual Severity / Probability / Hazard score: High / Low / Low

Item 14 (Availability)
Failure mode: Hardware failure (firewall or server)
Causes: Service agreement; datacenter staff is not authorized to enter Kangaroo cabinet, repairs require Kangaroo staff to travel to datacenter.
Actions: Position replacement parts as appropriate, and train staff in replacement and re-configuration procedures.
Residual Severity / Probability / Hazard score: High / Low / Low

Item 15 (Regional network not segmented. Phones on same network as workstations)
Failure mode: Allows malicious traffic to mask itself as VOIP traffic and infect workstations.
Causes: Infrastructure grew fast at regional locations and lack of segmentation was an oversight
Actions: VLANs on managed switches to separate VOIP traffic from workstation traffic.
Residual Severity / Probability / Hazard score: Low / Low / Low

Item 16 (Patient Tracking)
Failure mode: Patient database unavailable. Tracking system software not properly exchanging data between database and customer system.
Causes: Servers are segmented from each other and unable to communicate with each other
Actions: Implement backup and failover controls specified in items 12-14.
Residual Severity / Probability / Hazard score: High / Low / Low

Item 17 (Insurance Eligibility Verification)
Failure mode: Kangaroo system offline
Causes: Unauthorized access to patient records due to employee negligence, criminal activity, service disruptions, network failure
Actions: Use a software as a service (SaaS) solution to enable administrative staff to improve insurance eligibility verification and meet criteria such as the Health Information Exchange Accreditation Program (HIEAP).
Residual Severity / Probability / Hazard score: Med / Med / Low

Item 18 (Appointment Scheduling)
Failure mode: Kangaroo system offline
Causes:
* Antiquated operating system is outdated and no longer supported by the manufacturer
* Patient kept on hold, lost call, unanswered phone
Actions: Integrated communication solutions that work directly with the Patient Customer Relationship Manager (CRM).
Residual Severity / Probability / Hazard score: Med / Low / Low
Annex 4: Residual Risk Assessment (FMEA), continued

Item 19 (Claims Management)
Failure mode: Kangaroo system offline
Causes: Antiquated operating system is no longer supported by the manufacturer
Actions: Implement backup and failover controls specified in items 12-14.
Residual Severity / Probability / Hazard score: Med / Low / Low

Item 20 (Customer Billing)
Failure mode: Kangaroo system offline
Causes:
* Antiquated operating system is no longer supported by the manufacturer
* Inadequate or incomplete documentation
Actions: Implement backup and failover controls specified in items 12-14.
Residual Severity / Probability / Hazard score: High / Low / Low

Item 21 (Prescription Drug Management)
Failure mode: Kangaroo system offline
Causes: Legacy systems unable to support minimum requirements
Actions: Use a software as a service (SaaS) solution for prescription drug management that meets criteria such as the Health Information Exchange Accreditation Program (HIEAP), which takes into consideration all medication the patient is on, preventing adverse reactions from multiple medications.
Residual Severity / Probability / Hazard score: Med / Low / Low
Plan of Action and Milestones (POAM)
Columns per item: Process Function; POC; Resources Required; Scheduled Completion; Actions to Reduce Failure Mode (Recommended Additional Controls); Progress; Residual Risk.

Item 1 (Patching)
POC: Change Management Board
Resources required: Inter-departmental, 80 HRS
Scheduled completion: 30 days
Actions: Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
Residual risk: Low

Item 2 (Antiquated firewall with expired support)
POC: CISO
Resources required: Inter-departmental, 300 HRS
Scheduled completion: 90 days
Actions: Deploy new Network Intrusion Prevention System (NIPS) hardware in regional offices. Establish clear policy and procedures for systems maintenance. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
Residual risk: Low

Item 3 (Mail Server Outdated)
POC: CIO
Resources required: IT, 120 HRS
Scheduled completion: 60 days
Actions: Upgrade Microsoft Exchange Server 2007 to 2010 or higher. Have a contingency plan ready if the server is taken over by an attacker. Keep up-to-date with current attack trends, and design monitoring rules as new attacks are found in the wild. Secure the email server by using well-established guidelines, such as https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=186 to reduce probability significantly.
Residual risk: Low

Item 4
POC: CISO
Resources required: Inter-departmental, 80 HRS
Scheduled completion: 60 days
Actions: Discussion and design of a BYOD policy, as well as the possible controls and their costs to reduce the increased risk introduced by BYOD.
Residual risk: Med

Item 5
POC: CIO
Resources required: Inter-departmental, 600 HRS
Scheduled completion: 120 days
Actions: VLAN or other form of network segregation with separate WIFI signal (supported by most high-end SOHO and nearly all enterprise WIFI access points / routers).
Residual risk: Low

Item 6
POC: CIO
Resources required: IT, 20 HRS
Scheduled completion: 30 days
Actions: Test each backup immediately after copy to ensure it is not corrupted and to allow time for repair of the backup system and making new copies.
Residual risk: Low

Item 7
POC: CIO
Resources required: IT, 20 HRS
Scheduled completion: 30 days
Actions: Test each backup immediately after copy to ensure it is not corrupted and to allow time for repair of the backup system and making new copies.

Item 8
POC: DR Team
Resources required: IT, 20 HRS
Scheduled completion: 30 days
Actions: Transfer backup copies to an offsite storage vault outside of the regional disaster impact zone. Note: keep an additional copy of the most recent set locally for recovery.
Residual risk: Low

Item 9
POC: DR Team
Resources required: IT, 60 HRS
Scheduled completion: 60 days
Actions: Have spare hardware onsite (replacement drives, blades) and ensure technicians are trained to swap out failed parts.
Residual risk: Low

Item 10 (Change Control)
POC: Change Management Board
Resources required: Inter-departmental, 80 HRS
Scheduled completion: 30 days
Actions: Establish clear policy and procedures for systems maintenance. Communicate with customers regarding scheduled downtime maintenance windows. Ensure recommended patches are tested in a development environment and applied to production systems in a timely manner.
Residual risk: Med

Item 11 (Physical Security (datacenter))
POC: DR Team
Resources required: Inter-departmental, 80 HRS
Scheduled completion: 60 days
Actions: Continuity plan to include a cloud backup of data servers to Salt Lake City, UT. Failover data servers set up in a facility in Salt Lake City, UT. Failover data server set up to bring data back online within minutes of ISP DNS load balancing. Failover data servers hosted in a 3rd party facility with similar security controls as the Duwamish based facility.
Residual risk: Low

Item 12 (Connectivity)
POC: CIO
Resources required: IT, 40 HRS
Scheduled completion: 15 days
Actions: Engage a service (e.g. Cloudflare) to provide an always-online presence. (Cloudflare caches static pages and serves them to visitors to maintain general site availability during an outage or DDoS attack.)
Residual risk: Low

Item 13
POC: CIO
Resources required: IT, 20 HRS
Scheduled completion: 60 days
Actions: Deploy redundant architecture: if using a single device for a function (e.g. firewall), ensure it has redundancy built in for power, connectivity and compute function. Also ensure it "fails-open" (this assumes layered defense).
Residual risk: Low

Item 14
POC: CIO
Resources required: IT, 200 HRS
Scheduled completion: 90 days
Actions: Position replacement parts as appropriate, and train staff in replacement and re-configuration procedures.
Residual risk: Low
POAM
Failure Modes Current Risk
Unpatched
vulnerabilities allow
attack or other server High
ExpiredIDS/IPS in
regional offices Low
Spam filter for
Exchange server not
reliable and
management of
Exchange is a mess
med
BYOD
Employee devices
introduce malware
onto network
med
[1]
med [2]
Data Backups
Corrupted Backup
med
low
Same-Location
Disaster low
Recovery-Fails low
Patch-management
delayed high
earthquake destroys
datacenter med
datacenter to ISP link
goes down med
Availability hardware failure
(firewall or server)
low
med
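The verify-after-copy control in items 6 to 9 (test each backup immediately after the copy, keep a local copy, ship one offsite) as a worked example. This is added code, not part of the report or of any product named in it: it copies a source tree, writes a SHA-256 manifest computed from the source files at copy time, and re-hashes the copy against that manifest so a corrupted, missing or extra file is detected while the source still exists and a fresh copy can be made. The directory names, the file contents and the single-bit corruption in demo() are all constructed for the example.

```python
"""Backup copy-then-verify, as recommended in POAM items 6-9.

Added example, not part of the IMT 553 report. Paths, file contents and the
simulated corruption below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # assumed manifest file name, stored inside the backup


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> dict:
    """Copy the src tree to dst and record the hash of every file as read from src."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            manifest[rel] = sha256_file(p)        # hash the source, not the copy
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(dst: Path) -> list:
    """Re-hash every file in the backup against the manifest written at copy time.

    Returns (relative_path, problem) pairs; an empty list means every file in
    the manifest is present with the expected hash and nothing extra was found.
    """
    manifest = json.loads((dst / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = dst / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != expected:
            problems.append((rel, "hash mismatch"))
    present = {p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file()}
    for rel in sorted(present - set(manifest) - {MANIFEST}):
        problems.append((rel, "not in manifest"))
    return problems


def corrupt_file(path: Path, offset: int) -> None:
    """Flip one bit in the backup copy to simulate media corruption (constructed failure)."""
    data = bytearray(path.read_bytes())
    data[offset] ^= 0x01
    path.write_bytes(bytes(data))


def demo() -> tuple:
    """Copy -> verify -> corrupt -> verify in a temp dir; returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        dst = Path(tmp) / "backup"
        (src / "db").mkdir(parents=True)
        # constructed sample data standing in for a database dump and a config file
        (src / "db" / "patients.sql").write_bytes(b"INSERT INTO patient VALUES (1,'x');\n" * 1000)
        (src / "config.ini").write_bytes(b"[exchange]\nserver=mail01\n")
        make_backup(src, dst)
        clean = verify_backup(dst)                       # expected: []
        corrupt_file(dst / "db" / "patients.sql", offset=4242)
        damaged = verify_backup(dst)                     # expected: one hash mismatch
        return clean, damaged


if __name__ == "__main__":
    ok, bad = demo()
    print("after copy:", ok or "OK")
    print("after corruption:", bad)
```

Because the manifest is hashed from the source rather than from the copy, a write error during the copy is caught, and the manifest travels with the offsite set (item 8) so the vault copy can be verified on arrival without access to the source. The hash check only proves the bytes survived the copy; for a database backup, a periodic restore into a scratch instance is the stronger test of item 9's "recovery fails" mode.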
Annex 5: POAM (continued)
Item 15 - Regional network not segmented
  POC: CIO | Resources: Inter-departmental, 600 HRS | Completion: 120 days
  Failure mode (current risk): Allows malicious traffic to mask itself as VoIP traffic and (Med [3])
  Actions: VLANs on managed switches to separate VoIP traffic from workstation traffic.
  Residual risk: Low

Item 16 - Patient Tracking
  POC: CIO | Resources: see items 12-14 | Completion: see items 12-14
  Failure mode (current risk): Patient database unavailable; tracking system software not properly exchanging data between (High)
  Actions: Implement the backup and failover controls specified in items 12-14.
  Residual risk: Low

Item 17 - Insurance Eligibility Verification
  POC: CEO / HR | Resources: Interdepartmental, 300 HRS | Completion: 120 days
  Failure mode (current risk): Kangaroo system offline (Med)
  Actions: Use a software-as-a-service (SaaS) solution that enables administrative staff to improve insurance eligibility verification and meets criteria such as the Health Information Exchange Accreditation Program (HIEAP).
  Residual risk: Low

Item 18 - Appointment Scheduling
  POC: CTO + BZ Mngr | Resources: Interdepartmental, 300 HRS | Completion: 120 days
  Failure mode (current risk): Kangaroo system (Low)
  Actions: Integrated communication solution that works directly with the patient customer relationship manager (CRM).
  Residual risk: Low

Item 19 - Claims Management
  POC: CTO + BZ Mngr | Resources: see items 12-14 | Completion: see items 12-14
  Failure mode (current risk): Kangaroo system (Med)
  Actions: Implement the backup and failover controls specified in items 12-14.
  Residual risk: Low

Item 20 - Customer Billing
  POC: CTO + BZ Mngr | Resources: see items 12-14 | Completion: see items 12-14
  Failure mode (current risk): Kangaroo system (High)
  Actions: Implement the backup and failover controls specified in items 12-14.
  Residual risk: Low

Item 21 - Prescription Drug Management
  POC: CTO + BZ Mngr | Resources: Interdepartmental, 300 HRS | Completion: 120 days
  Failure mode (current risk): Kangaroo system offline (Med)
  Actions: Use a software-as-a-service (SaaS) solution for prescription drug management that meets criteria such as the Health Information Exchange Accreditation Program (HIEAP) and takes into consideration every medication the patient is on, to prevent adverse reactions between multiple medications.
  Residual risk: Low
[1] Depends on the current policy and Network Security Monitoring (NSM) in place, but a phone with malware is generally not used as a network pivot, and worms / viruses will usually alert on an IPS / IDS.
[2] Higher hazard than plain BYOD because the device is now considered connected to the entire network, rather than just general BYOD.
[3] With industry-standard AV actively monitoring workstations.
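The VLAN segmentation control in item 15 (separate VoIP from workstation traffic on managed switches) as a worked example of checking that the separation is actually configured rather than only planned. This is added code, not part of the report: it parses Cisco IOS-style "interface" blocks from a switch running-config and flags access ports where no voice VLAN is set, where the voice VLAN equals the data VLAN, or where the voice VLAN is not one of the designated voice VLANs, i.e. ports where a phone and a workstation would share a broadcast domain. The sample config, the interface names and the VLAN numbers (10 for voice, 20 for workstations) are constructed assumptions; the report does not state the switch model or the organisation's VLAN plan.

```python
"""Audit of VoIP / workstation VLAN separation, as called for in POAM item 15.

Added example, not part of the IMT 553 report. The running-config below is
constructed; VLAN 10 (VOICE) and VLAN 20 (WORKSTATIONS) are assumed values.
"""
import re

SAMPLE_CONFIG = """\
!
vlan 10
 name VOICE
vlan 20
 name WORKSTATIONS
!
interface GigabitEthernet1/0/1
 description reception phone + PC (correct)
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
!
interface GigabitEthernet1/0/2
 description exam room 1 (misconfigured: no voice VLAN)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description exam room 2 (misconfigured: voice == data)
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 20
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

SWITCHPORT_RE = re.compile(r"switchport (mode|access vlan|voice vlan|trunk allowed vlan) (.+)")


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: {setting: value}} for every 'interface' block.

    Only the switchport settings the audit needs and the description are kept;
    lines outside an interface block (vlan definitions, '!' separators) are ignored.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {}
        elif current is not None and line.startswith(" "):
            text = line.strip()
            m = SWITCHPORT_RE.match(text)
            if m:
                interfaces[current][m.group(1)] = m.group(2)
            elif text.startswith("description "):
                interfaces[current]["description"] = text[len("description "):]
        elif not line.startswith(" "):
            current = None           # any unindented line ends the interface block
    return interfaces


def audit_voice_separation(interfaces: dict, voice_vlans: set) -> list:
    """Flag access ports whose voice and data traffic would share a VLAN.

    Trunk ports are skipped: on a trunk the VLANs stay separated by 802.1Q
    tags rather than by the access/voice VLAN pair. Returns (interface, finding).
    """
    findings = []
    for name, cfg in interfaces.items():
        if cfg.get("mode") != "access":
            continue
        data = cfg.get("access vlan", "1")     # IOS puts an access port in VLAN 1 by default
        voice = cfg.get("voice vlan")
        if voice is None:
            findings.append((name, "no voice VLAN: a phone on this port lands on data VLAN %s" % data))
        elif voice == data:
            findings.append((name, "voice VLAN equals data VLAN %s" % data))
        elif voice not in voice_vlans:
            findings.append((name, "voice VLAN %s is not a designated voice VLAN" % voice))
    return findings


def run_audit(config: str = SAMPLE_CONFIG, voice_vlans=frozenset({"10"})) -> list:
    """Parse the config and return the findings for the constructed sample."""
    return audit_voice_separation(parse_interfaces(config), set(voice_vlans))


if __name__ == "__main__":
    for iface, finding in run_audit():
        print(f"{iface}: {finding}")
```

Run it against the `show running-config` output of each regional switch. Ports that intentionally carry no phone will show up under the "no voice VLAN" finding and can be excluded by description or port list; the findings that matter for item 15 are the ports where voice and data share a VLAN, since those are where workstation traffic can pass as VoIP traffic (note [3]).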