Discuss Healthcare data breaches caused by human factors.
Data Analysis
The data analysis is presented in three distinct sections that progress from problem scoping data to problem data to mitigation data. Problem scoping data expounds on the systematic review and rating process identified in the methodology. Next, the problem data section presents information pertinent to the refined problem scope as a result of the systematic review and rating process. Finally, mitigation data relevant to the problem’s refined scope and subsequent analysis is presented. Problem scoping data is the first section to be presented and is examined next.
Problem Scoping Data
Problem scoping data consists of a brief overview of the methodology rating process as it relates to problem scope refinement. Additionally, detailed findings from the problem relevancy scoring process are tabulated. Lastly, a plot area displays problem relevancy scoring by topic from 2014 to 2018, as taken from peer-reviewed publication dates. The first overview is represented in Figure 3, which illustrates and reiterates the process taken to better understand the scope of the problem, while limiting bias.
Figure 3. Overview of Systematic Review to Determine Problem Relevancy.
Table 2 is a detailed report that includes individual resources with their relevancy type. The relevancy type served as a codifying mechanism. The table also includes problem relevancy scores at the bottom that were previously summarized in the methodology via Table 1.
Search Words (T = Title, F = Featured, M = Mentioned) | |||||
Title of Peer-Reviewed Resource | Ponzi | Exchange | Wallet | ICO | Pump |
An analysis of the cryptocurrency industry | M | M | F | ||
Analyzing the Bitcoin Ponzi scheme ecosystem | T | ||||
Bitcoin: benefit or curse? | M | ||||
Cryptocurrency and the Myth of the Trustless Transaction | F | F | F | F | |
Data mining for detecting Bitcoin Ponzi schemes | T | ||||
Dynamic topic modelling for cryptocurrency community forums | M | M | |||
Finding cryptocurrency attack indicators using temporal logic and darkweb data | M | M | |||
Global cryptocurrency benchmarking study | F | F | |||
Icorating: A deep-learning system for scam ico identification | T | M | |||
Legal Issues in Cryptocurrency | F | M | |||
PRC regulator blames fraud for ICO ban | T | ||||
Price manipulation in the Bitcoin ecosystem | M | M | M | ||
The ICO Gold Rush: It’s a scam, it’s a bubble, it’s a super challenge for regulators | M | M | T | M | |
The other side of the coin: User experiences with bitcoin security and privacy | F | F | |||
Theoretical and legal perspective on certain types of legal liability in cryptocurrency relations | M | F | |||
There’s no free lunch, even using Bitcoin: Tracking the popularity and profits of virtual currency scams | F | F | F | ||
To the moon: defining and detecting cryptocurrency pump-and-dumps | F | T | |||
Where is current research on blockchain technology?—a systematic review | F | F | F | ||
Relevancy Score (T=5, F=3, & M=1) | 20 | 26 | 25 | 18 | 10 |
Table 2. Findings from Problem Relevancy Scoring Process.
Figure 4 is a plot area visualization that augments the ‘cryptocurrency fraud and scam relevancy scoring’ by showing a type distribution over a five-year period (none of the selected papers were published in 2019).
Figure 4. Problem Relevancy Score by Year.
Understanding how we refined the scope of the problem leads to an examination of problem data, which is covered next.
Problem Data
The problem data section covers a variety of charts and figures that highlight fraud mitigation as it pertains to Ponzi schemes, exchange scams, and scam wallets. Due to the array of data from various years, figures may generalize the aforementioned fraud topics as ‘scams’. Additionally, cyber-attack and fraud campaigns shed light on the significant losses over the past 10 years.
Figure 5. Growth in Bitcoin Threads/Scams from 2015 to 2018.
Marie Vasek and Tyler Moore conducted in-depth studies on Bitcoin scams in both 2015 and 2018. In both studies, they collected data from bitcointalk.org in search of potential scams. In 2015, they were able to pull 192 scams (to include Ponzi schemes, exchange scams, scam wallets, and more) from 349 threads. In their 2018 study, 1,780 scams were narrowed down from 11,424 different threads. Figure 5 portrays this data, which reveals how drastically Bitcoin scams in particular have grown in just a three-year span. The number of scams analyzed in 2015 grew over nine times when re-analyzed in 2018. This highlights a seemingly obvious blockchain technology challenge for which mitigation is arguably needed.
Figure 6. Major Cryptocurrency Attacks from the Darkweb/Deepweb (D2web).
The data in Figure 6 was extracted from the work of a group at Arizona State University. This team was able to use an application-programming interface (API) to uncover major incidents of cyberattacks and fraud campaigns targeting various virtual currencies and trading platforms (Almukaynizi, Paliath, Shah, Shah, & Shakarian, 2018). By scanning Darkweb/Deepweb (D2web) sites associated with hacking-related content, the group was able to query over 400 hacker forums to uncover 50 major incidents. Additionally, they documented four of the largest cryptocurrency attacks, which are: Mt. Gox Hack, NiceHash Hack, Parity Wallet Hacks, and Tether Token Hack (Almukaynizi et al., 2018). Figure 6 represents these four attacks, which have totaled over $700 million in losses to virtual currency owners. Studying the algorithms used in conjunction with D2web could shed light on thousands of scamming attempts across various cryptocurrency platforms.
It’s clear to see that fraud mitigation is needed within blockchain technology and various virtual currency platforms. As previously mentioned, there are many victims, a substantial amount of money is being lost, and these scams undermine the trust of cryptocurrency ecosystems (Vasek & Moore, 2015). If scams continue to grow at an exponential rate, it’s plausible to assume that virtual currency usage could collapse. Mitigation data is analyzed next.
Mitigation Data
Mitigation data is presented in a manner that does not specifically adhere to the way in which individual cryptocurrency fraud categories were structured in the literature review. Instead, data sets are first presented individually in order to highlight relevant concepts or patterns. Next, data regarding administrative, technical, and physical mitigation control categories are examined. Finally, data is aligned to mitigation types, i.e., traditional, tailored, or mixed, to best address the research question.
INDIVIDUAL DATA SETS
The individual data sets are presented loosely following the order in which they were addressed in the ‘mitigation information’ section of the literature review. The first data set, represented in Figure 7, provides a visualization of global cryptocurrency regulation statuses. The raw data was sourced from The Law Library of Congress (2018).
Figure 7. Number of Countries that have Implemented Displayed (y axis) Mitigation Methods.
Research indicates that the United States currently lacks cryptocurrency legislation (Crowley, 2018). Further, a current search via www.congress.gov, for ‘cryptocurrency’ or ‘virtual currency,’ reveals that although bills have been introduced, none of them have been signed into law (2019). However, individual States have introduced or passed legislation regarding cryptocurrencies.
Figure 8. U.S. State Cryptocurrency Legislation Status via LegiScan Keyword Search.
Figure 8 represents a data set sourced by LegiScan for the current biennium and compiled via a keyword search (2019). It is important to note that Figure 8 captures legislative actions over the previous two years only, which means legislative actions that occurred prior to this time are not reflected. The following keywords were used: 1) cryptocurrency, 2) cryptocurrencies, 3) virtual currency, and 4) virtual currencies. The context of individual pieces of legislation was not examined further. Therefore, the specific mitigation impact of U.S. state legislation is an area that may require further research.
Figure 9. Bitcoin Improvement Proposal (BIP) Landscape Status.
The Bitcoin Improvement Proposal (BIP) process is another area in which individual data sets are examined. Figure 9 displays the current status of all existing BIPs, 123 in total. Although mitigating measures may be indicated in ‘Draft’ and ‘Proposed’ BIPs, current mitigating measures are only represented in ‘Final’ and ‘Active’ categories, which contain 37 BIPs in total. It is important to understand that not every BIP from these latter categories contains mitigating measures pertinent to fraud categories. However, it is arguably important to recognize the status of the overall BIP landscape.
Figure 10. Active and Final Bitcoin Improvement Proposal Type Category Allocation.
Similarly, Figure 10 presents the three types of BIPs that exist, coupled with the ‘Final’ and ‘Active’ categories to which 37 total BIPs belong. Standard BIPs represent changes that affect all or most of the Bitcoin implementations (Taaki, 2011). These implementations may be protocol, block validity rule, or interoperability related and can be represented in the technical control category regarding mitigation. Process BIPs include tool changes, procedures, guidelines, or decision-making processes that, once adopted, cannot be ignored by those in the Bitcoin community (Taaki, 2011). Informational BIPs are similar to Process BIPs but they can be ignored if those in the community so choose (Taaki, 2011). Process and Informational BIPs can be represented in the administrative control category regarding mitigation.
RFC# | RFC Title |
1794 | DNS Support for Load Balancing |
1945 | Hypertext Transfer Protocol – HTTP/1.0 |
2046 | Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types |
2616 | Hypertext Transfer Protocol – HTTP/1.1 |
2782 | A DNS RR for specifying the location of services (DNS SRV) |
2822 | Internet Message Format |
3548 | The Base16, Base32, and Base64 Data Encodings |
3986 | Uniform Resource Identifier (URI): Generic Syntax |
4231 | Identifiers and Test Vectors for HMAC-SHA-224/256/384/512 |
5280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
7282 | On Consensus and Humming in the IETF |
Table 3. Requests for Comments (RFCs) that Appear in Current Active and Final BIPs.
The last category regarding potential BIP mitigation, which is also the last individual data set, pertains to RFC references. This aspect is important because BIPs that ‘borrow’ best practices or standards from RFCs can represent tailored mitigation that has been informed by traditional mitigation, a category that will be examined later in the mitigation data analysis. Table 3 includes information regarding RFCs that are referenced in the aforementioned ‘Active’ and ‘Final’ BIP categories. Data sets regarding control categories are examined next.
CONTROL CATEGORIES
This section focuses on presenting an inclusive view of all mitigating controls identified via the meta-analysis. All mitigating controls are grouped into administrative, technical, and physical categories. During instances where ambiguity existed regarding to which control category a particular mitigating measure belonged, multiple control categories were selected. Findings are presented in Table 4. Following Table 4, type categories are examined.
Mitigation Control Categories | |||
Mitigation Method | Administrative | Technical | Physical |
Laws | | ||
Regulations | | ||
Frameworks | | ||
Government Notices | | ||
BIPs (Informational / Process) | | ||
Individual Awareness | | ||
Insurance | | ||
Training | | ||
SEC Halts | | | |
Official Application Usage | | | |
Safe / Secure Web Browser Usage | | | |
Bookmark Usage | | | |
Smart Contracts | | | |
BIPs (Standard) | | ||
Device Permissions | | ||
Website Shutdown | | ||
Spoof Email Blocking | | ||
Firewalls | | ||
Intrusion Prevention Detection Systems | | ||
Blacklists / Whitelists | | ||
Transaction Filtering | | ||
Malware Prevention | | ||
Virus Scanning | | ||
Device Updates | | ||
End-to-End Encryption | | ||
Second-Factor Authentication | | ||
Encrypted Hardware | | ||
Encrypted Media | | ||
Hardware Protection | | ||
Media Protection | | ||
Paper Protection | |
Table 4. Mitigation Methods Aligned to Mitigation Control Categories.
TYPE CATEGORIES
Type categories were first introduced in the ‘Framing’ section of the methodology. They included traditional mitigation, tailored mitigation, and instances where tailored mitigation is informed or augmented by traditional mitigation. Figure 11 highlights the applicability of these mitigation types regarding cryptocurrency fraud. A heat map format is used for these particular findings due to potential ambiguity regarding direct mitigation, implied mitigation, and future mitigation. Traditional mitigation methods were the most prevalent of those recorded (represented by ‘A’). Tailored mitigation, informed or augmented by traditional mitigation, was the second most prevalent method recorded (represented by ‘C’). Lastly, tailored mitigation methods were the least prevalent mitigation type recorded (represented by ‘B’).
Figure 11. Cryptocurrency Fraud Mitigation Types and Relationships.
This data analysis included problem scoping data, problem data, and mitigation data. The intent was to present findings in a progressive and logical manner, while objectively addressing the research question. Understanding data analysis findings leads to the discussion portion of this research.
Discussion
This section is comprised of four distinct segments. First, a discussion regarding problems is examined to address the first research question, which is “How did blockchain, a technology widely known for innovative security, become the target of fraud?” Secondly, mitigation is examined to address the second research question, which is “How can cryptocurrency Ponzi schemes, exchange scams, and scam wallets be mitigated?” Next, the future scale to which this research may apply is explored via an examination of significant recent events. Finally, limitations regarding this qualitative meta-analysis are discussed.
The scope of the first research question was outlined in the literature review and supported, when applicable, in the data analysis. Ecosystem participant awareness, third-party service legitimacy, lack of regulations, anonymity, and decentralization have contributed to the creation of an ideal environment in which fraud can be perpetrated. Vasek & Moore’s studies examined the growth of this fraud, which validates the need for continued fraud detection studies (2015, 2018). Additionally, research showed that a majority of scams could be identified via analyzing source coding (Chen et al., 2018). Thus, further research aimed at refining these fraud detection methods, as well as devising new methods is suggested.
With regard to the second research question, this research detailed multiple ways in which to mitigate cryptocurrency fraud. Further, future innovative solutions via blockchain may also serve to mitigate fraud. Ultimately, information garnered during this meta-analysis has arguably revealed four strategic paths toward cryptocurrency fraud mitigation. These paths include: 1) restrictive state level actions, 2) third-party regulation, 3) continued blockchain innovation, and 4) a holistic approach. Restrictive state level actions include the aforementioned bans, implicit bans, or issuance and regulation of state cryptocurrencies. Third-party regulation involves an alignment of the cryptocurrency industry to existing financial industries. This path implies a certain level of state involvement and takes advantage of established regulatory frameworks that are used to mitigate fraud today.
Continued blockchain innovation, leading to mitigation, is a unique path in that it can serve to meet the original intent of cryptocurrencies, which includes anonymity and decentralization. Within this path, two options are suggested, one mentioned previously in this research and one not. Smart Contracts were previously mentioned and represent the first option. As the previous segment of this discussion addressed, most of the fraud perpetrated within cryptocurrency ecosystems involves third-parties. Since Smart Contracts represent an opportunity to leverage blockchain technology to perform third-party type services without third-party intervention, cryptocurrency improvement processes should consider their future utility. However, it can be argued that since there is a human element involved with regard to Smart Contract generation, fraud may persist, albeit in a different manner. Therefore, further research into how to prevent Smart Contract fraud is arguably needed prior to leveraging its utility to prevent fraud elsewhere.
The second option within the continued blockchain innovation path is decentralized applications (dApps). Although definitions vary, dApps are suggested to be completely open source, operate autonomously, and have their data and records-of-operation cryptographically stored in a decentralized public blockchain (Johnston, Yilmaz, Kandah, Bentenitis, Hashemi, Gross, Wilkinson, & Mason, 2014). Attempts to locate research regarding dApps’ utility for fraud prevention were unsuccessful. Therefore, further research into their potential for fraud prevention, individually and in concert with Smart Contracts, is suggested.
The fourth path toward cryptocurrency fraud mitigation is a holistic solution, which attempts to combine the pros from the aforementioned paths to collectively reduce the cons. Nation state adoption of cryptocurrencies, aligned with financial industry regulations and best practices, via blockchain technology innovation may not only mitigate fraud in the cryptocurrency ecosystem, it may have a reciprocal effect on state fiat currency systems. This path assumes that some form of governance will continue to be a reality. One step above nation state implementation is a global holistic system aligned with treaties. However, this arguably represents a distant future solution, one in which further research is also suggested.
A significant recent event related to this research occurred in June, 2019. Facebook announced a plan to launch its own form of cryptocurrency called Libra in 2020. This plan incorporates letting platform users make purchases or send money to others, either online or at local exchange points, like a grocery store. Libra customers could spend the currency using interoperable third-party wallet applications or Facebook’s Calibra wallet, which is planned to be integrated with WhatsApp and Facebook Messenger (DelCastillo, 2019). With approximately 2.38 billion monthly users, 1.56 billion of which log in to the site daily, the use of Libra could surpass Bitcoin (DelCastillo, 2019).
The Libra Association, Facebook’s partner hub for the Libra blockchain, is a non-profit membership organization headquartered in Geneva, Switzerland. The Libra Association currently has 28 founding members to include Visa, MasterCard, PayPal, Spotify, and Uber, to name a few. These organizations are responsible for recruiting additional members to act as validator nodes for blockchain fundraising, which is intended to jumpstart the ecosystem and design incentives (Constine, 2019). To prevent fraudulent transactions, a user’s identity will not be tied to publicly visible transactions. This allows Libra to be used securely on websites and applications such as eBay, Uber, and Spotify. Libra’s value is intended to be tied to bank deposits and short-term government securities to make its currency stable, with 100 percent of its value always in circulation (Constine, 2019). Since Libra is still in developmental stages, released information is limited. Further research should investigate Libra’s blockchain security and anticipated ecosystem, as fraud prevention may be enhanced by such an ambitious effort.
Limitations of this research are primarily associated with the potential for selection bias and inaccuracies. Selection bias applies to the methods and criteria used to select publications. Ways in which to limit this bias were addressed in the methodology, but were not infallible. Inaccuracy with regard to data extraction and potential misclassification was also addressed during this research and further mitigated by the review and concurrence of three authors. However, similar to selection bias, efforts to limit inaccuracies were not infallible. Due to these limitations, future research, to include qualitative analyses of new research or quantitative analyses via innovative data collection methods, is recommended. The conclusion of this research is presented next.
Conclusion
Blockchain’s innovative technology requires mitigation as a result of the unintended methods in which to interact with it. Due to these methods, effective applications of cryptography are essentially bypassed in favor of ‘ease of use’ and familiarity, analogous to today’s online interactions with financial institutions. Findings indicate that this new ecosystem is an ideal environment for monetary gain via cryptocurrency fraud. This fraud was almost unavoidable as all fraudsters have to do is apply known and effective techniques, against naive targets, in an unregulated ecosystem designed to make their actions anonymous. Basically, fraudsters are taking advantage of a low risk, high reward environment. Therefore, traditional and tailored mitigation methods identified in this research should be adhered to by those who opt to participate in cryptocurrency ecosystems. Moving forward, strategic paths similar to those outlined in the discussion should be considered as future solutions or research opportunities. Due to recent outlined events, cryptocurrency fraud mitigation affecting relatively small ecosystems today may have a profound impact on one-third of the global population, or approximately 2.7 billion ecosystem participants in the near future.
I made few changes to the background research question.
Background
Hospitals worldwide are connected to the Internet, which often serves both as a medium for services such as e-mail and Web, and as a transport infrastructure for secure services, such as exchange of patient health information or access to a regional electronic health record (Eichelberg et al., 2020). The negative side effect of the Internet is the dramatic increase in cybersecurity incidents. A hospital is one of the most complex organizations, where patient information has not only legal and economic implications but an impact on the patient’s health (Gutierrez-Martinez et al., 2015). Imaging studies include medical images, patient identification data, and proprietary information of the study; these data are contained in the storage device of a Picture Archiving and Communications System (PACS). The PACS is a digital medical imaging management system which is used for acquiring, storing, transmitting, archiving, and accessing medical images electronically (Gutierrez-Martinez et al., 2015). Health imaging data such as ultrasounds, mammograms, MRIs and PACS information is highly vulnerable to cybersecurity criminals, according to a recent McAfee security report. PACS has contributed to improved patient care by increasing efficiency and accessibility to data and has led to fewer delays in the clinical management of patients (Mahlaola & Van Dyk, 2016). A disadvantage of PACS is that the patient’s data is archived on the internet and it is thus possible for unauthorized users or hackers to gain access to the data. It is also possible for data to be duplicated and exported without the patient’s knowledge and consent. The Digital Imaging and Communications in Medicine (DICOM) standard and the requirements of the Health Insurance Portability and Accountability Act (HIPAA) regulations are used to protect the patient clinical data. However, these techniques are not systematically applied to the picture archiving and communication system (PACS) in most cases and are not sufficient to ensure the integrity of the images and associated data during transmission (Gutierrez-Martinez et al., 2015).
Problem Statement
In 2019, several attacks were published that specifically aim at medical network protocols and file formats, in particular digital imaging and communications in medicine (Eichelberg et al., 2020). Those attacks specifically occurred on the Picture Archiving and Communication System (PACS) used within the healthcare radiology department due to a complete lack of necessary IT security measures. The problem is that the PACS does not provide the security, integrity, and confidentiality needed to protect a patient’s information (Gutierrez-Martinez et al., 2015). The majority of healthcare organizations use PACS servers to archive medical images and share images with other providers, but most organizations have not ensured the security of that data.
Research Question
What are the major causes of a patient data breach in healthcare settings? In addition, what role does the healthcare organization have to play in facilitating patient data security?
RQ1: How can healthcare organizations or the manufacturer ensure the security, integrity, and confidentiality of the PACS/images and associated data during transmission?
On Thu, Jun 18, 2020 at 7:17 AM George maina <georgemain.gg@gmail.com> wrote:
Choose a cyber-security topic which interests and challenges you.
Picked Topic: Healthcare data breaches caused by human factors.
1. Data Analysis
2. Discussion
3. Conclusion
Word limit: 1500