Attacking a System

For this assignment, you job is to figure out how best to attack a system. I leave it up to you to figure out which component to attack and what the goals of the attack should be—the goal or goals merely have to be plausible.

The (hypothetical) system in question is a nationwide medical records and billing system. Many entities participate:

Doctor's offices, which may be small or large. Any licensed physician is entitlted to participate and hence receive appropriate credentials to connect to various sites. Some offices will be very small; some will have tens of doctors, a moderately complex network, and a full-time IT person.
A central medical records site—it holds medical records on every patient of every participating physician. Note that many people will see more than one doctor; all of their records have be grouped together. This site is of course quite large, with many full-time IT people.
Health insurance companies. This is the U.S., so of course there are many of them; they all have complex rules, etc.
A central clearing house for serious medical conditions, similar to the Medical Information Bureau (https://www.nytimes.com/2014/01/15/your-money/consumers-can-check-on-data-beyond-their-credit-reports.html — a web page you probably need to read). Briefly, the clearinghouse holds a record of significant conditions, so that someone can't apply to a second insurance company without disclosing these conditions after being turned down by a first insurance company.
Individuals. They see doctors, of course; they can also use web browsers to check their medical records, deal with their health insurers, and view and perhaps dispute the information that the clearing house has on file for them. Each individual has a unique identifying number; how this is assigned and verified is out of scope, but assume that it will always be genuine.

Each of these entities has its own structure.

Doctor's office:	A doctor's office has one or more doctor's computers, one or more administrative computers, and one or more serves, for local medical records and local billing records. Those latter two functions may be done on a single computer in a small office. The doctors use a browser to enter medical records. The administrative staff looks at medical records and updates the billing records with a price and a "significant condition" record. They then trigger uploads. The medical records go to the medical record server (indexed by the patient's ID number); this is a specialized, non-web protocol. The bill goes to the proper insurance company, along with a "procedure code", i.e., what the doctor did, and any serious medical conditions. Again, this is a non-web protocol.
Medical Records	The medical records site is used to have all patients' records available in one place. Both individuals and doctors log in via web browsers and HTTPS, using their own credentials, to view records. Individuals can only see their own records; doctors can see records of any of their patients once they know the patients' ID numbers. Again, the records are updated via a non-web, server-to-server protocol.
Health Insurance	Health insurance companies receive bills from doctors' offices via a non-web protocol. Consumers can log in to their insurance company to see their claims and bills and do other administrative things, including paying bills via credit card. There are also financial transactions originating from this site: patients are billed, doctors are paid, etc. Financial transactions to the doctor and interactions between the insurance companies and banks are out of scope. Insurance companies send significant conditions to the clearinghouse, using a non-web protocol; however, employees of these companies can use a browser to query an individual's pre-existing conditions.
Clearinghouse	The clearinghouse receives records from insurance companies, via a non-web protocol. Insurance company employees can use the web to view records; individuals can use a browser to view their own records.
Individuals	Individuals can use web browsers to interact with the medical record server, their health insurance company, and the clearinghouse. They can only see their own records.

There are a number of aspects I've deliberately left unspecified. Make any reasonable assumptions you like, but document them. If there is a more secure option than the one you choose, explain why your choice is better under the circumstances, given the usual tradeoffs of cost, usability, etc.

Here are two possibly-useful diagrams. The first is an overall system flow; the second is the flow with a doctor's office.

Be certain to see the two diagrams linked to from the Assignments page: https://www.cs.columbia.edu/~smb/classes/s20/assignments.html