Threat modeling - Programming
A new medium-sized health care facility just opened, and you are hired as the CIO, the CEO is somewhat technical and has tasked you with creating a threat model. The CEO needs to decide from 3 selected models but needs your recommendation as well to make sound decisions. The concern is user authentication and credentials with third-party applications which is common in the health care industry. You will research several threat models as it applies to the health care industry, summarize three models and choose one as a recommendation to the CEO in a summary with a model using UML Diagrams (Do not copy and paste images from the Internet). In your document be sure to discuss the security risks and assign a label of low, medium or high risks and the CEO will make the determination to accept the risks or mitigate them).The CEO has provided the attached article as a reference.Task:Explain why the other threat models are not ideal (compare and contrast)Provide one recommendation with summary and UML diagramMust be in full APA3-page minimum not including the title page, abstract and references. threat_modeling_mobile6.pdf Unformatted Attachment Preview See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/323167742 Threat Modeling for Mobile Health Systems Conference Paper · April 2018 DOI: 10.1109/WCNCW.2018.8369033 CITATIONS READS 3 477 4 authors: Matteo Große-Kampmann geb. Cagnazzo Norbert Pohlmann Westfälische Hochschule Westphalia University of Applied Sciences, Gelsenkirchen 16 PUBLICATIONS 14 CITATIONS 113 PUBLICATIONS 386 CITATIONS SEE PROFILE SEE PROFILE Markus Hertlein Thorsten Holz XignSys GmbH Ruhr-Universität Bochum 7 PUBLICATIONS 15 CITATIONS 198 PUBLICATIONS 7,399 CITATIONS SEE PROFILE Some of the authors of this publication are also working on these related projects: Botnet Detection View project Medical Security View project All content following this page was uploaded by Matteo Große-Kampmann geb. Cagnazzo on 03 July 2018. The user has requested enhancement of the downloaded file. SEE PROFILE Threat Modeling for Mobile Health Systems Matteo Cagnazzo1 and Markus Hertlein3 and Thorsten Holz2 and Norbert Pohlmann1 Abstract— Mobile Health (mHealth) is on the rise and it is likely to reduce costs and improve the quality of healthcare. It tightly intersects with the Internet of Things (IoT) and comes with special challenges in terms of interoperability and security. This paper focuses on security challenges and offers a mitigation solution especially with a focus on authentication and encryption for resource constrained devices. It identifies assets in a prototyped mHealth ecosystem and classifies threats with the STRIDE methodology. Furthermore the paper identifies associated risk levels using DREAD and outlines possible mitigation strategies to provide a reasonable trustworthy environment. I. INTRODUCTION Advances in mobile health (mHealth), respectively IoTHealth, are likely to reduce costs and improve the quality of healthcare. Especially with the paradigm shift from inpatient care towards ambulant and home care, mobile and ubiquitous technologies are an inevitable step. The shift is due to increasing cost pressure, ageing society and shortage of skilled professionals[24]. Mobile health applications can increase access to healthcare, encourage self-management and maintain treatment. Internet of Things (IoT) devices are used within healthcare systems and form mHealth environments. Wearables with various sensors, for example gyroscopic-, heart rate- or bioimpedance sensors are often deployed in the Body Area Network (BAN) of the patient. These devices come with a lot of challenges in terms of interoperability and security which need to be considered and treated seriously [23]. ENISA identifies ”asset and configuration management as a relevant technical measure” to prevent attacks [7]. Furthermore, this paper addresses a key recommendation from [7] because it conducts risk and vulnerability assessment for a mHealth architecture which is deployed in a clinical context. This paper discusses most recent related work in chapter II. Afterwards it introduces current developments and background knowledge for mHealth in chapter III-A and threat modeling in chapter III-B. After this we model the threats and define assets in chapter IV. We use a STRIDEbased approach to model threats[22]. To assess the associated risks for specific threats we use the DREAD model [25]. At the end of the paper possible mitigation strategies are discussed in chapter V and conclusions are drawn in chapter VI. *This work is partly funded by the Federal Ministry of Education and Research in Germany (Grant.Nr: 16SV7775) 1 M. Cagnazzo and N. Pohlmann are with the Institute for InternetSecurity, Westphalian University of Applied Sciences, 45876 Gelsenkirchen, Germany {lastname} at internet-sicherheit.net 2 T. Holz is with the Horst Gortz Institute for IT-Security (HGI), RuhrUniversity Bochum, Germany thorsten.holz at rub.de 3 M. Hertlein is with XignSys GmbH, Gelsenkirchen, Germany hertlein at xignsys.de II. RELATED WORK Several papers on future research direction indicate that privacy and security are key issues to the successful deployment of mHealth[16][3]. [16] defines one research challenge as: ”clarify threats and develop security and privacy protections for smartphone apps that handle medical and health data”. This paper aims to give an overview of threats and mitigation strategies for current and future mHealth applications. Current work on threat modeling in healthcare is focusing on telehealth and is not paying attention to mHealth specific threats, especially if data is stored in a cloud environment[1]. Works like [19] are defining and mitigating threats for smart home systems and consider parenthetically how mHealth systems and threats interact with it. [5],[21] and others try to solve the authentication, usability and confidentiality problem within the IoT in general. They do not use standardized approaches to identify threats and mitigate them as well. Stationary care telehealth service terminals, as described in [8] and [20] are likely reduce mobile application scenarios for doctors and medical personnel. This stationary approach is something a mHealth ecosystem is aiming to overcome in the future, to empower mobility to doctors and other caregivers. Common legacy protocols used in medical environments often lack security and privacy aspects. [11] shows that the often used ”HL7” protocol has no security or privacy mechanisms specified especially in version two, which is the most deployed solution in production systems. Figure 1 shows a prototypical mHealth system. It is derived from an architecture which is used in the MITASSIST project. The project is funded by the German Federal Ministry of Education and Research. Figure 2 shows a more detailed view of the components, which data has to pass in the architecture. The wearable on which the sensors are deployed will produce huge amounts of data. Analyzing big amounts of data quickly becomes impracticable for humans, therefore an artificial intelligence(AI) is trained during the research project. Current research shows, that the used models can be exploited by an attacker as well, therefore we include the artificial intelligence into our threat model[9][17]. III. BACKGROUND This section will give a brief definition and introduction of mHealth as well as an architectural overview of an mHealth system. Furthermore threat modeling and the used methodology is introduced. B. Threat Modeling A. mHealth mHealth is the combination of computing and internet technologies, with information and communication systems. In addition with sensors it can form a wearable body area network (BAN) with the patients smartphone[15]. Patients as well as health- and careproviders can benefit from mHealth solutions. mHealth applications that run on information systems like smartphones are used by patients and doctors to access data within the health platform as shown in figure 1. Doctors, caretakers and patients access the platform via an application which can either be deployed to a mobile or stationary device. The patient environment consists of devices and applications in personal patient environment, like wearables and smartphones. These are needed to collect measurements of sensor data, support self reporting as well as feedback or intervention from the caretaker. Most sensors that are deployed are also modules in the IoT, therefore mHealth and IoT components intersect each other. The patients send data via mobile or WLAN networks to the health service cloud. The data is stored in an electronic or personal health record systems(EHR/PHR) which is integrated in the hospital cloud service. The most used protocol is HL7[11]. The data can be crawled by monitoring services or an artificial intelligence, which support the doctor in his decision making, offer more granular insights for patient and doctor, as well as providing suggestions how the patient can improve his health. Other health and care providers could get access to the data as well. This yields privacy concerns which are out of scope of our paper, therefore we neglect third party scenarios. Patients benefit from mHealth applications around the world, since the deployment of mHealth applications can be done in a cost effective way. Especially developing countries can benefit from the widespread deployment of mHealth solutions[10]. ”Respectively, 50 \% and 70 \% of the interventions were effective in promoting physical activity and healthy diets” says[18]. Threat modeling is an important aspect of the security development lifecycle, which is a process aiming to build better and more secure software[13]. It is a technique, which aims to find assets, analyze potential threats and mitigate them. This provides defenders with important insights: • The most likely attack vectors • Assets an attacker is attracted to. • Attack vectors that otherwise would have gone unnoticed The threats which are found during the threat modeling phase will be associated with a security risk to rank them and prioritize certain assets. An asset is defined by ENISA as ”anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission”. TABLE I C ONNECTION BETWEEN STRIDE AND M H EALTH ENVIRONMENT Threat Categories mHealth Security Perspective Spoofing: attacker poses as an authorized user or entity Attacker using user authentication information to access sensitive medical data Tampering: Modifying data maliciously Attacker modifying data in transit (e.g. from BAN to LAN) or at rest Repudiation: Filtering malicious actions if proof is missing Authorized user performs illegal operations and system cannot trace it, other parties cannot prove this Information disclosure: Exposing information to any unauthorized entity Leaking raw data or medical records Denial of Service: Denying service to valid users Attacker jamming BAN or DoS’ing hospital environment Elevation of Privilege: User gains privilege rights and manipulates the system Attacker gains access to security systems as a trusted entity The threat modeling technique used in this paper is STRIDE by Microsoft which is an abbreviation for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege [22]. There are more threat modeling frameworks, for example PASTA or OCTAVE [2][25]. To rank threats we use the DREAD model, which is described in the next section. Fig. 1. mHealth Prototype Architecture Table I defines each threat category and relates it to a specific mHealth attack scenario. After the STRIDE threats are addressed, a metric for the risk of an actual attack needs to be calculated. We will use the DREAD model to evaluate the likelihood of an attack by exploiting a particular threat[14]. The DREAD model consists of Damage potential, TABLE II A SSETS AND I MPACT Reproducibility, Exploitability, Affected Users and Discoverability. The DREAD risk can be calculated as follows: RiskD = (DAM AGE + REP RODU CIBILIT Y + EXP LOIT ABILIT Y + AF F ECT EDU SERS + DISCOV ERABILIT Y ) (1) Values from 1 (low) to 3 (high) are assigned to each addend of equation 1. The sum is calculated and the result can fall in the range of 5-15. Afterwards one can rank threats with overall ratings of 12-15 as high risk, 8-11 as medium risk, and 5-7 as low risk. IV. STRIDE THREATS The process of threat modeling according to STRIDE can be broken down into three blocks: • Identifying assets • Listing potential threats • Mitigating threats To define threats and get a more detailed overview of our architecture, a graphical representation of the data flows and critical points are illustrated with Microsofts Threat Modeling Tool 2017 in figure 2. Data is acquired Asset Impact Network components connecting the user to the service No Availability Loss of information Network components connecting the sensor to the Application No Availability Loss of information Identity management for access control and authentication User specific information cannot be stored or retrieved Database and Storage Components Loss of Availability Loss of Data Integrity Loss of feedback Eavesdropping on Communication Confidentiality Violation Table II shows identified assets and the impact, which a failure of the respective asset would have. Loss of Availability is the most common impact the alteration of an asset could have. Since the mHealth solution should provide close to realtime feedback or intervention to the patient, a loss of availability could be harmful for patient safety not just for security reasons. Depending on the health or monitoring scenario in which the solution is used, close to realtime can range from a few seconds (cardiac monitoring) to 15 minutes (depression monitoring). Other important impacts are confidentiality violation and loss of information. Since the data is considered medical it is highly personal and must be protected carefully. The mHealth platform should be trustworthy, therefore it should provide and maintain confidentiality wherever possible. Fig. 2. Data Flow and critical points from one or more sensors on a wearable and pushed to a central sensor controller. The data is collected and persisted. After a configurable time-interval the data is pushed to the application over a Bluetooth LE connection. The application can send configuration data to the sensor controller and acknowledges received and stored sensor data. Configuration data could be, for example the sampling rate of a specific sensor. The patient authenticates himself and gets access to the application. Sensor data is transmitted from the device to the service platform over a https connection. This data gets acknowledged, after it is stored successfully. If medical personnel wants to check on a patients condition it authenticates itself on its application and sees selected vital data of the patient. If the medical supervisor wants to send interventions to the patients, these are sent to the patient over the cloud infrastructure and gets an acknowledgement after the patient read the intervention. From the flow of data over the respective components a threat model is generated. Table III shows threats towards patient or personnel authentication. It focuses on the loss and misuse of credentials, as well as spoofing of sensors. Generally threats are more severe, if an admin or health personnel is compromised because this would alter the whole integrity of the platform whilst an attack against a single user would only put that specific user at risk. If an attacker or user gains unauthorized access to the platform the threats are elevation of privilege, data tampering and disclosure. Table IV shows this in the STRIDE column. A user could try to elevate his privileges and gain admin access to the service component or the PHR. This elevation could lead to disclosure of private data from other users. The associated risks by an authorization threat are at least medium but most of the times high, because gaining administrator or system privileges, even if they are only local, can cause damage to patients as well as healthcare providers. Furthermore spoofed sensors or smartphones can be used to flood the architecture with requests, forcing a denial of service TABLE III AUTHENTICATION T HREATS information from a PHR is exposed. Description STRIDE DREAD Patient identity sharing or loss S Medium TABLE V P RIVACY T HREATS Description STRIDE DREAD Patient Data Disclosure I High Low Administration Data Disclosure I High E Medium Lost Smartphone I Medium Lost Wearable I Low Sysadmin Identity Theft S High Stolen Smartphone I Medium Sensor Spoofing S,D Medium Stolen Sensor I Low Smartphone Spoofing S,D Medium EHR/PHR Spoofing S High Weak access control smartphone I Medium Weak access control wearable I Low Personnel identity sharing or loss S High Identity spoofing S Patient and Personnel Identity Theft because the service or smartphone cannot respond. Privacy is of huge importance for patients, especially if TABLE IV AUTHORIZATION AND ACCESS T HREATS Description STRIDE DREAD Unauthorized Access to system data E High Unauthorized Access beyond authorized privileges E Medium Tampering to modify access control T Medium Impersonation of a Patient E,D Medium Impersonation of Personnel E,D High Unauthorized access to admin functionality E,T High they suffer from a mental disease. A disclosure of their illness can either be beneficial or hinder the healing process but for most patients it is a dilemma whether they should disclose or conceal it[4]. Nonetheless individuals suffering from any illness should choose for themselves, if they want to disclose their illness, therefore patient data disclosure by an adversary should be prevented at all costs. Lost or stolen devices, especially lost wearables only pose a low risk to private data disclosure, because an attacker cannot read sensitive data from it. Only the last few sensor measurements are stored on the wearable, therefore the information gain is minor. If the smartphone is lost or stolen the information leakage is bigger, but no The last threat category are threats that target artificial intelligences. Table VI shows that these threats are at least of medium importance since an altering of the AI would alter the integrity of the whole platform. Someone could try to change the training data which would mean that every decision the AI does is made from false assumptions, therefore this is the main threat and has a high risk, for now. A non targeted adversarial attack has the goal of forcing the classifier to return an incorrect result. If for example heart rate is monitored an attacker could try to make the classifier return the result cardiac disease, even though the patient is healthy. A targeted attack would try to yield a whole class of the AI and make it return this class regardless of the input. A targeted attack could be that every patient where the data looks like a cardiac arrhythmia will be diagnosed with an infarction. Both attacks imply, that an attacker has successfully gained access to the smartphone or is an active adversary in the same network, because he needs to manipulate the data sent to the mHealth service. TABLE VI A DVERSARY T HREATS Description STRIDE DREAD Potential altering of training data T High Non-targeted adversarial attack T Medium Targeted adversarial attack T Medium V. POSSIBLE MITIGATION STRATEGIES The assets can be grouped by the different kinds of the underlying technologies and processes. This leads to different mitigation strategies for each scenario. Even though security and privacy are the main factors in the healthcare environment to focus on, the interoperability between systems and devices is gaining more and more importance, since sensors and smart devices are spreading faster. Therefore, this paper presents a holistic approach as the mitigation strategy covering all parts of the mHealth system. A distributed system like the presented prototypical mHealth system (Fig. 1) can be harmed by two independent classes of attacks. The first class is physical attacks, for example the physical destruction of a sensor or the disturbing of the interconnection of the sensors, smart devices and cloud services. That kind of attacks cannot be prevented with IT-Security mechanisms. The second threat class is virtual attacks, like data manipulation. We are only focusing on attacks of the second class. In reverse that means, that Denial of Services through connection jamming or physical destruction is not part of this research. A Denial of Service could also be achieved if an attacker is able to conquer a connection, for example through connection hijacking. That kind of DoS is p ... Purchase answer to see full attachment
CATEGORIES
Economics Nursing Applied Sciences Psychology Science Management Computer Science Human Resource Management Accounting Information Systems English Anatomy Operations Management Sociology Literature Education Business & Finance Marketing Engineering Statistics Biology Political Science Reading History Financial markets Philosophy Mathematics Law Criminal Architecture and Design Government Social Science World history Chemistry Humanities Business Finance Writing Programming Telecommunications Engineering Geography Physics Spanish ach e. Embedded Entrepreneurship f. Three Social Entrepreneurship Models g. Social-Founder Identity h. Micros-enterprise Development Outcomes Subset 2. Indigenous Entrepreneurship Approaches (Outside of Canada) a. Indigenous Australian Entrepreneurs Exami Calculus (people influence of  others) processes that you perceived occurs in this specific Institution Select one of the forms of stratification highlighted (focus on inter the intersectionalities  of these three) to reflect and analyze the potential ways these ( American history Pharmacology Ancient history . Also Numerical analysis Environmental science Electrical Engineering Precalculus Physiology Civil Engineering Electronic Engineering ness Horizons Algebra Geology Physical chemistry nt When considering both O lassrooms Civil Probability ions Identify a specific consumer product that you or your family have used for quite some time. This might be a branded smartphone (if you have used several versions over the years) or the court to consider in its deliberations. Locard’s exchange principle argues that during the commission of a crime Chemical Engineering Ecology aragraphs (meaning 25 sentences or more). Your assignment may be more than 5 paragraphs but not less. INSTRUCTIONS:  To access the FNU Online Library for journals and articles you can go the FNU library link here:  https://www.fnu.edu/library/ In order to n that draws upon the theoretical reading to explain and contextualize the design choices. Be sure to directly quote or paraphrase the reading ce to the vaccine. Your campaign must educate and inform the audience on the benefits but also create for safe and open dialogue. A key metric of your campaign will be the direct increase in numbers.  Key outcomes: The approach that you take must be clear Mechanical Engineering Organic chemistry Geometry nment Topic You will need to pick one topic for your project (5 pts) Literature search You will need to perform a literature search for your topic Geophysics you been involved with a company doing a redesign of business processes Communication on Customer Relations. Discuss how two-way communication on social media channels impacts businesses both positively and negatively. Provide any personal examples from your experience od pressure and hypertension via a community-wide intervention that targets the problem across the lifespan (i.e. includes all ages). Develop a community-wide intervention to reduce elevated blood pressure and hypertension in the State of Alabama that in in body of the report Conclusions References (8 References Minimum) *** Words count = 2000 words. *** In-Text Citations and References using Harvard style. *** In Task section I’ve chose (Economic issues in overseas contracting)" Electromagnetism w or quality improvement; it was just all part of good nursing care.  The goal for quality improvement is to monitor patient outcomes using statistics for comparison to standards of care for different diseases e a 1 to 2 slide Microsoft PowerPoint presentation on the different models of case management.  Include speaker notes... .....Describe three different models of case management. visual representations of information. They can include numbers SSAY ame workbook for all 3 milestones. You do not need to download a new copy for Milestones 2 or 3. When you submit Milestone 3 pages): Provide a description of an existing intervention in Canada making the appropriate buying decisions in an ethical and professional manner. Topic: Purchasing and Technology You read about blockchain ledger technology. Now do some additional research out on the Internet and share your URL with the rest of the class be aware of which features their competitors are opting to include so the product development teams can design similar or enhanced features to attract more of the market. The more unique low (The Top Health Industry Trends to Watch in 2015) to assist you with this discussion.         https://youtu.be/fRym_jyuBc0 Next year the $2.8 trillion U.S. healthcare industry will   finally begin to look and feel more like the rest of the business wo evidence-based primary care curriculum. Throughout your nurse practitioner program Vignette Understanding Gender Fluidity Providing Inclusive Quality Care Affirming Clinical Encounters Conclusion References Nurse Practitioner Knowledge Mechanics and word limit is unit as a guide only. The assessment may be re-attempted on two further occasions (maximum three attempts in total). All assessments must be resubmitted 3 days within receiving your unsatisfactory grade. You must clearly indicate “Re-su Trigonometry Article writing Other 5. June 29 After the components sending to the manufacturing house 1. In 1972 the Furman v. Georgia case resulted in a decision that would put action into motion. Furman was originally sentenced to death because of a murder he committed in Georgia but the court debated whether or not this was a violation of his 8th amend One of the first conflicts that would need to be investigated would be whether the human service professional followed the responsibility to client ethical standard.  While developing a relationship with client it is important to clarify that if danger or Ethical behavior is a critical topic in the workplace because the impact of it can make or break a business No matter which type of health care organization With a direct sale During the pandemic Computers are being used to monitor the spread of outbreaks in different areas of the world and with this record 3. Furman v. Georgia is a U.S Supreme Court case that resolves around the Eighth Amendments ban on cruel and unsual punishment in death penalty cases. The Furman v. Georgia case was based on Furman being convicted of murder in Georgia. Furman was caught i One major ethical conflict that may arise in my investigation is the Responsibility to Client in both Standard 3 and Standard 4 of the Ethical Standards for Human Service Professionals (2015).  Making sure we do not disclose information without consent ev 4. Identify two examples of real world problems that you have observed in your personal Summary & Evaluation: Reference & 188. Academic Search Ultimate Ethics We can mention at least one example of how the violation of ethical standards can be prevented. Many organizations promote ethical self-regulation by creating moral codes to help direct their business activities *DDB is used for the first three years For example The inbound logistics for William Instrument refer to purchase components from various electronic firms. During the purchase process William need to consider the quality and price of the components. In this case 4. A U.S. Supreme Court case known as Furman v. Georgia (1972) is a landmark case that involved Eighth Amendment’s ban of unusual and cruel punishment in death penalty cases (Furman v. Georgia (1972) With covid coming into place In my opinion with Not necessarily all home buyers are the same! When you choose to work with we buy ugly houses Baltimore & nationwide USA The ability to view ourselves from an unbiased perspective allows us to critically assess our personal strengths and weaknesses. This is an important step in the process of finding the right resources for our personal learning style. Ego and pride can be · By Day 1 of this week While you must form your answers to the questions below from our assigned reading material CliftonLarsonAllen LLP (2013) 5 The family dynamic is awkward at first since the most outgoing and straight forward person in the family in Linda Urien The most important benefit of my statistical analysis would be the accuracy with which I interpret the data. The greatest obstacle From a similar but larger point of view 4 In order to get the entire family to come back for another session I would suggest coming in on a day the restaurant is not open When seeking to identify a patient’s health condition After viewing the you tube videos on prayer Your paper must be at least two pages in length (not counting the title and reference pages) The word assimilate is negative to me. I believe everyone should learn about a country that they are going to live in. It doesnt mean that they have to believe that everything in America is better than where they came from. It means that they care enough Data collection Single Subject Chris is a social worker in a geriatric case management program located in a midsize Northeastern town. She has an MSW and is part of a team of case managers that likes to continuously improve on its practice. The team is currently using an I would start off with Linda on repeating her options for the child and going over what she is feeling with each option.  I would want to find out what she is afraid of.  I would avoid asking her any “why” questions because I want her to be in the here an Summarize the advantages and disadvantages of using an Internet site as means of collecting data for psychological research (Comp 2.1) 25.0\% Summarization of the advantages and disadvantages of using an Internet site as means of collecting data for psych Identify the type of research used in a chosen study Compose a 1 Optics effect relationship becomes more difficult—as the researcher cannot enact total control of another person even in an experimental environment. Social workers serve clients in highly complex real-world environments. Clients often implement recommended inte I think knowing more about you will allow you to be able to choose the right resources Be 4 pages in length soft MB-920 dumps review and documentation and high-quality listing pdf MB-920 braindumps also recommended and approved by Microsoft experts. The practical test g One thing you will need to do in college is learn how to find and use references. References support your ideas. College-level work must be supported by research. You are expected to do that for this paper. You will research Elaborate on any potential confounds or ethical concerns while participating in the psychological study 20.0\% Elaboration on any potential confounds or ethical concerns while participating in the psychological study is missing. Elaboration on any potenti 3 The first thing I would do in the family’s first session is develop a genogram of the family to get an idea of all the individuals who play a major role in Linda’s life. After establishing where each member is in relation to the family A Health in All Policies approach Note: The requirements outlined below correspond to the grading criteria in the scoring guide. At a minimum Chen Read Connecting Communities and Complexity: A Case Study in Creating the Conditions for Transformational Change Read Reflections on Cultural Humility Read A Basic Guide to ABCD Community Organizing Use the bolded black section and sub-section titles below to organize your paper. For each section Losinski forwarded the article on a priority basis to Mary Scott Losinksi wanted details on use of the ED at CGH. He asked the administrative resident