Health InfoSec Overview Slides - ehealth-softphone

Introduction to Medical Security
in 170 minutes
Fall 2011
Summary
• We present the general concepts of
information security
– What security means
– How security is a process that must be managed
– How to protect information and assets
• We then consider security within the
medical environment, and
• Conclude with a pair of practical medical
security scenarios.
2
So What is Security??
• Responsible for protecting customers.
– Ensure confidentiality-integrity of customer information
– Maintain customer contracted service availability.
– Enforce customer access to only authorized features.
– Ensure error-free and non-malicious interaction between
customers and the system.
• Responsible for protecting the system itself.
– Maintain the confidentiality and integrity of system
information.
– Enforce operations access to those system attributes
authorized
– Providing error-free and non-malicious interaction
between operations and the system.
3
What do the words "trust" and "privacy" mean?
Trust:
– We routinely establish a qualitative measure of trust with
those we associate/interact with regarding:
• Honesty, reliability, . . .
– Unfortunately we have yet to identify a quantitative measure
of confidence
– The best achievable is some measure of assurance that a
person or thing cannot abuse the degree of "trust" we have
that they will act as expected
Privacy:
– Privacy is actually the ability to control who has access to
information, such as:
• Location, credit card numbers, medical condition, DNA
4
Where do we start with measuring assurance
• Begins with understanding what needs protection
• We need to inventory:
– Objects (a.k.a. assets, tangible / intangible property)
– Subjects (a.k.a. actors, users)
• Also need to identify what/how each subject (class) is
allowed to interact with which objects
• These Subject – Object – Allowed Access relationships
represent the level of "trust" we grant to subjects
• For organizations, these relationships are referred to as policy
statements
5
Security Governance - ISO 27001
• Specifies requirements for establishing, implementing,
operating, monitoring, reviewing, maintaining and
improving a documented Information Security
Management System within the context of the
organization's overall business risks
• Specifies requirements for the implementation of security
controls customized to the needs of individual
organizations or parts thereof.
• Designed to ensure the selection of adequate and
proportionate security controls that protect information
assets and give confidence to interested parties.
• Covers all types of organizations (e.g. commercial
enterprises, government agencies, not-for profit
organizations).
6
The Role of Policy – ISO 27002
• Developed hierarchically & decomposed into fine grained
security requirements
• Identifies what assets an organization considers of value
• Captures asset value and sensitivity
– (e.g. public, proprietary, restricted, copyrighted,
Attorney-Client-Privileged)
• Identifies organizational subgroups and "need-to-know" by
group
• Specifies form of authorization required to access an asset
• Drives Security Model consideration
7
Integrity Policy Principles of Operation
• Separation of duty
– If two or more steps are required to perform a critical
function then at least two different people should
perform the steps
• Separation of function
– Developers do not develop new programs on
production systems
– Developers do not process production data on
development systems
• Auditing
– Logging must be in place to enable one to determine
what actions took place when and by whom
8
Security Models
• A security model will
– Describe the entities governed by the policy
– Define the rules that instantiate the policy
• Security models
– capture policies for confidentiality and for integrity
– Can apply to static policies and where dynamic changes
of access rights are required
– Some are formal and others are informal
[Diagram: Threat Model; Security Policy / Security Model; Security Mechanisms]
9
Security Models—Classification
• Multilevel Security (MLS) or Mandatory Access Control
(MAC): concerned with control of vertical information flow
– Bell-LaPadula (BLP)—classic confidentiality
– HRU (Harrison-Ruzzo-Ullman): deals with creation/deletion of files, on which
BLP is silent
– Biba: BLP upside down; deals with integrity, ignores confidentiality
• Multilateral or Compartmented Security: concerned with
control of horizontal information flow
– Chinese Wall Model: prevent conflict of interest in professional practice
– Clark-Wilson banking, aimed at authentication rather than confidentiality
– BMA (British Medical Association)—information flow permitted by
medical ethics
[Diagram: multilevel security as vertical levels TOP SECRET, SECRET, CONFIDENTIAL, OPEN; multilateral security as compartments A, B, C, D, E around shared data]
10
Vulnerabilities
There are now thousands of known vulnerabilities [1]
New vulnerabilities are discovered every week, and exposures are published for anyone to
review.
Automated attack information/scripts are available to anyone almost immediately.
Most of these vulnerabilities fall into the following categories.
Operating system vulnerabilities
Introduced from within an operating system design or implementation.
Protocol-specific vulnerabilities
Characteristic of a protocol and often the most intractable, since modification may cause loss of
interoperability.
Configuration vulnerabilities
Come from a variety of sources, such as:
Hackers may introduce configuration changes that weaken security (e.g. login with a null
password). Administrators may unwittingly change the configuration to a less-secure state
(like leaving tftp enabled). Users may introduce changes to facilitate tedious tasks (like
configuring a .netrc file with hostname, login, and password for access to another host).
Application-specific vulnerabilities
Like operating system vulnerabilities, these are difficult to address since the vendor is
typically the only one in the position to fix security weaknesses.
[1] Internet Security Systems (http://www.iss.net).
Security Threats Vs. Attacks
• A threat is a potential violation of security.
– Thus one is dealing with probabilities
• An attack is any action that violates security.
– Active adversary (malicious intent)
– Inadvertent error (non-malicious intent)
– Passive adversary (malicious intent)
12
Security Threat Agents and Attacks
• Who are the Adversaries?
– Modern systems design based on commercial technology and open
standards.
– Today’s technology is for sale to all potential customers from a large
number of sources.
– Since the end of the Cold War, article of faith to declare that the United
States no longer faces a technologically sophisticated adversary.
– Implies that none of our potential adversaries possess the scientific and
engineering establishment of the former Soviet Union.
[Table: threat agents by attribute. Rows: Insider (3rd Party Technician, Employee, Visitor) and Outsider (Intelligence Agent, Cyber Criminal, Hacker, Terrorist); columns: Expertise, Access, Backing, Risk Tolerance, each rated from Low to High.]
13
Prime Security Objectives
Confidentiality: Confidentiality of stored and transferred information.
Integrity: Protection of stored and transferred information.
Accountability: Accountability for all service invocations and for all network
management activities; any entity should be responsible for any actions initiated.
Availability: All legitimate entities should experience correct access to services
and facilities.
14
Security Attacks – In the Abstract
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity
15
Impact of Attacks
• Theft of confidential information
• Unauthorized use of
– Network bandwidth
– Computing resource
• Spread of false information
• Disruption of legitimate services
All attacks can be related and are dangerous!
16
Risk Analysis
Risk Analysis (a.k.a. Threat Vulnerability Analysis <TVA>) =
1. Identify asset and its value (physical and logical, such as equipment, data,
services, reputation, …)
2. Identify vulnerability of asset = type of asset exposure (degree of
exposure), duration of asset exposure
3. Identify threat to asset = type of threat agent, method of attack by threat
agent, probability of attack occurring, probability of attack success,
degree of damage to targeted asset as a percentage of asset value
= probability of damage to an asset over a specified timeframe
And can be restated as:
- Asset Ax has a value of $x, exposure degree of EDx, exposure
timeframe as ETx
- Threat Tz is composed of Threat Agent TAz, an Attack Az, which
has a probability of occurrence AOz which has a probability of
success ASz resulting in percent of damage ADz
= Tz (Ax)
= Magnitude of damage in $ over timeframe
17
Security Services
18
User Authentication
• An operating system bases much of its protection on
knowing who a user of the system is
• Authentication mechanisms fall into the following
categories:
– What the user knows:
• Passwords, PINs, etc.
– What the user is:
• Biometrics, based on a physical characteristic of the user
– Fingerprint, voice, face
• Use of Passwords
– The most common authentication mechanism
– Assumed to be known only to the user and the system
– How systems behave during validation:
• Someone enters (a guessed) username
– Do not respond with the message UNKNOWN user
• Ask for both username and password and respond with FAILURE if there is no
match
19
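The validation rule on the slide (never answer UNKNOWN user; take both fields and answer only FAILURE) as an added Python example, not code from the original slides. The user table, salt and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

def derive(password: str, salt: bytes) -> bytes:
    """Password hash used by this example: PBKDF2-HMAC-SHA256, 100k rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store for the example: username -> (salt, hash).
SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": (SALT_ALICE, derive("correct horse battery staple", SALT_ALICE)),
}

# Dummy credential used when the username is unknown, so the unknown-user path
# does the same work as the known-user path. It can never match a real password.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = derive(os.urandom(16).hex(), DUMMY_SALT)

FAILURE = "FAILURE"   # the single message returned for every failed login
SUCCESS = "SUCCESS"

def login(username: str, password: str) -> str:
    """Validate a username/password pair.

    Whether the username does not exist or the password is wrong, the caller
    gets the same FAILURE string and the same amount of hashing work, so a
    guessed username is confirmed neither by the message nor by timing.
    """
    salt, expected = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = derive(password, salt)
    # Constant-time comparison: no early exit at the first differing byte.
    ok = hmac.compare_digest(candidate, expected)
    if ok and username in USERS:
        return SUCCESS
    return FAILURE
```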
Authenticating People vs. Machines
People
• Based on
– Something possessed
– Something known
– Personal attribute
• Can (sometimes) remember a password;
– Password should be mnemonic & relatively easy to remember
– Writing it down is less secure.
• Subject Attributes (Biometrics) – fingerprints, signatures, iris, retina,
hand geometry, voice, face, etc.
Machines
• Can store a high quality secret, e.g. a long random looking number;
• Can perform long and/or complex cryptographic computations.
20
Cryptographic Functions and Their Uses
Functions:
1. Public key: two keys – public key e and private (always kept secret) key d
2. Secret key: one key – shared secret key S
3. Hashes: no key or shared secret key S; and still has useful security uses!!
Uses:
• Confidentiality while transmitting over insecure channels (untrusted connections).
• Confidential storage on insecure media.
• Authentication: validate that the asserted identity of a subject can be reasonably linked to
the subject (in personal terms, prove you are who you claim to be)
– Peer-Entity (both human-system and inter-system)
– Information (Data) Origin
• Information Integrity Verification: prove message not altered
• Non-repudiation (Sender, Receipt, Timestamp, Notary)
21
Keyed Hash for Authentication
• Also called Message Digest, Digital Fingerprint, Digital
Authenticator
• Is an authentication mechanism that works as follows:
Digest-algorithm: data block of arbitrary length plus secret key → bit sequence of fixed length
Properties:
- If one or several bits of data change, the message digest changes too
- A forger in possession of a given message cannot construct a fake
message with the same message digest WITHOUT the shared secret key
- Only provides "Data Origin Authentication" and integrity detection
Algorithms:
- MD5 (RFC 1321)
hash-function: X → 128-bit sequence (processed in blocks of 512 bits)
- SHA-1
hash-function: X → 160-bit sequence (processed in blocks of 512 bits)
- SHA-256 & SHA-512 now being discussed
22
MAC & Symmetric Encryption
[Figure: Alice and Bob. Message authentication via MAC & secret key: the clear-text message and the shared secret key go through an MD5 or SHA1 message digest algorithm to produce a 128 or 160 bit keyed digest; the clear-text message and keyed digest are sent, and Bob recomputes the keyed digest with the shared secret key. Equal means no modification in transit and sent by Alice; not equal means modification in transit or not sent by Alice. Message authentication via symmetric encryption & secret key: clear-text (M) is encrypted with the shared secret key by a symmetric encryption algorithm into cipher-text (C), which Bob decrypts with the same key back to clear-text (M).]
23
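The MAC exchange in the figure above as an added Python example, not code from the slides. It uses HMAC-SHA256 (a 256-bit keyed digest) in place of the MD5/SHA1 keyed digest shown; the shared key and the message are constructed.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret held by both Alice and Bob (example value only).
SHARED_SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def make_keyed_digest(key: bytes, message: bytes) -> bytes:
    """Digest-algorithm(message, key) -> fixed-length tag (32 bytes for SHA-256)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def send(key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """Alice's side: what travels over the channel is the clear-text message
    plus its keyed digest; the key itself never leaves Alice or Bob."""
    return message, make_keyed_digest(key, message)

def verify(key: bytes, message: bytes, received_digest: bytes) -> bool:
    """Bob's side: recompute the digest over the received message and compare.

    True  -> no modification in transit and sent by a holder of the key.
    False -> modified in transit, or not sent by a holder of the key.
    compare_digest is constant-time, so the comparison itself leaks nothing
    about how many leading bytes of a wrong tag happened to be right.
    """
    expected = make_keyed_digest(key, message)
    return hmac.compare_digest(expected, received_digest)

def unkeyed_digest(message: bytes) -> bytes:
    """A plain hash of the message, which anyone can compute without the key.
    Included to show that the verifier rejects it: integrity alone is not
    data-origin authentication."""
    return hashlib.sha256(message).digest()
```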
Asymmetric Encryption
[Figure: Asymmetric encryption. Encrypting with Alice's public key: Bob encrypts the clear-text message (M) with Alice's public key to cipher-text (C); Alice decrypts it with her private key, while Jerry, holding only Alice's public key, cannot recover M. Encrypting with Alice's private key: Alice encrypts M with her private key; anyone holding Alice's public key, Bob and Jerry alike, can decrypt C back to M.]
24
Key Management
• Spans key:
– Generation, storage, possibly escrow, distribution, revocation,
destruction, archiving
• Problem:
– How do we establish and distribute keys when a new node is
added?
– Naïve - Brute Force approach:
- generate n new keys – one for each of the nodes of the
network;
- securely distribute the new key to each node of the network
→ obviously not workable for a large number of nodes
• Primary approaches are:
– Key Distribution Center (KDC)
– Public Key Infrastructures (PKI)
– Diffie-Hellman Key Negotiation Protocol
[Diagram: network nodes A, B, C, D, E]
25
Common Security Mechanisms
• IEEE 802.1X
• IP Security (IPSec)
• Packet Filtering (Firewalls)
• Application Gateways
• Deep Packet Inspection (IDS-IPS)
• Transport Layer Security (TLS, SSL, DTLS, SSH)
• Email Security (PGP, SMIME)
• Extensible Markup Language (XML)
• Whenever security mechanisms are used, one cannot ignore
the management of these mechanisms
"these are issues that students can explore in more detail for their thesis work"
26
Security Management
• Security Event-Fault-Attack Management
– Event collection (IDS, traps, etc.), reconciliation/consolidation, Alarm
generation, attack identification, attack mitigation
• Security Configuration Management
– Packet filtering rules, cryptographic policies and parameters, security
patches, access control rules, login accounts, etc.
• Login Access Management
– Login authorization for administrative, craft, peer-carrier, law
enforcement, vendor, customer (enterprise, wholesale, retail)
• Authentication Credentials Management
– passwords, SecureID (tokens), Radius, symmetric/asymmetric
cryptographic key material
• Verification & Validation Management
– Auditing, Vulnerability Analyses, Intrusion Detection
27
10 minute break, please be prompt.
28
Healthcare—Security Examples
This health care security discussion follows the presentation
in Ross Anderson 2008 "Security Engineering" (Computer Lab, U
Cambridge, UK, http://www.cl.cam.ac.uk/~rja14/)
• Privacy of Patient Record in Hospital
Systems
• Protection of Patient Identity in Research
Studies
• Security of Web-Based Applications
• New Safety Risks in New Technologies
29
Hospitals: Privacy of Patient Record Systems
• Who should have access to patient data and for how
long?
– Obviously not all staff
– Devise and implement rules such as
"nurses in department can see record of any patient treated by the
department in the last year"
• Difficulties for traditional security systems
– Changing security roles, e.g. nurses change department.
Traditional security systems use role based models but prefer static roles
– Cross dependencies: if the personnel system is used to drive access, e.g.
the nurse's file in the personnel system includes access privileges,
→ the personnel system becomes critical for safety, privacy or for both.
Traditional security systems strive to define separate domains/levels with
limited cross dependencies
30
Research: Protection of Patient Identity
• How do we anonymize /de-identify data reliably?
• Difficult because removing names and encryption does not
protect from revealing identity through queries such as
"Show all records of males between 25 and 35 years
treated for tear of the anterior cruciate ligament (ACL)
in 2003".
(ACL is the most serious basketball injury, requiring
surgery, 9-12 months rehab, and potentially lasting
limitations on running and jumping.)
Protection techniques are known as inference control
31
Web-Based Applications: Safety & Security
• New Assurance Problems:
– reference books (e.g. drug directories) move online
assurance that life-critical data (e.g. dosage per body
weight), are correct as published by the relevant
authority, not mangled due to transport, storage,
interference, etc.
→ data integrity becomes a safety issue
– doctors process patient records from home/laptops/PDA
need suitable authentication and encryption tools
32
New Technologies: New Risks
• New risks not well understood, e.g.
online radiology systems: X-rays go directly from
machine to server in distant town (not as previously
in an envelope to the operating theatre)
network failure can stop the surgery just as can
power failure
Difference: typically there are clear procedures for
dealing with outages of power, telephone, etc. but
how to deal with server crash or network
disruptions is rarely well documented.
33
Medical Information Systems & Security
• Younger field than defense and banking
• Healthcare spending in developed countries is a much larger
percentage of GDP than military
for the US in 2009 healthcare spending (including private) is
– $2,142 B or 17.6% of GDP
https://www.cms.gov/NationalHealthExpendData/25_NHE_Fact_sheet.asp (DHSS website)
vs.
– $640 B or 4.7% for defense http://data.worldbank.org/indicator/MS.MIL.XPND.GD.ZS
• 2006 study by Department of Health and Human Services (DHHS)
: investments in IT will be recouped in 3-13 years & will make
services safer and more efficient
• 2012 US Budget: health 22.62% defense 19.27%
http://www.whitehouse.gov/omb/budget
34
The Controversy of Medical Data Privacy
• 1995: Mark Farley, convicted child rapist working as
orthopedic technician in Newton-Wellesley Hospital, Newton,
MA, was using patient records to find targets → HIPAA cosponsored by Ed Kennedy
• UK attempt to centralize all medical record in 1995-96 led to a
confrontation with the BMA
• Late 1990s: Iceland national medical database project that
also incorporates genetic and genealogical data to track
inherited diseases across generation, caused uproar.
– 11% of population opted out
– Supreme Court decided the database should be opt-in rather than opt-out
– ca. half the population now participates
35
The Controversy… (continued)
• Debate on Safety vs. Privacy Tradeoff of Emergency
Medical Information in Europe
– emergency medical data should be readily available for safety
– "readily available" can mean less secure and vice versa
"secure" can mean "not readily available"
– Germany: current prescriptions and allergy on medical insurance card that
person carries—private/secure, but is it safe?
If patient falls ill in country where smart card readers are not available this
becomes a safety risk and the alternative
information in human-readable format on a bracelet is safer though less secure
– UK: government is creating a 'summary care record' of prescriptions and
allergies kept on central database, available to many health-care workers
(emergency services, out-of-hour help lines)—safe, but
not secure as it may reveal sensitive information, e.g. HIV, depression,
alcoholism.
36
HIPAA (Health Insurance Portability & Accountability Act)
Passed by Congress in 1996; 2003 HIPAA Final Security Rule; 2006 further
simplified; includes five technical security services requirements and required and
addressable implementation specs (CFR 45 § 164.312 Technical safeguards).
• Access control
– required: unique user identification (i.e. no group and generic logins),
emergency access procedure
– addressable: automatic logoff, encryption/decryption
• Audit control
– addressable: health information has not been altered or destroyed in an
unauthorized manner.
• Data Integrity
• Person or Entity Authentication
• Transmission Security
– addressable: integrity controls, encryption/decryption
Common-sense general requirements; Few implementation specifics.
37
Summary of Challenges/Requirements for Security Engineer
• Dynamic Security Roles—Role Based Models
• Multilateral/Compartmented Security Model
• Safety vs. Security Tradeoffs
• Access Control Decisions involve the
– data subject (e.g. consent to disclose health data,
religious beliefs, sexual orientation, etc.) as opposed
to by a
– central authority (defense systems) or by
– system user (discretionary)
38
The Threat Model
• main threat: access abuse by insiders
• most common threat vector (path/tool to attack target): social
engineering, e.g. the perpetrator calls the doctor's office
"Hello, this is Dr. Henderson from Mass General. Your patient, Bob
Smith, had an accident and was brought into ER unconscious. Can
you tell me….."
Most of the time Dr. Henderson gets everything he asks for…
• operational security is not part of healthcare culture; and this is a good
thing: "If everybody was as unhelpful as intelligence-agency staff are
trained to be, the world would grind to a halt." (R. Anderson. Security
Engineering, p.285)
39
The Threat Model (continued)
• Lack of technical security knowledge: old PC sold with
recoverable data.
• Large centralized databases are managed more
professionally but at the same time are a more valuable
target and the abuse potentially more damaging →
aggregation of data increases risks
– Veterans' Administration has centralized system. After Hurricane
Katrina veterans who were refugees in other states had their
records readily available in the local VA hospital at any place in
the country.
– May 2006 personal information on all 26.5 million veterans
(including names, SS, etc.) stolen from the residence of an
employee who had taken them home w/o authorization.
40
BMA Security Policy
Ross J Anderson (1996) Security in Clinical Information Systems states
the following nine principles (A Security Policy Model for Clinical
Information Systems , IEEE Symposium on Security and Privacy, in html at
http://www.cl.cam.ac.uk/~rja14/policy11/policy11.html ):
• Access control: Each identifiable clinical record shall be marked with
an access control list naming the people or groups of people who may
read it and append data to it. The system shall prevent anyone not on
the access control list from accessing the record in any way.
• Record Opening: A clinician may open a record with herself and the
patient on the access control list. Where a patient has been referred,
she may open a record with herself, the patient and the referring
clinician(s) on the access control list.
• Control: One of the clinicians on the access control list must be
marked as being responsible. Only she may alter the access control list,
and she may only add other health care professionals to it.
41
BMA Security Policy (continued)
• Consent and notification : The responsible clinician must notify the
patient of the names on his record's access control list when it is
opened, of all subsequent additions, and whenever responsibility is
transferred. His consent must also be obtained, except in emergency or
in the case of statutory exemptions.
• Persistence: No-one shall have the ability to delete clinical information
until the appropriate time period has expired.
• Attribution: All accesses to clinical records shall be marked on the
record with the subject's name, as well as the date and time. An audit
trail must also be kept of all deletions.
• Information flow: Information derived from record A may be
appended to record B if and only if B's access control list is contained
in A's.
42
BMA Security Policy
• Aggregation control: There shall be effective measures to
prevent the aggregation of personal health information. In
particular, patients must receive special notification if any
person whom it is proposed to add to their access control
list already has access to personal health information on a
large number of people.
• Trusted Computing Base: Computer systems that handle
personal health information shall have a subsystem that
enforces the above principles in an effective way. Its
effectiveness shall be subject to evaluation by independent
experts.
43
Inference Control
• Privacy protection in secondary applications, such as databases
for research, cost controls, clinical audits, is even harder than in
hospital systems:
• Standard protection is de-identification or anonymization:
remove names & addresses but well designed queries can find the
identity
• US Healthcare Finance Administration (HCFA) maintains three
sets of records: complete; beneficiary encrypted (names and SS obscured)
for trusted researchers; public-access
• HIPAA recognizes medical de-identified information as
information that has been 'properly' de-identified, i.e.
– 18 specific identifiers have been removed and operator has no knowledge
that remaining information can be used to identify the subject
– qualified statistician concludes risk is substantially limited
– If such data are inadequate for research HIPAA recognizes limited data sets
with more information available to contractually bound & qualified users
44
Inference Control Theory
• Developed by Denning and others late 1970s-early 1980s
• Objective: prevent disclosure of sensitive statistics
• Characteristic formula is expression (in some DB query
language) that selects a set, known as query set of records.
• Smallest query sets, obtained by logical AND of all its attributes
(or their negation) are known as elementary sets or cells.
• Statistics of query sets may be sensitive statistics if they meet
certain criteria, e.g. set size too small.
• D—set of statistics disclosed
• P—set of sensitive statistics
Privacy is assured if D ⊆ ¬P, where ¬P is the complement of P;
if D = ¬P, the protection is precise.
45
Inference Control
• Simplest protection: limit query size
• Most important attack: Trackers—query sets that reveal
identity
– individual tracker example: there is only one female faculty member in the
department; then a set of just two queries reveals her salary:
"Average salary of all faculty in the department?"
"Average salary of all male faculty?"
– general trackers—sets of formulae that can reveal any sensitive statistic.
Disappointingly, they are not very difficult to construct. It was shown that
if the smallest query set is less than a quarter of all statistics, and
there are no restrictions on the type of query,
then one can find a formula that provides general trackers.
(Denning et al, 1979)
• Area of active research
46
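The individual tracker from the slide, run against a query-size limit, as an added Python example (not from the slides). The department table is constructed; the example goes one step beyond the slide by also applying Denning's complement rule (refuse query sets larger than N − k), which is what actually stops this tracker.

```python
from typing import Callable, Dict, List, Optional

# Constructed department table for the example; not real data.
FACULTY = [
    {"name": "A", "sex": "M", "salary": 90_000},
    {"name": "B", "sex": "M", "salary": 110_000},
    {"name": "C", "sex": "M", "salary": 100_000},
    {"name": "D", "sex": "M", "salary": 120_000},
    {"name": "E", "sex": "F", "salary": 95_000},   # the only female faculty member
]

Predicate = Callable[[Dict], bool]

def query_set(pred: Predicate) -> List[Dict]:
    """The characteristic formula `pred` selects a query set of records."""
    return [r for r in FACULTY if pred(r)]

def average_salary(pred: Predicate, k: int = 2,
                   complement_rule: bool = False) -> Optional[float]:
    """Release the mean salary over the query set, or None if the statistic is refused.

    k: minimum query-set size (the slide's "limit query size").
    complement_rule: additionally refuse sets larger than N - k. A statistic over
    a large set, combined with one over its near-complement, isolates the few
    records that differ; refusing both ends closes that door.
    """
    rows = query_set(pred)
    n, total = len(rows), len(FACULTY)
    if n < k:
        return None
    if complement_rule and n > total - k:
        return None
    return sum(r["salary"] for r in rows) / n

def individual_tracker(k: int = 2, complement_rule: bool = False) -> Optional[float]:
    """The two-query tracker from the slide.

    The direct query "female faculty" is refused (set size 1 < k), but the
    department average and the male average are both large, permitted sets.
    With the headcounts (public knowledge in a department) the difference of
    the two totals is exactly the one record outside the male set.
    Returns None if either query was refused.
    """
    avg_all = average_salary(lambda r: True, k, complement_rule)
    avg_male = average_salary(lambda r: r["sex"] == "M", k, complement_rule)
    if avg_all is None or avg_male is None:
        return None
    n_all = len(FACULTY)                                    # assumed known
    n_male = len(query_set(lambda r: r["sex"] == "M"))      # assumed known
    return avg_all * n_all - avg_male * n_male
```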
Practical Problem #1
A Nigerian cyber crime team wants to access medical
records in a particular hospital, to create a fictitious billing
scheme so they can steal money from insurance companies.
The criminals have an accomplice who works as a
technician for a service company to deliver computer
supplies and install PCs at the hospital.
• What can hospital security personnel do to protect the
hospital and its patients from such a threat?
– Please consider what:
• the key issues are,
• vulnerabilities the delivery person could exploit
• the hospital should do when dealing with suppliers
• possible security mechanisms the hospital should
deploy
47
Practical Problem #1 Response
• Vulnerabilities:
– Technician access to hospital network and patient records
system when installing a PC.
• The threat:
– Technician eavesdrops (passive attack) on network traffic
looking for hospital employee identities & authentication
information (login IDs and passwords)
– Technician tries to access patient records system by
masquerading (active attack) as a legitimate hospital
employee
• Key issues:
– How to ensure only authorized access to hospital network
communications and patient records
– Hospital relies on company for employee background checks,
however this does not abrogate hospital from responsibility
48
Practical Problem #1 Response (continued)
• Possible hospital actions regarding 3rd party suppliers:
– Background check on supplier company to verify reputation and integrity
– Confirm company has a security program governing employee behavior
– Contract with company should include clauses on company obligations
and liabilities.
• Possible hospital deployed security mechanisms:
– Require that patient record access requires proper authentication and
access compartmentalized by hospital employee role/department
– Train/educate hospital employees about social engineering
– Deploy network access controls, such as 802.1X, to prevent unauthorized
access to network.
– Limit access to hospital systems via a role-based multilateral system. For
example, the technician would find it easiest to masquerade as a floor nurse
given his/her limited time and information BUT nurses should not be
granted access to billing or insurance information.
49
Practical Problem #2
Dr. Hastings reviews the record of one of his
patients and is puzzled when he sees that the
radiologist noted a small growth in the brain three
years ago but there is no follow up exams and labs
and the latest entry gives the patient a clean bill of
health.
• What could have happened?
• How can the doctor determine what happened?
• How can hospital system security have prevented
this from happening?
50
Practical Problem #2 Response
• What could have happened?
– The most likely cause would be an accident (as in a mistake by a
nurse or other hospital employee who is authorized to access the
record)
• How can Doctor determine what happened?
– If all changes to patient records are recorded in a log/audit file then
Doctor can request examination of the log entries to identify who
accessed the record, when access occurred and what was done
when record was accessed (Attribution)
• How could hospital system security have prevented this
from happening?
– Not allow deletions of information to patient records prior to the
expiration of a specified time period (Persistence)
– Not allow modification of information in patient records without
confirmation by second employee (Separation of Duties)
51
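The BMA principles above (access control, record opening, control, persistence, attribution, information flow) and the Attribution/Persistence checks the Practical Problem #2 response relies on, as one added Python example; this is not code from the slides or from the BMA policy. The professional registry, names and fixed clock are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed registry of health-care professionals (made-up names).
PROFESSIONALS = {"Dr Hastings", "Dr Lee", "Nurse Kim", "Radiology"}

class PolicyViolation(Exception):
    pass

@dataclass
class ClinicalRecord:
    patient: str
    responsible: str                 # the one clinician who may edit the ACL
    acl: Set[str]                    # who may read the record and append to it
    entries: List[Tuple[datetime, str, str]] = field(default_factory=list)     # (when, who, text)
    access_log: List[Tuple[datetime, str, str]] = field(default_factory=list)  # (when, who, action)
    notifications: List[str] = field(default_factory=list)  # what the patient has been told
    retention: timedelta = timedelta(days=365 * 10)

def fixed_now() -> datetime:
    return datetime(2011, 10, 1, 9, 0)   # fixed clock so the example is reproducible

def open_record(clinician: str, patient: str, referring: Set[str] = frozenset()) -> ClinicalRecord:
    """Record opening: opening clinician, patient and any referring clinicians go on the ACL."""
    rec = ClinicalRecord(patient, clinician, {clinician, patient, *referring})
    rec.notifications.append(f"opened; ACL = {sorted(rec.acl)}")   # consent and notification
    return rec

def check_access(rec: ClinicalRecord, who: str, action: str) -> None:
    """Access control plus attribution: refuse anyone not on the ACL, log every access."""
    if who not in rec.acl:
        raise PolicyViolation(f"{who} is not on the access control list")
    rec.access_log.append((fixed_now(), who, action))

def add_to_acl(rec: ClinicalRecord, by: str, who: str) -> None:
    """Control: only the responsible clinician alters the ACL, and may only add professionals."""
    if by != rec.responsible:
        raise PolicyViolation("only the responsible clinician may alter the ACL")
    if who not in PROFESSIONALS:
        raise PolicyViolation(f"{who} is not a health care professional")
    rec.acl.add(who)
    rec.notifications.append(f"added {who}")   # patient is notified of every addition

def read(rec: ClinicalRecord, who: str) -> List[str]:
    check_access(rec, who, "read")
    return [text for _, _, text in rec.entries]

def append(rec: ClinicalRecord, who: str, text: str) -> None:
    check_access(rec, who, "append")
    rec.entries.append((fixed_now(), who, text))

def append_derived(src: ClinicalRecord, dst: ClinicalRecord, who: str, text: str) -> None:
    """Information flow: data from record A may go to record B only if B's ACL is contained in A's."""
    if not dst.acl <= src.acl:
        raise PolicyViolation("destination ACL is not contained in source ACL")
    check_access(src, who, "read")
    append(dst, who, text)

def delete_entry(rec: ClinicalRecord, who: str, index: int, at: datetime) -> None:
    """Persistence: nothing may be deleted before the retention period has expired."""
    check_access(rec, who, "delete")
    when = rec.entries[index][0]
    if at - when < rec.retention:
        raise PolicyViolation("retention period has not expired")
    del rec.entries[index]

def who_touched(rec: ClinicalRecord) -> List[Tuple[str, str]]:
    """Attribution, as Dr Hastings would use it: (who, action) for every access, in order."""
    return [(who, action) for _, who, action in rec.access_log]
```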
Thank You
Tanya Zlateva
(zlateva@bu.edu)
Stuart Jacobs
(sjjacobs@bu.edu)
52