Health Care Workers: A Possible Insider Threat
advertisement
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
HEALTH CARE WORKERS: A POSSIBLE
INSIDER THREAT
B. Dawn Medlin
Sandra A. Vannoy
Elaine Winston
Appalachian State University
Hofstra University
medlinbd@appstate.edu vannoysa@appstate.edu elaine.r.winston@hofstra.edu
ABSTRACT
Healthcare employees generally have access and the ability to view patient data whether in
a chart or on a computer screen. With this type of accessibility comes a great deal of
responsibility, Often viewing does not require multiple layers of security actions. With this
type of accessibility, health care workers have the opportunity to view diagnosis, personal
medical histories, as well as simple demographic information like age and gender. This
information to a cybercriminal is like hitting t h e jackpot. Diagnosis could be used in
blackmailing schemes and social engineering to obtain social security numbers that can
be easily sold and used for a variety of credit and medical fraud incidents. Techniques such
as social engineering or weak password usage can provide opportunities to a wealth of
knowledge. In this paper, a presentation of social engineering techniques is explored as well
as the password practices of actual health care workers.
INTRODUCTION
One of the largest threats to a healthcare systems security can be employees. Internal employees actually
can pose the largest threat to the security and privacy of information as they can exploit the trust of their
co-workers, and they generally are the individuals who have or have had authorized access to the health
care organization’s network. As well, they are generally familiar with the internal policies and procedures
of the organization. Additionally, internal employees can exploit that knowledge to facilitate attacks and
even collude with external attackers (http://www.cert.org/insider_threat/).
A patient’s personal information, such as address, phone number, and social security number, are all
items that may be included and accessible to some or all healthcare employees. PHR (Personal Health
Care Records) are available to many who neither touch nor need access to patient’s health care
information. With the accessibility and sheer volume of patient’s data and information patient’s may be
even more vulnerable to security breaches.. If the information is not easily accessible, hackers and social
engineers have been very successful in founding ways to circumvent networked health data systems by
simply asking for the information or by finding weaknesses within the system.
Due to the number or increase to either losing or sharing information or the severity of these issues,
HITECH or the Health Information Technology for Economic and Clinical Health Act of 2009 was
enacted. Under Title XIII, HIPPA appears to remain the law that is most discussed in relation to privacy
and security within the health care industry.
One of the core aspects and a basic goal of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) is to provide more electronic medical information. Unfortunately, this can also result in more
opportunities for crimes that can be committed using health care types of data and information. HIPAA
regulations were enacted to protect the privacy and security of patients and their medical records; simply
put, they make it illegal for unauthorized personnel to access or release information from someone's
medical records.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
1
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
HIPAA addresses security and privacy measures, either directly or indirectly, in the following noted
standards below (http://www.hhs.gov/news/facts/privacy.html). These standards, include management
processes, user education and training, and access control.
Security Management Process [161.308(a)(1)] Healthcare organizations must show that they have a
consistent set of internal processes, with implementation that is widespread and institutionalized.
Processes range from establishing criteria for who has access to what, and who can request certain
resources; to ensuring that access rights are revoked immediately upon employee termination.
Security Awareness and Training [161.308(a)(5)] HIPAA requires that staff members be trained and
educated concerning the proper handling of PHI. This basic-level security training should include
measures such as password management.
Access Control [161.312(a)] HIPAA security regulations require a definition of who has access to PHI
within the organization, as well as the rules determining an individual’s right of access, and the reasons
for denying access to some individuals.
Despite its legal requirements, however, HIPAA standards have been known to be difficult to implement
and are not always followed. As required by HIPAA, healthcare institutions are required to provide
security methods in order to protect patient’s information. One such method is through the authentication
of the individual requesting access. Healthcare employees are generally subjected to some type of
authentication process. Although there are different ways of authenticating employees, most systems are
based on the use of a physical token (something one has), secret knowledge (something one knows) or
biometrics (something one is) (Burnett & Kleiman, 2006).
Due to increased regulations and the increased opportunities for exploitation that exist in today’s digital
world, it is even more important for healthcare providers to keep healthcare records and the information
held within, safe and private. Governmental agencies have adopted initiatives that specifically address the
issues and rights of healthcare patients. More specifically, the security and privacy of healthcare
information is protected by the Health Insurance Portability and Accountability Act (HIPAA), requiring
healthcare agencies to do everything possible to protect their information.
There are many threats to the privacy of a patient’s information, and one of the largest threats is social
engineering. Social engineering is generally defined to include the use of trickery, personal relationships
and trust to obtain information; more specifically, it is the art of deceiving people into giving confidential,
private or privileged information or access to a hacker (Gragg, 2007).
BACKGROUND
With the availability of information comes the opportunity for more fraudulent activity such as social
engineering attacks. According to Christopher Hadnagy (2010), “social engineering is the art or better
yet, science, of skillfully maneuvering human beings to take action in some aspect of their lives,”
(Hadnagy, 2010, p. 10). For many social engineers the process of obtaining meaningful information may
lead to the insight of the organization’s security policy, the countermeasures the organization has put in
place and specifics relating to personnel and their level of security privilege.
If a social engineer is attempting to find out about one particular patient, they may target that person’s
medical health record. A patient’s medical record may include gender, race, family history, sexual history
including types of birth control, sexual activity and treatment, any history or diagnosis of substance abuse,
and diagnosis of mental illness. Other medical information, such as HIV status, may also be included. The
accessibility of this confidential information may open the door to various forms of discrimination. For
instance, chronic diseases such as HIV and AIDS may result in an increase in insurance rates or even
denial of coverage, due to the extensive medical treatment usually needed by these patients. Individuals
may even be ostracized or stigmatized because of their disease type. Patients expect the information
contained in their records to remain secure and private, to be seen only by those individuals whose access
is medically or administratively necessary.
Unfortunately, patient’s medical records are being provided in public information and very easily accessed
when a breach occurs. Table 1 represents some of the current security breaches that are occurring within
the medical community.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
2
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
Table 1. Examples of Security Breaches
DATE
ORGANIZATION
EVENT
2014
A processing error on the L.A.
Processing error could have either been No Number
Care Health Plan payment website human or machine error.
reported
allowed some members
to see the names, addresses and
identification numbers of other
members.
Source:
http://www.usatoday.com/story/
tech/2014/02/27/california-databreaches-hit-213-millionaccounts/5868191/
2013
South Carolina Department of
Former Medicaid employee
230,000
Health
and
Human
Services Christopher Lykes transferred to his patients
Columbia South Carolina SOURCE: personal
Yahoo
account
17
Excel
http://healthitsecurity.com/2013/ spreadsheets.
These
spreadsheets
07/23/healthcare-data-breachescontained social security numbers and
reviewing-the-ramifications/
other personal information.
2012
Utah Department of Health
Salt Lake City, Utah SOURCE:
http://healthitsecurity.com/2013/
07/23/healthcare-data-breachesreviewing-the-ramifications/
The default network password was not
780,000
changed on a network server creating a patients
weak password policy.
Protected
information, including social security
numbers, was exposed.
2012
Emory Health Care
Ten backup disks containing patient 315,000
information, over 17 years, were lost from a
patients
storage facility. Two-thirds of the disks
contained patient social- security numbers,
names, dates of surgery, diagnoses, medical
procedures, and related doctors. .
A non-password protected laptop was 4,503 patients
stolen from a contractor’s automobile.
These records contained patient social
security numbers.
Atlanta, Georgia SOURCE:
2012
http://healthitsecurity.com/2013/
07/23/healthcare-data-breachesreviewing-the-ramifications/
Howard University Hospital
Washington, D.C. SOURCE:
2011
RECORDS
AFFECTED
http://www.healthcarefinancene
ws.com/news/top-10-data-securitybreaches-2012
Stanford Hospital
Spreadsheets containing the names, 20,000
diagnosis
codes,
account
numbers,
Palo Alto, California SOUCE:
patients
admission and discharge dates, and billing
charges of emergency patients were posted
http://www.nytimes.com/2011/0
9/09/us/09breach.html?pagewan on a commercial website called Student of
Fortune (a website which allows students to
ted=all&_r=0
seek paid assistance on their school
assignments).
The
information
was
available online for approximately 1 year.
The spreadsheets were originally in the
possession of the hospital’s vendor
documented as Multi-Specialty
Collection Services.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
3
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
As noted above, thousands of health care information are being made very public, and sometimes
through simple carelessness or through the use of social engineering techniques. Numbers are growing as
more and more medical records are going online and becoming accessible to both patients and health
care providers. In 2013 alone, 199 data breaches were reported to the U.S. Department of Health
and Human Services, impacting more than 7 million patient records -- that's a 138 percent
increase over 2012 (Goldman, 2014).
Passwords and their effect
A second threat as an insider is the usage of a week password. The authentication method of individuals
creating their own passwords is not atypical. For healthcare organizations the password functions like
the key to a lock, anyone who has it can get in to see the patient’s information. Toward that end,
there have been recommendations from governmental agencies to hospitals on how to construct a
password. One of the first guidelines in creating good passwords was published in1985 by the
Department
of
Defense
and
is
still
relevant
today
(http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt).
Their
guidelines
recommended the following: 1) passwords must be memorized; 2) passwords must be at least six
characters long, 3) passwords must be replaced periodically, and 4) passwords must contain a mixture of
letters (both upper- and lowercase), numbers, and punctuation characters.
Essentially, there are two types of passwords – strong passwords and weak passwords. If the password is
a strong password then it can offer momentous benefits, but a weak password can only offer significant
risks. Even though most hospitals or health care agencies require a two-factor authentication system
like a badge to prove you are an employee, still , the most common authentication mechanism is simply
the use of a password (something one knows or creates). This type of authentication method can offer
to employees the ability to quickly enter into a system, but human practices such as using the same
password on different systems and writing down a password may degrade the quality of password security
(Pfleeger and Pfleeger, 2007).
Suggestions concerning strong and weak password creation are currently typified by web pages such as the
Georgetown
University
Information
Security
Office
web
site
athttp://security.georgetown.edu/passwords.html. Their password guidelines include the following:
"When selecting passwords, keep the following guidelines in mind:
Choose a password that is at least eight characters in length.
Create passwords that contain all of the following: uppercase and lowercase letters, numbers, and
punctuation and symbol characters (e.g. !@#$%^&*()_+|~-=\`{}[]:";'<>?,./ ).
Avoid using dictionary words in your passwords. This includes foreign language words, slang,
jargon, and proper names.
Avoid using passwords that contain words associated with Georgetown University, such as
georgetown, hoyas, jesuit, or healy.
Avoid common misspellings and substitutions in your passwords (e.g. replacing “e” with “3”or “i”
with “1”)
Avoid using passwords that are based on your name, userid, birthdates, addresses, phone numbers,
relatives’ names, or other personal information."
Problems
Many of the deficiencies of password authentication systems arise from the limitations of human
cognitive ability (Pond et al., 2000). If humans were not required to remember a password, a maximally
secure password would be one with maximum length that could consist of a string of numbers,
character, and symbols. In fact, the requirements to remember long and complicated passwords are
contrary to the way the human memory functions. First, the capacity of human memory in its capacity
to remember a sequence of items is temporally limited, with a short-term capacity of around seven
items plus or minus two (Kanaley, R., 2001). Second, when humans remember a sequence of items,
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
4
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
those items cannot be drawn from an arbitrary and unfamiliar rang, but must be familiar 'chunks' such
as words or familiar symbols. Third, the human memory thrives on redundancy.
In fact, studies have shown that individuals’ short term memory will retain a password for
approximately 30 seconds thereby requiring individuals to attempt to immediately memorize their
passwords. It has also been shown that if an individual is interrupted before they fully memorize the
password; it will fall out of their working memory and most likely be lost.
Also, if an individual is in a hurry when the system demands a new password, individuals must
sacrifice either the concentration of the critical task at hand or the recollection of the new password.
Related to this issue is having to create the content for this new quickly demanded password. The
pressure to choose creative and secure passwords quickly generally results in individuals failing in their
attempt to memorize this new password. For healthcare organizations this can result in reset rates at
one per reset per every four to five users per month (Brostoff and Sasse, 2001).
In order to combat the issue of having to remember so many different passwords some users have
resorted to the selecting familiar terms such as a pet or family name, their own name, their phone
number, or other common terms that could be found in a dictionary. British psychologist Helen
Petrie, Ph.D., a professor of human/computer interaction at City University in London analyzed the
passwords of 1,200 British office workers who participated in a survey funded by CentralNic, an
Internet domain-name company in 2001. She found that most individuals' passwords fell into one of four
distinct password categories which were family, fan, fantasists, and cryptic.
The first category of “family," comprised nearly half of the respondents. These individuals selected
their own name, the name of a child, partner or pet, birth date, or significant number such as a social
security number. Further, Dr. Petrie found that individuals also choose passwords that symbolized
people or events with emotional value or ties.
One third of the survey participants were identified as "fans," using the names of athletes, singers,
movie stars, fictional characters, or sports teams. Dr. Petrie also found that these individuals wanted to
align themselves with the lifestyle represented by or surrounded around a celebrity status. Two of the
most popular names were Madonna and Homer Simpson.
Fantasists made up eleven percent of survey responses. Dr. Petrie found that their passwords were
comprised of sexual terms or topics. Some examples included in this category were terms such as "sexy,"
"stud" and "goddess."
The final ten percent of participants were identified as "cryptics.” These users were seemingly the most
security-conscious, but it should also be noted that they were also the smallest of all of the four identified
categories. These individuals selected unintelligible passwords that included a random string of letters,
numerals, and symbols such as Jxa+157.
Self-created computer passwords are generally personal, and they reflect the personalities of millions of
people as they attempt to summarize their life through a few taps on the keyboard. As psychologists know,
people and personalities are often very predictable in the aggregate, as may be their choices of passwords.
Psychologists have found that humans can store only five to nine random bits of information in their shortterm memory (Andrews, 2004), making it difficult to remember long and complicated passwords.
Therefore, users have often chosen passwords with personal meanings that they can associate with
something in their long-term memory.
Most social engineers rely on employees to unknowingly help them attack company networks and systems
by simply answering a series of simple questions. Today, most healthcare agencies have intrusion
detection/prevention systems such as firewalls that can be used to alert organizations in the event of a
security breach, but these systems cannot prevent employees from inadvertently sharing information with
others. Therefore, the question still remains, “how much information might an employee provide to a
stranger or to a co-worker?”
In addition, social engineers can obtain information from the employee by pretending to innocently
ask questions about hobbies, family members and pets, or the employee’s birth location, and can then
assume the legitimate employee’s identity. Next, they are able to gain access to all of the information
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
5
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
that the employee is authorized to view. It is therefore imperative that employees be taught about the
need for strong passwords and the tactics of social engineers.
RESEARCH METHODOLOGY
Instrument
To simulate a real social engineering attack and to obtain a fair statistical representation of the
security in relation to healthcare organizations, a survey was administered to employees of five
hospitals. These hospitals consisted of varying sizes and were in different regions of the state. Hospital
administration approval was obtained before administering the instrument, but the administration did
not endorse the survey to respondents, nor did they ask them to participate.
Data was gathered to not only determine how many employees would disclose their passwords and
other personal information such as their address, phone number and email, but also simulated the
types of information individuals were willing to share with co-workers, colleagues, or friends of
colleagues. The information that employees were willing to share, including their passwords and other
personal information, would certainly make it easier to hack into a system instead of having to
“guess” at the necessary authentication information.
Data Collection
The data set was comprised of 118 responses, with respondents working in small rural areas with
approximately 5,000 people, to larger, more urban populations of 500,000. Fifty-three of the
respondents filled out entry forms for a drawing, and thus provided the researchers with additional
personal and identifiable information.
Analysis and Results
Interestingly, the findings noted in Table 2 indicate that most respondents were often required to use a
password to access systems, but rarely changed their passwords. As further indicated, most of the
respondents used the same password on multiple accounts. The practice of rarely changing passwords
and/or using the same password for multiple accounts would assist social engineers, thus allowing them
to easily attain access to one system and possibly more.
Table 2: Password Statistics
Variable
Name
Question
Pass_Freq
How often do you use a password to 1 = Very Often
access systems?
5 = Never
Pass_Change
Reuse
How often
passwords?
Answers
do
you
change
5 = Never
Most people use the same password
Characters
1 = Very Often 5 =
Never
On average, do you choose your own 1 = Choose Own 0 =
password or have one assigned?
Assigned
How many characters are in
most commonly used password?
Mean
Std
Dev
118
1.23
0.59
117
2.85
1.13
118
2.47
1.32
117
0.89
0.32
116
5.03
1.71
your 1 = Very Often
on multiple accounts. How often do you
do this?
Choose_Pass
N
your 1 = 1-3, 2 = 4, 3 = 5,
4 = 6, 5 = 7, 6 = 8,
7 = 9, 8 = 10+
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
6
Medlin, Vannoy, Winston
Numbers
Special_Char
Do your passwords
numbers?
Healthcare Workers: A Possible Insider Threat
contain
any 1 = Yes, 0 = No
Do your passwords have any special 1 = Yes, 0 = No
characters in them (@, #, %, &, etc)
Please tell us your password
Password
117
0.87
0.34
118
0.16
0.37
118
0.73
0.45
1 = Shared
0 = Did Not Share
Analyzing the results related to employees’ other password practices found that eighty-nine percent
(89%) were allowed to choose their own passwords, with the average password being about seven
characters in length. In addition, only sixteen percent (16%) of the employees included special characters,
adding to the problem of less than secure passwords.
Most interesting, of the 118 respondents, seventy-three percent (73%) of the employees shared their
passwords with a co-worker or the friend of a co-worker through this survey instrument. It should be
noted that one of the largest threats is that of the internal employee and again, the confidentiality of
the password. Internal employees can also act as social engineers to gain access to additional resources.
As seen in Table 3, half of the respondents created passwords consisting of family names, including
their own name or nickname, the name of a child, or significant other. It is obvious that a very small
percentage of employees are using most of the best practices recommended by governmental,
educational, and private organizations.
Table 3: Password Categories
The
catego
ry of
Question
Answers
N
Mean
“other
Does your password fit into this 1 = Yes, 0 =
,”
Family
category?
No
118
0.50
0.50
with
Does your password fit into this 1 = Yes, 0 =
fortyCryptic
category?
No
118
0.05
0.22
five
perce
Does your password fit into this 1 = Yes, 0 =
nt
Number
category?
No
118
0.45
0.50
(45%)
Does your password fit into this 1 = Yes, 0 =
of the
Fan
category?
No
118
0.15
0.95
respo
Does your password fit into this 1 = Yes, 0 =
ndent
Faith
category?
No
118
0.03
0.18
s
indica
Does your password fit into this 1 = Yes, 0 =
ted
School
category?
No
118
0.02
0.13
that
Does your password fit into this 1 = Yes, 0 =
their
Fantasy
category?
No
118
0.00
0.00
passw
ords
Does your password fit into this 1 = Yes, 0 =
includ
Place
category?
No
118
0.14
0.34
ed a
Does your password fit into this 1 = Yes, 0 =
numb
Other
category?
No
118
0.51
0.50
er.
The
choice to integrate a number is important, but just as important is the placement of that number and
whether or not the number relates to meaningful and informative information such as a phone number
or birth date.
Variable
Name
Std
Dev
Fifteen percent (15%) of the respondents self-reported the inclusion of “fan-based” words, which could
include names of athletes, singers, movie stars, and fictional characters or sports teams. “Place” was the
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
7
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
next highest category, with fourteen percent (14%), using another identifiable piece of information such
as the city where the employee works or lives.
The smallest of all of the self-identified password categories was “fantasy,” followed closely by the
categories of school and faith. Five percent (5%) of the employees selected the “cryptic” category,
suggesting that these employees are security-conscious since that category includes passwords that are
unintelligible or include a random string of letters, numbers, and symbols. Unfortunately, as noted
earlier, is it also the smallest of all of the eight self-reported categories.
A T-test was conducted to show see if there were significant differences between those that shared their
password versus those that did not share their password in relation to the categories established by
Petri and others. Those that used family as a part of their password were also more willing to share
their password (see Table 4). A significant difference was found between those who shared their
passwords in comparison to those who did not in relation to how often they changed their passwords.
Table 4: Employees Willing to Share or Not Share Passwords
Pass_Freq
Pass_Change
Reuse
Pass_Train
Awar_Train
Current_Train
Choose_Pass
Family
Cryptic
Number
Fan
Faith
School
Fantasy
Place
Other
Characters
Numbers
Special_Char
Shared Password
Did Not Share Password
Difference
N
86
85
86
84
83
85
85
86
86
86
86
86
86
86
86
86
86
86
86
N
32
32
32
31
30
30
32
32
32
32
32
32
32
32
32
32
30
31
32
Mean Dif
-0.33
-0.59
0.04
0.10
0.17
0.16
-0.15
0.30
-0.02
0.19
0.17
-0.04
-0.02
0.00
0.01
0.14
0.89
0.13
0.14
Mean
1.14
2.69
2.48
0.51
0.53
4.13
0.93
0.58
0.05
0.50
0.20
0.02
0.01
0.00
0.14
0.55
5.26
0.91
0.20
Std Dev
0.41
1.09
1.26
0.50
0.50
1.09
0.26
0.50
0.21
0.50
1.10
0.15
0.11
0.00
0.35
0.50
1.62
0.29
0.40
Mean
1.47
3.28
2.44
0.61
0.70
3.97
0.78
0.28
0.06
0.31
0.03
0.06
0.03
0.00
0.13
0.41
4.37
0.77
0.06
Std Dev
0.88
1.14
1.50
0.50
0.47
1.07
0.42
0.46
0.25
0.47
0.18
0.25
0.18
0.00
0.34
0.50
1.81
0.43
0.25
Sig.
0.01
0.01
0.89
0.34
0.11
0.48
0.02
0.00
0.73
0.07
0.40
0.30
0.47
NA
0.84
0.18
0.01
0.06
0.08
Several findings were significant. Sixty-three percent of those who included family as a part of their
passwords were willing to share it. Even more surprisingly, those individuals who included numbers in
their passwords were willing to share their passwords at a rate of 50%; this seems counter intuitive, as
one would assume that employees who have created stronger passwords by including numbers would
be less likely to share their passwords. As expected by most security experts, those who were more
security conscious with the inclusion of a special character were not as willing to share it.
DISCUSSION
This study reveals several interesting findings. As noted earlier, most employees used the same
passwords on multiple accounts, even though they frequently changed them. The actions of repeatedly
using the same password are contrary to suggested recommendations by most security experts,
because a hacker who gained access to one account could more easily access other systems. Requiring
individuals to maintain a new password for each system or application would obviously make systems
more secure but is in conflict with humans’ short-term human memory capabilities. Employees may
consider it necessary to include familiar names, places, and numbers in their passwords so that they can
easily recall them.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
8
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
Though most employees indicated that their employers offered password security training either very
often or often, it appears that either the types of training very not very effective or that the employees did
not take it very seriously. As noted in Table 4 and on the positive side of good password practices,
those employees offered password training were significantly more likely to NOT use a dictionary
word as their password and were more likely to have a password that was at least 6 characters in
length. On the negative side, however, those same employees were just as willing to share their
passwords even after receiving the training as those that had not received training, suggesting that
today’s training is deficient in some way.
Other interesting findings emerged in relation to sharing or not sharing passwords. Employees who
changed their password frequently were also more likely to share it. This action is contradictory in the
fact that employees on one hand appear to be very security conscious while changing their password
often and at the same time feeling secure enough to share it with others. Perhaps they were less
concerned about sharing it because they thought it would be changed soon and so they perceived less
risk.
In comparison, those individuals who were assigned passwords were less likely to share them,
which may be a question of remembrance, where they don’t share it because they don’t remember
it. Another possibility may be that if assigned a password, they considered it mores sensitive and not
to be shared. It may also be that those that are assigned passwords treat them with more respect due to
the care the organization gives in giving it to them.
Last, those respondents who had longer passwords were more likely to share them, giving credence to
the idea that, because most individuals do not retain information for more than 30 seconds, they
would not remember a long password even if told to them by another. Whether or not this is the case, it
is inconsistency that on one hand the employee has the awareness of good security practices to create a
long password, but on the other hand offers it freely to others.
CONCLUSION
Findings of the present study indicate that employees are willing to share personal information with
co-workers and friends of co-workers. Seventy-three percent (73%) of the employees shared
information that a social engineer could use to create a profile of an employee and gain access to the
employer’s network and other confidential patient information. It is imperative that employees
understand the consequences of sharing information, as well as the importance of creating and
maintaining strong passwords.
The simulation that was carried out during this study demonstrated that many employees may currently
be in violation of HIPAA and HITECH regulations due to their willingness to share their information
and their practice of creating weak passwords, thus allowing for easy access into a system.
Hospitals and other healthcare agencies must identify ways to educate employees regarding HIPAA and
HITECH regulations to protect patients and prevent penalties for sharing or misusing information.
REFERENCES
Andrews, L. W. (2004). Passwords reveal your personality. Retrieved March 13, 2007, from
http://cms.psychologytoday.com/articles/pto- 20020101-000006.html.
Brostoff, S., & Sasse, M. A. (2001). Safe and sound: A safety-critical approach to security. Position paper
presented at the New Security Paradigms Workshop 2001, Cloudcroft, New Mexico.
Burnett, M., & Kleiman, D. (2006). Perfect passwords. Selection, protection, authentication.Syngress.
CERT.
(2013).
Insider
threat
http://www.cert.org/insider_threat,
research.
Retrieved
December
1,
2013
from
Department of Defense. (1985). Password management guideline. Retrieved September 2004, from
http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
9
Medlin, Vannoy, Winston
Healthcare Workers: A Possible Insider Threat
Emory Health Care, Atlanta, Georgia, Retrieved from http://healthitsecurity.com/2013/07/23/healthcaredata-breaches-reviewing-the-ramifications/ on August 4, 2013.Georgetown University. (2009).
Information security. Retrieved November 12, 2013, from http://security.georgetown.edu/passwords.html.
Goldman, J., (2014). 30 Million Americans Affected by Medical Data Breaches Since 2009. Retrieved
February 19, 2014 from http://www.esecurityplanet.com/network-security/30-million- americansaffected-by-medical-data-breaches-since-2009.htm.
Gostin, L. O. (2000). Public health law: Power, duty, restraint. (pp. 132-134). Berkeley, CA:
University of California Press.
Gragg, D. (2007). A multi-level defense against social engineering. SANS. Retrieved July 1, 2009, from
http://www.sans.org/reading_room/whitepapers/engineering/920.php.
Howard
University
Hospital,
Washington,
D.C.
Retrieved
July
http://www.healthcarefinancenews.com/news/top-10-data-security-breaches-2012.
21,
2013
from
ID Analytics. (2007). Data breach harm analysis from ID Analytics uncovers new patterns of misuse
arising
from
breaches
of
identity
data.
Retrieved
November
12,
2013,
from
http://www.idanalytics.com/news_and_events/20071107.html.
Intelegen, Inc. (2008). Human memory. Retrieved December 1, 2009 from http://brain.webus.com/memory/human_memory.htm.
Kanaley, R. (2001). Login error trouble keeping track of all your sign-ons? Here’s a place to keep your
electronic keys, but you better remember the password. San Jose Mercury News, 3G
Medical Data Breaches. A Source of Chronic Pain. Retrieved August 15, 2013 from
http://www.experian.com/blogs/data-breach/2013/05/01/medical-data-breaches-a-source-of-chronicpain.
Nixon
Peabody.
(2009).
Health
law
alert.
Retrieved
http://www.nixonpeabody.com/publications_detail3.asp?ID=2621.
November
15,
2009
from
Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing, 4th ed. Prentice Hall.
Pond, R., Podd, J., Bunnell, J., & Henderson, R. (2000). Word association computer passwords: The effect
of formulation techniques on recall and guessing rates. Computers & Security, 19, 645-656.
South Carolina Department of Health and Human Services, Columbia South Carolina. Retrieved
August
5,
2013
from
http://healthitsecurity.com/2013/07/23/healthcare-data-breaches-reviewing-theramifications/ on.
Simpson, R. L. (2002). Chicago. Nursing Management, 33(12), 46-48.
Stanford
Hospital,
Palo
Alto,
California.
Retrieved
August
3,
http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all&_r=0 on.
2013
from
Thompson, S.T. (2006). Helping the Hacker? Library Information, Security, and Social Engineering.
Information Technology and Libraries, 25(4), 222-226.
st
Thornburgh, T. (2004). Social engineering: The dark art. Proceedings of the 1 Annual Conference on
Information Security Curriculum Development, Kennesaw State University, Kennesaw, GA, September
2004.
US Department of Health and Human Services. (2009). Protecting the privacy of patients' health
information. Retrieved December 12, 2013 from http://www.hhs.gov/news/facts/privacy.html.
Utah Department of Health, Salt Lake City, Utah, Retrieved from
Utimaco. (2009). Health IT data breaches: No harm, no foul. Retrieved November 12, 2013 from
http://compliance.utimaco.com/na/tag/hitech-act.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 10
