agents consist of authorized system users who abuse their privileges by accessing information for inappropriate reasons or uses, whether to view records of friends, neighbors, or coworkers or to leak information to the press. External agents consist of outsiders who are not authorized to use an information system or access its data, but who nevertheless attempt to access or manipulate data or to render the system inoperable. Health care organizations have long attempted to counter internal agents in their efforts to protect paper health records. They have less experience in protecting health information from technical attacks by outsiders because until recently, few health care organizations were connected to publicly accessible networks.

Scale of the Threat to Health Information Held by Individual Organizations

As yet, little evidence exists with which to gauge the vulnerability of electronic health information to outside attacks. The sites visited as part of this study reported no cases in which damaging intrusions by someone outside the site were detected,1 and no mechanisms exist in the health care industry for reporting incidents. Nevertheless, computer break-ins are known to have occurred in the health care industry. In one case, the so-called "414" group broke into a machine at the National Cancer Institute in 1982,2 although no damage was detected as a result of the intrusion.

Concerns over technical attacks by outsiders are rising in a number of other industry sectors and government. Commenting on a recent study by the Federal Bureau of Investigation and the Computer Security Institute (CSI), CSI Director Patrice Rapalus said, "The information age has already arrived, but most organizations are woefully unprepared . . . [making] it easier for perpetrators to steal, spy, or sabotage without being noticed and with little culpability if they are."3 As a result of sampling 400 sites, the study further stated that 42 percent of the sites had experienced an intrusion or unauthorized use over the past year, 20 percent of the respondents did not know if their sites had been invaded, only 17


One of the sites visited had detected the unauthorized use proprietary software by a summer student on an internal network, but no actual damage was detected. A few sites with protected connections to the Internet detected some inconsequential snooping at their points of entry, but did not consider intrusion by outsiders a significant problem .


Marbach, William D. 1983. "Beware: Hackers at Play," Newsweek, September 5, p. 4246.


Power, Richard. 1996. "1996 CSI/FBI Computer Crime and Security Survey," Computer Security Issues & Trends, Vol. II, No. 2., Spring, p. 2.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement