The following HTML text is provided to enhance online
readability. Many aspects of typography translate only awkwardly to HTML.
Please use the page image
as the authoritative form to ensure accuracy.
TABLE 3.1 Likely Combinations of Access Privileges in a Health Care Setting
Level of Access
Site and system
Worker in the billing department who has access to information systems but not to clinical information
Data and system
Vendor or consultant with remote access privileges
Site, system, and data
Care provider such as doctor or nurse
Technical Capability. The technical capability of an attacker is, in general, independent of the characteristics of access outlined above: an authorized user may be highly capable, and an unauthorized user may be computer illiterate. The technical capabilities of potential attackers can be characterized by three broad categories: aspiring attackers, script runners, and accomplished attackers.
Aspiring attackers are individuals with little or no computer expertise, but with ambitions and desires to learn more. They learn about attacks from popular literature, much of it published by organizations that cater to the survivalist and antiestablishment trade. The techniques they use are relatively unsophisticated and include the following:
Researching the target site by reading open literature and scouting the location;
Masquerading as an employee or other authorized individual to gain information or access;
Guessing passwords, locating passwords written on calendars or elsewhere, or watching users enter their passwords;
Searching trash bins for information on security practices and mechanisms; and
Gaining entry to the desired location by gaining employment as a temporary employee, dressing as a custodial or professional staff member, or using some other method.
Script runners are an Internet phenomenon. These are individuals who obtain standard, scripted attacks and run them against information systems to which they desire entry. They generally have little or no