"3 Privacy and Security Concerns Regarding Electronic Health Information." For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press, 1997.
TABLE 3.1 Likely Combinations of Access Privileges in a Health Care Setting

| Level of Access | Example |
| --- | --- |
| None | Outside attacker |
| Site only | Maintenance worker |
| Site and system | Worker in the billing department who has access to information systems but not to clinical information |
| Data and system | Vendor or consultant with remote access privileges |
| Site, system, and data | Care provider such as doctor or nurse |
Technical Capability. The technical capability of an attacker is, in general, independent of the characteristics of access outlined above: an authorized user may be highly capable, and an unauthorized user may be computer illiterate. The technical capabilities of potential attackers can be characterized by three broad categories: aspiring attackers, script runners, and accomplished attackers.
Aspiring attackers are individuals with little or no computer expertise, but with ambitions and desires to learn more. They learn about attacks from popular literature, much of it published by organizations that cater to the survivalist and antiestablishment trade. The techniques they use are relatively unsophisticated and include the following:
- Researching the target site by reading open literature and scouting the location;
- Masquerading as an employee or other authorized individual to gain information or access;
- Guessing passwords, locating passwords written on calendars or elsewhere, or watching users enter their passwords;
- Searching trash bins for information on security practices and mechanisms; and
- Gaining entry to the desired location by gaining employment as a temporary employee, dressing as a custodial or professional staff member, or using some other method.
Script runners are an Internet phenomenon. These are individuals who obtain standard, scripted attacks and run them against information systems to which they desire entry. They generally have little or no