TABLE 3.1 Likely Combinations of Access Privileges in a Health Care Setting

Level of Access

Example

None

Outside attacker

Site only

Maintenance worker

Site and system

Worker in the billing department who has access to information systems but not to clinical information

Data and system

Vendor or consultant with remote access privileges

Site, system, and data

Care provider such as doctor or nurse

Technical Capability. The technical capability of an attacker is, in general, independent of the characteristics of access outlined above: an authorized user may be highly capable, and an unauthorized user may be computer illiterate. The technical capabilities of potential attackers can be characterized by three broad categories: aspiring attackers, script runners, and accomplished attackers.

Aspiring attackers are individuals with little or no computer expertise, but with ambitions and desires to learn more. They learn about attacks from popular literature, much of it published by organizations that cater to the survivalist and antiestablishment trade. The techniques they use are relatively unsophisticated and include the following:

  • Researching the target site by reading open literature and scouting the location;
  • Masquerading as an employee or other authorized individual to gain information or access;
  • Guessing passwords, locating passwords written on calendars or elsewhere, or watching users enter their passwords;
  • Searching trash bins for information on security practices and mechanisms; and
  • Gaining entry to the desired location by gaining employment as a temporary employee, dressing as a custodial or professional staff member, or using some other method.

Script runners are an Internet phenomenon. These are individuals who obtain standard, scripted attacks and run them against information systems to which they desire entry. They generally have little or no



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement