
Introduction to Medical Security in 170 minutes

Fall 2011

Summary

• We present the general concepts of information security:
  – what security means
  – how security is a process that must be managed
  – how to protect information and assets
• We then consider security within the medical environment, and
• conclude with a pair of practical medical security scenarios.

So What is Security?

• Responsible for protecting customers:
  – Ensure confidentiality and integrity of customer information.
  – Maintain customer-contracted service availability.
  – Enforce customer access to only authorized features.
  – Ensure error-free and non-malicious interaction between customers and the system.
• Responsible for protecting the system itself:
  – Maintain the confidentiality and integrity of system information.
  – Enforce operations access to only those system attributes that are authorized.
  – Provide error-free and non-malicious interaction between operations and the system.

What do the words "trust" and "privacy" mean?

Trust:
– We routinely establish a qualitative measure of trust with those we associate or interact with, regarding honesty, reliability, and so on.
– Unfortunately we have yet to identify a quantitative measure of confidence.
– The best achievable is some measure of assurance that a person or thing cannot abuse the degree of "trust" we have that they will act as expected.

Privacy:
– Privacy is the ability to control who has access to information about you, such as location, credit card numbers, medical condition, DNA.

Where do we start with measuring assurance?

• It begins with understanding what needs protection. We need to inventory:
  – Objects (a.k.a. assets: tangible / intangible property)
  – Subjects (a.k.a. actors, users)
• We also need to identify what/how each subject (class) is allowed to interact with which objects.
• These Subject – Object – Allowed Access relationships represent the level of "trust" we grant to subjects.
• For organizations, these relationships are referred to as policy statements.

Security Governance - ISO 27001

• Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks

• Specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

• Designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

• Covers all types of organizations (e.g. commercial enterprises, government agencies, not-for profit organizations).


The Role of Policy – ISO 27002

• Developed hierarchically and decomposed into fine-grained security requirements
• Identifies what assets an organization considers of value
• Captures asset value and sensitivity (e.g. public, proprietary, restricted, copyrighted, attorney-client privileged)
• Identifies organizational subgroups and "need-to-know" by group
• Specifies the form of authorization required to access an asset
• Drives security model considerations

Integrity Policy Principles of Operation

• Separation of duty – If two or more steps are required to perform a critical function, then at least two different people should perform the steps.
• Separation of function – Developers do not develop new programs on production systems; developers do not process production data on development systems.
• Auditing – Logging must be in place to enable one to determine what actions took place, when, and by whom.

Security Models

• A security model will:
  – Describe the entities governed by the policy
  – Define the rules that instantiate the policy
• Security models capture policies for confidentiality and for integrity:
  – They can apply to static policies and where dynamic changes of access rights are required
  – Some are formal and others are informal

(Figure: Threat Model → Security Policy / Security Model → Security Mechanisms)

Security Models—Classification

• Multilevel Security (MLS) or Mandatory Access Control (MAC): concerned with control of vertical information flow
  – Bell-LaPadula (BLP)—classic confidentiality
  – HRU (Harrison-Ruzzo-Ullman)—deals with the creation/deletion of subjects and objects and the rights on them, on which BLP is silent
  – Biba—BLP upside down: deals with integrity, ignores confidentiality
• Multilateral or Compartmented Security: concerned with control of horizontal information flow
  – Chinese Wall model: prevents conflicts of interest in professional practice
  – Clark-Wilson: banking, aimed at integrity rather than confidentiality
  – BMA (British Medical Association): information flow permitted by medical ethics

(Figure: multilevel—TOP SECRET / SECRET / CONFIDENTIAL / OPEN stacked vertically; multilateral—compartments A, B, C, D, E side by side above shared data)
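The three families on this slide each reduce to a few lines of reference-monitor logic. The following is an added example, not code from the lecture: the levels are those drawn on the slide, the subjects and companies are constructed, and the Chinese Wall part follows the Brewer-Nash rule (a subject who has touched one company's data is walled off from that company's competitors in the same conflict-of-interest class).

```python
"""Added example, not from the lecture: reference-monitor checks for the three
model families on the slide. Labels, subjects and companies are constructed."""
from dataclasses import dataclass, field

# The multilevel lattice drawn on the slide, lowest to highest.
LEVELS = {"OPEN": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o        # simple security property
    if op == "write":
        return s <= o        # *-property: cannot leak downwards
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity): BLP upside down, no read down, no write up."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o        # simple integrity: do not trust lower-integrity data
    if op == "write":
        return s >= o        # integrity *-property: do not contaminate higher data
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class ChineseWall:
    """Brewer-Nash: once a subject has touched one company's data, the other
    companies in the same conflict-of-interest class are walled off."""
    conflict_class: dict                         # company -> class name
    history: dict = field(default_factory=dict)  # subject -> companies touched

    def allows(self, subject: str, company: str) -> bool:
        touched = self.history.setdefault(subject, set())
        cls = self.conflict_class[company]
        for prior in touched:
            if prior != company and self.conflict_class[prior] == cls:
                return False                     # a competitor was already seen
        touched.add(company)                     # a permitted access is remembered
        return True


if __name__ == "__main__":
    print("SECRET reads CONFIDENTIAL (BLP):", blp_allows("SECRET", "CONFIDENTIAL", "read"))
    print("SECRET reads CONFIDENTIAL (Biba):", biba_allows("SECRET", "CONFIDENTIAL", "read"))
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilCo": "oil"})
    print("alice -> BankA:", wall.allows("alice", "BankA"))
    print("alice -> BankB:", wall.allows("alice", "BankB"))
```

Note that the Chinese Wall check is stateful: the same request can be allowed for one subject and denied for another purely because of what each has read before, which is why it is classed as multilateral rather than multilevel.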

Vulnerabilities

There are now thousands of known vulnerabilities [1].

New vulnerabilities are discovered every week, and exposures are published for anyone to review.

Automated attack information and scripts are available to anyone almost immediately.

Most of these vulnerabilities fall into the following categories:

Operating system vulnerabilities – Introduced from within an operating system design or implementation.

Protocol-specific vulnerabilities – Characteristic of a protocol, and often the most intractable, since modifying the protocol may cause loss of interoperability.

Configuration vulnerabilities – Come from a variety of sources, such as: hackers may introduce configuration changes that weaken security (e.g. a login with a null password); administrators may unwittingly change the configuration to a less secure state (e.g. leaving tftp enabled); users may introduce changes to facilitate tedious tasks (e.g. configuring a .netrc file with hostname, login and password for access to another host).

Application-specific vulnerabilities – Like operating system vulnerabilities, these are difficult to address, since the vendor is typically the only one in a position to fix the security weakness.

[1] Internet Security Systems (http://www.iss.net).
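The three configuration weaknesses named above are easy to check for mechanically. The following is an added example, not from the lecture: it runs the checks over constructed sample contents standing in for /etc/shadow, /etc/inetd.conf and a user's ~/.netrc, so it runs offline; point the functions at the real files to audit a host.

```python
"""Added example, not from the lecture: detect the three configuration
weaknesses the slide names. The file contents below are constructed samples."""

# Constructed sample of /etc/shadow: 'guest' has an empty password field,
# 'svc' is locked ('!'), 'root' has a real hash.
SAMPLE_SHADOW = """root:$6$abc$xyz:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# Constructed sample of /etc/inetd.conf: tftp is commented out once and then
# enabled again below it.
SAMPLE_INETD = """ftp   stream tcp nowait root /usr/sbin/tcpd in.ftpd
#tftp dgram  udp wait   root /usr/sbin/tcpd in.tftpd -s /srv/tftp
tftp  dgram  udp wait   root /usr/sbin/tcpd in.tftpd -s /srv/tftp
"""

# Constructed sample of ~/.netrc in both its one-line and multi-line layouts.
SAMPLE_NETRC = """machine hisdb.example.org login rnurse password s3cret
machine backup.example.org login ops
machine archive.example.org
  login rnurse
  password Winter2011
"""

RISKY_INETD_SERVICES = ("tftp", "rsh", "rlogin", "rexec")


def null_password_accounts(shadow_text: str) -> list:
    """Accounts whose password field is empty: login without any password."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            found.append(fields[0])
    return found


def enabled_inetd_services(inetd_text: str, risky=RISKY_INETD_SERVICES) -> list:
    """Uncommented inetd entries for services that carry no authentication."""
    found = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in risky:
            found.append(service)
    return found


def netrc_hosts_with_passwords(netrc_text: str) -> list:
    """Hosts for which .netrc stores a clear-text password (token-based parse,
    so the multi-line layout is handled as well as the one-line layout)."""
    hosts, current, tokens = [], None, netrc_text.split()
    i = 0
    while i < len(tokens):
        if tokens[i] == "machine" and i + 1 < len(tokens):
            current, i = tokens[i + 1], i + 2
        elif tokens[i] == "default":
            current, i = "default", i + 1
        elif tokens[i] == "password" and current and current not in hosts:
            hosts.append(current)
            i += 2                      # skip the password value itself
        else:
            i += 1
    return hosts


def audit(shadow=SAMPLE_SHADOW, inetd=SAMPLE_INETD, netrc=SAMPLE_NETRC) -> dict:
    """Run all three checks; pass real file contents to audit a host."""
    return {
        "null_password_accounts": null_password_accounts(shadow),
        "risky_inetd_services": enabled_inetd_services(inetd),
        "netrc_hosts_with_passwords": netrc_hosts_with_passwords(netrc),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```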

Security Threats vs. Attacks

• A threat is a potential violation of security; thus one is dealing with probabilities.
• An attack is any action that violates security:
  – Active adversary (malicious intent)
  – Inadvertent error (non-malicious intent)
  – Passive adversary (malicious intent)

Security Threat Agents and Attacks

• Who are the adversaries?
  – Modern systems design is based on commercial technology and open standards.
  – Today's technology is for sale to all potential customers from a large number of sources.
  – Since the end of the Cold War it has been an article of faith to declare that the United States no longer faces a technologically sophisticated adversary.
  – This implies that none of our potential adversaries possess the scientific and engineering establishment of the former Soviet Union.

Adversary               Expertise        Access           Backing          Risk Tolerance
Insider
  3rd Party Technician  High             High             Medium to High   High
  Employee              Medium to High   High             Low              Low
  Visitor               Medium to High   High             Low to Medium    Low
Outsider
  Intelligence Agent    Medium to High   Medium           Medium to High   High
  Cyber Criminal        Medium to High   Low to Medium    Medium to High   Low to Medium
  Hacker                Medium           Low to Medium    Low              Low
  Terrorist             Low to Medium    Low              Medium to High   High

Prime Security Objectives

Availability: All legitimate entities should experience correct access to services and facilities.

Accountability: Accountability for all service invocations and for all network management activities; any entity should be responsible for any actions it initiates.

Integrity: Protection of stored and transferred information against unauthorized modification.

Confidentiality: Confidentiality of stored and transferred information.

Security Attacks – In the Abstract

• Interruption: an attack on availability
• Interception: an attack on confidentiality
• Modification: an attack on integrity
• Fabrication: an attack on authenticity

Impact of Attacks

• Theft of confidential information
• Unauthorized use of
  – network bandwidth
  – computing resources
• Spread of false information
• Disruption of legitimate services

All attacks can be related, and all are dangerous!

Risk Analysis

Risk Analysis (a.k.a. Threat Vulnerability Analysis, TVA) =

1. Identify the asset and its value (physical and logical, such as equipment, data, services, reputation, ...)
2. Identify the vulnerability of the asset = type of asset exposure (degree of exposure), duration of asset exposure
3. Identify the threat to the asset = type of threat agent, method of attack by the threat agent, probability of the attack occurring, probability of attack success, degree of damage to the targeted asset as a percentage of asset value

= probability of damage to an asset over a specified timeframe. This can be restated as:

– Asset Ax has a value of $x, exposure degree EDx, and exposure timeframe ETx
– Threat Tz is composed of threat agent TAz and an attack Az, which has a probability of occurrence AOz and a probability of success ASz, resulting in a percentage of damage ADz

= Tz(Ax) = magnitude of damage in $ over the timeframe

Security Services

Service                                          Applies to Communications   Applies to Computers
1     Authentication
1.1   Peer entity authentication                 Yes
1.2   Data origin authentication                 Yes
1.3   User authentication                        Yes                         Yes
1.4   Process authentication                                                 Yes
2     Authorization – Access control
2.1   Communications access controls             Yes
2.2   Computing system access controls                                       Yes
3     Data confidentiality
3.1   Connection confidentiality                 Yes
3.2   Connectionless confidentiality             Yes
3.3   Selective field confidentiality            Yes                         Yes
3.4   Traffic flow confidentiality               Yes
4     Integrity
4.1   Information integrity                                                  Yes
4.1.1 Separation of duty                                                     Yes
4.1.2 Well-formed transactions                                               Yes
4.1.3 Logging                                    Yes                         Yes
4.2   Data integrity
4.2.1 Connection integrity with recovery         Yes
4.2.2 Connection integrity without recovery      Yes
4.2.3 Selective field connection integrity       Yes
4.2.4 Connectionless integrity                   Yes
4.2.5 Selective field connectionless integrity   Yes                         Yes
5     Non-repudiation
5.1   Non-repudiation with proof of origin       Yes                         Yes
5.2   Non-repudiation with proof of delivery     Yes                         Yes
5.3   Non-repudiation of actions                 Yes                         Yes

User Authentication

• An operating system bases much of its protection on knowing who a user of the system is.
• Authentication mechanisms fall into the following categories:
  – What the user knows: passwords, PINs, etc.
  – What the user has: tokens, smart cards, etc.
  – What the user is: biometrics, based on a physical characteristic of the user (fingerprint, voice, face)
• Use of passwords:
  – The most common authentication mechanism
  – Assumed to be known only to the user and the system
  – How systems should behave during validation:
    • Someone enters a (guessed) username: do not respond with the message "UNKNOWN user"
    • Ask for both username and password, and respond with FAILURE if there is no match
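The last two bullets describe a login that does not tell an attacker which usernames exist. The following is an added example, not code from the lecture: it shows the recommended behaviour next to the leaky one, with a constructed one-user credential store, salted PBKDF2 password hashes and a constant-time compare, and it does the same amount of hashing work whether or not the username exists so that timing does not leak what the message no longer does.

```python
"""Added example, not from the lecture: a login check that answers FAILURE the
same way whether the username is unknown or the password is wrong. The user
store below is constructed sample data."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; tune to the hardware


def make_record(password: str) -> dict:
    """Salted, iterated hash so a stolen store does not reveal passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed credential store; a real system loads this from its user database.
USERS = {"rnurse": make_record("correct horse battery staple")}

# Dummy record checked when the username does not exist, so an unknown user
# costs the same time as a wrong password for a known one.
DUMMY = make_record(os.urandom(16).hex())


def credentials_valid(username: str, password: str) -> bool:
    record = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    match = hmac.compare_digest(candidate, record["hash"])   # constant time
    return match and username in USERS


def login_response(username: str, password: str) -> str:
    """What the slide recommends: one message for every kind of failure."""
    return "SUCCESS" if credentials_valid(username, password) else "FAILURE"


def leaky_login_response(username: str, password: str) -> str:
    """What the slide warns against: confirms which usernames exist."""
    if username not in USERS:
        return "UNKNOWN user"
    return "SUCCESS" if credentials_valid(username, password) else "WRONG password"


if __name__ == "__main__":
    for user, pw in (("rnurse", "correct horse battery staple"),
                     ("rnurse", "guess"), ("nobody", "guess")):
        print(f"{user:8} -> {login_response(user, pw):8} | leaky: {leaky_login_response(user, pw)}")
```

The leaky variant lets an attacker enumerate valid accounts before ever guessing a password; the uniform variant gives the same answer, in the same time, for both failure cases.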

Authenticating People vs. Machines

Authentication is based on: something possessed, something known, or a personal attribute.

People:
– Can (sometimes) remember a password; a password should be mnemonic and relatively easy to remember. Writing it down is less secure.
– Subject attributes (biometrics): fingerprints, signatures, iris, retina, hand geometry, voice, face, etc.

Machines:
– Can store a high-quality secret, e.g. a long random-looking number.
– Can perform long and/or complex cryptographic computations.

Cryptographic Functions and Their Uses

Functions:
1. Public key: two keys – a public key e and a private key d (always kept secret)
2. Secret key: one key – a shared secret key S
3. Hashes: no key, or a shared secret key S (keyed hash); still has useful security uses!

Uses:
– Confidentiality while transmitting over insecure channels (untrusted connections)
– Confidential storage on insecure media
– Authentication: validate that the asserted identity of a subject can reasonably be linked to the subject (in personal terms, prove you are who you claim to be); peer-entity (both human-to-system and inter-system) and information (data) origin
– Information integrity verification: prove a message has not been altered
– Non-repudiation (sender, receipt, timestamp, notary)

Keyed Hash for Authentication

• Also called a keyed message digest, digital fingerprint, or digital authenticator (today usually: message authentication code, MAC)
• An authentication mechanism that works as follows: digest algorithm: (data block = bit sequence of arbitrary length) + secret key → bit sequence of fixed length
• Properties:
  – If one or several bits of the data change, the message digest changes too
  – A forger in possession of a given message cannot construct a fake message with the same message digest WITHOUT the shared secret key
  – Only provides data origin authentication and integrity detection (not confidentiality, and not non-repudiation, since both parties hold the same key)
• Algorithms:
  – MD5 (RFC 1321): hash function X → 128-bit sequence (processed in blocks of 512 bits)
  – SHA-1: hash function X → 160-bit sequence (processed in blocks of 512 bits)
  – SHA-256 and SHA-512 (the SHA-2 family) are now being adopted
  – Caveat: MD5 and SHA-1 have known collision attacks and should not be used in new designs; build the keyed digest with HMAC (RFC 2104) over SHA-256 rather than by hashing the key concatenated with the message.

MAC & Symmetric Encryption

(Figure: Message authentication via MAC and secret key. Alice computes an MD5 or SHA-1 keyed digest (128 or 160 bits) over the clear-text message with the shared secret key and sends the message plus digest; Bob recomputes the keyed digest over the received message with the same key and compares. Equal means no modification in transit and sent by Alice; not equal means modification in transit or not sent by Alice.)

(Figure: Message authentication via symmetric encryption and secret key. Alice encrypts clear text M with the shared secret key using the symmetric encryption algorithm to obtain cipher text C; Bob decrypts C with the same shared secret key to recover M.)
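The first figure, run end to end, as an added example that is not part of the lecture: the keyed digest is HMAC-SHA256 rather than a bare MD5 or SHA-1 digest, and the key and messages are constructed. It produces the three outcomes the figure labels: genuine, modified in transit, and not sent by Alice.

```python
"""Added example, not from the lecture: the keyed-digest exchange of the first
figure with HMAC-SHA256. Key and messages are constructed sample data."""
import hashlib
import hmac
import secrets


def keyed_digest(key: bytes, message: bytes) -> bytes:
    """Alice's side: digest over the message under the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_digest: bytes) -> bool:
    """Bob's side: recompute and compare in constant time."""
    return hmac.compare_digest(keyed_digest(key, message), received_digest)


def exchange() -> dict:
    """Run the three outcomes the figure labels."""
    shared_key = secrets.token_bytes(32)          # agreed out of band
    message = b"patient 4711: discharge approved"
    digest = keyed_digest(shared_key, message)    # Alice sends (message, digest)

    tampered = message.replace(b"approved", b"denied")      # changed in transit
    forged_digest = keyed_digest(b"attacker guess", message)  # forger lacks the key

    return {
        "genuine": verify(shared_key, message, digest),
        "modified_in_transit": verify(shared_key, tampered, digest),
        "not_sent_by_alice": verify(shared_key, message, forged_digest),
    }


if __name__ == "__main__":
    for outcome, accepted in exchange().items():
        print(f"{outcome:20} accepted={accepted}")
```

Two caveats the figures do not show. HMAC runs the hash twice with the key mixed in each time; a digest computed as hash(key || message) over an MD5/SHA-1/SHA-256 style hash lets an attacker append data and produce a valid digest without the key (length extension). And the second figure, encryption alone, gives no integrity: a bit flipped in the cipher text of a stream or counter mode decrypts to a bit flipped in the clear text without any error, so encryption is combined with a MAC (encrypt-then-MAC) or an authenticated mode.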

Asymmetric Encryption

(Figure: Encrypting with Alice's private key. Alice encrypts clear-text message M with her private key using the asymmetric encryption algorithm to produce cipher-text message C; Bob and Jerry each decrypt C with Alice's public key and recover M. Anyone holding the public key can read it, so this provides origin authentication, not confidentiality.)

(Figure: Encrypting with Alice's public key. A sender encrypts M with Alice's public key to produce C; only Alice, holding the private key, can decrypt C back to M. This provides confidentiality.)
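What the two figures buy can be shown with textbook RSA. The following is an added example, not code from the lecture: the key is built from two well-known small primes, there is no padding, and the modulus is about 60 bits, so it is a demonstration of the two directions only; a deployment uses a vetted library with RSA-PSS for signatures and RSA-OAEP for encryption at 2048 bits or more.

```python
"""Added example, not from the lecture: textbook RSA with two small fixed
primes, showing "encrypting with Alice's private key" (origin authentication)
versus "encrypting with Alice's public key" (confidentiality). Toy only."""
import hashlib

# Constructed demo key: two well-known primes and the usual public exponent.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse (Python 3.8+)
ALICE_PUBLIC = (E, N)                  # handed to Bob and Jerry
ALICE_PRIVATE = (D, N)                 # stays with Alice


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the group (a real scheme pads)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def encrypt_with_public(m: int, public=ALICE_PUBLIC) -> int:
    """Anyone can do this; only the private-key holder can undo it."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_with_private(c: int, private=ALICE_PRIVATE) -> int:
    d, n = private
    return pow(c, d, n)


def sign_with_private(message: bytes, private=ALICE_PRIVATE) -> int:
    """'Encrypting' a digest with Alice's private key: only Alice can produce it."""
    d, n = private
    return pow(_digest(message, n), d, n)


def verify_with_public(message: bytes, signature: int, public=ALICE_PUBLIC) -> bool:
    """Bob or Jerry 'decrypt' with Alice's public key and compare with the digest."""
    e, n = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    note = b"X-ray 17 reviewed, no change"
    sig = sign_with_private(note)
    print("Bob verifies Alice's signature:", verify_with_public(note, sig))
    print("Jerry verifies an altered note:", verify_with_public(note + b"!", sig))
    c = encrypt_with_public(123456789)
    print("only Alice recovers the plaintext:", decrypt_with_private(c))
```

The same keypair serves both figures because RSA's private and public operations are inverses; the direction chosen decides which property you get, not the strength.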

Key Management

• Spans key generation, storage, possibly escrow, distribution, revocation, destruction, and archiving
• Problem: how do we establish and distribute keys when a new node is added?
  – Naive, brute-force approach: generate n new keys, one for each of the other nodes of the network, and securely distribute each key to its node. This is obviously not workable for a large number of nodes (every pair of nodes needs its own key, n(n−1)/2 keys in all).
• Primary approaches are:
  – Key Distribution Center (KDC)
  – Public Key Infrastructures (PKI)
  – Diffie-Hellman key negotiation protocol

(Figure: nodes A, B, C, D, E of a network, each pair needing a shared key)
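The third approach, Diffie-Hellman, lets two nodes that share no prior secret agree on one over an open channel. The following is an added example, not code from the lecture: a safe prime is generated at run time at a toy 64-bit size so the script runs stand-alone, and g = 2 as in the RFC 3526 groups. A deployment uses the standardised 2048-bit or larger groups of RFC 3526 / RFC 7919 and authenticates the exchange with a PKI or a KDC, since bare Diffie-Hellman is open to a man-in-the-middle who runs one exchange with each side.

```python
"""Added example, not from the lecture: Diffie-Hellman key agreement between
two nodes over a toy-sized safe-prime group generated at run time."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime: the only subgroups have order 1, 2, q or 2q,
    so a peer cannot push the shared secret into a small subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Node:
    def __init__(self, p: int, g: int = 2):
        self.p, self.g = p, g
        self.private = 2 + secrets.randbelow(p - 3)      # never leaves the node
        self.public = pow(g, self.private, p)             # sent in the clear

    def shared_key(self, peer_public: int) -> bytes:
        if not 1 < peer_public < self.p - 1:              # reject 0, 1 and p-1
            raise ValueError("degenerate peer public value")
        z = pow(peer_public, self.private, self.p)
        # Derive a fixed-size key from the shared group element.
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(z.to_bytes(width, "big")).digest()


def agree(bits: int = 64) -> tuple:
    """Both nodes end with the same key although only p, g and the two public
    values crossed the wire."""
    p = safe_prime(bits)
    a, b = Node(p), Node(p)
    return a.shared_key(b.public), b.shared_key(a.public)


if __name__ == "__main__":
    key_a, key_b = agree()
    print("keys match:", key_a == key_b, key_a.hex()[:16], "...")
```

Adding a node costs one exchange per peer rather than a pre-distributed secret per pair, which is the problem stated on the slide; what it does not solve by itself is knowing that the public value you received came from the node you think it did.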

Common Security Mechanisms

• IEEE 802.1X
• IP Security (IPsec)
• Packet filtering (firewalls)
• Application gateways
• Deep packet inspection (IDS/IPS)
• Transport layer security (TLS, SSL, DTLS, SSH)
• Email security (PGP, S/MIME)
• XML security (XML Signature, XML Encryption)

• Whenever security mechanisms are used, one cannot ignore the management of these mechanisms.

"These are issues that students can explore in more detail for their thesis work."

Security Management

• Security event / fault / attack management – event collection (IDS, traps, etc.), reconciliation/consolidation, alarm generation, attack identification, attack mitigation
• Security configuration management – packet filtering rules, cryptographic policies and parameters, security patches, access control rules, login accounts, etc.
• Login access management – login authorization for administrative, craft, peer-carrier, law enforcement, vendor, and customer (enterprise, wholesale, retail) users
• Authentication credentials management – passwords, SecurID tokens, RADIUS, symmetric/asymmetric cryptographic key material
• Verification & validation management – auditing, vulnerability analyses, intrusion detection

10 minute break, please be prompt.

Healthcare—Security Examples

This health care security discussion follows the presentation in Ross Anderson (2008), "Security Engineering", 2nd ed. (Computer Lab, U Cambridge, UK, http://www.cl.cam.ac.uk/~rja14/)

• Privacy of patient records in hospital systems
• Protection of patient identity in research studies
• Security of web-based applications
• New safety risks in new technologies

Hospitals: Privacy of Patient Record Systems

• Who should have access to patient data, and for how long?
  – Obviously not all staff
  – Devise and implement rules such as "nurses in a department can see the record of any patient treated by the department in the last year"
• Difficulties for traditional security systems:
  – Changing security roles, e.g. nurses change department. Traditional security systems use role-based models but prefer static roles.
  – Cross dependencies: if the personnel system is used to drive access (e.g. the nurse's file in the personnel system includes access privileges), the personnel system becomes critical for safety, for privacy, or for both. Traditional security systems strive to define separate domains/levels with limited cross dependencies.

Research: Protection of Patient Identity

• How do we anonymize / de-identify data reliably?
• Difficult, because removing names (or encrypting them) does not prevent identity from being revealed through queries such as "Show all records of males between 25 and 35 years treated for a tear of the anterior cruciate ligament (ACL) in 2003". (An ACL tear is the most serious basketball injury, requiring surgery, 9–12 months of rehabilitation, and potentially lasting limitations on running and jumping.)
• Protection techniques are known as inference control.

Web-Based Applications: Safety & Security

• New assurance problems:
  – Reference books (e.g. drug directories) move online: we need assurance that life-critical data (e.g. dosage per body weight) are correct as published by the relevant authority, not mangled in transport, in storage, by interference, etc. Data integrity becomes a safety issue.
  – Doctors process patient records from home / laptops / PDAs: they need suitable authentication and encryption tools.

New Technologies: New Risks

• New risks are not well understood, e.g. online radiology systems: X-rays go directly from the machine to a server in a distant town (not, as previously, in an envelope to the operating theatre). A network failure can stop the surgery just as a power failure can.
• Difference: typically there are clear procedures for dealing with outages of power, telephone, etc., but how to deal with a server crash or network disruption is rarely well documented.

Medical Information Systems & Security

• A younger field than defense and banking
• Healthcare spending in developed countries is a much larger percentage of GDP than military spending. For the US in 2009, healthcare spending (including private) was $2,142 B or 17.6% of GDP (https://www.cms.gov/NationalHealthExpendData/25_NHE_Fact_sheet.asp, HHS/CMS website) vs. $640 B or 4.7% for defense (http://data.worldbank.org/indicator/MS.MIL.XPND.GD.ZS).
• A 2006 study by the Department of Health and Human Services (DHHS): investments in IT will be recouped in 3–13 years and will make services safer and more efficient.
• 2012 US budget: health 22.62%, defense 19.27% (http://www.whitehouse.gov/omb/budget).

The Controversy of Medical Data Privacy

• 1995: Mark Farley, a convicted child rapist working as an orthopedic technician at Newton-Wellesley Hospital, Newton, MA, was using patient records to find targets. HIPAA was co-sponsored by Senator Edward (Ted) Kennedy.
• A UK attempt to centralize all medical records in 1995–96 led to a confrontation with the BMA.
• Late 1990s: an Iceland national medical database project that also incorporated genetic and genealogical data, to track inherited diseases across generations, caused an uproar:
  – 11% of the population opted out
  – The Supreme Court decided the database should be opt-in rather than opt-out
  – About half the population now participates

The Controversy (continued)

• Debate on the safety vs. privacy tradeoff of emergency medical information in Europe:
  – Emergency medical data should be readily available, for safety
  – "Readily available" can mean less secure, and vice versa: "secure" can mean "not readily available"
  – Germany: current prescriptions and allergies are on the medical insurance card that the person carries—private/secure, but is it safe? If the patient falls ill in a country where smart-card readers are not available this becomes a safety risk, and the alternative, information in human-readable format on a bracelet, is safer though less secure.
  – UK: the government is creating a "summary care record" of prescriptions and allergies kept on a central database, available to many health-care workers (emergency services, out-of-hours help lines)—safe, but not secure, as it may reveal sensitive information, e.g. HIV, depression, alcoholism.

HIPAA (Health Insurance Portability & Accountability Act)

Passed by Congress in 1996; the HIPAA Security Rule was finalized in 2003 and further simplified in 2006. It includes five technical-safeguard standards with required and addressable implementation specifications (45 CFR § 164.312, Technical safeguards):

• Access control
  – required: unique user identification (i.e. no group or generic logins), emergency access procedure
  – addressable: automatic logoff, encryption/decryption
• Audit controls: mechanisms that record and examine activity in systems that hold health information
• Integrity
  – addressable: a mechanism to authenticate that health information has not been altered or destroyed in an unauthorized manner
• Person or entity authentication
• Transmission security
  – addressable: integrity controls, encryption/decryption

Common-sense general requirements; few implementation specifics.

Summary of Challenges/Requirements for the Security Engineer

• Dynamic security roles—role-based models
• Multilateral / compartmented security model
• Safety vs. security tradeoffs
• Access control decisions involve the data subject (e.g. consent to disclose health data, religious beliefs, sexual orientation, etc.), as opposed to a central authority (defense systems) or the system user (discretionary)

The Threat Model

• Main threat: access abuse by insiders
• Most common threat vector (path/tool to attack the target): social engineering, e.g. the perpetrator calls the doctor's office: "Hello, this is Dr. Henderson from Mass General. Your patient, Bob Smith, had an accident and was brought into the ER unconscious. Can you tell me..." Most of the time "Dr. Henderson" gets everything he asks for.
• Operational security is not part of healthcare culture, and this is a good thing: "If everybody was as unhelpful as intelligence-agency staff are trained to be, the world would grind to a halt." (R. Anderson, Security Engineering, p. 285)

The Threat Model (continued)

• Lack of technical security knowledge: old PCs sold with recoverable data.
• Large centralized databases are managed more professionally, but at the same time are a more valuable target, and the abuse is potentially more damaging: aggregation of data increases risk.
  – The Department of Veterans Affairs (VA) has a centralized system. After Hurricane Katrina, veterans who were refugees in other states had their records readily available in the local VA hospital anywhere in the country.
  – May 2006: personal information on all 26.5 million veterans (including names, SSNs, etc.) was stolen from the residence of an employee who had taken it home without authorization.

BMA Security Policy

Ross J. Anderson (1996), Security in Clinical Information Systems, states the following nine principles ("A Security Policy Model for Clinical Information Systems", IEEE Symposium on Security and Privacy; HTML at http://www.cl.cam.ac.uk/~rja14/policy11/policy11.html):

• Access control: Each identifiable clinical record shall be marked with an access control list naming the people or groups of people who may read it and append data to it. The system shall prevent anyone not on the access control list from accessing the record in any way.
• Record opening: A clinician may open a record with herself and the patient on the access control list. Where a patient has been referred, she may open a record with herself, the patient and the referring clinician(s) on the access control list.
• Control: One of the clinicians on the access control list must be marked as being responsible. Only she may alter the access control list, and she may only add other health care professionals to it.

BMA Security Policy (continued)

• Consent and notification: The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in an emergency or in the case of statutory exemptions.
• Persistence: No one shall have the ability to delete clinical information until the appropriate time period has expired.
• Attribution: All accesses to clinical records shall be marked on the record with the subject's name, as well as the date and time. An audit trail must also be kept of all deletions.
• Information flow: Information derived from record A may be appended to record B if and only if B's access control list is contained in A's.

BMA Security Policy (continued)

• Aggregation control: There shall be effective measures to prevent the aggregation of personal health information. In particular, patients must receive special notification if any person whom it is proposed to add to their access control list already has access to personal health information on a large number of people.
• Trusted Computing Base: Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way. Its effectiveness shall be subject to evaluation by independent experts.
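The nine principles are concrete enough to be coded as a record type whose methods refuse anything the policy forbids. The following is an added example, not code from the lecture or from the BMA: the clinicians, patients and the aggregation threshold are constructed, the record is in memory, and the module itself would be the "subsystem that enforces the above principles" that the last principle demands.

```python
"""Added example, not from the lecture: an in-memory clinical record that
enforces the BMA principles (ACL, record opening, control, consent and
notification, persistence, attribution, information flow, aggregation)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

AGGREGATION_THRESHOLD = 50     # constructed: "a large number of people"
REGISTRY: list = []            # every opened record, for aggregation control
NOTIFICATIONS: list = []       # (patient, message) the patient must receive


class PolicyViolation(Exception):
    pass


@dataclass
class ClinicalRecord:
    patient: str
    responsible: str                  # the one clinician who may edit the ACL
    acl: set
    entries: list = field(default_factory=list)   # append-only clinical data
    audit: list = field(default_factory=list)     # attribution of every access

    def _attribute(self, who: str, action: str) -> None:
        self.audit.append((datetime.now(timezone.utc), who, action))

    def _require_access(self, who: str) -> None:
        if who not in self.acl:
            raise PolicyViolation(f"{who} is not on the ACL of {self.patient}'s record")

    def read(self, who: str) -> list:
        self._require_access(who)
        self._attribute(who, "read")
        return list(self.entries)

    def append(self, who: str, text: str) -> None:
        self._require_access(who)
        self.entries.append((who, text))
        self._attribute(who, f"append: {text}")

    def add_to_acl(self, who: str, newcomer: str, professionals: set) -> bool:
        """Control, consent/notification and aggregation control. Returns True
        when the newcomer already sees many patients (special notification)."""
        if who != self.responsible:
            raise PolicyViolation("only the responsible clinician may alter the ACL")
        if newcomer not in professionals:
            raise PolicyViolation("only health-care professionals may be added")
        already = sum(1 for r in REGISTRY if r is not self and newcomer in r.acl)
        special = already >= AGGREGATION_THRESHOLD
        self.acl.add(newcomer)
        note = f"{newcomer} added to ACL" + (" (already has wide access)" if special else "")
        NOTIFICATIONS.append((self.patient, note))
        self._attribute(who, f"acl add {newcomer}")
        return special

    def delete(self, who: str, index: int, retention_expired: bool) -> None:
        """Persistence: no deletion before the retention period ends; every
        deletion is itself attributed."""
        self._require_access(who)
        if not retention_expired:
            raise PolicyViolation("retention period has not expired")
        removed = self.entries.pop(index)
        self._attribute(who, f"delete: {removed[1]}")


def open_record(clinician: str, patient: str, referrer: str = None) -> ClinicalRecord:
    """Record opening: clinician and patient (plus the referrer, if any) on the ACL."""
    acl = {clinician, patient} | ({referrer} if referrer else set())
    record = ClinicalRecord(patient, clinician, acl)
    REGISTRY.append(record)
    NOTIFICATIONS.append((patient, f"record opened; ACL = {sorted(acl)}"))
    return record


def copy_information(src: ClinicalRecord, dst: ClinicalRecord, who: str, text: str) -> None:
    """Information flow: from A to B only if B's ACL is contained in A's."""
    src._require_access(who)
    if not dst.acl <= src.acl:
        raise PolicyViolation("copy would widen the set of people who can read this")
    dst.append(who, text)
```

The audit list is what the slide's attribution principle asks for; in Practical Problem #2 below it is exactly what the doctor would ask to see.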

Inference Control

• Privacy protection in secondary applications, such as databases for research, cost controls, and clinical audits, is even harder than in hospital systems.
• The standard protection is de-identification or anonymization: remove names and addresses. But well-designed queries can still find the identity.
• The US Health Care Financing Administration (HCFA, now CMS) maintains three sets of records: complete; beneficiary-encrypted (names and SSNs obscured) for trusted researchers; and public-access.
• HIPAA recognizes medical information as de-identified when it has been "properly" de-identified, i.e.:
  – 18 specific identifiers have been removed and the operator has no knowledge that the remaining information can be used to identify the subject, or
  – a qualified statistician concludes the risk of re-identification is substantially limited.
  – If such data are inadequate for research, HIPAA recognizes limited data sets, with more information available to contractually bound and qualified users.

Inference Control Theory

• Developed by Denning and others in the late 1970s and early 1980s
• Objective: prevent disclosure of sensitive statistics
• A characteristic formula is an expression (in some DB query language) that selects a set of records, known as the query set.
• The smallest query sets, obtained by logical AND of all attributes (or their negations), are known as elementary sets or cells.
• Statistics of query sets may be sensitive statistics if they meet certain criteria, e.g. the set size is too small.
• D — the set of statistics disclosed
• P — the set of sensitive statistics

Privacy is assured if $D \subseteq \bar{P}$, where $\bar{P}$ is the complement of $P$; if $D = \bar{P}$ the protection is precise.

Inference Control

• Simplest protection: limit the query-set size
• Most important attack: trackers—query sets that reveal identity
  – Individual tracker example: there is only one female faculty member in the department; then a set of just two queries reveals her salary:
    "Average salary of all faculty in the department?"
    "Average salary of all male faculty?"
  – General trackers—sets of formulae that can reveal any sensitive statistic. Disappointingly, they are not very difficult to construct. It was shown that if the minimum permitted query-set size is less than a quarter of the number of records, and there are no restrictions on the type of query, then one can find a formula that provides a general tracker (Denning et al., 1979).
• Area of active research
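Both trackers on this slide can be run against a small table. The following is an added example, not code from the lecture: the department is constructed with one woman among twelve faculty, the interface returns salary totals (the argument is identical for averages, which are totals divided by counts the interface also reveals), and the query-size control refuses any query set smaller than k or larger than n − k. The individual tracker is stopped by k = 2; the general tracker of Denning et al. (1979), with T = "professors", is not.

```python
"""Added example, not from the lecture: the individual tracker on the slide,
then a general tracker that defeats a query-size control. Records are
constructed sample data."""

# Constructed records: (name, sex, rank, salary).
FACULTY = [
    ("Adams", "M", "prof", 120_000), ("Baker", "M", "prof", 110_000),
    ("Chen", "M", "prof", 115_000), ("Davis", "M", "prof", 118_000),
    ("Evans", "F", "assoc", 98_000),          # the only female faculty member
    ("Frank", "M", "prof", 112_000), ("Green", "M", "assoc", 95_000),
    ("Hall", "M", "assoc", 96_000), ("Irwin", "M", "asst", 80_000),
    ("Jones", "M", "asst", 82_000), ("King", "M", "asst", 81_000),
    ("Lee", "M", "asst", 79_000),
]
N = len(FACULTY)


def total_salary(predicate, k: int = 0):
    """Statistical interface: sum of salaries over the query set, or None when
    the query-size control k refuses it (set smaller than k, or its
    complement smaller than k). k = 0 means no control."""
    rows = [r for r in FACULTY if predicate(r)]
    if k and not k <= len(rows) <= N - k:
        return None
    return sum(r[3] for r in rows)


def is_female(r):
    return r[1] == "F"


def is_professor(r):
    return r[2] == "prof"


def individual_tracker(k: int = 0):
    """The slide's two queries: everyone minus the men isolates the one woman."""
    everyone = total_salary(lambda r: True, k)
    men = total_salary(lambda r: r[1] == "M", k)
    if everyone is None or men is None:
        return None
    return everyone - men


def general_tracker(k: int = 0, target=is_female, tracker=is_professor):
    """With a tracker T satisfying 2k <= |T| <= N - 2k, any small query set C
    is padded so that every query passes the size check:
        q(C) = q(C or T) + q(C or not T) - q(T) - q(not T)."""
    parts = [
        total_salary(lambda r: target(r) or tracker(r), k),
        total_salary(lambda r: target(r) or not tracker(r), k),
        total_salary(tracker, k),
        total_salary(lambda r: not tracker(r), k),
    ]
    if any(p is None for p in parts):
        return None
    return parts[0] + parts[1] - parts[2] - parts[3]


if __name__ == "__main__":
    print("no control, individual tracker:", individual_tracker())
    print("k=2, individual tracker:", individual_tracker(2))
    print("k=2, general tracker:", general_tracker(2))
```

The identity behind the general tracker is q(C ∨ T) + q(C ∨ ¬T) = q(C) + q(All), so the target statistic falls out of four permitted queries; here the five professors satisfy 2k ≤ |T| ≤ n − 2k with k = 2 and n = 12. Raising k does not help much, since the theorem only needs k below n/4.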

Practical Problem #1

A Nigerian cyber crime team wants to access medical records in a particular hospital, to create a fictitious billing scheme so they can steal money from insurance companies. The criminals have an accomplice who works as a technician for a service company that delivers computer supplies and installs PCs at the hospital.

• What can hospital security personnel do to protect the hospital and its patients from such a threat? Please consider:
  – what the key issues are
  – which vulnerabilities the delivery person could exploit
  – what the hospital should do when dealing with suppliers
  – which security mechanisms the hospital should deploy

Practical Problem #1 Response

• Vulnerabilities:
  – Technician access to the hospital network and patient records system when installing a PC.
• The threat:
  – The technician eavesdrops (passive attack) on network traffic looking for hospital employee identities and authentication information (login IDs and passwords).
  – The technician tries to access the patient records system by masquerading (active attack) as a legitimate hospital employee.
• Key issues:
  – How to ensure only authorized access to hospital network communications and patient records.
  – The hospital relies on the company for employee background checks; however, this does not relieve the hospital of its responsibility.

Practical Problem #1 Response (continued)

• Possible hospital actions regarding third-party suppliers:
  – Background check on the supplier company to verify reputation and integrity
  – Confirm the company has a security program governing employee behavior
  – The contract with the company should include clauses on company obligations and liabilities
• Possible hospital-deployed security mechanisms:
  – Require that patient record access uses proper authentication, with access compartmentalized by hospital employee role/department
  – Train/educate hospital employees about social engineering
  – Deploy network access controls, such as 802.1X, to prevent unauthorized access to the network
  – Limit access to hospital systems via a role-based multilateral system. For example, the technician would find it easiest to masquerade as a floor nurse given his/her limited time and information, BUT nurses should not be granted access to billing or insurance information.

Practical Problem #2

Dr. Hastings reviews the record of one of his patients and is puzzled when he sees that the radiologist noted a small growth in the brain three years ago, but there are no follow-up exams or labs, and the latest entry gives the patient a clean bill of health.

• What could have happened?
• How can the doctor determine what happened?
• How could hospital system security have prevented this from happening?

Practical Problem #2 Response

• What could have happened?
  – The most likely cause is an accident, such as a mistake by a nurse or other hospital employee who is authorized to access the record.
• How can the doctor determine what happened?
  – If all changes to patient records are recorded in a log/audit file, then the doctor can request examination of the log entries to identify who accessed the record, when the access occurred, and what was done when the record was accessed (Attribution).
• How could hospital system security have prevented this from happening?
  – Not allow deletion of information from patient records prior to the expiration of a specified time period (Persistence).
  – Not allow modification of information in patient records without confirmation by a second employee (Separation of Duties).