Skip Nav

Looking for other ways to read this?

Bell Laboratories scientist George Stibitz uses relays for a demonstration adder

❶Other space scientists dispute that idea.

PAST BLOGS

News and highlights in machine learning
Hewlett-Packard is founded
Research areas

Optimizing imperative functions in relational databases with Froid Read More. News and highlights in machine learning. Malmo, Minecraft and machine learning with Dr. Reinforcement learning in a complex world. Security, privacy, and cryptography. View All Research Areas. Data management, analysis and visualization. Hardware, devices and quantum computing. Medical, health and genomics.

Programming languages and software engineering. Search and information retrieval. Technology for emerging markets. The Microsoft Research Podcast An ongoing series of conversations bringing you right up to the cutting edge of Microsoft Research. Latest episode Playing to the crowd and other social media mandates with Dr. Practical systems adopt a mixture of the two approaches; thus, in physical security one may install a reasonably strong lock an obstacle and an alarm system representing deterrence, because apprehension in the act of breaking in carries criminal sanctions.

Deterrence assumes that individuals who constitute a threat can be identified and subjected to such sanctions. Technical support for deterrence centers on mechanisms for identifying users and auditing their actions. Obstacles are most often used in situations in which the threat cannot be identified or it is not practical to impose sanctions, such as in the protection of military or diplomatic information.

Technical supports for imposition of obstacles include mechanisms for making a priori determinations of authorized use and then taking active steps to prevent unauthorized acts. Three factors inhibit organizational adoption of obstacles: Deterrence mechanisms also entail costs, but these costs tend to be more indirect e.

Health care organizations must therefore assess their information systems to determine the types of threats to which they are most vulnerable and must then implement the necessary organizational and technical mechanisms. Although the precise implementation will vary from one institution to another, some general rules of thumb apply across organizations Table 3.

Specific ways of implementing the types of mechanisms identified are outlined in Chapters 4 and 5. Threat 1 can best be countered by organizational mechanisms that detect and deter abuses. More sophisticated technology per se can do little to prevent this kind of disclosure.

Simple procedural measures appear to be most appropriate—for example, reminders about behavioral codes, confirmation of actions that might route or access information erroneously, or screen savers and automatic log-outs to prevent access to unattended displays.

Chapter 4 examines the possibility of extending these procedures by maintaining patient anonymity through the use of coded patient identifiers pseudonyms in most of the care process. The principal countermeasure for threat 2 is deterrence: Technology can also play a role in controlling inappropriate access to patient information.

Strong user authentication, based on cryptographic techniques, can effectively control access to health information networks and computer systems-at least to the extent that system users protect their identifying data and make appropriate use of the information they are authorized to access.

The use of encryption can place significant obstacles in the way of potential abusers, requiring them to obtain special data keys to make patient information legible. Properly analyzed audit records of accesses are another powerful tool to deter abuse. A combination of obstacles and deterrence is necessary to counter threat 3. These include reasonable obstacles to prevent unauthorized access without interfering with authorized use and the deterrence steps used against threat 2.

Audit trails are particularly effective at deterring this type of threat. The countermeasures for threat 4 rely heavily on deterrence, supplemented with strong technical obstacles. Attackers run the risk of immediate identification and apprehension and have the potential of leaving physical evidence of intrusion e.

The obstacles that can be placed in the way of threat 4 include both technical security measures such as strong identification and authentication mechanisms and physical security measures such as requiring badges, and challenging strangers.

Countermeasures against threat 5 are based purely on the obstacle approach. In this case, the threat is not readily identifiable; its physical. Physical security and technical mechanisms such as authentication and access controls. Technological obstacles to intruders include the use of firewalls to isolate internal and external networks and strong encryption-based authentication and authorization technologies to prevent intruders from masquerading as legitimate users.

However, the effectiveness of technological obstacles can be ensured only when network connections between the health information system and the outside world are restricted administratively to passing nonsensitive data e. If external network connections are used for both sensitive and nonsensitive data, then the technical countermeasures required to guarantee security may well push the state of the art, 8 to say nothing of exceeding the state of practice observed in the site visits.

Furthermore, for some types of attack, there are no known obstacles at all; for example, denial-of-service attacks based on exhaustion of resources are very hard to defend against, especially when timeliness of response is an issue, although defenses against denial-of-service attacks can sometimes be created on an ad hoc basis.

This is not to say that technical countermeasures are useless indeed, the focus of Chapter 4 is on technical countermeasures that can be deployed to useful effect. Nevertheless, technical countermeasures cannot be viewed as a cure-all for security problems. Obstacles such as encryption and authentication are the only effective ways to counter organizational threats against systems that have an Internet interface because there are minimal, if any, accountability mechanisms in effect on the Internet.

In addition, the Internet spans multiple legal and national jurisdictions. The same holds true—to a lesser degree—for systems with any kind of "dial-in" interface. As a consequence, extensive use of the Internet to access or transfer health record data will carry with it a significant and growing risk from organizational threats to the security and privacy of the data unless steps are taken to mitigate this risk; these steps are the focus of Chapter 4 and Chapter 6.

The largest portion of these risks will not be mitigated until ways are developed of holding Internet users accountable for their actions and agreements are in place across multiple legal and national jurisdictions to impose sanctions for violations of the security and privacy of health information. Provided that adequate obstacle-based security mechanisms exist at the Internet interface e.

Countering organizational threats by erecting technical obstacles to access is not, in general, compatible with the efficient and effective operation of systems used by providers. The time pressures on providers do not permit the level of security-driven interaction that such mechanisms require, and the risk that an obstacle-based mechanism will deny legitimate access to data in an emergency with the consequent liability is inherent in such mechanisms.

An important enabling mechanism for such an approach is an identification and authentication mechanism that has adequate strength and is acceptable to all classes of users. Systemic concerns about the privacy of patient-specific health information are generally rooted in the use of such information in a manner that acts against the interests of the individual patient involved. These interests may involve specific identifiable adverse consequences such as increased difficulty in obtaining employment or insurance or less tangible ones such as personal embarrassment or discomfort.

In order to understand how public concerns about such use arise, it is helpful first to examine the exchanges of health information throughout the health care system. Health information-both paper and electronic-is used for many purposes by a variety of individuals and organizations within and outside the health care industry Table 3.

Primary users include physicians, clinics, and hospitals that provide care to patients. Secondary users employ health information for a variety of societal, business, and government purposes other than providing care. As part of their management functions, these payer organizations also conduct analyses of the quality of health care delivered by provider organizations and its relative costs. Other secondary users include medical and social science researchers, rehabilitation and social welfare programs, public health services, pharmaceutical companies, marketing firms, the judicial system, and the media.

Marketing firms and vendors of health-related products also obtain health information that will help them target particular types of patients for direct marketing. The types of information collected by primary and secondary users vary greatly across individual organizations. Exchanges of data among these organizations are highly complex and dynamic. Rather than attempting to enumerate every possible flow, the discussion below traces the records of a hypothetical, but typical, patient named Alice.

Alice's story is a representative, although by no means comprehensive, description of how health records are shared between organizations and individuals. Alice is in her late twenties, married, and employed by a small company. Bob, her husband, is employed by a large firm. Bob's company offers its employees a choice of three health benefit plans: Differences in the ways their health records may be stored and controlled are not outlined in the program descriptions, and Alice and Bob do not consider this factor in their decision.

Bob's employer is self-insured—an increasingly popular strategy for many large employers—though this fact is not stated openly during the enrollment process.

When they set up housekeeping in their current location, Alice and Bob consult friends, colleagues, and local sources of information to find. Some states sell driver's license records, complete with height, weight, full name, and address, and allow focused marketing based on any of these characteristics. Demographic information purchased from a particular type of organization, such as an AIDS clinic, a maternal care center, or a wellness program can also help target individuals for specific marketing campaigns.

On her first visit to a prospective primary physician, who is a member of a small group practice, Alice is asked to fill out a medical history form and specify how she will pay for her care in the future. She indicates that she will use the health insurance benefits available to her through her husband's job. Since Alice specifies that some of her charges will be covered by a party other than herself, she is also given a form to sign that would authorize the physician's office to send information to the insurer for payment of claims.

This release covers all future visits Alice makes to this practice. Alice's initial visit is satisfactory, and she decides to use this physician as her primary care provider. Records for her initial examination are recorded on paper and held in the physician's office.

Blood samples taken from her during the visit, however, are sent to an outside laboratory for analysis. Automated analysis equipment records the laboratory results and prints a paper copy that is returned to the physician; the laboratory bills Alice for the service.

The laboratory also retains a record of the test and of Alice's identity. Through the third-party administrator used by Bob's firm to manage health care benefits, Bob's firm receives a claim from Alice for the office visit and the blood test, and approves payment.

The following year, Alice's annual checkup reveals hypertension, and blood tests show mild anemia. The physician prescribes two medications, and Alice fills the prescriptions at a local pharmacy.

The pharmacy's charges are reimbursed through a pharmacy benefits program connected with the health insurance option selected by Bob.

The pharmacy records Alice's name and address, reads her pharmacy benefits card, notifies the benefits program, and is reimbursed. Parts of Alice's health record now reside with the retail pharmacy and the pharmacy benefits provider, as well as her care provider. When Alice becomes pregnant, she develops a condition that her primary care provider wishes to discuss with another physician outside the group.

She requests Alice's permission to release information to the consulting physician, since Alice may wish a second opinion, and Alice will pay for part of the cost. Acting in accordance with the rules specified by Bob's firm, the third-party administrator approves both the consultation and part of the consultant's fee.

The primary care provider trusts the consultant to keep information in Alice's record confidential. The child is delivered at a local hospital used by the group practice.

Prior to Alice's admission, she provides evidence of her ability to pay by showing her insurance card, and she signs a form authorizing the hospital to release to paying parties any data from this admission required for payment.

The hospital performs a variety of tests and procedures during Alice's stay and creates a related set of records, some automated and. The child's birth is recorded with the state, which also opens an immunization record for the child. Subsequently, the hospital is visited by an accrediting body, which, as a routine part of its investigation, checks on the record-keeping procedures at the hospital. As it happens, Alice's records are among those reviewed, but the accreditors do not remove them from the hospital or make any copies.

They simply check the records for accuracy and completeness and to ensure that they are stored in compliance with accrediting procedures. Bob's company, feeling competitive pressures, considers ways to save money and increase productivity. Improving employees' health seems to be a positive step, since it may both decrease claims and improve performance.

Since Bob's company is self-insuring, it asks the third-party administrator to provide it with claims information pertaining to its employees. Though reluctant to share patient-identifiable information because of concerns over privacy, the third-party administrator has no legal basis on which to refuse the request and, to maintain good relations with its client, provides the information to Bob's employer.

Alice's company, under similar pressure, initiates a company clinic on-site and a ''wellness" program. Although she continues to be insured by Bob's company, Alice uses the clinic occasionally and, on her first visit, provides the clinic with her history, including a list of medications she is taking.

After the birth of their child, Bob and Alice realize that they need life insurance. Both of their companies provide some group coverage, but it is inadequate for their needs.

Alice applies for coverage with a large, respected firm, which will provide the coverage she wants if she passes a physical examination. The life insurance company will pay for the examination, but she must sign a release permitting the results of the examination to be forwarded to the Medical Information Bureau MIB.

The life insurance company decides to accept the risk of insuring her but forwards the hypertension results to the MIB in accordance with the industry's practices because her hypertension, although under control, may potentially affect her longevity.

The group practice Alice uses is purchased by a managed care firm, which installs its automated records program. Results of Alice's office visits are now stored on a local computer system. The managed care firm, facing the same competitive pressures as Bob's company, periodically. Not all insurers will provide such information to self-insured clients, but others report that they do because they have no legal basis on which to refuse.

The managed care firm denies a request from another patient within the practice to consult a specialist for a condition similar to the one for which Alice was treated. The patient subsequently sues the practice, and her lawyers request disclosure of records from similar cases within the practice. The court grants a subpoena for the records involved, including Alice's, and the practice is compelled to provide copies of the records to lawyers.

Alice's name is removed from the record. A researcher wants to investigate the long-term effects of the hypertension medication Alice has been taking. He gets a federal grant to support the study and gains approval of his organization's institutional review board. He then writes to hospitals and physicians to request access to their records. Alice's physician contacts Alice and several other patients to ask if they are willing to participate in the study. Alice agrees and signs a consent form granting her physician permission to provide her records to the researcher for purposes of this study, but she insists that her identity not be revealed.

The records are provided as requested, but with the name, address, and Social Security number fields scrambled in such a way as to allow Alice's records to be linked without divulging her identity. At this point, parts of Alice's health record are held by a wide variety of organizations: Most of these organizations have information that specifically identifies Alice. She has explicitly consented to grant access to some of these holders; she is aware of others to whom she has not granted access; of others, she may be entirely unaware.

If Alice and Bob had chosen a different health plan, the flows might differ. A comprehensive HMO, providing medical, hospital, and pharmacy service, might have more flows within it and fewer outside organizations, for example. If Alice were an impoverished single parent receiving government benefits, additional flows of data would involve state and federal social services agencies. The federal government collects data for reimbursement of care provided under Medicare and Medicaid, but states also collect large amounts of patient-identifiable information for their own pur-.

State health agencies can provide services and collect identifiable data about patients just as providers in private health care entities would. Functioning as providers, they would release identifiable data with patient consent to insurers and other providers depending on the need to know. State health agencies collect data for the purposes of analyzing and disseminating information on health status, personal health problems, population groups at risk, availability and quality of services, and health resource availability.

Environmental services, Medicaid, professional and facility licensing, and alcohol and drug abuse or mental health services are not located consistently in all state health departments across the country.

For a review and analysis of state laws that regulate the acquisition, storage, and use of public health data, see Gostin, Lawrence O. Neslund, and Michael T. The types of data systems related to each of these categories can be extensive Table 3. Databases created for these purposes generally have a designated steward who is responsible for managing the protection and the uses of the data.

These types of data are released in an identifiable form only in select situations: In the latter case, identifiable data are released to specially authorized public health investigators or private physicians who are responsible for care of the person believed to have a reportable condition or disease e. The steward of the database determines which staff members are allowed to access identifiable data for the purposes of analyzing them.

Finally, state laws include penalties that prohibit improper release of data by a state government employee. As Alice's story shows, the types of organizations that collect, process, and store health information include not only other members of health care provider teams, such as referral providers, nurses, and laboratory technicians, but also groups such as insurance companies and third party payers, utilization and outcomes assessment groups, public health and disease registry groups, clinical research groups, and a growing health information services industry.

These various organizations have historically developed separate policies with regard to the protection of information in these records. These separate policies reflect the different perceptions of individual stakeholders regarding the proper trade-off between Alice's privacy interests and their use of the data.

Although these policies are not always formalized or documented, a consensus among the members of each stakeholder group can generally be discerned. Such consensus typically does not exist between different groups of stakeholders e. A collection of health insurance executives is likely to agree regarding the bounds of legitimate access within their own business sector, as is a collection of physicians, but the two definitions of legitimate access are likely to differ significantly from one another.

As a result, the movement of data around a network of. Information on all patients discharged from acute care hospitals; systems track morbidity, hospital use and costs, and the distribution and utilization of services. Summary statistics on services and volumes of contracted genetic counseling clinics. Information on vaccination status of adults in schools and adults in health care facilities. Yearly telephone survey on health-related behaviors of a sample of individuals 18 and older, used to develop statewide prevalence estimates to target preventive health services to counties, age groups, and so on.

Information on all births occurring in a particular state; used to monitor trends in population fertility and maternal and child morbidity, to establish legal residence, and to assist in epidemiological analyses.

Documentation of statewide incidences of cancer from hospital tumor registries and laboratory data. Information on all deaths occurring in a particular state; used to monitor trends in mortality, establish legal benefits, and assist in epidemiological analyses.

Information on laboratory tests for hemoglobinopathies, which are performed on all newborns delivered in hospitals in the state; used for early identification and treatment of these disorders. Information on immunization status for residents and staff of long-term care facility.

Tracking of suspected events following immunization; used to initiate follow-up action if needed. Information on occupation-related mortality and effects of occupational exposures on natality. Information of occurrences of diseases used for disease surveillance and conditions. Information on morbidity and epidemiological investigations and follow up actions for individuals or partners testing positive for sexually transmitted diseases.

Information on management of individual cases of persons with tuberculosis and individuals exposed to tuberculosis and their follow-up and treatment. Minimum information required by U. Information on child abuse or neglect referrals, subsequent investigations, and responses to referrals and investigations.

Washington State Department of Health, Rather, data are treated in accordance with a variety of local policies that may or may not be consistent with the patient's understanding when signing a form that authorizes initial release of the information.

Individual organizations often have strong business incentives to protect health information from other parties because they regard such information as having significant business value; nevertheless, almost all of the sites that the committee visited during the course of this study expressed serious concerns about potential harm to patient interests resulting from unrestrained use of patient information by organizations not involved in the provision of care.

Without industry-wide standards or regulations governing the uses of health information by primary and secondary users, the information can—and sometimes is—employed for purposes that violate patient privacy or are detrimental to the interests of the patient. One example of the kinds of harm that can befall patients is outlined in a recent case study 13 that describes the results of a survey in which respondents reported discrimination as a result of access to genetic information.

Such discrimination resulted in loss of employment, loss of insurance coverage, or ineligibility for insurance. The cases were screened carefully to identify those in which discrimination was based on the future potential for disease rather than existing manifestations of a particular malady i. A second example of harm is illustrated by the case of a pharmaceutical company that acquired a drug reimbursement service or pharmaceutical benefits manager PBM.

The PBM used information in its database in an attempt to convince physicians to prescribe drugs manufactured by the pharmaceutical company. In a March consent decree filed in Minnesota and joined by 17 other states, 14 one such firm agreed to stop interfering in the prescription of medications from other manufacturers when it assessed patients' eligibility for coverage.

Although no direct financial or physical harm befell patients in this case, their privacy interests were compromised when confidential information about them was. These examples clearly suggest that the interests of patients may not be well served by wide dissemination of health care information.

If Alice had developed an expensive, chronic condition as a complication of her pregnancy, Bob's self-insured employer could be made aware of that fact through its review of billing data which contain detailed diagnostic codes and could use such information to influence a decision about Bob's continued employment. Managers in Bob's company might well argue that Bob's high health insurance bills make him too expensive to keep on the payroll. In a recent survey of Fortune corporations, 35 percent responded that they use individual health records in making employment-related decisions.

An earlier survey indicated that 50 percent of the companies used health records in making employment-related decisions and that 19 percent did not inform employees of such use. Furthermore, no legal standard prevents Bob's old employer from discussing Alice's condition with a potential new employer or prevents some entrepreneur from establishing a clearinghouse of data on employees with high insurance costs.

Concerns about the systemic sharing of electronic health information are linked to efforts to establish a universal patient identifier for indexing patient records throughout the U.

The goals of this initiative are multiple and include improving the quality of care by allowing providers to more easily locate patient records, facilitating health services research, and simplifying the administrative aspects of managing and paying for care. University of Illinois Press, Urbana, Ill. For example, the employer may shift a pregnant worker out of a hazardous environment.

Detecting fraud may be possible only when abuse is revealed through unusual patterns of health care usage linked through individual patient records. Large, integrated delivery systems and managed care programs routinely assign patients identifiers for use within their health care systems without generating much controversy.

For example, the idea of using the Social Security number SSN as a universal health identifier raises concerns not only that all medical data associated with a given individual can be linked, but also that an individual's medical data could be linked with financial data, purchasing habit data, family details, and other items of information—many of which are already indexed by the SSN—to create a personally identifiable, inter-linked record containing sensitive information.

The use of any single number as a universal identifier could expand beyond its initial intent and become widespread in other domains, just as use of the SSN expanded well beyond the realm of identifying Social Security records. Adoption of a universal patient identifier would raise concerns about its use to link large numbers of personal data transactions in two distinct areas:. It is advantageous for a patient in the emergency room or one who is being treated for substance abuse to have medical data linked so that care providers can make clinically informed decisions regarding care.

If health care moves to a more integrated service model in which large megaorganizations are responsible for more dimensions of care and an individual has less choice in selecting the organization with which he or she will interact, controversy may yet develop. Szolovits, Peter, and Isaac Kohane. Mitigating the impact of such concerns is generally a matter of public policy. Health care enterprises and others with access to health care information can decide voluntarily to refrain from using a universal health identifier in particular ways, or mandatory mechanisms can be put in place by legislation.

Legislative approaches might choose to prohibit discrimination in employment on the basis of patient information or prohibit the dissemination of patient information to employers. Nevertheless, it may be possible to design an identification and linking scheme that can satisfy the needs of the health care industry without jeopardizing patient privacy or that can help enforce any policy framework established for protecting privacy. For example, it may be possible to design a system that does not rely on a single number.

Chapter 4 outlines some approaches for identifying and linking records. Chapter 6 contains the committee's judgments on these issues. The chapters include recommendations for extensive education of the public about threats to the privacy of health care information and criteria for ensuring that the development of any universal patient identifier explicitly recognizes its potential effects on privacy.

They also include recommendations for the passage of legislation setting down the principles by which trustees of health care information are limited in its collection, use, and disposal and are responsible for disclosure of accesses to it. Finally, they include the development of technologies that control the integrity of, access to, and accountability for uses of health care information across all stakeholders. Patient-identifiable health information has business value to organizations such as insurers, employers, providers, and drug companies.

This value leads to organizational pressure to disseminate and use the data for purposes other than those for which they were collected. Individual patients are at a disadvantage in resisting this pressure because of the imbalance of power between them and these organizations. Systemic concerns arise from deep differences among stakeholders as to what constitutes fair information practice. Every stakeholder that receives data about a patient has an argument to support its claims about a bona fide need for patient information.

No consensus exists across society regarding the legitimacy of these needs and against which they can be independently assessed. Nor does consensus exist regarding the uses made of such information.

Lohrmann on Cybersecurity & Infrastructure

Main Topics

Privacy Policy

1. Look up “the paper that started the study of computer security.” Prepare a summary of the key points. What in this paper specifically addresses security in areas previously unexamined? a.

Privacy FAQs

Answer to Look up "the paper that started the study of computer security." Prepare a summary of the key points. What in this paper specifically addresses.

About Our Ads

Answer to Look up “the paper that started the study of computer security.” Prepare a summary of the key points. What in this. Summary of the key points: To develop techniques and obtain experience on interconnecting computers. To improve and increase computer research productivity through resource sharing. Any program or user on any of the networked computers can access any other program or subsystem connected in the network without changing the remote program%(13).

Cookie Info

Information Security - Chapter 1. STUDY. PLAY. computer security. considered as the paper that started the study of computer security. the scope of computer security expanded into: securing the data, limiting random and unauthorized access to that data, involving personnel from multiple levels of the organization in information security. • The Rand Report R was the document that started computer security. • The Rand Report contains valuable material on security controls for resource-sharing and computer systems. It discusses intrusions, physical security threats, policy considerations. It also makes recommendations, and is now used in technical literature.