Social Engineering Techniques, Password Selection, and Health Care Legislation: A Health Care Setting

B. Dawn Medlin, Joseph A. Cazier
Copyright: © 2015 |Pages: 15
DOI: 10.4018/978-1-4666-7381-6.ch005


Healthcare employees generally have access to view hospital patients' medical records. This access can be as simple as viewing a chart or reviewing information on a computer screen. With this type of accessibility, hospital employees have the opportunity to view diagnoses and personal medical histories, as well as demographic information such as age and gender. Social engineers can use methods such as familiarity with co-workers, for instance, to obtain this information from unsuspecting health care workers. In addition, weak password selection can provide opportunities for a wealth of information to be stolen. In this chapter, current security legislation that addresses the security of patients' health care records, social engineering tactics, and passwords are explored.
Chapter Preview


There are many threats to the privacy of a patient’s information, and one of the largest threats is social engineers or the act of social engineering. Social engineering is generally defined to include the use of trickery, personal relationships and trust to obtain information; more specifically, it is the art of deceiving people into giving confidential, private or privileged information or access to a hacker (Gragg, 2007).

Another threat to the privacy and security of patients' information can be the employees themselves. Internal employees can actually pose the largest threat to the security and privacy of information, as they can exploit the trust of their co-workers, and they generally are the individuals who have or have had authorized access to the health care organization's network. As well, they are generally familiar with the internal policies and procedures of the organization. Additionally, internal employees can exploit that knowledge to facilitate attacks and even collude with external attackers. HIPAA regulations were enacted to protect the privacy and security of patients and their medical records; simply put, they make it illegal for unauthorized personnel to access or release information from someone's medical records.

Despite their legal force, however, HIPAA standards have been known to be difficult to implement and are not always followed. As required by HIPAA, healthcare institutions must provide security methods in order to protect patients' information. One such method is the authentication of the individual requesting access. Healthcare employees are generally subjected to some type of authentication process. Although there are different ways of authenticating employees, most systems are based on the use of a physical token (something one has), secret knowledge (something one knows) or biometrics (something one is) (Burnett & Kleiman, 2006).

Due to increased regulations and the increased opportunities for exploitation that exist in today's digital world, it is even more important for healthcare providers to keep healthcare records, and the information held within them, safe and private. Governmental agencies have adopted initiatives that specifically address the issues and rights of healthcare patients. More specifically, the security and privacy of healthcare information is protected by the Health Insurance Portability and Accountability Act (HIPAA), which requires healthcare agencies to do everything possible to protect their information.

Key Terms in this Chapter

Password: A secret word known only to the individual and the computer system, created to prove a person's identity and grant them access to a system.

Computer-Based Attack: An attack on a system using and targeting primarily technologies directly.

HITECH: The Health Information Technology for Economic and Clinical Health Act is another Federal law regulating health information sharing, security, and privacy.

Biometrics: A marker of someone’s identity based on tangible and observable physical characteristics.

Social engineering: The art and science of manipulating people and processes to get what an attacker wants.

Hacker: Someone with the skill and ability to modify a part of a system to use it in ways not originally intended, such as gaining unauthorized access and information.

HIPAA: The Health Insurance Portability and Accountability Act; a Federal law regulating health information privacy.

Human-Based Attack: An attack on a system using and targeting primarily humans as a way to get through the technology to the information the attacker desires.
