299-Article Text-492-1-10-20160203.pdf


Similarly, when the patient’s communication device wants to send data to or receive data from the PHR/EHR system, both sides require mutual authentication. The PHR/EHR can then trust that it is receiving data from, or sending data to, the correct device (and therefore the right patient), and the patient’s communication device can trust that it is sending data to, or receiving data from, the correct server (and therefore the right healthcare provider).

The second category (authorization and access threats) lists threats related to unauthorized access to system components. These threats include elevation of privilege, data tampering and/or disclosure of confidential data. With elevation of privilege threats, insiders may attempt to elevate their privileges in order to gain additional access to system components. For example, a patient or healthcare provider may impersonate the context of an administrator in order to gain additional privileges and more control over the application or system. Data tampering refers to intentionally or accidentally modifying, adding and/or deleting data, caused by insiders having excessive privileges or by inappropriate access control of a resource. Confidential data disclosure potentially occurs if sensitive data, such as patient health records and login credentials, can be viewed by unauthorized users due to improper data protection. The potential damage of such threats is stated as low, medium or high, depending on the distribution of business functions and processes. According to Table 3 (Threat Class 2 (T2)), the majority of threats are rated high because, for instance, gaining access to powerful accounts such as those of members of local administrator groups or local system accounts may cause massive damage to patients or healthcare providers.

In the third section of the table, threats related to privacy are identified. Privacy is subject to a variety of threats, including access to sensitive data in storage and data tampering. Threats to sensitive data in storage can affect data stored in the patients’ communication devices or on PHR/EHR servers. Improper data protection on patient communication devices may allow attackers to read information not intended for disclosure.
In the final section, threats related to auditing and logging are listed. Auditing and logging should be used to help detect suspicious activities, such as footprinting or possible password cracking attempts, before exploitation actually occurs. They can also help deal with the threat of repudiation: it is much harder for a user to deny performing an operation if a series of synchronized log entries on multiple servers indicates that the user did perform the transaction. Threats related to auditing and logging include potential data repudiation, log tampering and insufficient auditing. Data repudiation concerns users denying that they performed an action or initiated a transaction. For example, a patient or healthcare professional may deny having received, written or edited data. Log tampering entails an insider attacking logs via log files. For threats due to insufficient auditing,
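The repudiation and log-tampering threats described in this section can be checked for by correlating audit entries for the same transaction across servers. The following is an added example, not taken from the original paper; the log format, server names and clock-skew tolerance are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp|server|user|action|transaction id.
SAMPLE_LOGS = """\
2016-02-03T10:15:02+00:00|gateway|patient-17|edit_record|tx-1001
2016-02-03T10:15:03+00:00|phr-app|patient-17|edit_record|tx-1001
2016-02-03T10:15:03+00:00|phr-db|patient-17|edit_record|tx-1001
2016-02-03T10:20:40+00:00|gateway|dr-04|read_record|tx-1002
2016-02-03T10:20:41+00:00|phr-app|dr-04|read_record|tx-1002
2016-02-03T10:31:10+00:00|gateway|dr-04|edit_record|tx-1003
2016-02-03T10:31:11+00:00|phr-app|dr-04|edit_record|tx-1003
2016-02-03T10:31:11+00:00|phr-db|admin-01|edit_record|tx-1003
"""

EXPECTED_SERVERS = {"gateway", "phr-app", "phr-db"}  # assumed deployment
MAX_SKEW = timedelta(seconds=5)  # assumed tolerance between synchronized clocks

def parse(text):
    """Parse pipe-delimited audit lines and group them by transaction id."""
    by_txn = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, server, user, action, txn = line.split("|")
        by_txn[txn].append({"ts": datetime.fromisoformat(ts), "server": server,
                            "user": user, "action": action})
    return by_txn

def corroborate(entries):
    """Return findings for one transaction; an empty list means corroborated."""
    findings = []
    missing = EXPECTED_SERVERS - {e["server"] for e in entries}
    if missing:  # an entry was never written or was removed on that server
        findings.append("missing on: " + ", ".join(sorted(missing)))
    if len({(e["user"], e["action"]) for e in entries}) > 1:
        findings.append("servers disagree on user/action")
    times = [e["ts"] for e in entries]
    if max(times) - min(times) > MAX_SKEW:
        findings.append("timestamps outside clock-skew tolerance")
    return findings

def audit(text):
    """Map each transaction id to its list of findings."""
    return {txn: corroborate(e) for txn, e in sorted(parse(text).items())}

if __name__ == "__main__":
    for txn, findings in audit(SAMPLE_LOGS).items():
        print(txn, "corroborated" if not findings else "; ".join(findings))
```

A transaction with no findings is one a user would find hard to repudiate; a missing or conflicting entry on one server is a lead for investigating log tampering or insufficient auditing on that server.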