Security and Privacy in an Electronic Age Chapter 12
Privacy and Security Many companies and some government departments have lost, misplaced, or sold confidential information—some of it medical. With 2014 as a target year for computerizing medical records, effective security for the privacy of computerized information is a necessity.
Threats to Information Technology Crime such as spreading viruses Natural disasters such as flood or fire Human error
Computer Technology and Crime Computer technology has led to new forms of crime. Crimes using computers and crimes against computers: Most are both—using computers to harm computers
Computer Crime Spreading viruses Programs that reproduce themselves and harm computers
Computer Crime Theft of information Breaking into private databases, such as hospital databases, and misusing information Theft of services Theft of cable TV
Computer Crime Fraud Using a computer program to illegally transfer money from one account to another Software piracy Illegally copying copyrighted software
Identity Theft An identity thief needs only a few pieces of information (such as Social Security number, mother's maiden name) to steal your identity. Among those who find out who stole their identity, half are members of the family or household of the victim. Many states have passed laws against identity theft.
Identity Theft Identity theft is now at a low point. In 2010, the average amount that fraud victims had to pay had increased from $ to $ due to new account fraud. 2009–2010—Data breaches, which put your identity at risk, have increased 33%.
Current Threats to Computer Systems Spyware Software that can be installed without user's knowledge to track their actions on a computer Adware May display unwanted popup advertisements on your monitor May be related to the sites you search on the Web or even the content of your
Current Threats to Computer Systems A fraudulent dialer can: Connect the user with numbers without the user's knowledge Connect the user's computer to an expensive 900 number Phishing involves sending fraudulent messages via or instant message that purport to be from a legitimate source.
Current Threats to Computer Systems A Trojan horse appears to be a normal program, such as a computer game, but conceals malicious functions. An bomb or denial-of-service attack sends so much to one address that the server stops working. Botnets can remove software or send spam.
Current Threats to Computer Systems Keylogging can be used by anyone to track anyone else's keystrokes. Malware includes many forms of malicious hardware, software, and firmware. Spybot Search and Destroy software can remove malware, adware, spyware, fraudulent dialers, and keyloggers from your computer.
Security Security systems try to protect computer hardware, software, and data from harm by restricting access, training employees, and passing laws. Attempts at restricting access: PINs (personal identification numbers) or passwords Locking computer rooms and requiring employees to carry ID cards and keys
Security Biometric methods Fingerprints Hand prints Retina or iris scans Lip prints Facial thermography
Security Biometrics also include: Body odor sensors Facial structure scans Iris and retina scans Keyboards that can identify a person by behavior, fingerprint, voice, or gait None of these methods is foolproof.
Security On April 12, 2011, assistant director of the FBI's cyberdivision, Gordon Snow, told the Senate Judiciary Crime and Terrorism Subcommittee that criminals can “penetrate any system that is accessible from the Internet.”
Security This means, he continued, that “government networks and the nation's critical infrastructure could be degraded, disrupted, or destroyed.” Even when a crime is detected, it is very difficult to know where it originated or who did it.
Backup Systems No security system is foolproof. A backup system is necessary: Copies of data Copies of software Off-site
Figure 12.3 Federal laws intended to protect computer systems and privacy of individuals.
Figure 12.3 (continued) Federal laws intended to protect computer systems and privacy of individuals.
Privacy Privacy refers to the right to control your personal information.
Threats to Privacy Government databases maintained at the local, state, and federal level include: Tax information Welfare information Property ownership Driving records Criminal records
Threats to Privacy RFID (radio frequency identification) tags: The FDA has approved the tags for medical use. These chips are very easily counterfeited.
Threats to Privacy There are legal restrictions on the federal government and what it does with information it collects. There are few restrictions on state and local jurisdictions: Some local jurisdictions sell information. Some put the information on the Internet.
Threats to Privacy Private databases maintained by corporations interested in buying habits to personalize advertising. These databases hold information on: Buying habits Credit rating Health information Reading habits
Threats to Privacy Databases online with information available for a fee Information from government databases can be linked to private databases by using Social Security numbers.
Threats to Privacy Real ID Act of 2005: Directly imposes prescriptive federal driver's license standards by the federal government on the states Requires every American to have an electronic identification card
Threats to Privacy Real ID Act of 2005: State DMVs must share all of the information in their databases with all other states' DMV databases; this creates a huge database. However, by 2011, according to some sources, the Real ID Act had been put in limbo after 25 states adopted legislation opposing it.
Privacy, Security, and Health Care: HIPAA and HITECH Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the first federal legislation to put a national floor under the privacy of medical information. HITECH extends the privacy protections of HIPAA.
HIPAA and HITECH HIPAA and HITECH encourage the use of the electronic medical record (EMR) and encryption to protect its privacy. HIPAA requires health care facilities (protected entities) to conduct a risk analysis and to address the risks.
HIPAA and HITECH Until recently, the Department of Health and Human Services preferred to work for voluntary compliance and settle complaints through corrective action plans.
HIPAA and HITECH However, in July 2008, for the first time, a covered entity was required to pay a fine. After receiving 31 complaints about one company, the OCR and CMS investigated and required it to pay $100,000. There has also been an increase in criminal prosecutions by the Department of Justice.
MIB Group, Inc. Comprised of 470 insurance companies Contains health information on 15 million people: According to Business Week, “two-thirds of all insurance companies are using consumers' medical histories and personal information to deny coverage, charge higher premiums, and exclude certain medical conditions from policies.”
MIB Group, Inc. Contains health information on 15 million people: However, the MIB Group, Inc. denies this, stating that “MIB Members... are strictly forbidden from using MIB information about you as the basis for determining your eligibility for insurance."
MIB Group, Inc. Contains health information on 15 million people: "MIB Members only use MIB's information as an 'alert' or 'red flag,' which prompts them to obtain additional information through traditional underwriting tools and methods.”
Data Warehouses Some private data warehouses exist for the sole purpose of collecting and selling personal information. They sell information to credit bureaus and to employers for background checks. Electronic databases are now being linked into larger and more comprehensive super databases.
Privacy and Security The USA Patriot Act weakens privacy protections and requires institutions to give government agents information without informing the person. The future of privacy of medical information under HIPAA and the USA Patriot Act (which works against privacy) is not yet known.
Other Privacy Issues: Telemedicine Telemedicine raises issues of the privacy of: Medical information on networks Information that routinely crosses state lines
Other Privacy Issues: is not legally private. in a health care setting can be read by many people, including clerks, secretaries, and health care providers. Offices that use need to inform the patient of who will read it, what issues may be mentioned in s, and the turnaround time.
Other Privacy Issues: Genetic Information As research focuses on genetics and an individual's genetic probability of developing certain diseases, privacy issues arise.
Other Privacy Issues: Genetic Information GINA, the Genetic Information Nondiscrimination Act, became law on May 21, Basic purpose is to protect people from discrimination by health insurers and employers based on genetic information.
Other Privacy Issues: Genetic Information The latest updates on GINA, effective in 2011, clarify who the law covers in regard to employment: applicants, trainees, apprentices, and current and former employees.
Other Privacy Issues: the EMR The electronic medical record (EMR), like other information in electronic form, is not secure. HIPAA and HITECH encourage its use. HIPAA and HITECH require security measures for all personally identifiable medical information.
Security Breaches Events that potentially put a person's name, Social Security number, driver's license number, medical record, or financial record (credit or debit card) potentially at risk, either in electronic or paper form.
Security Breaches As of March 17, 2011, OCR had posted on its Web site 249 breaches. The breaches affected 8,289,236 individuals. The dates of these breaches ranged from September 22, 2009, to January 12, 2011.
Security Breaches Most of the breaches were by covered entities, but some involved business associates. HITECH extended HIPAA's privacy protections to business associates of covered entities.
Conclusion If medical and health records are digitized and put online, HITECH requires encryption. A national database of health records could improve health care by making all your medical information (including allergies, medications, and most recent test results) available in any hospital, doctor's office, and emergency room.
Conclusion Currently, data is not secure. As a result: Marketers can tailor advertising to people with a particular disease. Lenders can disqualify people on the basis of an estimate of how long they would live. Employers can deny employment or promotion (although this is not legal).