digitised signature: An electronic image of an actual written signature. A digitised signature looks much the same as the original, but it does not provide the same protection as a digital signature, as they can be forged and copied. [AHIMA96a]. See electronic signature.
disaster plan: A plan that provides direction and guidelines to protect health information from damage, minimise disruption, ensure stability, and provide for orderly recovery in the event of a disaster, such as flood, fire, etc. [AHIMA96b] The Joint Commission on Accreditation of Healthcare Organisations requires that accredited facilities develop a management plan that addresses emergency preparedness. [Joint Commission, 1996]
disaster recovery: The process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. [CPRI96c]
disaster recovery plan: See contingency plan.
disclosure: The release of information to third parties within or outside the healthcare provider organisation from an individual's record with or without the consent of the individual to whom the record pertains. There are a multitude of internal and external users of health information for which various policies of disclosure may apply. For instance, when patients present to a healthcare facility or provider for treatment, it is reasonable to assume that they are authorising the caregiver to have information about their condition and treatment. However, such assumption should not extend to all employees of a healthcare provider organisation, but only those with a need to know. Disclosures for quality monitoring, educational purposes, research, administrative purpose, payment purposes, attorneys, law enforcement personnel and agencies, family members, and the patients themselves all must be conducted according to institutional policies. [CPRI95b; CPRI95c]
discretionary access control (DAC): An access control policy regime wherein the creator of a resource is permitted to manage its access control policy information. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control). [O'Reilly, 1992]
domain: The set of objects that a subject is allowed to access. [O’Reilly, 1992]
eavesdropping: Unauthorised interception of information. Usually refers to passive interception (receiving information), rather than active interception (changing information). [O’Reilly, 1992]
electronic signature: The attribute that is affixed to an electronic document to bind it to a particular entity. An electronic signature process secures the user authentication (proof of claimed identity, such as by biometrics {fingerprints, retinal scans, hand written signature verification, etc.}, tokens or passwords) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognised and proven) and supplies additional information such as timestamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer. There are several technologies available for user authentication, including passwords, cryptography, and biometrics. [ASTM95b]
encryption: The cryptographic transformation of data to produce ciphertext. [ISO89]
The process of encoding a message so that its meaning is not obvious. [OTA, 1993]
end-to-end encryption: A type of encryption in which a message is encrypted when it is transmitted and is decrypted and then encrypted again each time it passes through a network communications node. Sometimes called "online encryption". Contrast with link encryption.
erasure: Removal of signals recorded on magnetic media. Simply reinitialising a disk or tape doesn’t erase data; it simply makes the data harder to access. Someone who knows how to bypass ordinary volume checking mechanisms may still be able to access sensitive data on reinitialised disks or tapes. [O’Reilly, 1992]
exploitation: Announcement of publications.
fingerprint system: A biometric system that compares a fingerprint pattern with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]
firewall: A dedicated computer equipped with safeguards that acts as a single, more easily defined, Internet connection. [Cheswick94]
freedom of information act: Requires that records pertaining to the executive branch of the federal government be available to the public except for matters that fall within exempted areas, including "medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." [U.S.C. §552]
functional requirements: A statement of the system behaviour needed to enforce a given policy. Requirements are used to derive the technical specification of a system. [National Security Council, 1991]
gateway: Typically, a system that is attached to two systems, devices, or networks that otherwise do not communicate with each other. Communications from one system or network to another are routed through the gateway. A gateway system may be used as a guardian or "firewall" between trusted and untrusted systems or networks. The gateway filters out any information that's not allowed to pass from the trusted system to the untrusted system or network, or vice versa. [O'Reilly, 1992]
A device in the computer communications environment that directs information traffic. Gateways are often employed to connect a network under the control of one organisation (an internal network) to a network controlled by another organisation (an external network such as a public network). Thus gateways are natural points at which to enforce access control policies. [National Research Council, 1991]
granularity: The relative fineness or coarseness by which a mechanism may be adjusted. [OMG97]
An expression of the relative size of a unit. The smallest discrete information that can be directly retrieved. [ASTM95c]
In security, degree of protection. Protection at the file level is considered coarse granularity, whereas protection at the field level is finer granularity. Granularity at a single user is fine granularity because it means the access-control mechanism can be adjusted to include or exclude any single user. [Fites93]
hash function: A function that maps a variable-length data block or message into a fixed-length value called a hash code. The function is designed in such a way that, when protected, it provides an authenticator to the data or message. Also referred to as a message digest. [Stallings95]
A function which maps strings of bits to fixed-length strings of bits satisfying that it is computationally unfeasible to find for a given output an input which maps to this output and computationally unfeasible to find for a given input a second input which maps to the same output. [ASTM95b]
one-way hash function: A (mathematical) function that is comparatively easy to compute but, when knowing a result, it is computationally unfeasible to find any of the values that may have been supplied to obtain it. [ASTM95b]
healthcare data: Data which are input, stored, processed or output by the automated information system which support the business functions of the healthcare establishment. These data may relate to person identifiable records or may be part of an administrative system where persons are not identified.
administrative data/information: Data/information collected during the course of a healthcare event unrelated to the status of the individual's health or healthcare. Includes demographics, provider identification, caregiver identification, date and time of care, and other such data providing the who, what, when, and where of data capture. [CPRI95a]
clinical data/information: Data/information related to the health and healthcare of an individual collected from or about an individual receiving healthcare services. Includes a caregiver's objective measurement or subjective evaluation of a patient's physical or mental state of health; descriptions of an individual's health history and family health history; diagnostic studies; decision rationale; descriptions of procedures performed; findings; therapeutic interventions; medications prescribed; description of responses to treatment; prognostic statements; and descriptions of socio-economic and environmental factors related to the patient's health. [CPRI96b; ASTM95c]
identification: The process of telling a system the identity of a subject (e.g., a user or another system). Usually, this is done by entering a name or presenting a token to the system. See also authentication. [O’Reilly, 1992]
impact: The embarrassment, harm, financial loss, legal or other damage which could occur in consequence to a particular security breach.
impersonation: Posing as an authorised user, usually in an attempt to gain access to a system. Synonymous with masquerade. [O'Reilly, 1992]
information: Data to which meaning is assigned, according to context and assumed conventions. [National Security Council, 1991]
integrity: The property that data has not been altered or destroyed in an unauthorised manner. [ISO89]
A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally. Integrity protects against forgery or tampering. [O’Reilly]
The property that an object (health data or information) is altered only in a specified and authorised manner. Data integrity (the accuracy and completeness of the data [Ball92]), program integrity, system integrity, and network integrity are all relevant to consideration of computer and system security. [National Research Council, 1991]
IETF: Internet Engineering Task Force. Reviews and issues internet standards. [OMG97]
interoperability: The ability of software and hardware on multiple machines from multiple vendors to communicate.
The ability of a system to use the parts or equipment of another system.
intruder: An individual who gains, or attempts to gain, unauthorised access to a computer system or to gain unauthorised privileges on that system. [Stallings95]
kerberos: The name given to Project Athena’s code authentication service. [Stallings95]
key: In cryptography, a secret value that’s used to encrypt and decrypt messages. A sequence of symbols (often a large number) that’s usually known only to the sender and the receiver of the message. See also private key encryption and public key encryption. [O’Reilly, 1992]
An input that controls the transformation of data by an encryption algorithm [National Research Council, 1991]
link encryption: A type of encryption in which a message is encrypted when it is transmitted and is decrypted when it is received. Contrast with end-to-end encryption.[O’Reilly, 1992]
logic bomb: Logic embedded in a computer program that checks for a certain set of conditions to be present on the system. When these conditions are met, the logic bomb executes some function that results in unauthorised actions. [Stallings95]
login: The process of identifying oneself to, and having one’s identity authenticated by, a computer system. [O’Reilly, 1992]
longitudinal/lifetime patient record: The concept of access to health information across an individual's lifetime. [Dick91] A permanent, coordinated record of significant information, in chronological sequence. It may include all historical data collected or be retrieved as a user designated synopsis of significant demographic, genetic, clinical, and environmental facts and events maintained within an automated system. [ASTM96]
MAC: Mandatory Access Control - an access control regime wherein resource access control policy information is always managed by a designated authority, regardless of who creates the resources. [OMG97]
A means of restricting access to objects that is based on fixed security attributes assigned to users and to files and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs. [Stallings95] Contrast with discretionary access control.
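The two regimes defined under discretionary access control (DAC) and MAC are easiest to see side by side in code. The following is an added example, not part of the glossary or any cited source: a small reference monitor in which resource owners manage an ACL and may pass their rights on (DAC), while every decision is additionally checked against fixed sensitivity labels that users cannot change (MAC). The level names, subject names and the "chart-42" resource are constructed for the example; the dominance rule (clearance level at least the object's level, and clearance categories a superset of the object's) is the usual label comparison and is an assumption of this example, not a rule the glossary states.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels. Constructed for this example; a real system takes
# them from its own sensitivity-label scheme.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification level plus a set of categories."""
    level: str
    categories: frozenset


def dominates(subject: Label, obj: Label) -> bool:
    """MAC rule (assumed here): the subject's clearance level must be at least the
    object's level and must include every category carried by the object."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)


@dataclass
class Resource:
    owner: str
    label: Label                                # fixed by the security authority (MAC)
    acl: dict = field(default_factory=dict)     # subject name -> set of rights (DAC)


class ReferenceMonitor:
    """Every access must be allowed by the discretionary ACL AND by the labels."""

    def __init__(self, clearances: dict):
        self.clearances = clearances            # subject name -> Label, not user-editable
        self.resources = {}

    def create(self, owner: str, name: str, label: Label) -> None:
        # DAC: the creator owns the resource and starts with full rights on it.
        self.resources[name] = Resource(owner, label, {owner: {"read", "write"}})

    def grant(self, grantor: str, name: str, grantee: str, right: str) -> None:
        # DAC: a subject may pass on any right it holds, to any other subject.
        res = self.resources[name]
        if right not in res.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} does not hold {right!r} on {name}")
        res.acl.setdefault(grantee, set()).add(right)

    def access(self, subject: str, name: str, right: str) -> bool:
        # MAC restrains DAC: a delegated right is useless if the labels forbid it.
        res = self.resources[name]
        dac_ok = right in res.acl.get(subject, set())
        mac_ok = dominates(self.clearances[subject], res.label)
        return dac_ok and mac_ok


def demo() -> dict:
    """Constructed scenario: four subjects with different clearances, one chart."""
    card = frozenset({"cardiology"})
    rm = ReferenceMonitor({
        "alice": Label("secret", card),
        "bob": Label("confidential", card),
        "carol": Label("unclassified", card),
        "dave": Label("secret", frozenset({"oncology"})),
    })
    rm.create("alice", "chart-42", Label("confidential", card))
    rm.grant("alice", "chart-42", "bob", "read")    # owner delegates read
    rm.grant("alice", "chart-42", "carol", "read")  # DAC permits this grant...
    rm.grant("bob", "chart-42", "dave", "read")     # ...and bob passes his right on
    results = {
        "bob_read": rm.access("bob", "chart-42", "read"),       # True: ACL and labels agree
        "carol_read": rm.access("carol", "chart-42", "read"),   # False: clearance too low
        "dave_read": rm.access("dave", "chart-42", "read"),     # False: lacks the category
        "bob_write": rm.access("bob", "chart-42", "write"),     # False: never granted
    }
    try:
        rm.grant("bob", "chart-42", "dave", "write")            # bob cannot pass on what he lacks
        results["bob_grants_write"] = True
    except PermissionError:
        results["bob_grants_write"] = False
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point the grants make is the one the DAC entry qualifies with "unless restrained by mandatory access control": alice and bob can hand out the read right freely, but carol (too low a level) and dave (wrong category) still cannot read the chart, and nothing a user does to the ACL changes that.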
masquerade: Posing as an authorised user, usually in an attempt to gain access to a system. Synonymous with impersonation. [O’Reilly, 1992]
master patient index (MPI): The means for locating a patient record in a numeric identification system. [Abdelhak96] It has generally referred to an index within a given healthcare facility, in which case it serves as a patient directory. [CPRI96a]
mechanism: A specific implementation of security services, using particular algorithms, data structures, and protocols. [OMG97]
message authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent. [O'Reilly, 1992]
message authentication code: A code calculated during encryption and appended to a message. If the message authentication code calculated during decryption matches the appended code, the message was not altered during transmission. [O'Reilly, 1992] Sometimes the acronym "MAC" is used for message authentication code.
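The hash function and message digest entries above and the message authentication entries here fit together in one short program. This is an added example written for this glossary, not code from any cited source: the digest shows the fixed-length, input-sensitive output the hash function entry describes, and the sender/receiver pair shows a message authentication code appended to a message and recomputed on receipt. The MAC here is HMAC-SHA256 (a keyed hash) rather than a code derived from an encryption pass as the O'Reilly wording suggests; that choice, the 32-byte shared key and the sample order message are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes, whatever the message length


def digest(message: bytes) -> str:
    """Hash function / message digest: input of any length -> fixed-length SHA-256 output."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> bytes:
    """Message authentication code over the message under a shared secret key
    (HMAC-SHA256, assumed here as the MAC construction)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the MAC and append it to the message."""
    return message + mac(key, message)


def receive(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: recompute the MAC over the received message and compare it
    with the appended tag in constant time. Returns the message if they match,
    None if the message or tag was altered, truncated, or made under another key."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(key, message), tag):
        return None
    return message


def demo() -> dict:
    key = secrets.token_bytes(32)                       # shared by sender and receiver
    message = b"ORDER 7781: 2 units O-neg for bed 14"   # constructed sample message
    packet = send(key, message)

    tampered = bytearray(packet)
    tampered[6] ^= 0x01                                 # flip one bit inside the message
    return {
        "short_digest": digest(b"a"),                   # 64 hex chars = 256 bits
        "long_digest_len": len(digest(b"x" * 100_000)), # same length for a long input
        "avalanche": digest(b"abc") != digest(b"abd"),  # one changed byte, new digest
        "accepted": receive(key, packet) == message,
        "tampered_rejected": receive(key, bytes(tampered)) is None,
        "wrong_key_rejected": receive(secrets.token_bytes(32), packet) is None,
        "truncated_rejected": receive(key, packet[:10]) is None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two details matter for a practitioner: the comparison uses hmac.compare_digest rather than == so that a mismatch takes the same time regardless of where the first differing byte lies, and an unkeyed digest alone would not give message authentication, since anyone who can alter the message can recompute a plain hash over it; the shared key is what ties the tag to the sender.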
message digest: Hash function. [Stallings95]
model: See security model.
need to know: A security principle stating that a user should have access only to the data he or she needs to perform a particular function. [O’Reilly, 1992]
non-repudiation: The provision of evidence which will prevent a participant in an action from convincingly denying his responsibility for the action. [OMG97]
Proof (to a third party) that only the signer could have created a signature. A basis of legal recognition of electronic signatures. [ASTM95b]
object: From the Orange Book definition: "A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, files, processors, video displays, keyboards, clocks, printers, network nodes, etc." [O'Reilly, 1992]
one-time cipher: A type of encryption in which a cipher is used only once. Two copies of a pad are created; one copy goes to the sender, and the other to the recipient. The pad contains a random number for each character in the original message. The pad is destroyed after use. Sometimes called a "one-time pad". [O'Reilly, 1992]
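The one-time cipher entry describes a procedure (two pad copies, one random value per message character, destruction after use) that is short enough to show in full. The following is an added example, not from the glossary or O'Reilly: a pad object that XORs each message byte with its own random pad byte, refuses a message longer than the pad, and destroys the pad on first use so that a second use is impossible. The sample message is constructed.

```python
import secrets


class OneTimePad:
    """One copy of a pad: random bytes, one per message byte, usable exactly once."""

    def __init__(self, pad: bytes):
        self._pad = pad

    @classmethod
    def generate(cls, length: int) -> "OneTimePad":
        # Pad bytes come from the OS CSPRNG; a seeded pseudo-random generator
        # would make the pad predictable and void the cipher's guarantee.
        return cls(secrets.token_bytes(length))

    def copy(self) -> "OneTimePad":
        """The second copy, handed to the other party before either copy is used."""
        if self._pad is None:
            raise RuntimeError("pad already destroyed; nothing to copy")
        return OneTimePad(self._pad)

    def apply(self, data: bytes) -> bytes:
        """XOR the data with the pad, then destroy the pad. The same operation
        turns plaintext into ciphertext and ciphertext back into plaintext."""
        if self._pad is None:
            raise RuntimeError("pad already used: a one-time pad must never be reused")
        if len(data) > len(self._pad):
            raise ValueError("pad shorter than message: need one pad byte per message byte")
        out = bytes(d ^ p for d, p in zip(data, self._pad))
        self._pad = None          # destroy after use, as the definition requires
        return out


def demo() -> dict:
    message = b"Transfer patient 1234 to ward C"      # constructed sample message
    sender_pad = OneTimePad.generate(len(message))
    recipient_pad = sender_pad.copy()                 # exchanged out of band beforehand

    ciphertext = sender_pad.apply(message)            # sender's copy is now destroyed
    recovered = recipient_pad.apply(ciphertext)       # recipient's copy is now destroyed

    results = {"recovered": recovered == message,
               "ciphertext_differs": ciphertext != message}
    try:
        sender_pad.apply(b"second message")            # reuse is refused
        results["reuse_refused"] = False
    except RuntimeError:
        results["reuse_refused"] = True
    try:
        OneTimePad.generate(4).apply(b"too long for pad")
        results["short_pad_refused"] = False
    except ValueError:
        results["short_pad_refused"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two refusals are the whole security argument of the scheme: the pad must be at least as long as the message, and it must be used once. Everything else (key distribution of the second copy, keeping it secret until use) is a logistics problem the definition leaves to the parties.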
open security environment: An environment in which at least one of the following conditions is true:
Application developers do not have sufficient clearance or authorisation to provide an acceptable presumption that they have not introduced malicious logic.
Configuration control does not provide sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of system applications. [O’Reilly, 1992]
open systems architecture: Use of standardised technology and structures for hardware, operating system, data bases, fault tolerances, and networking and communications transport. [ASTM95c]
operational assurance: Confidence that a trusted system's architecture and implementation enforce the system's security policy. In the Orange Book, the set of operational assurances includes system architecture, system integrity, covert channel analysis, and trusted recovery. [O'Reilly, 1992]
Orange Book: Common name for the Department of Defense document that is the basic definition of the Trusted Computer System Evaluation Criteria (US DOD, 1985d). The Orange Book provides criteria for the evaluation of different classes of trusted systems and is supplemented by many documents relating to its extension and interpretation. [National Research Council, 1991]
ownership: It is a generally accepted principle that the primary patient record is maintained and owned by the healthcare provider. This principle is established by statutes and licensing regulations in many states, which grant the provider control over the physical document, but give the patient ownership-type rights to the information contained in the record. Therefore, the patient generally has control over the release of patient-identifiable (confidential) information, except in circumstances identified by case law, by federal or state statutes and regulations, and by provider policy. [CPRI94]
passive threat: A type of threat that involves the interception, but not the alteration, of information. For example, a passive tap is a type of wiretapping that involves eavesdropping, monitoring, and/or recording of information, but not the generation of false messages or control signals. The danger of a passive threat is primarily the secrecy of the information being transmitted. Contrast with active threat. [O’Reilly, 1992]
The threat of unauthorised disclosure of information without changing the state of the system. [OMG97]
password: Confidential authentication information composed of a string of characters. [ISO89]
A sequence that an individual presents to a system for purposes of authentication. [National Research Council, 1991]
penetration: A successful, unauthorised access to a computer system. [O'Reilly, 1992]
personally identifiable health information: Health information which contains an individual's identifiers (e.g., name, social security number, birth date) or contains a sufficient number of variables to allow identification of an individual. [OTA, 1993; Institute of Medicine, 1994]
personal identification number (PIN): A number or code of some kind that's unique to an individual and can be used to provide identity. Often used with automatic teller machines and access devices. [O'Reilly, 1992]
Typically used in connection with automated teller machines to authenticate a user. [National Research Council, 1991]
physical security: Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Also covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities. [O’Reilly, 1992]
The measures used to provide physical protection of resources against deliberate and accidental threats. [OMG97]
plaintext: The input to an encryption function or the output of a decryption function. See cleartext. [O’Reilly, 1992]
primary patient record (primary record of care): The primary legal record documenting the healthcare services provided to a person in any aspect of healthcare delivery. This term is synonymous with medical record, health record, primary patient record, client record, and residence record; when stored in a computer system and used by caregivers while providing patient care services to review patient data, receive decision support, and document their own observations, actions, or instructions, it is synonymous with all terms associated with computer-based patient record. [ASTM96; CPRI96d]
principal: A user or programmatic entity with the ability to use the resources of a system. [OMG97]
privacy: An individual’s desire to limit the disclosure of personal information. [NRC97]
The right of individuals to keep information about themselves from being disclosed to anyone. [CPRI95c] As set forth by Samuel Warren and Louis Brandeis in an 1890 article that first enunciated the concept of privacy as a legal interest deserving an independent remedy, privacy was described as "the right to be let alone." Further, Alan Westin conceived of privacy as "an instrument for achieving individual goals of self realisation." [OTA, 1993] Ball and Collen describe privacy as the right of an individual to be left alone, to withdraw from the influence of the environment; to be secluded, not annoyed, and not intruded upon by extension of the right to be protected against physical or psychological invasion or against the misuse or abuse of something legally owned by an individual or normally considered by society to be property. [Ball92]
A security principle that protects individuals from the collection, storage, and dissemination of information about themselves and the possible compromises resulting from unauthorised release of that information. [O’Reilly, 1992]
Privacy Act of 1974: Grants people certain rights to information collected about them by the federal government and its agencies. Rights include finding out what information has been collected, seeing and obtaining a copy of the information, correcting or amending the information, and exercising limited control over the disclosure of that information to other parties. [U.S.C. §552a(b), 1977]
private key: One of the two keys used in an asymmetric encryption system. For secure communication, the private key should be known only to its creator. [Stallings95]
A key in an asymmetric algorithm; the possession of this key is restricted, usually to one entity. [ASTM95b]
private-key encryption: A type of encryption that uses a single key to both encrypt and decrypt information. Also called symmetric, or single-key, encryption in contrast to public key encryption. [O'Reilly, 1992]
privilege: A right granted to a user, a program, or a process. For example, certain users may have the privileges that allow them to access certain files in a system. Only the system administrator may have the privileges necessary to export data from a trusted system. [O’Reilly, 1992]
A security attribute which need not have the property of uniqueness, and which thus may be shared by many users and other principals. Examples of privileges include groups, roles, and clearances. [OMG97]
The individual's right to hold private and confidential the information given to a healthcare provider in the context of a professional relationship. The individual may by overt act of consent or by other means waive the right to privilege. For example, if a patient brings a lawsuit against a facility and the records are needed to present the facility's case, the privilege is waived. [Fites93]
proof of delivery: Non-repudiation evidence demonstrating that a message or data has been delivered. [OMG97]
proof of origin: Non-repudiation evidence identifying the originator of a message or data. [OMG97]
proof of receipt: Non-repudiation evidence demonstrating that a message or data has been received by a particular party. [OMG97]
proof of submission: Non-repudiation evidence demonstrating that a message or data has been submitted to a particular principal or service. [OMG97]
protection boundary: The domain boundary within which security services provide a known level of protection against threats. [OMG97]
protection profile: A reusable and complete combination of security objectives, functional and assurance requirements with associated rationale. [ComCrit98]
protocol: A set of rules and formats for the exchange of information, particularly over a communications network. [O’Reilly, 1992] Examples include X12 and HL7.
Protocol Data Unit (PDU): The data fields of a protocol message, as distinguished from the protocol header and trailer fields. [OMG97]
public key: One of the two keys used in an asymmetric encryption system. The public key is made public, to be used in conjunction with a corresponding private key. [Stallings95]
In a public-key (asymmetric) cryptosystem, the component of a key pair which is revealed. [OMG97]
A key in an asymmetric algorithm, that is publicly available. [ASTM95b]
public-key crypto-system: An encryption system which uses an asymmetric-key (q.v.) cryptographic algorithm. [OMG97]
public-key encryption: A type of encryption that uses two mathematically related keys. The public key is known within a group of users. The private key is known only to its owner. Asymmetric encryption. Contrast with private key encryption. [O'Reilly, 1992]
read: An operation involving the flow of information from an object to a subject. It does not involve the alteration of that information. [O’Reilly, 1992]
recovery: The restoration of an information system back to an error-free and secure state from which normal operation can resume. [O’Reilly, 1992]
redisclosure: The disclosure by a third party recipient of disclosed health information without the authorisation of the patient. [Abdelhak96]
release of information: The disclosure of documents containing patient-identifiable information to a third party requester. [Huffman, 1985]
reliability: A measure of consistency of data items based on their reproducibility and an estimation of their error of measurement. [Institute of Medicine, 1994]
replay: The recording of a legitimate message and the later, unauthorised resending of the message. [O’Reilly, 1992]
repudiation: The denial by a message sender that the message was sent, or by a message recipient that the message was received. [O’Reilly, 1992]
Denial by one of the entities involved in a communication of having participated in all or part of the communication. [ASTM95b]
residue: Data left in storage or on a medium before the data has been rewritten or eliminated in some other way. [O’Reilly, 1992]
retina system: A biometric system that compares a retina blood vessel pattern with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]
retention: The maintenance and preservation of information in some form (e.g., paper, microfilm, or electronic storage) for a given period of time. [Abdelhak96] There are no federal laws outlining time frames for the retention of health information. Many states, however, have specific requirements, and these, as well as the statutes of limitation, Medicare Conditions of Participation, and use for patient care, legal, research, or educational purposes, should be used as a basis for developing a retention policy. [AHIMA94b]
right: A named value conferring the ability to perform actions in a system. Access control policies grant rights to principals (on the basis of their security attributes); in order to make an access control decision, access decision functions compare the rights granted to a principal against the rights required to perform an operation.[OMG97]
risk: The aggregate effect of the likelihood of occurrence of a particular threat with the degree of vulnerability to that threat and the potential consequences of the impact to the organisation if the threat did occur. [Stallings95]
risk assessment: An analysis of a system’s information needs and vulnerabilities to determine how likely they are to be exploited in different ways and the costs of losing and/or recovering the system or its information. [O’Reilly, 1992]
role: A privilege attribute representing the position or function a user represents in seeking security authentication. A given human being may play multiple roles and therefore require multiple role privilege attributes. [OMG97]
RSA Algorithm: An asymmetric encryption algorithm invented by Ron Rivest, Adi Shamir, and Len Adleman. A public-key algorithm based on exponentiation in modular arithmetic. It is the only algorithm generally accepted as practical and secure for public-key encryption. [Stallings95]
A public key crypto-system, invented and patented by Ronald Rivest, Adi Shamir, and Leonard Adleman, based on large prime numbers. [National Security Council] RSA is the most well-known asymmetric algorithm. [ASTM95b]
safety: The property that a system will satisfy certain criteria related to the preservation of personal and collective freedom from risk. [National Research Council, 1991]
sanitizing: The overwriting of sensitive information. On magnetic media, degaussing. Sometimes called "scrubbing". [O'Reilly, 1992]
seal: To encrypt data for the purpose of providing confidentiality protection. [OMG97]
secondary record: A record that is derived from the primary record and contains selected data elements. [ASTM96]
secrecy: The intentional concealment or withholding of information. [OTA, 1993]
A security principle that keeps information from being disclosed to anyone not authorised to access it. Synonymous with confidentiality. [O’Reilly, 1992]
secret key: A key in a symmetric algorithm; the possession of this key is restricted, usually to two entities. [ASTM95b]
secret-key crypto-system: A cryptosystem which uses a symmetric-key (q.v.) cryptographic algorithm. [OMG97]
secure time: A reliable time service that has not been compromised, and whose messages can be authenticated by their recipients. [OMG97]
security: The combination of availability, confidentiality, integrity and accountability. Freedom from risk or danger. Safety and the assurance of safety. [O’Reilly, 1992]
Means to control access and protect information from accidental or intentional disclosure to unauthorised persons and from alteration, destruction, or loss. [CPRI95b]
Protection of information systems against unauthorised access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorised users or the provision of service to unauthorised users, including those measures necessary to detect, document, and counter such threats. [National Security Council]
data/information security: The result of effective protection measures that safeguard data/information from undesired occurrences and exposure to accidental or intentional disclosure to unauthorised persons, accidental or malicious alteration, unauthorised copying, loss by theft and/or destruction by hardware failures, software deficiencies, operating mistakes, or physical damage by fire, water, smoke, excessive temperature, electrical failure, or sabotage. [Institute of Medicine, 1994]
The protection of the integrity, availability, and confidentiality of computer-based information and resources used to enter, store, process, and communicate it. [NIST, 1994]
security audit: An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policies and operational procedures, to detect security breaches and to recommend any indicated changes in control policy and procedures. [ISO89]
The facility of a secure system which records information about security-relevant events in a tamper-resistant log. Often used to facilitate an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend changes in control, policy and procedures. [OMG97]
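The OMG definition of a security audit facility rests on a tamper-resistant log of security-relevant events. One common way to make an event log tamper-evident is to chain the entries by hash, and the following added example (written for this glossary, not taken from OMG97 or any other cited source) does that: each entry carries the hash of its predecessor, so editing or deleting an earlier entry breaks the chain at a detectable position. The event fields, actors, timestamps and the "chart-42" object are constructed sample data; a real audit record would carry whatever fields the organisation's audit policy requires.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64    # chain anchor used as the "previous hash" of the first entry


def _entry_hash(entry: dict) -> str:
    """Hash of every field except the stored hash itself, over a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log of security-relevant events. Each entry is bound to its
    predecessor by a hash chain so that modification or deletion is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, ts: str, actor: str, action: str, obj: str, outcome: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "object": obj, "outcome": outcome, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify(entries: list) -> tuple:
    """Return (True, -1) if the chain is intact, otherwise (False, index of the
    first entry whose sequence number, back-link or hash does not fit)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, -1


def demo() -> dict:
    log = AuditLog()   # constructed events with fixed timestamps
    log.record("2024-01-01T08:00:00Z", "alice", "login", "workstation-3", "success")
    log.record("2024-01-01T08:02:10Z", "alice", "read", "chart-42", "success")
    log.record("2024-01-01T08:05:33Z", "bob", "read", "chart-42", "denied")

    edited = copy.deepcopy(log.entries)
    edited[2]["outcome"] = "success"          # an attempt to rewrite a denial
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                            # an attempt to remove a middle entry
    truncated = log.entries[:2]               # the newest entry silently dropped

    return {"intact": verify(log.entries),
            "edited": verify(edited),
            "deleted": verify(deleted),
            "truncated": verify(truncated)}


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note the last case: a chain of this kind detects edits and deletions in the middle, but a log that has simply lost its newest entries still verifies, because nothing in the remaining entries refers to the missing ones. In practice the latest chain hash is periodically written somewhere the log writer cannot alter (a separate system, a signed timestamp, or write-once media) so that truncation is also caught.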
security breach: The unauthorised disclosure, destruction, modification or withholding of information. [Stallings95]
security domain: A set of information system assets for which an organisation (or user) has responsibility for the implementation and maintenance of security. [Stallings95]
security education program: The systematic, defined method to provide information and to teach skills related to all activities of the organisation related to information security. A complete information security education program addresses policies, standards, training, controls, risk assessment, auditing and monitoring, and assigned responsibility for management of the program. [CPRI95c]
security level: A representation of the sensitivity of information, derived from a sensitivity label (consisting of a classification and categories). [O’Reilly, 1992]
security manager: The person assigned responsibility for management of the organisation's security program. [CPRI96c]
security model: A precise statement of the security rules of a system. [O’Reilly, 1992]
security objective: A statement of intent to counter a given threat or enforce a given organisational security policy. [ComCrit98]
security perimeter: An imaginary boundary between the trusted computing base (inside the perimeter) and other system functions (outside the perimeter). In a networking environment, sometimes used to refer to the boundary between trusted and untrusted systems and networks. [O’Reilly, 1992]
security policy: A statement of the set of rules, measures and procedures that determine the physical, procedural and personnel security controls imposed on the management, distribution and protection of assets. [Stallings95]
The framework within which an organisation establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organisation commitment for a system. It is a set of laws, rules, and practices that regulate how an organisation manages, protects, and distributes sensitive information. [OTA, 1993] The American Health Information Management Association recommends that security policies apply to all employees, medical staff members, volunteers, students, faculty, independent contractors, and agents. [AHIMA96c]
From the Orange Book definition: "The set of laws, rules, and practices that regulate how an organisation manages, protects, and distributes sensitive information." [O’Reilly, 1992]
The data which defines what protection a system’s security services must provide. There are many kinds of security policy, including access control policy, audit policy, message protection policy, non-repudiation policy, etc. [OMG97]
security service: Code that implements a defined set of security functionality. Security services include access control, audit, non-repudiation, and others. [OMG97]
security target: The statement of security requirements and functional specifications to be used as baseline for an evaluation. [ITSEC91]
sensitive information: Information that, if lost or compromised, would negatively affect the owner of the information, would jeopardise the ability of the system to continue processing, and/or would require substantial resources to recreate. According to the U.S. government (NTISSP 2), "information the disclosure, alteration, loss, or destruction of which could adversely affect national security or other federal government interests". [O’Reilly, 1992]
sensitivity: The degree of importance assigned to information, denoting its need for protection against confidentiality-related security breaches.
sensitivity label: A security level associated with the content of the information. [National Security Council] Society has historically treated as sensitive any information with a heightened potential for causing harm to the patient or data subject, or to others, such as the subject's spouse, children, friends, or sexual partners. The degree to which the information could cause public humiliation, stigmatisation, lost employment, insurance problems, or loss of family and friends all contributes to its being identified as "sensitive." Records that contain information about socially or politically prominent persons have also been accorded special protections. Society is beginning to attribute special sensitivity to any and all health information. [Kunitz and Associates, Inc., 1995]
A label representing the security level of an object and describing the sensitivity of the data in the object. The label consists of two parts: a hierarchical classification and a set of non-hierarchical categories or compartments. In systems supporting mandatory access controls, sensitivity labels determine whether a particular subject will be allowed to access a particular object. [O’Reilly, 1992]
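An added example, not from the original glossary, of how such labels drive a mandatory access control decision. It encodes the two-part label described above and the Bell-LaPadula rules usually paired with it: a subject may read an object only if the subject's clearance dominates the object's label, and may write to it only if the object's label dominates the subject's. The classification ordering, the category names and the sample labels are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical classification levels; the ordering is assumed for the example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical classification plus a set of
    non-hierarchical categories (compartments). The same type serves as a
    subject's clearance."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in LEVELS:
            raise ValueError(f"unknown classification {self.classification!r}")

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND categories a superset.
        Labels with differing category sets may be incomparable, in which
        case neither dominates the other."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up")."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): a subject cannot copy what it has seen
    into a container with a lower or incomparable label."""
    return obj.dominates(subject)


def access_decision(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor style decision for a single request."""
    if mode == "read":
        return may_read(subject, obj)
    if mode == "write":
        return may_write(subject, obj)
    if mode == "readwrite":
        # Both properties together force the labels to be equal.
        return may_read(subject, obj) and may_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


# Constructed sample labels for objects (records) and subjects (clearances).
PSYCH = Label("SECRET", frozenset({"PSYCHIATRY"}))
HIV = Label("SECRET", frozenset({"HIV"}))
GENERAL = Label("CONFIDENTIAL")
COUNSELLOR = Label("SECRET", frozenset({"PSYCHIATRY"}))
SENIOR = Label("TOP_SECRET", frozenset({"PSYCHIATRY", "HIV"}))


if __name__ == "__main__":
    for subj_name, subj in (("COUNSELLOR", COUNSELLOR), ("SENIOR", SENIOR)):
        for obj_name, obj in (("PSYCH", PSYCH), ("HIV", HIV), ("GENERAL", GENERAL)):
            for mode in ("read", "write", "readwrite"):
                print(f"{subj_name:10} {mode:9} {obj_name:8} -> "
                      f"{access_decision(subj, obj, mode)}")
```

Two labels with disjoint category sets are incomparable, so a SECRET {HIV} clearance gets no access to SECRET {PSYCHIATRY} data even though the levels are equal; that is what makes compartments useful for need-to-know. Write-up is permitted by these rules, which protects confidentiality but not integrity, so real systems pair them with an integrity policy or discretionary controls.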
signature system: A biometric system that compares a signature with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]
smart card: An access card containing encoded information and sometimes a microprocessor and a user interface. The information on the code, or the information generated by the processor, is used to gain access to a facility or a computer system. [O’Reilly, 1992]
spoof: A trick that causes an authorised user to perform an action that violates system security or that gives away information to an intruder. [O’Reilly, 1992]
standards: A specification of the characteristics of some product or activity that has been agreed by a standards body operating on a national, a regional or a world basis. In the information systems area the key issue is that of ensuring that information systems can work together effectively and in the information security area the key issue is that the security provided by the component or system should be up to the standard specified. The European regional standards body concerned with Medical Informatics is CEN and conformance with European standards is a requirement for public bodies within the European Union when purchasing systems over a certain value.
subject: From the Orange Book definition: "An active entity, generally in the form of a person, process, or device that causes information to flow among objects or change the system state." [O’Reilly, 1992]
symmetric encryption: A form of cryptosystem in which encryption and decryption are performed using the same key. Also known as conventional encryption. [Stallings95]
symmetric key: The key used in a symmetric ("secret-key") encryption system. In such systems, the same key is used for encryption and decryption. [OMG97]
system security: The result of all safeguards including hardware, software, personnel policies, information practice policies, disaster preparedness, and oversight of these components. [Institute of Medicine, 1994]
system security administrator: The person who controls access to computer systems by entering commands to perform such functions as assigning user access codes and privileges, revoking user access privileges, and setting file protection parameters. [CPRI96c]
strong authentication: Authentication by means of cryptographically derived credentials. [ISO93a]
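An added example (not from the original glossary) of strong authentication in this sense: a challenge-response exchange in which the credential presented is an HMAC derived from a shared secret key and a fresh nonce, so the key itself never crosses the wire and a captured response cannot be replayed. The user name, the key bytes and the message format are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

# Constructed credential store: per-user secret keys, assumed to have been
# provisioned out-of-band (e.g. onto a token or smart card). Sample data only.
USER_KEYS: Dict[str, bytes] = {
    "dr.jones": bytes.fromhex("4f2b9c1e77d0aa3b5e68c2f1d9e4b7a0" * 2),
}


def derive_response(key: bytes, user: str, nonce: bytes) -> bytes:
    """The cryptographically derived credential: an HMAC over the challenge,
    bound to the claimed identity and a protocol tag. Only someone holding
    the key can compute it, and the key is never transmitted."""
    return hmac.new(key, b"auth-v1|" + user.encode() + b"|" + nonce,
                    hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use challenges and checks responses."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # Each nonce is accepted once, so a replayed (nonce, response) pair
        # fails even though the response was once correct.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        key = self._keys.get(user)
        if key is None:
            return False
        expected = derive_response(key, user, nonce)
        return hmac.compare_digest(expected, response)


def claimant_login(verifier: Verifier, user: str, key: bytes) -> bool:
    """Client side: obtain a challenge, answer it, return the server's decision."""
    nonce = verifier.challenge()
    return verifier.verify(user, nonce, derive_response(key, user, nonce))


def replay_attack(verifier: Verifier) -> Tuple[bool, bool]:
    """An eavesdropper records one valid exchange and resends it.
    Returns (legitimate_result, replay_result)."""
    user = "dr.jones"
    nonce = verifier.challenge()
    response = derive_response(USER_KEYS[user], user, nonce)
    first = verifier.verify(user, nonce, response)
    replay = verifier.verify(user, nonce, response)
    return first, replay


def wrong_key_attack(verifier: Verifier) -> bool:
    """A claimant who knows the user name but not the key."""
    return claimant_login(verifier, "dr.jones", b"guess" * 8)


if __name__ == "__main__":
    v = Verifier(USER_KEYS)
    print("genuine login:", claimant_login(v, "dr.jones", USER_KEYS["dr.jones"]))
    print("replay (first, replay):", replay_attack(v))
    print("wrong key:", wrong_key_attack(v))
    print("unknown user:", claimant_login(v, "nobody", b"x" * 32))
```

Two practical caveats: the verifier must hold each key in a form usable for HMAC, so its credential store is as sensitive as the keys themselves; and a memorised password is not a cryptographic key, so password-based schemes run a key-derivation function over the password (or use a PAKE) and still protect the exchange with TLS.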
technical specification: A technical description of the desired behaviour of a system, as derived from its requirements. A specification is used to develop and test an implementation of a system. [National Research Council, 1991]
threat: An action or event that might prejudice security. [ITSEC91]
A possible danger to the information system. See also active threat and passive threat. [O’Reilly, 1992]
The potential for exploitation of a vulnerability. [National Research Council, 1991]
token: When used in the context of authentication, a physical device necessary for user identification. [National Research Council, 1991]
A physical item that’s used to provide identity. Typically an electronic device that can be inserted in a door or a computer system to gain access. [O’Reilly, 1992]
top level security objective: A generalised statement of intended security goals relating to the availability, confidentiality and integrity of healthcare information.
traced delegation: Delegation wherein information about the initiator and all intervening intermediates is available to each recipient in the call chain, or to the authorisation subsystem controlling access to each recipient. [OMG97]
traffic: The message flow across a network. Analysis of message characteristics (e.g., length, frequency, destination) can sometimes provide information to an eavesdropper. [O’Reilly, 1992]
transmission: The exchange of data between person and program, or program and program, when the sender and receiver are remote from each other. [Longley, 1987]
trap door: Secret undocumented entry point into a program, used to grant access without normal methods of access authentication. [Stallings95]
A hidden mechanism that allows normal system protection to be circumvented. Trap doors are often planted by system developers to allow them to test programs without having to follow security procedures or other user interfaces. They are typically activated in some unobvious way (e.g., by typing a particular sequence of keys). [O’Reilly, 1992]
Trojan horse: A type of programmed threat. An independent program that appears to perform a useful function but that hides another unauthorised program inside it. When an authorised user performs the apparent function, the Trojan horse performs the unauthorised function as well (often usurping the privileges of the user). [O’Reilly, 1992]
trust: Reliance on the ability of a system to meet its specifications. [O’Reilly, 1992]
trust model: A description of which components of the system and which entities outside the system must be trusted, and what they must be trusted for, if the system is to remain secure. [OMG97]
trusted code: Code assumed to always perform some specified set of operations correctly. [OMG97]
Trusted Computing Base (TCB): From the Orange Book definition: "The totality of protection mechanisms within a computer system - including hardware, firmware, and software - the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the security policy." [O’Reilly, 1992]
Trusted Computing Base: The portion of a system which must function correctly in order for the system to remain secure. A TCB should be tamper-proof and its enforcement of policy should be non-circumventable. Ideally a system’s TCB should also be as small as possible, to facilitate analysis of its integrity. [OMG97]
trusted distribution: The process of distributing a trusted system in a way that assures that the system that arrives at the customer site is the exact, evaluated system shipped by the vendor. [O’Reilly, 1992]
trusted facility management: The management of a trusted system in a way that assures separation of duties (e.g., separate operator, system administrator, and security administrator roles), with duties clearly delineated for each role. [O’Reilly, 1992]
trusted path: A mechanism that allows a terminal user to communicate directly with the Trusted Computing Base. The mechanism can be activated only by the person or the TCB and cannot be initiated by untrusted software. With a trusted path, there is no way an intermediary program can mimic trusted software. [O’Reilly, 1992]
trusted recovery: The set of procedures involved in restoring a system and its data in trusted fashion after a system crash or some other type of system failure. [O’Reilly, 1992]
trusted system: A system believed to enforce a given set of attributes to a stated degree of assurance (confidence). [National Research Council, 1991]
A system designed and developed in accordance with Orange Book criteria and evaluated according to those criteria. [O’Reilly, 1992]
A computer and operating system that can be verified to implement a given security policy. [Stallings95]
universal identifier: A means to provide positive recognition of a particular individual for all people in a population. A universal healthcare or patient identifier provides the identifier for use in healthcare transactions. [ASTM95a]
user: A human being using the system to issue requests to objects in order to get them to perform functions in the system on his behalf. [OMG97]
A person or a process who accesses a computer system. [O’Reilly, 1992]
validation: The cognitive process of establishing a valid proof.
The stage in the software life-cycle at the end of the development process where software is evaluated to ensure that it complies with the requirements.
validity: The extent to which data correspond to the actual state of affairs or an instrument that measures what it purports to measure. Validity concerns relate to the issue of whether analyses done on a given database are appropriate for the questions being asked and whether those analyses will provide defensible answers that are internally consistent and externally generalisable. [Institute of Medicine, 1994]
verification: The process of determining whether or not the products of a given phase in the life-cycle fulfil a set of established requirements.
virus: A computer program, typically hidden, that attaches itself to other programs and has the ability to replicate. In personal computers, "viruses" are generally Trojan horse programs that are replicated by inadvertent human action and which when executed result in undesired side effects generally unanticipated by the user.
A type of programmed threat: A code fragment (not an independent program) that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over system resources which are then not available to authorised users. [O’Reilly, 1992]
Code embedded within a program that causes a copy of itself to be inserted in one or more other programs. In addition to propagation, the virus usually performs some unwanted function. [Stallings95]
voice system: A biometric system that compares a vocal pattern with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]
vulnerability: A security weakness in the system due to failures in analysis, design, implementation or operation. [ITSEC91]
A weakness in a system that can be exploited to violate the system's intended behaviour. There may be security, integrity, availability, and other vulnerabilities. The act of exploiting a vulnerability represents a threat, which has an associated risk of being exploited. [National Research Council, 1991]
worm: Program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. [O’Reilly, 1992]
References
[Abdelhak96] Abdelhak M (Ed.), 1996. Health Information: Management of a Strategic Resource. Philadelphia: W.B. Saunders Company.
[AHIMA94a] AHIMA, 1994a. Guidelines on Maintenance, Disclosure, and Redisclosure of Health Information. Chicago: American Health Information Management Association.
[Stallings95] Stallings W, 1995. Network and Internetwork Security: Principles and Practice. New York: Institute of Electrical and Electronics Engineers. ISBN 0-02-415483-0.
Editor's Note: Has to be clarified
[Huffman, 1985]
[Institute of Medicine, 1994]
[WEDI, 1992]