coworkers, or celebrities; clandestine observation of employees; and the desire to search the health records of parties involved in contentious interpersonal situations such as divorce or the breakup of intimate relationships.

Resources. With respect to resources available to them, potential attackers can range from individuals with modest financial and computing resources to well-funded and determined intelligence agencies and organized crime. In between lie medium and large organizations that have an economic interest in gathering health data. To date, the threat posed by intelligence agencies and organized crime has not surfaced in the health care arena.6 The resources used in an attack against a health care organization are therefore those that would be available to an individual or a small group.

Initial Access. Initial access, the relationship of the attacker to the target data prior to the attacker's initiation of an assault on some stakeholder's system, has three elements:

  • 1.  

    Site access. The attacker either does or does not have the ability (or inclination) to enter the facility where data are accessed on a regular basis.

  • 2.  

    System authorization. The attacker either does or does not have authorization to use the information system in one way or another. System authorization is typically dependent on site access: a person without site access (either physical or electronic) is unlikely to have system authorization.

  • 3.  

    Data authorization. The attacker either does or does not have authorization to access the desired data. Data authorization is dependent on system authorization: a person without system authorization is unlikely to have data authorization.

These three elements of initial access can be combined in various ways to characterize a potential attacker. For example, an individual may have system authorization by virtue of being a financial clerk, not have data authorization for patient records, and have site access because he or she has a badge that allows movement freely about a hospital or clinic (Table 3.1). Site access is an important element when countermeasures are being considered.


Whether such organizations are motivated to access patient health information improperly is not clear. Organized crime might be motivated by an interest in blackmailing an individual.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement