Log Analysis of Human Computer Interactions Regarding Break The Glass Accesses to Genetic Reports

Ana Ferreira, Pedro Farinha, Cátia Santos-Pereira, Ricardo Correia, Pedro P. Rodrigues, Altamiro Costa-Pereira, Verónica Orvalho

2013

Abstract

Patients’ privacy is critical in healthcare but users of Electronic Health Records (EHR) frequently circumvent existing security rules to perform their daily work. Users are so-called the weakest link in security but they are, many times, part of the solution when they are involved in systems’ design. In the healthcare domain, the focus is to treat patients (many times with scarce technological, time and human resources) and not to secure their information. Therefore, security must not interfere with this process but be present, nevertheless. Security usability issues must also be met with interdisciplinary knowledge from human-computer-interaction, social sciences and psychology. The main goal of this paper is to raise security and usability awareness with the analysis of users’ interaction logs of a BreakTheGlass (BTG) feature. This feature is used to restrict access to patient reports to a group of healthcare professionals within an EHR but also permit access control override in emergency and/or unexpected situations. The analysis of BTG user interaction logs allows, in a short time span and transparently to the user, revealing security and usability problems. This log analysis permits a better choice of methodologies to further apply in the investigation and resolution of the encountered problems.

References

  1. Assembleia da República, 2005. Lei n. 12/2005 de 26 de Janeiro. DIÁRIO DA REPÚBLICA - I SÉRIE-A.
  2. Break-glass, 2004. An approach to granting emergency access to healthcare systems. White paper, Joint - NEMA/COCIR/JIRA Security and Privacy Committee (SPC).
  3. Break Glass, 2012. Granting Emergency Access to Critical ePHI Systems - HIPAA Security. Accessed at: http://hipaa.yale.edu/security/breakglass.html. Accessed on the 13th December 2012.
  4. Brostoff, S., Sasse, A., 2000. Are passfaces more usable than password? A field trial investigation. People and Computers XIV-Usability of else. Proceedings of HCI 2000. S. McDonald Springer, 405-424.
  5. Cranor & Garfinkel, 2005. Security and usability: designing secure systems that people can use. O'Reilly.
  6. Cruz-Correia, R., Lapão, L., Rodrigues, P., 2011. Traceability of patient records usage: barriers and opportunities for improving user interface design and data management. Studies in Health Technologies and Informatics, vol. 169, pp. 275-279.
  7. Cruz-Correia, R., Vieira-Marques, P., Costa, P., Ferreira, A., Oliveira-Palhares, E., Araújo, F., Costa-Pereira, A., 2005. Integration of Hospital data using Agent Technologies - a case study. AICommunications special issue of ECAI, 18(3):191-200.
  8. Cruz-Correia, R., Vieira-Marques, P., Ferreira, A., Almeida, F., Wyatt, J., Costa-Pereira, A., 2007. Reviewing the integration of patient data: how systems are evolving in practice to meet patient needs. BMC Medical Informatics and Decision Making, 7(14).
  9. Farinha, P., Cruz-Correia, R., Antunes, L., Almeida, F., Ferreira, A., 2010. From legislation to practice: a case study of break the glass in healthcare. Proceedings of the International Conference on Health Informatics, 114-120.
  10. Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, R., Chandramouli, R., 2001. Proposed NIST Standard for Role-based Access Control. ACM Transactions on Information and systems security, 4(3): 224-274.
  11. Ferreira, A., Antunes, L., Chadwick, D., Cruz-Correia, R., 2010. Grounding Information Security in Healthcare. International Journal of Medical Informatics, 79(4): 268-283.
  12. Ferreira, A., Correia-Cruz, R., Antunes, L., 2011a. Usability of authentication and access control: a case study in healthcare. IEEE International Carnahan Conference on Security Technology, 1-7.
  13. Ferreira, A., Cruz-Correia, R., Chadwick, D., Santos, H., Gomes, R., Reis, D., Antunes, L., 2011b. Password sharing and how to reduce it. Certification and Security in Health-Related Web Applications: Concepts and Solutions, 243-263.
  14. Ferreira, A., Cruz-Correia, R., Antunes, L., Farinha, P., Oliveira-Palhares, E., Chadwick, D. W., Costa-Pereira, A., 2006. How to break access control in a controlled manner? Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems, 847-851.
  15. Harris, S., 2012. CISSP All-in-one Exam Guide. McGrawHill Osborne Media. 6th Edition.
  16. Iglesias, J., Angelov, P., Ledezma, A., Sanchis, A., 2012. Creating evolving user behavior profiles automatically. IEEE Trasactions on Knowledge and data engineering, 24(5): 854-867.
  17. Kainda, R., Flechais, I., Roscoe, A.W., 2010. Security and usability: analysis and evaluation. International conference on Availability, Reliability and Security, 275 - 282.
  18. Kuo, C., Romanosky, S., Cranor, L., 2006. Human Selection of Mnemonic Phrase-Based Passwords. Symposium on usable privacy and security (SOUPS), 67-78.
  19. Lehoux, P., Sicotte, C., Denis, J., 1999. Assessment of a computerized medical record system: disclosing scripts of use. Evaluation and Program Planning, 22( 4): 439-53.
  20. NHS care records service, 2012. NHS Connecting for Health. Sealing Overview. Accessed at: http://www.connectingforhealth.nhs.uk/elearning/scr/s cr2008b/modules/scr07_sealing/t1/scr07t1p1.htm. Accessed on the 13th December 2012.
  21. Palanque, P., Barboni, E., Martinie, C., Navare, D., Winckler, M., 2011. Proceedings of the 3rd ACM SIGCHI symposium on Engineering interactive computing systems, 21-30.
  22. Redish, J., Dumas, J., 1999. A Practical Guide to Usability Testing. Intellect Ltd.
  23. Saltzer, J., Schroeder, M., 1975. The protection of Information in Computer Systems. Proceedings of the IEEE, 63(9): 1278-1308.
  24. Santos-Pereira, Cátia., Augusto, Alexandre., Correia, Manuel., Ferreira, Ana., Cruz-Correia, Ricardo., 2012. A Mobile Based Authorization Mechanism for Patient Managed Role Based Access Control. Information Technology in Bio and Medical Informatics. Lecture Notes in Computer Science, 7451: 54-68.
  25. Sasse A., 2003. Computer Security: Anatomy of a Usability Disaster and a Plan for Recovery. Proceedings of CHI2003 Workshop on HumanComputer Interaction and Security Systems.
  26. Schneier, B., 2000. Secrets and Lies: digital security in a networked world. 1st ed.: John Wiley &Sons
  27. Shun-Hua, T., Miao, C., Guo-Hai, Y., 2010. User behavior mining on large scale web log data. International Conference on Apperceiving Computing and Intelligence Analysis, 60-63.
  28. Whitten, A., Tygar, J., 1999. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. Proceedings of 8th USENIX Security Symposium, 169-183.
  29. Xhafa, F., Ruiz, J., Caballe, S., Spaho, E., Barolli, L., Miho, R., 2012. Massive Processing of Activity Logs of a Virtual Campus. Third International Conference on Emerging Intelligent Data and Web Technologies, 104-110.
  30. ZIshuang, Ye., Smith, S., 2005. Trusted Paths for Browsers. ACM transactions in information systems security, 8(2): 153-186.
Download


Paper Citation


in Harvard Style

Ferreira A., Farinha P., Santos-Pereira C., Correia R., P. Rodrigues P., Costa-Pereira A. and Orvalho V. (2013). Log Analysis of Human Computer Interactions Regarding Break The Glass Accesses to Genetic Reports . In Proceedings of the 15th International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 978-989-8565-61-7, pages 46-53. DOI: 10.5220/0004419200460053


in Bibtex Style

@conference{iceis13,
author={Ana Ferreira and Pedro Farinha and Cátia Santos-Pereira and Ricardo Correia and Pedro P. Rodrigues and Altamiro Costa-Pereira and Verónica Orvalho},
title={Log Analysis of Human Computer Interactions Regarding Break The Glass Accesses to Genetic Reports},
booktitle={Proceedings of the 15th International Conference on Enterprise Information Systems - Volume 3: ICEIS,},
year={2013},
pages={46-53},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004419200460053},
isbn={978-989-8565-61-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 15th International Conference on Enterprise Information Systems - Volume 3: ICEIS,
TI - Log Analysis of Human Computer Interactions Regarding Break The Glass Accesses to Genetic Reports
SN - 978-989-8565-61-7
AU - Ferreira A.
AU - Farinha P.
AU - Santos-Pereira C.
AU - Correia R.
AU - P. Rodrigues P.
AU - Costa-Pereira A.
AU - Orvalho V.
PY - 2013
SP - 46
EP - 53
DO - 10.5220/0004419200460053