Article

An Empirical Investigation: Health Care Employee Passwords and Their Crack Times in Relationship to HIPAA Security Standards.

... 4. The table shows publications indicating that e-HISs are more auditable than paper systems due to robust access controls [35,20,39]. Still other publications suggest clinicians collude with other staff, such as by sharing passwords, so audits of e-HIS access cannot identify the actual end-user [6,37,22,38]. 5. It seems IT magnifies pressure on already inadequate health budgets due to training, capital equipment and maintenance costs, not to mention interoperability shortcomings. ...
... At the same time, international confusion over privacy jurisdictions has prompted professional organizations, such as the Australian Medical Association, to ask health authorities to determine consistent and unequivocal P&S rules to ease understandable clinical confusion about protecting the confidentiality of patient records [3,44]. Contradictory laws and policies at various government levels have fostered widespread confusion about ways to mitigate HIS P&S risks [3,37,44]. The confusion ensures the generality of security advice that many clinician associations across the globe are able to provide to members. ...
... If they existed, national or international standards might alleviate the confusion [3]. Standards document specifications against which a series of best practices for a process or technology can be measured [37]. In the absence of a national information security standard, "HB 174-2003 Information security management - Implementation guide for the health sector" outlines practical HIS security measures for Australian clinicians [45]. ...
Article
This manuscript describes the health information system security threat lifecycle (HISSTL) theory. The theory is grounded in case study data analyzing clinicians' health information system (HIS) privacy and security (P&S) experiences in the practice context. The 'questerview' technique was applied to this study of 26 clinicians situated in 3 large Australian (Victorian) teaching hospitals. Questerviews rely on data collection that applies standardized questions and questionnaires during recorded interviews. Analysis (using NVivo) involved the iterative scrutiny of interview transcripts to identify emergent themes. Issues including poor training, ambiguous legal frameworks containing punitive threats, productivity challenges, usability errors and the limitations of the natural hospital environment emerged from empirical data about the clinicians' HIS P&S practices. The natural hospital environment is defined by the permanence of electronic HISs (e-HISs), shared workspaces, outdated HIT infrastructure, constant interruption, a P&S regulatory environment that is not conducive to optimal training outcomes, and budgetary constraints. The evidence also indicated that the obtrusiveness, timeliness and reliability of P&S implementations for clinical work affected participant attitudes to, and use of, e-HISs. The HISSTL emerged from the analysis of study evidence. The theory embodies elements such as the fiscal, regulatory and natural hospital environments which impede P&S implementations in practice settings. These elements conflict with improved patient care outcomes. Efforts by clinicians to avoid conflict and emphasize patient care above P&S tended to manifest as security breaches. These breaches entrench factors beyond clinician control and perpetuate those within clinician control. Security breaches of health information can progress through the HISSTL. Some preliminary suggestions for addressing these issues are proposed. Legislative frameworks that are not related to direct patient care were excluded from this study. Other limitations included an exclusive focus on patient care tasks post-admission and pre-discharge from public hospital wards. Finally, the number of cases was limited by the number of participants who volunteered to participate in the study. It is reasonable to assume these participants were more interested in the P&S of patient care work than their counterparts, though the study was not intended to provide quantitative or statistical data. Nonetheless, additional case studies would strengthen the HISSTL theory if confirmatory, practice-based evidence were found.
... To create meaningful word pairs, we need to analyze their semantic similarities. For this purpose, NLTK's path similarity [16] is used with the first noun meaning (n.01) on Wordnet for all identified nouns. The path similarity returns a score denoting how similar two word senses are, based on the shortest path that connects the senses in the is-a (hypernym/hyponym) taxonomy. ...
... Researchers have found that some of the most used semantic themes in passwords are locations [17] and years [18]. ...
Conference Paper
Full-text available
Adversaries need a wordlist or a combination-generation tool when conducting password guessing attacks. To narrow the combination pool, researchers developed a method named "mask attack", in which the attacker has to assume a password's structure. Even though it narrows the combination pool significantly, the pool is still too large for online attacks or for offline attacks with limited hardware resources. Analyses of leaked password databases showed that people tend to use meaningful English words in their passwords, and most of them are nouns or proper nouns. Other research shows that people choose these nouns from their hobbies and other areas of interest. Since people expose their hobbies and other areas of interest on Twitter, it is possible to identify them by analyzing their tweets. The Rhodiola tool was developed to narrow the combination pool by creating a personalized wordlist for target people. It finds the areas of interest of a given user by analyzing his or her tweets and builds a personalized wordlist.
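As an added illustration of the approach the abstract above describes (this is not Rhodiola's code; the tweets, the stop-list and the year range are constructed for the example), the following Python builds a personalized candidate list: it counts recurring content words across a timeline as a crude stand-in for the noun tagging the tool performs, then emits single-word variants and ordered word pairs of the kind the citing text says people compose passwords from. The WordNet path-similarity ranking of pairs mentioned in the citation context is deliberately left out so that the block runs offline.

```python
import re
from collections import Counter
from itertools import permutations

# Constructed tweets standing in for a target's public timeline (not real data).
TWEETS = [
    "Great hike on Mount Rainier this weekend with the dog, Bella!",
    "Bella learned a new trick today. Best dog ever.",
    "Back at the climbing gym, shoulders wrecked but happy.",
    "Planning the next climbing trip: Rainier again, or Yosemite?",
    "Coffee, climbing, repeat. Bella approves.",
]

# Crude stand-in for a part-of-speech tagger (an assumption of this example):
# drop function words and generic vocabulary so the survivors are mostly nouns.
STOPWORDS = {
    "the", "a", "an", "and", "or", "but", "on", "at", "in", "with", "this",
    "that", "today", "again", "ever", "best", "new", "next", "great", "back",
    "happy", "repeat", "learned", "planning", "approves", "weekend", "trip",
    "gym", "shoulders", "wrecked", "hike", "trick", "mount",
}


def extract_keywords(tweets, min_count=2):
    """Return (word, count) pairs, most frequent first, for content words that
    recur across the timeline; one-off mentions are dropped by min_count."""
    counts = Counter()
    for text in tweets:
        for tok in re.findall(r"[a-z]+", text.lower()):
            if len(tok) >= 3 and tok not in STOPWORDS:
                counts[tok] += 1
    return [(w, c) for w, c in counts.most_common() if c >= min_count]


def mangle(word, years):
    """Single-word variants: as typed, capitalised, and with a year suffix."""
    yield word
    yield word.capitalize()
    for year in years:
        yield f"{word}{year}"
        yield f"{word.capitalize()}{year}"


def build_wordlist(keywords, years=range(2020, 2025), max_pairs=50):
    """Personalised candidates: mangled single keywords plus ordered word pairs
    (both orders), which is the two-noun structure the passage describes."""
    words = [w for w, _ in keywords]
    candidates, seen = [], set()

    def add(candidate):
        if candidate not in seen:          # keep order, drop duplicates
            seen.add(candidate)
            candidates.append(candidate)

    for w in words:
        for c in mangle(w, years):
            add(c)
    for n, (a, b) in enumerate(permutations(words, 2)):
        if n >= max_pairs:                 # bound the pool for a target with many keywords
            break
        add(a + b)
        add(a.capitalize() + b.capitalize())
        add(f"{a}_{b}")
    return candidates


if __name__ == "__main__":
    kws = extract_keywords(TWEETS)
    print("keywords:", kws)
    wordlist = build_wordlist(kws)
    print(len(wordlist), "candidates, e.g.", wordlist[:6])
```

Running the block on the constructed timeline yields four recurring keywords (the dog's name, the sport, the mountain and "dog") and 84 candidates, which is the whole point of personalization: a rule-based attack against this list finishes in microseconds, whereas the same four nouns are buried among millions of entries in a generic dictionary. Lowering `min_count` to 1 pulls in single mentions such as "yosemite" at the cost of a larger pool.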
... Health care organizations are not proactive in adopting security requirements [24]. Research literature in information security identifies several factors instrumental in the overall provision of security to organizations: awareness [19,23], effectiveness [18], culture [20], behavior [5,21], deterrence [8,27], training [22], communication [22], and compliance [8,27]. ...
... According to an analysis of leaked passwords from RockYou, the most popular passwords were "123456," "password" and "iloveyou" [112]. Other prevalent semantic themes in passwords include names, locations, dates, animals, and money [69,113]. ...
Preprint
Full-text available
We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our online experiment (n=1,386) compared the effectiveness of a threat appeal (highlighting negative consequences of breached passwords) and a coping appeal (providing instructions on how to change the breached password) in a 2x2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords; both comparisons have a small effect size. Participants' password change behaviors are further associated with other factors such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based nudges are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
... These findings are consistent with the results of (Siani, 2020), who found an effect of economic growth on poverty. These results fail to support the findings of (Jauhari & Periansya, 2021); (Medlin & Cazier, 2007), who found that economic growth has no correlation with poverty. The Gini ratio indicates the level of income inequality in a society; its value lies in the range 0 to 1. A Gini ratio of 0 indicates no inequality, i.e. income is evenly distributed, and conversely a Gini ratio of 1 indicates perfect income inequality. Perfect inequality means that one person has excessive income while the others have no income at all (BPS, 2019). ...
Article
Full-text available
The rise in poverty during the Covid-19 pandemic was experienced by every country in the world, including Indonesia. Macro-level studies of poverty have been carried out extensively, but studies that analyze the correlations between those macro variables remain very limited. Which macro variables affect poverty, and how those variables correlate, is worth examining scientifically. This study aims to analyze the determinants of poverty and the correlations between variables. The data used are secondary data collected by the documentation method. The data come from Badan Pusat Statistik (Statistics Indonesia), using data for 34 provinces for the year 2021. The data analysis technique is SEM PLS with the aid of SmartPLS 3.8 software. All model criteria were met in terms of Q square and GoF. Hypothesis testing shows that the percentage of households using electricity and the Human Development Index have a significant negative effect on poverty, while economic growth has a negative but insignificant effect on poverty. Inequality has a significant positive effect on poverty. Unmet health need has a significant negative effect, while domestic capital investment and years of schooling have a significant positive effect on the Human Development Index. Foreign capital investment and the informal sector have a significant positive effect on economic growth; economic growth is not significant for the Human Development Index, but it has a significant negative effect on inequality. The implication of the research is that well-targeted policies are needed to reduce poverty and income inequality, so as to raise the Human Development Index and economic growth and lower the poverty rate in Indonesia.
... According to an analysis of leaked passwords from RockYou, the most popular passwords were "123456," "password" and "iloveyou" [545]. Other prevalent semantic themes in passwords include names, locations, dates, animals, and money [338,549]. ...
Thesis
As much as consumers express desires to safeguard their online privacy, they often fail to do so effectively in reality. In my dissertation, I combine qualitative, quantitative, and design methods to uncover the challenges consumers face in adopting online privacy behaviors, then develop and evaluate different context-specific approaches to encouraging adoption. By examining consumer reactions to data breaches, I find how consumers' assessment of risks and decisions to take action could be subject to bounded rationality and potential biases. My analysis of data breach notifications provides another lens for interpreting inaction: unclear risk communications and overwhelming presentations of recommended actions in these notifications introduce more barriers to action. I then turn to investigate a broader set of privacy, security, and identity theft protection practices; the findings further illuminate individual differences in adoption and how impractical advice could lead to practice abandonment. Leveraging these insights, I investigate how to help consumers adopt online privacy-protective behaviors in three studies: (1) a user-centered design process that identified icons to help consumers better find and exercise privacy controls, (2) a qualitative study with multiple stakeholders to reimagine computer security customer support for serving survivors of intimate partner violence, and (3) a longitudinal experiment to evaluate nudges that encourage consumers to change passwords after data breaches, taking inspiration from the Protection Motivation Theory. These three studies demonstrate how developing support solutions for consumers requires varying approaches to account for the specific context and population studied. My dissertation further suggests the importance of critically reflecting on when and how to encourage adoption. While inaction could be misguided sometimes, it could also result from rational cost-benefit deliberations or resignation in the face of practical constraints.
... However, text-based passwords remain the top choice of users for authenticating access to their resources [2]. Continuous effort has been made in the field of password usage and integrity, but there are various obstacles to collecting realistic data for analysis, such as data coming from experimental studies rather than from deployed authentication systems [3]. ...
Article
Full-text available
In this paper, we use a Recurrent Neural Network, trained with the backpropagation algorithm, to predict password characters. In today's security systems the text password is an extensively used form of authentication. Evaluation of password strength and guessing attacks are concepts that help in the modelling of passwords. We propose an Artificial Neural Network that generates text passwords on the basis of its training method. This approach is fast and accurate and is applied to text data only.
... Researchers have also focused on the semantic content of passwords [60, 64]. Historically, researchers have found that some of the most prevalent semantic themes in passwords include names and locations [39], as well as dates and years [65]. Researchers have also noted love, animals, and money as common semantic themes [64]. ...
Conference Paper
Users often make passwords that are easy for attackers to guess. Prior studies have documented features that lead to easily guessed passwords, but have not probed why users craft weak passwords. To understand the genesis of common password patterns and uncover average users’ misconceptions about password strength, we conducted a qualitative interview study. In our lab, 49 participants each created passwords for fictitious banking, email, and news website accounts while thinking aloud. We then interviewed them about their general strategies and inspirations. Most participants had a well-defined process for creating passwords. In some cases, participants consciously made weak passwords. In other cases, however, weak passwords resulted from misconceptions, such as the belief that adding “!” to the end of a password instantly makes it secure or that words that are difficult to spell are more secure than easy-to-spell words. Participants commonly anticipated only very targeted attacks, believing that using a birthday or name is secure if those data are not on Facebook. In contrast, some participants made secure passwords using unpredictable phrases or non-standard capitalization. Based on our data, we identify aspects of password creation ripe for improved guidance or automated intervention.
... They act as barriers between the "outside" world and the world of networked systems at large. If a social engineer is able to obtain a password and other identifiable information, they can likely impersonate the employee and gain admittance to the system (Medlin & Cazier, 2007); the intrusion will most likely go unnoticed. ...
Article
One of the main threats to keeping health information secure in today's digital world is social engineering. The healthcare industry has benefitted from its employees' ability to view patient data. Although access to and transmission of patient data may improve care, shorten delivery time of services and reduce health care costs, the security of that information may be jeopardized by the innocent sharing of personal and non-personal data with the wrong person. Through the tactic of social engineering, hackers are able to obtain information from employees that may allow them access to the hospital's networked information system. In this study we simulate a social engineering attack in five hospitals of varying sizes with the goal of obtaining employees' passwords. 73% of respondents shared their password. This raises serious concerns about the state of employee security awareness in our healthcare system.
... Considerable effort has been spent studying the usage and characteristics of passwords (e.g., [13, 17, 34, 35, 45]), but password research is consistently hampered by the difficulty in collecting realistic data to analyze. Prior password studies all have one or more of the following drawbacks: very small data sets [36], data from experimental studies rather than from deployed authentication systems [31], no access to plaintext passwords [3], self-reported password information [47], leaked data of questionable validity, or accounts of minimal value [26, 53]. As a result, the important question of whether the results apply to real, high-value passwords has remained open. ...
Conference Paper
Full-text available
Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them. We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.
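To make the "how guessable during an offline attack" measurement above concrete, and to show why the belief reported in the interview study further up (that a trailing "!" makes a password secure) does not survive a rule-based attacker, here is an added Python example; it is not code from either paper. It uses a tiny dictionary in constructed popularity order, a fixed rule set applied to every word, and a function that returns the one-based index of the guess at which a given password falls. A second function converts that index into seconds at an offline guess rate supplied by the caller; the rate is an assumption of the example, not a figure from the page, and it depends on the hash function and the hardware.

```python
# Constructed mini-dictionary in the order an attacker would try it
# (most frequently used words first). Not a real leak.
DICTIONARY = [
    "123456", "password", "iloveyou", "princess",
    "rockyou", "abc123", "nicole", "daniel",
]

# Years appended by the year-suffix rule; an assumed range, not from the page.
YEARS = range(2015, 2025)


def rules(word):
    """Mangling rules, applied to every dictionary word in this fixed order.

    The suffix rules are exactly the edits users believe make a word
    'secure' (trailing '!', '1', '123' or a year), which is why a
    rule-based attacker reaches them within a handful of guesses per word.
    """
    yield word
    yield word.capitalize()
    yield word + "!"
    yield word.capitalize() + "!"
    yield word + "1"
    yield word.capitalize() + "1"
    yield word + "123"
    for year in YEARS:
        yield f"{word}{year}"


def guess_number(password, dictionary=DICTIONARY):
    """Return the 1-based index of the guess that matches `password`,
    or None if this dictionary-plus-rules attack never produces it."""
    n = 0
    for word in dictionary:            # outer loop: dictionary order
        for candidate in rules(word):  # inner loop: rule order
            n += 1
            if candidate == password:
                return n
    return None


def attack_size(dictionary=DICTIONARY):
    """Total number of candidates this attack can ever try."""
    return sum(1 for word in dictionary for _ in rules(word))


def crack_seconds(password, guesses_per_second, dictionary=DICTIONARY):
    """Time to reach `password` at an assumed offline guess rate.

    `guesses_per_second` is chosen by the caller; it depends on the hash
    function and the hardware. Returns None if the attack cannot produce
    the password at all, so that 'never' is not confused with 'instantly'.
    """
    n = guess_number(password, dictionary)
    if n is None:
        return None
    return n / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second against a fast unsalted hash
    for pw in ["password", "Password!", "iloveyou2020",
               "correct horse battery staple"]:
        print(f"{pw!r}: guess #{guess_number(pw)}, "
              f"{crack_seconds(pw, rate)} s at {rate:.0e} guesses/s")
    print("attack size:", attack_size())
```

With this rule set "Password!" is guess 21 and "iloveyou2020" is guess 47, so at the assumed rate both fall in well under a microsecond; the four-word phrase is never produced by the attack, and the honest answer is "not found within 136 guesses", not a crack time. A real evaluation differs only in scale: a wordlist of millions of entries, thousands of rules, and a hash rate measured for the target's actual algorithm, which for a slow, salted construction can be several orders of magnitude lower than the figure assumed here.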
Chapter
Full-text available
Social engineering can be briefly defined as the obtaining of information through deceptive methods. The intention of the action is to acquire information that will be of use in order to gain access to a system or use of information obtained from the system. There are benefits gained by allowing health care workers access to patient data, but the ability to maintain security of that information may be compromised due to the accessibility. Using methods such as social engineering, health care workers may innocently provide sensitive information without realizing that they have participated in the process of deception. This chapter addresses the issue of social engineering used to obtain health care worker’s passwords, as well as the laws that govern health care workers in relation to the privacy and security of confidential patient information.
Article
Full-text available
The aim of this study is to contribute to the literature, as an applied example that can serve as a guide for managers, our experiences and results from the process of establishing an Information Security Management System at a university hospital, a process that took three years in total across its planning, implementation and improvement phases. This study provides information about the core information security management policies and procedures created at the hospital; discusses, through a successful implementation example, the methods applied, the technical and managerial difficulties encountered and how they can be overcome; and presents the stages of building an institutional information security culture and awareness, together with a comparison of the hospital's information security level before and after the system was established.
Chapter
This research paper is a brief study on social engineering that explores internet awareness among males and females of different age groups. In our study, we have researched how an individual shares his or her identity and sensitive information on social networking sites in ways that directly or indirectly affect them. This information can include the user's personal identification traits, their photos, places visited, etc. The parameters chosen for the influence of social engineering on social networking sites are passwords, shareability, and awareness. This research briefly explains how people between the ages of 13 and 40 share their information over the web and their awareness of netiquette. This information is then used to calculate the average amount of sensitive information that can be extracted through social engineering for different age groups of males and females.
Conference Paper
HIPAA security compliance in academic medical centers is a central concern of researchers, academicians, and practitioners. Despite increasing accounts of data security breaches, greater numbers of information technology implementations, and new HIPAA Security Rule requirements and audits, academic medical centers have shown limited HIPAA security compliance. Based on a literature review of technology acceptance and security effectiveness, this study investigated the factors that affect HIPAA security compliance. A theoretical model using management support, security awareness, security culture, and computer self-efficacy to predict security behavior and security effectiveness was proposed. Multiple linear regression and correlation analysis demonstrated that security awareness, management support, and security culture were significant predictors of security effectiveness and security behavior, with security awareness being the most significant predictor. The results of this research provide guidance to those involved with HIPAA security compliance initiatives in health care.
Conference Paper
Full-text available
The goal of this paper is to gain insight into the relative performance of communication mechanisms as bisection bandwidth and network latency vary. We compare shared memory with and without prefetching, message passing with interrupts and with polling, and bulk transfer via DMA. We present two sets of experiments involving four irregular applications on the MIT Alewife multiprocessor. First, we introduce I/O cross-traffic to vary bisection bandwidth. Second, we change processor clock speeds to vary relative network latency. We establish a framework from which to understand a range of results. On Alewife, shared memory provides good performance, even on producer-consumer applications with little data reuse. On machines with lower bisection bandwidth and higher network latency, however, message-passing mechanisms become important. In particular, the high communication volume of shared memory threatens to become difficult to support on future machines without expensive, high-dimensional networks. Furthermore, the round-trip nature of shared memory may not be able to tolerate the latencies of future networks.
Article
Full-text available
Strong passwords are essential to the security of any e-commerce site as well as to individual users. Without them, hackers can penetrate a network and stop critical processes that assist consumers and keep companies operating. For most e-commerce sites, consumers have the responsibility of creating their own passwords and often do so without guidance from the web site or system administrator. One fact is well known about password creation—consumers do not create long or complicated passwords because they cannot remember them. Through an empirical analysis, this paper examines whether the passwords created by individuals on an e-commerce site use either positive or negative password practices. This paper also addresses the issue of crack times in relationship to password choices. The results of this study will show the actual password practices of current consumers, which could enforce the need for systems administrators to recommend secure password practices on e-commerce sites and in general.