
Security in Practice: Examining the Collaborative Management of Sensitive Information in Childcare Centers and Physician’s Offices

Laurian Vega
February 14th, 2011

1
Outline

• Motivation for Work

• Research Method

• Security & Privacy Breakdowns

• Discussion

• Security & Privacy Embodiment

• Communities of Security

• Zones of Ambiguity

• Security & Privacy Scenarios

2
Motivation for Work

Related Work

[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]

3
Motivation for Work:
Related Work

Usable Security

• Push back at belief that humans are weak link in security
• Software is what is not usable
• Balance between social and technical mechanisms for security
• Security is incongruent with the user’s primary task

Adams & Sasse (1999): Users Are Not the Enemy, in Communications of the ACM. pp 40-46.
4
Motivation for Work:
Related Work

Human-Computer Interaction

• The focus on supporting the user; the user is always right
• User actions demonstrate values
• That technology provides unknown potential that will impact privacy
• A need to account for privacy, for which prior models cannot be used

Palen & Dourish (2003). Unpacking "privacy" for a networked world. Conference on Human Factors in Computing Systems, Ft. Lauderdale, Florida, USA, ACM.
5
Motivation for Work:
Related Work

Medical Informatics

• Increasing adoption of electronic systems
• National regulation, HIPAA (Health Insurance Portability and Accountability Act)
• Changing relationship between patient, technology, & physician
• Shared awareness & social relationships key for information sharing

Berner, Detmer & Simborg (2005): Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States. Journal of American Medical Informatics Association. 12(1): pp.3-7.
6
Motivation for Work

Related Work

[Venn diagram: Usable Security, Human-Computer Interaction, Medical Informatics]

Study of Collaborative Management of Sensitive Information
7
Research Method:
Location

• Rural-serving southwest Virginia

• Socio-economic status

• Digital divide

• Different care

• Impacted by local universities

• Location types:

• 13 Childcare Centers

• 19 Physician’s Offices

8
Research Method:
Participant Demographics

Parents: 21 Interviews; 1-2 Avg Number of Children; 4 Avg Age of Child; 14 Months Avg Time

Childcare Centers: 12 Interviews; 4 Observation Locations; 64.5 Hours Observation; 12.5 Avg Years Experience; 20 Avg Person Staff Size; 85 Avg Children Enrolled

Physicians’ Offices: 16 Interviews; 5 Observation Locations; 61.25 Hours Observation; 20.16 Avg Years Experience; 10 Avg Person Staff Size; 128 Avg Children Enrolled

9
Research Method:
Conducting Observations

• Observed Directors of childcare centers and physicians’ offices

• Primarily sat within office of directors and took paper and electronic time-stamped notes (recordings when IRB approved)

• Annotated actions within office of people accessing/modifying/sharing client information verbally or electronically along with the guiding task of the participants

[Floor plan: Patient Room, Front Office, Director, Receptionist, Me]

10
Research Method:
Observations

Childcare Centers Physicians’ Offices


[Timeline chart: observation dates plotted against hour of the day, one column per location type]
August 30th, 2010 August 16th, 2010
August 31st, 2010 August 19th, 2010
October 13th, 2009 August 19th, 2010
October 13th, 2009 August 20th, 2010
October 14th, 2009 August 20th, 2010
October 15th, 2009 August 23rd, 2010
October 16th, 2009
August 26th, 2010
October 21st, 2009
July 13th, 2010
October 22nd, 2009
July 15th, 2010
October 23rd, 2009
July 1st, 2010
October 26th, 2009
July 6th, 2010
October 29th, 2009
June 7th, 2010
October 30th, 2009
September 14th, 2010 September 1st, 2010
September 15th, 2010 September 7th, 2010
September 2nd, 2010 September 9th, 2010
September 2nd, 2010
September 8th, 2010
September 8th, 2010
September 9th, 2010

11
Research Method:
Analysis
1. Collected and aggregated data
2. Used Activity Theory to isolate all breakdowns related to security and privacy (281 breakdowns)
3. Collated similar breakdowns into breakdown types (84 breakdown types)
4. Phenomenologically analyzed breakdowns to thematically categorize breakdown types (15 Themes)

12
Security & Privacy Breakdowns

Thought topics...
•What is the threat in each breakdown?

•What is the role of the individual versus group?

•What is the ambiguity present in any situation?

16
Security & Privacy Breakdowns:
Not Knowing Who Accessed Client Information

Physician’s Office, Front Office

“<people in the office> can access anything. That’s their job.”

“Yeah because it doesn’t show who’s logged in and most of the time I’m logged in in the front because I’m the only one up there, but occasionally someone else will come up and they’ll just do it, and I usually check to make sure just because it is on my login, but that’s one thing is we wanted it to actually show who’s logged in.”

[Diagram of roles: Nurse, Receptionist, Assistant, Nurse Director, Assistant Director, Doctor, Surgeon, Echo-cardiologist, Nurse Practitioner]
17
Security & Privacy Breakdowns:
Parents Not Knowing Who Can Access Their File
Childcare Center, Director’s Office

Who do you think can access your child’s file?

Parents:

“I guess the officers in the day care the main teacher the director... I guess some of the confidential information even the teachers cannot get just the officers”

“You know I'm probably guessing that the director or enrollment person probably has access to that.”

“No idea. Never thought about it.”

“Right. I am really not sure.”

[Diagram of roles: Teacher, Lead Teacher, Cook, Licensor, Owner, Bus Driver]
18
Security & Privacy Breakdowns:
Looking Up Patients on Sex Offender Website

Front Office

“Yesterday they were looking up people and found one, and it “floored” <the receptionist>. <The nurse> was reading the news that morning and saw a news story where <the patient> went into the house of a younger lady...They then started to talk about him, and decided that they were going to look up some of their other patients to see if they were in the sex offender database. There is also a discussion about whether or not the person was really a sex offender... I think this is some way for them to think through giving this person their care, while knowing that they might be a pretty bad person.”

[Diagram: Nurse, Receptionist, Sexual Offenders Database, Local Newspaper]
19
Security & Privacy Breakdowns:
Children’s Pictures on Facebook
“Two or three of the teachers had friended me on Facebook. And a week later in looking at their Facebook I noticed that they had pictures of the children playing in that daycare... I called the daycare and told the director... Then when I got there to pick them up the owner was there. So she pulled me aside and apologized and said that it would get fixed. And they brought all the securities, teachers into the office and watched them take the picture down off from the internet before they left that day. So, they are definitely on it as far as fixing the problem and that’s the feeling of nervousness that I have. You know just like very personal pictures are up.”

[Mock Facebook page: posts by Lady Teacher, Lady Teacher and Other Teacher, and Other Teacher, each dated January 25th, 2011]
20
Security & Privacy Breakdowns:
Sharing Login

Director’s Office, Lobby, Entrance, Infant Room, Kitchen

“The lead teacher in the lobby computer asks <the director> about the password of the computer. This is what she said, ‘Hey <lead teacher>, eventually I will remember the password, but can you tell me now’. <The director> gives out the password loudly. Anyone in the office or lobby or infant room should be able to hear it. It’s a sequence of four digits like 1234.”

[Diagram: Director, Lead Teacher]

21
Security & Privacy Breakdowns:
Client Information is Permanent
Director’s Office, Owner’s Home, Owner’s Server, Storage Facility

“No we even have the deceased; we don’t get rid of anything”

“We’ve got everything from 70 some or almost 80 years to 14 weeks”

“The problem is, and someone wouldn’t think about why it’s so important, but it’s like the Virginia Tech massacre we had 3 patients who we had to identify the bodies”

“We can make them inactive, but you can’t delete them”

[Diagram: Owner, Cohabitants, Managers, Storage Facility Owners]
22
Security & Privacy Breakdowns:
Hesitation about Writing or Storing Information

“... we train our doctors to write it all down... if we’re in the court of law... And if you write it down then you got a record of what occurred.”

“...they use initials, they put it in a cabinet... so that no one will accidentally discover it. At the same time we don't want them to see, like especially if it becomes an unfounded case. We try to keep that stuff kinda separate... so that it's not necessarily 100% visible.”

“and a lot of the times we will have a person listed as the child's father but is not actually the child's father and we know that but it's not... listed in

[Diagram: LCV, SB]
23
Security & Privacy Breakdowns:
Incorrect Beliefs about Technology

Childcare Centers

“So, we've got password protection--there's password protection for everything--they're like 'don't write it down', I'm like 'excuse me' <inaudible> … if somebody really wants on they're gonna be smart enough to get on it, whether I have a nice long 12-letter multi-digit pass code or not.”

[Diagram: Licenser, Licenser's Laptop, Director]

24
Security & Privacy Breakdowns:
HIPAA Violations
Director’s Office, Entrance, Patient Room

“<The doctor> comes in and <the director> talks about a phone call earlier...It was a man who was looking for his wife... <the director> said that she would pass on the message to the wife... The doctor said that that was good. But <the nurse> said that was against HIPAA. The doctor jokes that <the nurse> is all HIPAA compliant - he acts like he doesn’t take it very seriously. She says, ‘Well, that is about privacy, what if he was an estranged spouse looking for his wife to kill her’... There isn’t a conclusion on whether or not <the director> did the right thing.”

[Diagram: Mechanist, Patient’s Spouse, Doctor, Patient, Nurse]
25
Security & Privacy Breakdowns:
Licensing Issues
“I tend to, you know 'this is what it says and before I deviate from this, you know I'm going to ask someone. I'm reading it this way is it really ok to do it this way?'”

“<The licensor> has already noted the purse on the child-accessible, unlocked shelf and how she dismissed closer inspection for social reasons. We later learn that she overlooked a can of spray chemicals in an unlocked cabinet in the art room, and an unprotected outlet. Finally, she was made aware that files were not fully updated and said that she would turn the other cheek as long as she didn’t see <the director> actually updating the files. At the end of the day, no violations were reported in the final write-up.”
26
Security & Privacy Breakdowns:
Staff Catching Incorrect Medical Procedure

Patient Room, Front Office

“The <echo-cardiologist> comes to the window with <the receptionist>. Turns out that this patient was scheduled for a stress test. The problem is that <the office staff> didn’t realize that he’d had a heart attack just a month ago. The echo guy gets on the phone to cancel the stress test.”

[Diagram: Nurse, Receptionist, Echo-cardiologist, Hospital, Stress Test Administrator]

27
Security & Privacy Breakdowns:
Menacing Outsider

• Man in a red bandana who maintains the lawn care

• Casual mention, and no intention to take action

• Only mention by any participant of a real security threat

[Diagram: Lawn Care Person, Director’s Office, Lobby, Entrance, Me, Director]

28
Discussion

•Security & Privacy Embodiment

•Communities of Security

•Zones of Ambiguity

29
Security & Privacy Embodiment:
Threat Models

Security threats as a model for situating security and privacy:

“In these domains the adversarial actions are unintentional, unwelcome, and intrusive access and modification of sensitive personal information. Examples include medical and childcare center personnel, medical researchers, and insurance companies accessing patient or child information that should not be available (i.e., private). A second example includes ‘work-around’ practices of the personnel themselves that result in unknown and insecure information disclosures.”

30
Security & Privacy Embodiment:
Threat Models & Practice
“Computing systems are only secure in principle. They are rarely secure in practice” ~Bellotti & Sellen

Threat models cannot account for secure practice.

31
Security & Privacy Embodiment:
Where Security & Privacy are Not Located

• Conflicts between policies

  • HIPAA and office policy

  • Licensing and center policy

• Uninstantiated policies

  • Policy catching up to technology (Pictures of children on Facebook)

  • Ambiguous situations (Client files are indefinitely stored)

  • Undiscovered Boundaries (Looking Up Patients on Sex Offender Website)

32
Security & Privacy Embodiment:
Where Security & Privacy are Located

• Local

• Individual

• Care

• Robustness of Information

33
Discussion

•Security & Privacy Embodiment

•Communities of Security

•Zones of Ambiguity

34
Communities of Security
• Supporting the community in their shared task of security and privacy

• The activity of managing sensitive information is collaborative, yet security is considered an individual task - supporting the “user”

• Childcare centers and physicians’ offices personnel did not consider their work individual

[Floor plan: Entrance, Patient Room, Director’s Office; Patient, Patient’s Family, Doctor, Nurse]

35
Communities of Security:
Roles, Role Based Authentication
Roles: Patient, Patient’s Family, Director, Receptionist, Doctor, Nurse

Information: Patient’s Medical Record, Patient’s Billing Record, Post-it Notes Attached to Patient Record, Schedule

Role-based authentication. A user is assigned a role that has predefined access to certain information.

36
Communities of Security:
Roles representing work

Care for the Client:

Pull client files
Pat backs
Answer questions
See the client
Update client’s information
Discuss next course of action about client
Bill the client
Pay bills
Put client files away

“They can access anything. That’s their job.” ~ Office Director

37
Communities of Security:
Relationships & Mediation

• Economic exchange model

  • You give me x and I provide x service = You give me your information and I provide you care

• Relationships as mediators

  • “Privacy is not simply a way that information is managed but how social relations are managed” (Dourish & Anderson 2006)

[Diagram: Center gives Care to Client; Client gives Information to Center]

38
Discussion

•Security & Privacy Embodiment

•Communities of Security

•Zones of Ambiguity

39
Zones of Ambiguity

A zone of ambiguity is where current behavioral practices allow fundamentally contradictory concerns to exist in tacit compromise with one another.

Social systems afford ambiguity - they allow for the unsaid and the unarticulated.

Technology articulates and formalizes policies and procedures, leaving little room for ambiguity.

40
Zones of Ambiguity:
Accountability is Ambiguous

Who accesses, modifies, and deletes information is not tracked.

The value of collaboration is in direct contradiction to security, reflected in ambiguity.

Leaving workstations open, passwords not being used, and passwords being shouted.

41
Zones of Ambiguity:
Information Management is Ambiguous

Director’s Office, Parents

Parents have little knowledge of who accesses their information, how it is handled, and how long it is there for.

Power is in the hands of the centers.

The ambiguity over information management allows centers to create a facade and for clients to continue going to the center without expending energy to become knowledgeable.

[Diagram of roles: Teacher, Lead Teacher, Cook, Licensor, Owner, Bus Driver]

42
Zones of Ambiguity:
‘Client’ is Ambiguous

When does a client become (or stop being) a client?

Client files are stored forever, and the definitive time that a person is a client is nebulous.

What constitutes a client is also vague (friends, people who pay, referred people, wait list).

43
Security & Privacy Scenarios

• Access v. Inaccess

• Anonymity v. Visibility

• Permanence v. Decay

• Centralization v. Decentralization

• Layered v. Flat

• Contextual Awareness v. Lack of Contextual Awareness

• Center-managed Privacy v. Client-managed Privacy

• Technological v. Social

[Diagram of roles: Patient, Patient’s Family, Director, Receptionist, Doctor, Nurse]

44
Security & Privacy Scenarios:
Center-managed Privacy v. Client-managed

Center-managed Privacy

Alice logs into clientbook to respond to Reese’s request for information from last meeting. She looks at Reese’s information, assigns a 30 day decay to that information for Reese to see. She can see others from the center who have accessed the file recently and one of Reese’s friends who wrote a comment. Alice selects this friend and restricts their access to any information from her center.

Client-managed Privacy

Reese logs into clientbook to listen to the audio from the last meeting with his center. After listening he adds indefinite access for his friends and family. He can see that Alice recently added a note to the recording. He selects the note and makes it private so that only he and Alice can see it. While there, he looks at who has accessed his file recently, selects those he does not know, and

[Mock clientbook page, posts dated January 25th, 2011: Alice LadyName: “Results from your blood work are now available here. And audio.”; Doctor Something or Another: “The results from your urine analysis indicate that ... more”; Sherley Friend: “Hey Reese, saw your latest x-rays. Wow, scary stuff!”]

46
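The mechanics behind the two halves of the clientbook scenario, as an added example (not code from the talk or from any real clientbook): records with a decay, grants for people outside the center, per-note visibility, and an access log that answers the “who accessed it” question raised in the breakdown and accountability slides. The names, dates and the unrecognised “stranger” accessor are constructed for the example.

```python
# Toy model of the clientbook scenario (added example; names and dates constructed).
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

@dataclass
class Record:
    author: str
    text: str
    expires: Optional[datetime] = None     # decay: None means never expires
    visible_to: Optional[Set[str]] = None  # None means anyone who can open the file

    def visible(self, who, now):
        alive = self.expires is None or now < self.expires
        allowed = self.visible_to is None or who in self.visible_to
        return alive and allowed

@dataclass
class ClientFile:
    client: str      # owner of the file (client-managed side)
    staff: Set[str]  # center personnel (center-managed side)
    grants: Dict[str, Optional[datetime]] = field(default_factory=dict)  # who -> expiry
    records: List[Record] = field(default_factory=list)
    access_log: List[tuple] = field(default_factory=list)  # (who, when) for each open

    def grant(self, who, now, days=None):
        """Give `who` access that decays after `days` (None = indefinite)."""
        self.grants[who] = None if days is None else now + timedelta(days=days)

    def restrict(self, who):
        self.grants.pop(who, None)

    def can_open(self, who, now):
        if who == self.client or who in self.staff:
            return True
        if who not in self.grants:
            return False
        exp = self.grants[who]
        return exp is None or now < exp

    def view(self, who, now):
        """Open the file as `who`; every successful open is logged."""
        if not self.can_open(who, now):
            return []
        self.access_log.append((who, now))
        return [r.text for r in self.records if r.visible(who, now)]

    def recent_accessors(self, now, days=7):
        since = now - timedelta(days=days)
        return {who for who, when in self.access_log if when >= since}

def run_scenario():
    """Walk through both halves of the slide; return what each party can see."""
    t0 = datetime(2011, 1, 25)
    f = ClientFile(client="Reese", staff={"Alice"})
    f.grant("Sherley", t0 - timedelta(days=20))   # a friend, granted earlier
    f.grant("stranger", t0 - timedelta(days=20))  # someone Reese does not know
    f.records.append(Record("Alice", "blood work results", expires=t0 + timedelta(days=30)))
    f.view("Sherley", t0 - timedelta(days=1))     # friend read it and commented
    f.view("stranger", t0 - timedelta(days=2))
    seen_by_alice = f.recent_accessors(t0)        # center-managed: Alice reviews accessors
    f.restrict("Sherley")                         # ... and cuts off the friend
    f.grant("family", t0)                         # client-managed: indefinite access
    f.records.append(Record("Alice", "note on recording", visible_to={"Reese", "Alice"}))
    for who in f.recent_accessors(t0) - {"Sherley", "family", "Alice", "Reese"}:
        f.restrict(who)                           # Reese revokes accessors he does not know
    return {
        "alice_saw_accessors": seen_by_alice,
        "reese_day10": f.view("Reese", t0 + timedelta(days=10)),
        "reese_day31": f.view("Reese", t0 + timedelta(days=31)),  # blood work has decayed
        "family_sees": f.view("family", t0 + timedelta(days=10)),  # private note hidden
        "sherley_can_open": f.can_open("Sherley", t0 + timedelta(days=1)),
        "stranger_can_open": f.can_open("stranger", t0 + timedelta(days=1)),
    }
```

The access log is what the office staff on slide 17 said their system lacked; here it is what lets both Alice and Reese see who has read the file before deciding whom to restrict.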
Security & Privacy Scenarios:
Center-managed Privacy v. Client-managed

• Access reflects ownership

• Ambiguity over ownership

• Centers share responsibility, clients are only one person

• Sharing access with external people

[Mock clientbook page, posts dated January 25th, 2011, from Alice LadyName, Doctor Something or Another, and Sherley Friend]

47
Conclusions

• HCI theory and phenomenological analysis can be applied to problems of security and the adoption of electronic records to understand and evaluate the collaborative practice of managing sensitive personal information.

• Security & Privacy are deeply embodied into the care and robustness of information and are local and individually enacted

• Security & Privacy are communal and systems should be designed to support collaborative tasks, not individual

• As electronic systems are adopted, they should be designed to support ambiguities to support the needs of all users.

48
Thank you

Thank you to Laura Agnich, Monika Akbar, Aubrey Baker, Stacy Branham,
Tom DeHart, Zalia Shams, and Edgardo Vega.

49
Definitions:
Childcare Center & Physician’s Office

• Childcare center: a facility where parents engage in a service agreement with a care giver to assume responsibility and provide supervision of the child for approximately five days a week – less than 24 hours in the day, barring sickness; hold more than two children under the age of 13; licensed by the Virginia Department of Social Services (adapted from Virginia Department of Social Services Website (2010a)).

• Physician’s Office: a facility where patients engage in a service agreement with health care professionals to provide care, education, and treatment to the patient, usually less serious than to warrant a visit to the hospital emergency room; seen by appointment and during regular business hours (adapted from Virginia Board of Medicine Website (2006) and inclusive of practices as defined by HIPAA to include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies (2010e)).

50
Rigor & Phenomenology

• Neutrality - Bracketing in memos and understanding personal bias

• Discussing progress with researchers

• However...

  • the personal reflections with the data are valued within a phenomenological analysis

  • Phenomenology is not grounded theory; the concentration is less on objective information transfer than on the experience, which is inherently subjective

• Armour, Marilyn, Stephanie L. Rivaux and Holly Bell (2009). "Using Context to Build Rigor." Qualitative Social Work 8(1): 101-122.
• Creswell, John W. (2007). Qualitative Inquiry and Research Design: Choosing Among Five Approaches. Thousand Oaks, California, Sage Publications, Inc.
51
Research Method:
Phenomenology
Data Managing: Collecting the data and organizing it into appropriate forms and files

Reading & Memoing: Reading the data, writing notes in the margins, writing memos, forming initial codes

Describing: Evaluating the personal experience along with the essence of the experience of the participants

Classifying: Group initial codes or statements into related clusters or meaning units

Interpreting: Generating a textual description of the phenomenon explaining the ‘what’ and ‘how’

Representing: Creating a description of the essence of the experience and discussing it

52
Research Method:
Activity Theory

[Activity Theory triangle: Tool at the apex; Subject, Object, Transformation Process, Outcome across the middle; Rules, Community, Division of Labor along the base]

53
Research Method:
Activity Theory
Local physician’s office:

Tool: Filing Cabinets
Subject: Nurse; Object: Client File; Outcome: Files stored within reach
Rules: Access Policy; Violations; Discussion of HIPAA Practice
Community: Local Physician’s Office
Division of Labor:
  Receptionist: Organize files; in+out patient; add incoming information; fax relevant information
  Nurse: Annotate file; review client information; return file to receptionist
  Doctor: Annotate file; review client information

Healthcare community:

Tool: Filing Cabinets
Subject: Nurse; Object: Client File; Outcome: Privacy
Rules: Violations; HIPAA
Community: Healthcare Community
Division of Labor: Every person enacts the HIPAA guidelines
54