algorithm: A procedure for solving a mathematical problem in a finite number of steps that frequently involves repetition of an operation. In 1972 the National Bureau of Standards (NBS; now the National Institute of Standards and Technology) identified the need for a data encryption standard for use in unclassified applications. The Data Encryption Standard (DES) represents the first cryptographic algorithm openly developed by the US government and has become an American National Standards Institute (ANSI) standard (number X3.92-1981/R1987). [National Research Council, 1991]

architecture: An arrangement of components intended to fulfil some need. [Tuttle, 1994]

asymmetric encryption: A form of cryptosystem in which encryption and decryption are performed using two different keys, one of which is referred to as the public key and one of which is referred to as the private key. Also known as public-key encryption. [ Stallings, ]

asymmetric key: One half of a key pair used in an asymmetric ("public-key") encryption system. Asymmetric encryption systems have two important properties: (i) the key used for encryption is different from the one used for decryption (ii) neither key can feasibly be derived from the other. [CORBA Security Services, 1997]

attack: The act of aggressively trying to bypass security controls. The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system and the effectiveness of existing countermeasures. [Fites and Kratz, 1993]

An attempt to bypass security controls on a system. An active attack alters data. A passive attack releases data. Whether or not an attack will succeed depends on the vulnerability of the system and the effectiveness of existing countermeasures. [O’Reilly, 1992]

audit: To record independently and later examine system activity (e.g., logins and logouts, file accesses, security violations). See security audit. [O’Reilly, 1992]

audit event: The data collected about a system event for inclusion in the system audit log. [CORBA Security Services, 1997]

audit trail: Data collected and potentially used to facilitate a security audit. [ISO 7498-2].

The chronological set of records that provides evidence of system activity. These records can be used to reconstruct, review, and examine transactions from inception to output of final results. The records can also be used to track system usage and detect and identify intruders. [O’Reilly, 1992]

Documentary evidence of monitoring each operation of individuals on health information. [National Research Council, 1991] Audit trails may be comprehensive or specific to the individual and information. For example, an audit trail may be a record of all actions taken by anyone on a particularly sensitive file. [OTA, 1993]

authentication: The corroboration that an entity is the one claimed. [ISO 7498 - 2].

The process of proving that a subject (e.g., a user or a system) is what the subject claims to be. Authentication is a measure used to verify the eligibility of a subject and the ability of that subject to access certain information. It protects against the fraudulent use of a system or the fraudulent transmission of information. There are three classic ways to authenticate oneself: something you know, something you have, and something you are. [O’Reilly, 1992]

Providing assurance regarding the identity of subject (author) or object (information). [ASTM 1762] Authentication of data origin is corroboration that the source of data is received as is claimed [ASTM E1762] Authentication of user is the provision of assurance of the claimed identity of an individual or entity [ASTM E1762]

authenticity: A security principle that ensures that a message is received in exactly the form in which it was sent. See also message authentication and message authentication code. [O’Reilly, 1992]

authorise: Granting of rights, which includes granting of access based on access rights. [ISO 7498-2]

authorisation: The granting of rights, which includes the granting of access based on access rights. [ISO 7498 - 2]

The mechanism for obtaining consent for the use and disclosure of health information. The American Health Information Management Association has recommended requirements for valid authorisation. Within the context of a computer-based patient record system, these requirements would include that the authorisation: be documented (electronically), be addressed to a specific health care provider, specifically identify the patient, identify the individual or entity authorised to receive the information, identify the information that is to be released, specify the purpose for the disclosure, specify under what conditions the authorisation will expire unless revoked earlier, indicate that the authorisation is subject to revocation, be (electronically) signed by the patient or patient's legal representative, and be dated sometime after the information has been collected. [AHIMA, 1994a]

authorised disclosure: The release of personally identifiable information to a third party upon authorisation. [Abdelhak, 1996]

availability: The property of being accessible and useable upon demand by an authorised entity. [ISO 7498 - 2].

biometrics: The statistical study of biological data. In computer security, the use of unique, quantifiable physiological, behavioural, and morphological characteristics to provide positive personal identification. Examples of such characteristics are fingerprints, retina patterns, and signatures. [O’Reilly]

A biometric identification system identifies a human from a measurement of a physical feature or repeatable action of the individual (e.g., hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature). [ASTM E1762]

breach of confidentiality: Breach of contract as applied to confidentiality refers to an action by an individual which reveals a confidence entrusted to that individual by another without the other's consent. For example, courts have demonstrated a willingness to apply the ethical standards of the medical profession to compel physicians to maintain the confidentiality of information they obtain in the course of treating their patients. [OTA, 1993]

breach of security: Any action by an authorized or unauthorized user which results in a negative impact upon the data in the system or the system itself, or which causes data or services within a system to suffer unauthorized disclosure, modification, destruction, or denial of service. [CPRI, 1995c]

certification: The technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. [O’Reilly, 1992]

The administrative act of approving a system for use in a particular application. [National Research Council, 1991]

certification authority: A party trusted to vouch for the binding between names or identities and public keys. In some systems, certification authorities generate public keys.[CORBA Security Services, 1997]

A trusted issuer of certification. [National Research Council, 1991] (Public key) certificate An agreement that binds a user's name to a public key, signed by a trusted issuer. A framework for the use of public key certificates was defined in Consultative Committee on International Telephony and Telegraphy (CCITT) standard X.509. [National Research Council, 1991] The certificate contains the user's name and public key, the certification authority's name, a serial number, and a validity period. [ASTM E1762]

cipher: An algorithm for encryption and decryption. A cipher replaces a piece of information (an element in cleartext) with another object, with the intent to conceal meaning. Typically, the replacement rule is governed by a secret key. [Stallings, 1995]

ciphertext: The result of applying encryption to input data; encrypted text. [CORBA Security Services, 1997]

checksum: Numbers summed according to a particular set of rules and used to verify that transmitted data has not been modified during transmission. [O’Reilly, 1992]

Digits or bits summed according to arbitrary rules and used to verify the integrity of data. [National Research Council, 1991]

check digit: The resultant representation of a checksum operation. [Verhoeff, 1969]

classification: The hierarchical portion of a sensitivity label. (The non-hierarchical portion is called the "category set" or the "compartments.") A classification is a single level in a stratified set of levels. For example, in a military environment, each of the levels UNCLASSIFIED, CONFIDENTIAL, SECRET and TOP SECRET is more trusted than the level beneath it. When included in a sensitivity label in a system supporting mandatory access controls, a classification is used to limit access to those cleared at that level. [O’Reilly, 1992]

classification level: The security level of information. [National Security Council, 1991] See also sensitivity label.

clearance: A representation of the sensitivity level (the classification and the categories) associated with a user in a system supporting mandatory access controls. A user with a particular clearance can typically access only information with a sensitivity label equal to or lower than the user’s clearance. [O’Reilly, 1992]

clearance level: The security level of an individual who may access information. [National Research Council, 1991]

clinical data/information: Data/information related to the health and health care of an individual collected from or about an individual receiving health care services. Includes a caregiver's objective measurement or subjective evaluation of a patient's physical or mental state of health; descriptions of an individual's health history and family health history; diagnostic studies; decision rationale; descriptions of procedures performed; findings; therapeutic interventions; medications prescribed; description of responses to treatment; prognostic statements; and descriptions of socio-economic and environmental factors related to the patient's health. [CPRI, 1996b; ASTM 1769]

cleartext: Intelligible data; text which has not been encrypted or which has been decrypted using the correct key. Also known as plaintext. [CORBA Security Services, 1997]

closed security environment: An environment in which both of the following conditions are true:

confidential: That which is not freely disclosed; private information which is entrusted to another with the confidence that unauthorised disclosure which would be prejudicial to the individual will not occur. [CPRI, 1994]

confidentiality: A condition in which information is shared or released in a controlled manner. [National Research Council, 1997].

The property that information is not made available or disclosed to unauthorised individuals, entities or processes. [ISO 7498 - 2].

A security principle that keeps information from being disclosed to any one not authorised to access it. [O’Reilly]

The act of limiting disclosure of private matters; maintaining the trust that an individual has placed in one which has been entrusted with private matters. [CPRI, 1995b]

The status accorded to data or information indicating that it is sensitive for some reason, and that therefore it needs to be protected against theft or improper use and must be disseminated only to individuals or organisations authorised to have it. [Ball and Collen, 1992; OTA, 1993]

communications security: Protection of information while it’s being transmitted, particularly via telecommunications. A particular focus of communications security is message authenticity. [Stallings, 1995]

computer-based patient record system: The people, data, rules and procedures, processing and storage devices, and communication and support facilities that provide the capture, storage, processing, communication, security, and presentation of computer-based patient record information. [CPRI, 1995a]

connectivity: The potential (of a computer-based patient record system) to establish links to or interact effectively (with another computer system). [Institute of Medicine, 1994]

consent: The agreement of an individual for a given action relative to the individual. [Huffman, 1985] In health care, consent refers to a communication process between the caregiver and the patient, and may refer to consent for treatment, special procedures, release of information, and advanced directives (which give instructions regarding the patient's wishes in special medical situations {Patient Self-Determination Act, December 1991}). [Abdelhak, 1996] Expressed consent Oral or written agreement. Because it is difficult to prove that oral consent was given, most expressed consent is expected to be recorded with a signature. [Huffman, 1985]

Implied consent An action other than an expressed consent on the part of a patient that demonstrates consent. [Huffman, 1985] For example, the presentation of a person to a caregiver implies to a certain extent consent to at least basic consent. [Abdelhak, 1996]

Informed consent The Veteran's Administration defines that for a consent to be valid, the patient must be informed, which is "a freely given consent that follows a careful explanation by a caregiver to a patient or patient's representative of the proposed diagnostic or therapeutic procedure or course of treatment...the patient should be given the opportunity to ask questions, to indicate comprehension of the information provided, and to grant permission freely and without any coercion for performance of a procedure or course of treatment, as well as the opportunity to withhold or revoke such permission at any time without prejudice." [Huffman, 1985] Regulations promulgated by the Department of Health and Human Services for consent by human subjects in medical treatment (4 CFR Section 46.116) provides that informed consent to release of information should include the elements of disclosure, voluntariness, comprehension, and competence to consent. [OTA, 1993]

contingency plan: A plan for responding to a system emergency. The plan includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster. Synonymous with disaster recovery plan. [O’Reilly, 1992]

countermeasure: An action, device, procedure, technique, or other measure that reduces the vulnerability of a system or a threat to that system. [O’Reilly, 1992]

covert channel: A communications channel that allows a process to transfer information in a way that violates a system’s security policy. [O’Reilly, 1992]

credentials: Information describing the security attributes (identity and/or privileges) of a user or other principal. Credentials are claimed through authentication or delegation and used by access control. [CORBA Security Services, 1997]

cryptanalysis: The branch of cryptology dealing with the breaking of a cipher to recover information, or forging encrypted information that will be accepted as authentic. [Stallings, 1995]

cryptography: The branch of cryptology dealing with the design of algorithms for encryption and decryption, intended to ensure the secrecy and/or authenticity of messages. [Stallings, 1995]

The study of encryption and decryption. From the Greek "kryptos" meaning "hidden" and "graphia" meaning "writing". [O’Reilly, 1992]

The art of keeping data secret, primarily through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again. [National Research Council, 1991]

cryptology: The study of secure communications, which encompasses both cryptography and cryptanalysis. [Stallings, 1995]

cyclic redundancy checks (CRC): A mathematical (polynomial division) means to digitally fingerprint or perform an error check on a block of data. [Prosise, 1996]

data: A sequence of symbols to which meaning may be assigned. [National Research Council, 1991]

data dictionary: Information describing the specifications and location of all data contained in a system. [WEDI, 1992] It provides the central resource for ensuring that standard definitions for data elements and data structures are used throughout the computer system. [Abdelhak, 1996]

data integrity: The property that data has not been undetectably altered or destroyed in an unauthorised manner or by unauthorised users. [CORBA Security Services, 1997]

Data Encryption Standard (DES): A private key encryption algorithm adopted as the federal standard for the protection of sensitive unclassified information and used extensively for the protection of commercial data as well. [O’Reilly, 1992]

decryption: The translation of encrypted text or data (called ciphertext) into original text or data (called cleartext). [Kratz, 1997]. Also called deciphering.

The process of decoding a message so that its meaning becomes obvious. [OTA, 1993]

The transformation of encrypted text (called ciphertext) into original text (called plaintext). Sometimes called "deciphering". [O’Reilly, 1992]

delegation: The act whereby one user or principal authorises another to use his (or her or its) identity or privileges, perhaps with restrictions. [CORBA Security Services, 1997]

denial of service: The prevention of authorised access to resources or the delaying of time-critical operations. [ISO 7498 - 2]

digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the unit and protect against forgery e.g. by the recipient. [ISO 7498 - 2].

An authentication mechanism which enables the creator of a message to attach a code that acts as a signature. The signature guarantees the source and integrity of the message.[Stallings]

An authentication tool that verifies the origin of a message and the identity of the sender and receiver. Can be used to resolve any authentication issues between the sender and receiver. A digital signature is unique for every transaction. [O’Reilly, 1992]

A means to guarantee the authenticity of a set of input data the same way a written signature verifies the authenticity of a paper document. A cryptographic transformation of data that allows a recipient of the data to prove the source and integrity of the data and protect against forgery. Specifically, an asymmetric cryptographic technique in which each user is associated with a public key distributed to potential verifiers of the user's digital signature used to encrypt messages destined for other users, and a private key known only to the user and is used to decrypt incoming messages. To sign a document, the document and private key are input to a cryptographic process which outputs a bit string (the signature). To verify a signature, the signature, document, and user's public key are input to a cryptographic process, which returns an indication of success for failure. Any modification to the document after it is signed will cause the signature verification to fail (integrity). If the signature was computed using a private key other than the one corresponding to the public key used for verification, the verification will fail (authentication). [ASTM E1762]

digitized signature: An electronic image of an actual written signature. A digitized signature looks much the same as the original, but it does not provide the same protection as a digital signature, as they can be forged and copied. [AHIMA, 1996a]. See electronic signature.

disaster plan: A plan the provides direction and guidelines to protect health information from damage, minimise disruption, ensure stability, and provide for orderly recovery in the event of a disaster, such as flood, fire, etc. [AHIMA, 1996b] The Joint Commission on Accreditation of Healthcare Organisations requires that accredited facilities develop a management plan that addresses emergency preparedness. [Joint Commission, 1996]

disaster recovery: The process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. [CPRI, 1996c]

disaster recovery plan: See contingency plan.

disclosure: The release of information to third parties within or outside the health care provider organisation from an individual's record with or without the consent of the individual to whom the record pertains. There are a multitude of internal and external users of health information for which various policies of disclosure may apply. For instance, when patients present to a health care facility or provider for treatment, it is reasonable to assume that they are authorising the caregiver to have information about their condition and treatment. However, such assumption should not extend to all employees of a health care provider organisation, but only those with a need to know. Disclosures for quality monitoring, educational purposes, research, administrative purpose, payment purposes, attorneys, law enforcement personnel and agencies, family members, and the patients themselves all must be conducted according to institutional policies. [CPRI, 1995b; CPRI, 1995c]

discretionary access control (DAC): An access control policy regime wherein the creator of a resource is permitted to manage its access control policy information. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control). [O’Reilly, 1992]

domain: The set of objects that a subject is allowed to access. [O’Reilly, 1992]

eavesdropping: Unauthorised interception of information. Usually refers to passive interception (receiving information), rather than active interception (changing information). [O’Reilly, 1992]

electronic signature: The attribute that is affixed to an electronic document to bind it to a particular entity. An electronic signature process secures the user authentication (proof of claimed identity, such as by biometrics {fingerprints, retinal scans, hand written signature verification, etc.}, tokens or passwords) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognised and proven) and supply additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer. There are several technologies available for user authentication, including passwords, cryptography, and biometrics. [ASTM 1762]

encryption: The cryptographic transformation of data to produce ciphertext. [ISO 7498-2].

The process of encoding a message so that its meaning is not obvious. [OTA, 1993]

end-to-end encryption: A type of encryption in which a message is encrypted when it is transmitted and is decrypted and then encrypted again each time it passes through a network communications node. Sometimes called "online encryption". Contrast with link encryption.

erasure: Removal of signals recorded on magnetic media. Simply reinitialising a disk or tape doesn’t erase data; it simply makes the data harder to access. Someone who knows how to bypass ordinary volume checking mechanisms may still be able to access sensitive data on reinitialised disks or tapes. [O’Reilly, 1992]

fingerprint system: A biometric system that compares a fingerprint pattern with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]

firewall: A dedicated computer equipped with safeguards that acts as a single, more easily defined, Internet connection [Cheswick and Bellovin, 1994]

freedom of information act: Requires that records pertaining to the executive branch of the federal government be available to the public except for matters that fall within exempted areas, including "medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." [U.S.C. §552]

functional requirements: A statement of the system behaviour needed to enforce a given policy. Requirements are used to derive the technical specification of a system. [National Security Council, 1991]

gateway: Typically, a system that is attached to two systems, devices, or networks that otherwise do not communicate with each other. Communications from one system or network to another are routed through the gateway. A gateway system may be used as a guardian or "firewall" between trusted and untrusted systems or networks. The gateway filters out any information that’s not allowed to pass from the trusted system to the untrusted system or network, or vice versa. [O’Reilly, 1992]

A device in the computer communications environment that directs information traffic. Gateways are often employed to connect a network under the control of one organisation (an internal network) to a network controlled by another organisation (an external network such as a public network). Thus gateways are natural points at which to enforce access control policies. [National Research Council, 1991]

granularity: The relative fineness or coarseness by which a mechanism may be adjusted. [CORBA Security Services, 1992]

An expression of the relative size of a unit. The smallest discrete information that can be directly retrieved. [ASTM E1769]

In security, degree of protection. Protection at the file level is considered coarse granularity, whereas protection at the field level is finer granularity. Granularity at a single user is fine granularity because it means the access-control mechanism can be adjusted to include or exclude any single user. [Fites and Kratz, 1993]

hash function: A function that maps a variable-length data block or message into a fixed-length value called a hash code. The function is designed in such a way that, when protected, it provides an authenticator to the data or message. Also referred to as a message digest. [Stallings, 1995]

A function which maps strings of bits to fixed-length strings of bits satisfying that it is computationally infeasible to find for a given output an input which maps to this output and computationally infeasible to find for a given input a second input which maps to the same output. [ASTM E1762] One-way hash function A (mathematical) function that is comparatively easy to compute but, when knowing a result, it is computationally infeasible to find any of the values that my have been supplied to obtain it. [ASTM E1762]

health care data: Data which are input, stored, processed or output by the automated information system which support the business functions of the Health care Establishment. These data may relate to person identifiable records or may be part of an administrative system where persons are not identified.

administrative data/information: Data/information collected during the course of a health care event unrelated to the status of the individual's health or health care. Includes demographics, provider identification, caregiver identification, date and time of care, and other such data providing the who, what, when, and where of data capture. [CPRI, 1995a].

clinical data/information: Data/information related to the health and health care of an individual collected from or about an individual receiving health care services. Includes a caregiver's objective measurement or subjective evaluation of a patient's physical or mental state of health; descriptions of an individual's health history and family health history; diagnostic studies; decision rationale; descriptions of procedures performed; findings; therapeutic interventions; medications prescribed; description of responses to treatment; prognostic statements; and descriptions of socio-economic and environmental factors related to the patient's health. [CPRI, 1996b; ASTM 1769]

identification: The process of telling a system the identity of a subject (e.g., a user or another system). Usually, this is done by entering a name or presenting a token to the system. See also authentication. [O’Reilly, 1992]

impersonation: Posing as an unauthorised user, usually in an attempt to gain access to a system. Synonymous with masquerade. [O’Reilly, 1992]

information: Data to which meaning is assigned, according to context and assumed conventions. [National Security Council, 1991]

integrity: The property that data has not been altered or destroyed in an unauthorised manner. [ISO 7498 - 2].

A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally. Integrity protects against forgery or tampering.[O’Reilly]

The property that an object (health data or information) only in a specified and authorised manner. Data integrity (the accuracy and completeness of the data [Ball and Collen, 1992]) , program integrity, system integrity, and network integrity are all relevant to consideration of computer and system security. [National Research Council, 1991]

IETF: Internet Engineering Task Force. Reviews and issues Internet standards. [CORBA Security Services, 1997]

intruder: An individual who gains, or attempts to gain, unauthorised access to a computer system or to gain unauthorised privileges on that system. [Stallings, 1995]

kerberos: The name given to Project Athena’s code authentication service. [Stallings, 1995]

key: In cryptography, a secret value that’s used to encrypt and decrypt messages. A sequence of symbols (often a large number) that’s usually known only to the sender and the receiver of the message. See also private key encryption and public key encryption. [O’Reilly, 1992]

An input that controls the transformation of data by an encryption algorithm [National Research Council, 1991]

link encryption: A type of encryption in which a message is encrypted when it is transmitted and is decrypted when it is received. Contrast with end-to-end encryption.[O’Reilly, 1992]

logic bomb: Logic embedded in a computer program that checks for a certain set of conditions to be present on the system. When these conditions are met, the logic bomb executes some function that results in unauthorised actions. [Stallings, 1995]

login: The process of identifying oneself to, and having one’s identity authenticated by, a computer system. [O’Reilly, 1992]

longitudinal/lifetime patient record: The concept of access to health information across an individual's lifetime. [Dick and Steen, 1991] A permanent, co-ordinated record of significant information, in chronological sequence. It may include all historical data collected or be retrieved as a user designated synopsis of significant demographic, genetic, clinical, and environmental facts and events maintained within an automated system. [ASTM E1384]

MAC: Mandatory Access Control - an access control regime wherein resource access control policy information is always managed by a designated authority, regardless of who creates the resources. [CORBA Security Services, 1997]

A means of restricting access to objects that is based on fixed security attributes assigned to users and to files and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs. [Stallings, 1995] Contrast with discretionary access control.

masquerade: Posing as an authorised user, usually in an attempt to gain access to a system. Synonymous with impersonation. [O’Reilly, 1992]

master patient index (MPI): The means for locating a patient record in a numeric identification system. [Abdelhak, 1996] It has generally referred to an index within a given health care facility, in which case it serves as a patient directory. [CPRI, 1996a]

mechanism: A specific implementation of security services, using particular algorithms, data structures, and protocols. [CORBA Security Services, 1997]

message authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent. [O’Reilly, 1992]

message authentication code: A code calculated during encryption and appended to a message. If the message authentication code calculated during decryption matches the appended code, the message was not altered during transmission. [O’Reilly, 1992] Sometimes the acronym "MAC" is used for message authentication code.

message digest: Hash function. [Stallings, 1995]

model: See security model.

need to know: A security principle stating that a user should have access only to the data he or she needs to perform a particular function. [O’Reilly, 1992]

non-repudiation: The provision of evidence which will prevent a participant in an action from convincingly denying his responsibility for the action. [CORBA Security Services, 1997]]

Proof (to a third party) that only the signer could have created a signature. A basis of legal recognition of electronic signatures. [ASTM E1762]

object: From the Orange Book definition: "A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, files, processors, video displays, keyboards, clocks, printers, network nodes, etc." [O’Reilly, 1992]

one-time cipher: A type of encryption in which a cipher is used only once. Two copies of a pad are created; one coy goes to the sender, and the other to the recipient. The pad contains a random number for each character in the original message. The pad is destroyed after use. Sometimes called a "one-time- pad". [O’Reilly, 1992]

open security environment: An environment in which at least one of the following conditions is true:

open systems architecture: Use of standardised technology and structures for hardware, operating system, data bases, fault tolerances, and networking and communications transport. [ASTM E1769]

operational assurance: Confidence that a trusted system’s architecture and implementation enforce the system’s security policy. In the Orange Book, the set of operational assurances includes system architecture, system integrity, covert channel analysis, and trusted recovery. [O’Reilly, 1992]

Orange Book: Common name for the Department of Defense document that is the basic definition of the Trusted Computer System Evaluation Criteria (US DOD, 1985d). The Orange Book provides criteria for the evaluation of different classes of trusted systems and is supplemented by many documents relating to its extension and interpretation. [National Research Council, 1991]

ownership: It is a generally accepted principle that the primary patient record is maintained and owned by the health care provider. This principle is established by statutes and licensing regulations in many states, which grant the provider control over the physical document, but give the patient ownership-type rights to the information contained in the record. Therefore, the patient generally has control over the release of patient-identifiable (confidential) information, except in circumstances identified by case law, by federal or state statutes and regulations, and by provider policy. [CPRI, 1994]

passive threat: A type of threat that involves the interception, but not the alteration, of information. For example, a passive tap is a type of wiretapping that involves eavesdropping, monitoring, and/or recording of information, but not the generation of false messages or control signals. The danger of a passive threat is primarily the secrecy of the information being transmitted. Contrast with active threat. [O’Reilly, 1992]

The threat of unauthorised disclosure of information without changing the state of the system. [CORBA Security Services, 1997]

password: Confidential authentication information composed of a string of characters. [ISO 7498 - 2]

A sequence that an individual presents to a system for purposes of authentication. [National Research Council, 1991]

penetration: A successful,, unauthorised access to a computer system. [O’Reilly, 1992]

personally identifiable health information: Health information which contains an individual's identifiers (e.g., name, social security number, birth date) or contains a sufficient number of variable to allow identification of an individual. [OTA, 1993, Institute of Medicine, 1994 ]

personal identification number (PIN): A number or code of some kind that’s unique to an individual and can be used to provide identity. Often used with automatic teller machines and access devices. [O’Reilly, 1992]

Typically used in connection with automated teller machines to authenticate a user. [National Research Council, 1991]

physical security: Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Also covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities. [O’Reilly, 1992]

The measures used to provide physical protection of resources against deliberate and accidental threats. [CORBA Security Services, 1997]

plaintext: The input to an encryption function or the output of a decryption function. See cleartext. [O’Reilly, 1992]

primary patient record (primary record of care): The primary legal record documenting the health care services provided to a person in any aspect of health care delivery. This term is synonymous with medical record, health record, primary patient record, client record, and residence record; when stored in a computer system and used by caregivers while providing patient care services to review patient data, receive decision support, and document their own observations, actions, or instructions synonymous with all terms associated with computer-based patient record. [ASTM E1384; CPRI, 1996d]

principal: A user or programmatic entity with the ability to use the resources of a system. [CORBA Security Services, 1997]

privacy: An individual’s desire to limit the disclosure of personal information.[NRC,1997]

The right of individuals to keep information about themselves from being disclosed to anyone. [CPRI, 1995c] As set forth by Samuel Warren and Louis Brandeis in a 1890 article that first enunciated the concept of privacy as a legal interest deserving an independent remedy, privacy was described as "the right to be let alone." Further, Alan Westin conceived of privacy as "an instrument for achieving individual goals of self realisation." [OTA, 1993] Ball and Collen describe privacy as the right of an individual to be left alone, to withdraw from the influence of the environment; to be secluded, not annoyed, and not intruded upon by extension of the right to be protected against physical or psychological invasion or against the misuse or abuse of something legally owned by an individual or normally considered by society to be property. [Ball and Collen, 1992]

A security principle that protects individuals from the collection, storage, and dissemination of information about themselves and the possible compromises resulting from unauthorised release of that information. [O’Reilly, 1992]

Privacy Act of 1974: Grants people certain rights to information collected about them by the federal government and its agencies. Rights include finding out what information has been collected, to see and have a copy of the information, to correct or amend the information, and to exercise limited control of the disclosure of that information to other parties. [U.S.C. §552a(b), 1977]

private key: One of the two keys used in an asymmetric encryption system. For secure communication, the private key should be known only to its creator.[Stallings, 1995]

A key in an asymmetric algorithm; the possession of this key is restricted, usually to one entity. [ASTM E1762]

private-key encryption: A type of encryption that uses a single key to both encrypt and decrypt information. Also called symmetric, or single-key, encryption. contrast with public key encryption. [O’Reilly, 1992]

privilege: A right granted to a user, a program, or a process. For example, certain users may have the privileges that allow them to access certain files in a system. Only the system administrator may have the privileges necessary to export data from a trusted system. [O’Reilly, 1992]

A security attribute which need not have the property of uniqueness, and which thus may be shared by many users and other principals. Examples of privileges include groups, roles, and clearances. [CORBA Security Services, 1997]

The individual's right to hold private and confidential the information given to a health care provider in the context of a professional relationship. The individual may by overt act of consent or by other means waive the right to privilege. For example, if a patient brings a lawsuit against a facility and the records are needed to present the facility's case, the privilege is waived. [Fites and Kratz, 1993]

proof of delivery: Non-repudiation evidence demonstrating that a message or data has been delivered. [CORBA Security Services, 1997]

proof of origin: Non-repudiation evidence identifying the originator of a message or data. [CORBA Security Services, 1997]

proof of receipt: Non-repudiation evidence demonstrating that a message or data has been received by a particular party. [CORBA Security Services, 1997]

proof of submission: Non-repudiation evidence demonstrating that a message or data has been submitted to a particular principal or service. [CORBA Security Services, 1997]

protection boundary: The domain boundary within which security services provide a known level of protection against threats. [CORBA Security Services, 1997]

protocol: A set of rules and formats for the exchange of information, particularly over a communications network. [O’Reilly, 1992] Examples include X12 and HL7.

Protocol Data Unit (PDU): The data fields of a protocol message, as distinguished from the protocol header and trailer fields. [CORBA Security Services, 1997]

public key: One of the two keys used in an asymmetric encryption system. The public key is made public, to be used in conjunction with a corresponding private key.[Stallings, 1995]

In a public-key (asymmetric) cryptosystem, the component of a key pair which is revealed. [CORBA Security Services, 1997]

A key in an asymmetric algorithm, that is publicly available. [ASTM E1762]

public-key cryptosystem: An encryption system which uses an asymmetric-key (q.v.) cryptographic algorithm. [CORBA Security Services, 1997]

public-key encryption: A type of encryption that uses two mathematically related keys. The public key is known within a group of users. The private key is known only to its owner. Asymmetric encryption. Contrast with private key encyption. [O’Reilly, 1992]

read: An operation involving the flow of information from an object to a subject. It does not involve the alteration of that information. [O’Reilly, 1992]

recovery: The restoration of an information system back to an error-free and secure state from which normal operation can resume. [O’Reilly, 1992]

redisclosure: The disclosure by a third party recipient of disclosed health information without the authorisation of the patient. [Abdelhak, 1996]

release of information: The disclosure of documents containing patient-identifiable information to a third party requester. [Huffman, 1985]

reliability: A measure of consistency of data items based on their reproducibility and an estimation of their error of measurement. [Institute of Medicine, 1994]

replay: The recording of a legitimate message and the later, unauthorised resending of the message. [O’Reilly, 1992]

repudiation: The denial by a message sender that the message was sent, or by a message recipient that the message was received. [O’Reilly, 1992]

Denial by one of the entities involved in a communication of having participated in all or part of the communication. [ASTM 1762]

residue: Data left in storage or on a medium before the data has been rewritten or eliminated in some other way. [O’Reilly, 1992]

retina system: A biometric system that compares a retina blood vessel pattern with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]

retention: The maintenance and preservation of information in some form (e.g., paper, microfilm, or electronic storage) for a given period of time. [Abdelhak, 1996] There are no federal laws outlining time frames for the retention of health information. Many states, however, have specific requirements, and these, as well as the statutes of limitation, Medicare Conditions of Participation, and use for patient care, legal, research, or educational purposes, should be used as a basis for developing a retention policy. [AHIMA, 1994]

right: A named value conferring the ability to perform actions in a system. Access control policies grant rights to principals (on the basis of their security attributes); in order to make an access control decision, access decision functions compare the rights granted to a principal against the rights required to perform an operation.[CORBA Security Services, 1997]]

risk: The aggregate effect of the likelihood of occurrence of a particular threat with the degree of vulnerability to that threat and the potential consequences of the impact to the organisation if the threat did occur.[Stallings, 1995]

risk assessment: An analysis of a system’s information needs and vulnerabilities to determine how likely they are to be exploited in different ways and the costs of losing and/or recovering the system or its information. [O’Reilly, 1992]

role: A privilege attribute representing the position or function a user represents in seeking security authentication. A given human being may play multiple roles and therefore require multiple role privilege attributes.[CORBA Security Services, 1997]

RSA Algorithm: An asymmetric encryption algorithm invented by Ron Rivest, Adi Shamir, and Len Adelman. A public-key algorithm based on exponentiation in modular arithmetic. It is the only algorithm generally accepted as practical and secure for public-key encryption.[Stallings, 1995]

A public key crypto-system, invented and patented by Ronald Rivest, Adi Shamir, and Leonard Adelman, based on large prime numbers. [National Security Council] RSA is the most well-known asymmetric algorithm. [ASTM E1762]

safety: The property that a system will satisfy certain criteria related to the preservation of personal and collective freedom from risk. [National Research Council, 1991]

sanitizing: The overwriting of sensitive information. On magnetic media, degaussing. Sometimes called "scrubbing". [O’Reilly, 1992]

seal: To encrypt data for the purpose of providing confidentiality protection. [CORBA Security Services, 1997]

secondary record: A record that is derived from the primary record and contains selected data elements. [ASTM E1384]

secrecy: The intentional concealment or withholding of information [OTA, 1993]

A security principle that keeps information from being disclosed to anyone not authorised to access it. Synonymous with confidentiality. [O’Reilly, 1992]

secret key: A key in a symmetric algorithm; the possession of this key is restricted, usually to two entities. [ASTM E1762]

secret-key cryptosystem: A cryptosystem which uses a symmetric-key (q.v.) cryptographic algorithm. [CORBA Security Services, 1997]

secure time: A reliable Time service that has not been compromised, and whose messages can be authenticated by their recipients. [CORBA Security Services, 1997]

security: The combination of availability, confidentiality, integrity and accountability. Freedom from risk or danger. Safety and the assurance of safety.[O’Reilly, 1992]]

Means to control access and protect information from accidental or intentional disclosure to unauthorised persons and from alteration, destruction, or loss. [CPRI, 1995b] Protection of information systems against unauthorised access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorised users or the provision of service to unauthorised users, including those measures necessary to detect, document, and counter such threats. [National Security Council] Data/information security The result of effective protection measures that safeguard data/information from undesired occurrences and exposure to accidental or intentional disclosure to unauthorised persons, accidental or malicious alteration, unauthorised copying, loss by theft and/or destruction by hardware failures, software deficiencies, operating mistakes, or physical damage by fire, water, smoke, excessive temperature, electrical failure, or sabotage. [Institute of Medicine, 1994] The protection of the integrity, availability, and confidentiality of computer-based information and resources used to enter, store, process, and communicate it. [NIST, 1994]

security audit: An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policies and operational procedures, to detect security breaches and to recommend any indicated changes in control policy and procedures. [ISO 7498 - 2]

The facility of a secure system which records information about security-relevant events in a tamper-resistant log. Often used to facilitate an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend changes in control, policy and procedures. [CORBA Security Services, 1997]

security breach: The unauthorised disclosure, destruction, modification or withholding of information. [Stallings, 1995]

security domain: A set of information system assets for which an organisation (or user) has responsibility for the implementation and maintenance of security. [Stallings, 1995]

security education program: The systematic, defined method to provide information and to teach skills related to all activities of the organisation related to information security. A complete information security education program addresses policies, standards, training, controls, risk assessment, auditing and monitoring, and assigned responsibility for management of the program. [CPRI, 1995c]

security level: A representation of the sensitivity of information, derived from a sensitivity label (consisting of a classification and categories). [O’Reilly, 1992]

security manager: The person assigned responsibility for management of the organisation's security program. [CPRI, 1996c]

security model: A precise statement of the security rules of a system. [O’Reilly, 1992]

security objective: A statement of intent to counter a given threat or enforce a given organisational security policy. [Common criteria]

security perimeter: An imaginary boundary between the Trusted Computing Base (inside the perimeter) and other system functions (outside the perimeter). In a networking environment, sometimes used to refer to the boundary between trusted and untrusted systems and networks. [O’Reilly, 1992]

security policy: A statement of the set of rules, measures and procedures that determine the physical, procedural and personnel security controls imposed on the management, distribution and protection of assets.[Stallings, 1995]

The framework within which an organisation establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organisation commitment for a system. It is a set of laws, rules, and practices that regulate how an organisation manages, protects, and distributes sensitive information. [OTA, 1993] The American Health Information Management Association recommends that security policies apply to all employees, medical staff members, volunteers, students, faculty, independent contractors, and agents. [AHIMA, 1996c]

From the Orange Book definition: "The set of laws, rules, and practices that regulate how an organisation manages, protects, and distributes sensitive information. [O’Reilly, 1992]

The data which defines what protection a system’s security services must provide. There are many kinds of security policy, including access control policy, audit policy, message protection policy, non-repudiation policy, etc. [CORBA Security Services, 1997]

security service: Code that implements a defined set of security functionality. Security services include Access Control, Audit, Non-repudiation, and others. [CORBA Security Services, 1997]

security target: The statement of security requirements and functional specifications to be used as baseline for an evaluation. [ITSEC]

sensitive information: Information that, if lost or compromised, would negatively affect the owner of the information, would jeopardise the ability of the system to continue processing, and/or would require substantial resources to recreate. According to the U.S. government (NTISSP 2), "information the disclosure, alteration, loss, or destruction of which could adversely affect national security or other federal government interests". [O’Reilly, 1992]

sensitivity: The degree of importance assigned to information denoting its need for protection against confidentiality related security breaches.

sensitivity label: A security level associated with the content of the information. [National Security Council] Society has historically considered information which has a heightened potential for causing harm to the patient or data subject, or to others, such as the subject's spouse, children, friends, or sexual partners. The degree to which the information will cause public humiliation, stigmatisation, lost employment, insurance problems, or loss of family and friends all contributes to it being identified as "sensitive." Records that contain information about socially or politically prominent persons have also been accorded special protections. Society is beginning to attribute special sensitivity to any and all health information. [Kunitz and Associates, Inc., 1995]

A label representing the security level of an object and describing the sensitivity of the data in the object. The label consists of two parts: a hierarchical classification and a set of non-hierarchical categories or compartments. In systems supporting mandatory access controls, sensitivity labels determine whether a particular subject will be allowed to access a particular object. [O’Reilly, 1992]

signature system: A biometric system that compares a signature with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]

smart card: An access card containing encoded information and sometimes a microprocessor and a user interface. The information on the code, or the information generated by the processor, is used to gain access to a facility or a computer system. [O’Reilly, 1992]

spoof: A trick that causes an authorised user to perform an action that violates system security or that gives away information to an intruder. [O’Reilly, 1992]

subject: From the Orange Book definition: "An active entity, generally in the form of a person, process, or device that causes information to flow among objects or change the system state. [O’Reilly, 1992]

symmetric encryption: A form of cryptosystem in which encryption and decryption are performed using the same key. Also known as conventional encryption. [Stallings, 1995]

symmetric key: The key used in a symmetric ("secret-key") encryption system. In such systems, the same key is used for encryption and decryption. [CORBA Security Services, 1997]

system security: The result of all safeguards including hardware, software, personnel policies, information practice policies, disaster preparedness, and oversight of these components. [Institute of Medicine, 1994]

system security administrator: The person who controls access to computer systems by entering commands to perform such functions as assigning user access codes and privileges, revoking user access privileges, and setting file protection parameters. [CPRI, 1996c]

strong authentication: Authentication by means of cryptographically derived credentials. [ISO/IEC 9594- 8]

technical specification: A technical description of the desired behaviour of a system, as derived from its requirements. A specification is used to develop and test an implementation of a system. [National Research Council, 1991]

threat: An action or event that might prejudice security. [ITSEC]

A possible danger to a computer system. See also active threat and passive threat. [O’Reilly, 1992]

The potential for exploitation of a vulnerability. [National Research Council, 1991]

token: When used in the context of authentication, a physical device necessary for user identification. [National Research Council, 1991]

A physical item that’s used to provide identity. Typically an electronic device that can be inserted in a door or a computer system to gain access. [O’Reilly, 1992]

traced delegation: Delegation wherein information about the initiator and all intervening intermediates is available to each recipient in the call chain, or to the authorisation subsystem controlling access to each recipient. [CORBA Security Services, 1997]

traffic: The message flow across a network. Analysis of message characteristics (e.g., length, frequency, destination) can sometimes provide information to an eavesdropper. [O’Reilly, 1992]

transmission: The exchange of data between person and program, or program and program, when the sender and receiver are remote from each other. [Longley, 1987]

trap door: Secret undocumented entry point into a program, used to grant access without normal methods of access authentication. [Stallings, 1995]

A hidden mechanism that allows normal system protection to be circumvented. Trap doors are often planted system developers to allow them to test programs without having to follow security procedure or other user interfaces. They are typically activated in some unobvious way (elg., by typing a particular sequence of keys). [O’Reilly, 1992]

Trojan horse: A type of programmed threat. An independent program that appears to perform a useful function but that hides another unauthorised program inside it. When an authorised user performs the apparent function, the Trojan house performs the unauthorised function as well (often usurping the privileges of the user). [O’Reilly, 1992]

trust: Reliance on the ability of a system to meet its specifications. [O’Reilly, 1992]

trust model: A description of which components of the system and which entities outside the system must be trusted, and what they must be trusted for, if the system is to remain secure. [CORBA Security Service, 1997]

trusted code: Code assumed to always perform some specified set of operations correctly. [CORBA Security Services, 1997]

TCSEC: Trusted Computer System Evaluation Criteria (a U.S. Department of Defence Standard specifying requirements for secure systems). [CORBA Security Services, 1997]

Trusted Computing Base (TCB): From the Orange Book definition: "The totality of protection mechanisms within a computer system - including hardware, firmware, and software - the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user’s clearance) related to the security policy. [O’Reilly, 1992]

Trusted Computing Base. The portion of a system which must function correctly in order for the system to remain secure. A TCB should be tamper-proof and its enforcement of policy should be non-circumventable. Ideally a system’s TCB should also be as small as possible, to facilitate analysis of its integrity. [CORBA Security Services, 1997]

trusted distribution: The process of distributing a trusted system in a way that assures that the system that arrives at the customer site is the exact, evaluated system shipped by the vendor. [O’Reilly, 1992]

trusted facility management: The management of a trusted system in a way that assures separation of duties (e.g., separate operator, system administrator, and security administrator roles), with duties clearly delineated for each role. [O’Reilly, 1992]

trusted path: A mechanism that allows a terminal user to communicate directly with the Trusted Computing Base. The mechanism can be activated only by the person or the TCB and cannot be initiated by untrusted software. With a trusted path, there is no way an intermediary program can mimic trusted software. [O’Reilly, 1992]

trusted recovery: The set of procedures involved in restoring a system and its data in trusted fashion after a system crash or some other type of system failure. [O’Reilly, 1992]

trusted system: A system believed to enforce a given set of attributes to a stated degree of assurance (confidence). [National Research Council, 1991]

A system designed and developed in accordance with Orange Book criteria and evaluated according to those criteria. [O’Reilly, 1992]

A computer and operating system that can be verified to implement a given security policy. [Stallings, 1995]

universal identifier: A means to provide positive recognition of a particular individual for all people in a population. A universal health care or patient identifier provides the identifier for use in health care transactions. [ASTM E1714]

user: A human being using the system to issue requests to objects in order to get them to perform functions in the system on his behalf. [CORBA Security Services, 1997]

A person or a process who accesses a computer system. [O’Reilly, 1992]

validity: The extent to which data correspond to the actual state of affairs or an instrument that measures what it purports to measure. Validity concerns relate to the issue of whether analyses done on a given database are appropriate for the questions being asked and whether those analyses will provide defensible answers that are internally consistent and externally generalizable. [Institute of Medicine, 1994]

virus: A computer program, typically hidden, that attaches itself to other programs and has the ability to replicate. In personal computers, "viruses" are generally Trojan horse programs that are replicated by inadvertent human action and which when executed result in undesired side effects generally unanticipated by the user.

A type of programmed threat. A code fragment (not an independent program) that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over system resources which are then not available to authorised users. [O’Reilly, 1992]

Code embedded within a program that causes a copy of itself to be inserted in one or more other programs. In addition to propagation, the virus usually performs some unwanted function. [Stallings, 1995]

voice system: A biometric system that compares a vocal pattern with a stored pattern to determine whether there’s a match. [O’Reilly, 1992]

vulnerability: A security weakness due to failures in analysis, design, implementation or operation. [ITSEC]

A weakness in a system that can be exploited to violate the system's intended behaviour. There may be security, integrity, availability, and other vulnerabilities. The act of exploiting a vulnerability represents a threat, which has an associated risk of being exploited. [National Research Council, 1991]

worm: Program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. [O’Reilly, 1992]