Security and Privacy
Overview
Security and privacy have similar connotations, but they are not quite the same
Security - broadly refers to the protection of an individual, organization, network, etc. from threats.
Privacy - A right of individuals
Privacy
The ability of individuals to seclude themselves from others and to manage their own information (i.e. the info that pertains to them).
When something is considered private, that generally means it is of some inherently sensitive or special nature to the person
Privacy can also include bodily integrity - the ability to seclude oneself from bodily harm, invasion, nonconsensual medical operations / donations, etc.
In many countries, the right not to be subjected to unsanctioned invasions of privacy by the government, corporations or individuals is built into the law.
In the US, the right of privacy is built into the Fourth Amendment.
In some cases, the concept of public interest can affect the right to privacy
For example, in the case Bartnicki v. Vopper, it was determined that a media outlet cannot be held liable for publishing information that another party illegally obtained (even if the outlet knows it was illegally obtained).
In this case, the freedom of speech and press, and the public interest in the published information, outweighed the individual’s right to privacy.
One of the most important exceptions to the right to privacy is voluntary consent
Although certain information may be considered private, the individual to whom it pertains can still choose to surrender that privacy.
This may be necessary to use some services, or may be motivated by incentives such as discounts or other financial rewards.
Personally Identifiable Information (PII) - information that can be used to identify an individual.
Some Examples:
SSN
Your Name
Address
PIN #
Physical ID
Medical Records
Direct Identifier - Information that can unilaterally identify an individual
Quasi-Identifier / Pseudo-Identifier - Information that normally cannot identify an individual, but can do so when combined with other information
When enough quasi-identifiers are combined to identify an individual, they may be considered PII.
Some examples of quasi-identifiers:
Hair Color
Height
Gender
Zip Code
Aesthetics
Occupation
Approximate Location
Medical Condition
In a study by Carnegie Mellon University, it was determined that 87% of the US population could be identified by their sex, date of birth, and ZIP code.
At the time of publication, that was around 216 million people
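The CMU finding above is a re-identification risk that can be measured on any dataset before it is released: group the records by their quasi-identifier values and see how small the groups get (the "k" of k-anonymity; k = 1 means a record is unique on those fields). The following is an added example, not part of the original notes, run over a small constructed set of fictional records; the record values, field names and the generalization rule (year-only date of birth, 3-digit ZIP prefix) are all assumptions chosen to illustrate the point.

```python
from collections import Counter

# Constructed sample records (fictional people). Each quasi-identifier on
# its own is shared by several records; the combination is unique.
RECORDS = [
    {"sex": "F", "dob": "1984-03-12", "zip": "15213", "condition": "asthma"},
    {"sex": "F", "dob": "1984-09-01", "zip": "15217", "condition": "none"},
    {"sex": "M", "dob": "1984-03-12", "zip": "15213", "condition": "diabetes"},
    {"sex": "M", "dob": "1984-11-20", "zip": "15217", "condition": "none"},
    {"sex": "F", "dob": "1979-11-02", "zip": "15213", "condition": "hypertension"},
    {"sex": "F", "dob": "1979-02-14", "zip": "15217", "condition": "none"},
    {"sex": "M", "dob": "1979-11-02", "zip": "15217", "condition": "none"},
    {"sex": "M", "dob": "1979-06-05", "zip": "15213", "condition": "asthma"},
]


def equivalence_classes(records, keys):
    """Group records by the tuple of their values for the given quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def unique_fraction(records, keys):
    """Fraction of records whose quasi-identifier combination is unique (k == 1)."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for count in classes.values() if count == 1)
    return singletons / len(records)


def k_anonymity(records, keys):
    """Size of the smallest group sharing the same quasi-identifier values.

    A release is k-anonymous for these fields when every record is
    indistinguishable from at least k-1 others on them.
    """
    if not records:
        return 0
    return min(equivalence_classes(records, keys).values())


def generalize(record):
    """Data-minimization step: keep only the year of birth and a 3-digit ZIP prefix.

    The generalization rule is an assumption for this example; real releases
    choose it per dataset.
    """
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:3]}


def risk_report(records):
    """Compare identifiability of single fields, the full combination, and the generalized data."""
    full = ("sex", "dob", "zip")
    generalized = [generalize(r) for r in records]
    return {
        "sex": k_anonymity(records, ("sex",)),
        "zip": k_anonymity(records, ("zip",)),
        "sex+zip": k_anonymity(records, ("sex", "zip")),
        "sex+dob+zip": k_anonymity(records, full),
        "sex+dob+zip unique fraction": unique_fraction(records, full),
        "generalized sex+dob+zip": k_anonymity(generalized, full),
        "generalized unique fraction": unique_fraction(generalized, full),
    }


if __name__ == "__main__":
    for label, value in risk_report(RECORDS).items():
        print(f"{label:30} {value}")
```

On this constructed data, sex and ZIP each leave every record in a group of four, sex plus ZIP still gives groups of two, but adding the exact date of birth makes every record unique. Coarsening date of birth and ZIP before release brings the smallest group back up to two, which is the minimization idea behind the FIPPs principles later in these notes.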
PII breach - occurs when PII data is mishandled, exposed, accessed by an unauthorized party, or becomes otherwise compromised.
If attackers gain access to PII, they can use it to commit identity theft / fraud, inform future attacks, or sell the information for profit.
PHI (Protected Health Information) - you know what this is
Information that would not constitute PHI include:
Number of steps walked on a pedometer
Number of calories burned during exercise
Blood sugar *
Blood pressure *
Heart rate *
* in the absence of PII to link to a patient
HIPAA regulates the use and disclosure of PHI by “covered entities”
Covered entities include:
Health Care Providers: Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.
Health Plans: Health insurance companies, health maintenance organizations, company health plans, Medicare, Medicaid, military and veteran health care programs
Health Care Clearinghouses: Entities involved in the exchange of data between health care providers and health plans, for purposes such as error checking
Business Associates: Consultants, medical transcriptionists, audit groups
Subcontractors: Entities whose services are used by business associates in the performance of their duties (ex. third-party data storage, IT support, etc.)
Covered entities must provide patients with a Notice of Privacy Practices (NPP) that details the ways in which the entity can (and cannot) use and disclose the patient's data
In most circumstances patients have a right to view their PHI, to inspect for errors, and to request that changes be made
Patients can also specify the means (medium, location) by which PHI should be provided to them. For example, a patient could specify that they be called only on their cell phone, and not on their home phone.
Fair Information Practice Principles (FIPPS) - a set of eight principles that inform privacy policies in both the government and the private sector
based on the Privacy Act of 1974
Principle 1: Data Quality & Integrity
Any PII collected should be relevant to the purposes identified for its use and should be accurate, complete, and up-to-date
Principle 2: Collection Limitation / Data Minimization
PII should be collected solely for the specified purpose, and retained only for as long as is necessary to fulfill that purpose.
Principle 3: Use Limitation
PII should not be disclosed, published, or otherwise used for any purpose other than those specified, except with the consent of the individual or by the authority of law.
Principle 4: Security / Safeguards
Agencies should institute reasonable security safeguards to protect PII against loss, unauthorized access, destruction, misuse, modification, etc.
Principle 5: Accountability and Auditing
Agency personnel and contractors are accountable for complying with FIPPs, for providing training to all employees and contractors who use PII, and for auditing the actual use and storage of PII.
Principle 6: Openness / Transparency
Agencies should be transparent and provide notice to the individual regarding collection, use, dissemination, and maintenance of PII
Principle 7:
Individuals should be involved in the use of their PII and, to the extent practical, provide consent for its collection, use, dissemination, and maintenance. Individuals should likewise be provided with means of accessing and correcting PII, and of seeking redress regarding its use.
Principle 8:
go through notes at some point, put it down and simplify