Security of electronic patient
health information(e-PHI) is emerging as a critical issue. In the United States, the Health Insurance
Portability and Accountability Act(HIPAA) 1996 was passed to make protection of
e-PHI a legal requirement for organisations that manage e-PHI. However the lack of specificity in its
provisions raises uncertainty about their interpretations for any particular
organisation.
In this thesis, we present
the results of an exploratory investigation of security requirements under
HIPAA, as perceived by the US dental schools for their enterprise dental
information systems. This study was
inspired by Software of Excellence Ltd, a NZ software vendor who exports
enterprise dental information systems to the US market. It was experiencing diąculties developing
appropriate security features for its products due to the lack of information
about its customers' perceived security requirements under HIPAA. We used an online survey to elicit the
perceived security requirements for enterprise dental information systems.
We used threat modeling as
our main analytical framework for eliciting security requirements. Our survey instrument was designed to support
analysis. The survey responses revealed
some general perceptions held by the US dental schools regarding the security
of their e-PHI and HIPAA. The survey
also identified several security threats that the US dental schools were
concerned about. We analyse these
threats using a particular technique of threat modeling called the misuse case
analysis. We conduct our analysis in the context of a model of a generic,
enterprise dental information system which we define. We propose improvements to the existing
taxonomy of threats against e-PHI and classify our threats into the improved
taxonomy. Finally we focus on one of the threats identified from the survey to
propose mitigation.