international journal of security ijs_v5_i1


  • 8/6/2019 International Journal of Security IJS_V5_I1

    1/60

    INTERNATIONAL JOURNAL OF SECURITY

    (IJS)

    VOLUME 5, ISSUE 1, 2011

    EDITED BY DR. NABEEL TAHIR

    ISSN (Online): 1985-2320

    International Journal of Security (IJS) is published both in traditional paper form and on the Internet. This journal is published at the website http://www.cscjournals.org, maintained by Computer Science Journals (CSC Journals), Malaysia.

    IJS Journal is a part of CSC Publishers

    Computer Science Journals

    http://www.cscjournals.org


    INTERNATIONAL JOURNAL OF SECURITY (IJS)

    Book: Volume 5, Issue 1, May 2011

    Publishing Date: 31-05-2011

    ISSN (Online): 1985-2320

    This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provision of the copyright law 1965, in its current version, and permission of use must always be obtained from CSC Publishers.


    IJS Journal

    Published in Malaysia

    Typesetting: Camera-ready by author, data conversion by CSC Publishing Services, CSC Journals, Malaysia

    CSC Publishers, 2011


    EDITORIAL PREFACE

    This is the first issue of the fifth volume of The International Journal of Security (IJS). The Journal is published bi-monthly, with papers being peer reviewed to high international standards. The International Journal of Security is not limited to a specific aspect of Security Science but is devoted to the publication of high quality papers on all divisions of computer security in general.

    IJS intends to disseminate knowledge in the various disciplines of the computer security field, from theoretical, practical and analytical research to physical implications and theoretical or quantitative discussion intended for academic and industrial progress. In order to position IJS as one of the good journals on Security Science, a group of highly valuable scholars are serving on the editorial board. The International Editorial Board ensures that significant developments in computer security from around the world are reflected in the Journal. Some important topics covered by the journal are access control and audit, anonymity and pseudonym, computer forensics, denial of service, network forensics, etc.

    The initial efforts helped to shape the editorial policy and to sharpen the focus of the journal. Starting with volume 5, 2011, IJS appears in more focused issues. Besides normal publications, IJS intends to organize special issues on more focused topics. Each special issue will have a designated editor (or editors), either a member of the editorial board or another recognized specialist in the respective field.

    The coverage of the journal includes all new theoretical and experimental findings in the fields of computer security which enhance the knowledge of scientists, industrials, researchers and all those persons who are coupled with the computer security field. The IJS objective is to publish articles that are not only technically proficient but also contain information and ideas of fresh interest for an international readership. IJS aims to handle submissions courteously and promptly. IJS objectives are to promote and extend the use of all methods in the principal disciplines of computer security.

    IJS editors understand how important it is for authors and researchers to have their work published with a minimum delay after submission of their papers. They also strongly believe that direct communication between the editors and authors is important for the welfare, quality and wellbeing of the Journal and its readers. Therefore, all activities from paper submission to paper publication are controlled through electronic systems that include electronic submission, an editorial panel and a review system that ensures rapid decisions with the least delay in the publication process.

    To build its international reputation, we are disseminating the publication information through Google Books, Google Scholar, Directory of Open Access Journals (DOAJ), Open J Gate, ScientificCommons, Docstoc and many more. Our International Editors are working on establishing ISI listing and a good impact factor for IJS. We would like to remind you that the success of our journal depends directly on the number of quality articles submitted for review. Accordingly, we would like to request your participation by submitting quality manuscripts for review and encouraging your colleagues to submit quality manuscripts for review. One of the great benefits we can provide to our prospective authors is the mentoring nature of our review process. IJS provides authors with high quality, helpful reviews that are shaped to assist authors in improving their manuscripts.

    Editorial Board Members
    International Journal of Security (IJS)


    EDITORIAL BOARD

    EDITOR-in-CHIEF (EiC)

    Dr. Wei Wang
    Norwegian University of Science and Technology (NTNU)
    Norway

    ASSOCIATE EDITORS (AEiCs)

    Dr. Elena Irina Neaga
    Loughborough University
    United Kingdom

    EDITORIAL BOARD MEMBERS (EBMs)

    Dr. Jianguo Ding
    University of Science and Technology
    Norway

    Dr. Lei Chen
    Sam Houston State University
    United States of America

    Professor Hung-Min Sun
    National Tsing Hua University
    Taiwan


    International Journal of Security (IJS), Volume (5), Issue (1) : 2011

    TABLE OF CONTENTS

    Volume 5, Issue 1, May 2011

    A New Watermarking Approach Based on Combination of Reversible Watermarking and CDMA in Spatial and DWT Domain
    S. Bekkouche, A. Chouarfia

    An Exploratory Study of the Security Management Practices of Hispanic Students
    Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert Crossler, Jesus Tanguma

    Medical Information Security
    William C Figg, Hwee Joo Kam

    An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobile Networks
    Mustafa Fayomi, Jaafer AL-Saraireh


    S.Bekkouche & A.Chouarfia


    A New Watermarking Approach Based on Combination of Reversible Watermarking and CDMA in Spatial and DWT Domain

    S. Bekkouche
    University of Sciences and Technology Oran USTO
    Oran, 31100, Algeria

    A. Chouarfia
    University of Sciences and Technology Oran USTO
    Oran, 31100, Algeria

    Abstract

    Image watermarking can be defined as a technique that allows insertion of imperceptible and indelible digital data into an image. In addition to its initial application, which is copyright, watermarking can be used in other fields, particularly in the medical field, in order to contribute to securing images shared on the network for telemedicine applications. In this report we study some watermarking methods and compare the results of their combination. The first group is based on CDMA (Code Division Multiple Access) in the DWT (Discrete Wavelet Transform) domain, noted CDMA-DWT, and CDMA in the spatial domain, noted CDMA-SD; their aim is to verify the image authenticity. The second group is reversible watermarking (the least significant bits, LSB, and cryptography tools) and reversible contrast mapping (RCM); their objective is to check the integrity of the image and to keep the confidentiality of the patient data. The first new watermarking scheme is the combination of the reversible watermarking method and the CDMA-DWT method, and the second is the combination of reversible watermarking and the CDMA-SD method, to verify the three security properties (integrity, authenticity and confidentiality) of medical data and patient information. In the end, we made a comparison between these methods within the parameters of quality of medical images. Initially, an in-depth study of the characteristics of medical images would contribute to improving these methods. Measurements have been done on the watermarked image to verify that this technique does not lead to a wrong diagnosis. The robustness of the watermarked images against attacks has been verified on the parameters of PSNR (Peak Signal to Noise Ratio), MSE (Mean Square Error), MAE (Mean Absolute Error) and SNR (Signal to Noise Ratio), which show that the resulting quality of the combination watermarking method is better in DWT than with the other techniques.

    Keywords: Watermarking, Reversible watermarking, CDMA-DWT, Integrity, Authentication, Confidentiality.


    from the watermarked image. One way is by comparing this image to the original one, while the other doesn't resort to this comparison. The second are usually referred to as blind watermarking techniques and are preferable.

    Six different watermarking techniques, each from a different domain, i.e. spatial domain and wavelet domain [10] watermarking, have been chosen for the experiment. The techniques used for the comparative analysis of the watermarking process are CDMA in the spatial domain, noted CDMA-SD, CDMA-DWT [1] [10], reversible watermarking [3] [10], RCM [8] [11], the reversible watermarking and the proposed approach, which is the combination of CDMA-DWT and the reversible watermarking.

    Previous work on embedding invisible watermarks can be broadly grouped into spatial domain and transform domain methods. Typically, the data used to represent the digital watermarks are a very small fraction of the host image data. Such signatures include, for example, pseudo-random numbers, trademark symbols and binary images. The CDMA-SD method usually modifies the least-significant bits of the host image, but the CDMA-DWT technique can be employed to scatter each of the bits randomly throughout the cover image.

    RCM is a simple integer transform that applies to pairs of pixels. For some pairs of pixels, RCM is invertible even if the least significant bits (LSBs) of the transformed pixels are lost. The data space occupied by the LSBs is suitable for data hiding. The embedded information bit-rates of the proposed spatial domain reversible watermarking scheme are close to the highest bit-rates reported so far. The scheme does not need additional data compression and, in terms of mathematical complexity, it appears to be the lowest complexity one proposed up to now. The reversible watermarking (RW) technique losslessly compresses the bits to be affected by the embedding operation to preserve the original data and create space for the watermark. The compressed data and the watermark are then embedded into the host image. This practice of compressing original data for reversibility purposes has been widely adopted; based on LSB and cryptography, it selects pixels or transformation coefficients and then losslessly compresses them so as to save space for the watermark. Therefore, it has the property that the embedding distortion can be completely removed from the watermarked image without any side channel. On the other side, the original host image can be recovered in its entirety.

    3. PROPOSED APPROACH

    3.1 Primary combination

    The reversible watermarking (RW) [2], based on LSB bits and cryptography tools, is applied first and gives an image. The CDMA-SD method [3] is then applied to this image to give the watermarked image.

    a. Insertion process

    The insertion is the same as the reversible watermarking insertion process, which gives a result; this result is then taken as a new input, or new original image, for watermarking with CDMA in the spatial domain.

    In the insertion process, we scan the image by rows and losslessly compress the bit-stream of LSB values as the image is scanned. Once this compressed bit-stream is obtained, we concatenate it with the encrypted patient information, hash the result of the concatenation and embed it into the LSBs by scanning the image in the same pattern. The overall procedure is then a four-step process:

    (1) Calculate the authentication code (MAC) of the image using the SHA algorithm [7];
    (2) Concatenate the authentication code and patient information and encrypt the resulting string;
    (3) Select the LSBs of all pixels and compress the resulting string using the RLE algorithm [5];
    (4) Concatenate the compressed string and the encrypted string and insert them back into the LSB locations, adding blanks if necessary, which gives a watermarked image1.


    The insertion process of CDMA in the spatial domain [3] is then applied to the watermarked image1 to obtain the watermarked image. The insertion primary combination is shown in Figure 1.

    FIGURE 1: Insertion primary combination process

    b. Extraction process

    - Use the steps of the CDMA extraction process [3] on the watermarked image.
    - The result is used as watermarked image1.
    - Apply the reversible watermarking extraction process [2] to the watermarked image1 to extract data from the LSBs.
    - Convert binary to ASCII up to the "@" character, which represents the end of the inserted data.
    - Make a decoding key using the RSA inclusion K.
    - Separate the footprint (size unknown) of the patient data and calculate the footprint of the image to obtain the original ones.

    The extraction primary combination is shown in Figure 2.

    FIGURE 2: Extraction primary combination process

    [Block labels of Figure 1: Original image, Insertion reversible watermarking, Watermarked image1, Insertion CDMA-SD, Watermarked image. Block labels of Figure 2: Watermarked image, Extraction CDMA-SD, Watermarked image 1, Extraction reversible watermarking, Original image.]


    3.2. Second combination

    The reversible watermarking, based on LSB bits and cryptography tools, is applied first and gives an image. The CDMA-DWT method is then applied to this image to give a watermarked image. We then examine the results of the insertion and extraction steps and test the performance against different types of attacks.

    a. Insertion process

    The insertion applies the reversible watermarking [2] and then CDMA-DWT [1].

    1. The insertion process is the same as the reversible watermarking insertion process, which gives a result.
    2. This result is taken as a new input, or new original image, for watermarking with CDMA in the DWT domain.

    In the insertion process, we scan the image by rows and losslessly compress the bit-stream of LSB values as the image is scanned. Once this compressed bit-stream is obtained, we concatenate it with the encrypted patient information, hash the result of the concatenation and insert it into the LSBs by scanning the image in the same pattern. The overall procedure is then a four-step process:

    (1) Calculate the authentication code (MAC) of the image using the SHA algorithm [7].
    (2) Concatenate the authentication code and patient information and encrypt the resulting string.
    (3) Select the LSBs of all pixels and compress the resulting string using the RLE algorithm [5].
    (4) Concatenate the compressed string and the encrypted string and insert them back into the LSB locations, adding blanks if necessary, which gives a watermarked image1.

    - Generation of the multilayer sequence using a key K.
    - Generation of the mark W.
    - Decomposition of the watermarked image1 with a DWT resolution level:

      DWT (I) = (IA, DH, DV, DD)

      with IA the approximate image, DH the horizontal detail, and DV and DD the vertical and diagonal details respectively.
    - Insertion of the watermark in the three decomposed image details (diagonal, vertical and horizontal). The mark is weighted by the coefficient . We get the three marked details:

      DH = DH + W
      DV = DV + W
      DD = DD + W

      Note that the mark must be the same size as the details.
    - Reconstruction of the decomposed image, which gives the watermarked image, using the inverse discrete wavelet transform IDWT:

      = IDWT (IA, DH, DV, DD).

    The insertion process is shown in Figure 1.
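The four-step reversible insertion used in 3.1 and 3.2, together with the matching extraction and integrity check, written out as an added example that is not the authors' code. Assumptions: SHA-256 as the hash, a SHAKE-256 XOR keystream standing in for the paper's cipher, length prefixes instead of the "@" terminator, and a constructed 64x64 test image.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 32  # SHA-256 is assumed; the paper only says "SHA algorithm"


def rle_encode(bits):
    """RLE of a bit list: 2 bytes per run, top bit = bit value, low 15 bits = run length."""
    out, i = bytearray(), 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i] and j - i < 0x7FFF:
            j += 1
        out += struct.pack(">H", (bits[i] << 15) | (j - i))
        i = j
    return bytes(out)


def rle_decode(data):
    bits = []
    for (word,) in struct.iter_unpack(">H", data):
        bits.extend([word >> 15] * (word & 0x7FFF))
    return bits


def xor_stream(key, data):
    """Stand-in cipher (assumption, not the paper's): XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(sum(b << (7 - k) for k, b in enumerate(bits[i:i + 8]))
                 for i in range(0, usable, 8))


def embed(pixels, patient_info, key):
    """Steps (1)-(4) on a row-major list of 8-bit pixels; returns the watermarked list."""
    digest = hashlib.sha256(bytes(pixels)).digest()              # (1) hash of the image
    sealed = xor_stream(key, digest + patient_info)              # (2) concatenate, encrypt
    packed = rle_encode([p & 1 for p in pixels])                 # (3) compress the LSB plane
    payload = (struct.pack(">I", len(packed)) + packed +
               struct.pack(">H", len(sealed)) + sealed)          # (4) concatenate
    bits = to_bits(payload)
    if len(bits) > len(pixels):
        # Noisy LSB planes do not compress under RLE, so reversibility is impossible.
        raise ValueError("LSB plane does not compress enough to hold the payload")
    bits += [0] * (len(pixels) - len(bits))                      # pad the unused LSBs
    return [(p & 0xFE) | b for p, b in zip(pixels, bits)]


def extract(marked, key):
    """Returns (restored_pixels, patient_info, authentic)."""
    raw = to_bytes([p & 1 for p in marked])
    try:
        (n_rle,) = struct.unpack_from(">I", raw, 0)
        (n_sealed,) = struct.unpack_from(">H", raw, 4 + n_rle)
        sealed = raw[6 + n_rle:6 + n_rle + n_sealed]
        lsbs = rle_decode(raw[4:4 + n_rle])
    except struct.error:                                         # damaged container
        return None, None, False
    if len(lsbs) != len(marked) or len(sealed) != n_sealed or n_sealed < DIGEST_LEN:
        return None, None, False
    opened = xor_stream(key, sealed)
    restored = [(p & 0xFE) | b for p, b in zip(marked, lsbs)]    # put original LSBs back
    expected = hashlib.sha256(bytes(restored)).digest()
    return restored, opened[DIGEST_LEN:], hmac.compare_digest(opened[:DIGEST_LEN], expected)


def phantom(size=64):
    """Constructed test image: black background, smooth grey square in the middle."""
    lo, hi = size // 4, 3 * size // 4
    return [120 + (r - lo) // 4 if lo <= r < hi and lo <= c < hi else 0
            for r in range(size) for c in range(size)]


def demo():
    original, key = phantom(), b"constructed-demo-key"
    info = b"ID=0000;NAME=TEST"                                  # constructed patient record
    marked = embed(original, info, key)
    restored, recovered, ok = extract(marked, key)
    tampered = list(marked)
    tampered[2000] ^= 0x40                                       # alter one pixel above the LSB
    return restored == original, recovered == info, ok, extract(tampered, key)[2]


if __name__ == "__main__":
    print(demo())
```

The capacity check is the practical limit of the scheme: an image whose LSB plane looks random leaves no room for the hash and patient record, and `embed` refuses rather than overwrite data it cannot restore.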


    4. IMPLEMENTATION AND RESULT

    4.1. Test Images

    We have implemented six algorithms (reversible watermarking, CDMA-SD, CDMA-DWT, RCM, the combination of reversible watermarking and CDMA-SD, and our approach). We investigate the performance of the algorithms based on the computed PSNR values.

    The tests were performed on MRI medical images coded on 256 gray levels, in bitmap format and of size 256x256. We conducted tests on 10 MRI medical images.

    FIGURE 3: An MRI medical image

    4.2. Insertion and Extraction Data

    To insert the signature, the user must fill out the following input:

    - the signature (64 bit)
    - the secret key
    - the number of layers used

    Upon insertion, the user gets the number of bits in the signature. This data is necessary for the detection phase. To detect the patient data the user must have:

    - the marked image
    - the key
    - the number of embedded bits

    After the achievement of the six techniques, we compare them to evaluate each one.

    4.3. Discussion

    The comparative analysis of the six watermarking techniques has been done on the basis of noise and rotation attacks. Results of the individual watermarking techniques have been compared on the basis of PSNR, MSE, MAE and SNR [6], given in Equations (1) to (4).

    The PSNRs obtained between the original and watermarked images for the six techniques are used to measure the distortion caused by the watermarking. This ratio is often used as a quality measurement between the original and a watermarked image. If the PSNR is higher, the watermarked image quality is better. The PSNR is the square of the ratio of the maximum pixel value, i.e. 255, to the MSE value.

    For a good image the SNR value must be high. According to the results established, we select the application field of the watermark where the luminance (Xmax) is maximum.


    The MSE is used to quantify the distortion generated by the digital watermarking. In fact, we use an additive scheme to watermark the image. This modification could hinder the quality of the image. Equation (2) quantifies the mean absolute difference between the original image and the watermarked image.

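    $$\mathrm{MSE} = \frac{1}{MN} \sum_{i} \sum_{j} \left( I(i,j) - I_w(i,j) \right)^{2} \qquad (1)$$

    $$\mathrm{MAE} = \frac{1}{MN} \sum_{i} \sum_{j} \left| I(i,j) - I_w(i,j) \right| \qquad (2)$$

    $$\mathrm{PSNR} = 10 \log_{10} \frac{X_{\max}^{2}}{\mathrm{MSE}} = 10 \log_{10} \frac{255^{2}}{\mathrm{MSE}} \qquad (3)$$

    $$\mathrm{SNR} = \frac{\sum_{1}^{M} \sum_{1}^{N} I_s^{2}}{\sum_{1}^{M} \sum_{1}^{N} \left( I_s - I_e \right)^{2}} \qquad (4)$$

    Where $I$ is the original image, $I_w$ is the watermarked image, and $MN$ is the image size.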
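The detail-band insertion of Section 3.2 measured with equations (1) to (3), before and after salt and pepper noise at 0.02, as an added example that is not the authors' code. Assumptions: a Haar wavelet, `alpha` as the name of the weighting coefficient, a key-seeded +/-1 mark, a correlation detector (the paper's own CDMA-DWT detection steps are not in this transcript), and a constructed 64x64 gradient image.

```python
import math
import random


def _split(rows):
    """One Haar step along each row: pairwise averages and half-differences."""
    low = [[(r[k] + r[k + 1]) / 2 for k in range(0, len(r), 2)] for r in rows]
    high = [[(r[k] - r[k + 1]) / 2 for k in range(0, len(r), 2)] for r in rows]
    return low, high


def _merge(low, high):
    """Inverse of _split."""
    return [[x for a, d in zip(lo, hi) for x in (a + d, a - d)] for lo, hi in zip(low, high)]


def _t(m):
    return [list(col) for col in zip(*m)]


def dwt2(img):
    """One-level 2-D Haar DWT of an even-sized image: returns (IA, DH, DV, DD)."""
    low, high = _split(img)
    ia, dh = (_t(m) for m in _split(_t(low)))
    dv, dd = (_t(m) for m in _split(_t(high)))
    return ia, dh, dv, dd


def idwt2(ia, dh, dv, dd):
    low = _t(_merge(_t(ia), _t(dh)))
    high = _t(_merge(_t(dv), _t(dd)))
    return _merge(low, high)


def mark(key, rows, cols):
    """Key-seeded +/-1 mark W, the same size as the detail bands."""
    rng = random.Random(key)
    return [[rng.choice((-1, 1)) for _ in range(cols)] for _ in range(rows)]


def embed(img, key, alpha):
    """Add alpha*W to DH, DV and DD, then apply the IDWT; pixels are clamped to 0..255."""
    ia, dh, dv, dd = dwt2(img)
    w = mark(key, len(dh), len(dh[0]))

    def add(band):
        return [[d + alpha * x for d, x in zip(dr, wr)] for dr, wr in zip(band, w)]

    out = idwt2(ia, add(dh), add(dv), add(dd))
    return [[min(255, max(0, round(p))) for p in row] for row in out]


def detect(img, key, alpha):
    """Blind correlation detector (assumption): mean of D*W over the three detail bands."""
    _, dh, dv, dd = dwt2(img)
    w = mark(key, len(dh), len(dh[0]))
    total = sum(d * x for band in (dh, dv, dd)
                for dr, wr in zip(band, w) for d, x in zip(dr, wr))
    return total / (3 * len(w) * len(w[0])) > alpha / 2


def mse(a, b):   # equation (1)
    return sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / (len(a) * len(a[0]))


def mae(a, b):   # equation (2)
    return sum(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / (len(a) * len(a[0]))


def psnr(a, b):  # equation (3) with Xmax = 255
    return 10 * math.log10(255 ** 2 / mse(a, b))


def salt_pepper(img, density, seed):
    """Replace a fraction `density` of the pixels by 0 or 255."""
    rng = random.Random(seed)
    return [[rng.choice((0, 255)) if rng.random() < density else p for p in row] for row in img]


def demo():
    host = [[60 + r + c for c in range(64)] for r in range(64)]  # constructed smooth image
    alpha, key = 2, "constructed-key"
    marked = embed(host, key, alpha)
    noisy = salt_pepper(marked, 0.02, seed=1)
    return {
        "mse": mse(host, marked), "mae": mae(host, marked),
        "psnr": psnr(host, marked), "psnr_noisy": psnr(host, noisy),
        "found": detect(marked, key, alpha), "found_noisy": detect(noisy, key, alpha),
        "wrong_key": detect(marked, "other-key", alpha),
        "unmarked": detect(host, key, alpha),
    }


if __name__ == "__main__":
    print(demo())
```

With the same mark in all three bands, each 2x2 block changes by 3*alpha in one pixel and by alpha in the other three, so the MSE is 3*alpha^2 regardless of the key; the noise lowers the PSNR sharply while the correlation test still finds the mark.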

    TABLE 1: Comparative parameters of the six techniques.

    | Method | PSNR | SNR | MSE | MAE | Properties of Security |
    |---|---|---|---|---|---|
    | Reversible Watermarking (RW) | 49.20 (dB) | 33.17 (dB) | 0.78 | 0.78 | Authentication |
    | CDMA-SD | 45.12 (dB) | 29.04 (dB) | 2.00 | 1.002 | Integrity and Confidentiality |
    | CDMA-DWT | 66.22 (dB) | 310.13 (dB) | 1.55e-02 | 6.75e-01 | Integrity and Confidentiality |
    | RCM | 54.84 (dB) | 38.71 (dB) | 0.213 | 0.213 | Authentication |
    | Combination RW/CDMA-SD | 46.51 (dB) | 30.44 (dB) | 1.45 | 0.228 | Authentication, Integrity and Confidentiality |
    | Combination RW/CDMA-DWT | 49.17 dB | 1.265 | 0.7866 | 80.29 | Authentication, Integrity and Confidentiality |

    4.4. Noise Attacks on Watermarked Image

    The attack methodology on the watermarked image is based on the idea that an attacker does not have any access to the original image or the watermark image/signature. The attacks are, therefore, done on the watermarked image using only the watermarked image as input. The intruder, i.e. attacker, likely has no idea if the attack worked or not, so the results are not known to the attacker.

    The performance of the watermarking scheme is analyzed with the addition of salt and pepper noise.


    Salt and pepper noise: Figure 4 (d) and Figure 5 (d) show the simulation results of the watermarked image with salt and pepper noise at a gain factor of 0.02.

    4.5. Results of Noise Attacks

    FIGURE 4: The combination RW/CDMA-SD. (a) Original image, (b) watermarked image after reversible watermarking, (c) watermarked image after RW/CDMA-SD, (d) noise watermarked image.

    FIGURE 5: The combination RW/CDMA-DWT. (a) Original image, (b) watermarked image after RW, (c) watermarked image after RW/CDMA-DWT, (d) noise watermarked image.

    The PSNR shown in Table 2, expressed in dB, is calculated between the original image and the noise watermarked image.

    TABLE 2: Performance analysis of watermarking techniques against noise attack

    | Method | PSNR (dB) | MSE |
    |---|---|---|
    | Reversible watermarking (RW) | 26.90 | 132.89 |
    | RCM | 26.90 | 132.52 |
    | CDMA-SD in spatial domain | 26.46 | 146.94 |
    | CDMA-DWT | 26.7098 | 138.707 |
    | RW/CDMA-SD | 26.48 | 146.14 |
    | Proposed approach | 26.73 | 137.85 |

    4.6. Results of Rotation Attack

    Rotation attack is among the most popular kinds of geometrical attack on digital multimedia images [8]. Three levels of rotation have been implemented. The original watermarked image is rotated by 90 degrees, 180 degrees and 270 degrees respectively. The rotation attack is shown in Figure 6.

    FIGURE 6: Rotation attack on the watermarked image. (a) Watermarked image, (b) watermarked image after 90 degree rotation, (c) watermarked image after 180, (d) watermarked image after 270.

    TABLE 3: Performance analysis of watermarking techniques against rotation attack

    | Rotation (degrees) | Method | PSNR (dB) | MSE |
    |---|---|---|---|
    | 90 | RW/CDMA-SD | 24.5225 | 229.5225 |
    | 90 | RW/CDMA-DWT | 24.6972 | 220.4724 |
    | 180 | RW/CDMA-SD | 25.81 | 170.582 |
    | 180 | RW/CDMA-DWT | 26.083 | 160.225 |
    | 270 | RW/CDMA-SD | 24.5225 | 229.3715 |
    | 270 | RW/CDMA-DWT | 24.6972 | 220.4724 |

    The PSNR values in Table 3 show that the combination watermarking technique in the wavelet domain has the greatest PSNR value. This shows that wavelet domain watermarking is the best practice for digital image watermarking.

    5. CONCLUSION

    This paper proposed an efficient digital watermark scheme to increase the security, authentication, confidentiality and integrity of medical images and patient information transmitted via the Internet, based on combining two watermarking techniques. The first technique uses reversible watermarking, combining the least significant bit and cryptographic tools. The second technique uses the CDMA-DWT domain.

    The watermark can be used to introduce the patient's information in a private and secure manner while preserving the visual quality of the watermarked image.

    The experimental results show that our scheme is highly robust against other image processing operations such as salt and pepper noise. The simulation results show that a high quality image, i.e. a watermarked image with high PSNR, is obtained by embedding the watermark in the DWT domain rather than with the other techniques presented in this article.

    The paper focuses on the robustness of the watermarking techniques chosen from all domains of watermarking against rotation attack.

    It seems that the proposed approach is the best and most robust for medical image watermarking. This work could further be extended to the watermarking of other digital content such as audio and video.


    6. REFERENCES

    [1] Chris Shoemaker, "Hidden Bits: A Survey of Techniques for Digital Watermarking", Independent Study EER-290, 2002.

    [2] S. Boucherkha & M. Benmohamed, "A lossless watermarking based authentication system for medical image", International Journal of Signal Processing, Vol. 1, No. 4, 2004.

    [3] B. Vassaux, "Technique multicouches pour le tatouage d'images et adaptation aux flux vidéo MPEG-2 et MPEG-4", Thèse de Doctorat, Institut National Polytechnique Grenoble, France, 2003.

    [4] Y.I. Khamlichi, M. Machkour, K. Afdel, A. Moudden, "Medical Image Watermarked by Simultaneous Moment Invariants and Content-Based for Privacy and Tamper Detection", Proceedings of the 6th WSEAS International Conference on Multimedia Systems & Signal Processing, Hangzhou, China, April 16-18, pp. 109-113, 2006.

    [5] Rainer Steinwandt, Viktória I. Villányi, "A one-time signature using run-length encoding", Information Processing Letters, Volume 108, Issue 4, October 2008.

    [6] B. Aiazzi, L. Alparone and S. Baronti, "Near-lossless compression of 3-D optical data", IEEE Transactions on Geoscience and Remote Sensing, vol. 39, no. 11, pp. 2547-2557, 2001.

    [7] Xu Yan-ping, Jia Li-qin, "Research of a Digital Watermarking Algorithm Based on Discrete Cosine Transform", Proceedings of the Third International Symposium on Electronic Commerce and Security Workshops (ISECS 10), Guangzhou, China, 29-31 July 2010, pp. 373-375.

    [8] Ping Dong, Jovan G. Brankov, Nikolas P. Galatsanos, Yongyi Yang, Franck Davoine, "Digital Watermarking Robust to Geometric Distortions", IEEE Transactions on Image Processing, Vol. 14, No. 12, December 2005.

    [9] YongJie Wang, Yao Zhao, Jeng-Shyang Pan and ShaoWei Weng, "A Reversible Watermark Scheme Combined with Hash Function and Lossless Compression", Volume 3682/2005, pp. 1168-1174, DOI: 10.1007/11552451_161, Computer Science, 2005.

    [10] Harsh K Verma, Abhishek Narain Singh, Raman Kumar, "Robustness of the Digital Image Watermarking Techniques against Brightness and Rotation Attack", International Journal of Computer Science and Information Security, Vol. 5, No. 1, 2009.

    [11] Yeh-Shun Chen, Ran-Zan Wang, Yeuan-Kuen Lee, Shih-Yu Huang, "Steganalysis of Reversible Contrast Mapping Watermarking", Proceedings of the World Congress on Engineering 2008, Vol. 1, WCE 2008, July 2-4, 2008, London, U.K.

    [12] W.-T. Huang, S.-Y. Tan, Y.-J. Chang and C.-H. Chen, "A robust watermarking technique for copyright protection using discrete wavelet transform", WSEAS Trans. Computers, vol. 9, no. 5, pp. 485-495, 2010.


    Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma


    An Exploratory Study of the Security Management Practices of Hispanic Students

    Yi-Chia Wu
    College of Business Administration
    Department of Marketing
    University of Texas-Pan American
    Edinburg, 78539, USA

    Francis Kofi Andoh-Baidoo
    College of Business Administration
    Department of Computer Information Systems & Quantitative Methods
    University of Texas-Pan American
    Edinburg, 78539, USA

    Robert E. Crossler
    College of Business Administration
    Department of Computer Information Systems & Quantitative Methods
    University of Texas-Pan American
    Edinburg, 78539, USA

    Jesus Tanguma
    College of Business Administration
    Department of Computer Information Systems & Quantitative Methods
    University of Texas-Pan American
    Edinburg, 78539, USA

    Abstract

    The growing Internet and mobile technologies create opportunities for efficient communication and coordination among individuals and institutions. However, these technologies also pose security challenges. Although users' understanding and behavior towards security solutions have been recognized as critical to ensuring effective security solutions, few research articles have examined user security management practices. The literature lacks empirical research that examines users' everyday behavior and practices in managing security. In an effort to bridge the gap in user security management practices, this paper presents an exploratory study of how Hispanic college students manage the security of their computer systems. Specifically, we examine how ethnicity, gender, and age influence users' behavior towards updating their operating systems, non-operating system software and antivirus definitions. The results reveal that gender influences the frequency of updating operating systems, antivirus definitions and non-operating system software, whereas ethnicity and age influence only the frequency of update of operating systems but not the frequency of update of non-operating system software and antivirus definitions.

    Keywords: Non-operating System Software, Antivirus Software, Security Practices, Software Update, Users' Security Management, Hispanic.

    1. INTRODUCTION

    Even as the Internet and mobile technologies facilitate electronic commerce and effective global coordination and communication, users' security management practices can hinder the benefits that such technologies promise [1]. Studies show that users' security management is a problem [2] [3] [4] [5]. Other studies have noted that people tend to delegate computer security responsibilities to technology, trusted individuals or trusted institutions [1] [2]. When an individual


    patches, the more vulnerable the computer is to outside attacks. It is increasingly dangerouswhen the end users fail to update a patch within days of it being made available [8].

    2.2 Factors That May Influence Security BehaviorOne of the major demographic variables that may influence security practices is gender. Furnell,Bryant and Phippen [12] conducted research on the awareness of security issues andrespondents attitude on the use of safeguard tools of 415 personal internet users in the UK. Thefindings indicated that male respondents tend to be more confident in considering themselves asadvanced in IT experience. Similarly, Dourish and Grinters [1] study noted that age influencesusers attitude towards security.

    In this study, we use students from a higher education institution. This is very important especially for the group of users that is the target of this study. Education levels influence Internet usage [13]. Ten percent of Latinos have a college degree, and of that small group, 89% go online. By comparison, 28% of whites have college degrees, and 91% of them use the Internet. Twenty percent of African Americans have college degrees, and 93% report using the Internet [14]. According to previous studies, higher education may lead to higher confidence and the adoption of self-service technology [13].

    According to the 2010 United States census data, Hispanics make up the fastest growing ethnic group in the population [15]. Also, Latinos are a young population with approximately twice as large a share of adults under age 40 than that among the white non-Hispanic population. Sixty-seven percent of Latinos age 18-29 go online, whereas 77% of African Americans and 86% of whites in the same age range go online [14]. For ages 30-41, 61% of Latinos, 77% of African Americans, and 85% of whites go online. Fifty-eight percent of Latinos, 69% of African Americans, and 80% of whites age 42-51 use the internet. Finally 46% of Latinos, 49% of African Americans, and 75% of whites age 52-60 go online [14].

    Based on the extant literature discussed in this section, we present a set of hypotheses that are tested in this exploratory study (see Table 1). Our dependent variables are frequency of updates of operating systems, non-OS and antivirus definitions whereas the independent variables are Ethnicity (Hispanic vs. Non-Hispanic), Age (< 21 years vs. >= 21 years) and Gender (Male vs. Female).

    H1 Non-Hispanics are more likely to update their operating systems software than Hispanics.

    H2 Non-Hispanics are more likely to update their non-operating system software than Hispanics.

    H3 Non-Hispanics are more likely to update their antivirus definitions than Hispanics.

    H4 Males are more likely to update their operating systems than Females.

    H5 Males are more likely to update their non-operating systems than Females.

    H6 Males are more likely to update their antivirus software than Females.

    H7 Students less than 21 years of age are more likely to update their operating systems than those older than 21 years.

    H8 Students less than 21 years of age are more likely to update their non-operating systems than those older than 21 years.

    H9 Students less than 21 years of age are more likely to update their antivirus software than those older than 21 years.

    TABLE 1: Set of Hypotheses tested in this study.

    3. METHODOLOGY

    Dourish and Grinter [1] found that users in general had a neutral to negative attitude toward security technologies. Our definition of security practices is based on Dourish and Grinter's [1] work where they define security practices as actions, and what practices and patterns people adopt to manage their security needs and accommodate them into their work (p. 393).


    Data Collection

    A survey was conducted to gather information regarding students' behavior toward security practices. The sample consisted of 315 students taking an entry level Computer Information Systems class in a Hispanic serving university in the South Eastern region of the United States. This study allowed students to have abundant time to answer the survey questions and guaranteed the anonymity of the responses. Students were permitted to opt out anytime during the administration of the survey. There were no identifying questions enclosed in the survey. The survey included demographic questions based on the 2010 United States Census form.

    This study uses the chi-square statistical test to examine the percentage of students' responses that fit into the various categories of the frequency of updates (automatic, weekly, monthly, rarely, never, and "I don't know") for the different values of the independent variables. The independent variables are gender, ethnicity, and age.

    4. RESULTS AND DISCUSSION

    According to the 2000 census Overview of Race and Hispanic Origin guideline, Hispanics can be categorized as any race. Hispanic groups such as Mexican, Puerto Rican, or Cuban, are classified as "Some other race" category [6]. Therefore, students who self-identify as Hispanic may be of Hispanic origin as well as at least one other race. In order to examine different levels of demographic variables affecting the frequency of updating the operating systems, non-OS and antivirus definitions among students, this study splits race into two categories: Hispanics/Latinos and Non-Hispanics/Latinos. Table 2 presents the Chi-square analysis for the % distribution of students' responses within the different categories within the independent variables.

                    Operating System                        Non-Operating System            Antivirus Update
                    Auto    W       N       ?       χ²      W       M       R       χ²      W       M       R       χ²
    Gender
      Male          69.5    16.1    7.6     6.8     15.881  18      17.1    65      9.959   39.4    24      36.5    6.777
      Female        70.4    5       7.5     17.1            9.1     10.1    80.8            25.7    24      50.3
    Ethnicity
      Hispanic      70.7    8.7     6.3     14.3    10.56                           2.827                           0.285
      Non-Hispanic  62.1    13.8    21      3.4
    Age
      < 21          71      6.7     8       14.3    7.545                           0.734                           1.026
      >= 21         66.2    16.9    6.5     10.4

    Note: All the numbers are in the unit of percentage except for Chi-Square. Auto = Automatic update, W = Weekly, M = Monthly, N = Never, ? = I don't know, R = Rarely, χ² = Pearson Chi-Square.

    TABLE 2: Chi-Square Analysis-User Response Percentage Distribution

    Prior to discussing the statistically significant differences in our results, it is interesting to note the low overall level of security practices. Updating the operating system is the behavior that is most regularly performed automatically. However, this is a setting that is generally set by default and taken care of by the operating system vendor. When it comes to updating non-Operating System software and antivirus definitions there is very poor performance. While this in itself presents useful information for the overall population of interest, we also demonstrate in the following section that there are differences in behavior based on demographic variables.


    Hypothesis | Pearson Chi-Square | P-Value | Hypothesis supported?

    H1 Males are more likely to update their operating systems than Females | 15.881 | 0.001*** | Yes

    H2 Males are more likely to update their non-operating systems than Females | 9.959 | 0.007*** | Yes

    H3 Males are more likely to update their antivirus software than Females | 6.777 | 0.034** | Yes

    H4 Non-Hispanics are more likely to update their operating systems software than Hispanics | 10.56 | 0.014*** | Yes

    H5 Non-Hispanics are more likely to update their non-operating system software than Hispanics | 2.827 | 0.243 | No

    H6 Non-Hispanics are more likely to update their antivirus definitions than Hispanics | 0.285 | 0.867 | No

    H7 Students less than 21 years of age are more likely to update their operating systems than those older than 21 years | 7.545 | 0.056* | Yes

    H8 Students less than 21 years of age are more likely to update their non-operating systems than those older than 21 years | 0.734 | 0.693 | No

    H9 Students less than 21 years of age are more likely to update their antivirus software than those older than 21 years | 1.026 | 0.599 | No

    Note: *** Significance at 0.01, ** Significance at 0.05, * Significance at 0.1

    TABLE 3: Results of the Hypotheses tests

    Table 3 shows that gender is the only independent variable that significantly influences the frequency of update of all the three dependent variables (operating systems, non-OS and antivirus definitions). The Ethnicity and Age variables only significantly influence the frequency of update of operating systems but not non-OS and antivirus definitions.
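    As an added worked example (not part of the original paper), the Python below recomputes the Pearson chi-square statistic, degrees of freedom and p-value for the gender rows of Table 3 from the percentages in Table 2. The paper reports percentages only, so the per-cell respondent counts (and the group sizes they imply) are assumptions, back-calculated here so that each row matches the published percentages after rounding.

```python
"""Re-derive the gender rows of Table 3 from the percentages in Table 2."""
import math

# Percentages published in Table 2 (gender rows only).
PUBLISHED = {
    # columns: Auto, Weekly, Never, "I don't know"
    "operating system": {"Male": [69.5, 16.1, 7.6, 6.8],
                         "Female": [70.4, 5.0, 7.5, 17.1]},
    # columns: Weekly, Monthly, Rarely
    "non-OS": {"Male": [18.0, 17.1, 65.0],
               "Female": [9.1, 10.1, 80.8]},
}

# ASSUMPTION (not reported in the paper): respondent counts per cell,
# back-calculated so each row reproduces the published percentages.
COUNTS = {
    "operating system": {"Male": [82, 19, 9, 8],        # n = 118
                         "Female": [140, 10, 15, 34]},   # n = 199
    "non-OS": {"Male": [21, 20, 76],                     # n = 117
               "Female": [18, 20, 160]},                 # n = 198
}


def max_percentage_gap(counts, published):
    """Largest |reconstructed % - published %| over all cells of one table."""
    gap = 0.0
    for group, row in counts.items():
        n = sum(row)
        for count, pct in zip(row, published[group]):
            gap = max(gap, abs(100.0 * count / n - pct))
    return gap


def pearson_chi_square(rows):
    """Return (statistic, degrees of freedom, smallest expected count)."""
    if len({len(r) for r in rows}) != 1:
        raise ValueError("all rows must have the same number of categories")
    row_totals = [sum(r) for r in rows]
    col_totals = [sum(c) for c in zip(*rows)]
    grand = sum(row_totals)
    if 0 in row_totals or 0 in col_totals:
        raise ValueError("empty row or column: chi-square is undefined")
    stat, min_expected = 0.0, float("inf")
    for r, row in enumerate(rows):
        for c, observed in enumerate(row):
            # Expected count under independence of group and category.
            expected = row_totals[r] * col_totals[c] / grand
            min_expected = min(min_expected, expected)
            stat += (observed - expected) ** 2 / expected
    dof = (len(rows) - 1) * (len(col_totals) - 1)
    return stat, dof, min_expected


def chi_square_p_value(stat, dof):
    """Upper-tail chi-square probability, closed form for integer dof >= 1."""
    if dof < 1 or stat < 0:
        raise ValueError("need dof >= 1 and a non-negative statistic")
    half = stat / 2.0
    if dof % 2 == 0:
        # exp(-x/2) * sum_{i < dof/2} (x/2)^i / i!
        term = total = 1.0
        for i in range(1, dof // 2):
            term *= half / i
            total += term
        return math.exp(-half) * total
    # Odd dof: erfc(sqrt(x/2)) + exp(-x/2) * sum_j (x/2)^(j-1/2) / Gamma(j+1/2)
    total = 0.0
    term = math.sqrt(half) / math.gamma(1.5)
    for j in range(1, (dof - 1) // 2 + 1):
        total += term
        term *= half / (j + 0.5)
    return math.erfc(math.sqrt(half)) + math.exp(-half) * total


def analyse(variable):
    """Chi-square test of gender against update frequency for one variable."""
    counts = COUNTS[variable]
    stat, dof, min_expected = pearson_chi_square(
        [counts["Male"], counts["Female"]])
    return {
        "chi_square": stat,
        "dof": dof,
        "p_value": chi_square_p_value(stat, dof),
        # Common rule of thumb: the approximation is shaky below 5.
        "min_expected": min_expected,
        "max_gap": max_percentage_gap(counts, PUBLISHED[variable]),
    }


if __name__ == "__main__":
    for name in COUNTS:
        r = analyse(name)
        print(f"{name}: chi2={r['chi_square']:.3f} d.f.={r['dof']} "
              f"p={r['p_value']:.3f} min expected={r['min_expected']:.1f}")
```

    The d.f. values follow from the table shapes: two gender groups by four operating system categories gives 3, and two groups by three non-OS categories gives 2.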

    4.1 Gender and Frequency of Update of Operating System

    The calculated Pearson Chi-Square (χ² = 15.881, d.f. = 3) and its corresponding p-value (p < .05) for the relationship between frequency of update of operating system and gender indicate that hypothesis 1 is supported at the 5% significance level. Our research shows that males are more likely to update their operating systems frequently than females. While the difference in the number of students who set up their operating system to automatic update is low between males and females (69.5% v. 70.4%), there are differences for the "weekly" and "I don't know" categories. This observation can be explained by Dourish and Grinter's [1] observation that individual users are likely to rely on a set of guarantees such as technology, family member, friends or institutions and delegate their security responsibilities to the guarantee. As we can see from our data, the female users were more dependent on the guarantee than the males as we see that more males updated their antivirus on a weekly basis. Further, the percentage of those who responded "I don't know" was far higher for females (17.1%) compared to 6.8% for males. This suggests that females are more likely to exhibit a security behavior whereby once they delegate their security management responsibility, they do not even worry about what security guards are available on their systems and do nothing to enhance the security of their systems.

    4.2 Gender and Frequency of Update of Non-OS

    Once again our data reveals that males are more likely to update their non-OS than females. Hence hypothesis 2 that states that males would update their non-OS more frequently than females is supported. Although both hypotheses 1 and 2 are supported, there is a sharp distinction concerning gender and frequency of update between operating systems and non-OS. Unlike the operating systems where a great majority of both males and females set their systems to automatic, here a great majority report that they rarely update their non-OS (80.8% females to 65.0% males). Both females and males feel that they are at a disadvantage in comparison with hackers and others who can undo all that they could do to protect their security and would rather prefer to delegate their security management practice to a tool or trusted person or institution and not be bothered by the mundane work of managing non-operating systems.


    4.3 Gender and Frequency of Update of Antivirus Definitions

    Hypothesis 3 is supported as the Pearson Chi-Square was significant at the 5% level. Specifically, about 39.4% males compared to 25.7% females update their antivirus definitions on a weekly basis. In addition, while 50.3% of females update their antivirus definitions rarely, only 36.5% of males do so. This suggests that males are less likely to delegate their responsibility to update their antivirus definitions to others and take time to frequently update their antivirus definitions in comparison to females.

    4.4 Ethnicity and Frequency of Update of Operating System

    The literature suggests that Non-Hispanics are more likely to have experience with computers than Hispanics. Dourish and Grinter [1] suggest that experience with technology influences users' behavior towards security management practice. Thus as we observe from the data, Non-Hispanics are more likely to update their operating systems more frequently than Hispanics because the former have more experience with technologies such as operating systems. Hence hypothesis 4 is supported. We also observe from our data that Hispanics are more likely to delegate their security management practice to the technology as observed in 70.7% of Hispanics compared to 62.1% of Non-Hispanics setting their operating systems to automatic update. However, more Non-Hispanics update their operating systems on a weekly basis with a higher percentage of Hispanics responding that they do not know whether their operating systems are being updated or not.

    4.5 Ethnicity and Frequency of Update of Non-OS

    The Pearson Chi-Square value (χ² = 2.827, d.f. = 2, p = 0.243 > α = 0.05) for hypothesis 5 that tests the relationship between ethnicity and frequency of update of non-OS demonstrates that the hypothesis was not supported by our data. A plausible reason for this observation is that most users may have negative attitudes towards non-OS systems in terms of how they may hinder how they use their systems [1]. Similarly, others have observed that users sometimes believe that hackers have more technological skills than they do and that whatever they do to protect their computers against viruses and other attacks, hackers can undo and so make no effort to work towards protecting the security of their computer systems [1] [5]. Dourish and Grinter [1] also note that users see security as a barrier. They observed from their study that users could not distinguish between security and spam. To the users, security and spam were different aspects of security and so feel that a single technology can address all kinds of problems. Hence they are less interested in addressing issues of non-OS. Thus, users' lackadaisical attitudes towards updating non-operating systems may not differ between ethnicities (here Hispanics and Non-Hispanics).

    4.6 Ethnicity and Frequency of Update of Antivirus Definitions

    Similar to the relationship between ethnicity and frequency of update of antivirus definitions, the relationship between ethnicity and frequency of update of antivirus definition is not significant. Thus, hypothesis 6 is not supported by our data. Once again, users may rely on technology and may not see the importance of worrying about updating antivirus definitions. Dourish and Grinter [1] observe that users may look at an antivirus definition as complete solution to security problems.

    4.7 Age and Frequency of Update of Operating Systems

    Our results reveal that young people (ages < 21) delegate their responsibility to update operating systems to technology more than people older than 21 years (71% vs. 66.2%). At the same time, a higher percentage of people older than 21 update their operating systems on a more regular weekly basis than those who are younger than 21. The situation is different when it comes to those who report that they never update their operating systems or do not know whether their operating systems are updated or not. The results suggest that those young people who have experience with operating systems would typically set their systems to automatic update while those who may have less experience may not care about the update of the operating systems. However, in general gender influences the frequency of update of operating systems supporting other studies that suggest that gender influences security practice. Thus hypothesis 7 is supported by our data at the 10% significance level.

    4.8 Age and Frequency of Update of Non-OS

    For the relationship between age and frequency of updating the non-OS, the calculated Pearson Chi-Square value (χ² = 0.734, d.f. = 2, p > .05) indicates that hypothesis 8 is not supported by our data. The explanation that was offered for relationship between ethnicity and frequency of update of non-OS may be relevant in this relationship as well. While Dourish and Grinter [1] observe that young people have confidence in what they can do with computer systems, they generally are unhappy with security technologies that hinder their abilities to work efficiently and may therefore choose not to worry about updating non-OS which they may feel would hinder their overall productivity and experience with their computer systems.

    4.9 Age and Frequency of Update of Antivirus Definition

    Age was not found to influence the frequency of update of antivirus definitions. Hence our data did not support hypothesis 9. Once again, users irrespective of age would rather delegate responsibility of updates of antivirus definitions or may not be bothered.

    5. CONCLUSION

    The study examined security management practices of Hispanic college students. Specifically, we examine how ethnicity, gender, and age influence users' behavior towards updating their operating systems, non-OS and antivirus definitions. The results reveal that gender influences the frequency of updating operating systems, non-OS and antivirus definitions, whereas ethnicity and age influence only frequency of update of operating systems but not the frequency of update of non-OS and antivirus definitions. In particular, we observe that non-Hispanic students rarely update their systems. Second, male students tend to update their system more frequently. Our research supports another study that demonstrates that male users in a primarily Hispanic institution not only update non-OS more frequently than females, but also update Anti-Virus software more frequently as well [17]. Our results also support prior research that shows that users typically delegate their security management responsibilities to technology, trusted individuals and institutions [1].

    6. SUGGESTIONS FOR FUTURE RESEARCH

    The fundamental question that derives from this research is: what are the implications for end users in regard to updates of operating systems, non-OS and antivirus definitions? It is arguable that certain non-operating systems would not endanger individuals' information security when the software is not exploited frequently. Without the updates of the new patches, the original files are still protected and perform with no technical issues. The non-OS such as iTunes can function without the new updates based on the end users' purposes. However, the lack of new updates of anti-virus software will imperil the end users' information security if the new patches are not updated in time, exposing the user to threats from outside attacks.

    This empirical study concludes that race (Hispanic versus non-Hispanic students) and age are not significant indicators for non-OS and antivirus definition update. For further research, this study suggests that the range of the non-OS should be narrowed down to several specific categories in order to detect participants' awareness of non-OS updates. Additionally, future research could conduct a similar survey at a non-primarily Hispanic serving institution and compare the results. The results would provide insight to the differences in security practices between the groups of students served at each of these universities. Further research could also be conducted that utilizes theories, as opposed to demographics to hypothesize differences in security practices at primarily Hispanic serving institutions.


    7. REFERENCES

    [1] P. Dourish, R.E. Grinter, J.D.D.L Flor, and M. Joseph. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal Ubiquitous Computing, vol. 8, pp. 391-401, 2004.

    [2] B. Friedman, D. Hurley, D. Howe, E. Felten, and H. Nissenbaum. Users' Conceptions of Web Security: A Comparative Study, Short paper presented at ACM Conf. Human Factors in Computing Systems CHI, Minneapolis, MN, USA, 2002.

    [3] J. Rimmer, I. Wakeman, L. Sheeran and M.A. Sasse. Examining users' repertoire of internet applications, In Sasse and Johnson (eds), Human-Computer Interaction: Proc. of Interact'99, 1999.

    [4] L. Sheeran, M.A. Sasse, J. Rimmer and I. Wakeman. (2002). "How Web browsers shape users' understanding of networks." Electronic Library, The. [On-line]. 20(1), pp. 35-42. Available: http://www.emeraldinsight.com/journals.htm?articleid=861950 [Jan. 31, 2011].

    [5] D. Weirich and M.A. Sasse. Pretty good persuasion: a first step towards effective password security for the real world, In: Proc. of the ACM new security paradigms workshop (NSPW 2001), Cloudcroft, New Mexico, ACM Press, New York, 2001, pp. 137-143.

    [6] S. Fox and G. Livingston. Latinos Online: Hispanics with Lower Levels of Education and English Proficiency Remain Largely Disconnected from the Internet. Internet: http://www.eric.ed.gov/PDFS/ED495954.pdf, Mar. 14, 2007 [Jan. 22, 2011].

    [7] Home network security. United States Computer Emergency Readiness Team. Internet: http://www.us-cert.gov/reading_room/home-network-security/#IV-A-7, Dec. 5, 2001 [Jan. 25, 2011].

    [8] J. Antman. Patch Management: An Overview. Internet: http://rutgerswork.jasonantman.com/antman-patchManagement.pdf, Dec. 10, 2008 [Jan. 21, 2011].

    [9] Updating non-operating system software, Updating non-operating system software to prevent security compromises. Internet: UCSF ITS, University of California, San Francisco: http://security.ucsf.edu/EIS/BestPractices/Staff/StaffUpdatingSoftware.html, 2010 [Jan. 25, 2011].

    [10] D. Brandl. (2008). DONA forget about security. Control Engineering. 55 (12), pp. 14.

    [11] C. Higby and M. Bailey. Wireless security patch management system, in Proc. of the 5th conference on Information technology education, Salt Lake City, UT, USA: ACM, 2004.

    [12] S.M. Furnell, P. Bryant, and A.D. Phippen. (2007). Assessing the security perceptions of personal Internet users. Computers & Security. [On-line] 26 (5), pp. 410-417. Available: http://www.sciencedirect.com/science/article/B6V8G-4N6NJTT-1/2/492a40cf1c60d7fbf02f0bdc01c3f609 [Jan. 25, 2011].

    [13] M.L. Meuter, M.J. Bitner, A.L. Ostrom and S.W. Brown. Choosing among alternative service delivery modes: An investigation of customer trial of self-service technologies. Journal of Marketing, vol. 69(2), pp. 61-83, 2005.

    [14] S. Fox and G. Livingston. Latinos Online: 2006-2008: Narrowing the Gap. Internet: http://pewhispanic.org/reports/report.php?ReportID=119, Dec. 22, 2009 [Jan. 22, 2011].


    [15] K. Humes, N. A. Jones and R.R. Ramirez. Overview of Race and Hispanic Origin: 2010, 2010 Census Briefs. Internet: http://www.census.gov/prod/cen2010/briefs/c2010br-02.pdf, Mar. 2011 [Jan. 22, 2011].

    [16] E.M. Grieco and R.C. Cassidy. United State Overview of Race and Hispanic Origin: Census 2000 Brief. Internet: http://www.census.gov/prod/2001pubs/cenbr01-1.pdf, Mar., 2001 [Jan. 22, 2011].

    [17] R. Crossler, M. A. Villarreal, and F. K. Andoh-Baidoo. A Preliminary Study Examining the Security Practices of Hispanic College Students. SouthWest Decision Science Institute, 2011.


    William C. Figg, Ph.D. & Hwee Joo Kam M.S.

    International Journal of Security (IJS), Volume (5) : Issue (1) : 2011 24

    research conducted by University of Michigan imposes security mechanism to protect sensitive health data. A system called the honest broker is developed to embark upon the issue of health information security. The Honest Broker (HB) is built on the two-component architecture: the non-identifiable data is stored in a separate system whereas the identifiable data is stored in another system. HB mediates between these systems and manages data transfer and electronic storage of personal health identifiers [4]. This architecture increases the burden on attackers who need to compromise two systems in order to match the identifiable record with the non-identifiable one. (3) Technology can mitigate the threat of the de-identification of anonymous data and reduce the risks involving the linkability of genomic data such as DNA. A patient's location visit pattern, or trail, can be constructed because patients are mobile and their data can be collected and shared by multiple health care organizations. The uniqueness of a patient's trail can link to a patient's record, revealing a patient's identity. A formal privacy protection model called k-unlinkability is introduced to thwart the trail re-identification and prevent the tracing of DNA records of a patient [22]. This model adopts computational basis and is configured to strip off patients' identifiers in a biomedical database.

    4. HEALTH CARE MANAGEMENT AND ADMINISTRATION

    Although the aforementioned security mechanism supported by information technology can assuage the violation of patients' information security, a few studies have unveiled the fact that non-technical challenges such as administrative and management issues have adversely impacted patients' information security and posed a thorny issue. Currently, the health care industry lacks precise instrumentation and makes no serious attempt to measure health care fraud; there has been an attempt initiated by the Office of Inspector General (OIG) to institute its annual audit program but the weak methodology produces only low loss estimates [31]. Furthermore, health care administration and management have permitted patients' information to be reviewed and used without patients' consent in the name of cost saving, quality improvement, public health, advances in research, and other commendable goals [1]. For instance, insurance companies, managed health care organizations, and health care employees are interested to access individuals' medical records in an attempt to reduce expenses [17]; managed care companies insist on reviewing medical charts to determine if care should be authorized; accrediting bodies want to ensure that the clinicians' notes are detailed and complete; government agencies seek identifiable information for planning purposes; and law enforcement agencies see medical records as a means to identify and convict wrongdoers [1].

    5. DATA SECURITY BREACHES: MEDICAL IDENTITY THEFT

    Given that many parties can view patients' medical records without patients' knowledge, data security breaches in health care have unfortunately become common. According to William Winkenwerder, the assistant secretary of defense for health affairs, privacy and security are the Chernobyl that is waiting to happen for the healthcare industry [5]. Among the data security breaches in health care, the newly emerging health care privacy threat is medical identity theft, which is considered a crime. Byron Hollis, director of the antifraud department at the Blue Cross and Blue Shield Association, mentioned that "medical identity theft is the fastest-growing form of health care fraud" (Pear, 2008). Through 2005, there have been nearly 18,000 cases of medical identity theft or about 1.8% of all identity theft cases reported to Federal Trade Commission (FTC) [5]. According to World Privacy Forum, there have been 19,428 complaints regarding medical identity theft to the Federal Trade Commission (FTC) since 1992, the earliest date the FTC started to process the complaints; and the number of people who experienced medical identity theft rose from 1.6 percent in 2001 to 1.8 percent in 2005 [9]. In addition, the World Privacy Forum issued a report revealing that the growing medical identity theft phenomenon is estimated to have impacted as many as 3.25 million people [3].

    6. WHAT IS MEDICAL IDENTITY THEFT?

    Identity theft, essentially, refers to the appropriation of an individual's personal information in order to impersonate that person for one's financial gain or other benefits [32]. In this regard, medical identity theft is defined as an occurrence in which a person uses another person's identity such as person's name, insurance information, Medicaid number or social security number, without the person's knowledge and consent, to obtain medical care or services or to generate a plethora of bogus medical bills for the purpose of claiming Medicare [8]. According to World Privacy Forum, medical identity theft is an


    for all kinds of other services that were provided [31]. The preceding example shows that medical identity theft is committed by insiders and victims are merely a commodity in the eyes of the perpetrators.

    Other than insiders' access to patients' records, identity thieves may obtain information by [7]: (1) accessing information based on a legitimate need and then distributing the sensitive information for criminal purposes; (2) hacking into computerized patient information; (3) dumpster diving or collecting information from organizations' trash or recyclables; and (4) stealing wallets, purses, or mail from patients, visitors, or staff.

    9. NEGATIVE IMPACTS OF MEDICAL IDENTITY THEFT

    According to World Privacy Forum [9], Medical Identity Theft has profoundly and adversely impacted the victims in the following ways:

    Victims may experience the familiar consequences of financial identity theft that can include loss of credit, harassment by debt collectors, and inability to find employment.

    False entries in victims' medical records may remain in victims' medical files for years and may not be corrected or even discovered. There is a serious lack of recourse for victims to make amendments to the falsified and inaccurate medical records. HIPAA rules do not mandate that health care providers that did not create a falsified record correct the falsified entry.

    Alteration of patients' medical records will reflect inaccurate medical conditions, blood types, drug allergies, and other health information relied upon to administer medical care. False entries in victims' medical records may cause the victims to receive wrong medical treatment. This is the most egregious crime because an inaccurate medical record can kill a patient.

    Victims may find their health insurance exhausted, and become uninsurable for both life and health insurance coverage.

    10. DETECTION OF MEDICAL IDENTITY THEFT

    Given that medical identity theft is a crime that hides well, victims usually discover it at some very unpleasant moments, such as being rejected for health care insurance and employment opportunities. Victims always discover this crime after it has occurred for a considerable amount of time. Very little literature provides suggestions on how to proactively detect medical identity theft before it inflicts serious damages upon the victims. The following depicts how the victims of medical identity theft detect the crime:

    Collection notices: perpetrators change the billing address and the phone numbers on the medical charts of victims. This will make it hard for the bill collector to find the victims. If the perpetrators are not very sophisticated, the victim receives a letter from collection services demanding that the victim pay for medical treatment that he or she never received.

    Credit report: consumers whose medical identity was stolen and used to open multiple credit card accounts will be able to detect this crime after reviewing their credit reports. However, most of these crimes are committed by educated, sophisticated perpetrators who know how to hide crimes well.

    Receipt of someone else's bills: a less sophisticated criminal will create medical bills that can tip victims off.

    Notification by law enforcement or an insurance company: victims may be contacted by an insurance fraud investigator or law enforcement regarding the crime.

    Notification by a health care provider: it is very unusual for a health care provider, such as a doctor or a hospital, to notify the patients of medical identity theft. However, there have been a few cases reported by hospitals when discrepancies in the medical records are discovered.

    Medical problem at an emergency room: the most unfortunate thing is that victims learn about medical identity theft during the course of a medical emergency. Most often, victims spot false entries in their medical records.

    Denial of insurance coverage, notification that benefits have run out, or that a lifetime cap has been reached: this is another way for victims to discover medical identity theft. Victims may be notified that the coverage for their medical services is being denied because their benefits have been depleted.

    11. PREVENTION OF MEDICAL IDENTITY THEFT

    This research paper outlines preventive steps after analyzing data in multiple case studies. Currently, literature reviews provide background knowledge on this subject matter. One identity theft publication, "Identity Theft and Fraud: The Impact on HIM Operations", outlines the following practical preventive guidance:

    Ensure appropriate background checks of employees and business associates who may have access to patient protected health information.

    Minimize the use of social security numbers for identification whenever possible and avoid displaying the entire social security number on computer screens, documents or data collection fields.

    Store patient protected health information (PHI) in a secure manner by enforcing physical safeguards (e.g., use restricted areas or locks).

    Implement and comply with organizational policies for the appropriate disposal, destruction, and reuse of any media used to store and collect patient protected health information (PHI).

    Train staff on organizational policies and practices to provide protection and appropriate use and disclosure of patient protected health information (PHI) as well as appropriate ways to handle identity theft events.

    Develop a proactive identity theft response plan or policy that clearly delineates the response process and identifies the organization's obligations to report the crime.

    12. POLICIES AND PROCEDURES AND SECURITY CULTURE

    Implementing policies and procedures to protect patients' data from medical identity theft requires not only sound management skills but also a culture of security awareness. Security culture embodies all socio-cultural measures that support technical security measures, so that patients' information security becomes a natural aspect of the daily activities of every employee [28]. The importance of security culture becomes apparent when much of the security problem is not of a technical-only nature but of a cognitive and organizational nature as well [16]. The formulation and implementation of a security policy and procedures draw on the existing culture, norms and rules and have the potential to affect them, and therefore these processes can have an impact on the social context [18]. On the bright side, culture presents a common language to foster the understanding of policy and procedure and helps to enforce the security practice. Otherwise, culture can eat technology for lunch. In other words, culture decides whether to espouse or eschew security practice. The components of security culture are shown below:

    1. Attitude and Awareness

    The attitude of the given societal environment, regarding enforcement of security rules.

    The awareness of the societal environment, regarding security issues in general.

    The attitude of the relevant professional community towards enforcing security rules [19].

    2. Power Relation between Users

    The exercise of power by health care professionals affects the implementation of policy and procedure.

    Political perspective: the ability of health care professionals to affect an outcome and to get things done.

    3. Collective Norms, Values, and Knowledge

    The introduction of new rules and interpretation schemas can be in accordance or in conflict with the pre-existing ones, therefore altering the way people perceive things and thus creating new norms and patterns of practice [18].

    The context in which a security policy is formulated and eventually put into practice is characterized by certain rules, norms and interpretation schemes [18].

    Reluctance among health care professionals to change working practices in order to make information more secure can be an impediment to the implementation of policy and procedure [15].

    4. Assumptions and Beliefs

    The organization's values shape the underlying assumptions and beliefs that influence the security culture.

    With regard to medical identity theft, health care professionals must be aware of the ethical issues and security practices in the health care environment. Many health care professionals are unaware of the security threats across the integrated network delivery system that involves multiple third parties. Security awareness will become more important after the implementation of the proposed National Health Information Network (NHIN). The United States Department of Health and Human Services (HHS) envisages that by placing health records online and making health records available everywhere, NHIN will save lives and reduce fraud [9]. However, without proper safeguards and appropriate administration supported by a culture of security, NHIN will run the risk of malicious attack and information theft. In the realm of data security breaches, technology itself is not the culprit; poor enforcement of health care policies due to a lack of security culture is. The results of the research will shed light on how to coordinate health care policy and procedure with security awareness.

    13. RESEARCH METHOD

    1. Qualitative Positivist Approach

    A qualitative positivist approach is adopted. The key feature of the qualitative positivist research method is its emphasis on the scientific adoption of a positivist approach (e.g., theory testing, hypothesis testing, formal propositions, inference making, etc.) to attain a better understanding of a phenomenon from the participants' viewpoints. The qualitative positivist research method can be used for the exploration, classification, and hypothesis development stages of the knowledge building process [2]. This approach is well suited to capturing the knowledge of practitioners and developing theories from it; and the knowledge can later be formalized and brought to the testing stage [2]. Given that, the qualitative positivist approach is suitable for this research topic because I would like to use case studies to capture a health care phenomenon in a natural setting and then collect data or empirical materials to draw inferences to explore the issue of medical identity theft, a topic that is less researched and studied.

    14. PURPOSE OF CASE STUDIES

    In health care research, case studies encompass knowledge pertaining to technology utilization, medical and organizational innovations, and the implementation of specific health legislation, policies, and programs [33]. The need for case studies arises when an empirical inquiry must examine a contemporary phenomenon in its real-life context, especially when the boundaries between phenomenon and real life are not clearly evident [34]. In this regard, the primary purpose of the case studies is to explore and explain the insider job aspect of medical identity theft (phenomenon) in a natural health care setting (context). Case studies can be employed to develop and to test a theory through induction [6]. Given that medical identity theft is a new topic, this theory is constructed from a case study so as to start from a clean theoretical slate. Theory-building research stems from the notion that there is no theory under consideration and no hypotheses to test [11]. Another viable option is running hypothesis testing or theory testing. Lee [20] has posited that when using case studies to test theories, the natural science model can be incorporated to make controlled observations, make controlled deductions, allow for replicability, and allow for generalizability. Finally, multiple case studies are proposed for theory-building purposes because, according to the available literature, there is very little theory-building research on this topic. Not many insights are offered to explain the insider jobs of medical identity theft. Hence, it makes sense to build theory based on the findings and discoveries.

    15. CASE STUDY DESIGN

    1. Multiple Case Studies

    Regarding this research topic, multiple case studies are used because (1) multiple case studies provide the opportunity for juxtaposition of all the cases. Cross-case analysis prevents researchers from jumping to conclusions by allowing them to juxtapose the cases to search for patterns and to counteract such tendencies by looking at the data in divergent ways; (2) multiple case studies permit researchers to conduct cross-case analysis that lists the similarities and differences between cases and subsequently makes the researchers look at the subtle similarities and differences. This enables researchers to break simplistic frames, leading to a more sophisticated understanding [11]; and (3) case studies can be used for both exploratory and explanatory purposes. For example, the first case study will explore medical identity theft in the natural health care setting. After data collection and data analysis, the second case study will be carried out. The earlier case may produce certain facts whose significance is only realized after a subsequent case has been completed, and the reinterpretation of facts in the subsequent case facilitates the materialization of a more general explanation across all the cases [34]. This will achieve the purpose of exploring and explaining medical identity theft.

    2. Operational Framework

    FIGURE 1: A Detailed View of Operational Framework (Baker, Verizon 2010)

    The two case studies are conducted in two different health settings: Northern Michigan Hospital and Emmet County Health Care Department. Several constructs, as shown in Figure 1, are outlined tentatively. The constructs demarcated are based on the findings from literature reviews. The framework above is a logical model that shapes the priorities for exploration in this case study research. Yin [35] postulated that good case studies should contain some operational framework, and having an operational framework prior to the inception of a case study helps to define what is to be studied as well as the topics or questions that might have to be covered. The operational framework defined may inadvertently create biases, but the framework itself is not a rigid design. Realizing that multiple case studies will unveil different findings, the framework will be modified to reflect the significant findings and discoveries. For instance, more constructs will be added or an existing construct will be better defined. Flexibility and the possibility of discovery have already been taken into consideration. In case study research, flexibility allows researchers to take advantage of the uniqueness of a specific case and the emergence of new themes to improve the existing framework and resultant theory [11].

    16. DATA COLLECTION

    Typically, theory-building researchers combine multiple data collection methods [11]. Therefore, in these theory-building case studies, multiple data collection methods from multiple sources will be combined to make use of triangulation in support of construct validity. Medical identity theft victims and health care practitioners were interviewed. The interview questions were open-ended, and all the interviews were recorded and transcribed into a word processor, with the interview date and time.

    1. Interview questions that involve the victims will encompass:

    The process of identifying medical identity theft

    The time frame of detecting medical identity theft

    Steps taken to notify the health care providers

    Any help offered by the health care providers

    The repercussions of medical identity theft for the individual

    2. The interview questions for health care practitioners or administrators are as follows:

    Approximately how many times did the victim contact the health care providers?

    What responses were given to the victim?

    What steps have been taken by the health care administrator to rectify the situation?

    Other than interviews, different data collection methods were utilized, such as questionnaires, documentation, and direct observation. Both qualitative and quantitative data were collected in this case study research. Quantitative data can indicate relationships that may not be salient to the researcher whereas qualitative data is useful for understanding the rationale revealed in quantitative data [11].

    In summary, the following depicts the different data collection methods:

    17. DATA COLLECTION

    1. Questionnaires: The main purpose of the questionnaire is to find out whether the health care employees are aware of the security policies and whether they support the policies [28]. The questions serve to measure the security attitude and perception of employees.

    2. Documentation: Health care settings have a staggering number of documents and forms that require research attention. This is because documents usually show the operations and events in health care settings over a period of time. This method allows researchers to keep records of exact references and details of events. Specifically, this method allows us to study the existing policies and procedures and technological applications in a health care setting.

    3. Interviews: Unstructured interviews will be conducted with health care professionals and victims of medical identity theft. Interviews are necessary to directly focus on the victims' and health care workers' perspectives.

    4. Direct Observation: Health care workers may not reveal their true values in questionnaires or interviews. The objective of direct observation is to compare the answers given during interviews with their real behavior.

    The challenge of using multiple sources of data collection is that it may be hard to attain convergent information [34]. Given an array of evidence gathered, it is essential to determine whether evidence from different sources converges on a similar set of facts [34]. One good way is to investigate. For example, according to an informant (a health care administrator), most of the health care workers strictly adhere to HIPAA regulations for the purpose of safeguarding personal health information. Through direct observation, the investigator may discover that copies of health care records with Medicaid IDs and patients' social security numbers are left unattended and that this practice has continued for several days. This will disconfirm the information provided by the informant, and the converged information will reveal that health care workers in the health care setting do not take the necessary actions to safeguard personal health information.

    18. VALIDITY AND RELIABILITY

    The proper use of case study protocol indicates reliability [6],[35]. Given that, the protocol refers to sequential design in multiple case studies. The first case study, as indicated in the preceding section, was conducted in Northern Michigan Hospital. There are two rounds of data collection for each case study. The second round of data collection will serve the purpose of filling the information gap but not for longitudinal reasons. The final case analysis for the first case was written after the second round of data collection. Next, a subsequent case study was carried out at Emmet County Health Care Department. The final analysis for each case will be compared and further analyzed. Construct validity can be enforced by sharing the collected data and research findings with the informants and getting feedback from the informants [6]. Although the informants may disagree with the findings, they will point out the incorrect data, if any. The purpose of using sequential design is to allow for reinterpretation with the facts of the earlier case and to apply a general explanation across all cases [34]. Given that, multiple case studies will serve both exploratory and explanatory purposes.

    1. Data Analysis

    Case study research will yield a tremendous amount of data. Breaking the data down by data source is a good way to handle a staggering amount of data. For instance, data collected from interviews and data collected from questionnaires were reviewed independently. This is to separate the qualitative data analysis from the quantitative data analysis. It is important to keep in mind that qualitative data provides insights about the underlying issue of medical identity theft in a dynamic environment. It is anticipated that new variables will emerge as a result of serendipitous changes in the dynamic environment. It may be necessary to iterate between the predefined constructs and the case data to redefine the operational framework that serves as a guideline in this case study.

    19. RESULT/CONCLUSION

    The attitude and perception of employees towards security have been discovered through the results of the questionnaire. Descriptive statistics will be applied in the data analysis of the questionnaire to give us a clue pertaining to security awareness in the health care organization. This piece of information will then be integrated with qualitative data that will provide us with insight into the prevention and detection of medical identity theft. The qualitative data will embody data collected from interviews, documentation (e.g., health care records), and notes taken from direct observation. In summary, the following table depicts the research results:

    1. Questionnaire: Descriptive statistics will yield results that will shed light on the security culture of a health care organization.

    2. Interview: Data collected from interviews will produce results regarding the insights of medical identity theft, including how it occurred, the way the health provider handled this issue, and the negative ramifications for the victims.

    3. Documentation: Documentation will include meeting minutes, medical forms, billing forms, and health records. The result will provide insights about organization structure and the operation issues within a health care organization.

    4. Direct Observation: The result of direct observation will be able to capture part of the organization culture and attitude towards security.

    The results from every type of data collection will be integrated to shape a holistic view of medical identity theft. Specifically, the incident of medical identity theft can be viewed from organizational, operational, technology, and human resource perspectives [12]. This holistic view will facilitate proper suggestions of health care policies and procedures and build theories regarding medical identity theft. Most likely, multiple theories will be derived from multiple case studies. These theories will involve several variables including detection and prevention of medical identity theft, health care policies and procedure, security culture, and technology application.

    Cross-case analysis will point to contradicting facts. There is strong evidence indicating a lack of security culture in one case study and a strong security culture in another. This occurrence caused the addition of technology as a new construct in the operational framework, suggesting that technology plays a role in fighting medical identity theft.

    A juxtaposition of multiple case studies will reveal subtle similarities and differences. For example, both case studies show that the incidents of medical identity theft were committed by medical billing specialists. The victim in one case study discovered the crime through inaccurate billing whereas the victim in the other case study discovered the crime through inaccurate medical data that was unveiled when the victim was admitted to the hospital for surgery. The difference may imply that the perpetrator in the latter case study was much more sophisticated than that of the former case. Proactive detection of medical identity theft, in this regard, will encompass reviewing both medical billing records and patients' medical data [4].

    Macroscopically, the resultant theories from these case studies will suggest proactive detection and prevention of medical identity theft and recommend sound policies and procedures to mitigate the risks of security breaches in health care information systems. This will also provide suggestions to reduce security risk in the proposed National Healthcare Information Network (NHIN).

    20. FUTURE RESEARCH

    The future research will test new theories formed in the multiple case studies. Given that, the next action will be shaping hypotheses by comparing the relationship with each case study to see how well it fits with the case data. The hypothesis-shaping process will also involve sharpening of constructs, which will encompass refining the definition of each construct and building evidence that measures the construct in each case.

    REFERENCES

    1. Appelbaum, P.S., "Threats to the Confidentiality of Medical Records: No Place to Hide," JAMA; (283:6), pp. 795-797, Feb 2000.

    2. Benbasat, I., Goldstein, D.K., and Mead, M., "The Case Research Strategy in Studies of Information Systems," MIS Quarterly; (11:3), pp. 369-386, Sept. 1987.

    3. Biotech Business Week, "Electronic Medical Records: Medical Identity Theft Survey Shows Consumers Concerned about Privacy, Protection of Records," Jan 8, 2007.

    4. Boyd, A.D., Hosner, C., Hunscher, D.A., Athey, B.D., Clauw, D.J., and Green, L.A., "An Honest Broker Mechanism to Maintain Privacy for Patient Care and Academic Medical Research," International Journal of Medical Informatics; (76), pp. 407-411, 2007.

    5. Conn, J., "A Real Steal. Patients, Providers Face Big Liabilities as Medical Identity Theft Continues to Rise, and in Many Cases it's an Inside Job," Mod Healthc; (36), pp. 26-28, 2006.

    6. Cooper, R.B., "Information Technology Development Creativity: A Case Study of Attempted Radical Change," MIS Quarterly; (24:2), pp. 245-276, Jun. 2000.

    7. Davis, N., Leniery, C., and Roberts, K., "Identity Theft and Fraud: The Impact on HIM Operations," Journal of AHIMA; (76:4), April 2005.

    8. Davenport, K.A., "Identity Theft that can Kill you," Available at www.law.uh.edu/healthlaw/perspectives/2006/(KD) IdentityTheft.pdf

    9. Dixon, P., "Medical Identity Theft: the Information Crime that can Kill You," The World Privacy Forum; May 2006.

    10. Earp, B.E. and Payton, F.C., "Information Privacy in the Service Sector: An Exploratory Study of Health Care and Banking Professional," Journal of Organizational Computing and Electronic Commerce; (16:2), pp. 105-122, 2006.

    11. Eisenhardt, K.M., Building T