As healthcare data are pushed online, consumers have raised big concerns on the breach of their personal information. Law and regulations have placed businesses and public organizations under obligations to take actions to prevent data breach. Among various threats, insider threats have been identified to be a major threat on data loss. Thus, effective mechanisms to control insider threats on data loss are urgently needed. The objective of this research is to address data loss prevention challenges in healthcare enterprise environment. First, a novel approach is provided to model internal threat, specifically inside activities. With inside activities modeling, data loss paths and threat vectors are formally described and identified. Then, threat vectors and potential data loss paths have been investigated in a healthcare enterprise environment. Threat vectors have been enumerated and data loss statistics data for some threat vectors have been collected. After that, issues on data loss prevention and inside activity incident identification, tracking, and reconstruction are discussed. Finally, evidences of inside activities are modeled as evidence trees to provide guidance for inside activity identification and reconstruction.


Biggs, S. and Vidalis, S. (2010). Cloud Computing Storms: IJICR 1(1), pp. 61- 68.

Bradford, P., Brown, M., Perdue, J. (2004). Towards proactive computer-system forensics. IEEE International Conference on Information Technology: Coding and Computing (ITCC 2004).

Bruening, P. J. and Treacy, B. C. (2009). Cloud computing: privacy, security challenges. Privacy & Security Law Report by The Bureau of National Affairs, Inc. [online]. Available: http://www.bna.com.

Brunette, G. and Mogull, R. (2009). Security Guidance for critical areas of focus in Cloud Computing V2. 1. CSA (Cloud Security Alliance), USA. [online]. Available: http://www.cloudsecurityalliance.org/gui dance/csaguide.

Burford, J., Lewis, L., and Jakobson, G. (2008). Insider threat detection using situation-aware MAS. In IEEE 11th International Conference on Information Fusion, 1–8, Germany.

Carrier, B. & Spafford, E. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2).

Carrier, B. & Spafford, E. (2004, July). An event-based digital forensic investigation framework. In Proceedings of Digital Forensic Research Workshop. Case, A.

Cristina, A., Marziale, L., Richard G., & Roussev, V. (2008). FACE: automated digital evidence discovery and correlation. Digital Investigation, 5, s65- s75.

CENZIC. (2008). Q1 Cenzic application security trends report. [online]. Available: http://www.cenzic.com/downloads/Cenzi c_AppSecTrends_Q3_Q4-2008.pdf.

Chen, P., Laih, C., Pouget, E. and Dacier, M. (2005). Comarative survey of local honeypot sensor to assist network forensics. Proceedings of the 1st International Workshop on Systematic Approach to Digital Forensics Engineering, 120-132.

Chivers, H., Nobles, P., Shaikh, S., Clark, J., Chen, H. (2009). Accumulating Evidence of Insider Attacks. 1st International Workshop on Managing Inside Security Threats (MIST09).

Eberle, W. and Holder, L. (2009). Insider threat detection using graph-based approaches. Proceedings of IEEE Cybersecurity Applications & Technology Conference for Homeland Security (CATCH), 237-241.

Ellard, D. and Megquier, J. (2004). DISP: practical, efficient, secure and faulttolerant distributed data storage. ACM Transactions on Storage. 1(1). 71-94.

El Emam, K., Neri, E., Jonker, E., Sokolova, M., Peyton, L., Neisa, A., Scassa, T. (2010). The inadvertent disclosure of personal health information through peer‐ to‐peer file sharing programs. J. American Medical Informatics Assoc., 17(2), 148–158.

Ernst & Young. (2011). Data loss prevention: keeping your sensitive data out of the public domain. White Paper. [online]. Available: https://www.watchguard.com/tipsresources/grc/wp-data-lossprevention.asp.

Fratto, M. (2008). Security survey: we’re spending more, but data’s no safer than last year. [online]. Available: http://www.informationweek.com/news/s ecurity/management/showArticle.jhtml?a rticleID=208800942.

Halbesleben, J.R.B, Wakefield, D.S. and Wakefield, B.J. (2008). Work-arounds in healthcare settings: literature review and research agenda. Health Care Management Rev., 33(1), pp. 2–12.

Harris, S. (2012). CISSP All-In-One Exam Guide. 6th edition, ISBN: 978- 0071781749.

Hoffman, P. (2007). RSA security reports low level of trust in online banking security. eWeek News. [online]. Available:http://www.eweek.com/c/a/Se curity/RSA-Survey-Reports-Low-Levelof-Trust-in-Online-Banking-Security/.

Johnson, M. E, and Willey, N. (2011). Usability failures and healthcare data hemorrhages. IEEE Security and Privacy. Issue March/April 2011, pp. 18-25.

Kowalski, E., Conway, T., Keverline, S., Williams, M., Cappelli, D. and Moore, A. (2008). Insider threat study: illicit cyber activity in the government sector. [online]. Available: http://www.cert.org/insider_threat/.

Mauw, S. & Oostdijk, M. (2005). Foundations of attack trees. In Won, D., Kim, S., eds.: International Conference on Information Security and Cryptology – ICISC 2005.Volume 3935 of LNCS, Springer 186–198.

Moore, A., Cappelli, D.. & Trzeciak, R. (2008). The “big picture” of insider IT sabotage across U.S. critical infrastructures. Advances in Information Security. 39, 17-52.

Murphey, R. (2007). Automated windows event logs forensics. Journal of Digital Investigations. 4S, S92-S100.

Phua, C., Lee, V., Smith, K. and Gayler, R. (2007). A comprehensive survey of data mining-based fraud detection research. [online]. Available: http://www.bsys.monash.edu.au/people/ cphua/.

Poolsapassit, N. & Ray, I. (2007). Investigating computer attacks using attack trees. IFIP International Federation for Information Processing, Vol. 242. Advanced Digital Forensics III.

Popovsky, B. E. & Frincke, D. (2004). Adding the fourth “R”. In Proceeding of the 2004 IEEE Workshop on Information Assurance.

Popovsky, B. E., Frincke, D., and Taylor, C. (2007). A theoretical framework for organizational network forensic readiness. Journal of Computers. Vol. 2, No. 3.

Ramzan, Z. (2008). Security trends of 2008 and predictions for 2009. Net Security News, [online]. Available: http://www.netsecurity.org/article.php?id=1194. Dec. 24.

Randazzo, M. Keeney, M., Kowalski, E., Cappelli, D. and Moore, A. (2004). Insider threat study: illicit cyber activity in the banking and finance sector,” [online]. Available: http://www.cert.org/insider_threat/.

Rowlinson, R. (2004). Ten steps to forensic readiness. International Journal of Digital Evidence, 2(3).

Rozinat, A. van der Aalst, W., Dustdar, S., Fiadeiro, J. and Sheth, A. (2006). Decision mining in ProM. In: Lecture Notes in Computer Science. 4102.

Springer, Berli Rozinat, A., Mans, R., Song, M. and van der Aalst, W. (2008). Discovering colored petri nets from event logs. International Journal on Software Tools for Technology Transfer, 10(1).

RSA Security. (2008). CSI computer crime & security survey. [online]. Available: http://i.zdnet.com/blogs/csisurvey2008.p df.

Saini, V., Duan, Q., Paruchuri, V. (2008). Threat modeling using attack trees. J. Comput.Small Coll. 23(4).

Schneier, B. (1999). Attack trees: modeling security threats. Dr. Dobb’s Journal.

Seltxer, L. (2006). Is online banking too dangerous? eWeek News. [online]. Available: http://www.eweek.com/c/a/Security/IsOnline-Banking-Too-Dangerous/.

Shah, A. (2009). More employees neglecting data security, survey says. [online]. Available: http://www.networkworld.com/news/200 9/061009-more-employees-neglectingdata-security.html. IDG News Service.

Sheyner, O., Haines, J., Jha, S., Lippmann, R. and Wing, J. (2002). Automated generation and analysis of attack graphs. Proceedings of the IEEE Symposium on Security and Privacy, 273-284.

Singleton, T., Singleton, A., Bologna, G., and Lindquist, R. (2006). Fraud Auditing and Forensic Accounting, 3rd edition. ISBN: 9780471785910.

Wiley. Siponen, M. and Oinas-Kukkonen, H. (2007). A review of information security issues and respective research contributions. Database for Advances in Information Systems. 38(1), 60-80.

Tan, J. (2001). Forensics readiness. Electronic version available at HTUhttp://www.arcert.gov.ar/webs/text os/forensic_readiness.pdf.

Tang, Y. and Daniels, T. (2005). A simple framework for distributed forensics. In Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops, 163-169.

Todtmann, B., Riebach, S. and Rathgeb, E. (2007). The honeynet quarantine: reducing collateral damage caused by early intrusion response. In proceedings of the 6th international Conference on Networking, 464-465.

Tu, M., Xu, D., Butler, E., and Schwartz, A. (2012). Locating and identifying forensic evidence for attacks against online business information systems by using honeynet. Journal of Digital Forensics, Security, and Law. 7(4), 73- 97.

Wilson, W. & Wolfe, H. (2003). Management strategies for implementing forensic security measures. Information Security Technical Report, 8(2).

Wippich, B. (2007). Detecting and preventing unauthorized outbound traffic. White Paper, SANs Institute Reading Room. [online]. Available: https://www.sans.org/readingroom/whitepapers/detection/detectingpreventing-unauthorized-outboundtraffic-1951.

Yasinsac, A. and Manzano, Y. (2001). Policies to enhance computer and network forensics. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security.





To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.