Medical Data Sharing: Establishing Trust in Health Information Exchange (SANS Reading Room)


Legal Issues

Featuring 53 Papers as of March 1, 2017

  • Medical Data Sharing: Establishing Trust in Health Information Exchange

    STI Graduate Student Research
    by Barbara Filkins – March 1, 2017 

    Health information exchange (HIE) “allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient’s vital medical information electronically–improving the speed, quality, safety and cost of patient care” (, 2014). The greatest gain in the use of HIE is the ability to achieve interoperability across providers that, except for the care of a given patient, are unrelated. But, by its very nature, HIE also raises concern around the protection and integrity of shared, sensitive data. Trust is a major barrier to interoperability.

  • Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk

    STI Graduate Student Research
    by Oleg Bogomolniy – February 1, 2017 

    There have been a number of insurance industry-related research efforts to define new cyber security frameworks to help insurers underwrite cyber risk. This research includes copula-based actuarial models for pricing cyber insurance based on the number of computers; using the peaks-over-threshold method (from extreme value theory) to identify “cyber risks of daily life”; using the Principal-Agent model (from microeconomic theory); creating a methodology for common cyber risk categorization; modeling cyber risk based on operational risk, and more. However, there has been little to no input or research into cyber insurance related topics from cyber security experts. The purpose of this exploratory study is to propose the integration of a risk framework for underwriting cyber risk. This paper will analyze how CIS Critical Security Controls, along with its accompanying quantified metrics, benchmarking, and auditing tools, can be used as a rating mechanism for determining the cybersecurity posture of insured organizations. Furthermore, such a mechanism can be perpetually used for either self-assessments by insured organizations, or by independent qualified security assessors.

  • Minimizing Legal Risk When Using Cybersecurity Scanning Tools

    STI Graduate Student Research
    by John Dittmer – January 19, 2017 

    When cybersecurity professionals use scanning tools on the networks and devices of organizations, there can be legal risks that need to be managed by individuals and enterprises. Often, scanning tools are used to measure compliance with cybersecurity policies and laws, so they must be used with due care. There are protocols that should be followed to ensure proper use of the scanning tools to prevent interference with normal network or system operations and to ensure the accuracy of the scanning results. Several challenges will be examined in depth, such as measuring for scanner accuracy, proper methods of obtaining written consent for scanning, and how to set up a scanning session for optimum examination of systems or networks. This paper will provide cybersecurity professionals and managers with a better understanding of how and when to use the scanning tools while minimizing the legal risk to themselves and their enterprises.

  • Legal Considerations When Creating an Incident Response Plan

    STI Graduate Student Research
    by Bryan Chou – December 22, 2016 

    Creating a cybersecurity incident response plan (CSIRP) is a basic requirement of any security program. CSIRPs generally follow the six phases of the incident response process (preparation, identification, containment, eradication, recovery, and lessons learned) or some derivation of those steps (Kral, 2011). Once a security event begins, the cybersecurity incident response team (CSIRT) is focused on identification, containment, eradication, and recovery. In other words, they are trying to get operations back to normal. The preparation phase is the time to thoughtfully consider and research the legal decisions required during a security event. Legal considerations to include in the CSIRP include the pertinent laws and regulations, what to do if prosecution is a possibility, and maintaining attorney-client privilege.

  • Next Generation of Privacy in Europe and the Impact on Information Security: Complying with the GDPR

    STI Graduate Student Research
    by Edward Yuwono – December 5, 2016 

    Human rights have a strong place within Europe; part of this includes the fundamental right to privacy. Over the years, individual privacy has strengthened through various European directives. With the evolution of privacy continuing in Europe through the release of the General Data Protection Regulation (GDPR), how will the latest iteration of European Union (EU) regulation affect organisations and what will information security leaders need to do to meet this change? This paper will explore the evolution of privacy in Europe, the objectives and changes this iteration of EU privacy regulation will provide, what challenges organisations will experience, and how information security could be leveraged to satisfy the regulation.

  • Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey

    Analyst Paper
    by Barbara Filkins – June 20, 2016 

    Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.

  • Email Acceptable Use: Balancing the Needs of the Organization and the Need to Comply with National Labor Relations Board Rulings

    STI Graduate Student Research
    by Paul Hershberger – October 26, 2015 

    Organizations strive to enact policies that protect intellectual property, including the reputation of their brand, and support a productive work environment, while at the same time respecting employee privacy and freedom of expression. Despite good intentions, organizations sometimes discover that their existing policies suddenly conflict with the legal system. Unexpected legal rulings can arise as authorities assess how technology changes the workplace. What is acceptable policy within an organization one day may be in violation of law the next. This paper examines National Labor Relations Board (NLRB) rulings regarding the use of email by employees for protected purposes such as union organizing and then presents an analysis of the implications of those rulings. Suggestions as to how policies and practices must evolve to meet the needs of the organization are made, while also complying with the NLRB’s interpretation of employment law.

  • What Companies need to consider for e-Discovery

    by Thomas Vines – August 24, 2015 

    Within the legal environment, Discovery is the process of identifying, locating, preserving, securing, collecting, preparing, reviewing, and producing facts, information, and materials for the purpose of producing/obtaining evidence for utilization in the legal process. Electronic Discovery (e-Discovery) is an extension of these processes into the digital environment and Electronically Stored Information (ESI). Legal departments are ill-prepared to deal with the digital environment of a business. Increasingly they are turning to the company’s Information Technology (IT) department in order to identify, locate, preserve, and collect ESI. This is not the break/fix work that is typical in IT operations. This is a new area of Data Governance and Records Information Management. This paper explores the relationships between Executive Management, Legal, Risk Management, IT, and Security in fulfilling the demands and obligations for defensible e-Discovery. This analysis includes a discussion of the Electronic Discovery Reference Model (EDRM) and its integration with the Information Governance Reference Model (IGRM).

  • A Concise Guide to Various Australian Laws Related to Privacy and Cybersecurity Domains

    STI Graduate Student Research
    by Babu Veerappa Srinivas – July 6, 2015 

    There are many laws in Australia related to privacy and cyber security domains. In this paper, the author intends to collate the current laws related to privacy and cyber security domains so that interested readers could get relevant information specific to Australia in one concise document. Additionally, there are no industry specific acts or regulations like HIPAA, SOX or GLBA. Because of this, some organizations do not know their obligations in relation to these laws.

    This paper presents research on the current applicable cyber security related laws, Acts and regulations published by the Federal and State Governments, establishes their relationship with other applicable Acts, performs a gap assessment and identifies relevant industry frameworks that can be adopted as best practices. For ease of future research, the sources of these current artefacts and databases are cited throughout the document.

    Disclaimer: Contents of this document must not be construed as legal advice. Readers are encouraged to seek legal advice prior to consideration.

  • Evidence Collection From Social Media Sites

    by Keil Hubert – December 2, 2014 

    Original content written and posted by an individual to a social media site may identify or substantiate an employee’s misconduct, whether their own or misconduct by a fellow employee. Capturing evidence from social media sites can significantly support the evidence gathered from other sources (e.g., text messages, e-mails, etc.) in the construction of an event timeline. Proper capture, handling, and presentation of evidence from social media sites will help the investigator explain what happened to upper management, to legal, and to law enforcement agencies.

  • A Model for Licensing IT Security

    STI Graduate Student Research
    by Mason Pokladnik – August 6, 2013 

    In 2009, the United States’ Senate considered legislation that would require the Department of Commerce to create a national licensing, certification and recertification program for information security professionals (Rockefeller, 2009).

  • Cloud Computing – Maze in the Haze

    by Godha Iyengar – October 18, 2011 

    In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.

  • Solution Architecture for Cyber Deterrence

    by Thomas Mowbray – April 29, 2010 

    The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90’s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).

  • IT Guidance to the Legal Team

    STI Graduate Student Research
    by Brad Ruppert – March 8, 2010 

    Technology can be a great tool to simplify a process or increase the output of existing processes. Despite this, Information Technology (IT) teams must be cautious when implementing new technology into their environment because this can also increase their liability of information retrieval if a lawsuit is filed against them. Rarely if ever is an enterprise application, such as e-discovery software, ready to go out of the box. Most enterprise applications of scale require months of planning, negotiations, architecture discussions, engineering consultation, cross-divisional resource allocation, and process redesign to accommodate the software. Information security and IT teams, knowledgeable of this fact, should interface with their legal teams prior to ideation of implementing an enterprise e-discovery tool. Just having a tool and not a defined process to effectively manage, correlate, extract, and secure subpoenaed data can leave a company exposed to multiple financial and legal repercussions. An example of this was seen with the case of Morgan Stanley vs. Ronald Perelman where “Morgan Stanley was hit with a $1.75 billion jury verdict, which hinged primarily on the company’s lax e-discovery procedures.” (Cummings, 2007)

  • Electronic Contracting In An Insecure World

    STI Graduate Student Research
    by Craig Wright – February 1, 2008 

    The paper covers the legal aspects of electronic contracts and the technologies that aid in the creation and preservation of these instruments and the implications associated with online contractual dealings and the issues that have created these uncertainties. It closes by addressing the issues with digital signatures and repudiation concerning online transactions.

  • The Outsourced Productivity Information Security Risk

    by Eric Mittler – March 9, 2005 

    Many of your data protection security controls will be by-passed by your vendors if they feel pressured to do so by employees at your company, unless you specifically mitigate this risk.

  • Hearsay and Evidence in the Computer Emergency Response Team (CERT)

    by Susan Sherman – January 28, 2005 

    The Computer Emergency Response Team (CERT) is responsible for computer related information incident handling within a specific government Agency. Part of that mission is the inherent issue to provide support to law enforcement officials. CERT must provide evidence to those that are going to complete the law enforcement effort of an incident.

  • Ethics in the IT Community

    by Anthony Bundschuh – January 22, 2005 

    This paper is an overview of the current state of ethics in the IT community. It describes the current state of ethics in IT, identifies the major areas of concern for the IT community, and discusses the relationships an IT professional will face, and the conflicts that may jeopardize those relationships.

  • Federal Computer Crime Laws

    by Maxim May – August 15, 2004 

    The Internet has been a boon to business, science, education and just about any field you can think of, including crime. Just like every human invention, the Internet has two sides to it: on the one hand it allows businesses to be more productive and scientists to share research data almost instantaneously; on the other hand it grants criminals an additional tool to commit crimes and get away with it.

  • An Overview of Sarbanes-Oxley for the Information Security Professional

    by Gregg Stults – July 25, 2004 

    The Sarbanes-Oxley Act of 2002 has dramatically affected overall awareness and management of internal controls in public corporations. Responsibility for accurate financial reporting has landed squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs.

  • Offshore Outsourcing and Information Confidentiality

    by Mark Lum – July 25, 2004 

    While recent news headlines of the past few months have focused on the controversial topic of offshore outsourcing of jobs from the United States to countries such as India, China, and Mexico, other headlines, relating to some of the effects of this phenomenon, have exposed problematic consequences and outcomes.

  • Cyber Risk Insurance

    by Denis Drouin – June 9, 2004 

    Technology has continued to astound the world’s electronic culture by reacting with the use of mechanisms to defend and protect against the unknown. Cyber insurance has been one of those phenomena that has experienced many challenges and at the same time mutated into a more complex tool to protect companies.

  • The Role of IT Security in Sarbanes-Oxley Compliance

    by Mary Fleming – April 8, 2004 

    This document will summarize the requirements of Sarbanes-Oxley as they apply to IT and define the controls IT must be concerned with in the certification process. This document pertains only to the role of IT and IT security in Sarbanes-Oxley controls compliance; other company departments – accounting, finance, human resources, etc., may be subject to controls not covered herein.

  • U.S. Government IT Security Laws

    by Trevor Burke – January 11, 2004 

    This document will serve as a guide to those new to federal IT law and address the above four issues, outline the guidelines and steps to ensure successful C&A as designed by NIST, and subsequently address lessons learned from trying to comply with FISMA.

  • Issues in Protecting Our Critical Infrastructure

    by William Nance – June 2, 2003 

    The Internet has brought many important changes to the way we do business, both in the public and private sectors. We can use it to instantly communicate with others across the country, conduct business meetings, or control equipment in remote locations.

  • Financial Institutions Required To Do Their Part To Fight Crime

    by Terry Ritter – February 9, 2003 

    This paper will briefly explain how the U.S. Patriot Act legislation came into existence, but its main focus will be to outline the requirements of the recently proposed Section 326 “Customer Identification Program.”

  • The Legal System and Ethics in Information Security

    by Amit Philip – July 15, 2002 

    A discussion of the issues faced by the legal system in keeping up with the fast paced development of technology and the ways in which the current laws can help, as well as the role that ethics have to play in the world of computer security.

  • Dangerous Technology: Management Beware

    by Brent McKinley – March 27, 2002 

    The purpose of this paper is to inform management and upper level administration of the legal liabilities and loss of productivity due to the inappropriate use of the Internet, email, interconnected computer systems and pirated software.

  • The Ethics and Legality of Port Scanning

    by Shaun Jamieson – October 8, 2001 

    This paper will define and outline the process of port scanning, discuss ethical and legal issues surrounding port scanning, and assert the importance of strictly defining scanning in an organization’s policy.

  • The Art of Enforcement

    by Jeff Neithercutt – September 28, 2001 

    The careful planning, integration, training, and support of a multi-disciplined group of Incident Responders will continue to be, for most corporations, the last line of defense against computer crimes; and, the better their relationship with the Local, State, and Federal Agencies they work with, the better the success of both their proactive and reactive activities.

  • Malaysian Law and Computer Crime

    by Wong Yew – August 8, 2001 

    This paper attempts to describe the Malaysian Computer Crimes Act 1997 (CCA 1997) and provide important guidelines for a successful computer crime investigation.

  • Big Brother at the Office: Friend or Foe?

    by Clint Satterwhite – July 13, 2001 

    This paper outlines most of the issues regarding monitoring of employee workplace computer use and attempts to present an objective presentation of the information from both the employee and employer’s perspectives.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published “as is”. Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Source: SANS ISC SecNewsFeed @ March 1, 2017 at 01:30PM