Professional Documents
Culture Documents
CHCI Proposal For Childcares Study
CHCI Proposal For Childcares Study
Virginia Tech 2202 Kraft Drive Blacksburg, VA 24061 T 540.239.9334 Laurian.vega@gmail.com http://www.laurianvega.com
Usable Security Team
Introduction
President Obama has recently called for a complete revamping of the medical system. Within that call to action, there
has been a push to make medical records not only electronic, but usable. However, medical records are a type of
information that is primarily stored in paper form. Securing a piece of paper, one would think, is as simple as locking it in
a filing cabinet. Additionally, determining who has access or had access to the medical information is relatively
conventional given that paper can only be handed from person-to-person. What happens, though, when medical records
become not only electronic but stored online[1]? How many people can access those files? How do you figure out who
has access the files? Who owns the medical record? The patient, the doctor? And, who does the patient trust with their
records? Should a doctor be able to see all of a patient’s records? The grand scope of this research attempts to answer
some of those questions.
In this proposal I have scaled down our project to a small pilot study. We are proposing an area of study that is not life
critical – such as the emergency room, but one that contains medical-like sensitive information. I would like to study how
information is secured and accessed in local childcares. Childcares have many different kinds of people (childcare
workers, auditors, owners, parents – to name a few) and contains information that should not be shared with others. A
study of current practices showing all of the different methods of information access and types of people who share
information would provide insight into how to design information security measures for the personal health record domain
where there are similar stakeholders. Some of the questions we are asking:
• what are the kinds of information different people have access to?
• what is the kind of audit trail left after someone accesses a piece of critical information?
From this study I anticipate knowing a lot more about how critical information is accessed and secured in real life
situations.
Research to Date
At this point I have finished one half of a two part study that has been approved by the IRB; the IRB approval number is
09-515. In July an REU student and I interviewed twelve childcare directors in the NRV area. From this study we were
able to derive the official policy on how information about the children and their families is stored, secured, accessed, and
located. Now that we know what is the official policy, we would like to further explore what is the actual practice of
information security by interviewing the parents of children in childcares.
While in the childcares we asked if a flyer could be hung to encourage parents to participate in the second half of this
study. From those flyers we have received a call from one parent participant. We have not received more phone calls.
This has shown that our current recruitment methods are not as successful as we had hoped. In talking with Dr. Tatar
about craftier recruitment methods, she believes that a monetary incentive along with fuller coverage in places where
parents are located would greatly improve the chances of voluntary participation.
Interviews will be set up for September through November with transcripts being done within a week. The participant will
be paid after the interview has been conducted. A final report of all the interviews will be completed by the end of the
semester.
Procedure
The participants will contact me by phone to to indicate that they would like to participate. A meeting will be set up to
take place at the person's work or home location at a time of their choice.
Upon arrival at the meeting an informed consent will be given, explained, and signed. The participant will then be
instructed that the interview will be audio recorded and that at any time they can choose to not participate. The audio
recording will then be started. They will be asked questions from the interview protocol that has been attached. We
expect the study to last no longer than 30-45 minutes. Copies of pertinent artifacts may be collected. After the interview
is over the participant will be thanked for his/her time and we will leave.
1) An audio recording from an MP3 recorder will be made which transcriptions will be made from. (2) Copies of forms will
be collected and associated with a participants ID number (which will be assigned to the participant after agreeing to
participate in the study). (3) A digital picture may be taken of pertinent artifacts. All of these materials will be digitized and
the originals will be shredded. All original digital documents will be stored on Laurian Vega's personal machine that will be
password protected.
Budget
I am applying for $200.00 to interview twenty people in the fall semester 2009. Each participant would be paid $10.00 for
30 minutes of time.
References
Kaelber, D.C., et al., A Research Agenda for Personal Health Records (PHRs). J Am Med Inform Assoc, 2008: p.
M2547-M2547.
Appendix
Interview Protocol & Questions: Field Study of In-use Information Security and Interfaces within Childcare Facilities
Parents
Section 1: Demographic and Background Information
Goal: To collect background information about the parent and their child or children.
Name: ________________________________________________________________
Gender: M/F
Number of children in a childcare program: _____
Age(s) of child(ren): ____________________________
Childcare Facility in which your children are enrolled in: _____________________
How long has/have your child/children been enrolled in a childcare program: ________
How long has/have your child/children been enrolled in the current childcare program: _____________
• What reassurances have you been given that the information about your child has been protected? Do you know who
has access to information about your child?
• Maybe (intrusive): Has there ever been an incident between your child and another at the childcare (e.g. physical
altercations)?
• If so, what kind of information was given to you about the incident (e.g. name of the other child, what exactly happened
between the two children, etc)?