
Securing Sensitive Information in Work Practice

Laurian Vega, Stacy Branham, Steve Harrison, Dennis Kafura


Center for Human Computer Interaction, Computer Science, 2202 Kraft Drive, Virginia Tech, Blacksburg, VA
{Laurian, SBranham, SRH, Kafura}@vt.edu

ABSTRACT
There is a need in HCI to study how issues of trust and privacy can and do affect the ad hoc negotiation of security rules and how they are managed by humans in actual practice. In this paper we present a field study of security and privacy through the use of interviews and observations that examine the physical and electronic security practices of childcares and medical offices. We show that the issues of human-mediated access management, information duplication, and the creation of a community of trust all affect aspects of the human side of security.

Categories and Subject Descriptors
K.4.3 [Computers and Society]: Organizational Impacts – Computer supported collaborative work; H.3.1 [Information Systems]: Information Storage and Retrieval; H.2.1 [Information Systems]: Human Factors.

General Terms
Experimentation, Security, Human Factors

Keywords
Security, CSCW, Shared documentation, Privacy, Trust, Work practice

1. INTRODUCTION
Traditionally, electronic and physical security has been concerned with creating rules, locks, and passwords. However, security systems that neglect people as a significant part of the equation “are seldom secure in practice” [8]. Practice is what happens in the moment; it is the activity; it is what is actually done. It is often in the human-centered moment, and not in the computer-centered planning stages, when security policies or mechanisms break down and the safety of sensitive information is compromised [2, 4, 14]. When a breakdown occurs in a social system (as opposed to a computational one), workers do not stop what they are doing. Instead, they create special cases or methods that allow them to continue by bending formal work policies, e.g. when users write passwords on post-it notes, or shout them across the room, as observed in this work [2, 4, 14]. As a result, there exists a need to study and understand the holistic practice of how security is managed in socio-technical systems [13].

Prior research has examined how plans, work, and documentation are mediated by artifacts [5, 21], how models and frameworks can be used to design for privacy [30], and the effects of deploying technology probes aimed at exploring security and privacy [10]. However, the study of how current work practices maintain and secure sensitive information has been underrepresented in the larger area of security [4]. When socio-technical concerns are considered, human issues of trust [16], privacy [3, 8], and negotiation [13] emerge: trust, because people often share sensitive information toward attaining mutual professional goals; privacy, because people are working with sensitive information; and negotiation, because the rules or standards of practice break down or are not clearly defined [24] and hence require mediation. The work presented here not only addresses the need for more practice-based study, but also explores these three human-centric themes of security practice.

This work looks at security-in-practice by engaging in environments that are rich in sensitive information that is managed through significant amounts of collaborative documentation, access, and retrieval. The two domains we have explored are the childcare domain – where both parents and childcare personnel document information about a child’s developmental and physical progress – and the medical domain – where patients and medical staff document information about the patient’s health. The study of these is becoming ever more necessary as we strive to design secure and usable systems for childcares and medical practices that are increasingly adopting digital documentation systems [20].

In this paper we present an ethnographically-informed analysis of social and technical mechanisms that are used to manage sensitive personal information. Through the use of field studies that probe issues of trust, privacy, and negotiation in security practice, we present three factors that critically impact security mechanisms: human-mediated access management, information duplication, and a community of trust. These three factors are tightly coupled and used to co-produce a holistic understanding of security in the practice of managing sensitive personal information. A final contribution presented in this paper is a set of design implications for the three factors.

2. BACKGROUND
Prior work has explored several different aspects of the usable security problem. For example, there has been a large body of research and development of technologies that support educating and informing the user. The work of Ackerman [1] has suggested the use of privacy labels so that users can be notified of possible data capture, use, and reuse as they interact with web-based technologies. Another example is the work of Cranor et al. called Privacy Bird [11]. Privacy Bird reads the P3P information in a website and then displays a visual indicator of how closely the privacy standards for that website match personal settings (e.g., a green indicator means a good match). Our work examines a different aspect of usable security; we examine current practices as a method to inform future technology design.

Bellotti and Sellen [8] present a design framework for understanding privacy and security needs through the aspects of user feedback and control when creating ubiquitous technologies. Similarly, the work of Flechais et al. [16] demonstrated the difference between social and technical security measures. By their definitions, human-based security measures are progressive and adaptive yet are unreliable due to the effects of emotions and circumstances. Technical security, on the other hand, works well on repetitive tasks, but is less capable of being flexible in unanticipated situations. These studies emphasize the importance
of understanding the context of the user to provide adaptive security needs. In our studies we explore how security is affected by both technical and social measures. We do this to provide a holistic conception of security in socio-technical systems that accounts for trust, privacy, and negotiation with respect to social and technical security mechanisms.

There has been a dearth of research examining the day-to-day practices of childcares and their relation to information security. However, the work of Kientz et al. has explored how to design a technological solution for information that is stored and managed about children [22, 23]. This work started as a qualitative inquiry that examined how a network of caregivers managed the record-keeping process. One important finding from the study was that doctors were the most trusted source of information about a child’s development. This is a key finding for understanding the conceptions that parents have about authoritative information, which in turn impacts what is shared and documented about their child. The second related finding is that parents had concerns about the privacy of information managed by secondary caregivers, like childcares or nannies. While this work embodies some of the same user needs as our own study (i.e., mass amounts of information, data recording, etc.), it does not focus on the security and privacy of practice. Additionally, Kientz’s work focuses on how parents manage the documentation. Instead, we are focusing on how childcares co-manage documentation with parents and other secondary caregivers.

There has been extensive research on security and privacy in medical settings. Prior work has examined the security of private information [2], how documentation and articulation work supports collaboration in a medical setting [9], how to manage the mobility of medical collaboration [6], and the use and creation of multiple surfaces to help collaboration and management – with a specific focus on supporting work practice [7]. The work of Reddy and Dourish [27] is representative of how practice and context can affect information dissemination and communication in hospitals – specifically, intensive care units. In their paper temporal rhythms are proposed to explain community patterns that healthcare workers follow in seeking, providing, and managing information. Our work, instead, focuses on the inextricable relationship between social and technical mechanisms that are used in the medical work practice to negotiate ad hoc security and privacy needs.

3. METHOD
Four studies were conducted using interviews and observations to triangulate findings and explore security issues involved in the practice of collaborative sensitive information management. Basic dimensions of these studies can be seen in Table 1. In total, we interviewed 46 participants and conducted 14 observations. The studies involved interviews with the directors from childcares and medical practices within their workplace with guided tours. Four childcare directors were then selected for the second set of studies as the representatives of the strongest information practices (i.e. fewest Department of Social Services violations, clear practices on how information is managed and regulated). Childcare directors participated in interviews that lasted approximately 45 minutes. Two to four observation sessions lasting 2–3 hours each were then conducted following the interviews. Twenty-one parents participated in 30-minute interviews in regard to their beliefs about sensitive private information management. All interviews and observations were audio recorded and transcribed. Interviews instead of standardized surveys were used to generate rich responses in regards to aspects of their work and practice that may affect the security of information. Qualitative studies, such as interviews and observations, are critical as initial investigation mechanisms because they account for the reasons and motivations that may go unreported on surveys. Also, a study of practice is critically dependent on an understanding of nuances in context-dependent behavior. Qualitative methods are indispensable in capturing and properly analyzing such practice-oriented situations.

All directors were recruited through a comprehensive list of all area providers; the response rates were 55% for childcares and 26% for medical practices, not including the local hospitals. Parents were recruited through listservs, flyers, and company newsletters. The only incentives provided to participate were offered to parents; parents were paid ten dollars.

All participants were from the Southwest area of Virginia. This area is rural, yet technologically impacted by the proximity to the University. Waitlists exist for the best childcares and medical practices. The number of children being managed in the participating childcares ranged from 26 to 200 (sd = 63.7), with children ranging in age from six weeks to sixth grade. The staff size at these facilities ranged from 9 to 45 (sd = 10.3). The average number of years of experience as a childcare director the participants had was 12.6. The medical practices varied in size from 2 to 50 individuals, with the average staff size being 13, including doctors and administrators. One participant was a practicing chiropractor and owner of nine practices in Southwest Virginia; staff size (37) and patients served weekly (2000) reflect all nine locations as well as the staff of the corporate location. Another participant was a doctor at a local surgical center and also the chief doctor of the location with administrative responsibilities. He reported personally seeing forty patients and employing fifty individuals, but was unable to recall how many patients were seen at the center. Apart from these two cases, the approximate number of patients seen weekly ranged from 55 to 400, with an average of 121.8.

                | Childcare Directors                      | Medical Office Directors + Doctors | Parents
When            | Summer + Fall 2009                       | Summer 2009                        | Fall 2009
Number + Gender | Summer = 11 women, 1 man; Fall = 4 women | 9 women, 4 men                     | 18 women, 3 men
Method          | Interviews: 30 – 60 minutes; Observation | Interviews: 30 minutes             | Interviews: 30 minutes
Location        | Place of work                            | Place of work                      | Place of convenience (eg, coffee shop)
Table 1. Dimensions of four studies by participant type.
Grounded theory was used to analyze the body of data. Grounded theory is a method of evaluating ethnographic data through the use of codes by sorting groups of findings into “themes.” These themes then inform the research as a type of data finding. (See [15] for a thorough explanation.) All data from the studies were coded by at least two researchers for an agreed set of codes. The codes from the first study were co-created prior to coding, and then individual coders evaluated all materials. Future studies built upon the prior set of codes with phases of training, establishing new agreed-upon codes, and then coding the new body of data. (See [29] for more detail on the coding process.)

4. ASPECTS OF SECURITY IN PRACTICE
In this section we discuss themes that provide insight into how security is managed in real practice within information-rich environments. All themes highlight the overarching tension between needing to keep information secure and private and the need to access information to work in an effective manner.

In this paper we use the term ‘director’ to refer to both childcare and medical directors and ‘center’ to refer to both childcare centers and medical practices. We also use the term ‘client’ to refer to parents, children, and patients.

4.1 Human-Mediated Access Management
The central nucleus of information being stored and managed about a patient or a child is located in their file. The centers in our studies kept the files in expansive filing shelves, like those in the medical practice shown in Figure 1, or in filing cabinets. The location of these files is of particular importance. The files can appear to be the central part of the director’s workspace. Indeed, accessing, searching, and managing the files is a large part of the role of the director. However, the role of director also extends to mediating the access and use of the files by others in the center. We found three factors that affected how access to a file was mediated: (1) ownership, (2) place-based norms, and (3) role-based monitoring.

4.1.1 Ownership
One theme that impacted access and monitoring of the information in a file was the director’s mental schemas about the ownership of the information in the file. The information in the file is intrinsically personal and sensitive; it is information about the patient or the child. At the same time the information is produced by the center: documented on the center’s forms, annotated by staff, and used regularly by the center. Individual conceptions of who owns the file or other instantiations of the personal information could hypothetically affect the management of its privacy. This is especially true given the lack of an over-arching US government regulation specifying rules about who owns this information. Even the HIPAA Privacy Rule, which is a U.S. Government regulation that enforces certain privacy and security laws, does not explicitly cover ownership of the information. The concept of ownership can impact the practice of sensitive information management. For instance, if the director believes that their job is to steward the personal information that belongs to the client, the director is more likely to enforce stricter security policies. In contrast, if the director believes that the personal information is their property, they are more likely to be liberal with sharing that information (regardless of what the client desires) as long as the behavior is compliant with government regulations and professional norms.

Figure 1. The office of a medical director with one wall of patients’ files. Files are color coded by name and by date of last session.

In probing this topic we asked both directors and parents about who they believed to be the owner of the information. The responses indicate a range of beliefs. For example, one medical director explained how both parties have ownership, “the information in a file belongs to a patient, but the file itself belongs to the doctor… So people think when they get an X-ray they’ve bought an X-ray but no, the information on the X-ray belongs to the patient but the actual film itself belongs to the doctor.” Alternatively, other medical directors emphasized that they would not provide the patient access to their file. Instead, they will make copies of anything for which the patient knows to ask. One medical center director explains “... but if they want a copy I’d give them a copy. Whatever they want. It’s their records.” The idea of only copying part of the file was reflected in the comments of another medical director who said, “No, we don’t give them the whole file. There’s a limit to a one page thing, but it’s basically the treatment that we’ve done.” These quotes reflect individual, conflicting conceptions of ownership that then affect access to personal sensitive information.

Childcares had similar issues of ownership in regards to the child’s file. A primary difference is that most childcare centers would talk about parents entering the director’s office, reading the file, and making copies of pertinent information (11/12 participants). This type of open discussion may be more common in childcares, where open discussion about a child’s progress can be encouraged. However, while this practice appears to be one of open access to the child’s own personal information, the fact that the director is present while the parent examines the file and its contents emphasizes that access to one’s own information is still a mediated process.

When asking about what information a client might not be able to see in the file, directors generally said that the patient could see anything. However, there were three medical directors and one childcare director who said that the patient or parent could not have access to the file. The reason cited by one of the participants was that the patient would not understand the annotations. The three remaining participants reported that the centers keep information about the client that they would not want them to see. For example, one director said, “We have a website they can look at. We don't usually let them see the files because it has notes possibly even about them and things like that.” Two additional
participants mentioned that they might take notes on sticky pads and temporarily attach sensitive information to a file and remove it later. One participant said that she keeps a separate file of highly sensitive information that she would not allow access to about particular children (i.e., detailing abuse information): “it's not that we're hiding it necessarily, but we're just not making it 100% visible, if that makes sense.” These four directors represent the side of the ownership spectrum where they have a sense of owning the information; the file is a collection of their annotations and notes about the patient, not the client’s information.

Parents also displayed shifting ideas about the ownership of a child’s files. One third of the participants believed that they were owners of the files, whereas another one third believed that the childcare was the owner of the file. The remaining participants had complex ideas about ownership. For example, two parents believed that they owned the information, but that the childcare owned the physical file. Another two participants initially responded that the childcare owned the file, but then after a couple of minutes returned to the topic and said that they were the owners of the files. Perhaps most relevant in the parents’ responses is that all (21/21) participants reflected that they had not spent time thinking about this question. Unlike the director, who had explicit policies regulating access, parents expressed a lack of knowledge about even what was in their child’s file. After discussion of this question all participants reflected that the process of their child’s information management was not transparent.

4.1.2 Place-based Norms
The physical environment of the workplaces in the centers impacted the security practices. As Harrison and Dourish explain in their work on place and space [18], the meaning that is ascribed to a physical location, or space, denotes communal norms and understanding, or place. We found that where sensitive personal information was physically located impacted how it was accessed and managed by the centers. Specifically, we found information was mindfully placed in different forms and in different spaces to restrict access and enforce privacy policies.

In medical practices, many of the rules related to privacy concerns are stipulated by and enforced through the HIPAA Act. However, how particular medical practices put the HIPAA Act’s policies into practice varied by office. One example of this variation is in the form the physical files would take. For instance, one medical practice kept a physical file of the patient’s health information separate from both the electronic and physical versions of the billing information. The director believed that keeping health and billing information in different physical locations helped keep the patient’s information private (“Due to the HIPAA thing, you know, you’re not allowed to keep patient’s financial information there in their chart.”)

Another medical director talked about how he discloses sensitive personal information to a patient in different physical locations, but how the application of HIPAA appears to be overly restrictive:

    HIPAA as I understand it was developed to protect information that is sent over the internet… Now HIPAA in my opinion, and I don’t mind if this is recorded, I think it’s a stupid thing… I wouldn’t go out in the waiting room and say, you know, “hey Ms. Jones your syphilis test is negative,” so to me it’s an ethical thing and not a legal issue… now my understanding of HIPAA interpretations, you’re not even allowed to say the patient’s name in the office. But what a load of crap, all that. If I got an 80-year-old lady, she wants a hug. I’m not gonna ignore her, you know, “205, you’re up!” That’s just, that’s a little ridiculous.

The director is expressing the fact that HIPAA regulations are not only restrictive, in some cases, but that external policies are affecting how he manages the disclosure of personal information in different locations; he is respecting the contextual integrity of the place [25]. The implication of what he is explaining is that different locations afford different disclosure policies. Expanding the participant’s example, when talking to a room full of patients he feels it is appropriate to say the client’s name, but not her diagnosis. This is important when considering the impact of the physical context on privacy policy management.

In both childcares and medical practices we found that the office of the director functioned as a highly distinctive place with particular implications for privacy and security. The client’s physical files were usually located surrounding the desk of the director, as shown in Figure 1, or were directly behind the desk of the director. The director in the office then worked to mediate access to the files. There were subtle cues that indicated the importance of the placement of these files. For example, the location of the furniture and computers was used to indicate that access was inhibited – similar to what was described in [12]. Other workers, when needing information or wanting to ask the director a question, would stand in the doorway to pass on their request. After explaining their purpose the director would then encourage them into the room. For example, in just one observed three-hour session this behavior was noted four separate times. One medical director also explained that she used a screen saver to hide sensitive personal information when she was away from her desk to protect against accidental disclosure through passing personnel.

During our observations of the childcare centers, we were able to examine more nuanced forms of place-based norms that impacted the management of sensitive personal information embedded in the environment. For example, one medical director tucked highly sensitive personal information towards the back of a file so that it was less likely to be seen unless explicitly the target of a search by someone who knew to look for it. This is a place-based instantiation of security through obscurity. Another childcare director used the corner of her desk as a place where semi-sensitive information was kept. This location denoted that the place was one of communicating information with particular people and about particular types of information. For example, a black box of emergency contact information about children was stored there. These instances of the use of place to demark privacy policies are ones of social norm negotiation and management.

4.1.3 Role-based Monitoring
The role of the director was found to mediate the information seeker’s goal in a way that is flexible, negotiated, and determined in a case-by-case fashion. This allowed the director to best balance the need for information to conduct work with the need to preserve privacy. The role of the director made her a central judge for not only information access, but also a mediator for establishing and adjusting the explicit and implicit social norms of how the center manages sensitive private information. This is similar to the concepts addressed in the work of Harper et al. that addressed workplace concerns regarding the collection of location-based information [17].

In medical practices, participants made specific references to how it was their job to modify or limit the amount of sensitive information that was to be shared with the following people and secondary parties (7 out of 13 participants): patients and their
family members, insurance companies, pharmacies, other staff 4.2 Information Duplication
members, referring doctors, other doctors in the practice, and Information was duplicated in the working environments of
hospitals. When information needed to be shared, the directors childcares and medical practices. From a security perspective
made reference to having their patient’s sign medical waivers to having only one instance to protect is the simplest case. When
protect their practice. In probing this issue further, we found that information, however, becomes dispersed to better support
medical directors did not want to “usually get involved in that.” individual practice, security is traditionally conceived as
They liked the information on their forms for their purposes. becoming more difficult to manage due to numerous access
Passing information on was considered to be “their problem” – as points. Given the large amount of duplication of sensitive personal
one childcare director said. information, we investigated the purposes and methods of
Directing and managing sensitive information flow was only one managing multiple copies. We found that duplication of
part of the role of director. Directors also spent time auditing information was supported through different privacy and security
sensitive information management. One medical director mechanisms in two senses: (1) information was redundantly
mentioned that she even had a method of validating any duplicated so that if it went missing in one location is would still
information that was placed in the electronic filing system to be available to the workplace as a whole, and (2) information was
monitor and verify that it was correct. She validated because she replicated so that it would be on hand for impromptu activity.
wanted to make sure that the information was correct given that it
was associated with her login information: “most of the time I’m
4.2.1 Information Redundancy
Eleven out of thirteen of the medical centers used electronic
logged-in in the front because I’m the only one up there, but
record systems; only one childcare center used an electronic
occasionally someone else will come up and they’ll just do it, and
record system. All participants used computers in some fashion
I usually check to make sure just because it is on my login.” This
(i.e. submitting for insurance payments or word processing tasks)
statement emphasizes that not only does she see her job
All directors also keep paper copies of client files, even if all the
responsibility as managing the electronic patient files, but that she
information was replicated in an electronic form. (See [28] for
monitors access and updates made by others in the system. This is
more on the myth of the paperless workplace.) Not only were
due, in part, to the fact that current electronic system is incapable
there electronic and physical copies of sensitive personal
of distinguishing between the current user of the system outside
information, but there were also multiple copies of files for
the application of logging and passwords. Requiring separate log-
different purposes. Not all information was kept in one central
ins for different people undoubtedly conflicts with the fluid
file, but instead some information was in certain files for a
demands of practice.
specific purpose. For example, patient history could be kept in the
Childcare directors mentioned similar issues of monitoring, large manila file, but “recent-visit” information may be kept at the
accessing, and distributing information to the workplace. In front of a travel file. The three reasons participants gave for
reference to their responsibility to monitor access to the child’s keeping redundant information were (1) to use appropriate
file one director said, “When a teacher comes in and wants access to a file they have to come through me first and they have to tell me their reason basically, you know, why do you need to go in there?” This director is explaining how she monitors access to the files in a way that goes beyond simply checking access rights to information. She is additionally checking the teacher’s work-related purpose, which extends into managing information privacy. In our observations, we were able to watch a teacher attempt to access a child’s files. The following is an excerpt from one observer’s field notes:

A teacher… approaches the corner of Director’s desk: “Hey.” “If I want my kids’ middle names, are they gonna be in here or in the file?” <points to black box> … The teacher then says, in a much softer voice, “can I dig?” The informality of this word, the tone of her voice makes this seem like a common practice. The Director responds with a carefully-laid sentence and a slight sternness in her voice--her eyebrows raised, eyes widened, and a scolding manner in the slow, undulating movements of her head and voice as she speaks: “I’ll have to dig for you.” I can only see the side of the teacher’s face, but she looks shocked in that her face pauses, gaze held with the Director’s, and there’s a space created that seems to beg of a verbal response. The Director fills the silence with a soft, earnest “I’m sorry.”

This interaction excerpt highlights that the director enforces access policies in a way that establishes her as a point of authority. Other methods of monitoring that were observed included the use of one-way mirrors, an internal system of web-cameras that only the director and administrative staff could see, and one participant having a link on her computer to let her see the contents and use of the other computer in the center.

information based on contextual needs, (2) to serve a community purpose, and (3) to protect information from being lost. These three factors are critical to understanding the use and motivations for duplication, which then impacts the security practices of what might traditionally be valued as redundant information.

The first, and perhaps the most compelling, reason for keeping redundant information is that information can be repurposed for multiple needs and within different settings. The same demographic information is kept in the patient’s manila file, but it is also stored on their electronic record for billing, and possibly an electronic health record. In childcares, the parent’s contact information and child’s name are kept in the various electronic and physical files, but they are also going to be kept in the classroom to function for emergency purposes, on the bus to make sure that the appropriate children are on board, in the billing ledger, on old waitlists, in rolodexes for administrative assistants, and many more. Information in these settings is retooled and repurposed based on the need. One medical director explains:

“We have an electronic medical record here – so it’s all eventually entered in. The information is taken down by a nurse interviewer preoperatively on a pre-op visit.... And then eventually that all gets put into the electronic medical record... but of course we transfer a lot of that information onto the anesthesia record which is entered in real time into the electronic medical record”

In this simple example, the information is transferred from the patient to the nurse. The nurse transfers the information to a pre-op visit form, which is then translated into an electronic medical record. The information in the electronic record is repurposed for the anesthesia record, which is then entered back into the electronic medical record. In another example, a medical director
explains that she may communicate with patients through email. The emails, though, are then printed out and kept in the patient’s file. This allows her to take advantage of electronic communication, but still keep that information for understanding the patient’s medical history (“Usually she’ll write back something and then she’ll print it out and put it in the chart.”)

The second reason for keeping redundant information is that the centers serve a community purpose through the work. In particular, we observed that participants kept files for an extraneous period of time and in multiple forms because of the individual and community based value that is embodied in the information. In this sense, redundant means keeping information well past when the client is involved in the center, i.e., past seven years. When asking about how long the participants kept their files, all directors said that they’ve kept some files indefinitely. One participant said that he is the third generation of his medical practice and had inherited financial and patient files from the early 1930s. These files are kept because they serve as a representation of their job (“this is my life work, I don’t want to throw too much of it away”), but also because the centers never know when they will be required to provide that information again in the future. For example, one medical director explained how she had to find old records to identify bodies: “The problem is, and someone wouldn’t think about why it’s so important, but it’s like the Virginia Tech massacre we had 3 patients who we had to identify the bodies.” The fact that these records serve a purpose outside of the office means that the value that is attributed to their use and their security reflects a community need to have prolonged access.

The centers in our study kept redundant information to protect information from being lost. This is because medical centers and childcares do more than serve a community purpose to heal and care. They also function as a business. The information about patients and children is what allows them to operate, e.g., schedules, patient histories, emergency contact information, etc. Keeping that information safe and well managed can be translated into keeping a prosperous business. For example, all fourteen participants who used an electronic system kept a backup of their files in multiple locations. One medical director explains:

“…we actually have a series of backups. We have a local tape backup and we have an off site backup which actually backs up over the internet at my house at night... And then at my home we actually have two hard drives and my wife goes to the safety deposit box and swaps them out regularly. So if somebody’s mad enough to burn this office down and my home down, we’ll still have a record in a safe deposit box.”

In this setting, security has moved beyond the conception of keeping sensitive personal information secure for the purposes of patient care to also encompass the idea that security keeps the business safe. This practice is managed through keeping redundant copies in ‘safe’ locations to protect information from being lost. What is interesting, though, are the different mechanisms and people involved in security procedures for keeping the information safe. For instance, the participant in the quote above talks about his wife having access to clients’ information. Her relationship to the object in need of securing is through the practice of security, and not necessarily to privacy.

4.2.2 Information On Hand
Medical practices and childcares are places that are regularly reacting to circumstances that arise in the moment. The personnel in these places are responding to sick children, different patients’ needs, new customers, and other information intensive activities such as licensing. While these situations cannot be entirely planned for, medical centers and childcares attempt to be ready for any situation by having information on hand. For example, childcares have emergency contact sheets in their classroom that have allergy information visible for substitute teachers. Chefs additionally have a child’s allergy information visible in the kitchen. Teachers also keep communication logs in the classrooms of relevant activities for when teachers are switched out of rooms. Additionally, teachers will display logs of the day’s activities on the outside of the classrooms so that as parents enter they can become knowledgeable about their child’s daily activities.

There is a tension that exists between needing to keep information private and secure while also needing it to work. In our observations of childcares we were able to witness an inspection by a Department of Social Services licensor. The licensor explains this tension to the observer:

“… things have to be kept confidential and locked, per se, but the staff still need to be able to have access to it even if [the director is] not here and for emergency contact information. So, sometimes they will produce their own emergency contact form for their classroom… and that way [the manila folder] can remain locked but people still have access to the information needed”

The licensor is explaining how the central collection of the sensitive information is kept in a locked filing cabinet. However, relevant sensitive information that is stored in the manila folder needs to be in the environment to protect the privacy of the children. To balance this need, the childcare keeps a separate form in the classroom with the child’s information.

There are two other reasons why sensitive information may be kept on hand. The first reason is anticipating extreme circumstances. For example, one medical director keeps hard copies of files for the next day home with her “just in case anything were to happen.” Another childcare director keeps a copy of all of the children’s emergency health insurance information in a separate folder in case of a medical emergency. The second reason is that some files may become too large. One medical director said that after a patient’s file becomes too large, she starts a new file and rubber bands the old one to the new one in storage. When a file becomes this large, a doctor may need only part of the medical record for certain purposes. For example, one medical director explained that she creates a separate packet of information for surgeries (“I think she does just take certain information, because we have a packet that we make up with all the information.”) Understanding what information is going to be kept in what space or form, and who has access to those instances, is something that is determined by the function of the information and also the context surrounding the information use.

4.3 Community of Trust
To manage security while still functioning as a workplace, our study findings demonstrate that the childcares and medical centers establish communities of trust. The other themes presented in this work reflect a need to restrict access to information present in diverse locations and used in various contexts. If the focus of work is always on keeping sensitive personal information safe, then it will be hard to progress past assessing access policies. Prior research has demonstrated that trust is a factor that decreases expenditures (i.e., time on security concerns) by mitigating needs for countermeasures, but also by creating feelings of shared responsibility, thus decreasing selfishness and carelessness [16]. These benefits explain why the centers in our study create
communities of heightened trust to decrease expenditures of time and money to enforce security mechanisms.

We found different representations of communities of trust in our studies. One example of a community of trust in the medical setting is a literal mom-and-pop practice that worked together to create a sense that their patients were part of the family. Similarly, the childcares in our study focused on creating an away-from-home feel by displaying children’s artwork, teacher pictures with likes and dislikes (shown in Figure 1), window-box flower arrangements, and other homey features. The feelings from these spaces are that they are places of sharing and caring. This sense of community influenced the practice of security. For example, seeing that a teacher will post so much of her own personal information elicits a reciprocal feeling of “now I can share my information as well.” One childcare director explains her feelings on balancing trust and privacy:

“… teachers are bound by confidentiality, it’s in their agreement, it’s in our handbook, any violation of confidentiality is immediate grounds of termination. We try to use a lot of trust… more often than not there’s not anything that they can’t see. Um, there are cases of children that you know we’ve had suspicions of abuse or different information, but we kinda want at the same time for [the staff] to be privy.”

While there are explicit policies about who can access what information, there is also a need to trust co-workers, especially in situations of abuse or neglect, to be discreet and manage privacy issues socially. One medical director specifically mentioned that her co-workers were trained on HIPAA regulations, and this allows her to trust their actions.

One aspect of security that we asked about was the use of passwords. Computers, when used for accessing patient information, were generally in the director’s space, or in the doctor’s office. Of those medical centers that used electronic systems, only seven (29%) had individual passwords. This finding is similar to the work of Heckle & Lutters, who found that people who shared workstations shared passwords [19]. However, Heckle & Lutters approached the reasons why people shared passwords as a need to share workstations. In our study, when asked why, a director said, “They can access anything. That’s their job.” This statement emphasizes that to be able to do the work required for the job, levels of security have to become normalized to function. In our study, the lack of a password to protect files is to enable people to get work done as a community. Why would they need a password since it is their job? This finding is perhaps in direct conflict with the prior finding of the director auditing who had changed information in the system while logged on with her password. The balance between these two findings reflects a tension that exists between information access and information entry, or that provenance of information is critical but sharing information is communal.

In one observation of a childcare, we observed someone examining a notebook that an assistant director keeps at the front desk. This notebook keeps track of ongoing work, sometimes the need to update children’s sensitive information, but also the comings and goings of activities in the childcare:

The notebooks I saw open earlier that [the administrative assistant] was working on are still open. This teacher is looking at the notebooks and other files. She is not brushing through the data, she has her full concentration. She is an older woman, in her 50s, with an apron which makes me think that she might also work as a kitchen staff. She is reading the files without any kind of hesitation. It looks like she doesn’t care if someone sees her reading those files.

In this example the staff of the childcare are sharing communal responsibilities. One method to manage the responsibilities is through keeping track of work that needs to be done – such as through the use of notebooks. Even though these artifacts contain sensitive personal information (e.g., late payment), they are left open to the staff so that they can work as a coherent team.

Figure 2. An example of the type of information placed in the environment to elicit reciprocal feelings of sharing. Identifying information has been blurred.

Another example comes from the locking of physical filing cabinets. It is the official policy that filing cabinets containing files should be locked when the director is absent: “[files are] all kept in here in a cabinet that’s locked when I’m not here and the door is locked as well.” The use of a key was, however, never observed.

These examples are not work-around security practices. They are, instead, examples of how communities establish and negotiate what needs to be made secure. It is a demonstration of contextual integrity [25] playing its role in facilitating communities of people trusting one another in situ.

5. DISCUSSION & IMPLICATIONS
The three factors outlined above provide insight into the types of tensions existing between work practice and security. We have shown how security and work practices––socially-constructed and uncertain though they may be––are not in direct conflict with one another. Our findings have demonstrated that practice is what is enacted after security rules are put in place. The practice of security is the ongoing “boundary regulation” [26] that resolves the tension between the disclosure required for work and the restriction consistent with the obligation to preserve the privacy of personal information. It is through creating a community that values security that the rules and roles of work can be understood. In this section we outline four design considerations for the practice of security and privacy.

Recognizing situations where technology should not intervene. One of the central factors we presented in our work was that directors are mediating the security of information in their centers. This means that access is a negotiation between the explicit and implicit norms that regulate practice and the contextual needs of the situation. In particular, the issue of ownership of the sensitive personal information created confusion about who could access the information. This lack of common understanding about who owns the information created space for negotiation to occur. This gray area does not imply that a computer system should concretize ideas of ownership. Ideally, the lack of firm ideas of ownership reflects a shared notion that this is a complex area that can defy
explicit rules. Designers of technologies for the collaborative management of sensitive personal information should recognize that there are places in the design space where social mechanisms should be allowed to dictate practice. At a basic level this suggests that technological solutions such as temporary access or decaying access rights to information could be implemented to allow for flexible and negotiated privacy management.

Designing social mechanisms into layers of security. The other two sub-themes of human-mediated access management demonstrated how the physical spaces and the director’s roles were used to convey community-held social norms. As electronic systems are integrated into practice, respecting the current socially-mediated function that place and roles play in managing sensitive personal information will be a responsibility of the designer. For instance, how will the placement of the technologies in particular physical locations impact coordination of the client’s privacy? Should there be one computer that all staff can access that is within the same space as the director? These questions lend themselves to further considerations when designing social mechanisms into security policies. It is our suggestion that technology be designed to create the feeling of social presence similar to that currently utilized when a director physically regulates access to files; the technology must thus embody notions of human-mediated monitoring based on place and role.

As one example, it could be possible for staff to have handheld devices that only allow access to information in particular physical locations based on the role of the user. This would support information being available for the context of the situation. For instance, it is perfectly acceptable to be looking up medical information in the infirmary, but not in the playground. Another design implication is that technology could be designed so that when people are co-present only specified layers of sensitive personal information are unveiled to allow access. For instance, if the director was ever co-present in a particular location, such as the waiting room, with another staff member, layers of privacy policy on handheld devices could be removed to allow for social security mechanisms to take over. Alternatively, when people are in particular physical locations, like an emergency room, all layers of privacy policy are removed to support full access to sensitive information.

Taking the idea further to appeal to both place and social mediation of security, we might design a technology such that the physical exterior and spatial location of the technology indicate the type of information that can be accessed through it. For example, a wall-mounted touch screen might contain access to emergency information only, whereas an iPad-like tablet filed away on the outside of the director’s door might contain bus rider information and allow for mobility. When devices move sufficiently far away from the “place” that they belong, information access can be restricted. By coupling information access to a physical device in its place, a community member from across the room might see an individual using the device and know at an instant if they have legitimate access. When the physical device is removed from its “place,” it could serve as a visual signal of security breach while also supporting physical information distribution.

Understanding the purpose in information duplication. We found that information was duplicated in numerous locations and in different forms to create redundancy and to allow information to be on hand. The current use of technology-based solutions to information duplication does not embody the concept of duplication in this same way. Instead, technology encourages multiple visualizations of data that is collected in a single database. The technology-based model allows for a central repository of information so that nothing is lost and everything is aggregated. However, our study has demonstrated that information is kept in multiple locations to allow for secrecy, multiple purposes, and to prevent work breakdowns. To support the current work practices of the centers in our study, numerous versions of a database should be stored on different computers. Alternatively, different views of the information could be accessible from different locations for different purposes. A different solution is to allow for systems to know that information is being stored in a different database, but not have knowledge of what explicit information is stored there. This would support current practices while still maintaining the need for secrecy, mimicking, in a sense, the fact that staff know that highly sensitive information is stored at the back of a client’s file, but not exactly what information is stored there. This design implication, in a sense, is asserting that not all information should be ubiquitous.

Balancing transparency and reciprocity to reflect a community of trust. The last theme that was examined demonstrated that there was a community of trust to allow for workers to balance the need for security with getting work done. One design implication for this research is the increased use of reciprocity in knowing by whom and when a patient or child’s files are being accessed; if you can see my files, I should at least be able to see your pertinent information. If you use my log-in to modify information, I should be able to see what you changed. For example, if a nurse from a medical center accessed Susan’s files, Susan and the surrounding relevant stakeholders could be notified. Additionally, as technology use grows, electronic systems should not obfuscate the community standards that enable a community of trust to function. These should be flexible and adaptive to particular work settings. Overall, the major implication for our findings is that security should be flexible to represent the shifting context of access and management of information.

6. CONCLUSIONS
Through our preliminary studies of child and health care practices we have explored how issues of security and privacy are instantiated within information rich environments. We have shown that there is a balance between needing to get work done and needing to keep information secure. Three themes were explored to demonstrate how this balance is negotiated in practice to create functioning secure and privacy-respecting work places. First, the use of human-mediated monitoring demonstrated how one person and place within a work center acts not only as a hub of information access and retrieval, but also as the central location of case-by-case negotiated security. Second, the duplication of information across physical spaces and electronic forms demonstrated how information redundancy works as a form of security. Last, a community of trust is established in these work places to create an environment whose security standards respect contextual integrity. We believe that our approach, while preliminary, offers valuable insight to furthering research on how understanding practice affects the design of secure systems.

7. ACKNOWLEDGEMENTS
We would like to thank and acknowledge the hard work of Laura Agnich, Monika Akbar, Tom DeHart, Zalia Shams, and Edgardo Vega who helped run, collect, and analyze the large amount of
data. We would also like to thank the Virginia Tech Usable Security Team for their feedback and guidance on this work. Specifically, Denis Gracanin and Francis Quek were invaluable. This work was funded, in part, by NSF Grant #0851774.

8. REFERENCES
[1] Ackerman, M.S., Privacy in pervasive environments: next generation labeling protocols. Personal Ubiquitous Comput., 2004. 8(6): p. 430-439.
[2] Adams, A. and A. Blandford, Bridging the Gap Between Organizational and User Perspectives of Security in the Clinical Domain. International Journal of Human-Computer Studies, 2005. 63(1-2): p. 175-202.
[3] Adams, A., A. Blandford, D. Budd and N. Bailey, Organizational communication and awareness: a novel solution for health informatics. Health Informatics Journal, 2005. 11(3): p. 163-178.
[4] Adams, A. and M.A. Sasse, Users Are Not the Enemy, in Communications of the ACM. 1999. p. 40-46.
[5] Bardram, J.E. Plans as Situated Action: An Activity Theory Approach to Workflow Systems. In ECSCW '97. 1997. Copenhagen, Denmark: Kluwer Academic Publishers.
[6] Bardram, J.E. and C. Bossen, Mobility Work: The Spatial Dimension of Collaboration at a Hospital. Computer Supported Cooperative Work (CSCW), 2005. 14(2): p. 131-160.
[7] Bardram, J.E., J. Bunde-Pedersen, A. Doryab and S. Sørensen. CLINICAL SURFACES --- Activity-Based Computing for Distributed Multi-Display Environments in Hospitals. In Proceedings of the 12th IFIP TC 13 International Conference on Human-Computer Interaction: Part II. 2009. Uppsala, Sweden: Springer-Verlag.
[8] Bellotti, V. and A. Sellen. Design for Privacy in Ubiquitous Computing Environments. In Proceedings of the Third Conference on European Conference on Computer-Supported Cooperative Work. 1993: Kluwer Academic Publishers.
[9] Bossen, C. The parameters of common information spaces: the heterogeneity of cooperative work at a hospital ward. In Proceedings of the 2002 ACM conference on Computer supported cooperative work. 2002. New Orleans, Louisiana, USA: ACM.
[10] Bylund, M., K. Höök and A. Pommeranz. Pieces of Identity. In Proceedings of the 5th Nordic Conference on Human-Computer Interaction: Building Bridges. 2008. Lund, Sweden: ACM.
[11] Cranor, L.F., M. Arjula and P. Guduru, Use of a P3P user agent by early adopters, in Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society. 2002, ACM: Washington, DC.
[12] Dourish, P., What we talk about when we talk about context. Personal Ubiquitous Comput., 2004. 8(1): p. 19-30.
[13] Dourish, P. and K. Anderson, Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena. Human-Computer Interaction, 2006. 21(3): p. 319-342.
[14] Dourish, P., E. Grinter, J.D.d.l. Flor and M. Joseph, Security in the Wild: User Strategies for Managing Security as an Everyday, Practical Problem. Personal Ubiquitous Computing, 2004. 8(6): p. 391-401.
[15] Eisner, E.W., The Enlightened Eye: Qualitative Inquiry and the Enhancement of Educational Practice. 1997: Prentice Hall.
[16] Flechais, I., J. Riegelsberger and M.A. Sasse. Divide and Conquer: The Role of Trust and Assurance in the Design of Secure Socio-Technical Systems. In Proceedings of the 2005 Workshop on New Security Paradigms. 2005. Lake Arrowhead, California: ACM.
[17] Harper, R.H.R., M.G. Lamming and W.M. Newman, Locating systems at work: implications for the development of active badge applications. Interacting with Computers, 1992. 4(3): p. 343-363.
[18] Harrison, S. and P. Dourish, Re-place-ing space: the roles of place and space in collaborative systems, in Proceedings of the 1996 ACM conference on Computer supported cooperative work. 1996, ACM: Boston, Massachusetts, United States.
[19] Heckle, R.R. and W.G. Lutters, Privacy implications for single sign-on authentication in a hospital environment, in Proceedings of the 3rd symposium on Usable privacy and security. 2007, ACM: Pittsburgh, Pennsylvania. p. 173-174.
[20] Jha, A.K., T.G. Ferris, K. Donelan, C. DesRoches, A. Shields, S. Rosenbaum, et al., How common are electronic health records in the United States? A summary of the evidence. Health Affairs, 2006. 25(6): p. w496-w496.
[21] Kientz, J.A. and G.D. Abowd. KidCam: Toward an Effective Technology for the Capture of Children's Moments of Interest. In Proceedings of the 7th International Conference on Pervasive Computing. 2009. Nara, Japan: Springer-Verlag.
[22] Kientz, J.A., R.I. Arriaga and G.D. Abowd. Baby steps: evaluation of a system to support record-keeping for parents of young children. In Proceedings of the 27th international conference on Human factors in computing systems. 2009. Boston, MA, USA: ACM.
[23] Kientz, J.A., R.I. Arriaga, M. Chetty, G.R. Hayes, J. Richardson, S.N. Patel, et al. Grow and know: understanding record-keeping needs for tracking the development of young children. In Proceedings of the SIGCHI conference on Human factors in computing systems. 2007. San Jose, California, USA: ACM.
[24] Kobayashi, M., S.R. Fussell, Y. Xiao and F.J. Seagull. Work coordination, workflow, and workarounds in a medical context. In Conference on Human Factors in Computing Systems (CHI'07). 2005. Portland, OR, USA: ACM Press, New York, New York.
[25] Nissenbaum, H., Privacy as Contextual Integrity. Washington Law Review, 2004. 79(1).
[26] Palen, L. and P. Dourish. Unpacking "privacy" for a networked world. In Proceedings of the SIGCHI conference on Human factors in computing systems. 2003. Ft. Lauderdale, Florida, USA: ACM.
[27] Reddy, M. and P. Dourish. A Finger on the Pulse: Temporal Rhythms and Information Seeking in Medical Work. In Proceedings of the 2002 ACM Conference on Computer Supported Cooperative Work. 2002. New Orleans, Louisiana, USA: ACM.
[28] Sellen, A.J. and R.H.R. Harper, The Myth of the Paperless Office. 2001: The MIT Press.
[29] Vega, L., Security in Practice: Examining the Collaborative Management of Personal Sensitive Information in Childcares and Medical Centers, in Computer Science. 2010, Virginia Tech: Blacksburg. p. 104.
[30] Whitten, A. and J.D. Tygar. Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium. 1999.
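The design considerations in Section 5 (access mediated by place and role, privacy layers lifted when the director is co-present or the device is in an emergency room, temporary grants that decay, devices restricted once carried away from their "place", and reciprocal notification of whose files were touched and under whose login) can be expressed as one small policy engine. The following is an added example written for this page; it is not code from the paper, from the centers studied, or from any system the authors built. The layers, places, roles, stakeholder map, clock values and every name in it are constructed assumptions.

```python
"""Context-aware access mediation sketch (added example, not the paper's code).

Models the Section 5 design considerations: place- and role-based layers,
privacy layers lifted by director co-presence, decaying temporary grants,
restriction of devices carried away from their place, and reciprocal
notification. All places, roles, records, names and clock values are
constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Layer(Enum):
    """Layers of sensitive personal information (constructed)."""
    EMERGENCY = "emergency"   # allergies, emergency contacts
    ROUTINE = "routine"       # daily logs, schedules, bus lists
    SENSITIVE = "sensitive"   # abuse suspicions, billing problems, full history


ALL_LAYERS: Set[Layer] = set(Layer)

# Assumed policy tables: what a place exposes, and what a role may see there.
PLACE_LAYERS: Dict[str, Set[Layer]] = {
    "director_office": ALL_LAYERS,
    "waiting_room": ALL_LAYERS,
    "emergency_room": ALL_LAYERS,   # every privacy layer removed: full access
    "infirmary": {Layer.EMERGENCY, Layer.ROUTINE},
    "classroom": {Layer.EMERGENCY, Layer.ROUTINE},
    "playground": set(),            # no file access here at all
}
ROLE_LAYERS: Dict[str, Set[Layer]] = {
    "director": ALL_LAYERS,
    "nurse": {Layer.EMERGENCY, Layer.ROUTINE},
    "teacher": {Layer.EMERGENCY, Layer.ROUTINE},
    "kitchen": {Layer.EMERGENCY},
}
# Who is told when a record is touched (constructed stakeholder map).
STAKEHOLDERS: Dict[str, List[str]] = {"child:susan": ["parent:susan"]}


@dataclass
class Device:
    device_id: str
    home_place: str      # the "place" the device belongs to
    current_place: str   # where it is being used right now


@dataclass
class Grant:
    """Director-mediated, decaying grant: extra layers on one record until expiry."""
    user: str
    record: str
    layers: Set[Layer]
    expires_at: int      # constructed clock, in seconds


@dataclass
class Decision:
    layers: Set[Layer]   # what this request may see
    out_of_place: bool   # device away from its home place: a visible warning sign
    notify: List[str]    # reciprocal notifications raised by this access


@dataclass
class AccessMediator:
    grants: List[Grant] = field(default_factory=list)
    audit: List[Tuple[int, str, str, str, str, frozenset]] = field(default_factory=list)
    present: Dict[str, Set[str]] = field(default_factory=dict)  # place -> roles present

    def set_present(self, place: str, roles: Set[str]) -> None:
        self.present[place] = set(roles)

    def grant(self, user: str, record: str, layers: Set[Layer], now: int, ttl: int) -> None:
        self.grants.append(Grant(user, record, set(layers), now + ttl))

    def _grant_layers(self, user: str, record: str, now: int) -> Set[Layer]:
        # Expired grants decay away on every request; only live ones contribute.
        self.grants = [g for g in self.grants if g.expires_at > now]
        out: Set[Layer] = set()
        for g in self.grants:
            if g.user == user and g.record == record:
                out |= g.layers
        return out

    def request(self, user: str, role: str, account: str, device: Device,
                record: str, now: int) -> Decision:
        place = device.current_place
        place_layers = PLACE_LAYERS.get(place, set())
        layers = place_layers & ROLE_LAYERS.get(role, set())
        # Director co-present: role restriction lifted, social mediation takes over.
        if "director" in self.present.get(place, set()):
            layers = set(place_layers)
        layers |= self._grant_layers(user, record, now)
        # Device carried away from its place: nothing beyond emergency information.
        out_of_place = device.current_place != device.home_place
        if out_of_place:
            layers &= {Layer.EMERGENCY}
        # Reciprocity: the record's stakeholders, the director, and the owner of a
        # borrowed login all get to see who looked at what.
        notify = list(STAKEHOLDERS.get(record, []))
        if role != "director":
            notify.append("director")
        if account != user:
            notify.append(account)
        self.audit.append((now, user, account, record, place, frozenset(layers)))
        return Decision(layers, out_of_place, notify)
```

Grants are pruned on every request rather than by a background timer, so a director's "I'll dig for you" concession expires without any further action. The out-of-place restriction is applied last, so a tablet carried off the classroom shelf never shows more than emergency information even if a grant or co-presence would otherwise widen access. The audit tuple records the login used separately from the acting user, which is what lets the login's owner be notified when someone else works under it.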
