Track: Privacy, security, confidentiality and protection of healthcare information
Marc-André Léger, DESS, MScA (MIS),
Université de Sherbrooke, Sherbrooke, Québec, Canada, firstname.lastname@example.org
Through a case scenario approach, this article seeks to demonstrate the inadequacies of current Risk Assessment Methodologies used today. In particular, Risk Assessment Methodologies used in a Healthcare setting fail to adequatly weigh the value of ethical and public health. Therefore different approaches, relying on different paradigms, could be used. Two possible candidates are proposed, Prospect Theory and Nash’s Equilibrium.
Health, information, Security, Risk, Management
Healthcare professionals and organisations need information. Evidence based medicine; healthcare system administration and medical research all rely on data produced throughout the system. Information systems are increasingly present in all aspects of clinical practice, in administrative functions and in many other areas. The emerging importance of the Electronic Health Record (EHR) as well as the increase in the use of information technology (IT) in healthcare activities is progressively providing access to large quantities of data concerning patients, health care delivery and research   . Because of this reliance on information and because information needs various technologies to carry it, information security has become an issue. Healthcare organizations, to perform optimally, with regularity, over time, need to identify the predictable , they need to manage risks associated to its need for information. This is what we call Healthcare Informational Risk Management or HIRM.
There are many additional factors that justify the need for HIRM. The limited availability of financial and human resources, motivates organizations to be very careful about how it allocates them. Because Information Technology can be expensive to acquire and maintain and require specialized resources, HIRM can be used as part of the solution to keep their costs under control. For some organisations, laws and regulations impose specific requirements as to the preservation of privacy and confidentiality. The nature of Healthcare imposes requirements for availability, for example that availability of a patient’s bedside chart during rounds. Integrity of information can also be a sensitive issue, for example between the blood types A and B there is a single bit difference but if that bit is changed inadvertently, it can have severe consequence for a patient receiving the wrong blood. All of these reasons and others require Healthcare organisations to implement a Risk Management program. For others, contractual requirements are a catalyst. Managing risks is paramount to accurate financial reporting and optimal decision-making . For these and other motivation, there has been significant interest in the Québec Healthcare system to find a HIRM solution, expressed through Request for Proposals (RFP) published in the last year. As well, many regional jurisdictions in Canada, the Federal Government and Canada Health Infoway have shown interest in HIRM. In this article, we look at HIRM through an example in our specific local context, we therefore present an overview of the Québec Healthcare system.
This discussion paper presents a research hypothesis that has emerged from on-going research being performed as a requirement for the obtention of a Doctorate degree in Clinical Sciences at the Faculty of Medecine of the University of Sherbrooke. The article uses a case scenario approach to illustrate a research problem that has evolved into a hypothesis.
3. Case scenario
3.1 Brief overview of the Québec Healthcare system
Since 1971, the Québec Health and Social Services Agency, known as the MSSS (Ministered de la Santé et de Services Socaux), has been the sole provider of Healthcare in the Province of Québec, where approximately 25% of the population of Canada reside. In 2005 it employed 269 600 individuals in 1786 worksites, representing 6.7% of the active population of Québec . At the local level, 95 Health and Social Services Centers (CSSS) and associated Local Services Network (RLS) offer health and social services to a given population. In December 2004, the Act respecting local health and social services network development agencies (Bill 25) created CSSS by merging local community health centres (CLSCs), residential and long-term care centres (CHSLDs) and general and specialized hospital centres (CHSGSs). The objectives of health and social services centres are the following:
- To promote health and well-being
- To bring together the services offered to the public
- To offer more accessible, better coordinated and seamless services
- To make it easier for people to move through the health and social services network
- To ensure better patient management, particularly of the most vulnerable users
All CSSS and RLS are connected to a province wide Healthcare network, known as the RTSS . This private network implements a top down infrastructure with a national datacenter (TCN) linking several regional datacenters (TCR). Local CSSS and Healthcare establishments have Local Area Networks that are connected to the TCR of their region. Typical Information management services, like email or word processing, are provided at the establishment level. In some cases, databases are supported by database management systems shared (s-DBMS) among multiple establishments within a TCR. Internet access is provided through firewalls located at the TCN level.
3.2. Our scenario
To illustrate the problem we find in HIRM, we present a simple scenario. A resident of the Province of Québec, in the city of Montréal, accesses the RLS through a nearby community health center (CLSC) for the flu. He is very worried because he watches the news and fears that he may have Bird flu (H5N1). Arriving at the reception, his identity is verified as he presents his Québec Medicare card. At this point the resident is considered a patient (P) and goes to an isolated waiting room while his Health Record (HR) is retrieved and until the appropriate Healthcare Professional (HP) becomes available. In the CLSC, the patient’s HR is in part on a paper support (covering pre-1998 visits by the patient) and electronic format (eHR). Due to the RTSS, part of the eHR is retrieved from a local database and another portion from the s-DBMS located in the Montreal TCR. Once P has met with the HP, in this case a General Practitioner MD, blood tests are ordered, the eHR is amended to include the new information and P leaves with a recommendation for rest and hydration. The HR suspects P has a common cold and may suffer from an anixiety related disorder. Once the laboratory results are returned, a few hours later, the patient is informed via phone by the CLSC that he has a simple cold. We will expand on this scenario through the remainder of this article to illustrate our hypothesis.
4. What is Risk?
The word risk finds it’s origins in the middle-age Italian word risco, meaning sharp rock. In the 17th century, as the early insurance companies where involved in maritime shipping, risk evolved from the sharp rocks that where a source of danger for ships . Since the introduction of probabilities by Pascal and the early work of Rousseau on uncertainty , the idea has developed that risk is something that can be studied, it is not magical nor an Act of God. The Uncertainty of the future, a condition of affairs is designated by Knight  in the 1920’s with the term « risk ». Later authors  suggest that the terms risk and uncertainty have become interchangeable, and one can often be found in the description of the other. For Browning , risk stems from uncertainty surrounding potential future states and the consequences of those states should they occur. The US Army  defines risk as the accepted result of an informed decision and terms gamble an uninformed bet or guess on a hopeful outcome. In epidemiology , it is most often used to express the probability that a particular outcome will occur following a particular exposure. In a healthcare setting risk is composed of the following three component parts :
- Threat: The occurrence of which will represent a trigger event which may lead to an adverse (set of) consequence(s).
- Vulnerability: A weakness in the system and – or the overall environment, which could be exploited by a threat occurrence.
- Impact: the (set of) consequence(s) to a healthcare unit which could arise if a threat occurrence exploited vulnerability and adversely affected one or more assets comprising the system.
4.1 Formal Risk Assessment Methodologies
In an organisational setting, risk is managed in a mixture of formal and informal processes. Formal risk management processes are what we refer to as Risk Management. ISO Guide 73(2002) defines Risk Management as the coordinated activities used by an organisation to direct and control risk. It generally includes risk assessment, risk treatment, risk acceptance and risk communication activities  to balance the operational and economic costs of risk mitigation measures to maximize organisational benefits by protecting assets that support their mission .
Formal Risk Assessment Methodologies (FRAMs), such as CRAMM , determine risk as the “product” of the likelihood of a security incident affecting a particular asset and the impact cost. Similar approaches are used by methodologies such as MÉHARI or OCTAVE, used in Québec. IVRI™, developped by the author, also follows this approach. All of these methodologies are in a similar qualitative paradigm. In all of them the likelihood (probabilities) of a threat and the severity of the impacts must be determined by individuals in the organisations using Likert-like scales. This makes them subject to how individuals perceive risk and its components. According to Savage , the very assignment of numerical probabilities, even if subjective, implies that it represents choice under risk. These probabilities are expressions of what is ultimately belief and seem more like uncertainty. Matters where, according to John Maynard Keynes , there is no scientific basis on which to form any calculable probability whatever. In the field, we have observed that the subjective nature of uncertainty may introduce internal validity problems with FRAMs. We have observed noticable differences with individual determination of likelyhood or impact in vivo. We believe that this subjectivity is a potential source of error in risk assessment since there is little evidence of internal validity controls, similar to what is used in research methodologies (e.g. triangulation), in FARMs.
4.2. Validity issues in FRAMs
In a non-exaustive empirical analisys of risk assessment methodologies used in Québec organisations, we found little evidence of internal validy controls or that internal validity controls had been validated by the creators of these methodologies. Using validity criterias used in Clinical Research presented in Whittemore , illustrated on the table below, we believe that there is evidence that some criterias are not addressed.
Table 1: Primary and Secondary Criteria of Validity in Qualitative research 
|Credibility||Do the results of the research reflect the experience of participants or the context in a believable way?|
|Authenticity||Does a representation of the emic perspective exhibit awareness to the subtle differences in the voices of all participants?|
|Criticality||Does the research process demonstrate evidence of critical appraisal?|
|Integrity||Does the research reflect recursive and repetitive checks of validity as well as a humble presentation of findings?|
|Explicitness||Have methodological decisions, interpretations, and investigator biases been addressed?|
|Vividness||Have thick and faithful descriptions been portrayed with artfulness and clarity?|
|Creativity||Have imaginative ways of organizing, presenting, and analyzing data been incorporated?|
|Thoroughness||Do the findings convincingly address the questions posed through completeness and saturation?|
|Congruence||Are the process and the findings congruent?
Do all the themes fit together?
Do findings fit into a context outside the study situation?
|Sensitivity||Has the investigation been implemented in ways that are sensitive to the nature of human, cultural, and social contexts?|
In particular we believe that criterias of Authenticity, Integrity, Vividness, Thoroughness, Congruence and Sensitivity appear problematic in relation to FRAMs we have examined. These should warrant empirical investigation to verify. We therefore believe that it is therefore necessary to look at decions about risk are made to try to understand how this source of error can be better understood.
4.3. Decisions about risk
Models of individual preferences about risk have their historical roots in the school of social philosophy known as Utilitarianism , proposed in the late 18th century. In Utilitarianism, the goal of all actions is to maximize general utility, with utility defined as any quantitative index of happiness satisfying certain basic properties. Utilitarian theory, neoclassical economic theory and game theory are the basic principals of rational choice theory or RCT . The fundamental core of RCT is that social interaction is basically an economic transaction that is guided in its course by the actor’s rational choices among alternative outcomes. Decisions are taken only after its benefits and costs have been weighed, considering prices, probabilities and indivual preferences. The unit of analysis is the individual decision made by an individual decision maker. RCT defines rational actions of rational individuals as occurring under several constraints:
- Scarcity of resources
- Opportunity costs
- Institutional norms
In an organisational setting, with the classic top-down management structure, the sum of these individual decisions, with different weights in respect to the position of the decision taker, are what make it function. These individuals in a social, while using RCT to maximise utility, are affected by the above mentionned constraints and by other influence of a psychological and cultural nature as well as by external pressures. Risk Assessment Methodologies mentionned previously all implement processes to account for the consideration of the abovementionned constraints of RCT in risk assessment. In short, Rational Choice Theory is the theoritical model behind these methodologies. While we believe this is more due to historial and cultural reasons rather than on epistemological positionning, it appears to be supported by empirical evidence.
5. Application of RCT to our risk scenario
In this section of our article, we present an example of HIRM using Rational Choice Theory. This expands on the scenario presented earlier. In the scenaro we presented before there are several stakeholders. The most obvious ones are the Patient (P) and CLSC Staff. As well, TCR staff that manage the s-DBMS and MSSS staff that manage the Quebec Healthcare system are also stakeholders in our scenario. The informational assests that are involved are:
- Québec Medicare card;
- Health Record (HR) and electronic support (eHR);
- The RTSS network;
- A local database;
- A s-DBMS located in the Montreal TCR;
- The laboratory results;
To illustrate the expected utility for each of the stakeholder category in relation to the relative value of the information assets, se we have build the table presented below. For this purpose we have made an informed guess at the relative value using data from a previous study  in a scenario where the informaiton asset was divulged or destroyed (high impact). We present only the most relevant results in table 1 for convinience.
Table 2: Relative value of information assets by stakeholder category.
|Medicare card||HR||RTSS||Local Database||s-DBMS|
|Staff||Low||Replacement cost||Low||Replacement cost and data recovery||Low|
|TCR staff||Low||Replacement cost||High||Low||High|
|MSSS staff||Replacement cost and misuse cost||Replacement cost and potential privacy law suits||Replacement cost||Low||Replacement cost|
Let’s limit our scope to the eHR information asset. What is, in our scenario, the risk associated with the eHR. Risk, as we cited from Smith , consist of Threat, Vulnerability and Impact. If we consider the threat as the divulgation or destruction of the eHR and the Vulnerability as being use of the RTSS network to gain internet access to the eHR we can propose the following table.
Table 3: Impact of the divulgation of the eHR and Risk by stakeholder category
|Stakeholder||Impact of the divulgation of the eHR||Risk|
|Patient||Loss of privacy, a basic human right protected in Québec, potential for anxiety and financial loss. Loss of confidence in the Healthcare system.||Potentially High|
|Staff||May need to retype data retrieved from paper form (time) or restore backups (time) if available, possible sanctions by employer (generally minor unless criminal intent)||Low|
|TCR staff||May need to restore backups if available (time), sanctions by employer if there is direct responsibility (generally minor unless criminal intent).||Low|
|MSSS staff||1000$ per incident in case of law suits for loss of privacy. Loss of reputation if the situation is made public, possible sanctions from a letter of reprimand to loss of employement or demotion (generally minor unless criminal intent) if a responsibility can be established.||Low|
In such a scenario, where the Threat to materialise, the risk would be a function of the impact. Comparing the impact of the realisation with the non-divulgation state we are in before we added the Threat, we would estimate the risk from each stakeholder’s point of view as has indicated in the last column of the previous table. If, as we cited previuosly, the objective of Risk Management is to balance the operational and economic costs of risk mitigation measures to maximize benefits by protecting the eHR, then from the point of view of each stakeholder the justification is for low risk mitigation expenditures, with the exception of the Patient. In the case MSSS, because the aggregate the combined risk of the 7 million residents of Québec, the combined risk cand be perceived as more significant. Using RCT to maximise utility, we would expect the MSSS and the patient to give more value to protecting the eHR, while it would have less value for other stakeholders. In the field and in previous empirical research , we have noticed that TCR staff, when given a choice, allocated more ressources to operating performance than to Risk Management activities. At the MSSS level, the suggested high aggegated risk may supported by reality, as significant effort is devoted to ensure that the link between the TCN and the InterNet is secure.The Patients, while concerned, have little say in HIRM..
5.1. Application of a Formal Risk Assement Methodology to our risk scenario
We performed a Formal Risk Assessment, in our scenario making basic assumptions based on our knowledge of the Québec Healthcare system from a previus study . This was done using IVRI™. This methodology was choosen necause it was created by the author of this article and because it is available at no cost on the Internet (www.leger.ca) so this risk assessment scenario may be duplicated. It was published in french  in 2003 and uses a Spreadsheet to assist the Risk Assessment, which produces the graphic presented below. The IVRI Risk Index (IRi) was 1570 with a baseline (IB) at 727.
Figure 1 Estimated Risk by Threat category with IVRI™
By comparing the results obtained using the FRAM with the resultus of the application of RCT to our scenario, we believe that there is the appearance of congruance. A possible explanation for this is that FRAMs, such as IVRI, implements a form of RCT. This needs to be confirmed through empirical investigation. Our hypothesis is that FRAMs available today in Québec implement a form of Rational Choice Theory.
5.2. Where is the problem?
The problem that we see, having done research in the field of Healthcare Informatics, has to do with Ethics. In Healthcare, a long Ethical tradition, first expressed through the Hypocratical oath and reenforced by experice of the Nuremburg Code, has evolved to be suppported by law, Charters of rights and Codes of Deontology. The rights to privacy and confidentiality are intimately connected with the right to respect for one’s dignity, integrity and autonomy are constitutionally enshrined in the Canadian Charter of Rights and Freedoms and Quebec’s Charter of Human Rights and Freedoms . They are the principal drivers of the requirement for adequate treatment of risk in healthcare organisations . In assessing risk in an HIRM setting it is necessary to value Ethical considerations as well as the expected utility provided by RCT. In our previous scenario, Ethical considerations, such as loss of privacy if a single patient’s information is divulged, has a relatively low Risk for the MSSS, but has a high potential of Risk for the patient, as we illustrated in Table 3.
In a review of litterature, we have identified that there are several components to risk in a Healthceare setting :
- A requirement for formal Policies, Documentation and training;
- The presence of appropriate Safeguards;
- Limiting Collection;
- Processes to enable Challenging Compliance;
- De-identification of data;
- Secure transmission of data;
- Management controls;
- A requirement for Openness;
- Informed consent;
- Identifying Purposes of data collection;
- Access to information by patients
- right to withhold,
- amend; and
- Limiting Use, Disclosure, and Retention;
- Full disclosure (No secret databases shall exist);
- Non-commercial use (No medical record shall be sold, utilized for marketing purposes without the prior informed consent of the individual).
In the context of the scenario we have presented, most of these components could be applicable. Either because of the leal obligations that affect the eHR, described in  or the ethical requirements of the Declaration of Helsinki , in an ideal scenario of Risk Assessment, all of these could have an influence of the potential for Risk. Of all of the components of Risk, many may not be easily assigned a value. How much value can be given to the quality of the informed consent? Perhaps a value can be put on Pivacy by refering to Jurisprudence, but it is likely to be always too low for the indivual victime and always too high for the responsible party. If we look at informed consent, we find that it may be difficult to determine, in HIRM activities, the quality of that consent. In many of these ethical issues our intuition suggests that there is no linearity between Threat and Impact but rather the Risk likely increases by increments, like a stairway with uneven steps. Because it is difficult to assign a value to these components of risk, any FRAM that use financial or replacement costs in the calculation of the Impact as a principal component of risk will necessarely undervalue all of the intangible components, components with little monetary value or difficult to perceive as an expected utility expressed in menetary terms. We believe there is a link between this problem and the validity issues mentionned earlier. We therefore make the hypothesis that FRAMs are, at best, of an undetermined acuracy.
6. Why not look at different approaches?
Throught a litterature review we have performed for an ongoing research project, we have identified areas of litterature that where not covered in the tradition fields of Healthcare or Information technology. This has led us to look at different theories that can be used to understand Risk Management. Looking to the field of econometric and epidemiology, we have seen evidence that there are risk assessment models that have been developped in other fields which could be applied to HIRM. We have not found any evidence that this possibility has been evaluted in the IT security litterature or in the Healthcare litterature. In our revue of litterature on risk, we have found that there are different theories that have been developped. We have also seen evidence that Game Theory is used in the field of insurance for risk calculation. So we are proposing the hypothesis that perhaps a different approach could be used to estimate HIRM. Looking in litterature, we suggest two possible condidates to replace RCT as the basis for risk assessment in FRAMs.
6.1. Possible candidate 1: Prospect Theory
According to Edwards , Prospect theory was formulated first by Kahneman and Tversky in 1979 as an alternative method of explaining choices made by individuals under conditions of risk, as a substitute for expected utility theory. Kahneman and Tversky realized the fact that the expected utility theory model did not fully describe the manner in which individuals make decisions in risky situations and that therefore, there were instances in which a decisionmaker’s choice could not be predicted. For example, they point out that Expected Utility does not explain the manner in which framing can change the decision of the individual, nor does it explain why individuals exhibit risk-seeking behavior in some instances and risk-averse behavior in others. Kahneman and Tversky  demonstrate that subjects’ choices of lotteries exhibit a wide range of anomalies that violate expected utility theory. Most importantly, they show that predictable and dramatic shifts in preference can be generated by changing the ways in which options are framed. Unlike traditional economic theories, which deduce implications from normative preferences, prospect theory takes an inductive and descriptive approach. Prospect theory can be viewed  as a parsimonious summary of most of the important risky choice anomalies. A HIRM approach based on Prospect Theory in wich Risk takes into account framing could be used, at least it could be possible. Futher study is required to explore this, but it shows a possibility to view risk in a different light than it is possible to do with Expected Utility. So we contend that there is at least one theory than can be used to identify risk and model decisions about risk.
6.2. Possible candidate 2: Nash’s Equilibrium
John Forbes Nash, made famous by Russel Crowe in the movie A beautifull mind, suggested that Expeted Utility may not be the best way to describe how individuals make risky decisions. ‘Adam Smith needs revision’, as is quoted in the movie. Nash  formally defined an equilibrium of a noncooperative game to be a profile of strategies, one for each player in the game, such that each player’s strategy maximizes his expected utility payoff against the given strategies of the other players. If the behavior of all the players in such a game can be predicted, then the prediction must be a Nash equilibrium, or else it would violate this assumption of intelligent rational individual behavior. Should the predicted behavior not satisfy the conditions for Nash equilibrium, then there must be at least one individual whose expected welfare could be improved by educating him to more effectively pursue his own best interests, without any other change . It would appear that a Nash’s Equilibrium could better account for non monetary impacts of risk in Healtcare Information Systems, such as divulgation of private information, loss of live or other Ethical violations because it approaches the problem as one of strategy rather than as one of uncertainty. Rather than viewing risk as a function of threats, probability of realisation and impact, it could view risk as a variance from a dominant strategy in a non-cooperative game between an organisation (with information to protect), an environnement (wich may can dammage to the information systems) and a third player (competitors, hackers or malitious employees). Approaches based on Nash’s Equilibrium have been used in Econometrics to create mathematical models of economies, in other fields to develop models to assess insurance risk and in other fields. We believe that empirical research should be done to explore this possibility in HIRM. Such an approach could integrate the various monetary, non-monetary and ethical concerns of Healthcare organisations.
We are suggesting that different approaches to the HIRM problem should be considered. We believe that using a case scenario approach as we did in this article, we are able to demonstrate the likelyhood that the current approach is limited. It is our pretention that Nash’s Equilibrium could better account for non monetary impacts of risk in Healtcare Information Systems, such as divulgation of private information, loss of live or other Ethical violations. While we believe that empirical research should be done to explore this possibility, it is currently impossible to persue this hypothesis due, principally, to lack of funding. This paper intends to demonstrate, by a review of litterature, examples from different fields and discussion, that this idea has merit. Should this be proved, it could eventually significantly affect how IT Risk Management is done. Unfortunatly at this time there is no reserch funding available to persue this idea or ideas of this type in Healtcare Informatics Research or in the Information Technology feld. Because there are no economic incentives to do the kind of fundamental research needed to develop such an idea, private entreprise can’t persue this. We believe that this situation should be corrected.
 Anderson JG. Security of the distributed electronic patient record: a case-based approach to identifying policy issues, International Journal of Medical Informatics, 2002, pages 111–118
 Safran, C., Goldberg, H., Electronic patient records and the impact of the Internet, International Journal of Medical Informatics, 2000, pages 77–83
 Sujansky, W., Heterogeneous Database Integration in Biomedicine, Journal of Biomedical Informatics, 2001, pages 285–298
 Watkins, M.D., Bazerman, M.H., Predictable Surprises: The Disasters You Should Have Seen Coming, Harvard Business review Online, 2003
 Stoneburner, G., Goguen, A., Feringa, A., NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, July 2002
 Ministère de la Santé et de la Sécurité Sociale du Québec: www.msss.gouv.qc.ca
 Hancock, Bill, COMMON SENSE GUIDE FOR SENIOR MANAGERS, Top Ten Recommended Information Security Practices, 1st Edition, July 2002
 Léger, Marc-André, Méthodologie IVRI de gestion du risque en matière de sécurité de l’information, Éditions Fortier Communications, Montréal, Septembre 2003
 Schumacher, H. J., Ghosh, S., A fundamental framework for network security, Journal of Network and Computer Applications, 1997, pages 305–322
 Myerson, Judith, Risk Management, INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT, 1999, pages 305-308
 Beucher, S., Reghezza, M., (2004) Les risques (CAPES Agrégation), Bréal
 Knight, Frank H. (1921) Risk, Uncertainty, and Profit, Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Company, 1921. [Online] available fromhttp://www.econlib.org/library/Knight/knRUP1.html ; accessed 11 December 2005
 Beck, Ulrich (1986) Risk Society: Towards a New Modernity, Sage Publications
 US Army (1998) US Army tarining manual FM100-14
 Browning, T. R. (1999) Sources of Schedule Risk in Complex System Development, Lean Aerospace Initiative at Massachusetts Institute of Technology, John Wiley & Sons
 Last JM, (2001) A dictionary of epidemiology. 4th edition. New York: Oxford University Press
 Smith, E., Eloff, J.H.P. (1999) Security in health-care information systems—current trends, International Journal of Medical Informatics, vol. 54, pp.39–54
 Jøsang, A., Bradley_, D., Knapsko, S. J. (2004) Belief-Based Risk Analysis, Australasian Information Security Workshop 2004 (AISW 2004), Dunedin, New Zealand. Conferences in Research and Practice in Information Technology, Vol. 32
 Cusson, R. (2002), Étude comparative des méthodologies d’analyse de risque, Conseil du Trésor du Québec
 Savage, L. (1954). The Foundations of Statistics. Dover, New York.
 Keynes, J.M. (1937) The General Theory of Empoyment, QJE
 Lo, A. W. (1999) The Three P’s of Total Risk Management, Financial Analysts Journal, January/February 1999, pp.13-26
 Levi, M. and als. (1990), The Limits of Rationality, University of Chicago Press, Chicago, Illinois in Zey, M. (1998) Rational Choice Theory and Organizational Theory: A Critique, Sage Publishing, February 1998
 Léger, Marc-André, Un processus d’analyse des vulnérabilités technologiques comme mesure de protection contre les cyber-attaques, Rapport d’activité de synthèse, Maîtrise en Informatique de Gestion, UQAM, Juin 2003, 110 pages
 CIHR (Canadian Institutesof Health Research), Secondary use of personal information in health research: Case studies, Canadian Institute of Health Research, November 2002
 MSSS, Ministère de la Santé du Québec, Le réseau RTSS C’est, site internet du MSSS, http://www.msss.gouv.qc.ca/rtss/, 2003
 Whittemore, R., Validity in qualitative research, Qualitative Health Research, vol 11, no 4, july 2001, pages 522-537.
 Belmont Report, Ethical Principles and Guidelines for the Protection of Human Subjects of Research, The National Commission for the Protection of Human Subjects of Biomedical andBehavioral Research, April 18, 1979
 WORLD MEDICAL ASSOCIATION, DECLARATION OF HELSINKI, Ethical Principles for Medical Research Involving Human Subjects, Helsinki, Finland, June 1964
 Nuremberg code, Directives for Human Experimentation, 1947
 Harkness, J., Lederer, S.E., Wikler, D., Laying ethical foundations for clinical research, Bulletin of the World Health Organization, 2001
 CSA (Canadian Standards Association), Model Code for the Protection of Personal Information (Q830-96) , 2003,http://www.csa.ca/standards/privacy/code/Default.asp?language=english
 CIHR (Canadian Institutes of Health Research), Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research: BEST PRACTICES, CONSULTATION DRAFT, April 2004
 Buckovich, Suzy A. et als, Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information, Journal of the American Medical Informatics Association Volume 6 Number 2 Mar / Apr 1999, Pages 122-133
 Boudreau, Christian et la CAI, Étude sur l’inforoute de la santé au Québec : Enjeux techniques, éthiques et légaux, document de réflexion, octobre 2001
 Edwards, K., Prospect Theory: A Literature Review, International Review of Financial Analysis, Vol. 5, No. 1, 1996, pages 19-38
 Laibson D., Zeckhauser, R. (1998) Amos Tversky and the Ascent of Behavioral Economics, Journal of Risk and Uncertainty, pp 7–47
 Myerson, Roger B. (1996) NASH EQUILIBRIUM AND THE HISTORY OF ECONOMIC THEORY, Journal of Economic Literature 36:1067-1082 (1999), revised, March 1999, accessed online on March 8th, 2006, http://home.uchicago.edu/~rmyerson/
The author wishes to thank Professor Andrew Grant of the Faculty of medicine of the University of Sherbrooke and, the CIHR Health Informatics PhD/Postdoc Strategic Training Program (Canadian Institutes of Health Research and the BC Michael Smith Foundation for Health Research) for funding and support making this article possible.