Chapter 10 - Data Security

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Intrusion detection system (IDS):

A system that performs automated intrusion detection; procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion

Single sign-on:

A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control

Incident:

An occurrence in a medical facility that is inconsistent with accepted standards of care

User-based access control (UBAC):

A security mechanism used to grant users of a system access based on identity

Audit trail:

1. A chronological set of computerized records that provides evidence of information system activity (logins and logouts, file accesses) used to determine security violations 2. A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.

Access control

1. A computer software program designed to prevent unauthorized use of an information resource 2. As amended by HITECH, a technical safeguard that requires a covered entity must in accordance with 164.306(a)(1) implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) (45 CFR 164.312 2003)

Authorization:

1. As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508 2. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization

Contingency plan:

1. Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster 2. A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI)

Cryptography:

1. The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again 2. In information security, the study of encryption and decryption techniques

Data integrity:

1. The extent to which healthcare data are complete, accurate, consistent, and timely 2. A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally

Risk management:

A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuring liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability

Firewall:

A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network

Role-based access control (RBAC):

A control system in which access decisions are based on the roles of individual users as part of an organization

Data dictionary:

A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use

Network control:

A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems

Security program:

A plan outlining the policies and procedures created to protect healthcare information

Emergency mode of operations:

A plan that defines the processes and controls that will be followed until the operations are fully restored

Business continuity plan:

A program that incorporates policies and procedures for continuing business operations during a computer system shutdown

Password:

A series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database

Two-factor authentication:

A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other

Security threat

A situation that has the potential to damage a healthcare organization's information system

Sniffers:

A software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers

Application safeguards:

Controls contained in application software or computer programs to protect the security and integrity of information

Information Technology Asset Disposition (ITAD):

Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal

Encryption:

The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination

American Recovery and Reinvestment Act (ARRA):

The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases

Data definition:

The specific meaning of a healthcare- related data element

External threats:

Threats that originate outside an organization

Administrative safeguards:

Under HIPAA, are administrative actions and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach? a. Access controls b. Audit controls c. Contingency controls d. Security incident controls

a. Access controls

Threats to data security are most likely to come from which of the following? a. Employees b. Natural disasters c. Compromised firewalls d. Hackers outside an organization

a. Employees

Administrative safeguards include policies and procedures that address which of the following regarding computer resources? a. Management b. Maintenance c. Modification d. Manipulation

a. Management

A dietary department donated its old microcomputer to a school. Some old patient data were still on the microcomputer. What controls would have minimized this security breach? a. Access controls b. Device and media controls c. Facility access controls d. Workstation controls

b. Device and media controls

A visitor walks through the computer department and picks up a CD from an employee's desk. What security controls should have been implemented to prevent this security breach? a. Device and media controls b. Facility access controls c. Workstation use controls d. Workstation security controls

b. Facility access controls

An employee in the physical therapy department arrives early every morning to snoop through the EHR for potential information about neighbors and friends. What security mechanism should have been implemented that could minimize this security breach? a. Audit controls b. Facility access controls c. Facility access controls d. Workstation security

b. Facility access controls c. Facility access controls

Which of the following statements is true regarding HIPAA security? a. All institutions must implement the same security measures. b. HIPAA allows flexibility in the way an institution implements the security standards. c. All institutions must implement all HIPAA implementation specifications. d. A security risk assessment must be performed every year.

b. HIPAA allows flexibility in the way an institution implements the security standards.

These are automatic checks that help preserve data confidentiality and integrity. a. Access controls b. Audit controls c. Application controls d. Incident controls

c. Application controls

A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach? a. Access controls b. Audit controls c. Automatic logoff controls d. Device and media controls

c. Automatic logoff controls

An admission coordinator consistently enters the wrong patient gender while entering data in the MPI. What security measures should be in place to minimize this security breach? a. Access controls b. Audit trail c. Edit checks d. Password controls

c. Edit checks

The first and most fundamental strategy for minimizing security threats is which of the following? a. Establish access controls b. Implement an employee security awareness program c. Establish a secure organization d. Conduct a risk analysis

c. Establish a secure organization

For HIPAA implementation specifications that are addressable, the covered entity _________. a. Implements the specification b. May choose not to implement the specification if it is too costly to execute c. Must conduct a risk assessment to determine if the specification is appropriate to its environment d. Does not have to implement the specification if it is a small hospital

c. Must conduct a risk assessment to determine if the specification is appropriate to its environment

Locks on computer room doors illustrate a type of _________. a. Access control b. Workstation control c. Physical control d. Security breach

c. Physical control

HIPAA requires that policies and procedures be maintained for a minimum of _______. a. Seven years b. Six years from date of creation c. Six years from date of creation or date when last in effect, whichever is later d. Seven years from date when last in effect

c. Six years from date of creation or date when last in effect, whichever is later

The individual responsible for ensuring that everyone follows the organization's data security policies and procedures is which of the following? a. Chief executive officer b. Chief information officer c. Chief privacy officer d. Chief security officer

d. Chief security officer

The greatest threat category to electronic health information is which of the following? a. Natural disasters b. Power surges c. Hardware malfunctions d. Humans

d. Humans

An employee observes an outside individual putting some computer disks in her purse. The employee does not report this security breach. What security measures should have been in place to minimize this threat? a. Access controls b. Audit controls c. Authentication controls d. Security incident procedures

d. Security incident procedures

A laboratory employee forgot his user ID badge at home and uses another lab employee's badge to access the computer system. What controls should have been in place to minimize this security breach? a. Access controls b. Security incident procedures c. Security management process d. Workforce security awareness training

d. Workforce security awareness training

Unsecured electronic protected health information (e-PHI):

e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons

Security:

1. The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss 2. The physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems

Authentication:

1. The process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature 2. Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source 3. As amended by HITECH, means the corroboration that a person is the one claimed

Impact analysis:

A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study

Context-based access control (CBAC):

An access control system which limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information

Digital certificate:

An electronic document that establishes a person's online identity

Digital signature:

An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender

Likelihood determination:

An estimate of the probability of threats occurring

Physical safeguards:

As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures; includes facility access controls, workstation use, workstation security, and device and media controls

Implementation specifications:

As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard

Technical safeguards:

As amended by HITECH, the Security Rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it

Decryption:

Data decoded and restored back to original readable form

Edit check:

Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer

Access safeguards:

Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.

Public key infrastructure (PKI):

In cryptography, an asymmetric algorithm made publicly available to unlock a coded message

Incident detection:

Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred

Trigger events:

Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures

Application controls:

Security strategies, such as password management, included in application software and computer programs

Malware:

Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Single-key encryption:

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also private key infrastructure

Private key infrastructure:

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also single-key encryption

Security breach:

Unauthorized data or system access

Disaster recovery plan:

The document that defines the resources, actions, tasks, and data required to manage the businesses recovery process in the event of a business interruption

Data availability:

The extent to which healthcare data are accessible whenever and wherever they are needed

Data consistency:

The extent to which the healthcare data are reliable and the same across applications

Audit controls:

The mechanisms that record and examine activity in information systems

Biometrics:

The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system

Intrusion detection:

The process of identifying attempts or actions to penetrate a system and gain unauthorized access

Risk analysis:

The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority

Data security:

The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction

Internal threats:

Threats that originate within an organization

Within the context of data security, protecting data privacy means defending or safeguarding _________. a. Access to information b. Data availability c. Health record quality d. System implementation

a. Access to information

Data security includes protecting data availability, privacy, and ________. a. Suitability b. Integrity c. Flexibility d. Quality

b. Integrity


Kaugnay na mga set ng pag-aaral

Word Meaning in the Preface to A Dictionary of the English Language

View Set

Health 231 Chapter 1 Questions TAMU

View Set

Knowledge Check - Politics C, D, and E

View Set

chapter 11: introduction to contracts - brief hypotheticals

View Set