Chapter 10 - Data Security
Intrusion detection system (IDS):
A system that performs automated intrusion detection; procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion
Single sign-on:
A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control
Incident:
An occurrence in a medical facility that is inconsistent with accepted standards of care
User-based access control (UBAC):
A security mechanism used to grant users of a system access based on identity
Audit trail:
1. A chronological set of computerized records that provides evidence of information system activity (logins and logouts, file accesses) used to determine security violations 2. A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.
Access control:
1. A computer software program designed to prevent unauthorized use of an information resource 2. As amended by HITECH, a technical safeguard that requires a covered entity, in accordance with 164.306(a)(1), to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) (45 CFR 164.312 2003)
Authorization:
1. As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508 2. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization
Contingency plan:
1. Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster 2. A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI)
Cryptography:
1. The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again 2. In information security, the study of encryption and decryption techniques
Data integrity:
1. The extent to which healthcare data are complete, accurate, consistent, and timely 2. A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally
Risk management:
A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability
Firewall:
A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network
Role-based access control (RBAC):
A control system in which access decisions are based on the roles of individual users as part of an organization
Data dictionary:
A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use
Network control:
A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems
Security program:
A plan outlining the policies and procedures created to protect healthcare information
Emergency mode of operations:
A plan that defines the processes and controls that will be followed until the operations are fully restored
Business continuity plan:
A program that incorporates policies and procedures for continuing business operations during a computer system shutdown
Password:
A series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database
Two-factor authentication:
A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other
Security threat:
A situation that has the potential to damage a healthcare organization's information system
Sniffers:
A software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers
Application safeguards:
Controls contained in application software or computer programs to protect the security and integrity of information
Information Technology Asset Disposition (ITAD):
Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal
Encryption:
The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination
American Recovery and Reinvestment Act (ARRA):
The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases
Data definition:
The specific meaning of a healthcare-related data element
External threats:
Threats that originate outside an organization
Administrative safeguards:
Under HIPAA, the administrative actions, policies, and procedures used to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
An employee accesses PHI on a computer system that does not relate to her job functions. What security mechanism should have been implemented to minimize this security breach? a. Access controls b. Audit controls c. Contingency controls d. Security incident controls
a. Access controls
Threats to data security are most likely to come from which of the following? a. Employees b. Natural disasters c. Compromised firewalls d. Hackers outside an organization
a. Employees
Administrative safeguards include policies and procedures that address which of the following regarding computer resources? a. Management b. Maintenance c. Modification d. Manipulation
a. Management
A dietary department donated its old microcomputer to a school. Some old patient data were still on the microcomputer. What controls would have minimized this security breach? a. Access controls b. Device and media controls c. Facility access controls d. Workstation controls
b. Device and media controls
A visitor walks through the computer department and picks up a CD from an employee's desk. What security controls should have been implemented to prevent this security breach? a. Device and media controls b. Facility access controls c. Workstation use controls d. Workstation security controls
b. Facility access controls
An employee in the physical therapy department arrives early every morning to snoop through the EHR for potential information about neighbors and friends. What security mechanism should have been implemented that could minimize this security breach? a. Audit controls b. Facility access controls c. Facility access controls d. Workstation security
b. Facility access controls c. Facility access controls
Which of the following statements is true regarding HIPAA security? a. All institutions must implement the same security measures. b. HIPAA allows flexibility in the way an institution implements the security standards. c. All institutions must implement all HIPAA implementation specifications. d. A security risk assessment must be performed every year.
b. HIPAA allows flexibility in the way an institution implements the security standards.
These are automatic checks that help preserve data confidentiality and integrity. a. Access controls b. Audit controls c. Application controls d. Incident controls
c. Application controls
A visitor to the hospital looks at the screen of the admitting clerk's computer workstation when she leaves her desk to copy some admitting documents. What security mechanism would best have minimized this security breach? a. Access controls b. Audit controls c. Automatic logoff controls d. Device and media controls
c. Automatic logoff controls
An admission coordinator consistently enters the wrong patient gender while entering data in the MPI. What security measures should be in place to minimize this security breach? a. Access controls b. Audit trail c. Edit checks d. Password controls
c. Edit checks
The first and most fundamental strategy for minimizing security threats is which of the following? a. Establish access controls b. Implement an employee security awareness program c. Establish a secure organization d. Conduct a risk analysis
c. Establish a secure organization
For HIPAA implementation specifications that are addressable, the covered entity _________. a. Implements the specification b. May choose not to implement the specification if it is too costly to execute c. Must conduct a risk assessment to determine if the specification is appropriate to its environment d. Does not have to implement the specification if it is a small hospital
c. Must conduct a risk assessment to determine if the specification is appropriate to its environment
Locks on computer room doors illustrate a type of _________. a. Access control b. Workstation control c. Physical control d. Security breach
c. Physical control
HIPAA requires that policies and procedures be maintained for a minimum of _______. a. Seven years b. Six years from date of creation c. Six years from date of creation or date when last in effect, whichever is later d. Seven years from date when last in effect
c. Six years from date of creation or date when last in effect, whichever is later
The individual responsible for ensuring that everyone follows the organization's data security policies and procedures is which of the following? a. Chief executive officer b. Chief information officer c. Chief privacy officer d. Chief security officer
d. Chief security officer
The greatest threat category to electronic health information is which of the following? a. Natural disasters b. Power surges c. Hardware malfunctions d. Humans
d. Humans
An employee observes an outside individual putting some computer disks in her purse. The employee does not report this security breach. What security measures should have been in place to minimize this threat? a. Access controls b. Audit controls c. Authentication controls d. Security incident procedures
d. Security incident procedures
A laboratory employee forgot his user ID badge at home and uses another lab employee's badge to access the computer system. What controls should have been in place to minimize this security breach? a. Access controls b. Security incident procedures c. Security management process d. Workforce security awareness training
d. Workforce security awareness training
Unsecured electronic protected health information (e-PHI):
e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons
Security:
1. The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss 2. The physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems
Authentication:
1. The process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature 2. Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source 3. As amended by HITECH, means the corroboration that a person is the one claimed
Impact analysis:
A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study
Context-based access control (CBAC):
An access control system that limits users' access to information not only according to their identity and role, but also according to the location and time from which they are accessing the information
Digital certificate:
An electronic document that establishes a person's online identity
Digital signature:
An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender
Likelihood determination:
An estimate of the probability of threats occurring
Physical safeguards:
As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures; includes facility access controls, workstation use, workstation security, and device and media controls
Implementation specifications:
As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard
Technical safeguards:
As amended by HITECH, under the Security Rule, the technology and the policies and procedures for its use that protect electronic protected health information and control access to it
Decryption:
Data decoded and restored to its original readable form
Edit check:
Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer
Access safeguards:
Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.
Public key infrastructure (PKI):
In cryptography, an asymmetric algorithm made publicly available to unlock a coded message
Incident detection:
Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred
Trigger events:
Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures
Application controls:
Security strategies, such as password management, included in application software and computer programs
Malware:
Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives
HIPAA Security Rule:
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Single-key encryption:
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also private key infrastructure
Private key infrastructure:
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also single-key encryption
Security breach:
Unauthorized data or system access
Disaster recovery plan:
The document that defines the resources, actions, tasks, and data required to manage the business's recovery process in the event of a business interruption
Data availability:
The extent to which healthcare data are accessible whenever and wherever they are needed
Data consistency:
The extent to which the healthcare data are reliable and the same across applications
Audit controls:
The mechanisms that record and examine activity in information systems
Biometrics:
The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system
Intrusion detection:
The process of identifying attempts or actions to penetrate a system and gain unauthorized access
Risk analysis:
The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority
Data security:
The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction
Internal threats:
Threats that originate within an organization
Within the context of data security, protecting data privacy means defending or safeguarding _________. a. Access to information b. Data availability c. Health record quality d. System implementation
a. Access to information
Data security includes protecting data availability, privacy, and ________. a. Suitability b. Integrity c. Flexibility d. Quality
b. Integrity