HIM 298 Sayles CHAPTER 10 DATA SECURITY


The General Rules include the following:

(1) Covered entities must demonstrate and document that they have done the following:
o Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) that is created, received, maintained, or transmitted by the covered entity.
o Protect e-PHI against any reasonably anticipated threats or hazards to the security or integrity of e-PHI.
o Protect e-PHI against any reasonably anticipated uses or disclosures that are not permitted under the HIPAA Privacy Rule.
o Ensure compliance with the HIPAA Security Rule by workforce members.
(2) The Security Rule is flexible, scalable, and technology neutral. Regarding flexibility, HIPAA allows a covered entity to adopt security protection measures that are appropriate and reasonable for its organization. In determining which security measures to use, the following must be taken into account:
o Size, complexity, and capabilities of the covered entity
o Technical infrastructure, hardware, and software capabilities
o Security measure costs
o Probability and criticality of the potential risks to e-PHI
(3) Standards: The General Rules specify which HIPAA Security Rule standards covered entities must comply with. Business Associates, hybrid entities, and other related entities are also required to comply with these standards.
(4) Implementation Specifications define how standards are to be implemented. They are either required or addressable.
= Entities must apply all implementation specifications that are REQUIRED.
= ADDRESSABLE does not mean optional. For those implementation specifications that are labeled ADDRESSABLE, the covered entity must conduct a risk assessment and evaluate whether the specification is appropriate to its environment.
(5) Maintenance: HIPAA requires covered entities and business associates to maintain their security measures.

To prevent the intrusion of malware, organizations establish antivirus policies and procedures that establish the use of antivirus software and specify:

(1) What devices should be scanned, such as file servers, mail servers, and desktop computers
(2) What programs, documents, and files should be scanned
(3) How often scans should be scheduled
(4) Who is responsible for ensuring scans are being completed
(5) What action should be taken when malware is detected

Common BAs include:

* Consultants
* Billing companies
* Transcription companies
* Accounting firms
* Law firms

The two implementation specifications for Technical Safeguards Transmission Security include:

* Integrity controls
* Encryption

Example policies for administrative safeguards:

* One such policy might DIRECT USERS to log off the computer system when they are not using it, or employ automatic log offs after a period of inactivity.
* Password security (inappropriate sharing, minimum password requirements, the frequency with which passwords must be changed, and failed login monitoring).
* Timely removal of terminated employees' system access.
* Prohibiting employees from accessing the internet for purposes that are not work related.
* An organization should have a policy on Information Technology Asset Disposition (ITAD).

Administrative safeguards detail how the security program should be managed from the organization's perspective:

* Policies and procedures should be written and formalized in a POLICY MANUAL.
* The organization should issue a statement of its philosophy on data security.
* It should outline data security authority and responsibilities throughout the organization.

Trigger events include employees viewing:

* Records of patients with the same last name or address as the employee
* VIP records (celebrities, board members, political figures)
* Records of those involved in high-profile events in the community
* Records with little or no activity for 120 days
* Other employees' records
* Files of minors
* Files of those treated for infectious diseases or sensitive diagnoses such as HIV/AIDS or sexually transmitted diseases
* Records of patients for whom the viewing employee did not provide care
* Records of a spouse (without the same surname)
* Records of terminated employees
* Portions of records from a discipline not consistent with the employee's expertise

Data back up procedures may involve:

* Server redundancy or duplexing (duplicate information on one or more servers)
* Sending data off-site to contracted vendors or data warehouses for safe and secure storage and access

Examples or Types of malware:

* computer virus
* computer worm
* Trojan horse
* spyware
* backdoor programs
* rootkit

Environmental hazards include

* fire
* floods
* moisture
* temperature variations
* loss of electricity

The organization should offer a FORMAL PROGRAM that educates every new employee on the confidential nature of patient and organizational data. The program should:

* inform employees about the organization's security policies and the consequences of failing to comply with them
* give each employee a copy of its security policies as they relate to the employee's job function
* require every employee to sign a yearly confidentiality statement
* provide periodic and ongoing security reminders
* include policies and procedures regarding mobile devices, the use of e-mail and faxed information, and appropriate and inappropriate use of social media

The implementation specifications for Technical Safeguards Access Controls include:

+ unique user identification
+ emergency access procedures (for example, a break-the-glass capability that allows nonstandard access)
+ automatic logoff after a predetermined period of workstation inactivity
+ encryption and decryption

The contingency plan is developed based on the following steps:

1 Identifying the minimum allowable time for system disruption.
2 Identifying alternatives for system continuation.
3 Evaluating the cost and feasibility of each alternative.
4 Developing procedures required for activating the plan.

Examples of types of incident responses:

1) "watch and warn"
2) "repair and report"
3) "pursue and prosecute"

Types of Encryption:

1) Private Key Infrastructure/Single Key Infrastructure
2) Pretty Good Privacy (PGP) / Public Key Infrastructure

The Administrative Safeguards include the following standards that must be implemented by covered entities:

1) Security Management Process
2) Assigned Security Responsibility
3) Workforce Security
4) Information Access Management
5) Security Awareness and Training
6) Security Incident Procedures
7) Contingency Plan
8) Evaluation
9) Business Associate Contracts

Data Security Threats (both internal and external) can be caused by:

1) Threats caused by People
2) Threats Caused by the Environment
3) Threats caused by Hardware and Software Factors

Technical Safeguards provisions include:

1. Access controls
2. Audit controls
3. Integrity
4. Person or Entity Authentication
5. Transmission Security

Three data quality dimensions that are often addressed using computer tools are:

1. Data Availability
2. Data Consistency
3. Data Definition

After conducting a risk assessment, if the covered entity finds that the specification is not a reasonable and appropriate safeguard for its environment (for example, a small organization may decide not to encrypt PHI because it deems it too expensive to do so), then the covered entity must:

1. Document why it is not reasonable and appropriate to implement the specification as written.
2. Implement an equivalent alternative method if reasonable and appropriate.

COMPONENTS OF A SECURITY PROGRAM:

1. EMPLOYEE AWARENESS INCLUDING ONGOING EDUCATION AND TRAINING
2. RISK MANAGEMENT PROGRAM
3. ACCESS SAFEGUARDS
4. PHYSICAL AND ADMINISTRATIVE SAFEGUARDS
5. SOFTWARE APPLICATION SAFEGUARDS
6. NETWORK SAFEGUARDS
7. DISASTER PLANNING AND RECOVERY
8. DATA QUALITY CONTROL PROCESSES

Types of Data Security Threats:

1. Internal Threats
2. External Threats

Responses to an incident include:

1. Workforce notification
2. Preserving evidence
3. Mitigating harmful effects caused by the breach
4. Evaluating the incident as a part of the organization's risk management process

Foundations upon which access control mechanisms are based:

1= Identification
2= Authentication
3= Authorization

Three Cryptographic Technologies used in healthcare are:

1> Encryption
2> Digital Signatures
3> Digital Certificates

Physical Safeguards consist of the following:

1> Facility Access Controls
2> Workstation Use
3> Workstation Security
4> Device and Media Controls

Application controls:

1> authentication
2> audit trail
3> edit check

There are 3 different types of information that can be used for authentication:

1~ SOMETHING YOU KNOW. Examples:
* personal identification number (PIN)
* passwords
* your mother's maiden name
2~ SOMETHING YOU HAVE. Examples:
* smart cards
* token cards
3~ SOMETHING YOU ARE = refers to BIOMETRICS. Examples:
* palm prints
* finger prints
* voice prints
* retinal (eye) scans

8) Evaluation

= A periodic evaluation must be performed in response to environmental or operational changes affecting the security of e-PHI and appropriate improvements in policies and procedures should follow.

1) Security Management Process

= An organization must have a defined security management process. This means that there is a process in place for:
* creating, maintaining, and overseeing the development of security policies and procedures
* identifying vulnerabilities and conducting risk analyses
* establishing a risk management program
* developing a sanction policy
* reviewing information system activity

a) Business Associate or Other Contracts

= Covered entities must obtain a written contract with business associates or other entities (hybrid or other) who handle e-PHI.
= The written contract must stipulate that the business associate will implement HIPAA administrative, physical, and technical safeguards and the procedures and documentation requirements that safeguard the confidentiality, integrity, and availability of the e-PHI that it creates, receives, maintains, or transmits on behalf of the covered entity.
= The contract must ensure that any agent, including a SUBCONTRACTOR, agrees to implement reasonable and appropriate safeguards.

Sniffers

= devices that can be attached to networks for the purpose of diverting transmitted data.
= Data encryption that provides protection for data across transmission lines is important because eavesdropping is easily accomplished using these devices.

e. Threats from vengeful employees or outsiders who mount attacks on the organization's information systems.

= Disgruntled employees might destroy computer hardware or software, delete or change data, or enter data incorrectly into the computer system.
= Outsiders might mount attacks that can harm the organization's information resources.
= Example: MALICIOUS HACKERS can plant viruses in a computer system or break into telecommunications systems to degrade or disrupt system availability.

2) Assigned Security Responsibility

= Each covered entity must designate a security official (CSO/Security Officer) who has been assigned security responsibility for the development and implementation of the policies and procedures required by the HIPAA Security Rule.

c. Threats from insiders who access information or computer systems for spite or profit

= Generally, such employees seek information to commit fraud or theft.

1) Threats caused by People

= HUMANS are the greatest threat to electronic health information

1) Private Key Infrastructure/Single Key Infrastructure

= In this method, two or more computers share the same secret key and that key is used to both encrypt and decrypt a message.

d. Threats from intruders who attempt to access information or steal physical resources

= Individuals may physically come onto the organization's property to access information or steal equipment such as laptop computers or printers.
= They also may loiter in the organization's buildings hoping to access information from unprotected computer terminals or to read or take paper documents, computer disks, or other information.

2) Threats Caused by the Environment

= Natural disasters such as earthquakes, tornadoes, floods, and hurricanes can demolish physical facilities and electrical utilities.
= Facilities in California and other earthquake-prone areas send back-up information to vaults that are located many miles off-site, perhaps in a distant state, to assist in the recovery of data should an earthquake or other catastrophic event destroy on-site computer systems.

c) Incident Response Plan and Procedures

= Once a security incident has been identified, there must be a coordinated response to mitigate the incident.
= This includes management procedures and responsibilities to ensure a quick response is effectively implemented for specific types of incidents.

b) Incident Detection

= Once possible threats and vulnerabilities are known, it is important to be able to detect whether a threat, incident, or intrusion has occurred.
= Methods for this should be used to identify both accidental and malicious events.
= This program should monitor information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred.

3) Threats caused by Hardware and Software Factors

= Other causes of security breaches are utility, software, and hardware failures and malfunctions.
= These include hardware breakdowns and software failures that cause information systems to shut down or malfunction unexpectedly.
= Examples:
* a hard-disk crash that destroys or corrupts data
* program code that does not execute properly and alters or destroys information
* a failed, weak, or poorly configured firewall
* unsecured browsers
= Electrical outages and power outages also can cause problems.

2> Workstation Use

= Policies and procedures must relate to workstations that access e-PHI and include proper functions to be performed, how they are to be performed, and the physical environment in which those workstations exist.

3> Workstation Security

= Provisions under workstation security require that physical safeguards be implemented for workstations with access to e-PHI.

v Policies and Procedures and Documentation Requirements

= The Security Rule requires that covered entities and business associates have: 1* policies and procedures and that 2* they be documented in writing.

3) Workforce Security

= The covered entity must ensure APPROPRIATE CLEARANCE PROCEDURES to grant access to individually identifiable information to workforce members who need to use e-PHI to perform their job duties, and must maintain appropriate oversight of authorization and access.
= Covered entities must prevent access to information by those who do not need it and have clear procedures for access termination for employees who leave the organization.

1> Facility Access Controls

= This includes establishing safeguards to protect the physical hardware and the computer system itself from unauthorized access while ensuring that proper authorized access is allowed. Similar safeguards are also required to protect the computer system from catastrophic physical events (for example, fire, flooding, and electrical malfunctions).

9) Business Associate Contracts

= This standard requires business associates to appropriately safeguard information in their possession and covered entities to receive satisfactory assurances that the business associates will do so.

4) Information Access Management

= This standard requires covered entities to implement a program of information access management. = It includes specific policies and procedures to determine who should have access to what information.

3. Integrity

= This standard requires covered entities to implement policies and procedures to protect e-PHI from being improperly altered or destroyed.
= In other words, this standard requires organizations to provide corroboration that their data have not been altered in an unauthorized manner.
= Data authentication can be substantiated through audit trails and system logs that track users who have accessed or modified data via unique identifiers.

5) Security Awareness and Training

= This standard requires entities to provide security training for all staff.
= They must address:
* security reminders,
* detection and reporting of malicious software,
* login monitoring, and
* password management.

1. Access controls

= This standard requires implementation of technical procedures to control or limit access to health information. = This requirement ensures that individuals are given authorization to access only the data they need to perform their respective jobs.

2. Audit controls

= This standard requires procedural mechanisms be implemented to record activity in systems that contain e-PHI and that the output be examined to determine appropriateness of access.

4. Person or Entity Authentication

= This standard requires that those accessing e-PHI must be appropriately identified and authenticated.

7) Contingency Plan

= This standard requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain e-PHI.
= It includes:
* data back up plan,
* disaster recovery plan,
* emergency mode of operation plan,
* testing and revision procedures, and
* applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency.

4> Device and Media Controls

= This standard requires the facility to specify proper receipt and removal of hardware and media containing e-PHI and to address items as they move within an organization.
= The entity must also address procedures for removal or disposal, including reuse or redeployment of electronic media, data backup, and the identity of persons accountable for the process.
= INFORMATION TECHNOLOGY ASSET DISPOSITION (ITAD) POLICIES are required under this standard.
= The policies should address end-of-life-cycle hard drives, laptops, servers, and other media that have contained sensitive data.
= Before hard drives, servers, or laptops are disposed of, appropriate data destruction must be carried out.

5. Transmission Security

= This standard requires the guarding of data against unauthorized access (interception) or improper modification without detection when they are in transit, whether via open networks such as the Internet or private networks such as those internal to an organization.

6) Security Incident Procedures

= This standard requires the implementation of policies and procedures to address security incidents, including responding to, reporting, and mitigating suspected or known incidents.

2) Pretty Good Privacy (PGP) / Public Key Infrastructure

= a common encryption method used over the internet.
= This method uses both a public and a private key, which form a KEY PAIR.
= The sending computer uses a key to encrypt the data and it gives a key to the recipient computer to decrypt the data.
= With this type of system there is a registry of public keys called a CERTIFICATE AUTHORITY.
= If one user wants to send an encrypted message to another, the registry is consulted and the receiving user's public key is used to encrypt the data. Only the recipient, who knows the private key, can decrypt the message into its original form.

2. Data Consistency

= a component of data integrity; it means that data do not change no matter how often or in how many ways they are stored, processed, or displayed.
= Data values are consistent when the value of any given data element is the same across applications and systems.

* rootkit

= a computer program designed to gain unauthorized access to a computer and assume control over, and modify, the operating system.

* backdoor programs

= a computer program that bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems.

* spyware

= a computer program that tracks an individual's activity on a computer system.
= COOKIES are a type of this malware.
= These programs can store authentication information such as an individual's password.

The HITECH Act

= a portion of ARRA = broadened privacy and security provisions including greater individual rights and protections when third parties handle individually identifiable health information.

* computer worm

= a program that copies itself and spreads throughout a network. Unlike a computer virus, this does not need to attach itself to a legitimate program. It can execute and run itself.

* computer virus

= a program that reproduces itself and attaches itself to legitimate programs on a computer. = can be programmed to change or corrupt data. = frequently they slow down the performance of a computer system.

d# Intrusion Detection Systems

= a system that performs automated intrusion detection.

3) "pursue and prosecute"

= a type of response which would include the monitoring of an attack, the minimization of the attack, the collection of evidence, and the involvement of a law enforcement agency. = might be used in instances of suspected identity theft.

1> authentication

= a type of software application control where through the use of passwords, tokens or biometrics, a system keeps a record of end users' identifications and authentication mechanisms and then matches the authentication mechanism to each end user's privileges. This ensures that end users can access only the information they have permission to access.

Single Sign-On

= allows login to many separate, although related, software systems. = allows a user to log in one time and be able to access the many systems. = This prevents the user from having to log in again for each of them.

a# Firewalls

= also called a SECURE GATEWAY.
= is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.
= It is a software program or device that filters information and serves as a buffer between two networks, usually between a private (trusted) network like an intranet and a public (untrusted) network like the Internet.
= allows internal users access to an external network while blocking malicious hackers from damaging internal systems.
= it may control the size of the file that is allowed through the firewall.
= is configured to permit, deny, encrypt, or decrypt computer traffic.

Role-Based Access Control (RBAC)

= an access control model in which access is based on a user's job function within the organization.
= Determining what data to make available to an employee usually involves identifying classes of information based on the employee's role in the organization.
= Every role in the organization should be identified, along with the type of information required to perform it.
= is the model used most often in healthcare organizations.
= Example: The organization would determine what information a REGISTRAR, for example, would need to know to do his or her job. Subsequently, every individual who works as a registrar would have access to the same information.

User-Based Access Control (UBAC)

= an access control model used to grant users of a system access based on identity.
= grants access based on a user's individual identity.
= Example: Every employee in the quality improvement department could potentially have a different degree of access if they have unique responsibilities in that department.

Disaster Recovery Plan

= an immediate component of a contingency plan. = addresses the resources, actions, tasks, and data necessary to restore those services identified as critical, as soon as possible, and to manage business recovery processes.

Certificate Authority (CA)

= an independent source that acts as a middleman that both the sending and receiving computers trust. It confirms that each computer is who it says it is and provides the public key of each computer to the other.

Incident

= an occurrence or an event.

Contingency Plan

= and its component disaster recovery plan will guide an organization through undesirable nonroutine events.
= a set of procedures, documented by the organization, to be followed when responding to emergencies.
= is based on information gathered during the RISK ASSESSMENT AND ANALYSIS. The risk assessment includes the probability that an unexpected shutdown will occur.

6. NETWORK SAFEGUARDS

= another important strategy used to guard against security breaches.
= All kinds of networks are used to transmit healthcare data today, and the data must be protected from intruders and corruption during transmission within and external to the organization.
= With the widespread use of the Internet, network controls also are essential to prevent the threat of hackers.

i Administrative Safeguards

= are documented, formal practices to manage data security measures throughout the organization. = They require the facility to establish a security management process.

Backup procedures

= are necessary to ensure that the organization's business can continue in the event of a disruption.
= are also necessary to be in compliance with federal and state regulations.

c# Web Security Protocols

= are transmission protocols that provide data security.
= Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are based on public key cryptography.
= These protocols are the most common protocols used to secure communications on the Internet between a web browser and a web server.
= These protocols allow authentication of the server.
= frequently used for electronic mail, Internet faxing, instant messaging, e-commerce transactions, and voice communications over the Internet (VoIP).

3> Digital Certificates

= are used to implement public key encryption on a large scale.
= is an electronic document that uses a digital signature to bind together a public key with an identity such as the name of a person or an organization, address, and so forth.
= it can be used to verify that a public key belongs to an individual.

Computer Tools

= are used to monitor unscheduled computer downtime, determine why failures occurred, and provide data to help minimize future problems.

iii Technical Safeguards

= consist of five broad categories. = These provisions include those things that can be implemented from a technical standpoint using computer software.

Implementation Specifications

= define how standards are to be implemented.
= They are either required or addressable.
= Entities MUST apply all implementation specifications that are REQUIRED.
= ADDRESSABLE does not mean optional. For those implementation specifications that are labeled ADDRESSABLE, the covered entity must conduct a risk assessment and evaluate whether the specification is appropriate to its environment.

Data Security

= encompasses measures and tools to safeguard data and information systems on which they reside, from unauthorized access, use, disclosure, disruption, modification, or destruction.

2. RISK MANAGEMENT PROGRAM

= encompasses the identification, evaluation and control of risks that are inherent in unexpected and inappropriate events.

8. DATA QUALITY CONTROL PROCESSES

= ensuring data quality is an essential part of any data security program. = monitoring and tracking systems that ensure data quality are part of a data security program.

The Department of Health and Human Services

= established the HIPAA Privacy Rule and the HIPAA Security Rule.

3. ACCESS SAFEGUARDS

= establishing this is a fundamental security strategy = Basically, this means being able to identify which employees should have access to what data.

Backup policies and procedures

= for all systems (including non-networked computers such as laptops) should be in place. = should specify what files and programs require backup, what type should be performed, how frequently it should occur, and how it is to be conducted.

a. Data at rest

= for example, data contained in databases, file systems, or flash drives.

c. Data in use

= for example, data in the process of being created, retrieved, updated, or deleted.

b. Data in motion

= for example, data moving through a network or wireless transmission

d. Data disposed

= for example, discarded paper records or recycled electronic media. = It is critical to use appropriate data destruction methods to ensure disposed data cannot be read, retrieved, or reconstructed in any way.

workforce clearances

= granting appropriate data access levels to individuals

3> edit check

= help to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer. = For example: A system using this feature would disallow an ICD-10 CM code that does not exist. = are important because they are automatic checks that help preserve data confidentiality and integrity.

Chief Security Officer (CSO)

= helps manage the different threats to data security in a coordinated security program.
= someone from inside the organization who is given responsibility for data security.
= should be someone at the middle or senior management level.
= responsible for ensuring that everyone follows the policies and procedures in place in the data security program, which is done using monitoring and evaluation systems, typically on an annual basis.
= In addition to yearly audits, this person might establish procedures to audit and evaluate current processes randomly.

Information Technology Asset Disposition (ITAD)

= identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal.

Information security committee

= in addition to appointing someone to the CSO position, the organization appoints an ADVISORY or POLICY-MAKING GROUP. = works with the CSO to evaluate the organization's security needs, establish a security program, develop associated policies and procedures including monitoring and sanction policies, and ensure that the policies are followed.

ADMINISTRATIVE SAFEGUARDS

= include policies and procedures that address the management of computer resources.

ii Physical Safeguards

= include the protection of electronic systems from natural and environmental hazards and intrusion. = They encompass related buildings and equipment.

The HIPAA of 1996

= includes provisions for insurance reform and administrative simplification. Included in the administrative simplification provisions was a requirement for setting standards to protect health information.

4. PHYSICAL AND ADMINISTRATIVE SAFEGUARDS

= involves both Physical safeguards, which refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft, and Administrative safeguards, which include policies and procedures that address the management of computer resources.

Cryptography

= is a branch of mathematics that is based on the transformation of data by developing CIPHERS, which are codes that are to be kept secret. = is used as a tool for data security

1> Encryption

= is a method of encoding data, converting them to a jumble of unreadable scrambled characters and symbols as they are transmitted through a telecommunication network so that they are not understood by persons who do not have a key to transform the data into their original form.
= uses an algorithm. Upon receipt, data can only be decoded and restored to their original readable form (DECRYPTION) by using a special algorithm.
= Takes the message from one computer and encodes it in a form that only the receiving computer can decode.

1. EMPLOYEE AWARENESS INCLUDING ONGOING EDUCATION AND TRAINING

= is a particularly important tool to reduce security breaches by wrongdoers (either intentional or unintentional) and to make witnesses cognizant of security breaches so they can recognize, respond to them, and report them appropriately.

* Trojan horse

= is a program that gains unauthorized access to a computer and masquerades as a useful function. = is a virus capable of compromising data by copying confidential files to unprotected areas of the computer system. = may also copy and send itself to e-mail addresses in a user's computer.

2> Digital Signatures or Digital Signature scheme

= is a public key cryptography method that ensures that an electronic document such as an e-mail message or text file is authentic. This means that the receiver knows who created the document and is assured that the document has not been altered in any way since it was created. = in this method, data are electronically signed by applying the sender's private key to the data. The digital signature can be stored or transmitted with the data. The signature can then be verified by the receiving party using the public key of the signer. = sometimes confused with e-signatures.

1) "watch and warn"

= is a response that includes monitoring and notification of an incident but takes no immediate action.

Business continuity plan

= is a set of policies and procedures that directs the organization how to continue its business operations during a computer system shutdown.

One-time password (OTP) token

= is a small electronic device programmed to generate and display new passwords at certain intervals. = is usually used in combination with user identification or a password = to access a system, a user puts in an identification code and the OTP token generates a one-time password that is displayed on the token.

smart cards and tokens

= is a small plastic card with an embedded microchip that can store multiple identification factors for a specific user. = usually is used in combination with a user identification or password

2> audit trail

= is a software program that tracks every single access or attempted access of data in the computer system. = it logs the name of the individual who accessed the data, terminal location or IP address, the date and time accessed, the type of data, and the action taken (for example, modifying, reading, or deleting data). = are usually examined by system administrators who use special analysis software to identify suspicious or abnormal system events or behavior. = because it maintains a complete log of system activity, it can also be used to help reconstruct how and when an adverse event or failure occurred. = are reviewed periodically, on predetermined schedules or relative to highly sensitive information.

Likelihood Determination

= is an estimate of the probability of threats occurring

Passwords

= is an example of "something you know" = are frequently used in conjunction with a username. = should be of specific length, include special characters and numbers, should be case sensitive, and should not be words that are included in a dictionary or related to the user's ID or personal information. = provide the least amount of security compared to other methods.

Malicious software or malware

= is another type of threat that is caused by these INTENTIONAL software intrusions = these software applications can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives. = usually gains access to computers via the Internet as attachments in e-mails or through browsing a website that installs the software after the user clicks on a pop-up window.

Automated Intrusion Detection

= is called INTRUSION DETECTION SYSTEM (IDS).

3. Data Definition

= is describing the data. = Every data element should have a clear meaning and a range of acceptable values.

II. Ensuring the integrity of data

= is important because providers use the data in making decisions about patient care.

Chief Security Officer (CSO)

= is responsible for managing all aspects of computer security = coordinates the development of security policies and makes certain that they are followed. = when the data security program with policies and procedures is in place, this individual is responsible for ensuring that everyone follows them, which is done using monitoring and evaluation systems, typically on an annual basis. = in addition to the yearly audit, this individual might establish procedures to audit and evaluate current processes randomly.

Intrusion Detection

= is the process of identifying attempts or actions to penetrate a system and gain unauthorized access. = can be performed either in real time or after the occurrence of an intrusion. = the purpose of this is to prevent the compromise of the confidentiality, integrity, or availability of a resource. = can be performed manually or automatically.

Access Control

= is the restriction of access to information and information resources (such as computers) to only those who are authorized, by role or other means. = for this to be effective, mechanisms must be in place that restrict access.

Context-Based Access Control (CBAC)

= limits a user's access based not only on identity and role, but also on a person's location and time of access. = Example: Two respiratory therapists may be given the same access based on their identical roles. However, with this type of access control, their access will be further refined (and may differ) based on the units to which they are assigned and the respective shifts they work.

The HITECH Act under ARRA

= mandated improved enforcement of the Privacy Rule and Security Rule.

Policies

= may also indicate whether a FULL PROCEDURE (all data at one time) or INCREMENTAL PROCEDURE (partial data at one time) be performed and the frequency with which it should occur (such as daily or weekly).

1. Data Availability

= means data are easily obtainable

III. Ensuring the availability of data

= means making sure that the organization can depend on the information system to perform as expected, and to provide information when and where it is needed.

Data Integrity

= means that data are COMPLETE, ACCURATE, CONSISTENT, and UP-TO-DATE so it is RELIABLE. This concept is at the center of DATA GOVERNANCE. = defined by The Security and Privacy Rule as data that has not been altered or destroyed in an unauthorized manner.

Technology Neutral

= means that specific technologies are not prescribed allowing organizations to develop as their technological capabilities evolve.

Scalable

= means that the Security Rule is written so that it accommodates organizations of any size.

Manual Intrusion Detection

= might take place by examining log files, audit trails, or other evidence for signs of intrusions.

b) Group Health Plan Requirements

= must ensure their plan documents provide that the plan sponsor (an entity that provides a health plan for its employees) will reasonably and appropriately safeguard e-PHI that is created, received, maintained, or transmitted by or to plan sponsors on behalf of the health plans.

Disaster Planning

= occurs through a contingency plan = It encompasses what an organization and its personnel need to do both during and after events that limit or prevent access to facilities and patient information. = typically includes policies and procedures to help the business continue operations during an unexpected shutdown or disaster. = it also includes procedures the business can implement to restore its computer systems and resume normal operation after the disaster.

Business Associates (BA)

= perform functions or activities on behalf of or for a covered entity that involve the use or disclosure of protected health information.

7. DISASTER PLANNING AND RECOVERY

= preparing for emergencies such as natural disasters and power outages = preparing for both events that cause minimal disruption (for example, short-term power outages) and for large-scale events such as tornadoes.

Emergency mode of operations

= prescribes processes and controls to be followed until operations are fully restored.

The General Rules

= provide the objective and scope for the HIPAA Security Rule as a whole. = They specify that covered entities must develop a security program that includes a range of security safeguards to protect individually identifiable health information maintained or transmitted in electronic form.

PHYSICAL SAFEGUARDS

= refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft. = includes protection and monitoring of the WORKPLACE, COMPUTING FACILITIES, and ANY TYPE OF HARDWARE OR SUPPORTING INFORMATION SYSTEM INFRASTRUCTURE such as wiring closets, cables, and telephone and data lines.

American Recovery and Reinvestment Act (ARRA)

= responsible for the additional changes to the Privacy and Security Rules. = moved the enforcement for HIPAA security compliance from the CMS's Office of Electronic Standards and Security to the Department of Health and Human Services Office for Civil Rights (OCR).

a) Risk Analysis

= risk management begins with this, which includes identifying SECURITY THREATS. = also includes identifying VULNERABILITIES, which are weaknesses in an organization's operations of which a threat can take advantage. = includes a determination of how likely it is that any given threat may occur, and estimating the impact of a catastrophic event. = identifies how electronic protected health information (e-PHI) is created, managed, stored, and transmitted within the organization and whether vendors or consultants use or maintain e-PHI. Of increasing importance is the threat created by the ubiquitous use of mobile devices (phones, tablets, laptops, and so forth). = once threats are identified, it is important for an organization to make a LIKELIHOOD DETERMINATION and an IMPACT ANALYSIS.

2= Authentication

= second element of access control = is the act of verifying a claim of identity

Executive Level Managers

= should have a high-level understanding of the data security policies and procedures and approve security budgets.

HIM director or designee

= should sit on the information security committee to assist in determining levels of access, authorization, and audit trail reviews.

Identity theft

= stealing information from patients, their families, or other employees = can result in prosecution of those employees who obtained that information unlawfully.

Two-Factor Authentication

= strong authentication requires providing information from two of the three different types of authentication information. = an individual provides something he knows and something he has. = Examples: *use of smart cards or tokens with user identification *Disneyland guests insert their park tickets and also have their index finger scanned. = is a stronger method of protecting data access than user identification with passwords.

1= Identification

= the BASIC BUILDING BLOCK of access control = usually is performed through the username or user number. = methods must be robust so that impostors cannot successfully pose as a legitimate user and enter a system illegitimately.

DATA ENCRYPTION STANDARD (DES)

= the best-known secret key security method = published by the National Institute of Standards and Technology (NIST).

3= Authorization

= the third element of access control = is a RIGHT or PERMISSION GIVEN to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data. = it is also a set of actions that gives permission to an individual to perform specific functions such as read, write, or execute tasks.

5. SOFTWARE APPLICATION SAFEGUARDS

= these are controls CONTAINED IN APPLICATION SOFTWARE or computer programs to protect the security and integrity of information. = These application controls are important because they are automatic checks that help preserve data confidentiality and integrity.

2) "repair and report"

= this response may be instituted = this type of response may be used in the case of a virus attack

iv Organizational Requirements

= this section includes just TWO standards: 1 One addresses business associates and similar entities 2 The other addresses group health plan requirements

1. Internal Threats

= threats originate within an organization

2. External Threats

= threats that originate outside an organization

b# Cryptographic Technologies

= types of this network safeguard include: encryption, digital signatures, and digital certificates which are used to protect information in a variety of situations. This includes protecting data when they are in storage (data at rest), on portable devices such as laptops and flash drives, and while they are being transmitted across networks.

security breaches

= unauthorized data or system access, by people from both inside and outside the organization.

e-signatures

= usually means a system for signing or authenticating electronic documents by entering a unique code or password that verifies the identity of the person and creates an individual signature on a document. These do not necessarily use cryptography.

Impact Analysis

= what the impact of threats on information assets might be.

I. Protecting the privacy of data

= within the CONTEXT OF DATA SECURITY, this means DEFENDING or SAFEGUARDING access to information. This concept is at the center of INFORMATION GOVERNANCE = only those individuals who need to know information should be authorized to access it. = in the HEALTHCARE CONTEXT, the protection of data privacy generally refers to PATIENT-RELATED DATA.

To protect from natural or environmental hazards:

> Equipment should be housed in structurally sound and safe areas. > There should be smoke and fire alarms, fire suppression systems, heat sensors, and appropriate monitored heating and cooling systems in place. > Appropriate backup power sources such as uninterruptible power supply (UPS) devices or power generators should be available if a power outage occurs.

To protect workstations that are more exposed to the public:

> Locking devices can be used to prevent removal of computer equipment and other devices. > Automatic logouts can be used to prevent access by unauthorized individuals. > Documentation of the custody of devices must be addressed. One such method is maintaining a CUSTODY LOG that documents who has had custody, and what files and data were on the laptop during the custody period. > Policies and procedures should be in place that cover laptop or mobile device use. > Other security mechanisms such as Two-Factor Authentication and Full Disk Encryption should be used. > Global positioning systems (GPS) can also be installed on laptops as well as systems to remotely locate a computer to retrieve and delete data from it, should a computer be lost or stolen.

To protect from intrusion:

> There should be proper physical separation from the public. > Doors, locks, audible alarms, and cameras should be installed to protect particularly sensitive areas such as data centers. > Identification procedures should be in place; for example, the use of badges to identify employees. > Processes should be established for logging in and out of computer equipment or media. For example, if a data disk or device is being transported or removed from one location to another, there should be a sign-out and sign-in procedure to track access and removal. > Sign-in and sign-out logs should be in place to track access to sensitive areas such as data centers.

Roles and Composition of an information security committee:

@ CSO @ Executive Level Managers @ HIM director or designee @ CIO @ Information Technology System directors @ Network engineers @ Representatives from clinical departments (lab, nursing, pharmacy, radiology)

Usually, authorization is managed through special authorization software that uses various criteria to determine if an individual has authorization for access, sometimes referred to as ________ ________ ________. For example, authorization may be based on not only the individual's identity but also the individual's role (role-based) and physical location of the resource (that is, access to only certain computers), and time of day (context-based).

Access Control Matrix

Data definitions and their values are usually stored in a

Data Dictionary

b. Threats from insiders who abuse their access privileges to information

Example: * employees who knowingly disclose information about a patient to individuals who do not have proper authorization, * employees with access to computer files who purposefully snoop for information they do not need to perform their jobs, * employees who store information on a thumb or flash drive, remove it from the facility on a laptop or other storage device, and subsequently lose the device or have it stolen.

a. Threats from insiders who make unintentional errors

Example: * typographical errors, * inadvertent deletion of files on a computer disk, * unknowing disclosure of confidential information.

Three Basic Elements of an Effective Data Security Program are the following:

I. Protecting the PRIVACY of data II. Ensuring the INTEGRITY of data III. Ensuring the AVAILABILITY of data

True or False: A SECURITY PROGRAM is as much about ENSURING DATA QUALITY AND ACCURACY as it is about MAINTAINING INFORMATIONAL PRIVACY.

True

True or False: A good security program will ensure data are available seven days a week, 24 hours a day. To accomplish this effectively, organizations must have backup and downtime procedures in place.

True

True or False: A plan is as good as its implementation. It must be tested periodically to ensure that all parts of the plan---from disaster identification to backup and recovery---work as expected.

True

True or False: A well-conceived risk management program can aid prevention, detection, and mitigation of security breaches including identity theft.

True

True or False: Addressable does not mean optional.

True

True or False: Another important change per the HITECH Act was defining breach and adding breach notification requirements.

True

True or False: Backup and Recovery procedures are also a part of PHYSICAL SECURITY.

True

True or False: Backup and Recovery procedures should specifically include SERVER, DATA, and NETWORK PROCEDURES.

True

True or False: Breaches only apply to UNSECURED e-PHI, which is e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons.

True

True or False: Business Associates are now directly responsible for, and can now be held directly responsible for not complying with, the administrative, the physical, and technical safeguards of the HIPAA Security Rule.

True

True or False: Documentation of security policies and procedures must be retained for 6 YEARS from the date of its creation or the date when it last was in effect, whichever is later.

True

True or False: Effective data security requires PLANNING, TRAINING, and the IMPLEMENTATION OF REALISTIC POLICIES AND PROCEDURES that address both INTERNAL and EXTERNAL THREATS.

True

True or False: FILTERS can be used to filter both incoming and outgoing e-mail so that malware is quarantined.

True

True or False: For health information, an important part of the disaster recovery plan is ensuring the availability and accuracy of data as soon as possible after a disaster.

True

True or False: Four of the threats listed can involve an organization's employees.

True

True or False: HIPAA does require a regular review of system activity such as monitoring new user access, reviewing system access by users in general, and testing the access of recently terminated employees to assure they have, in fact, been removed from access roles.

True

True or False: HIPAA requires a business associate to report to the covered entity any security incident or breach of e-PHI of which it becomes aware.

True

True or False: Identification of an organization's information assets includes an inventory of application software, hardware, networks, and other information assets. Once information assets have been identified, their value to the organization is determined.

True

True or False: Information leaked to unauthorized individuals about providers, employees, or the organization can have as devastating an effect as information leaked about patients because it can affect an organization's reputation and lead to liability if such information was unlawfully disclosed.

True

True or False: Once the appropriate people and committees are in place, the next step is to establish a data security program.

True

True or False: The HIPAA Security Rule requires that security incidents be identified, reported to the appropriate persons, and documented.

True

True or False: The Security Rule itself does not require encryption unless the organization deems it appropriate, but the security of e-PHI transmitted over public networks or communication systems must be accomplished.

True

True or False: The first and most fundamental strategy in minimizing security threats is to ESTABLISH A SECURE ORGANIZATION that is responsible for managing all aspects of computer security. This involves appointing someone in the organization to coordinate the development of security policies and to make certain that they are followed.

True

True or False: The general practice is that employees should have access only to data they need to do their respective jobs.

True

True or False: The requirements of the HIPAA Security Rule enforce the tenet of INFORMATION GOVERNANCE, which is the protection of information and access by authorized individuals only.

True

True or False: The single most important change per HITECH Act on HIPAA's privacy and security provisions was the requirement that business associates of HIPAA-covered entities must comply with most of the same rules as covered entities.

True

True or False: UNINTENTIONAL ERROR is one of the major causes of security breaches.

True

True or False: Under the HITECH act, breach notification requirements provide for those situations when affected individuals must be notified about an information security breach affecting their protected health information (PHI).

True

True or False: With appropriate policies and procedures in place, it is the responsibility of the organization and its managers, directors, CSO, and employees with audit responsibilities to review access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures. These types of events are usually called TRIGGER EVENTS.

True

True or False: The HIPAA Privacy Rule and HIPAA Security Rules are standards that apply to every health plan, healthcare clearinghouse, and healthcare provider processing financial or administrative transactions electronically.

True

The following are some common Network Safeguards:

a# Firewalls b# Cryptographic Technologies c# Web Security Protocols d# Intrusion Detection Systems

Two standards for Organizational Requirements:

a) Business Associate or Other Contracts b) Group Health Plan Requirements

Risk Management Program can include:

a) Risk Analysis b) Incident Detection c) Incident Response Plan and Procedures

With regard to security, breach notification has implications for the protection of data in all phases:

a. Data at rest b. Data in motion c. Data in use d. Data disposed

Five General Categories of Threats Caused by People:

a. Threats from insiders who make unintentional errors b. Threats from insiders who abuse their access privileges to information c. Threats from insiders who access information or computer systems for spite or profit d. Threats from intruders who attempt to access information or steal physical resources e. Threats from vengeful employees or outsiders who mount attacks on the organization's information systems.

Security Rule standards are grouped into five categories:

i Administrative Safeguards ii Physical Safeguards iii Technical Safeguards iv Organizational Requirements v Policies and Procedures and Documentation Requirements

Maintaining data security begins with

identification of the basic elements of a data security program.

Employee Education

is one of the best defenses for protection of data and computer resources.

Covered entities must demonstrate and document that they have done the following:

o Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) that is created, received, maintained, or transmitted by the covered entity. o Protect e-PHI against any reasonably anticipated threats or hazards to the security or integrity of e-PHI. o Protect e-PHI against any reasonable or anticipated uses or disclosure that are not permitted under the HIPAA Privacy Rule. o Ensure compliance with HIPAA Security Rule by workforce members.

In determining which security measures to use, the following must be taken into account:

o Size, complexity, and capabilities of the covered entity o Technical infrastructure, hardware, and software capabilities o Security measure costs o Probability and criticality of the potential risks to e-PHI.

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

requires the user to respond to a question that is assumed could not be answered by a machine.

The 3 basic elements of an effective data security program help prevent

system or access errors from occurring

