HIMT 1301 Chapter 10
Unsecured electronic protected health information (ePHI)
ePHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons
Impact analysis
1. A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study. 2. An estimate of the impact of threats on information assets
Audit trail
1. a chronological set of computerized records that provides evidence of information system activity (log-ins and log-outs, file access) used to determine security violations 2. A record that shows who has accessed a computer system, when it was accessed, and what operations were performed
Access control
1. a computer software program designed to prevent unauthorized use of an information resource 2. As amended by HITECH, a technical safeguard that requires a covered entity, in accordance with 164.306(a)(1), to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) (45 CFR 164.312 2003)
Authorization
1. as amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section (164.508) 2. when a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization (45 CFR 164.508) 3. A right or permission given to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data. It is also a set of actions that gives permission to an individual to perform specific functions such as read, write, or execute tasks
Contingency plan
1. documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster 2. A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI)
Data integrity
1. the extent to which healthcare data are complete, accurate, consistent, and timely 2. A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally
Authentication
1. the process of identifying the source of health record entries by attaching a handwritten signature, the author's initials or an electronic signature 2. Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source. 3. As amended by HITECH, means the corroboration that a person is the one claimed. 4. Affirms a health record's legitimacy through testimony or written validation that it is indeed the record of the subject individual and the information in it is valid
Network controls
A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems
Emergency mode of operations
A plan that defines the processes and controls that will be followed until the operations are fully restored
Trojan horse
A program that gains unauthorized access to a computer and masquerades as a useful function
Business continuity plan (BCP)
A program that incorporates policies and procedures for continuing business operations during a computer system shutdown
Computer virus
A program that reproduces itself and attaches itself to legitimate programs on a computer that can change or corrupt data
Smart card
A small plastic card with an embedded microchip that can store multiple identification factors for a specific user
Sniffers
A software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers
Intrusion detection system (IDS)
A system that performs automated intrusion detection. Procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion
Computer worm
A type of malware that copies itself and spreads throughout a network. Unlike a computer virus, a computer worm does not need to attach itself to a legitimate program. It can execute and run itself
Context-based access control (CBAC)
An access control system that limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information
Digital certificates
An electronic document that establishes a person's online identity
Digital signatures
An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender
Physical safeguards
As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures
Technical safeguards
As amended by HITECH, the security rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it
Information technology
Computer technology (hardware and software) combined with telecommunications technology (data, image, and voice works)
Decryption
Data decoded and restored back to original readable form
Baiting
Hackers leave an infected USB or flash drive in a public area in hope that someone will come by, pick it up, and use it out of curiosity
Electronic protected health information (ePHI)
Health information that is stored digitally and is subject to HIPAA
Edit check
Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer
Access safeguards
Identification of which employees should have access to what data. The general practice is that employees should have access only to data they need to do their jobs
Public key infrastructure (PKI)
In Cryptography, an asymmetric algorithm made publicly available to unlock a coded message
Incident detection
Methods used to identify both accidental and malicious events. Detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred
Information Technology Asset Disposition (ITAD)
Policy that identifies how all data storage devices are destroyed and purged of data prior to re-purposing or disposal
Trigger events
Review of access logs, audit trails, failed log-ins, and other reports generated to monitor compliance with the policies and procedures
Malware
Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives
Data loss prevention
Strategies that are used to limit sensitive data being moved or transferred outside of the healthcare organization
Disaster recovery plan
The document that defines the resources, actions, tasks, and data required to manage the business recovery process in the event of a business interruption
Data availability
The extent to which healthcare data are accessible whenever and wherever they are needed
Data consistency
The extent to which the healthcare data are reliable and the same across applications
Chief security officer (CSO)
The individual who is responsible for the security program of a healthcare organization
Social engineering
The manipulation of individuals (or targets) to freely disclose personal information or account credentials to hackers
Biometrics
The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system
Intrusion detection
The process of identifying attempts or actions to penetrate a system and gain unauthorized access
Data security
The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction
Encryption
The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination
Data definition
The specific meaning of a healthcare-related data element
External threats
Threats that originate outside an organization
Internal threats
Threats that originate within an organization
Automatic logout
Timed log-outs of information systems that reduce the chances that one's account will be used by someone else; can be used to prevent access by unauthorized individuals
Private key infrastructure
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated. See also single-key encryption
Single-key encryption
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated. See also private key infrastructure
Administrative safeguards
Under HIPAA, administrative actions and policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information (45 CFR 164.304 2013)
Backdoor program
a backdoor program is a computer program that bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems
Risk management
a comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur. The processes in place to identify, evaluate and control risks, defined as the organization's risk of accidental financial liability
Spyware
a computer program that tracks an individual's activity on a computer system
Firewall
a computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network
Role-based access control (RBAC)
a control system in which access decisions are based on the roles of individual users as part of an organization
Rootkit
A computer program designed to gain unauthorized access to a computer and assume control of and modify the operating system
Security
1. the means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss. 2. The physical protection of facilities and equipment from theft, damage, or unauthorized access
User-based access control (UBAC)
a security mechanism used to grant users of a system access based on identity
Password
a series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database
Two-factor authentication
a signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other
Token
a small electronic device programmed to generate and display new passwords at certain intervals
Tailgating
a social engineering technique that allows a hacker, imposter, or other unauthorized individual to use an authorized individual's access privileges to gain access to a restricted physical area
Spear phishing
a type of phishing where the hacker researches the individual being targeted
Single sign-on
a type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control
Likelihood determination
an estimate of the probability of threats occurring
Incident
an occurrence in a medical facility that is inconsistent with accepted standards of care
Implementation specifications
as amended by HITECH, specific requirements or instructions for implementing a privacy or security standard
Application safeguards
controls contained in application software or computer programs to protect the security and integrity of information
Ransomware
malicious software that hackers employ to block access to a computer system or particular computer files
Application control
security strategies, such as password management, included in application software and computer programs
Cryptography
1. the art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again 2. In information security, the study of encryption and decryption techniques
HIPAA Security Rule
the federal regulations created to implement the security requirements of HIPAA
Audit control
the mechanisms that record and examine activity in information systems
collectively
the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems
Risk analysis
the process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority
Forensics
the process of identifying, analyzing, recovering, and preserving data within an electronic environment
Phishing
type of social engineering that uses e-mail to try and obtain passwords and other personal information from individuals
Security breach
unauthorized data or system access
includes facility access controls
workstation use, workstation security, and device and media controls