HIMT 1301 Chapter 10


Unsecured electronic protected health information (ePHI)

ePHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons

Impact analysis

1. A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study. 2. An estimate of the impact of threats on information assets

Audit trail

1. A chronological set of computerized records that provides evidence of information system activity (log-ins and log-outs, file access) used to determine security violations 2. A record that shows who has accessed a computer system, when it was accessed, and what operations were performed

Access control

1. A computer software program designed to prevent unauthorized use of an information resource 2. As amended by HITECH, a technical safeguard that requires that a covered entity must, in accordance with 164.306(a)(1), implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) (45 CFR 164.312 2003)

Authorization

1. As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508 2. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with the authorization (45 CFR 164.508) 3. A right or permission given to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data. It is also a set of actions that gives permission to an individual to perform specific functions such as read, write, or execute tasks

Contingency plan

1. Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster 2. A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI)

Data integrity

1. The extent to which healthcare data are complete, accurate, consistent, and timely 2. A security principle that keeps information from being modified or otherwise corrupted, either maliciously or accidentally

Authentication

1. The process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature 2. Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source 3. As amended by HITECH, means the corroboration that a person is the one claimed 4. Affirms a health record's legitimacy through testimony or written validation that it is indeed the record of the subject individual and the information in it is valid

Network controls

A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems

Emergency mode of operations

A plan that defines the processes and controls that will be followed until the operations are fully restored

Trojan horse

A program that gains unauthorized access to a computer and masquerades as a useful function

Business continuity plan (BCP)

A program that incorporates policies and procedures for continuing business operations during a computer system shutdown

Computer virus

A program that reproduces itself and attaches itself to legitimate programs on a computer that can change or corrupt data

Smart card

A small plastic card with an embedded microchip that can store multiple identification factors for a specific user

Sniffers

A software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers

Intrusion detection system (IDS)

A system that performs automated intrusion detection. Procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion

Computer worm

A type of malware that copies itself and spreads throughout a network. Unlike a computer virus, a computer worm does not need to attach itself to a legitimate program. It can execute and run itself

Context-based access control (CBAC)

An access control system that limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information

Digital certificates

An electronic document that establishes a person's online identity

Digital signatures

An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender

Physical safeguards

As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures

Technical safeguards

As amended by HITECH, the security rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it

Information technology

Computer technology (hardware and software) combined with telecommunications technology (data, image, and voice networks)

Decryption

Data decoded and restored back to original readable form

Baiting

Hackers leave an infected USB or flash drive in a public area in the hope that someone will come by, pick it up, and use it out of curiosity

Electronic protected health information (ePHI)

Health information that is stored digitally and is subject to HIPAA

Edit check

Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer

Access safeguards

Identification of which employees should have access to what data. The general practice is that employees should have access only to data they need to do their jobs

Public key infrastructure (PKI)

In cryptography, an asymmetric algorithm made publicly available to unlock a coded message

Incident detection

Methods used to identify both accidental and malicious events. Detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred

Information Technology Asset Disposition (ITAD)

Policy that identifies how all data storage devices are destroyed and purged of data prior to re-purposing or disposal

Trigger events

Review of access logs, audit trails, failed log-ins, and other reports generated to monitor compliance with the policies and procedures

Malware

Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives

Data loss prevention

Strategies that are used to limit sensitive data being moved or transferred outside of the healthcare organization

Disaster recovery plan

The document that defines the resources, actions, tasks, and data required to manage the business's recovery process in the event of a business interruption

Data availability

The extent to which healthcare data are accessible whenever and wherever they are needed

Data consistency

The extent to which the healthcare data are reliable and the same across applications

Chief security officer (CSO)

The individual who is responsible for the security program of a healthcare organization

Social engineering

The manipulation of individuals (or targets) to freely disclose personal information or account credentials to hackers

Biometrics

The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system

Intrusion detection

The process of identifying attempts or action to penetrate a system and gain unauthorized access

Data security

The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction

Encryption

The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination

Data definition

The specific meaning of a healthcare-related data element

External threats

Threats that originate outside an organization

Internal threats

Threats that originate within an organization

Automatic logout

Timed log-outs of information systems that reduce the chances that one's account will be used by someone else; can be used to prevent access by unauthorized individuals

Private key infrastructure

Two or more computers share the same secret key, and that key is used to both encrypt and decrypt a message; however, the key must be kept secret, and if it is compromised in any way, the security of the data is likely to be eliminated. See also single-key encryption

Single-key encryption

Two or more computers share the same secret key, and that key is used to both encrypt and decrypt a message; however, the key must be kept secret, and if it is compromised in any way, the security of the data is likely to be eliminated. See also private key infrastructure

Administrative safeguards

Under HIPAA, administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information (45 CFR 164.304 2013)

Backdoor program

A computer program that bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems

Risk management

A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risks, defined as the organization's risk of accidental financial liability

Spyware

A computer program that tracks an individual's activity on a computer system

Firewall

A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network

Role-based access control (RBAC)

A control system in which access decisions are based on the roles of individual users as part of an organization

Rootkit

A computer program designed to gain unauthorized access to a computer and assume control of and modify the operating system

Security

1. The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss 2. The physical protection of facilities and equipment from theft, damage, or unauthorized access

User-based access control (UBAC)

A security mechanism used to grant users of a system access based on identity

Password

A series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database

Two-factor authentication

A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other

Token

A small electronic device programmed to generate and display new passwords at certain intervals

Tailgating

A social engineering technique that allows a hacker, imposter, or other unauthorized individual to use an authorized individual's access privileges to gain access to a restricted physical area

Spear phishing

A type of phishing where the hacker researches the individual being targeted

Single sign-on

A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control

Likelihood determination

An estimate of the probability of threats occurring

Incident

An occurrence in a medical facility that is inconsistent with accepted standards of care

Implementation specifications

As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard

Application safeguards

Controls contained in application software or computer programs to protect the security and integrity of information

Ransomware

Malicious software that hackers employ to block access to a computer system or to particular computer files

Application control

Security strategies, such as password management, included in application software and computer programs

Cryptography

1. The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again 2. In information security, the study of encryption and decryption techniques

HIPAA Security Rule

The federal regulations created to implement the security requirements of HIPAA

Audit control

The mechanisms that record and examine activity in information systems

collectively

The policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems

Risk analysis

The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority

Forensics

The process of identifying, analyzing, recovering, and preserving data within an electronic environment

Phishing

A type of social engineering that uses e-mail to try to obtain passwords and other personal information from individuals

Security breach

Unauthorized data or system access

includes facility access controls, workstation use, workstation security, and device and media controls
