Ch.10 data security

contingency plan

"Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster"

audit trail

(1) a chronological set of computerized records that provides evidence of information system activity (log-ins and log-outs, file accesses) used to determine security violations. (2) a record that shows who has accessed a computer system, when it was accessed, and what operations were performed

data integrity

(1) the extent to which healthcare data are complete, accurate, consistent, and timely (2) a security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally

examples of malware include:

-computer virus: a program that reproduces itself and attaches itself to legitimate programs on a computer. -computer worm: a program that copies itself and spreads throughout a network. unlike a computer virus, a computer worm does not need to attach itself to a legitimate program. It can execute and run itself. -trojan horse: a program that gains unauthorized access to a computer and masquerades as a useful function. Trojan horses may also copy and send themselves to e-mail addresses in a users computer. -spyware: a computer program that tracks an individual's activity on a computer system. cookies are a type of spyware. -backdoor programs: a computer program that bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems. -rootkit: a computer program designed to gain unauthorized access to a computer and assume control over the operating system and modify the operating system.

an effective security program should contain the following components

-employee awareness including ongoing education and training -risk management program -access safeguards -physical and administrative safeguards -software application safeguards -network safeguards -disaster planning and recovery -data quality control processes

types of network safeguards

-firewalls -cryptography -encryption -digital signatures -digital certificates -web security protocols -intrusion detection systems

what are the types of access safeguards?

-identification -authentication -passwords -smart cards and tokens -biometrics -two-factor authentication -single sign-on -authorization -

An effective data security program embodies three basic elements to help prevent system or access errors from occurring:

-protecting the privacy of data -ensuring the integrity of data -ensuring the availability of data

there are 3 different types of information that can be used for authentication

1. something you know 2.something you have 3.something you are

Security rule standards are grouped into five categories:

1.administrative safeguards 2.physical safeguards 3.technical safeguards 4.organizational requirements 5.policies and procedures and documentation requirements

one common application control is

1.authentication 2.audit trail 3.edit check

organizational requirements include two standards

1.business associate or other contracts 2.group health plan requirements

impact analysis

A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study

role-based access control (RBAC)

A control system in which access decisions are based on the roles of individual users as part of an organization

data dictionary

A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use

security program

A plan outlining the policies and procedures created to protect healthcare information

emergency mode of operations

A plan that defines the processes and controls that will be followed until the operations are fully restored

business continuity plan

A program that incorporates policies and procedures for continuing business operations during a computer system shutdown

user-based access control (UBAC)

A security mechanism used to grant users of a system access based on identity

two-factor authentication

A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other

examples of something you have

A smart card, a token or key fob.

Intrusion Detection System (IDS)

A system that performs automated intrusion detection; procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion

single sign-on

A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control

the HITECH act is a portion of the

ARRA

additional changes to the privacy and security rules were created as a result of the

American Recovery and Reinvestment Act (ARRA)

context-based access control (CBAC)

An access control system which limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information

digital certificates

An electronic document that establishes a person's online identity

digital signatures

An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender

likelihood determination

An estimate of the probability of threats occurring

incident

An occurrence in a medical facility that is inconsistent with accepted standards of care

physical safeguards

As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures;, including facility access controls, workstation use, workstation security, and device and media controls

implementation specifications

As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard

technical safeguards

As amended by HITECH, the Security Rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it

application safeguards

Controls contained in application software or computer programs to protect the security and integrity of information

decryption

Data decoded and restored back to original readable form

edit check

Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer

access safeguards

Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.

Public Key Infrastructure (PKI)

In cryptography, an asymmetric algorithm made publicly available to unlock a coded message

HIPAA security rule

Law that requires covered entities to establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information.

incident detection

Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred

examples of something you know

PIN, password or mothers maiden name.

information technology asset disposition (ITAD)

Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal

trigger events

Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures

application control

Security strategies, such as password management, included in application software and computer programs

Data backup policies and procedures may include

Server redundancy

data availability

The extent to which healthcare data are accessible whenever and wherever they are needed

data consistency

The extent to which the healthcare data are reliable and the same across applications

audit control

The mechanisms that record and examine activity in information systems

biometrics

The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system

intrusion detection

The process of identifying attempts or actions to penetrate a system and gain unauthorized access

data security

The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction

encryption

The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination

American Recovery and Reinvestment Act (ARRA)

The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases

data definition

The specific meaning of a healthcare-related data element

external threats

Threats that originate outside an organization

internal threats

Threats that originate within an organization

single key encryption

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also private key infrastructure

Private key infrastructure

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also single-key encryption

security breach

Unauthorized data or system access

risk management

a comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuring liabilities for those injuries that do occur. the processes in place to identify, evaluate and control risk, defined as the organization's risk of accidental financial liability.

access control

a computer software program designed to prevent unauthorized use of an information resource

firewall

a computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network

network controls

a method of protecting data from unauthorized change and corruption at rest and during transmission among information systems

password

a series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database.

security threat

a situation that has the potential to damage a healthcare organization's information

sniffers

a software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers

technical safeguards consist of 5 broad categories:

access controls audit controls integrity person or entity authentication transmission security

incident detection should be used to identify

accidental and malicious events

authorization

as amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508

which of the following is an example of a technical safeguard?

assigned passwords that limit access to computer-stored information

examples of something you are

biometrics

which computer program can copy and run itself without attaching itself to a legitimate program?

computer worm

data definitions and their values are usually stored in a

data dictionary

data in use

data in the process of being created, retrieved, updated or deleted

data in motion

data moving through a network or wireless transmission

data at rest

data that is contained in data bases, file systems or flash drives

data disposed

discarded paper records or recycled electronic media

HIPAA policies and procedures for documentation requirements

documentation must be retained for 6 years from the date of its creation or the date when it was in effect, whichever is later.

administrative safeguards

documented, formal practices to manage data security measures throughout the organization; Details how the security program should be managed from the organizations perspective. (User limitations, screen savers, timing out of terminals)

the HIPAA security rule requires that security incidents be identified, reported to the appropriate persons and

documented.

Unsecured electronic protected health information (e-PHI)

e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons

which of the following is a software application safeguard?

edit check

physical safeguards consist of the following:

facility access controls workstation use workstation security device and media controls

a firewall is

filters information between networks

which of the following provides the objective and scope for the HIPAA security rule as a whole?

general rules

if an implementation specification is addressable

if not implemented, the organization must document why it is not reasonable and appropriate to do so

data privacy is the concept that is at the center of

information governance

HIPAA of 1996 includes provisions for

insurance reform and administrative simplification

physical safeguards

must include the protection of electronic systems from natural and environmental hazards and intrusion.

according to the ARRA revisions

potential business associate liability was increased under HIPAA

included in the administrative simplification provisions was a requirement for setting standards to

protect health information

Chief Security Officer (CSO)

responsible for ensuring the security of business systems and developing strategies and safeguards against attacks by hackers and viruses

risk management begins with

risk analysis

the administrative safeguards include the following standards that must be implemented by covered entities:

security management process assigned security responsibility workforce security information access management security awareness and training security incident procedures contingency plan evaluation business associate contracts

the department of health and human services established the HIPAA privacy rule and the HIPAA

security rule

malware

software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives.

cryptography

the art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again.

disaster recovery plan

the document that defines the resources, actions, tasks, and data required to manage the business recovery process in the event of business interuption

security

the means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction or loss.

risk analysis

the process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority

authentication

the process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature.

external threats can be caused by which of the following?

tornadoes

HIPAA allows a covered entity to adopt security protection measures that are appropriate and reasonable for its organization.

true

data availability, consistency, and definition are three data quality dimensions that are often addressed using computer tools

true

humans are the greatest threat to electronic health information

true

the role based access control (RBAC) is the one used most often in health care organizations

true

Strong authentication requires providing information from two of the three different types of authentication information:

two factor authentication

administrative safegaurds

under HIPAA, are administrative actions and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

The institute of medicine (IOM) reports that correct medication administration increases when hospitals

use well-designed, robust computerized drug ordering systems and barcodes, but poorly designed systems can create hazards.

responses to an incident include

workforce notification, preserving evidence, mitigating harmful effects caused by the breach and evaluating the incident as a part of the organization's risk management process.