Ch.10 data security
contingency plan
"Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster"
audit trail
(1) a chronological set of computerized records that provides evidence of information system activity (log-ins and log-outs, file accesses) used to determine security violations. (2) a record that shows who has accessed a computer system, when it was accessed, and what operations were performed
data integrity
(1) the extent to which healthcare data are complete, accurate, consistent, and timely (2) a security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally
examples of malware include:
- computer virus: a program that reproduces itself and attaches itself to legitimate programs on a computer. - computer worm: a program that copies itself and spreads throughout a network. Unlike a computer virus, a computer worm does not need to attach itself to a legitimate program; it can execute and run itself. - trojan horse: a program that gains unauthorized access to a computer and masquerades as a useful function. Trojan horses may also copy and send themselves to e-mail addresses in a user's computer. - spyware: a computer program that tracks an individual's activity on a computer system. Cookies are a type of spyware. - backdoor programs: a computer program that bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems. - rootkit: a computer program designed to gain unauthorized access to a computer, assume control over the operating system, and modify the operating system.
an effective security program should contain the following components
- employee awareness, including ongoing education and training - risk management program - access safeguards - physical and administrative safeguards - software application safeguards - network safeguards - disaster planning and recovery - data quality control processes
types of network safeguards
- firewalls - cryptography - encryption - digital signatures - digital certificates - web security protocols - intrusion detection systems
what are the types of access safeguards?
- identification - authentication - passwords - smart cards and tokens - biometrics - two-factor authentication - single sign-on - authorization
An effective data security program embodies three basic elements to help prevent system or access errors from occurring:
- protecting the privacy of data - ensuring the integrity of data - ensuring the availability of data
there are 3 different types of information that can be used for authentication
1. something you know 2. something you have 3. something you are
Security rule standards are grouped into five categories:
1. administrative safeguards 2. physical safeguards 3. technical safeguards 4. organizational requirements 5. policies and procedures and documentation requirements
one common application control is
1. authentication 2. audit trail 3. edit check
organizational requirements include two standards
1. business associate or other contracts 2. group health plan requirements
impact analysis
A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study
role-based access control (RBAC)
A control system in which access decisions are based on the roles of individual users as part of an organization
data dictionary
A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use
security program
A plan outlining the policies and procedures created to protect healthcare information
emergency mode of operations
A plan that defines the processes and controls that will be followed until the operations are fully restored
business continuity plan
A program that incorporates policies and procedures for continuing business operations during a computer system shutdown
user-based access control (UBAC)
A security mechanism used to grant users of a system access based on identity
two-factor authentication
A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other
examples of something you have
A smart card, a token or key fob.
Intrusion Detection System (IDS)
A system that performs automated intrusion detection; procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion
single sign-on
A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control
the HITECH act is a portion of the
ARRA
additional changes to the privacy and security rules were created as a result of the
American Recovery and Reinvestment Act (ARRA)
context-based access control (CBAC)
An access control system which limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information
digital certificates
An electronic document that establishes a person's online identity
digital signatures
An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender
likelihood determination
An estimate of the probability of threats occurring
incident
An occurrence in a medical facility that is inconsistent with accepted standards of care
physical safeguards
As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures, including facility access controls, workstation use, workstation security, and device and media controls
implementation specifications
As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard
technical safeguards
As amended by HITECH, the Security Rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it
application safeguards
Controls contained in application software or computer programs to protect the security and integrity of information
decryption
Data decoded and restored back to original readable form
edit check
Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer
access safeguards
Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.
Public Key Infrastructure (PKI)
In cryptography, an asymmetric algorithm made publicly available to unlock a coded message
HIPAA security rule
Law that requires covered entities to establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information.
incident detection
Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred
examples of something you know
PIN, password, or mother's maiden name.
information technology asset disposition (ITAD)
Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal
trigger events
Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures
application control
Security strategies, such as password management, included in application software and computer programs
Data backup policies and procedures may include
Server redundancy
data availability
The extent to which healthcare data are accessible whenever and wherever they are needed
data consistency
The extent to which the healthcare data are reliable and the same across applications
audit control
The mechanisms that record and examine activity in information systems
biometrics
The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system
intrusion detection
The process of identifying attempts or actions to penetrate a system and gain unauthorized access
data security
The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction
encryption
The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination
American Recovery and Reinvestment Act (ARRA)
The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reductions in essential services and counterproductive state and local tax increases
data definition
The specific meaning of a healthcare-related data element
external threats
Threats that originate outside an organization
internal threats
Threats that originate within an organization
single key encryption
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also private key infrastructure
Private key infrastructure
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated; see also single-key encryption
security breach
Unauthorized data or system access
risk management
a comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur; the processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability.
access control
a computer software program designed to prevent unauthorized use of an information resource
firewall
a computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network
network controls
a method of protecting data from unauthorized change and corruption at rest and during transmission among information systems
password
a series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database.
security threat
a situation that has the potential to damage a healthcare organization's information
sniffers
a software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers
technical safeguards consist of 5 broad categories:
access controls, audit controls, integrity, person or entity authentication, transmission security
incident detection should be used to identify
accidental and malicious events
authorization
as amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508
which of the following is an example of a technical safeguard?
assigned passwords that limit access to computer-stored information
examples of something you are
biometrics
which computer program can copy and run itself without attaching itself to a legitimate program?
computer worm
data definitions and their values are usually stored in a
data dictionary
data in use
data in the process of being created, retrieved, updated or deleted
data in motion
data moving through a network or wireless transmission
data at rest
data that is contained in databases, file systems, or flash drives
data disposed
discarded paper records or recycled electronic media
HIPAA policies and procedures for documentation requirements
documentation must be retained for 6 years from the date of its creation or the date when it was in effect, whichever is later.
administrative safeguards
documented, formal practices to manage data security measures throughout the organization; details how the security program should be managed from the organization's perspective (user limitations, screen savers, timing out of terminals)
the HIPAA security rule requires that security incidents be identified, reported to the appropriate persons and
documented.
Unsecured electronic protected health information (e-PHI)
e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons
which of the following is a software application safeguard?
edit check
physical safeguards consist of the following:
facility access controls, workstation use, workstation security, device and media controls
a firewall is
filters information between networks
which of the following provides the objective and scope for the HIPAA security rule as a whole?
general rules
if an implementation specification is addressable
if not implemented, the organization must document why it is not reasonable and appropriate to do so
data privacy is the concept that is at the center of
information governance
HIPAA of 1996 includes provisions for
insurance reform and administrative simplification
physical safeguards
must include the protection of electronic systems from natural and environmental hazards and intrusion.
according to the ARRA revisions
potential business associate liability was increased under HIPAA
included in the administrative simplification provisions was a requirement for setting standards to
protect health information
Chief Security Officer (CSO)
responsible for ensuring the security of business systems and developing strategies and safeguards against attacks by hackers and viruses
risk management begins with
risk analysis
the administrative safeguards include the following standards that must be implemented by covered entities:
security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, business associate contracts
the department of health and human services established the HIPAA privacy rule and the HIPAA
security rule
malware
software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives.
cryptography
the art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again.
disaster recovery plan
the document that defines the resources, actions, tasks, and data required to manage the business recovery process in the event of business interruption
security
the means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction or loss.
risk analysis
the process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority
authentication
the process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature.
external threats can be caused by which of the following?
tornadoes
HIPAA allows a covered entity to adopt security protection measures that are appropriate and reasonable for its organization.
true
data availability, consistency, and definition are three data quality dimensions that are often addressed using computer tools
true
humans are the greatest threat to electronic health information
true
the role based access control (RBAC) is the one used most often in health care organizations
true
Strong authentication requires providing information from two of the three different types of authentication information:
two factor authentication
administrative safeguards
under HIPAA, administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
The Institute of Medicine (IOM) reports that correct medication administration increases when hospitals
use well-designed, robust computerized drug ordering systems and barcodes, but poorly designed systems can create hazards.
responses to an incident include
workforce notification, preserving evidence, mitigating harmful effects caused by the breach and evaluating the incident as a part of the organization's risk management process.