Intro. Health Information Management: Chapter 10
Audit trail
1. A chronological set of computerized records that provides evidence of information system activity (log-ins and log-outs, file accesses) used to determine security violations. 2. A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.
Contingency plan
1. Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster. 2. A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI).
Cryptography
1. The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again. 2. In information security, the study of encryption and decryption techniques.
Impact analysis
A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study.
Risk management
A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability.
Rootkit
A computer program designed to gain unauthorized access to a computer, assume control over the operating system, and modify the operating system.
Spyware
A computer program that tracks an individual's activity on a computer system. These programs can store authentication information such as an individual's password.
Role-based access control (RBAC)
A control system in which access decisions are based on the roles of individual users as part of an organization; the one used most often in healthcare organizations.
Data dictionary
A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use.
Network controls
A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems.
Emergency mode of operations
A plan that defines the processes and controls that will be followed until the operations are fully restored.
Computer worm
A program that copies itself and spreads throughout a network - executes and runs itself.
Trojan horse
A program that gains unauthorized access to a computer and masquerades as a useful function; is capable of compromising data by copying confidential files to unprotected areas of the computer system; may also copy and send itself to email addresses in a user's computer.
Business continuity plan
A program that incorporates policies and procedures for continuing business operations during a computer system shutdown.
Computer virus
A program that reproduces itself and attaches itself to legitimate programs on a computer.
Authorization
A right or permission given to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data.
User-based access control (UBAC)
A security mechanism used to grant users of a system access based on identity.
Security threats
A situation that has the potential to damage a healthcare organization's information system.
Sniffers
A software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning device against crackers.
Two-factor authentication
A stronger method of protecting data access than user identification with passwords.
Intrusion Detection System (IDS)
A system that performs automated intrusion detection; procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion.
Cookies
A type of spyware
Single sign-on
Allows a user to log in one time and be able to access many systems. This prevents the user from having to log in again for each of them.
Context-based access control (CBAC)
An access control system that limits users to accessing information not only in accordance with their identity and role, but also according to the location and time in which they are accessing the information.
Chief Security Officer (CSO)
An appointed individual in an organization who coordinates the development of security policies and makes certain that they are followed.
-Protecting the privacy of data -Ensuring the integrity of data -Ensuring the availability of data
An effective data security program embodies three basic elements to help prevent system or access errors from occurring:
-employee awareness including ongoing education and training -risk management program -access safeguards -physical and administrative safeguards -software application safeguards -network safeguards -disaster planning and recovery -data quality control processes
An effective security program should contain the following components:
Digital certificate
An electronic document that establishes a person's online identity.
Digital signature
An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender.
Likelihood determination
An estimate of the probability of threats occurring
Incident
An occurrence or an event
Physical safeguards
As amended by HITECH, Security Rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures, including facility access controls, workstation use, workstation security, and device and media controls.
Implementation specifications
As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard.
Technical safeguards
As amended by HITECH, the Security Rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Identification
Basic building block of access control; usually performed through the username or user number.
People or by environmental and hardware or software factors
Both internal and external threats can be caused by ___ or by ___.
Unsecured e-PHI
Breaches only apply to ___, which is e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons.
Backdoor programs
Computer program that bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems.
Access control
Computer software program designed to prevent unauthorized use of an informational resource.
Application safeguards
Controls contained in application software or computer programs to protect the security and integrity of information.
Data at rest
Data contained in databases, file systems, or flash drives
Decryption
Data decoded and restored back to original readable form.
Data in use
Data in the process of being created, retrieved, updated, or deleted
Data disposed
Discarded paper records or recycled electronic media. It is critical to use appropriate data destruction methods to ensure disposed data cannot be read, retrieved, or reconstructed in any way.
Six years
Documentation must be retained for ___ from the date of its creation or the date when it last was in effect, whichever is later.
Identification, authentication, authorization
Elements of access control:
Computer virus, computer worm, Trojan horse, spyware, backdoor programs, and rootkit
Examples of malware include:
Smart cards and tokens
Examples of something you have
Passwords
Examples of something you know include such things as a personal identification number; frequently used in conjunction with username.
Edit check
Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer.
Access safeguards
Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.
Public Key Infrastructure (PKI)
In cryptography, an asymmetric algorithm made publicly available to unlock a coded message.
Internet or browsing a website
Malware usually gains access to computers via the ___ as attachments in emails or through ___ that installs the software after the user clicks on a pop-up window.
Chief Information Officer (CIO), information technology system directors, network engineers, and representatives from clinical departments
Management positions involved in the information security committee are:
Data backup procedures
May involve server redundancy or duplexing (duplicate information on one or more servers) and sending data to off-site contracted vendors or data warehouses for safe and secure storage and access.
Incident detection
Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred.
Employee within an organization
More often, security breaches occur when an ___ either accesses information without authorization or deliberately alters or destroys information.
Information Technology Asset Disposition (ITAD)
Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal.
"Watch and warn"
Response that includes monitoring and notification of an incident but takes no immediate action.
"Pursue and prosecute"
Response that would include the monitoring of an attack, the minimization of the attack, the collection of evidence, and the involvement of a law enforcement agent.
Trigger events
Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures.
Application controls
Security strategies, such as password management, included in application software and computer programs.
Malware
Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives; known as malicious software.
Biometrics
Something you are; includes palm prints, fingerprints, voice prints, and retinal (eye) scans.
HIPAA Security Rule
Specifies that covered entities must develop a security program that includes a range of security safeguards to protect individually identifiable health information maintained or transmitted in electronic form.
Authentication
The act of verifying a claim of identity; there are three types of information that can be used: something you know, something you have, or something you are.
Identifying the minimum allowable time for system disruption, identifying alternatives for system continuation, evaluating the cost and feasibility of each alternative, developing procedures required for activating the plan
The contingency plan is developed based on the following steps:
Disaster recovery plan
The document that defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption.
Data availability
The extent to which healthcare data are accessible whenever and wherever they are needed.
Data integrity
The extent to which healthcare data are complete, accurate, consistent, and timely; for example, an error made while recording a prescribed drug dosage could cause the wrong amount of medication to be given to a patient, potentially resulting in significant injury or even death.
Data consistency
The extent to which the healthcare data are reliable and the same across applications.
Intrusion detection
The process of identifying attempts or actions to penetrate a system and gain unauthorized access.
Data security
The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction.
Encryption
The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination.
Most of the same rules as covered entities
The single most important change was the requirement that business associates of HIPAA-covered entities must comply with ___.
Data definition
The specific meaning of a healthcare-related data element.
"Repair and report"
This type of response may be used in the case of a virus attack
External threats
Threats that originate outside an organization
Internal threats
Threats that originate within an organization
-threats from insiders who make unintentional errors -threats from insiders who abuse their access privileges to information -threats from insiders who access information or computer systems for spite or profit -threats from intruders who attempt to access information or steal physical resources -threats from vengeful employees or outsiders who mount attacks on the organization's information systems
Threats to data security from people can be classified into five general categories:
Private key infrastructure or single-key encryption
Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated.
Security breach
Unauthorized data or system access
Administrative safeguards
Under HIPAA, administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
Humans
___ are the greatest threat to electronic health information.
Firewall
A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network.
Data in motion
Data moving through a network or wireless transmission
Risk analysis
The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority.