Chapter 10

Contingency plan, Disaster recovery plan

A _____________, a set of procedures to follow when responding to emergencies, and its component _____________ will guide an organization through any undesirable non-routine events.

Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)

A ______________________________ requires the user to respond to a question that is assumed that could not be answered by a computer.

Risk management

A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuring liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability.

Role-based access control (RBAC)

A control system in which access decisions are based on the roles of individual users as part of an organization.

Data dictionary

A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use

Filters information between networks

A firewall: A.Is an administrative safeguard B.Filters information between networks C.Only limits incoming information D.Only limits outgoing information

Patient, employee, and organizational information

A healthcare organization's data privacy efforts should encompass A.Patient information only B.Employee information only C.Patient and organizational information only D.Patient, employee, and organizational information

Network controls

A method of protecting data from unauthorized change and corruption at rest and during transmission among information systems

Security program

A plan outlining the policies and procedures created to protect healthcare information.

Authorization

A right or permission giving to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data. A set of actions that gives permission to an individual to perform specific functions such as read, write, or execute tasks.

User-based access control (UBAC)

A security mechanism used to grant users of a system access based on identity.

Password

A series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database

Two-factor authentication

A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other.

Security threat

A situation that has the potential to damage a healthcare organization's information system.

Intrusion detection system (IDS)

A system that performs automated intrusion detection; procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion.

Access control

A technical safeguard that requires a covered entity must implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Single sign-on

A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control

Access control

An HIM professional using her password can access and change data in the hospital's master patient index. A patient accounting representative, using his password, cannot perform the same function. Limiting the class of information and functions that can be performed by these two employees is managed by which of the following? A. Network controls B. Audit trails C. Administrative controls D. Access controls

Context-based access control (CBAC)

An access control system which limits users to accessing information not only in accordance with their information not only in accordance with their identity and role, but to the location and time in which they are accessing the information.

Availability

An effective data security program embodies three basic elements. Which of the following is one of the elements discussed in this chapter? A. State-of-the-art hardware B. Quick retrieval C. Availability D. Anti-virus software

Incident

An occurrence in a medical facility that is inconsistent with accepted standards of care

Data availability

Can depend on systems to perform as expected, without error, and to provide information when and where needed.

-Authentication -Edit checks -Audit trails

Common application safeguard methods:

Server redundancy

Data backup policies and procedures may include: A.Server redundancy B.Ensuring all data is maintained on-site C.Maintaining one copy of all data D.Avoiding the use of power generators

Decryption

Data decoded and restored back to original readable form

Access safeguards

Establishing _____________________ is a fundamental security strategy. It means being able to identify which employees should have access to which data.

Biometrics

Examples of "something you are"

Smart card or token

Examples of "something you have"

Password or PIN

Examples of "something you know"

-Password or PIN -Smart card or token -Biometrics -Two-factor authentication -Single Sign-on

Examples of authentication

Tornadoes

External security threats can be caused by which of the following? A. Employees who steal data during work time B. A facility's water pipes bursting C. Tornadoes D. The failure of a facility's software

Access safeguards

Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.

Public key infrastructure (PKI)

In cryptography, an asymmetric algorithm made publicly available to unlock a coded message. This method uses both a public and a private key, which form a key pair. The sending computer uses a key to encrypt the data and it gives a key to the recipient computer to decrypt the data.

Assisting in workforce data access clearances

In what way might an organization's human resources department be involved in information security? A. Processing weekly payroll B. Assisting in workforce data access clearances C. Writing job descriptions D. Installing systems for employees to clock in

Malware

Intentional software intrusions are also known as which of the following? A. Hackers B. Criminals C. Internal threats D. Malware

Incident detection

Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred.

Include mandatory scheduled password changes

Password policies should do which of the following? A.Include mandatory scheduled password changes B.Permit password sharing only between good friends C.Require that passwords consist of numbers only D.Require that passwords be changed every 30 days

Information Technology Asset Disposition (ITAD)

Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal

-People -Environmental and hardware or software factors

Potential threats to data security are caused by two main sources:

Trigger events

Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures

Application control

Security strategies, such as password management, included in application software and computer programs

Implementation specifications

Specific requirements or instructions for implementing a privacy or security standard

Verification

Systems may require _______ that a human, not a computer, is accessing a website or storage portal.

-Protecting the privacy of data -Ensuring the integrity of data -Ensuring the availability of data

The 3 data security concepts:

-Flexible -Scalable -Technology neutral

The HIPAA Security Rule is:

Contingency plan

The __________________ is based on information gathered during risk assessment and analysis

Security Rule, risk analysis

The __________________ requires an organization to implement security measures that are sufficient to reduce risk and vulnerabilities. Risk management begins with ___________________.

Identification

The basic building block of access control is ________________.

Employees

The categories of security threats by people demonstrate an organization's greatest potential liability group consists of: A. Patients B. Visistors C. Employees D. Hackers outside the organization

Data availability

The extent to which healthcare data are accessible whenever and wherever they are needed.

Chief Security Officer (CSO), Information security committee

The first strategy in minimizing security threats is to establish a secure organization. This involves hiring a ______________________ and appointing an advisory or policy-making group such as an ________________.

-watch and warn -repair and report -pursue and prosecute

The incident response plan:

Security

The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss.

Biometrics

The physical characteristics of users (such as Palm prints, fingerprints, voice prints, and retinal scans) that systems store and use to authenticate identity before allowing the user access to a system.

Security

The physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems.

Risk analysis

The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority.

Data security

The process of keeping data, both in transit and at rest, sage from unauthorized access, alteration, or destruction.

Internal, External

Threats can be ______ or ___________.

Annually

Training programs on data security should be conducted at least: A. Semi-annually B. Annually C. Every two years D. Quarterly

Private key infrastructure

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated

Computer worm

Which computer program can copy and run itself without attaching itself to a legitimate program? A.Computer worm B.Backdoor program C.Trojan horse D.Spyware

Edit check

Which of the following is a software application safeguard? A.Firewall B.Impact analysis C.Edit check D.Contingency plan

People

Which of the following is a threat to data security? A. Cryptographic technologies B. People C. Intrusion detection systems D. Access controls

Writing a policy regarding automatic computer logoffs

Which of the following is an example of an administrative safeguard? A. Placing heat sensors near computer equipment B. Writing a policy regarding automatic computer logoffs C. Locking data center doors D. Placing computer monitors to face away from public areas

Risk analysis

Which of the following is the identification of an organization's security threats and vulnerabilities? A. Risk analysis B. Likelihood determination C. Impact analysis D. Authentication

Encryption

Which of the following is the process that encodes material, converting it to scrambled data that must be decoded? A. An audit trail B. Encryption C. A password D. A physical safeguard

Two-factor authentication

Which of the following is the strongest type of authentication? A. Single-factor B. Biometric C. Two-factor authentication D. Smart card

They originate within an organization

Which of the following is true of internal security threats? A.They are caused by people B.They are caused by disgruntled employees C.They originate within an organization D.They are natural disasters

Integrity

Which term is defined as data that is complete, accurate, consistent, and up-to-date? A. Availability B. Confidentiality C. Integrity D. Security

Employees

_____________ are often responsible for threats to data security.

Data availability, consistency, and definition

_______________, ________________, and ______________ are three data quality dimensions that are often addressed using computer tools.

Network controls

_________________ are essential to prevent the threat of hackers.

Administrative safeguards

__________________ are documented formal practices to manage data security measures throughout the organization.

Access control

__________________ that restrict access when necessary but allow access to complete job tasks is necessary. The organization must develop procedures and methods for identification, authentication, and authorization of users.

Cryptography

a branch of mathematics that is based on the transformation of data by developing ciphers, which are codes that are be kept secret.

Encryption

a method of encoding data, converting them to a jumble of unreadable scrambled characters and symbols as they are transmitted through a telecommunication network so that they are not understood by persons who do not have a key to transform the data into their original form.

Business continuity plan

a set of policies and procedures that directs the organization how to continue its business operations during a computer system shutdown

Contingency plan

a set of procedures, documented by the organization to be followed when responding to emergencies

Audit trail

a software program that tracks every single access or attempted access of data in the computer system

Scalable

accommodates organizations of any size

American Recovery and Reinvestment Act (ARRA)

additional changes to the Privacy and Security Rules were created as a result of the _______. They moved the enforcement for HIPAA security compliance from the Centers for Medicare and Medicaid Services' Office of Electronic Standards and Security to the Department of Health and Human Services Office for Civil Rights.

Disaster recovery plan

addresses the resources, actions, tasks, and data necessary to restore those services identified as critical, as soon as possible, and to manage business recovery processes

Likelihood determination

an estimate of the probability of threats occurring

Incident

an occurrence or an event

Digital certificates

are used to implement public key encryption on a large scale. It is an electronic document that uses a digital signature to bind together a public key with an identity such as the name of a person or an organization, address, and so forth.

Sniffers

can be attached to networks for the purpose of diverting transmitted data

Application safeguards

controls contained in application software or computer programs to protect the security and integrity of information

Data integrity

data are complete, accurate, consistent, and up-to-date so it is reliable. Data that has not been altered or destroyed in an unauthorized manner.

Ensuring the integrity of data

data should be complete, accurate, consistent and up-to-date

Protecting the privacy of data

defending or safeguarding access to information

Implementation specifications

define how standards are to be implemented

Risk management

encompasses the identification, evaluation and control of risks that are inherent in unexpected and inappropriate events

Edit check

helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer

Data definition

is describing the data. Every data element should have a clear meaning and a range of acceptable values

Unsecured electronic protected health information (e-PHI)

is e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons.

Security

is the measures and tools to safeguard data, and the information systems on which they reside, from unauthorized access, use, disclosure, disruption, modification, or destruction

Access control

is the restriction of access to information and information resources (such as computers) to only those who are authorized, by role or other means

Ensuring the availability of data

making sure the organization an depend on the information system to perform as expected, and to provide information when and where it is needed

Malware

malicious software; Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives.

Data consistency

means that data do not change no matter how often or in how many ways they are stored, processed, or displayed

Digital signatures

or digital signature scheme is a public key cryptography method that ensures that an electronic document such as an e-mail message or text file is authentic. This means that the receiver knows who created the document and is assured that the document has not been altered in any way since it was created.

Administrative safeguards

policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information

Emergency mode of operations

prescribes processes and controls to follow until operations are fully restored

Intrusion detection

process of identifying attempts or actions to penetrate a system and gain unauthorized access. The purpose is to prevent the compromise of the confidentiality, integrity, or availability of a resource.

Physical safeguards

refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft.

Audit control

requires procedural mechanisms be implemented to record activity in systems that contain e-PHI and that the output be examined to determine appropriateness of access

Firewall

secure gateway; part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. A software program or device that filters information and serves as a buffer between two networks, usually between a private network like an intranet and a public network like the internet.

Encryption

secures ePHI; affects data at rest, in motion, in use, and disposed

Flexible

security measures may be adopted that are appropriate and reasonable for the organization

Technology neutral

specific technologies are not prescribed

HIPAA Security Rule

specifies that covered entities must develop a security program that includes a range of security safeguards to protect individually identifiable health information maintained or transmitted in electronic form

Technical safeguards

the Security Rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it

Authentication

the act of verifying a claim of identity

External threats

threats that originate outside an organization

Internal threats

threats that originate within an organization

Impact analysis

what the impact of threats on information assets might be