Chapter 10- Data Security

Audit trail

1. A chronological set of computerized records that provides evidence of information system activity (logins and logouts, file accesses) used to determine security violations. 2. A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.

Access control

1. A computer software program designed to prevent unauthorized use of an information resource. 2. As amended by HITECH, a technical safeguard that requires a covered entity must in accordance with 164.306(a) (1) implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a) (4) (45 CFR 164.312 2003)

Authorization

1. As amended by HITECH, except as otherwise specified, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508. 2. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such as use or disclosure must be consistent with the authorization (45 CFR 164.508 2013).

Data integrity

1. The extent to which healthcare data are complete, accurate, consistent, and timely. 2. A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally.

Security

1. The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss. 2. The physical protection of facilities and equipment from theft, damage, or unauthorized access, ; collectively, the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems.

Authentication

1. The process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature. 2. Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source. 3. As amended by HITECH, means the corroboration that a person is the one claimed.

Impact analysis

A collective term used to refer to any study that determines the benefit of a proposed project, including cost-benefit analysis, return on investment, benefits realization study, or qualitative benefit study.

Risk management

A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuring liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability.

Firewall

A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network.

Role-based access control (RBAC)

A control system in which access decisions are based on the roles of individual users as part of an organization.

Data dictionary

A descriptive list of the names, definitions, and attributes of data elements to be collected in an information system or database whose purpose is to standardize definitions and ensure consistent use.

Network controls

A method of protecting data from unauthorized change and corruption at rest and during change and corruption at rest and during transmission among information systems.

Security program

A plan outlining the policies and procedures created to protect healthcare information.

Emergency mode of operations

A plan that defines the processes and controls that will be followed until the operations are fully restored.

Business continuity plan

A program that incorporates policies and procedures for continuing business operations during a computer system shutdown.

User-based access control (UBAC)

A security mechanism used to grant users of a system access based on identity.

Password

A series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database.

Two-factor authentication

A signature type that includes at least two of the following three elements: something known, such as a password; something held, such as a token or digital certificate; and something that is personal, such as a biometric in the form of a fingerprint, retinal scan, or other.

Security threat

A situation that has the potential to damage a healthcare organization's information system.

Sniffers

A software security product that runs in the background of a network, examining and logging packet traffic and serving as an early warning against crackers.

Intrusion Detection System (IDS)

A system that performs automated intrusion detection, procedures should be outlined in the organization's data security plan to determine what actions should be taken in response to a probable intrusion.

Single sign-on

A type of technology that allows a user access to all disparate applications through one authentication procedure, thus reducing the number and variety of passwords a user must remember and enforcing and centralizing access control.

Context-based access control (CBAC)

An access control system which limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information.

Digital certificates

An electronic document that establishes a person's online identity.

Digital signatures

An electronic signature that binds a message to a particular individual and can be used by the receiver to authenticate the identity of the sender.

Likelihood determination

An estimate of the probability of threats occurring.

Incident

An occurrence in a medical facility that is inconsistent with accepted standards of care.

Physical safeguards

As amended by HITECH, security rule measures such as locking doors to safeguard data and various media from unauthorized access and exposures; includes facility access controls, workstation use, workstation security, and device and media controls.

Implementation specifications

As amended by HITECH, specific requirements or instructions for implementing a privacy or security standard.

Technical safeguards

As amended by HITECH, the Security Rule means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Application safeguards

Controls contained in application software or computer programs to protect the security and integrity of information.

Decryption

Data decoded and restored back to original readable form.

Edit check

Helps to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer.

Access safeguards

Identification of which employees should have access to what data; the general practice is that employees should have access only to data they need to do their jobs.

Public key infrastructure (PKI)

In cryptography, an asymmetric algorithm made publicly available to unlock a coded message.

Incident detection

Methods used to identify both accidental and malicious events; detection programs monitor the information systems for abnormalities or a series of events that might indicate that a security breach is occurring or has occurred.

Information Technology Asset Disposition (ITAD)

Policy that identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal.

Trigger events

Review of access logs, audit trails, failed logins, and other reports generated to monitor compliance with the policies and procedures.

Application controls

Security strategies, such as password management, included in application software and computer programs.

Malware

Software applications that can take over partial or full control of a computer and can compromise data security and corrupt both data and hard drives.

Cryptography

The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again. 2. In information security, the study of encryption and decryption techniques.

Disaster recovery plan

The document that defines the resources, actions, tasks, and data required to manage the businesses recovery process in the event of a business interruption.

Data availability

The extent to which healthcare data are accessible whenever and wherever they are needed.

Data consistency

The extent to which the healthcare data are reliable and the same across applications.

HIPAA Security Rule

The federal regulations created to implement the security requirements of HIPAA.

Audit controls

The mechanisms that record and examine activity in information systems.

Biometrics

The physical characteristics of users (such as fingerprints, voiceprints, retinal scans, iris traits) that systems store and use to authenticate identity before allowing the user access to a system.

Intrusion Detection

The process of identifying attempts or actions to penetrate a system and gain unauthorized access.

Risk analysis

The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority.

Data security

The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction.

Encryption

The process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination.

American Recovery and Reinvestment Act (ARRA)

The purposes of this act include the following: (1) To preserve and create jobs and promote economic recovery. (2) To assist those most impacted by the recession. (3) To provide investments needed to increase economic efficiency by spurring technological advances in science and health. (4) To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits. (5) To stabilize state and local government budgets, in order to minimize and avoid reproductions in essential services and counterproductive state and local increases.

Data definition

The specific meaning of a healthcare-related data element.

External threats

Threats that originate outside an organization.

Internal Threats

Threats that originate within an organization.

Private key infrastructure

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated.

Single key encryption

Two or more computers share the same secret key and that key is used to both encrypt and decrypt a message; however, the key must be kept secret and if it is compromised in any way, the security of the data is likely to be eliminated.

Security breach

Unauthorized data or system access.

Administrative safeguards

Under HIPAA, are administrative actions and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information (45 CFR 164.304 2013)

Unsecured electronic protected health information (e-PHI)

e-PHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons.