Chapter 12 (Security) Flashcards

1
Q

three states of data protection

A

Data must be protected in its three states: data at rest, data in motion, and data in use.
Data at rest is when the data is stored on electronic media, such as on a computer’s hard drive.
Data in motion is data that is moving from point A to point B such as being shared between a hospital and an insurer.
Data in use is when the data is being accessed for review, updates, or other purposes.

2
Q

administrative simplification

A

a term mentioned in the Patient Protection and Affordable Care Act
It means to use technology to reduce clerical work and to standardize rules and achieve greater legal compliance.

3
Q

covered entity (CE)

A

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards

4
Q

clearinghouse

A

(1) an establishment maintained by banks for settling claims and accounts
(2) a central agency for the collection, classification, and distribution of information

5
Q

claim (health insurance/finances)

A

a demand for something due or believed to be due

6
Q

healthcare clearinghouse

A

a company that collects billing data and processes it for the healthcare provider. The healthcare clearinghouse then submits the claim to the health plan for payment

7
Q

health plan

A

a plan that pays for the healthcare provided to the individuals covered under the plan. These plans include medical, dental, vision, and other forms of health plans.

8
Q

Transaction and Code Sets rules

A

A set of rules designed to standardize transactions performed by covered entities. These standards apply to electronic transactions only, such as claim submission, eligibility queries, and many more insurance-related functions

9
Q

designated standard maintenance organizations (DSMOs)

A

organizations named by the Secretary of Health and Human Services (HHS) to maintain standards adopted under HIPAA and to receive and process requests to adopt new standards or modify existing standards

10
Q

addressable standards vs required standards (HIPAA)

A

Within the HIPAA Security Rule, implementation specifications are designated either “addressable” or “required” and describe how each standard is to be executed.

“Required” rules are quite cut and dried. Either you implement them, or you automatically fail to comply with the Security Rule. These mandatory rules represent 48% of the HIPAA Security Rule.

“Addressable” constitutes 52% of Security Rule specifications, and many entities do not fully understand what that entails.

Addressable requirements are often technical, and allow organizations the flexibility to implement different security controls to accomplish the requirement’s objective.

For example, if I had addressable specifications to cook a turkey, I could cook it in the oven like the recipe dictates, or I could BBQ, deep-fry, smoke, or microwave it. It doesn’t matter how I cook it, just that it gets cooked (and doesn’t give me food-poisoning).

11
Q

threat (computer security)

A

a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application

12
Q

vulnerability (computer security)

A

a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.

13
Q

risk analysis

A

the process of identifying possible security threats to a computer system and identifying which risks should be promptly addressed and which are lower in priority

14
Q

risk management

A

The process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

15
Q

security management plan

A

a plan that describes how the organization will provide and maintain a safe physical environment and manage staff activities to reduce the risk of personal injury and property loss

16
Q

sanction policy

A

a set of policies that addresses how employees will be penalized for failing to follow security policies and procedures

17
Q

information system activity review

A

a review that monitors for the inappropriate use or disclosure of electronic personal health information

HIPAA does not mandate the frequency of this review nor the way this review is to be conducted. These reviews should include logs, access, and incident reporting. People should monitor audit logs, the incident log, and other internal and external documentation to identify all successful and unsuccessful attempts to access ePHI.

18
Q

chief privacy official (CPO)

A

a corporate executive charged with developing and implementing policies designed to protect employee and customer data from unauthorized access

19
Q

information access management

A

action that involves implementing policies and procedures to determine which employees have access to what information

20
Q

workforce clearance procedure

A

a policy that ensures that each employee’s level of access is appropriate

The access determination should be based on risk analysis and each employee’s job description. This would require the CE to evaluate each user and their need for data and functionality.

21
Q

termination process

A

a policy to eliminate an employee’s access to the information system when that person’s employment with the company ends—either through resignation or through termination (firing)

22
Q

security incident

A

any single event involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system

23
Q

forensics

A

relating to or dealing with the application of scientific knowledge to legal problems or criminal investigation

24
Q

five steps of forensic investigation

A

Policy and procedure development (including strict guidelines)
Evidence assessment (determining what should be looked for)
Evidence acquisition (how evidence will be captured)
Evidence examination (analyzing data obtained)
Documenting and reporting (documenting all activities performed)

25
Q

security event

A

any observable occurrence that is relevant to information security
The security event does not have to result in a breach of electronic personal health information. Security events include noncompliance with security policies, errors made by employees, leaving a computer without logging out, writing down passwords, and so forth.

26
Q

contingency plan

A

a set of policies and procedures that identify how a hospital will react in the event of an information system emergency, such as power failure, natural disaster, a hacker, malware, or an information system failure. HIPAA calls this an emergency mode operation plan.

27
Q

contingent (adjective)

A

(1) dependent on or conditioned by something else
(2) likely but not certain to happen
(3) happening by chance or unforeseen causes
(4) not logically necessary

28
Q

redundancy

A

Intentional duplication of data, hardware, cables, or other hardware components of the information system.

Example: As data are entered, they are also saved onto a second computer server, creating a way to access an operational information system with little to no downtime. Redundancy can also be used for networks, computers, and other hardware. For example, a large urban hospital may have multiple network cables that connect buildings by using cables that are buried under the street. If one cable fails, another cable takes its place in transmitting data.

29
Q

business associates (BAs)

A

organizations that conduct business on behalf of a company (e.g. hospital)
Examples of BAs are contract coders, application service providers, transcription services, and billing services. These associates require access to health information in order to do their jobs. Therefore, BAs are subject to the HIPAA Security Rule.

30
Q

business associate agreement (BAA)

A

in reference to healthcare, it is an agreement between a hospital and a hospital’s business associate
The BAA spells out the BA’s responsibilities and how it should protect health information. The BAA should also allow the hospital to terminate the contract if the BA fails to meet the responsibilities in the BAA. The BAA must address certain required elements (HIPAA).

31
Q

technical safeguards

A

the technology and the policy and procedures for its use that protect electronic protected health information and control access to it

32
Q

access controls

A

computer software programs designed to prevent unauthorized use of an information resource. Hospitals must define in their policies and procedures who can view, create, and modify data in an information system containing health information and use access controls to grant or limit those rights to employees who need them.

33
Q

role-based authentication

A

The functions and data available to the user are based on the role of the user.

For example, a coder in the HIM department needs to review health information to properly code the health record; however, the coder would not need to add clinical information to the health record, and access controls would restrict the user from doing so. In role-based authentication, all coders have the same access, and all nurses have the same access.

May also be called role-based access control.

34
Q

user-based authentication

A

The functions and data available are based on the needs of the individual user, not all users with the same job title.

For example, some HIM technicians may have the authority to combine duplicate health record numbers, but others would not have access to this function because there is not a need. This method is more specific to the user’s needs than role-based authentication as the user gains the data and functionality that they need but no more. Evaluating each user individually is very time consuming.

May also be called user-based access control.

35
Q

context-based authentication

A

an access control system that limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information

This is helpful when there are employees, such as nurses, who work in various units or have different roles at different times. For example, a nurse who works full-time in the quality improvement department may work at a nursing unit to earn some extra money for Christmas. As the ePHI and functions needed to perform these roles differ, the access that she has depends on her role at the time.

May also be called context-based access control.

36
Q

emergency access procedure

A

a procedure that grants an employee access to data they are not normally allowed to access

This access usually occurs during a medical emergency and may require a second password or a reason for access. Even in an emergency situation, there must be a way to identify who activated the emergency access and why.

37
Q

one-factor authentication

A

a method of authentication that utilizes one level of access control such as a username and password

38
Q

two-factor authentication

A

a method of authentication that combines two different categories of access control, such as something you know (username/password) and something you have (cell phone to receive a verification code)

39
Q

multi-factor authentication (MFA)

A

an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism

The authentication factors of a multi-factor authentication scheme may include:

  1. Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
  2. Something the user knows: Certain knowledge only known to the user, such as a password, PIN, TAN, etc.
  3. Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
  4. Somewhere the user is: Some connection to a specific computing network or using a GPS signal to identify the location.
40
Q

Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA)

A

a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites
It often involves asking you to type text from a distorted image that a computer cannot read.

41
Q

token (computers)

A

an object (in software or in hardware) which represents the right to perform some operation

42
Q

audit controls

A

mechanisms that record and examine activity in information systems

43
Q

audit trails

A

a record of system activities, such as log-in, log-out, unsuccessful log-ins, print, query, and other actions

44
Q

trigger (computer security)

A

a flag that notifies the hospital of a possible security issue that needs investigation

45
Q

audit-reduction tools

A

A tool used to review the audit trail and compare it to facility-specific criteria and eliminate routine entries such as periodic backups. This means that backups and other routine maintenance would be removed from the reports from which audits are conducted. The audit-reduction tools can also look for trends and behavior outside the norm. This tool helps with eliminating useless information.

46
Q

transmission security

A

mechanisms designed to protect health information while the data are being transmitted between two points. These points can be internal or external to the hospital.

47
Q

encryption

A

A security tool that converts data from a readable form to unintelligible text. This is done with the science of cryptography, using mathematics to convert data into unintelligible data and back again. If encrypted data are intercepted during transmission, the health information is protected because the individual who intercepted the data cannot view it. Only authorized users are able to convert the data back into a readable format.

48
Q

cryptography

A

the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents

49
Q

symmetric encryption

A

Symmetric encryption uses a single secret key to encrypt data. The computer sending the data uses the key to turn the message into the unintelligible format. The receiving computer uses the same key to revert the data back into its original format.

50
Q

asymmetric encryption

A

A cryptographic system that uses pairs of keys. Each pair consists of a public key (which may be known to others) and a private key (which may not be known by anyone except the owner).
In such a system, any person can encrypt a message using the intended receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key.

51
Q

firewall

A

(1) a wall or partition designed to inhibit or prevent the spread of fire
(2) a part of a computer system or network which is designed to block unauthorized access while permitting outward communication

52
Q

computer network

A

two or more computers that are connected with one another for the purpose of communicating data electronically

53
Q

node (computers)

A

a piece of equipment, such as a PC or peripheral, attached to a network

54
Q

intrusion detection systems (IDS)

A

systems that monitor networks and information systems to catch hackers and other intruders along with other security issues. The IDS notifies the information technology staff of the issue

55
Q

intrusion prevention systems (IPS)

A

a system that monitors networks to identify possible malware threats. When identified, the IPS notifies the network administration and takes steps to stop the threat

56
Q

malware

A

malicious software designed to harm a computer

57
Q

virus (computers)

A

A type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another. A virus operates by inserting or attaching itself to a legitimate program or document that supports macros in order to execute its code. In the process, a virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.

58
Q

worm (computers)

A

A type of malware that spreads copies of itself from computer to computer. It can replicate itself without any human interaction and does not need to attach itself to a software program in order to cause damage. Worms can be transmitted via software vulnerabilities.

59
Q

trojan (computers)

A

a type of malware that gives the appearance that it is perfectly legitimate software. This tricks the user into accessing it. Once accessed, the Trojan can perform a variety of harmful actions

60
Q

backdoor

A

a typically covert method of bypassing normal authentication or encryption in a computer

61
Q

bots

A

programs that perform automated tasks, such as gathering information and instant messaging, thus relieving a person of the responsibility of doing it.

62
Q

robotic process automation (RPA)

A

a software technology that makes it easy to build, deploy, and manage software robots that emulate human action

63
Q

spyware

A

software used to track keystrokes and passwords, monitor websites visited, or other actions and report these actions to the designated person or organization

64
Q

ransomware

A

a type of malicious software that prohibits access to information systems in an organization. The ransomware programmer may demand money before they will deactivate the ransomware.

65
Q

social engineering

A

the process of tricking someone into revealing information or doing something that will enable others to take advantage of them

66
Q

pretexting

A

a type of social engineering that attempts to capture the user’s attention so that they can be drawn in. The criminal then requests information from the recipient in order for the recipient to gain an inheritance, claim lottery winnings, or something else

67
Q

phishing

A

an e-mail scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly
The e-mail received may look official, but it is not. Its intent is to capture usernames, passwords, account numbers, and any other personal information.

68
Q

baiting

A

Baiting works much like using a lure to catch a fish. The offender dangles something in front of the potential victim hoping that he or she will take the bait. Baiting takes many forms including downloading music or videos, a price that is too good to be true, or something else. It can also be leaving a thumb drive in a public location hoping someone will access it and then be infected with some type of malware.

69
Q

quid pro quo (social engineering)

A

a type of social engineering that proposes an exchange of some service with the victim being duped out of something. On the surface, it is a fair exchange but the victim always comes away losing in the exchange

70
Q

quid pro quo (general definition)

A

Latin for “favor for a favor”; it is a favor or advantage granted or expected in return for something

71
Q

vishing

A

phishing that is verbally performed. The villain would use the phone to scam the individual out of personal information such as their social security number, bank account information, password, and more

72
Q

facility access controls

A

things which limit physical access to the data center and software to only authorized information system staff

73
Q

physical safeguards

A

physical measures, policies, and procedures to protect a CE’s electronic information systems, and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion

74
Q

property control tag

A

something that assigns a unique identifier to hardware, allowing it to be inventoried

75
Q

remote wipe

A

the deletion of data from a device remotely, when a device is not accessible

76
Q

four categories of HIPAA violations

A

Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

Tier 1: Minimum fine of $100 per violation up to $50,000
Tier 2: Minimum fine of $1,000 per violation up to $50,000
Tier 3: Minimum fine of $10,000 per violation up to $50,000
Tier 4: Minimum fine of $50,000 per violation