Chapter 12 (Security) Flashcards
three states of data protection
Data must be protected in its three states: data at rest, data in motion, and data in use.
Data at rest is when the data is stored on an electronic medium such as a computer’s hard drive.
Data in motion is data that is moving from point A to point B such as being shared between a hospital and an insurer.
Data in use is when the data is being accessed for review, updates, or other purposes.
administrative simplification
a term mentioned in the Patient Protection and Affordable Care Act
It means to use technology to reduce clerical work and to standardize rules and achieve greater legal compliance.
covered entity (CE)
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
clearinghouse
(1) an establishment maintained by banks for settling claims and accounts
(2) a central agency for the collection, classification, and distribution of information
claim (health insurance/finances)
a demand for something due or believed to be due
healthcare clearinghouse
a company that collects billing data and processes it for the healthcare provider. The healthcare clearinghouse then submits the claim to the health plan for payment
health plan
a plan that pays for the healthcare provided to the individuals covered under the plan. These plans include medical, dental, vision, and other forms of health plans.
Transaction and Code Sets rules
A set of rules designed to standardize transactions performed by covered entities. These standards apply to electronic transactions only, such as claim submission, eligibility queries, and many more insurance-related functions
designated standard maintenance organizations (DSMOs)
organizations named by the Secretary of Health and Human Services (HHS) to maintain standards adopted under HIPAA and to receive and process requests to adopt new standards or modify existing standards
addressable standards vs required standards (HIPAA)
In each HIPAA Security Rule, implementation specifications are either “addressable” or “required” HIPAA requirements and describe how standards should be executed.
“Required” rules are quite cut and dried. Either you implement them, or you automatically fail to comply with the Security Rule. These mandatory rules represent 48% of the HIPAA Security Rule.
“Addressable” constitutes 52% of Security Rule specifications, and many entities do not fully understand what that entails.
Addressable requirements are often technical, and allow organizations the flexibility to implement different security controls to accomplish the requirement’s objective.
For example, if I had addressable specifications to cook a turkey, I could cook it in the oven like the recipe dictates, or I could BBQ, deep-fry, smoke, or microwave it. It doesn’t matter how I cook it, just that it gets cooked (and doesn’t give me food poisoning).
threat (computer security)
a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application
vulnerability (computer security)
a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
risk analysis
the process of identifying possible security threats to a computer system and identifying which risks should be promptly addressed and which are lower in priority
risk management
The process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
security management plan
a plan that describes how the organization will provide and maintain a safe physical environment and manage staff activities to reduce the risk of personal injury and property loss
sanction policy
a set of policies that addresses how employees will be penalized for failing to follow security policies and procedures
information system activity review
a review that monitors for the inappropriate use or disclosure of electronic personal health information
HIPAA does not mandate the frequency of this review nor the way this review is to be conducted. These reviews should include logs, access, and incident reporting. People should monitor audit logs, the incident log, and other internal and external documentation to identify all successful and unsuccessful attempts to access ePHI.
chief privacy official (CPO)
a corporate executive charged with developing and implementing policies designed to protect employee and customer data from unauthorized access
information access management
action that involves implementing policies and procedures to determine which employees have access to what information
workforce clearance procedure
a policy that ensures that each employee’s level of access is appropriate
The access determination should be based on risk analysis and each employee’s job description. This would require the CE to evaluate each user and their need for data and functionality.
termination process
a policy to eliminate an employee’s access to the information system when that person’s employment with the company ends—either through resignation or through termination (firing)
security incident
any single event involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system
forensics
relating to or dealing with the application of scientific knowledge to legal problems or criminal investigation
five steps of forensic investigation
(1) Policy and procedure development (including strict guidelines)
(2) Evidence assessment (determining what should be looked for)
(3) Evidence acquisition (how evidence will be captured)
(4) Evidence examination (analyzing data obtained)
(5) Documenting and reporting (documenting all activities performed)
security event
any observable occurrence that is relevant to information security
The security event does not have to result in a breach of electronic personal health information. Security events include noncompliance with security policies, errors made by employees, leaving computer without logging out, writing down passwords, and so forth.
contingency plan
a set of policies and procedures that identify how a hospital will react in the event of an information system emergency, such as power failure, natural disaster, a hacker, malware, or an information system failure. HIPAA calls this an emergency mode operation plan.
contingent (adjective)
(1) dependent on or conditioned by something else
(2) likely but not certain to happen
(3) happening by chance or unforeseen causes
(4) not logically necessary
redundancy
Intentional duplication of data, hardware, cables, or other hardware components of the information system.
Example: As data are entered, they are also saved onto a second computer server, creating a way to access an operational information system with little to no downtime. Redundancy can also be used for networks, computers, and other hardware. For example, a large urban hospital may have multiple network cables that connect buildings, buried under the street. If one cable fails, another cable takes its place in transmitting data.
business associates (BAs)
organizations that conduct business on behalf of a company (e.g. hospital)
Examples of BAs are contract coders, application service providers, transcription services, and billing services. These associates require access to health information in order to do their jobs. Therefore, BAs are subject to the HIPAA Security Rule.
business associate agreement (BAA)
in reference to healthcare, it is an agreement between a hospital and a hospital’s business associate
The BAA spells out the BA’s responsibilities and how it should protect health information. The BAA should also allow the hospital to terminate the contract if the BA fails to meet the responsibilities in the BAA. The BAA must address certain required elements (HIPAA).
technical safeguards
the technology and the policy and procedures for its use that protect electronic protected health information and control access to it
access controls
computer software programs designed to prevent unauthorized use of an information resource. Hospitals must define in their policies and procedures who can view, create, and modify data in an information system containing health information and use access controls to grant or limit those rights to employees who need them.
role-based authentication
The functions and data available to the user are based on the role of the user.
For example, a coder in the HIM department needs to review health information to properly code the health record; however, the coder would not need to add clinical information to the health record, and access controls would restrict the user from doing so. In role-based authentication, all coders have the same access, and all nurses have the same access.
May also be called role-based access control.
user-based authentication
The functions and data available are based on the needs of the individual user, not all users with the same job title.
For example, some HIM technicians may have the authority to combine duplicate health record numbers, but others would not have access to this function because there is not a need. This method is more specific to the user’s needs than role-based authentication as the user gains the data and functionality that they need but no more. Evaluating each user individually is very time consuming.
May also be called user-based access control.
context-based authentication
an access control system that limits users to accessing information not only in accordance with their identity and role, but also according to the location and time in which they are accessing the information
This is helpful when there are employees, such as nurses, who work in various units or have different roles at different times. For example, a nurse who works full-time in the quality improvement department may work at a nursing unit to earn some extra money for Christmas. As the ePHI and functions needed to perform these roles differ, the access that she has depends on her role at the time.
May also be called context-based access control.
emergency access procedure
a procedure that grants an employee access to data they are not normally allowed to access
This access usually occurs during a medical emergency and may require a second password or a reason for access. Even in an emergency situation, there must be a way to identify who activated the emergency access and why.
one-factor authentication
a method of authentication that utilizes one level of access control such as a username and password
two-factor authentication
a method of authentication that combines two different categories of access control, such as something you know (username/password) and something you have (cell phone to receive a verification code)
multi-factor authentication (MFA)
an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism
The authentication factors of a multi-factor authentication scheme may include:
- Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
- Something the user knows: Certain knowledge only known to the user, such as a password, PIN, TAN, etc.
- Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
- Somewhere the user is: Some connection to a specific computing network or using a GPS signal to identify the location.
Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA)
a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites
It often involves asking you to type text from a distorted image that a computer cannot read.
token (computers)
an object (in software or in hardware) which represents the right to perform some operation
audit controls
mechanisms that record and examine activity in information systems
audit trails
a record of system activities, such as log-in, log-out, unsuccessful log-ins, print, query, and other actions
trigger (computer security)
a flag that notifies the hospital of a possible security issue that needs investigation
audit-reduction tools
A tool used to review the audit trail and compare it to facility-specific criteria and eliminate routine entries such as periodic backups. This means that backups and other routine maintenance would be removed from the reports from which audits are conducted. The audit-reduction tools can also look for trends and behavior outside the norm. This tool helps with eliminating useless information.
transmission security
mechanisms designed to protect health information while the data are being transmitted between two points. These points can be internal or external to the hospital.
encryption
A security tool that converts data from a readable form to unintelligible text. This is done with the science of cryptography, using mathematics to convert data into unintelligible data and back again. If encrypted data are intercepted during transmission, the health information is protected because the individual who intercepted the data cannot view it. Only authorized users are able to convert the data back into a readable format.
cryptography
the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents
symmetric encryption
Symmetric encryption uses a single secret key to encrypt data. The computer sending the data uses the key to turn the message into the unintelligible format. The receiving computer uses the same key to revert the data back into its original format.
asymmetric encryption
A cryptographic system that uses pairs of keys. Each pair consists of a public key (which may be known to others) and a private key (which may not be known by anyone except the owner).
In such a system, any person can encrypt a message using the intended receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key.
firewall
(1) a wall or partition designed to inhibit or prevent the spread of fire
(2) a part of a computer system or network which is designed to block unauthorized access while permitting outward communication
computer network
two or more computers that are connected with one another for the purpose of communicating data electronically
node (computers)
a piece of equipment, such as a PC or peripheral, attached to a network
intrusion detection systems (IDS)
systems that monitor networks and information systems to catch hackers and other intruders along with other security issues. The IDS notifies the information technology staff of the issue
intrusion prevention systems (IPS)
a system that monitors networks to identify possible malware threats. When identified, the IPS notifies the network administration and takes steps to stop the threat
malware
malicious software designed to harm a computer
virus (computers)
A type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another. A virus operates by inserting or attaching itself to a legitimate program or document that supports macros in order to execute its code. In the process, a virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.
worm (computers)
A type of malware that spreads copies of itself from computer to computer. It can replicate itself without any human interaction and does not need to attach itself to a software program in order to cause damage. Worms can be transmitted via software vulnerabilities.
trojan (computers)
a type of malware that gives the appearance that it is perfectly legitimate software. This tricks the user into accessing it. Once accessed, the Trojan can perform a variety of harmful actions
backdoor
a typically covert method of bypassing normal authentication or encryption in a computer
bots
programs that perform automated tasks, such as gathering information and instant messaging, thus relieving a person of the responsibility of doing it.
robotic process automation (RPA)
a software technology that makes it easy to build, deploy, and manage software robots that emulate human action
spyware
software used to track keystrokes and passwords, monitor websites visited, or other actions and report these actions to the designated person or organization
ransomware
a type of malicious software that prohibits access to information systems in an organization. The ransomware programmer may demand money before they will deactivate the ransomware.
social engineering
the process of tricking someone into revealing information or doing something that will enable others to take advantage of them
pretexting
a type of social engineering that attempts to capture the user’s attention so that they can be drawn in. The criminal then requests information from the recipient in order for the recipient to gain an inheritance, claim lottery winnings, or something else
phishing
an e-mail scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly
The e-mail received may look official, but it is not. Its intent is to capture usernames, passwords, account numbers, and any other personal information.
baiting
Baiting works much like using a lure to catch a fish. The offender dangles something in front of the potential victim hoping that he or she will take the bait. Baiting takes many forms, including free music or video downloads, a price that is too good to be true, or something else. It can also be leaving a thumb drive in a public location hoping someone will access it and then be infected with some type of malware.
quid pro quo (social engineering)
a type of social engineering that proposes an exchange of some service with the victim being duped out of something. On the surface, it is a fair exchange but the victim always comes away losing in the exchange
quid pro quo (general definition)
Latin for “favor for a favor”; it is a favor or advantage granted or expected in return for something
vishing
phishing that is verbally performed. The villain would use the phone to scam the individual out of personal information such as their social security number, bank account information, password, and more
facility access controls
things which limit physical access to the data center and software to only authorized information system staff
physical safeguards
physical measures, policies, and procedures to protect a CE’s electronic information systems, and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion
property control tag
something that assigns a unique identifier to hardware, allowing it to be inventoried
remote wipe
the deletion of data from a device remotely, when a device is not accessible
four categories of HIPAA violations
Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
Tier 1: Minimum fine of $100 per violation up to $50,000
Tier 2: Minimum fine of $1,000 per violation up to $50,000
Tier 3: Minimum fine of $10,000 per violation up to $50,000
Tier 4: Minimum fine of $50,000 per violation