Data Security & Patient Privacy Flashcards

1
Q

Are research and educational activities exempt from the privacy and security
requirements for PHI?

A

No, they are not exempt

2
Q

SSL

A

Secure Sockets Layer (the protocol itself has been replaced by TLS, Transport Layer Security, but the name SSL is still used informally for encrypted transport)

3
Q

What are some examples of technical safeguards in place to protect ePHI?

A

Firewalls; secure transmission modes for communication such as virtual private networks (VPN) or Secure Sockets Layer (SSL)/TLS; and encryption techniques. (The HIPAA Security Rule groups technical safeguards under access control, audit controls, integrity, person or entity authentication, and transmission security.)

4
Q

What are the two dominant types of rewards that may motivate cyber criminals?

A

Financial and political gains

5
Q

How may someone aiming for direct financial gain target ePHI?

A

Stealing someone's identity in order to take out debt in their name; stealing credit card information; and black market sale of PHI

6
Q

How may someone aiming for indirect financial gain target ePHI?

A

The data affected by the crime is not sold but held for ransom, and the owner of the data is extorted to pay money to get that data back

7
Q

Ransomware

A

A form of cybercrime with indirect financial rewards: critical data is encrypted, and payment is demanded in exchange for the decryption key

This is the greatest threat to most health systems

8
Q

Bitcoin makes up what percentage of ransom demands?

A

99%

9
Q

Are most cyber attacks targeted at a specific healthcare entity or untargeted and directed at many institutions?

A

Untargeted

10
Q

What office enforces HIPAA?

A

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS)

11
Q

HIPAA

A

Health Insurance Portability and Accountability Act

12
Q

HITECH

A

Health Information Technology for Economic and Clinical Health Act

13
Q

What did HITECH do?

A

Expanded HIPAA's privacy and security protections for information systems, with a focus on electronic medical records (EMRs); it also applied the rules directly to business associates, raised the penalties for violations and introduced breach notification requirements

14
Q

GDPR

A

General Data Protection Regulation

(a) EU-based; it applies to personal data of people in the EU regardless of where the organization processing it is located
(b) Focuses on privacy of data (lawful basis, consent, individual rights) more than on security controls

15
Q

What are some potential Targets of Patient Health Attacks?

A

● Active medical devices
– Interrupt lifesaving action or modify to deliver lethal results
● Medicines
– Destroy inventory, change allergy records, and change dosage delivery
● Surgery
– Change work order and medical records, disrupt remote access, disrupt environment, and disrupt equipment
● Clinicians
– Misdirection or misinformation

16
Q

What are common issues that open up medical devices to cyber attacks?

A

– Failure to provide timely security updates
– Malware
– Unauthorized access to the network
– Device reprogramming
– Denial of service attacks
– Poor password management
– Poorly designed software security features for off-the-shelf products
– Poor configuration of networks and security practices

17
Q

Who created a Safety Action Plan in 2018 to respond to the growing threats towards medical devices?

A

FDA (Food and Drug Administration)

18
Q

What are some of the focus areas of the Safety Action Plan?

A

– Establishment of a medical device patient safety net
– Exploration of regulatory options to modernize timely implementation of post-market mitigations
– Innovation toward safer medical devices
– Advancement of medical device cybersecurity

19
Q

What does the MDS2 contain?

A

Manufacturer Disclosure Statement for Medical Device Security: a standardized form the manufacturer fills in for a device, describing its security-relevant properties, such as whether it stores or transmits ePHI, how it is patched, whether malware protection and audit logging are available, and what third-party software it embeds. It is a self-disclosure by the manufacturer, not an independent assessment of the device's vulnerabilities, so it is a starting point for risk assessment rather than a substitute for one.

20
Q

What is a pitfall of DHCP, in terms of security, and what was added to networks to enhance security?

A

DHCP hands out a network address to any device that asks, so an unknown device can join the network with no authorization step; this ease of adding devices decreased network security

Network Access Control (NAC) systems were added so the network can identify each device before admitting it and can assign and manage its permissions (for example, by placing unknown or unpatched devices in a restricted segment)

21
Q

What are two ways a DICOM receiver can be configured to accept associations?

A

  1. Promiscuous (it will accept a DICOM object from any other network node that addresses it)
  2. Non-promiscuous (the sending node, identified by its Application Entity (AE) title and usually its IP address, has to be defined in the receiving system before it is allowed to send information)

Note that an AE title is a plain string carried in the connection request, not a credential: an allowlist blocks accidental and opportunistic connections but does not by itself authenticate the peer.
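
The two receiver modes above, as an added example that is not part of the original flashcards: the code parses the fixed header of a DICOM A-ASSOCIATE-RQ PDU (the layout from DICOM PS3.8, section 9.3.2, with the called and calling AE titles at fixed offsets) and then applies either a promiscuous policy or a non-promiscuous allowlist of calling AE title plus source IP. The AE titles, IP addresses and policy values are made up for the demonstration, and the PDUs are constructed in code rather than read from a socket.

```python
"""Added example: parse the fixed header of a DICOM A-ASSOCIATE-RQ PDU
(DICOM PS3.8, section 9.3.2) and apply a promiscuous or non-promiscuous
acceptance policy to it. Sample PDUs are constructed in code; there is no
network I/O. AE titles, IP addresses and policies below are made up."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PDU_TYPE_A_ASSOCIATE_RQ = 0x01

# A-ASSOCIATE-RJ reason/diagnostic codes when the rejecting source is the
# DICOM UL service-user (PS3.8, Table 9-21).
REASON_CALLING_AE_NOT_RECOGNIZED = 3
REASON_CALLED_AE_NOT_RECOGNIZED = 7


@dataclass(frozen=True)
class AssociateRequest:
    called_ae: str      # the AE title the peer thinks it is talking to
    calling_ae: str     # the AE title the peer claims for itself
    protocol_version: int


def build_associate_rq(called_ae: str, calling_ae: str,
                       variable_items: bytes = b"") -> bytes:
    """Build a minimal A-ASSOCIATE-RQ. Both AE titles are 16 bytes, space padded."""
    if len(called_ae) > 16 or len(calling_ae) > 16:
        raise ValueError("AE title longer than 16 characters")
    body = (struct.pack(">HH", 0x0001, 0)           # protocol version, reserved
            + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii")
            + bytes(32)                              # reserved
            + variable_items)                        # application context etc.
    return struct.pack(">BBI", PDU_TYPE_A_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu: bytes) -> AssociateRequest:
    """Extract the AE titles from the fixed 74-byte header, checking the length field."""
    if len(pdu) < 74:
        raise ValueError("PDU too short for an A-ASSOCIATE-RQ header")
    pdu_type, _reserved, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != PDU_TYPE_A_ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ (PDU type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise ValueError("PDU length field disagrees with bytes received")
    version = struct.unpack(">H", pdu[6:8])[0]
    called = pdu[10:26].decode("ascii").strip()
    calling = pdu[26:42].decode("ascii").strip()
    return AssociateRequest(called, calling, version)


@dataclass(frozen=True)
class ReceiverPolicy:
    my_ae_title: str
    promiscuous: bool
    # Non-promiscuous only: calling AE title -> IP address it must come from.
    allowed_peers: Dict[str, str] = field(default_factory=dict)


def decide(policy: ReceiverPolicy, pdu: bytes,
           source_ip: str) -> Tuple[bool, Optional[int]]:
    """Return (accept, reject_reason); reject_reason is None when accepted."""
    req = parse_associate_rq(pdu)
    if req.called_ae != policy.my_ae_title:
        return False, REASON_CALLED_AE_NOT_RECOGNIZED
    if policy.promiscuous:
        # Promiscuous: any peer that knows our AE title may open an association.
        return True, None
    expected_ip = policy.allowed_peers.get(req.calling_ae)
    if expected_ip is None or expected_ip != source_ip:
        return False, REASON_CALLING_AE_NOT_RECOGNIZED
    return True, None


if __name__ == "__main__":
    pdu = build_associate_rq("PACS1", "CTSCANNER")
    strict = ReceiverPolicy("PACS1", promiscuous=False,
                            allowed_peers={"CTSCANNER": "10.0.5.20"})
    print(decide(strict, pdu, "10.0.5.20"))       # (True, None)
    print(decide(strict, pdu, "192.168.99.99"))   # (False, 3)
```

The same PDU from an unexpected address is rejected under the non-promiscuous policy and accepted under the promiscuous one, which is the whole difference between the two modes. Because the AE title is just sixteen bytes the client chooses, a peer that knows a permitted title and can reach the port from the expected address is indistinguishable from the real modality; authenticating the peer requires the DICOM TLS secure transport profiles (PS3.15) on top of this check.
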
22
Q

Social engineering

A

A term used to describe the act of taking advantage of human weaknesses to gain illicit access to a computer network

23
Q

Phishing

A

Fraudulent emails used to harvest passwords; they usually imitate familiar websites or senders and carry benign-looking links or attachments that may let malicious software onto the network

24
Q

Spear phishing

A

An email targeted at a specific user and containing content that is specific to that user, so as to gain trust

25
Q

Altruism exploits

A

Exploiting a staff member's willingness to help, for example by pretending to be a family member, in order to obtain protected health information

26
Q

Intrusion Detection System

A

Computer systems that watch network or host activity for signs of an attack; the course describes them as combining logging with "honeypots"

When an attack is detected, the IDS activates more detailed logging and additional security measures (such as alerting on or blocking the source)

27
Q

Logging

A

Recording events, including attempted attacks, so they can be reviewed, correlated and used as evidence later

28
Q

“Honeypots”

A

Directories or systems that appear attractive to hackers and entice them to break in; no legitimate process touches them, so any access is suspicious by definition and serves as a tripwire
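
The three cards above (intrusion detection, logging, honeypots) as one added example that is not from the original flashcards: a minimal detection pass over syslog-style lines that raises an alert for a burst of failed logins from one source and for any access to a decoy share. The log lines, hosts, IP addresses and decoy paths are constructed for the demonstration.

```python
"""Added example: a minimal intrusion-detection pass over syslog-style lines.
Rule 1 flags a burst of failed logins from one source inside a time window;
rule 2 flags any access to a honeypot path, which is suspicious by definition.
The log lines, hostnames, IPs and decoy paths are constructed for this demo."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Hypothetical decoy shares. No legitimate workflow reads them, so any open is an alert.
HONEYPOT_PATHS = ("/srv/shares/Finance_Backup_2019", "/srv/shares/patient_exports_old")

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")
FILE_ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) smbd\[\d+\]: (?P<ip>[\d.]+) (?P<user>\S+) opened (?P<path>\S+)")

# Constructed sample log: a password-guessing burst from one host, a single
# ordinary failure, a touch of a decoy share, and one legitimate file open.
SAMPLE_LOG = """\
2019-03-04T02:14:01 sshd[812]: Failed password for root from 10.20.7.55 port 51122 ssh2
2019-03-04T02:14:03 sshd[812]: Failed password for root from 10.20.7.55 port 51124 ssh2
2019-03-04T02:14:04 sshd[812]: Failed password for invalid user admin from 10.20.7.55 port 51126 ssh2
2019-03-04T02:14:06 sshd[812]: Failed password for root from 10.20.7.55 port 51130 ssh2
2019-03-04T02:14:07 sshd[812]: Failed password for root from 10.20.7.55 port 51131 ssh2
2019-03-04T02:15:40 sshd[830]: Failed password for nurse1 from 10.20.3.9 port 40210 ssh2
2019-03-04T02:31:12 smbd[501]: 10.20.7.55 svc_backup opened /srv/shares/Finance_Backup_2019/payroll.xlsx
2019-03-04T02:31:20 smbd[501]: 10.20.3.9 nurse1 opened /srv/shares/radiology/worklist.csv
"""

Alert = Tuple[str, str, str]   # (rule name, source IP, detail)


def is_honeypot(path: str) -> bool:
    """True when the path is a decoy share or anything inside one."""
    return any(path == p or path.startswith(p + "/") for p in HONEYPOT_PATHS)


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Alert]:
    """Run both rules over the log text and return the alerts in log order."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> failure times in window
    reported = set()                                          # one brute-force alert per ip
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            window = recent[m["ip"]]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()                  # drop failures older than the window
            if len(window) >= threshold and m["ip"] not in reported:
                reported.add(m["ip"])
                alerts.append(("brute_force", m["ip"],
                               f"{len(window)} failed logins within {window_seconds}s"))
            continue
        m = FILE_ACCESS_RE.match(line)
        if m and is_honeypot(m["path"]):
            alerts.append(("honeypot_access", m["ip"], f"{m['user']} opened {m['path']}"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:16} {ip:14} {detail}")
```

Both alerts in the sample point at the same host, which is the kind of correlation the "additional security" step of an IDS acts on: the brute-force rule on its own is noisy (a forgotten password looks the same), but a subsequent read of a decoy share from the same source is a strong signal worth blocking on.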

29
Q

Trojan Horse

A

Malicious code that accompanies useful code onto the system during a download or routine maintenance

30
Q

Should a product advertised with “zero” vulnerabilities be trusted?

A

Probably not; it more likely means the product has not been tested

31
Q

How is the 80/20 principle applied in protection systems?

A

you don’t have to scan or segment every piece of equipment but should assess and prioritize areas that have the most critical vulnerabilities and the most dangerous impact

32
Q

Man in the Middle

A

A cyberattack in which the attacker positions a rogue device or compromised host between a sending system and a receiving system (for example, inside an institution's own network) and is able to intercept or modify the traffic between them; protocols that carry data without encryption or integrity protection give the receiver no way to tell that this has happened

33
Q

What two healthcare interoperability standards were shown in 2018 to be vulnerable to man-in-the-middle attacks?

A

HL7 and DICOM (both are commonly deployed without transport encryption or message authentication, although secure profiles exist for each)

34
Q

Pestilence

A

A malicious tool that is able to intercept lab values from a laboratory information system being sent to an electronic medical care record
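
The attack class described in the two cards above (man-in-the-middle interception of HL7 traffic between a laboratory system and the EMR), as an added example that is not part of the original flashcards and is not a reproduction of any specific tool: a constructed HL7 v2 ORU^R01 message has its potassium result rewritten in transit, and an HMAC appended by the sender lets the receiver detect the change. The message, the shared key and the ZMC trailer segment are invented for this demonstration; the trailer is not part of the HL7 standard.

```python
"""Added example of the lab-result tampering class described above: an HL7 v2
ORU^R01 message travelling from a LIS to an EMR is altered by a party sitting
between them, and an HMAC the sender appends lets the receiver detect it.
The message, key and the ZMC trailer segment are constructed for this demo;
the trailer is not part of the HL7 standard."""
import hashlib
import hmac
from typing import List, Optional, Tuple

FIELD_SEP = "|"
SEG_SEP = "\r"       # HL7 v2 segment terminator

# Constructed ORU^R01 carrying one potassium result (OBX-5 is the value).
LIS_MESSAGE = SEG_SEP.join([
    "MSH|^~\\&|LIS|LAB|EMR|HOSP|20190304021400||ORU^R01|MSG0001|P|2.5",
    "PID|1||MRN12345^^^HOSP^MR||DOE^JANE||19700101|F",
    "OBR|1||LAB778^LIS|2823-3^Potassium^LN|||20190304020000",
    "OBX|1|NM|2823-3^Potassium^LN||4.1|mmol/L|3.5-5.1|N|||F",
])

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # would be provisioned out of band


def _segments(message: str) -> List[List[str]]:
    return [seg.split(FIELD_SEP) for seg in message.split(SEG_SEP)]


def get_obx_value(message: str, obx_index: int) -> str:
    """Read OBX-5 of the OBX segment whose set ID (OBX-1) is obx_index."""
    for fields in _segments(message):
        if fields[0] == "OBX" and fields[1] == str(obx_index):
            return fields[5]
    raise ValueError(f"OBX {obx_index} not found")


def set_obx_value(message: str, obx_index: int, new_value: str) -> str:
    """What an interposed host can do to an unauthenticated message: rewrite a result."""
    segs = _segments(message)
    for fields in segs:
        if fields[0] == "OBX" and fields[1] == str(obx_index):
            fields[5] = new_value
            return SEG_SEP.join(FIELD_SEP.join(f) for f in segs)
    raise ValueError(f"OBX {obx_index} not found")


def sign(message: str, key: bytes) -> str:
    """Sender side: append a Z-segment carrying HMAC-SHA256 over the whole message."""
    tag = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return message + SEG_SEP + "ZMC|" + tag


def verify(signed: str, key: bytes) -> Tuple[Optional[str], bool]:
    """Receiver side: return (message, ok). Only act on the message when ok is True."""
    body, _, trailer = signed.rpartition(SEG_SEP)
    if not trailer.startswith("ZMC|"):
        return None, False
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body, hmac.compare_digest(expected, trailer[len("ZMC|"):])


if __name__ == "__main__":
    signed = sign(LIS_MESSAGE, SHARED_KEY)
    in_transit = set_obx_value(signed, 1, "7.9")   # attacker rewrites K+ 4.1 -> 7.9
    body, ok = verify(in_transit, SHARED_KEY)
    print("value seen by EMR:", get_obx_value(body, 1), "| MAC valid:", ok)
```

Without the trailer the EMR has no way to tell 4.1 from 7.9; with it, the altered message fails verification and should be dropped and alerted on rather than filed. An HMAC only covers integrity and origin for holders of the key: it does not hide the patient data from the interposed host and does not stop replay of an old but validly signed result, so in practice the fix is mutually authenticated TLS on the MLLP link, with this kind of message-level check as defence in depth.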

35
Q

Adversarial network (generative adversarial network, GAN)

A

A type of deep learning that can synthesize realistic image content and has been used to add or remove pathology from a DICOM image, so that a tampered study still looks authentic

36
Q

A hacker posing as a member of the IT team to obtain passwords is an example of:
A. Sniffing
B. Social engineering
C. Intrusion detection
D. Probing
E. Log analysis

A

B. Social engineering

37
Q

Ransomware is:
A. A cyberattack that results in direct financial rewards
B. Less important to healthcare than to other industries
C. A type of cybercrime that has been around for decades
D. A threat to patient health
E. A countermeasure employed by hospital security teams

A

D. A threat to patient health