Data Security & Patient Privacy Flashcards
Are research and educational activities exempt from the privacy and security
requirements for PHI?
No, they are not exempt
SSL
secure sockets layer
What are some examples of technical safeguards in place to protect ePHI?
Firewalls, secure transmission modes for communication such as virtual private networks (VPN) or secure sockets layer (SSL), and encryption techniques
What are the two dominant types of rewards that may motivate cyber criminals?
Financial and political gains
How may someone aiming for direct financial gain target ePHI?
Stealing someone’s identity in order to take out debt in their name; stealing credit card information; and black market sale of PHI
How may someone aiming for indirect financial gain target ePHI?
The data affected by the crime is not sold but held for ransom, and the owner of the data is extorted to pay money to get that data back
Ransomware
A form of cybercrime with indirect financial rewards. Critical data is encrypted, and payment is demanded in exchange for the decryption key.
This is the greatest threat to most health systems
Bitcoin makes up what percentage of ransom demands?
99%
Are most cyber attacks targeted at a specific healthcare entity or untargeted and directed at many institutions?
Untargeted
What office enforces HIPAA?
The Office of Civil Rights
HIPAA
Health Insurance Portability and Accountability Act
HITECH
Health Information Technology for Economic and Clinical Health Act
What did HITECH do?
Expanded protections for information systems with a focus on EMRs
GDPR
General Data Protection Regulation
(a) EU-based
(b) Focuses on privacy of data more than security
What are some potential Targets of Patient Health Attacks?
● Active medical devices
– Interrupt lifesaving action or modify to deliver lethal results
● Medicines
– Destroy inventory, change allergy records, and change dosage delivery
● Surgery
– Change work orders and medical records, disrupt remote access, disrupt the environment, and disrupt equipment
● Clinicians
– Misdirection or misinformation
What are common issues that open up medical devices to cyber attacks?
– Failure to provide timely security updates
– Malware
– Unauthorized access to the network
– Device reprogramming
– Denial of service attacks
– Poor password management
– Poorly designed software security features for off-the-shelf products
– Poor configuration of networks and security practices
Who created a Safety Action Plan in 2018 to respond to the growing threats towards medical devices?
FDA (Food and Drug Administration)
What are some of the focus areas of the Safety Action Plan?
– Establishment of a medical device patient safety net
– Exploration of regulatory options to modernize timely implementation of post-market mitigations
– Innovation toward safer medical devices
– Advancement of medical device cybersecurity
What does the MDS2 contain?
A document available for every healthcare device sold which contains a list of the software systems embedded in the device and their known vulnerabilities
What is a pitfall of DHCP, in terms of security, and what was added to networks to enhance security?
The ease of adding devices to the network resulted in decreased network security.
Network Access Control (NAC) systems were added to enable networks to assign and manage the permissions of devices.
What are two ways DICOM receivers can be set?
- Promiscuous (they will accept a DICOM object from any other network node)
- Non-promiscuous (the sending system has to be defined in the receiving system before it is allowed to send information)
Social engineering
A term used to describe the act of taking advantage of human weaknesses to gain illicit access to a computer network
Phishing
Fake emails used to obtain passwords; usually appearing as familiar websites with benign-appearing links that may allow malicious software onto the network
Spear phishing
An email targeted at a specific user which contains content that is specific to that user so as to gain trust
Altruism exploits
Pretending to be a family member to obtain protected health information
Intrusion Detection System
Computer systems which contain both logging and “honeypots”; detected activity activates logging and additional security
Logging
Keeping track of attempts at an attack
“Honeypots”
Directories or systems which appear attractive to hackers and entice them to break in
Trojan Horse
Malicious code that accompanies useful code onto the system during a download or routine maintenance
Should a product advertised with “zero” vulnerabilities be trusted?
Probably not; this likely means no testing has been done
How is the 80/20 principle applied in protection systems?
You don’t have to scan or segment every piece of equipment, but you should assess and prioritize the areas that have the most critical vulnerabilities and the most dangerous impact
Man in the Middle
A cyberattack in which the attacker places a device on the network within an institution and is able to intercept or modify the traffic from a sending system to a receiving system
What two systems have been found to be vulnerable to man-in-the-middle attacks in 2018?
HL7 and DICOM
Pestilence
A malicious tool that is able to intercept lab values from a laboratory information system being sent to an electronic medical care record
Adversarial network
A type of deep learning that can add or remove pathology from a DICOM image
A hacker posing as a member of the IT team to obtain passwords is an example of:
A. Sniffing
B. Social engineering
C. Intrusion detection
D. Probing
E. Log analysis
B
Ransomware is:
A. A cyberattack that results in direct financial rewards
B. Less important to healthcare than to other industries
C. A type of cybercrime that has been around for decades
D. A threat to patient health
E. A countermeasure employed by hospital security teams
D