HIPAA Lesson 7

Question 1

What are the three rules of the Administrative Simplification?

Answer 1

1. Standards for Electronic Transactions, Code Sets, and Identifiers
2. The Privacy Rule
3. The Security Rule

Question 2

_______ means having controls, countermeasures, and procedures in place to ensure the appropriate protection of your information assets.

Answer 2

Security

Question 3

In the 1990s, governmental organizations from Canada, France, Germany, the Netherlands, the United Kingdom, and the United States created the _______.

Answer 3

Common Criteria

Question 4

Good security _______ the vulnerability of assets and resources.

Answer 4

minimizes

Question 5

An ______ is anything of value.

Answer 5

asset

Question 6

______ is any weakness that someone could exploit to violate a system or the information it contains.

Answer 6

Vulnerability

Question 7

A ______ is a potential violation of security.

Answer 7

threat

Question 8

In the Common Criteria model, ______ include all those who are accountable for or place value on the assets in question.

Answer 8

owners

Question 9

______ seek to abuse or damage assets. Owners assume that the threats may harm the assets in a way that will reduce their value.

Answer 9

Threat agents

Question 10

______ is the danger of various threats and attacks on an organization’s assets.

Answer 10

Risk

Question 11

______ is the process of proving your identity to a system or network.

Answer 11

Authentication

Question 12

The authentication processes that uses a person’s physical traits, like a thumbprint or retinal scan, to confirm identity.

Answer 12

Biometrics

Question 13

______ ensures that only authorized users access a system and rejects (repudiates) all unauthorized users.

Answer 13

Access control

Question 14

______ ensures the privacy of data on the system and network.

Answer 14

Data confidentiality

Question 15

______ assures that data hasn’t been altered or destroyed in any unauthorized manner—either accidentally, intentionally, or due to some type of system failure.

Answer 15

Data integrity

Question 16

______ means that you make a copy of your data to protect against data loss.

Answer 16

Data Backup and Recovery

Question 17

______ can result from environmental hazards like a flood or fire, failed hard drives or other media, or accidental deletion of data.

Answer 17

Data loss

Question 18

______ is the denial of access to a system, such as entering your password incorrectly and being denied access to an account?

Answer 18

Repudiation

Question 19

______ of an access attempt means that it’s possible to verify the user’s identity and allow him or her to access the system, such as entering your password correctly and gaining access to your account.

Answer 19

Nonrepudiation

Question 20

List the three components of Risk management: (AUE)

Answer 20

1. Analyzing the results of the required risk assessment
2. Updating policies, procedures, and practices to protect against identified threats and vulnerabilities
3. Enforcing appropriate security program requirements

Question 21

______ means collecting data and evaluating the effectiveness of the business’s security program. Audit data includes logs, predefined reports, reports related to threats, vulnerabilities identified during risk assessment, policies and procedures, and so on.

Answer 21

Audit and system monitoring

Question 22

The “system” part of audit and system monitoring means checking the information technology system you’re using. List several goals to keep in mind here: (P-DISC)

Answer 22

• Apply patches (fixes) as necessary.
• Make sure security is in place and working properly.
• Confirm that data is available as needed.
• Keep data confidential.
• Protect the integrity of the data. In other words, make sure it isn’t stolen, tampered with, degraded, or lost.

Question 23

List the two types of security mechanisms:

Answer 23

Specific and Pervasive

Question 24

______ apply to specific functions or processes, like encryption or access authentication.

Answer 24

Specific security mechanisms

Question 25

______ apply system wide, regardless of function, like audit trails and backup and recovery processes.

Answer 25

Pervasive mechanisms

Question 26

______ provides confidentiality of data.

Answer 26

Encryption

Question 27

______ on messages electronically simulate handwritten signatures, which provide authentication of messages, especially when you use them with encryption.

Answer 27

Digital signatures

Question 28

_____ allow authorized users to use a system and block unauthorized users.

Answer 28

Access control mechanisms

Question 29

______ include time stamping, sequence numbering, and cryptographic chaining. All of these can ensure the integrity of data units or fields.

Answer 29

Data integrity mechanisms

Question 30

The computer operating system automatically marks the date and time a file or information in the database was viewed or modified.

Answer 30

Time stamping

Question 31

Each data field or file in a database gets its own number in a certain order. A missing block of numbers means there’s been a breach or error.

Answer 31

Sequence numbering

Question 32

A “key” is encrypted within blocks of data in an operating system, database, or file. The key links blocks of information together. If a key is missing or modified, that indicates a breach in data integrity.

Answer 32

Cryptographic (cipher block) chaining

Question 33

List the three authentication methods: (SY-HAK)

Answer 33

• Something you know (username and password),
• Something you have (a token, like a SecurID card token),
• Something you are (biometric information, like fingerprints or voiceprints).

Question 34

______ provide the same services as a notary public. A trusted third-party entity uses an underlying protocol or mechanism to verify a given data transaction.

Answer 34

Notarization mechanisms

Question 35

List the specific security mechanisms: (DEA DAN)

Answer 35

• Encryption
• Digital Signatures
• Access Control Mechanisms
• Data Integrity
• Authentication Information
• Notarization Mechanisms

Question 36

List the two most common pervasive security mechanisms:

Answer 36

• Audit Trails

* Security Recovery

Question 37

An ______ is a record of key activities within a system.

Answer 37

audit trail

Question 38

______ is an automated feature of some systems that helps you recover system software if the system fails or crashes.

Answer 38

Security Recovery

Question 39

A ______ is the danger of an attack or disruption that could compromise an organization’s information, systems, and technology infrastructure.

Answer 39

threat

Question 40

These threats have no premeditated intent.

Answer 40

Accidental threats

Question 41

These threats may be as simple as a casual examination of computer or network data, or can be a sophisticated attack using special system knowledge and advanced tools to steal confidential information.

Answer 41

Intentional threats

Question 42

These threats do not modify any information in the system.

Answer 42

Passive threats

Question 43

If a threat involves altering information, changing the state or operation of the system, or changing how the program works, it is called an _______.

Answer 43

active threat

Question 44

List the most common types of attacks on computer systems: (MISS-PD)

Answer 44

• Malicious Software
• Spoofing
• Denial of Service (DoS)
• Password cracker applications
• Insider (internal) attacks
• Social Engineering

Question 45

This term refers to viruses, worms, Trojan horses, and backdoor programs, all of which intentionally reroute, alter, or destroy information.

Answer 45

Malicious software / malware

Question 46

_____ happens when an entity falsely assumes the identity of another entity. In other words, a fraudster might send out emails that look like they came from a local hospital.

Answer 46

Spoofing

Question 47

______ is a common way to obtain information useful for committing identity theft.

Answer 47

Phishing

Question 48

______ attacks can compromise the use of hundreds or even thousands of systems to launch multiple attacks.

Answer 48

Distributed Denial of Service (DDoS)

Question 49

A ______ attack results in the overload of a resource, such as disk space, network bandwidth, internal tables of memory, or input buffers. The overload means that the resource is unavailable for others to use.

Answer 49

Denial of Service (DoS )

Question 50

A _______ is any program that compromises security by revealing passwords.

Answer 50

password cracker application

Question 51

These attacks happen when legitimate users of a system behave in unintended or unauthorized ways.

Answer 51

Insider (internal) attacks

Question 52

About ______% of inappropriate access to data occurs within an organization.

Answer 52

85%

Question 53

_____ is someone who pretends to be someone he or she isn’t and cons his or her way into getting information.

Answer 53

Social Engineering

Question 54

______ is a violation of the organization’s security policies or technologies.

Answer 54

Security Breach

Question 55

Several nations joined to create a general security understanding known as what? 
• The Common Criteria. 
• Minimum Necessary. 
• The Security Rule. 
• The Privacy Rule.

Answer 55

The Common Criteria

Question 56

How does the Security Rule define a threat?
• A potential violation of security.
• An entity that impersonates another entity.
• A weakness that someone could exploit to violate a system.
• A record of key activities within a system.

Answer 56

A potential violation of security.

Question 57

What's the correct name for the process by which you prove your identity to a system? 
• Access control. 
• Repudiation. 
• Data confidentiality. 
• Authentication.

Answer 57

Authentication

Question 58

What is an accidental threat?
• One that results in no modification to any data.
• One that alters data.
• A threat that has no premeditated intent.
• A casual examination of computer data by someone who isn’t supposed to have access to it.

Answer 58

A threat that has no premeditated intent

Question 59

Which type of attack can you protect against by training people rather than by altering or reprogramming computers? 
• Insider (internal) attack. 
• Malicious software. 
• Denial of service (DoS). 
• Social engineering.

Answer 59

Social engineering