HIPAA Lesson 8 Flashcards
According to the Computer Crime and Security Survey, which of these is the most common form of computer attack or abuse?
o Computer viruses.
o Security breaches that lead to significant financial losses.
o Internal employee abuse.
o Denial of service (DoS) attacks.
Computer viruses.
When you're talking about the Security Rule, what's the correct name for standards that work for large and small organizations?
o Best practices.
o Technology-neutral.
o Comprehensive.
o Scalable.
Scalable.
Which term best matches this definition? "The security principle that means valued information assets are free from unauthorized modification or destruction."
o Integrity.
o Confidentiality.
o Availability.
o Addressable.
Integrity.
What's the correct name for the strategy of implementing controls that reduce the causes of risk?
o Risk assumption.
o Risk transference.
o Risk elimination.
o Risk mitigation.
Risk mitigation.
When you're conducting a risk assessment, what should be your final step?
o Vulnerability identification.
o Threat identification.
o Risk determination.
o System or asset criticality analysis.
Risk determination.
The Computer Security Institute concludes that ______ attacks continue to be the source of the greatest financial losses. Further, there’s been a significant increase in _______ access, which is now the second-most-significant contributor to computer crime losses.
- virus
- unauthorized
______ are the methods that have proven most effective over time.
Best practices
The Security Rule creators developed the philosophy that the Security Rule should be _____, _____, and _____.
- comprehensive
- technology-neutral
- scalable
Encompassing all areas of the organization.
Comprehensive
List the security standards' three main categories:
- administrative controls
- physical controls
- technical controls
_____ is a not-for-profit organization that sets standards for all sorts of technology fields.
NIST (National Institute of Standards and Technology)
Protection of valued information assets from unauthorized disclosure.
Confidentiality
Unbiased about whose technology or whose software product an organization uses.
Technology-neutral
Rules and procedures that work just as well for a few users as they do for many.
Scalable
Free from unauthorized modification or destruction.
Integrity
Obtainable to those who have authorization to access it when they need it.
Availability
The Security Rule has ____ standards.
18
These specifications provide details about how to comply with the Security standards.
Implementation specifications
A _____ implementation specification means that an organization has to implement the specification, no matter what the organization does or what size it is.
Required
_____ implementation specifications give CEs some flexibility for compliance with the security standards. A covered entity must first do its own risk ______ and create its own risk ______ strategy. It must also ______ the security measures already in place and consider the _____ of implementation.
- Addressable
- analysis
- mitigation
- assess
- cost
______ cannot be the sole reason for not adopting an implementation specification.
Cost
The Security Management Process contains which risk implementation specifications?
- Risk Analysis
- Risk Management
Risk can be a ______ or ______ measure.
- quantitative
- qualitative
A risk measure that uses a mathematical process and assigned weights and numbers.
Quantitative
Risk can be a ______ measure of the likelihood of a particular threat affecting a particular vulnerability, and the resulting impact that it would have.
Qualitative (non-numerical)
What Are the Sources of Threats to Protected Health Information?
- Human: hackers, viruses, unintentional deletion, deliberate attacks, unauthorized access
- Natural: floods, earthquakes, tornadoes, fires, lightning strikes
- Environmental: long-term power failure, broken water pipes, heat or air-conditioning problems
List the key steps for conducting a Risk Assessment.
- System or asset criticality analysis: How important is the system and the data on it?
- Threat identification: What can damage the confidentiality, integrity, or availability of the data on this system?
- Vulnerability identification: What weaknesses in the system make it susceptible to effects of a given threat?
- Control analysis: What safeguards are in place?
- Likelihood determination: What are the odds that a given threat will happen?
- Impact analysis: What will happen if a threat occurs?
- Risk determination: Based on how you answered the previous questions, what is your quantitative or qualitative measure of risk?
List the four risk strategies.
- Risk Assumption
- Risk Mitigation
- Risk Avoidance
- Risk Transference
Accept the risk as it is.
Risk Assumption
Put controls in place that will offset the risk or reduce the harmful effects of the threat.
Risk Mitigation
Implementing controls that eliminate the cause of the risk.
Risk Avoidance
Transfer the risk to someone else.
Risk Transference
______ is the overall process of risk assessment and risk mitigation.
Risk management
After you complete your risk mitigation, there will still be vulnerabilities. This is the _______ level of risk to your assets.
residual
You can never eliminate all risks. You can only reduce them to an _______ level.
acceptable
Determine each risk strategy used below when an individual purchases a laptop:
- Installed antivirus software
- Accepted risk of not installing antivirus software
- Didn’t connect the laptop to the Internet
- Bought insurance to cover costs if someone hacks into the laptop
- Risk Mitigation
- Risk Assumption
- Risk Avoidance
- Risk Transference