M4: Flashcards

1
Q

Information that is a subset of health information, including demographic information collected from an individual and:
1) is created or received by a health care provider, health plan, employer, or health care clearinghouse
2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; that
(i) identifies the individual or
(ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

A

Protected Health Information (PHI)

Defined by HIPAA

2
Q

Using the same password for multiple clients

A

Data breach of a retirement plan

3
Q

1. Data management.
2. Technology management.
3. Service provider management.
4. People issues/training period

A

4 major areas for effective practices and policies identified by the 2011 Council

4
Q

The Advisory Council on Employee Welfare and Pension Benefit Plans

A

The ERISA Advisory Council

5
Q

Cybercriminals encrypt/seize entire hard drives & hold for high ransom

A

Ransomware

6
Q

Removing or retaining a service provider

A

A fiduciary act

7
Q

Information that can be used to distinguish/trace an individual’s identity, such as their name, SSN, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

A

PII

Defined by Office of Management and Budget (OMB)

8
Q

A service provider involved with plan administration

A

Third-Party Administrator (TPA)

9
Q

Where cyber criminals pretend to be senior executives asking employees to transfer funds.

A

Wire transfer e-mail fraud

10
Q

This office has set definitions for PII

A

Office of Management and Budget (OMB)

11
Q

Prescription disposals in a trash can

A

Data breach of a medical plan

12
Q

4 common cyber threats

A

Ransomware
Phishing
Wire transfer e-mail fraud
Malware via external devices

13
Q

Where intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.

A

Malware via external devices

14
Q

2015 Council focus

A

cyber security issues

15
Q

Law that controls the way private information of individuals is treated

A

Gramm-Leach-Bliley Act

16
Q

A section of ERISA that requires a fiduciary to discharge their duties

A

404(a)

17
Q

Failure to install security system updates

A

A form of data breach identified in retirement plans

18
Q

developing educational materials for plan sponsors, fiduciaries and their vendors; highlighting the need to focus on benefit plan cybersecurity in addition to enterprise cybersecurity.

A

2016 Council focus

19
Q

Lost documents with PHI

A

Data breach of a medical plan

20
Q

This agency requires personal data in benefit plans to be protected

A

Federal Trade Commission (FTC)

21
Q

Where fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for cyber-criminals to infiltrate a computer network.

A

Phishing

22
Q

An individual’s name in combination with other data

A

Personal information

23
Q

This organization developed the Cybersecurity Framework

A

National Institute of Standards and Technology (NIST)

24
Q

This case involved inadvertent exposure of personal medical information

A

GMR case

25
Q

It issued 3 pieces of sub-regulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers & plan participants

A

Department of Labor (DOL)

26
Q

1) Company and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information.
2) They must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers.
3) Must have the program evaluated both initially and every 2 years by a certified third party.
4) As is typical of FTC enforcement actions, the settlement will remain in force for the next 20 years.

The settlement demonstrates that according to FTC, companies must be held to high standards with regard to third-party vendor management and oversight when it involves personal information.

A

Terms of the GMR settlement with FTC