Question | Answer |
--- | --- |
Access Controls | A computer software program designed to prevent unauthorized use of an information resource. |
Administrative Safeguard | Set of nine standards including security management functions, assigned security responsibility, workforce security, information access management, security awareness/training, security incident reporting, contingency plan, evaluation, contracts, etc. |
Administrative Simplification | Section of HIPAA that deals with privacy and security as well as standardization of electronic transactions and code sets |
ASC X12 Standard | Committee responsible for the development and maintenance of electronic data interchange standards for many industries |
Audit Trail | Chronological record of electronic systems activities that enable the reconstruction, review, and examination of the sequence of events surrounding or leading to each event/transaction from beginning to end, including who performed what and when it occurred |
Biometrics | Physical characteristics of users (fingerprints, voiceprints, retinal scans) that systems store and use to authenticate identity before allowing the user access to a system |
Business Associate | An individual or group that is not a member of a covered entity's workforce but that helps the covered entity in the performance of various functions involving the use or disclosure of patient-identifiable health information |
Certified in Healthcare Privacy and Security (CPHS) | AHIMA credential that recognizes advanced competency in designing, implementing, and administering comprehensive privacy and security protection programs |
Certified Information Systems Security Professional (CISSP) | A generic security certification and therefore is not healthcare specific |
Code Sets | Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes; includes both the codes and their descriptions |
Contingency Plan | Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster |
Covered Entity | Any health plan, healthcare clearinghouse, or healthcare provider that transmits specific healthcare transactions in electronic form |
Data Recovery | The restoration of lost data or the reconciliation of conflicting or erroneous data after a system failure |
Degaussing | The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable |
Denial of Service | A denial of service attack is a type of malware that is designed to overload a Web site or other information system so that the system cannot handle the load and eventually shuts down |
Designated Standard Maintenance Organizations | Organizations designated to control the standards used in electronic transmissions in healthcare |
Electronic Data Interchange (EDI) | A standard transmission format using strings of data for business information communicated among the computer systems of independent organizations |
Electronic Protected Health Information (ePHI) | All individually identifiable information that is created or received electronically by a healthcare provider or any other entity subject to HIPAA requirements |
Encryption | Process of transforming text into an unintelligible string of characters that can be transmitted via communications media with a high degree of security and then decrypted when it reaches a secure destination |
Facility Access Controls | Limit physical access to the data centers where the hardware and software for the electronic information systems are held to authorized information system staff |
Firewall | A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network |
Forensics | The process used to gather intact and validated evidence; it is the process that should be used to gather evidence of a security incident |
Health Insurance Portability and Accountability Act of 1996 (HIPAA) | Impacts many areas of healthcare such as insurance portability, code sets, privacy, security and national identifier standards |
Information System Activity Review | The periodic review of the security controls |
Integrity | The state of being whole or unimpaired. In the context of data security, data integrity means the protection of data from accidental or unauthorized intentional change |
Intrusion Detection and Response | The act of monitoring systems or networks for unauthorized users or unauthorized activities, and the actions taken to correct these acts |
Malicious Software | Software designed to harm a computer. |
Mitigation | Requires covered entities to lessen, as much as possible, harmful effects that result from the wrongful use and disclosure of protected health information |
Network Security | Using technology to protect the data transmitted across the network; includes firewalls, encryption, and data integrity |
One-factor Authentication | Passwords are commonly used in conjunction with a user name or identifier. |
Passwords | A series of characters that must be entered to authenticate user identity and gain access to a computer or specified portions of a database |
Person or Entity Authentication | The corroboration that an entity is who it claims to be |
Phishing | E-mail that appears to come from a legitimate business and asks for an account number or other personal information |
Physical Safeguards | Measures such as locking doors to safeguard data and computer programs from undesired occurrences and exposures |
Privacy | The quality or state of being hidden from, or undisturbed by, the observation or activities of other persons, or freedom from unauthorized intrusion; in healthcare-related contexts, the right of a patient to control disclosure of personal information |
Privacy Rule | The federal regulations created to implement the privacy requirements of the simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 |
Protected Health Information (PHI) | Individually identifiable health information, transmitted electronically or maintained in any other form, that is created or received by a healthcare provider or any other entity subject to HIPAA requirements |
Redundancy | The concept of building a backup computer system that is an exact version of the primary system and that can replace it in the event of a primary system failure |
Risk Analysis | The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority; also called risk assessment |
Risk Assessment | The process of identifying possible security threats to the organization's data and identifying which risks should be proactively addressed and which risks are lower in priority; also called risk analysis |
Security | The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss; the physical protection of facilities and equipment |
Security Awareness Training | Provides employees of the covered entity with information on, and a basic knowledge of, the security policies and procedures of the organization |
Security Event | Poor security practices that have not led to harm |
Security Incident | Poor security practices that have resulted in harm or a significant risk of harm |
Security Management Plan | Must include the policies required to prevent, identify, control, and resolve security incidents |
Security Official | An individual to be in charge of the security program for the covered entity. Also called a Chief Security Officer (CSO) |
Security Rule | The federal regulations created to implement the security requirements of the Health Insurance Portability and Accountability Act of 1996 |
Spoliation | Unintentional destruction or alteration of evidence |
Spyware | Software that may be used to track keystrokes and passwords, monitor Web sites visited, or other actions, and report these actions back to the creator of the spyware. Spyware may contribute to identity theft or other breaches of privacy |
Technical Safeguard | The technology and the policy and procedures for its use that protect electronic protected health information and control access to it; protects ePHI from unauthorized access and destruction/alterations |
Telephone Callback Procedures | Procedures used primarily when employees have access to an organization's health information systems from a remote location that verify whether the caller's number is authorized and prevent access when it is not |
Termination Process | A HIPAA-mandated process that terminates an employee's access immediately upon separation from the facility |
Token | A physical device, such as a key card, inserted into a door to admit an authorized person or into a computer to authenticate a computer user |
Transactions and Code Sets Rule | Designed to standardize transactions performed by healthcare organizations. These apply to electronic transactions only. |
Transmission Security | Mechanisms designed to protect ePHI while the data are being transmitted between two points |
Trigger | A documented response that alerts a skilled nursing facility resident assessment instrument assessor to the fact that further research is needed to clarify an assessment |
Two-factor Authentication | Tokens are used in conjunction with a password to provide two-factor authentication (token and password are two different types of authentications) |
Username | A unique identifier assigned to each user |
Virus | A computer program, typically hidden, that attaches itself to other programs and has the ability to replicate and cause various forms of harm to the data |
Workforce Clearance Procedure | Ensures that each member of the workforce's level of access is appropriate |
Worm | A special type of computer virus, usually transferred from computer to computer via e-mail, that can replicate itself and use memory but cannot attach itself to other programs |