Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
31 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
What does ISO stand for?
|
International Organization for Standards
|
|
|
|
What is ISO 17799?
|
International Organization for Standards technical security standards
|
|
|
|
What is the EUDPD?
|
European Union Data Protection Directive, which seeks to protect data privacy for individuals.
|
|
|
|
What is Privacy of data?
|
Privacy defines WHAT information should be held confidential and is permitted to be used/disclosed by those with a need to know.
|
Example: Mental health data, HIV/AIDS data, other disease specific data.
|
|
|
What is the Security of data?
|
Security primarily deals with electronic data and serves to set forth technical, procedural and or physical control limits. It basically defines how information is protected.
|
Example: Creating policies to protect data, put in controls to govern access to certain data, define how data can be accessed and transmitted i.e. password protected files, no USB drives, etc.
|
|
|
Who manages a privacy and security compliance program at an institution?
|
A management level person is assigned the duty of administrating a program to attain and comply with information protection laws, rules and guidelines.
|
|
|
|
What are the four parts of establishing information privacy and security compliance?
|
They are:
1. Awareness 2. Assessment 3. Remediation 4. Maintenance |
1. Awareness is knowing the rules of information privacy and security.
2. Assessing the organization's level of compliance with the laws and rules and identifying gaps in this compliance. It is also referred to as "risk analysis". 3. Remediation is eliminating the gaps in compliance by either policies (paper method) and via training to change the practice of workers to better fit more compliant ways of using/creating/transmitting information. 4. Maintenance is keeping up with changing rules/requirements of information privacy and security and making sure workers are informed and trained on a regular basis. |
|
|
How is the Assessment phase carried out?
|
By using questionnaires, interviews, checklists, and more.
|
|
|
|
What important aspects of the Assessment phase?
|
1. Protection of assets which are information, systems, applications and services and people
2. Facility Walkthrough using a facility walkthrough checklist (page 141). 3. Establish a Technical Baseline, a snapshot of the organization's current technical status. This is done by evaluating the network infrastructure, network access points, vulnerabilities, password evaluation, identifying devices connected to the network and more. 4. Identifications of threats and vulnerabilities where a threat can possible exploit a system vulnerability. A plan to address these threats and minimize harm are part of the assessment. (Identify Threat Source, the Threat itself, and the Vulnerability). |
|
|
|
What are the basic steps to identify vulnerabilities and threats?
|
Determine Vulnerabilities
- Determine Threats - Determine Threat Motivation - Determine Likelihood of Threat |
All of these steps help to establish what kind of risk the organizations systems can be exposed to.
|
|
|
Where are the three possible sources of Threats?
|
- Natural
- Human - Environmental |
Natural: includes eathquakes, lightening, storms..etc
Human: unintentional or intentional harm done to systems. Environmental: Power failure, pollution, chemicals leaks or liquid leaks. (not to be confused with Natural causes). |
|
|
What is Impact Analysis?
|
Impact analysis is determining the effect of a threat manifesting itself in the system.
|
The impact can be described in terms of being harmful towards Integrity, Availability or Confidentiality of systems and information.
|
|
|
What are the three security goals?
|
1. Maintain Integrity
2. Maintain Availability 3. Maintain Confidentiality |
|
|
|
What is meant by Loss of Integrity?
|
Loss of Integrity is when data or systems are improperly modified (intentionally or un-intentionally). If left un-correct will perpetuate the corrupted data or contaminated system and cause inaccuracy, fraud and erroneous issues.
|
Loss of Integrity might sometime be the first step in an attack on a system or information.
|
|
|
What is meant by Loss of Availability?
|
It is downtime of the system, intentional or unintentional which causes slowdowns for end users if they have to perform duties using manual/backup processes. This can also be a hindrance in practicing safe medicine.
|
Example: if barcode scanning is down due to system downtime, then meds are being given on the idea that the nurses and other clinical staff are not making mistakes in administering the correct drugs, doses, strengths...etc.
|
|
|
What is meant by Loss of Confidentiality?
|
Loss of Confidentiality is the unauthorized disclosure of information as a result of unintentional or intentional causes.
|
Unintentional causes create a loss of confidence in the healthcare entity in operating securely.
|
|
|
What is Risk Determination?
|
Risk Determination is a function of the likelihood of a threat to exploit a certain vulnerability, the magnitude of the impact and adequacy of security controls for reducing the risk.
|
|
|
|
Describe the Risk Scale?
|
High Risk: System may continue to operate but a strong corrective action plan must be put in place soon.
Medium Risk: Plan must be developed to incorporate necessary corrective action within a reasonable time. Low Risk: It is up to the discretion of the system's authorizing official to determine whether corrective actions are still required or rather the risk is acceptable. |
Page. 145, Figure 7-5.
|
|
|
What is the first step of remediation?
|
Updating the organizations security and privacy policies and procedures.
|
pg 148 - cphims review guide
|
|
|
What teams/persons should update/create privacy and scurity policies and procedures?
|
Training and Communication, IS, Privacy and Security Officials, Operations, Regulatory adn Legal, HR and others who have an ongoing ownership of those policies.
|
|
|
|
When taking PHI from one building to another, what must be done?
|
Sign in and out the PHI.
|
|
|
|
When implementing technical access controls on PHI, what are two considerations that must be kept in mind?
|
1. Do not overly restrict PHI that it interferes with job function.
2. Access should be restricted enough to sufficiently provide privacy of PHI of patients and members. |
|
|
|
What are some Technical Access Controls?
|
1. Limit profiles of users from certain PHI (mental health info, aids/hiv info).
2. Incorporate what kind of access users have in to their profiles 3. If a user doesn't need access to certain PHI anymore, it should be modified timely. 4. Access profiles of users should be reviewed regularly to ensure users don't have too much or too little access. |
|
|
|
What is the first step in administering the Maintenance stage of PHI privacy and security?
|
By implementing a training program to ensure all employees understand the organizations policies and procedures.
|
|
|
|
What parts make up the training material?
|
1. Awareness Training
2. Protection from malicious software Training 3. Login attempt monitoring Training 4. Password management Training 5. Details of policies and procedures Training 6. Periodic reminders 7. Policy and procedure changes 8. Info about disciplinary measures 9. Testing |
|
|
|
Who should receive privacy and security training?
|
All members of the organization, including temporary staff, HR personnel, senior leadership, new employees, students and volunteers.
|
|
|
|
How do you maintain security and privacy compliance?
|
By doing routine audits and monitoring of security and privacy controls.
|
Performing routine risk management. Routine review of policies. Review of system audit trails. Testing and review of disaster recovery/business continuity planning.
|
|
|
What are the 3 steps of ongoing risk management?
|
1. Initial Risk Assessment
2. Risk Mitigation 3. Ongoing Monitoring and Assessment |
1. the process of initial risk determining
2. Risk Mitigation: The process to reduce the risk severity. - No Action - Reduce or Mitigate risk - Transfer Risk to another org. |
|
|
What are some auditing/monitoring tools and techniques?
|
1. Self-Audit
2. Walk-Through Audit 3. Person to Person Interviews 4. Checklists or Scorecards 5. A Rating Scale |
1. Cross referencing the privacy and security requirements with organizations policies and procedures.
2. A physical walk through of the area to observe system and process compliance. 3. Interviewing staff to determine level of understanding. 4. A checklist or scorecard provides a consistent methodology to record observations, and contains sample questions. 5. A good rating scale of 'not-compliant', 'compliant', 'compliant but needs improvement' are less subjective than a numerical scale... |
|
|
What should happen with the report of findings from audits, and other monitoring and evaluating processes?
|
Management in all areas should be informed, and so should senior leadership.
|
|
|
|
What are the elements of Contingency Planning?
|
1. Data backup plan
2. Disaster recovery plan 3. Emergency mode operation plan 4. Testing and revision 5. Application and Data Criticality analysis |
|
